Skip to main content
Sponsor @cloudposse

Module: dynamic-subnets

Terraform module to provision public and private subnets in an existing VPC

Note: This module is intended for use with an existing VPC and existing Internet Gateway. To create a new VPC, use terraform-aws-vpc module.

Note: Due to Terraform limitations, many optional inputs to this module are specified as a list(string) that can have zero or one element, rather than as a string that could be empty or null. The designation of an input as a list type does not necessarily mean that you can supply more than one value in the list, so check the input's description before supplying more than one value.

The core function of this module is to create 2 sets of subnets, a "public" set with bidirectional access to the public internet, and a "private" set behind a firewall with egress-only access to the public internet. This includes dividing up a given CIDR range so that a each subnet gets its own distinct CIDR range within that range, and then creating those subnets in the appropriate availability zones. The intention is to keep this module relatively simple and easy to use for the most popular use cases. In its default configuration, this module creates 1 public subnet and 1 private subnet in each of the specified availability zones. The public subnets are configured for bi-directional traffic to the public internet, while the private subnets are configured for egress-only traffic to the public internet. Rather than provide a wealth of configuration options allowing for numerous special cases, this module provides some common options and further provides the ability to suppress the creation of resources, allowing you to create and configure them as you like from outside this module. For example, rather than give you the option to customize the Network ACL, the module gives you the option to create a completely open one (and control access via Security Groups and other means) or not create one at all, allowing you to create and configure one yourself.

Public subnets

This module defines a public subnet as one that has direct access to an internet gateway and can accept incoming connection requests. In the simplest configuration, the module creates a single route table with a default route targeted to the VPC's internet gateway, and associates all the public subnets with that single route table.

Likewise it creates a single Network ACL with associated rules allowing all ingress and all egress, and associates that ACL with all the public subnets.

Private subnets

A private subnet may be able to initiate traffic to the public internet through a NAT gateway, a NAT instance, or an egress-only internet gateway, or it might only have direct access to other private subnets. In the simple configuration, for IPv4 and/or IPv6 with NAT64 enabled via public_dns64_enabled or private_dns64_enabled, the module creates 1 NAT Gateway or NAT Instance for each private subnet (in the public subnet in the same availability zone), creates 1 route table for each private subnet, and adds to that route table a default route from the subnet to its NAT Gateway or Instance. For IPv6, the module adds a route to the Egress-Only Internet Gateway configured via input.

As with the Public subnets, the module creates a single Network ACL with associated rules allowing all ingress and all egress, and associates that ACL with all the private subnets.

Customization for special use cases

Various features are controlled by bool inputs with names ending in _enabled. By changing the default values, you can enable or disable creation of public subnets, private subnets, route tables, NAT gateways, NAT instances, or Network ACLs. So for example, you could use this module to create only private subnets and the open Network ACL, and then add your own route table associations to the subnets and route all non-local traffic to a Transit Gateway or VPN.

CIDR allocation

For IPv4, you provide a CIDR and the module divides the address space into the largest CIDRs possible that are still small enough to accommodate max_subnet_count subnets of each enabled type (public or private). When max_subnet_count is left at the default 0, it is set to the total number of availability zones in the region. Private subnets are allocated out of the first half of the reserved range, and public subnets are allocated out of the second half.

For IPv6, you provide a /56 CIDR and the module assigns /64 subnets of that CIDR in consecutive order starting at zero. (You have the option of specifying a list of CIDRs instead.) As with IPv4, enough CIDRs are allocated to cover max_subnet_count private and public subnets (when both are enabled, which is the default), with the private subnets being allocated out of the lower half of the reservation and the public subnets allocated out of the upper half.

Usage

module "subnets" {
  source = "cloudposse/dynamic-subnets/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace           = "eg"
  stage               = "prod"
  name                = "app"
  vpc_id              = "vpc-XXXXXXXX"
  igw_id              = ["igw-XXXXXXXX"]
  ipv4_cidr_block     = ["10.0.0.0/16"]
  availability_zones  = ["us-east-1a", "us-east-1b"]
}

Create only private subnets, route to transit gateway:

module "private_tgw_subnets" {
  source = "cloudposse/dynamic-subnets/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"
  namespace           = "eg"
  stage               = "prod"
  name                = "app"
  vpc_id              = "vpc-XXXXXXXX"
  igw_id              = ["igw-XXXXXXXX"]
  ipv4_cidr_block     = ["10.0.0.0/16"]
  availability_zones  = ["us-east-1a", "us-east-1b"]

  nat_gateway_enabled    = false
  public_subnets_enabled = false
}

resource "aws_route" "private" {
  count = length(module.private_tgw_subnets.private_route_table_ids)

  route_table_id         = module.private_tgw_subnets.private_route_table_ids[count.index]
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = "tgw-XXXXXXXXX"
}

See examples for working examples. In particular, see examples/nacls for an example of how to create custom Network Access Control Lists (NACLs) outside of but in conjunction with this module.

Variables

Required Variables

vpc_id (string) required

VPC ID where subnets will be created (e.g. vpc-aceb2723)

Optional Variables

availability_zone_attribute_style (string) optional

The style of Availability Zone code to use in tags and names. One of full, short, or fixed.
When using availability_zone_ids, IDs will first be translated into AZ names.



Default value: "short"

availability_zone_ids (list(string)) optional

List of Availability Zones IDs where subnets will be created. Overrides availability_zones.
Useful in some regions when using only some AZs and you want to use the same ones across multiple accounts.



Default value: [ ]

availability_zones (list(string)) optional

List of Availability Zones (AZs) where subnets will be created. Ignored when availability_zone_ids is set.
The order of zones in the list must be stable or else Terraform will continually make changes.
If no AZs are specified, then max_subnet_count AZs will be selected in alphabetical order.
If max_subnet_count > 0 and length(var.availability_zones) > max_subnet_count, the list
will be truncated. We recommend setting availability_zones and max_subnet_count explicitly as constant
(not computed) values for predictability, consistency, and stability.



Default value: [ ]

aws_route_create_timeout (string) optional

DEPRECATED: Use route_create_timeout instead.
Time to wait for AWS route creation, specified as a Go Duration, e.g. 2m



Default value: null

aws_route_delete_timeout (string) optional

DEPRECATED: Use route_delete_timeout instead.
Time to wait for AWS route deletion, specified as a Go Duration, e.g. 2m



Default value: null

igw_id (list(string)) optional

The Internet Gateway ID that the public subnets will route traffic to.
Used if public_route_table_enabled is true, ignored otherwise.



Default value: [ ]

ipv4_cidr_block (list(string)) optional

Base IPv4 CIDR block which will be divided into subnet CIDR blocks (e.g. 10.0.0.0/16). Ignored if ipv4_cidrs is set.
If no CIDR block is provided, the VPC's default IPv4 CIDR block will be used.



Default value: [ ]

ipv4_cidrs optional

Lists of CIDRs to assign to subnets. Order of CIDRs in the lists must not change over time.
Lists may contain more CIDRs than needed.



Type:

list(object({
private = list(string)
public  = list(string)
}))

Default value: [ ]

ipv4_enabled (bool) optional

Set true to enable IPv4 addresses in the subnets


Default value: true

ipv4_private_instance_hostname_type (string) optional

How to generate the DNS name for the instances in the private subnets.
Either ip-name to generate it from the IPv4 address, or
resource-name to generate it from the instance ID.



Default value: "ip-name"

ipv4_private_instance_hostnames_enabled (bool) optional

If true, DNS queries for instance hostnames in the private subnets will be answered with A (IPv4) records.


Default value: false

ipv4_public_instance_hostname_type (string) optional

How to generate the DNS name for the instances in the public subnets.
Either ip-name to generate it from the IPv4 address, or
resource-name to generate it from the instance ID.



Default value: "ip-name"

ipv4_public_instance_hostnames_enabled (bool) optional

If true, DNS queries for instance hostnames in the public subnets will be answered with A (IPv4) records.


Default value: false

ipv6_cidr_block (list(string)) optional

Base IPv6 CIDR block from which /64 subnet CIDRs will be assigned. Must be /56. (e.g. 2600:1f16:c52:ab00::/56).
Ignored if ipv6_cidrs is set. If no CIDR block is provided, the VPC's default IPv6 CIDR block will be used.



Default value: [ ]

ipv6_cidrs optional

Lists of CIDRs to assign to subnets. Order of CIDRs in the lists must not change over time.
Lists may contain more CIDRs than needed.



Type:

list(object({
private = list(string)
public  = list(string)
}))

Default value: [ ]

ipv6_egress_only_igw_id (list(string)) optional

The Egress Only Internet Gateway ID the private IPv6 subnets will route traffic to.
Used if private_route_table_enabled is true and ipv6_enabled is true, ignored otherwise.



Default value: [ ]

ipv6_enabled (bool) optional

Set true to enable IPv6 addresses in the subnets


Default value: false

ipv6_private_instance_hostnames_enabled (bool) optional

If true (or if ipv4_enabled is false), DNS queries for instance hostnames in the private subnets will be answered with AAAA (IPv6) records.



Default value: false

ipv6_public_instance_hostnames_enabled (bool) optional

If true (or if ipv4_enabled is false), DNS queries for instance hostnames in the public subnets will be answered with AAAA (IPv6) records.



Default value: false

map_public_ip_on_launch (bool) optional

If true, instances launched into a public subnet will be assigned a public IPv4 address


Default value: true

max_nats (number) optional

Upper limit on number of NAT Gateways/Instances to create.
Set to 1 or 2 for cost savings at the expense of availability.



Default value: 999

max_subnet_count (number) optional

Sets the maximum number of each type (public or private) of subnet to deploy.
0 will reserve a CIDR for every Availability Zone (excluding Local Zones) in the region, and
deploy a subnet in each availability zone specified in availability_zones or availability_zone_ids,
or every zone if none are specified. We recommend setting this equal to the maximum number of AZs you anticipate using,
to avoid causing subnets to be destroyed and recreated with smaller IPv4 CIDRs when AWS adds an availability zone.
Due to Terraform limitations, you can not set max_subnet_count from a computed value, you have to set it
from an explicit constant. For most cases, 3 is a good choice.



Default value: 0

metadata_http_endpoint_enabled (bool) optional

Whether the metadata service is available on the created NAT instances


Default value: true

metadata_http_put_response_hop_limit (number) optional

The desired HTTP PUT response hop limit (between 1 and 64) for instance metadata requests on the created NAT instances


Default value: 1

metadata_http_tokens_required (bool) optional

Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2, on the created NAT instances


Default value: true

nat_elastic_ips (list(string)) optional

Existing Elastic IPs (not EIP IDs) to attach to the NAT Gateway(s) or Instance(s) instead of creating new ones.


Default value: [ ]

nat_gateway_enabled (bool) optional

Set true to create NAT Gateways to perform IPv4 NAT and NAT64 as needed.
Defaults to true unless nat_instance_enabled is true.



Default value: null

nat_instance_ami_id (list(string)) optional

A list optionally containing the ID of the AMI to use for the NAT instance.
If the list is empty (the default), the latest official AWS NAT instance AMI
will be used. NOTE: The Official NAT instance AMI is being phased out and
does not support NAT64. Use of a NAT gateway is recommended instead.



Default value: [ ]

nat_instance_cpu_credits_override (string) optional

NAT Instance credit option for CPU usage. Valid values are "standard" or "unlimited".
T3 and later instances are launched as unlimited by default. T2 instances are launched as standard by default.



Default value: ""

nat_instance_enabled (bool) optional

Set true to create NAT Instances to perform IPv4 NAT.
Defaults to false.



Default value: null

nat_instance_root_block_device_encrypted (bool) optional

Whether to encrypt the root block device on the created NAT instances


Default value: true

nat_instance_type (string) optional

NAT Instance type


Default value: "t3.micro"

open_network_acl_ipv4_rule_number (number) optional

The rule_no assigned to the network ACL rules for IPv4 traffic generated by this module


Default value: 100

open_network_acl_ipv6_rule_number (number) optional

The rule_no assigned to the network ACL rules for IPv6 traffic generated by this module


Default value: 111

private_assign_ipv6_address_on_creation (bool) optional

If true, network interfaces created in a private subnet will be assigned an IPv6 address


Default value: true

private_dns64_nat64_enabled (bool) optional

If true and IPv6 is enabled, DNS queries made to the Amazon-provided DNS Resolver in private subnets will return synthetic
IPv6 addresses for IPv4-only destinations, and these addresses will be routed to the NAT Gateway.
Requires public_subnets_enabled, nat_gateway_enabled, and private_route_table_enabled to be true to be fully operational.
Defaults to true unless there is no public IPv4 subnet for egress, in which case it defaults to false.



Default value: null

private_label (string) optional

The string to use in IDs and elsewhere to identify resources for the private subnets and distinguish them from resources for the public subnets


Default value: "private"

private_open_network_acl_enabled (bool) optional

If true, a single network ACL be created and it will be associated with every private subnet, and a rule (number 100)
will be created allowing all ingress and all egress. You can add additional rules to this network ACL
using the aws_network_acl_rule resource.
If false, you will need to manage the network ACL outside of this module.



Default value: true

private_route_table_enabled (bool) optional

If true, a network route table and default route to the NAT gateway, NAT instance, or egress-only gateway
will be created for each private subnet (1:1). If false, you will need to create your own route table(s) and route(s).



Default value: true

private_subnets_additional_tags (map(string)) optional

Additional tags to be added to private subnets


Default value: { }

private_subnets_enabled (bool) optional

If false, do not create private subnets (or NAT gateways or instances)


Default value: true

public_assign_ipv6_address_on_creation (bool) optional

If true, network interfaces created in a public subnet will be assigned an IPv6 address


Default value: true

public_dns64_nat64_enabled (bool) optional

If true and IPv6 is enabled, DNS queries made to the Amazon-provided DNS Resolver in public subnets will return synthetic
IPv6 addresses for IPv4-only destinations, and these addresses will be routed to the NAT Gateway.
Requires nat_gateway_enabled and public_route_table_enabled to be true to be fully operational.



Default value: false

public_label (string) optional

The string to use in IDs and elsewhere to identify resources for the public subnets and distinguish them from resources for the private subnets


Default value: "public"

public_open_network_acl_enabled (bool) optional

If true, a single network ACL be created and it will be associated with every public subnet, and a rule
will be created allowing all ingress and all egress. You can add additional rules to this network ACL
using the aws_network_acl_rule resource.
If false, you will need to manage the network ACL outside of this module.



Default value: true

public_route_table_enabled (bool) optional

If true, network route table(s) will be created as determined by public_route_table_per_subnet_enabled and
appropriate routes will be added to destinations this module knows about.
If false, you will need to create your own route table(s) and route(s).
Ignored if public_route_table_ids is non-empty.



Default value: true

public_route_table_ids (list(string)) optional

List optionally containing the ID of a single route table shared by all public subnets
or exactly one route table ID for each public subnet.
If provided, it overrides public_route_table_per_subnet_enabled.
If omitted and public_route_table_enabled is true,
one or more network route tables will be created for the public subnets,
according to the setting of public_route_table_per_subnet_enabled.



Default value: [ ]

public_route_table_per_subnet_enabled (bool) optional

If true (and public_route_table_enabled is true), a separate network route table will be created for and associated with each public subnet.
If false (and public_route_table_enabled is true), a single network route table will be created and it will be associated with every public subnet.
If not set, it will be set to the value of public_dns64_nat64_enabled.



Default value: null

public_subnets_additional_tags (map(string)) optional

Additional tags to be added to public subnets


Default value: { }

public_subnets_enabled (bool) optional

If false, do not create public subnets.
Since NAT gateways and instances must be created in public subnets, these will also not be created when false.



Default value: true

root_block_device_encrypted (bool) optional

DEPRECATED: use nat_instance_root_block_device_encrypted instead.
Whether to encrypt the root block device on the created NAT instances



Default value: null

route_create_timeout (string) optional

Time to wait for a network routing table entry to be created, specified as a Go Duration, e.g. 2m. Use null for proivder default.


Default value: null

route_delete_timeout (string) optional

Time to wait for a network routing table entry to be deleted, specified as a Go Duration, e.g. 2m. Use null for proivder default.


Default value: null

subnet_create_timeout (string) optional

Time to wait for a subnet to be created, specified as a Go Duration, e.g. 2m. Use null for proivder default.


Default value: null

subnet_delete_timeout (string) optional

Time to wait for a subnet to be deleted, specified as a Go Duration, e.g. 5m. Use null for proivder default.


Default value: null

subnet_type_tag_key (string) optional

DEPRECATED: Use public_subnets_additional_tags and private_subnets_additional_tags instead
Key for subnet type tag to provide information about the type of subnets, e.g. cpco.io/subnet/type: private or cpco.io/subnet/type: public



Default value: null

subnet_type_tag_value_format (string) optional

DEPRECATED: Use public_subnets_additional_tags and private_subnets_additional_tags instead.
The value of the subnet_type_tag_key will be set to format(var.subnet_type_tag_value_format, <type>)
where <type> is either public or private.



Default value: "%s"

subnets_per_az_count (number) optional

The number of subnet of each type (public or private) to provision per Availability Zone.



Default value: 1

subnets_per_az_names (list(string)) optional

The subnet names of each type (public or private) to provision per Availability Zone.
This variable is optional.
If a list of names is provided, the list items will be used as keys in the outputs named_private_subnets_map, named_public_subnets_map,
named_private_route_table_ids_map and named_public_route_table_ids_map



Default value:

[
  "common"
]

Context Variables

The following variables are defined in the context.tf file of this module and part of the terraform-null-label pattern.

additional_tag_map (map(string)) optional

Additional key-value pairs to add to each map in tags_as_list_of_maps. Not added to tags or id.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration.


Required: No

Default value: { }

attributes (list(string)) optional

ID element. Additional attributes (e.g. workers or cluster) to add to id,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the delimiter
and treated as a single ID element.


Required: No

Default value: [ ]

context (any) optional

Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as null to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional_tag_map, which are merged.


Required: No

Default value:

{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
delimiter (string) optional

Delimiter to be used between ID elements.
Defaults to - (hyphen). Set to "" to use no delimiter at all.


Required: No

Default value: null

descriptor_formats (any) optional

Describe additional descriptors to be output in the descriptors output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
\{<br/> format = string<br/> labels = list(string)<br/> \}
(Type is any so the map values can later be enhanced to provide additional options.)
format is a Terraform format string to be passed to the format() function.
labels is a list of labels, in order, to pass to format() function.
Label values will be normalized before being passed to format() so they will be
identical to how they appear in id.
Default is {} (descriptors output will be empty).


Required: No

Default value: { }

enabled (bool) optional

Set to false to prevent the module from creating any resources
Required: No

Default value: null

environment (string) optional

ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'
Required: No

Default value: null

id_length_limit (number) optional

Limit id to this many characters (minimum 6).
Set to 0 for unlimited length.
Set to null for keep the existing setting, which defaults to 0.
Does not affect id_full.


Required: No

Default value: null

label_key_case (string) optional

Controls the letter case of the tags keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the tags input.
Possible values: lower, title, upper.
Default value: title.


Required: No

Default value: null

label_order (list(string)) optional

The order in which the labels (ID elements) appear in the id.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present.


Required: No

Default value: null

label_value_case (string) optional

Controls the letter case of ID elements (labels) as included in id,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the tags input.
Possible values: lower, title, upper and none (no transformation).
Set this to title and set delimiter to "" to yield Pascal Case IDs.
Default value: lower.


Required: No

Default value: null

labels_as_tags (set(string)) optional

Set of labels (ID elements) to include as tags in the tags output.
Default is to include all labels.
Tags with empty values will not be included in the tags output.
Set to [] to suppress all generated tags.
Notes:
The value of the name tag, if included, will be the id, not the name.
Unlike other null-label inputs, the initial setting of labels_as_tags cannot be
changed in later chained modules. Attempts to change it will be silently ignored.


Required: No

Default value:

[
  "default"
]
name (string) optional

ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a tag.
The "name" tag is set to the full id string. There is no tag with the value of the name input.


Required: No

Default value: null

namespace (string) optional

ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique
Required: No

Default value: null

regex_replace_chars (string) optional

Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, "/[^a-zA-Z0-9-]/" is used to remove all characters other than hyphens, letters and digits.


Required: No

Default value: null

stage (string) optional

ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'
Required: No

Default value: null

tags (map(string)) optional

Additional tags (e.g. {'BusinessUnit': 'XYZ'}).
Neither the tag keys nor the tag values will be modified by this module.


Required: No

Default value: { }

tenant (string) optional

ID element (Rarely used, not included by default). A customer identifier, indicating who this instance of a resource is for
Required: No

Default value: null

Outputs

availability_zone_ids

List of Availability Zones IDs where subnets were created, when available

availability_zones

List of Availability Zones where subnets were created

az_private_route_table_ids_map

Map of AZ names to list of private route table IDs in the AZs

az_private_subnets_map

Map of AZ names to list of private subnet IDs in the AZs

az_public_route_table_ids_map

Map of AZ names to list of public route table IDs in the AZs

az_public_subnets_map

Map of AZ names to list of public subnet IDs in the AZs

named_private_route_table_ids_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of private route table IDs

named_private_subnets_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of private subnet IDs

named_private_subnets_stats_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of objects with each object having three items: AZ, private subnet ID, private route table ID

named_public_route_table_ids_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of public route table IDs

named_public_subnets_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of public subnet IDs

named_public_subnets_stats_map

Map of subnet names (specified in subnets_per_az_names variable) to lists of objects with each object having three items: AZ, public subnet ID, public route table ID

nat_eip_allocation_ids

Elastic IP allocations in use by NAT

nat_gateway_ids

IDs of the NAT Gateways created

nat_gateway_public_ips

DEPRECATED: use nat_ips instead. Public IPv4 IP addresses in use by NAT.

nat_instance_ami_id

ID of AMI used by NAT instance

nat_instance_ids

IDs of the NAT Instances created

nat_ips

Elastic IP Addresses in use by NAT

private_network_acl_id

ID of the Network ACL created for private subnets

private_route_table_ids

IDs of the created private route tables

private_subnet_arns

ARNs of the created private subnets

private_subnet_cidrs

IPv4 CIDR blocks of the created private subnets

private_subnet_ids

IDs of the created private subnets

private_subnet_ipv6_cidrs

IPv6 CIDR blocks of the created private subnets

public_network_acl_id

ID of the Network ACL created for public subnets

public_route_table_ids

IDs of the created public route tables

public_subnet_arns

ARNs of the created public subnets

public_subnet_cidrs

IPv4 CIDR blocks of the created public subnets

public_subnet_ids

IDs of the created public subnets

public_subnet_ipv6_cidrs

IPv6 CIDR blocks of the created public subnets

Dependencies

Requirements

  • terraform, version: >= 1.1.0
  • aws, version: >= 3.71.0

Providers

  • aws, version: >= 3.71.0

Modules

NameVersionSourceDescription
nat_instance_label0.25.0cloudposse/label/nulln/a
nat_label0.25.0cloudposse/label/nulln/a
private_label0.25.0cloudposse/label/nulln/a
public_label0.25.0cloudposse/label/nulln/a
this0.25.0cloudposse/label/nulln/a
utils1.4.0cloudposse/utils/awsn/a

Resources

The following resources are used by this module:

Data Sources

The following data sources are used by this module:

Subnet calculation logic

terraform-aws-dynamic-subnets creates a set of subnets based on various CIDR inputs and the maximum possible number of subnets, which is max_subnet_count when specified or the number of Availability Zones in the region when max_subnet_count is left at its default value of zero.

You can explicitly provide CIDRs for subnets via ipv4_cidrs and ipv6_cidrs inputs if you want, but the usual use case is to provide a single CIDR which this module will subdivide into a set of CIDRs as follows:

  1. Get number of available AZ in the region:
existing_az_count = length(data.aws_availability_zones.available.names)
  1. Determine how many sets of subnets are being created. (Usually it is 2: public and private): subnet_type_count.
  2. Multiply the results of (1) and (2) to determine how many CIDRs to reserve:
cidr_count = existing_az_count * subnet_type_count
  1. Calculate the number of bits needed to enumerate all the CIDRs:
subnet_bits = ceil(log(cidr_count, 2))
  1. Reserve CIDRs for private subnets using cidrsubnet:
private_subnet_cidrs = [ for netnumber in range(0, existing_az_count): cidrsubnet(cidr_block, subnet_bits, netnumber) ]
  1. Reserve CIDRs for public subnets in the second half of the CIDR block:
public_subnet_cidrs = [ for netnumber in range(existing_az_count, existing_az_count * 2): cidrsubnet(cidr_block, subnet_bits, netnumber) ]

Note that this means that, for example, in a region with 4 availability zones, if you specify only 3 availability zones in var.availability_zones, this module will still reserve CIDRs for the 4th zone. This is so that if you later want to expand into that zone, the existing subnet CIDR assignments will not be disturbed. If you do not want to reserve these CIDRs, set max_subnet_count to the number of zones you are actually using.