
Palo Alto Networks VPC Module for AWS

A Terraform module for deploying a VPC in AWS.

One advantage of this module over the community terraform-aws-vpc module is that it does not create multiple resources from a Terraform count iterator. Because each object is addressed by key rather than by list index, a single subnet can be removed without Terraform briefly destroying and re-creating its neighbours, which is what happens when the indices of a count-based list shift.


Usage

```hcl
module "vpc" {
  source = "../../modules/vpc"

  name                    = var.name
  cidr_block              = var.vpc_cidr_block
  secondary_cidr_blocks   = var.vpc_secondary_cidr_blocks
  create_internet_gateway = true
  global_tags             = var.global_tags
  vpc_tags                = var.vpc_tags
  security_groups         = var.security_groups
}
```

Reference

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0, < 2.0.0 |
| aws | ~> 5.17 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.17 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_internet_gateway.this | resource |
| aws_network_acl.this | resource |
| aws_network_acl_rule.this | resource |
| aws_route_table.from_igw | resource |
| aws_route_table.from_vgw | resource |
| aws_route_table_association.from_igw | resource |
| aws_route_table_association.from_vgw | resource |
| aws_security_group.this | resource |
| aws_vpc.this | resource |
| aws_vpc_dhcp_options.this | resource |
| aws_vpc_dhcp_options_association.this | resource |
| aws_vpc_ipv4_cidr_block_association.this | resource |
| aws_vpn_gateway.this | resource |
| aws_internet_gateway.this | data source |
| aws_vpc.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| assign_generated_ipv6_cidr_block | Assign an AWS-provided /56 IPv6 CIDR block to the VPC. When null, the AWS default (false) applies. | bool | null | no |
| cidr_block | CIDR block to assign to a new VPC. | string | null | no |
| create_dhcp_options | Set to true to create a DHCP options set with a custom domain name, DNS servers and NTP servers. | bool | false | no |
| create_internet_gateway | Set to true to create an Internet Gateway (IGW) and attach it to the VPC. | bool | false | no |
| create_vpc | When true, the inputs are used to create a VPC; when false, they are used to look up an existing VPC by its `name` tag. | bool | true | no |
| create_vpn_gateway | When true, create a VPN gateway and a dedicated route table for it. | bool | false | no |
| domain_name | DNS domain name for the DHCP options set. Requires `create_dhcp_options = true`. | string | "" | no |
| domain_name_servers | List of DNS server addresses for the DHCP options set; empty means AWS-provided. | list(string) | [] | no |
| enable_dns_hostnames | Enable or disable DNS hostnames in the VPC. When null, the AWS default (false) applies. | bool | null | no |
| enable_dns_support | Enable or disable DNS support in the VPC. When null, the AWS default (true) applies. | bool | null | no |
| global_tags | Optional map of arbitrary tags to apply to all created resources. | map(string) | {} | no |
| instance_tenancy | VPC-level instance tenancy. | string | null | no |
| nacls | Map of maps, one entry per network ACL; each entry carries a `name` and a `rules` map. See the `nacls` example below the table. | any | {} | no |
| name | Name of the VPC to create or use. | string | n/a | yes |
| name_internet_gateway | Name of the IGW to create or use. | string | null | no |
| name_vpn_gateway | Name of the VPN gateway to create. | string | null | no |
| ntp_servers | List of NTP server addresses for the DHCP options set; empty means AWS-provided. | list(string) | [] | no |
| route_table_internet_gateway | Name of the route table for the IGW. | string | null | no |
| route_table_vpn_gateway | Name of the route table for the VPN gateway. | string | null | no |
| secondary_cidr_blocks | Secondary CIDR blocks to associate with a new VPC. | list(string) | [] | no |
| security_groups | Map of maps, one entry per Security Group; the key of each entry is used as the Security Group name. See the `security_groups` attribute list and example below the table. | any | {} | no |
| use_internet_gateway | If an existing VPC is provided and already has an IGW attached, set to true to reuse it. | bool | false | no |
| vpc_tags | Optional map of arbitrary tags to apply to the VPC resource. | map | {} | no |
| vpn_gateway_amazon_side_asn | ASN for the Amazon side of the VPN gateway. | string | null | no |

Example `nacls` value:

```hcl
nacls = {
  trusted_path_monitoring = {
    name = "trusted-path-monitoring"
    rules = {
      block_outbound_icmp = {
        rule_number = 110
        egress      = true
        protocol    = "icmp"
        rule_action = "deny"
        cidr_block  = "10.100.1.0/24"
        from_port   = null
        to_port     = null
      }
      allow_inbound = {
        rule_number = 300
        egress      = false
        protocol    = "-1"
        rule_action = "allow"
        cidr_block  = "0.0.0.0/0"
        from_port   = null
        to_port     = null
      }
    }
  }
}
```

Network ACLs are stateless: rules are evaluated in ascending `rule_number`, the first match decides, and anything unmatched is dropped by the implicit final deny rule. The example above permits all inbound traffic (rule 300) but defines no egress allow at all, only the ICMP deny, so add the egress rules your workloads need and give them a higher rule number than any deny they must not override.

Each `security_groups` entry supports the following attributes:

- `name`: the Security Group name.
- `rules`: a map of Security Group rules. The key of each entry is the rule name and must be unique within the Security Group. Each rule takes:
  - `description`: rule description.
  - `type`: `ingress` (inbound) or `egress` (outbound).
  - `from_port`, `to_port`, `protocol`: port range and protocol (`-1` matches all protocols and ports).
  - `cidr_blocks`: list of CIDR blocks. For ingress, the sources allowed to reach the instance; for egress, the destinations the instance may send to.
  - `prefix_list_ids`: list of managed prefix list IDs.
  - `self`: when true, the Security Group itself is the source of the rule. Cannot be combined with `cidr_blocks` or `source_security_groups`.
  - `source_security_groups`: list of Security Group IDs to use as the source of the rule. Cannot be combined with `cidr_blocks` or `self`.

Example `security_groups` value:

```hcl
security_groups = {
  vmseries-mgmt = {
    name = "vmseries-mgmt"
    rules = {
      all-outbound = {
        description = "Permit All traffic outbound"
        type = "egress", from_port = "0", to_port = "0", protocol = "-1"
        cidr_blocks = ["0.0.0.0/0"]
      }
      https-inbound-private = {
        description = "Permit HTTPS for VM-Series Management"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["10.0.0.0/8"]
      }
      https-inbound-eip = {
        description = "Permit HTTPS for VM-Series Management from known public IPs"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        cidr_blocks = ["100.100.100.100/32"]
      }
      ssh-inbound-eip = {
        description = "Permit SSH for VM-Series Management from known public IPs"
        type = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
        cidr_blocks = ["100.100.100.100/32"]
      }
      https-inbound-self = {
        description = "Permit HTTPS from instances with the same security group"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        self = true
      }
      https-inbound-security-groups = {
        description = "Permit HTTPS traffic for the resources associated with the specified security group"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        source_security_groups = ["sg-1a2b3c4d5e6f7g8h9i"]
      }
      https-inbound-prefix-list = {
        description = "Permit HTTPS for VM-Series Management for IPs in managed prefix list"
        type = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
        prefix_list_ids = ["pl-1a2b3c4d5e6f7g8h9i"]
      }
    }
  }
}
```

Unlike NACLs, Security Group rules are stateful and can only permit traffic, so rule order does not matter and the only way to block something is to not allow it. Keep management ingress (TCP 22 and 443 here) restricted to private ranges, known addresses, `self` or a named Security Group as the example does; a `0.0.0.0/0` source on those ports exposes the VM-Series management plane to the whole internet.
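The two points made above about the `nacls` and `security_groups` inputs (NACL rules are evaluated in `rule_number` order with an implicit final deny; each Security Group rule must name exactly one source kind, and management ports should not be open to `0.0.0.0/0`) can be checked offline before `terraform apply`. The script below is an added example and is not part of this module: it works on Python dicts that mirror the HCL map-of-maps shape of the two variables (constructed, trimmed copies of the README examples plus one deliberately faulty Security Group), simulates AWS's NACL evaluation order, and lints the Security Group rules. The function names, the `mgmt_ports` default and the faulty `careless` group are assumptions made for the example.

```python
"""Offline checks over the `nacls` and `security_groups` maps this module accepts.

Added example, not code from the module. The dicts are constructed copies of the
README examples in the Python equivalent of the HCL map-of-maps shape.
"""
import copy
import ipaddress

# Constructed copy of the README's `nacls` example.
NACLS = {
    "trusted_path_monitoring": {
        "name": "trusted-path-monitoring",
        "rules": {
            "block_outbound_icmp": {"rule_number": 110, "egress": True, "protocol": "icmp",
                                    "rule_action": "deny", "cidr_block": "10.100.1.0/24",
                                    "from_port": None, "to_port": None},
            "allow_inbound": {"rule_number": 300, "egress": False, "protocol": "-1",
                              "rule_action": "allow", "cidr_block": "0.0.0.0/0",
                              "from_port": None, "to_port": None},
        },
    }
}

# Constructed, trimmed copy of the README's `security_groups` example.
SECURITY_GROUPS = {
    "vmseries-mgmt": {
        "name": "vmseries-mgmt",
        "rules": {
            "all-outbound": {"type": "egress", "from_port": "0", "to_port": "0",
                             "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]},
            "https-inbound-private": {"type": "ingress", "from_port": "443", "to_port": "443",
                                      "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]},
            "https-inbound-self": {"type": "ingress", "from_port": "443", "to_port": "443",
                                   "protocol": "tcp", "self": True},
        },
    }
}

# Constructed counter-example (assumed, not from the README) with the two mistakes to catch.
BAD_SECURITY_GROUPS = {
    "careless": {
        "name": "careless",
        "rules": {
            "ssh-from-anywhere": {"type": "ingress", "from_port": "22", "to_port": "22",
                                  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            "ambiguous-source": {"type": "ingress", "from_port": "443", "to_port": "443",
                                 "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"], "self": True},
        },
    }
}


def evaluate_nacl(nacl, *, egress, protocol, address, port=None):
    """Return (action, rule_key) for one packet against one NACL entry.

    Mirrors AWS evaluation: rules are tried in ascending rule_number, the first
    match decides, and the implicit final rule ('*') denies anything unmatched.
    A null from_port/to_port is treated as "any port".
    """
    addr = ipaddress.ip_address(address)
    ordered = sorted(nacl["rules"].items(), key=lambda kv: kv[1]["rule_number"])
    for key, rule in ordered:
        if rule["egress"] != egress or rule["protocol"] not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule["cidr_block"]):
            continue
        lo, hi = rule.get("from_port"), rule.get("to_port")
        if port is not None and lo is not None and hi is not None and not lo <= port <= hi:
            continue
        return rule["rule_action"], key
    return "deny", "*"


def with_rule(nacl, key, rule):
    """Return a copy of `nacl` with one extra rule, leaving the input untouched."""
    clone = copy.deepcopy(nacl)
    clone["rules"][key] = rule
    return clone


def check_security_groups(security_groups, mgmt_ports=(22, 443)):
    """Return a list of (sg_key, rule_key, finding) tuples; an empty list means clean."""
    findings = []
    for sg_key, sg in security_groups.items():
        for rule_key, rule in sg["rules"].items():
            # The README's constraint: cidr_blocks, self and source_security_groups are mutually exclusive.
            sources = [k for k in ("cidr_blocks", "self", "source_security_groups") if rule.get(k)]
            if len(sources) != 1:
                findings.append((sg_key, rule_key, f"exactly one source kind expected, got {sources}"))
            if rule["type"] != "ingress":
                continue
            # prefixlen 0 catches both 0.0.0.0/0 and ::/0.
            anywhere = any(ipaddress.ip_network(c).prefixlen == 0 for c in rule.get("cidr_blocks") or [])
            lo, hi = int(rule["from_port"]), int(rule["to_port"])
            hits_mgmt = rule["protocol"] == "-1" or any(lo <= p <= hi for p in mgmt_ports)
            if anywhere and hits_mgmt:
                findings.append((sg_key, rule_key, "management port reachable from 0.0.0.0/0"))
    return findings


if __name__ == "__main__":
    nacl = NACLS["trusted_path_monitoring"]
    print(evaluate_nacl(nacl, egress=True, protocol="icmp", address="10.100.1.7"))          # deny by rule 110
    print(evaluate_nacl(nacl, egress=True, protocol="tcp", address="10.100.1.7", port=443))  # implicit deny
    # An allow-all egress rule numbered below 110 shadows the ICMP deny entirely.
    shadowed = with_rule(nacl, "allow_all_outbound", {"rule_number": 100, "egress": True,
                         "protocol": "-1", "rule_action": "allow", "cidr_block": "0.0.0.0/0",
                         "from_port": None, "to_port": None})
    print(evaluate_nacl(shadowed, egress=True, protocol="icmp", address="10.100.1.7"))
    for finding in check_security_groups(BAD_SECURITY_GROUPS):
        print(*finding)
```

Running the script shows the README's NACL denying outbound ICMP to `10.100.1.0/24` by rule 110, denying outbound HTTPS to the same host by the implicit final rule (no egress allow exists), and, once an allow-all egress rule is inserted at number 100, allowing the very ICMP that rule 110 was meant to block. The Security Group checker reports nothing for the README example and two findings for the `careless` group.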

Outputs

| Name | Description |
|------|-------------|
| has_secondary_cidrs | n/a |
| id | The VPC identifier (either created or pre-existing). |
| igw_as_next_hop_set | An object suitable for use as the vpc_route module's `next_hop_set` input. |
| internet_gateway | The entire Internet Gateway object. It is null when `create_internet_gateway` is false. |
| internet_gateway_route_table | The Route Table object created to handle traffic from the Internet Gateway (IGW). It is null when `create_internet_gateway` is false. |
| nacl_ids | Map of NACL name -> ID (newly created). |
| name | The VPC Name tag (either created or pre-existing). |
| security_group_ids | Map of Security Group name -> ID (newly created). |
| vpc | The entire VPC object (either created or pre-existing). |
| vpn_gateway | The entire Virtual Private Gateway object. It is null when `create_vpn_gateway` is false. |
| vpn_gateway_route_table | The Route Table object created to handle traffic from the Virtual Private Gateway (VGW). It is null when `create_vpn_gateway` is false. |