NTC VPC
NTC VPC v2 introduces major improvements including AWS Provider v6 support and AWS European Sovereign Cloud compatibility.
📖 Read the Migration Guide for step-by-step instructions.
Description
NTC VPC simplifies the deployment and management of Virtual Private Clouds (VPCs) in AWS. This building block automates the creation of VPCs, subnets, route tables, and network configurations, ensuring a secure, scalable, and well-architected network foundation. With support for both single and multi-account environments, NTC VPC integrates seamlessly with other NTC building blocks, providing a modular approach to network design.
Whether you are setting up isolated environments, connecting workloads, or implementing hybrid architectures, NTC VPC ensures consistent and reliable networking aligned with AWS best practices.
To share Prefix Lists and VPC Subnets across Organizational Units (OUs), RAM sharing must first be enabled for the organization.
This can be configured using NTC Organizations by setting enable_ram_sharing_in_organization to true.
Usage
| Latest Release | 2.0.1 |
|---|---|
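An added usage example, written for this page and not taken from the NTC project: it wires the inputs documented below into a two-tier VPC with a rule-less default security group, subnet NACLs, VPC endpoints, RAM sharing of the private subnets and flow logs to S3. The module source, account and OU IDs and the bucket ARN are placeholders; the subnet_type strings, the endpoint common_name values and the destination_type string are assumptions this page does not confirm.

```hcl
# Added example (not NTC project code). Module source, account/OU IDs and the bucket ARN
# are placeholders; subnet_type, endpoint common_name and destination_type values are assumptions.
module "ntc_vpc" {
  source = "<NTC_VPC_MODULE_SOURCE>" # placeholder
  prefix_name           = "prod"
  vpc_ipv4_primary_cidr = "10.20.0.0/16"

  # Reserve 3 AZs so subnet CIDRs stay stable; only 2 get NAT, endpoints and RAM shares.
  availability_zones = { reserved = 3, active = 2 }
  # Adopt the default security group and leave it without rules so nothing can rely on it.
  manage_default_security_group        = true
  default_security_group_ingress_rules = []
  default_security_group_egress_rules  = []

  vpc_subnets = [
    {
      subnet_identifier    = "public"
      subnet_type          = "public" # assumed value
      netmask_length       = 24
      public_subnet_config = { create_public_nat_gateway = true }
    },
    {
      subnet_identifier     = "app"
      subnet_type           = "private" # assumed value
      netmask_length        = 22
      private_subnet_config = { default_route_to_public_nat_gateway = true }
      # Keep SSM and S3 traffic inside the VPC instead of routing it through NAT.
      interface_endpoints = [{ common_name = "ssm" }] # assumed common name
      gateway_endpoints   = [{ common_name = "s3" }]  # assumed common name
      # NACLs are stateless and evaluated by rule number: drop inbound SSH at the subnet
      # edge as defense in depth, then allow the rest (security groups do fine filtering).
      network_acl_inbound = [
        { rule_number = 100, rule_action = "deny", protocol = "tcp", from_port = 22, to_port = 22, ipv4_cidr_block = "0.0.0.0/0" },
        { rule_number = 200, rule_action = "allow", protocol = "-1", ipv4_cidr_block = "0.0.0.0/0" },
      ]
      network_acl_outbound = [
        { rule_number = 100, rule_action = "allow", protocol = "-1", ipv4_cidr_block = "0.0.0.0/0" },
      ]
      # Share the app subnets with a single OU (needs RAM sharing enabled in the organization).
      ram_share_principals = ["arn:aws:organizations::111111111111:ou/o-EXAMPLE/ou-EXAMPLE"]
    },
  ]

  # Deliver flow logs to S3 for detection; 60 s aggregation shortens time to visibility.
  vpc_flow_log_destinations = [{
    destination_type         = "s3" # assumed value
    destination_arn          = "arn:aws:s3:::<FLOW_LOG_BUCKET>"
    max_aggregation_interval = 60
  }]
}
```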
Requirements
The following requirements are needed by this module:
- terraform (>= 1.5.0)
- aws (>= 6.0)
Providers
The following providers are used by this module:
- aws (>= 6.0)
Modules
The following Modules are called:
flow_logs
Source: ./modules/flow-logs
Version:
subnet_calculator
Source: ./modules/subnet-calculator
Version:
Resources
The following resources are used by this module:
- aws_default_security_group.ntc_default (resource)
- aws_ec2_managed_prefix_list.ntc_dynamic (resource)
- aws_ec2_managed_prefix_list_entry.ntc_dynamic (resource)
- aws_ec2_transit_gateway_route_table_association.ntc_tgw (resource)
- aws_ec2_transit_gateway_route_table_propagation.ntc_tgw (resource)
- aws_ec2_transit_gateway_vpc_attachment.ntc_tgw (resource)
- aws_eip.ntc_public_nat (resource)
- aws_internet_gateway.ntc_dynamic (resource)
- aws_internet_gateway_attachment.ntc_dynamic (resource)
- aws_nat_gateway.ntc_private (resource)
- aws_nat_gateway.ntc_public (resource)
- aws_network_acl.ntc_dynamic (resource)
- aws_network_acl_rule.ntc_dynamic_inbound (resource)
- aws_network_acl_rule.ntc_dynamic_outbound (resource)
- aws_ram_principal_association.ntc_prefix_list_share (resource)
- aws_ram_principal_association.ntc_subnet_share (resource)
- aws_ram_resource_association.ntc_prefix_list_share (resource)
- aws_ram_resource_association.ntc_subnet_share (resource)
- aws_ram_resource_share.ntc_prefix_list_share (resource)
- aws_ram_resource_share.ntc_subnet_share (resource)
- aws_route.ntc_to_internet_gateway_default (resource)
- aws_route.ntc_to_public_nat_gateway_default (resource)
- aws_route.ntc_to_transit_gateway_default (resource)
- aws_route_table.ntc_dynamic (resource)
- aws_route_table_association.ntc_dynamic (resource)
- aws_security_group.ntc_vpce_interface (resource)
- aws_subnet.ntc_dynamic (resource)
- aws_vpc.ntc_dynamic (resource)
- aws_vpc_dhcp_options.ntc_custom (resource)
- aws_vpc_dhcp_options_association.ntc_custom (resource)
- aws_vpc_endpoint.ntc_vpce_gateway (resource)
- aws_vpc_endpoint.ntc_vpce_interface (resource)
- aws_vpc_ipam_pool_cidr_allocation.ntc_primary_reservation (resource)
- aws_vpc_ipam_pool_cidr_allocation.ntc_secondary_reservation (resource)
- aws_vpc_ipv4_cidr_block_association.ntc_ipam (resource)
- aws_vpc_ipv4_cidr_block_association.ntc_manual (resource)
- aws_availability_zones.available (data source)
- aws_ec2_managed_prefix_list.individual (data source)
- aws_ec2_managed_prefix_lists.all (data source)
- aws_organizations_organization.org (data source)
- aws_partition.current (data source)
- aws_region.provider_region (data source)
- aws_vpc_endpoint_service.vpce_gateway (data source)
- aws_vpc_endpoint_service.vpce_interface (data source)
Required Inputs
No required inputs.
Optional Inputs
The following input variables are optional (have default values):
availability_zones
Description: Count of availability zones used in VPC. Subnets will be generated for each reserved availability zone. Some resources like NAT Gateway, VPC Endpoints or RAM sharing will only apply to active availability zones.
Type:
```hcl
object({
  reserved          = optional(number, 3)
  active            = optional(number, 3)
  filter_zone_names = optional(list(string), [])
})
```
Default: {}
custom_dhcp_options
Description: Define a custom DHCP options set on the VPC.
Type:
```hcl
object({
  enable               = optional(bool, false)
  domain_name          = optional(string, null)
  domain_name_servers  = optional(list(string), ["AmazonProvidedDNS"])
  ntp_servers          = optional(list(string), [])
  netbios_name_servers = optional(list(string), [])
  netbios_node_type    = optional(number, 2)
})
```
Default: {}
customer_managed_prefix_lists
Description: Define customer managed prefix lists to be referenced in route tables.
Type:
```hcl
list(object({
  name           = optional(string, null)
  address_family = optional(string, "IPv4")
  entries = optional(list(object({
    cidr        = string
    description = optional(string, null)
  })), [])
  max_entries                         = optional(number, null)
  ram_share_principals                = optional(list(string), [])
  ram_share_allow_external_principals = optional(bool, false)
}))
```
Default: []
default_security_group_egress_rules
Description: List of maps of egress rules to set on the default security group
Type:
```hcl
list(object({
  self               = optional(bool, false)
  ipv4_cidr_blocks   = optional(list(string), [])
  ipv6_cidr_blocks   = optional(list(string), [])
  prefix_list_names  = optional(list(string), [])
  security_group_ids = optional(list(string), [])
  description        = optional(string, null)
  from_port          = optional(number, 0)
  to_port            = optional(number, 0)
  protocol           = optional(string, "all")
}))
```
Default: []
default_security_group_ingress_rules
Description: List of maps of ingress rules to set on the default security group
Type:
```hcl
list(object({
  self               = optional(bool, false)
  ipv4_cidr_blocks   = optional(list(string), [])
  ipv6_cidr_blocks   = optional(list(string), [])
  prefix_list_names  = optional(list(string), [])
  security_group_ids = optional(list(string), [])
  description        = optional(string, null)
  from_port          = optional(number, 0)
  to_port            = optional(number, 0)
  protocol           = optional(string, "all")
}))
```
Default: []
enable_dns_hostnames
Description: Set to true to enable DNS hostnames on the VPC.
Type: bool
Default: true
enable_dns_support
Description: Set to true to enable DNS support on the VPC.
Type: bool
Default: true
enable_network_address_usage_metrics
Description: Set to true to enable Network Address Usage metrics on the VPC.
Type: bool
Default: false
instance_tenancy
Description: A tenancy option for instances launched into the VPC.
Type: string
Default: "default"
interface_endpoints_security_group_ingress
Description: A dedicated security group for VPC interface endpoints. If 'allowed_cidr_blocks' is empty, the local VPC CIDR will be added to the ingress rule.
Type:
```hcl
object({
  create_security_group      = optional(bool, true)
  allowed_cidr_blocks        = optional(list(string), [])
  allowed_prefix_list_names  = optional(list(string), [])
  allowed_security_group_ids = optional(list(string), [])
  inbound_ports              = optional(list(string), ["443"])
})
```
Default: {}
manage_default_security_group
Description: Should be true to adopt and manage the default security group
Type: bool
Default: true
prefix_name
Description: Prefix name to be used on all VPC resources as identifier.
Type: string
Default: ""
public_natgw_external_eip_ids
Description: List of EIP IDs to be assigned to the public NAT Gateways (used in combination with reuse_nat_ips)
Type: list(string)
Default: []
public_natgw_use_external_ips
Description: Set to true to indicate that existing EIPs should be used for the public NAT Gateway. Requires specifying "public_natgw_external_eip_ids".
Type: bool
Default: false
region
Description: AWS region where the resources will be created. Omit to use the provider default region.
Type: string
Default: null
vpc_flow_log_destinations
Description: List of VPC flow log destinations. VPC flow logs can be delivered to S3, CloudWatch or Kinesis Data Firehose, and multiple destinations can be configured in parallel.
Type:
```hcl
list(object({
  destination_type         = string
  destination_arn          = optional(string, "")
  traffic_type             = optional(string, "ALL")
  log_format               = optional(string, null)
  max_aggregation_interval = optional(number, 600)
  s3_options = optional(object({
    file_format                = optional(string, "plain-text")
    hive_compatible_partitions = optional(bool, false)
    per_hour_partition         = optional(bool, false)
  }), {})
  cloudwatch_options = optional(object({
    iam_role_arn             = optional(string, "")
    iam_role_prefix          = optional(string, "vpc-flow-log-role-")
    iam_policy_prefix        = optional(string, "vpc-flow-log-to-cloudwatch-")
    use_existing_kms_key     = optional(bool, false)
    kms_key_arn              = optional(string, "")
    permissions_boundary_arn = optional(string, null)
    name_prefix              = optional(string, "/aws/vpc-flow-log/")
    retention_in_days        = optional(number, null)
  }), {})
}))
```
Default: []
vpc_ipam_settings
Description: Configuration of VPC IPAM (optional). IPAM can be used to dynamically get a VPC CIDR allocated.
Type:
```hcl
object({
  cidrs_requested_from_ipam        = optional(bool, false)
  cidrs_allocated_by_terraform     = optional(bool, false)
  reservation_description          = optional(string, null)
  ipv4_primary_pool_id             = optional(string, "")
  ipv4_primary_pool_netmask_length = optional(number, 0)
  ipv4_secondary_pools = optional(list(object({
    cidr_identifier = string
    pool_id         = string
    netmask_length  = optional(number, 0)
  })), [])
})
```
Default: {}
vpc_ipv4_primary_cidr
Description: The CIDR block for the VPC. Will be ignored if IPAM is used.
Type: string
Default: "10.0.0.0/16"
vpc_ipv4_secondary_cidr_blocks
Description: List of secondary IPv4 CIDR blocks to associate with the VPC to extend the IP Address pool. Will be ignored if IPAM is used.
Type:
```hcl
list(object({
  cidr_identifier = string
  cidr_block      = string
}))
```
Default: []
vpc_subnets
Description: List of subnets, each with its own set of arguments corresponding to the subnet type. Subnets are duplicated for each zone in "availability_zones".
Type:
```hcl
list(object({
  vpc_cidr_identifier = optional(string, "primary")
  subnet_identifier   = string
  subnet_type         = string
  netmask_length      = optional(number, 0)
  static_cidrs        = optional(list(string), [])
  network_acl_inbound = optional(list(object({
    rule_number     = number
    rule_action     = string
    protocol        = string
    from_port       = optional(number, null)
    to_port         = optional(number, null)
    icmp_code       = optional(number, 0)
    icmp_type       = optional(number, 0)
    ipv4_cidr_block = optional(string, "")
    ipv6_cidr_block = optional(string, "")
  })), [])
  network_acl_outbound = optional(list(object({
    rule_number     = number
    rule_action     = string
    protocol        = string
    from_port       = optional(number, null)
    to_port         = optional(number, null)
    icmp_code       = optional(number, 0)
    icmp_type       = optional(number, 0)
    ipv4_cidr_block = optional(string, "")
    ipv6_cidr_block = optional(string, "")
  })), [])
  ram_share_principals                = optional(list(string), [])
  ram_share_allow_external_principals = optional(bool, false)
  gateway_endpoints = optional(list(object({
    common_name                = string
    policy_json                = optional(string, null)
    associate_with_all_subnets = optional(bool, false)
  })), [])
  interface_endpoints = optional(list(object({
    common_name         = string
    policy_json         = optional(string, null)
    private_dns_enabled = optional(bool, true)
  })), [])
  private_subnet_config = optional(object({
    default_route_to_public_nat_gateway = optional(bool, false)
    default_route_to_transit_gateway    = optional(bool, false)
    create_private_nat_gateway          = optional(bool, false)
    secondary_private_ip_address_count  = optional(number, 0)
  }), {})
  public_subnet_config = optional(object({
    create_public_nat_gateway         = optional(bool, false)
    map_public_ip_on_launch           = optional(bool, true)
    default_route_to_internet_gateway = optional(bool, true)
  }), {})
  firewall_subnet_config = optional(object({
    default_route_to_internet_gateway   = optional(bool, false)
    default_route_to_public_nat_gateway = optional(bool, false)
    default_route_to_transit_gateway    = optional(bool, false)
  }), {})
  transit_subnet_config = optional(object({
    transit_gateway_create_attachment                  = optional(bool, false)
    transit_gateway_id                                 = optional(string, "")
    transit_gateway_skip_route_table_association       = optional(bool, false)
    transit_gateway_default_route_table_association    = optional(bool, true)
    transit_gateway_default_route_table_propagation    = optional(bool, true)
    transit_gateway_association_with_route_table_id    = optional(string, "")
    transit_gateway_propagation_to_route_table_ids     = optional(list(string), [])
    transit_gateway_appliance_mode_support             = optional(bool, false)
    transit_gateway_ipv6_support                       = optional(bool, false)
    transit_gateway_dns_support                        = optional(bool, true)
    transit_gateway_security_group_referencing_support = optional(bool, false)
  }), {})
}))
```
Default: []
Outputs
The following outputs are exported:
- active_subnet_arns: Map of subnet names with list of active subnet ARNs
- active_subnet_cidr_blocks: Map of subnet names with list of active subnet cidr_blocks
- active_subnet_ids: Map of subnet names with list of active subnet IDs
- all_prefix_list_ids_by_name: List of all prefix lists
- custom_dhcp_options_id: The ID of the DHCP options
- customer_managed_prefix_lists: Map of customer managed prefix lists
- gateway_endpoints: Map of VPC gateway endpoints
- interface_endpoints: Map of VPC interface endpoints
- internet_gateway_arn: The ARN of the Internet Gateway
- internet_gateway_id: The ID of the Internet Gateway
- network_acl_ids: Map of Network ACL IDs
- private_nat_gateway_ids_by_subnet: List of private NAT Gateway IDs by private subnet
- public_nat_gateway_azs: List of Availability Zones where NAT Gateway is deployed
- public_nat_gateway_eip_ids: List of allocation IDs of Elastic IPs created for public NAT Gateway
- public_nat_gateway_eip_public_ips: List of public Elastic IPs created for public NAT Gateway
- public_nat_gateway_ids: List of NAT Gateway IDs
- route_table_ids: Map of route table IDs
- subnet_arns: Map of subnet names with list of ARNs
- subnet_cidr_blocks: Map of subnet names with list of cidr_blocks
- subnet_ids: Map of subnet names with list of IDs
- transit_gateway_vpc_attachement_id: The ID of the transit gateway VPC attachment
- vpc_arn: The ARN of the VPC
- vpc_availability_zones: The availability zones of the VPC
- vpc_cidr_blocks: The CIDR blocks of the VPC
- vpc_enable_dns_hostnames: Whether or not the VPC has DNS hostname support
- vpc_enable_dns_support: Whether or not the VPC has DNS support
- vpc_id: The ID of the VPC
- vpc_instance_tenancy: Tenancy of instances launched within the VPC
- vpc_owner_id: The ID of the AWS account that owns the VPC