AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102
							locals {
  vpc_name = "${var.vpc_info["name"]}-${var.account_name}"
}

data "aws_availability_zones" "available" {
  state = "available"
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> v2.70"
  name    = local.vpc_name
  cidr    = var.vpc_info["cidr"]

  azs = slice(data.aws_availability_zones.available.names, 0, 3)

  private_subnets = [
    cidrsubnet(var.vpc_info["cidr"], 3, 0),
    cidrsubnet(var.vpc_info["cidr"], 3, 1),
    cidrsubnet(var.vpc_info["cidr"], 3, 2),
  ]

  public_subnets = [
    cidrsubnet(var.vpc_info["cidr"], 3, 4),
    cidrsubnet(var.vpc_info["cidr"], 3, 5),
    cidrsubnet(var.vpc_info["cidr"], 3, 6),
  ]

  enable_nat_gateway     = var.enable_nat_gateway
  single_nat_gateway     = var.single_nat_gateway
  one_nat_gateway_per_az = var.one_nat_gateway_per_az
  enable_vpn_gateway     = false
  enable_dns_hostnames   = true
  enable_dhcp_options    = true


  # Endpoints without a DNS setting
  enable_dynamodb_endpoint = false
  enable_s3_endpoint       = false

  # Endpoints with a dns setting
  enable_ec2_endpoint              = false
  ec2_endpoint_private_dns_enabled = false
  ec2_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_ec2messages_endpoint              = false
  ec2messages_endpoint_private_dns_enabled = false
  ec2messages_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_ecr_api_endpoint              = false
  ecr_api_endpoint_private_dns_enabled = false
  ecr_api_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_ecr_dkr_endpoint              = false
  ecr_dkr_endpoint_private_dns_enabled = false
  ecr_dkr_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_kms_endpoint              = false
  kms_endpoint_private_dns_enabled = false
  kms_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_logs_endpoint              = false
  logs_endpoint_private_dns_enabled = false
  logs_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_ssm_endpoint              = false
  ssm_endpoint_private_dns_enabled = false
  ssm_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_ssmmessages_endpoint              = false
  ssmmessages_endpoint_private_dns_enabled = false
  ssmmessages_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_sts_endpoint              = false
  sts_endpoint_private_dns_enabled = false
  sts_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  enable_monitoring_endpoint              = false
  monitoring_endpoint_private_dns_enabled = false
  monitoring_endpoint_security_group_ids  = [module.aws_endpoints_sg.security_group_id]

  #dhcp_options_domain_name = var.dns_info["private"]["zone"]
  #dhcp_options_domain_name_servers = local.dns_servers
  dhcp_options_ntp_servers = ["169.254.169.123"]
  dhcp_options_tags        = merge(local.standard_tags, var.tags)

  tags = merge(local.standard_tags, var.tags, { "Purpose" = var.vpc_info["purpose"] })

  nat_eip_tags = {
    "eip_type" = "natgw"
    Name       = local.vpc_name
  }
}

resource "aws_flow_log" "flowlogs" {
  iam_role_arn    = "arn:${var.aws_partition}:iam::${var.aws_account_id}:role/aws_services/flowlogs"
  log_destination = "arn:${var.aws_partition}:logs:${var.aws_region}:${var.aws_account_id}:log-group:vpc_flow_logs"

  traffic_type = "REJECT" # ALL is very noisy, and CIS only requires rejects.
  vpc_id       = module.vpc.vpc_id
  tags         = merge(local.standard_tags, var.tags)
}