diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 837f45982..11084f7ca 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.99.0
+ rev: v1.100.0
hooks:
- id: terraform_fmt
- id: terraform_docs
@@ -23,7 +23,7 @@ repos:
- '--args=--only=terraform_workspace_remote'
- id: terraform_validate
- repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v5.0.0
+ rev: v6.0.0
hooks:
- id: check-merge-conflict
- id: end-of-file-fixer
diff --git a/README.md b/README.md
index da2482379..11d939520 100644
--- a/README.md
+++ b/README.md
@@ -579,6 +579,7 @@ No modules.
| [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
| [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
| [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | `string` | `null` | no |
| [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
| [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
| [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
diff --git a/UPGRADE-3.0.md b/docs/UPGRADE-3.0.md
similarity index 100%
rename from UPGRADE-3.0.md
rename to docs/UPGRADE-3.0.md
diff --git a/UPGRADE-4.0.md b/docs/UPGRADE-4.0.md
similarity index 100%
rename from UPGRADE-4.0.md
rename to docs/UPGRADE-4.0.md
diff --git a/main.tf b/main.tf
index 618aa2c10..02f377a3a 100644
--- a/main.tf
+++ b/main.tf
@@ -28,6 +28,8 @@ locals {
resource "aws_vpc" "this" {
count = local.create_vpc ? 1 : 0
+ region = var.region
+
cidr_block = var.use_ipam_pool ? null : var.cidr
ipv4_ipam_pool_id = var.ipv4_ipam_pool_id
ipv4_netmask_length = var.ipv4_netmask_length
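Review bot: The resource-level `region` argument introduced here (and in every other main.tf hunk, as well as in modules/vpc-endpoints/main.tf and vpc-flow-logs.tf) is only accepted by provider releases that implement per-resource region overrides; versions.tf is not part of this diff, so confirm the `aws` entry in `required_providers` was raised to such a release, otherwise `terraform validate` fails on every resource that now carries the argument. Because a consumer pinned to an older provider will hit that error with no hint, consider a short comment next to the first use, e.g. `# Requires an AWS provider release with per-resource region support (see variable "region")`. The `aws_vpc.this` body continues outside the hunk.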
@@ -53,6 +55,8 @@ resource "aws_vpc" "this" {
resource "aws_vpc_ipv4_cidr_block_association" "this" {
count = local.create_vpc && length(var.secondary_cidr_blocks) > 0 ? length(var.secondary_cidr_blocks) : 0
+ region = var.region
+
# Do not turn this into `local.vpc_id`
vpc_id = aws_vpc.this[0].id
@@ -62,12 +66,16 @@ resource "aws_vpc_ipv4_cidr_block_association" "this" {
resource "aws_vpc_block_public_access_options" "this" {
count = local.create_vpc && length(keys(var.vpc_block_public_access_options)) > 0 ? 1 : 0
+ region = var.region
+
internet_gateway_block_mode = try(var.vpc_block_public_access_options["internet_gateway_block_mode"], null)
}
resource "aws_vpc_block_public_access_exclusion" "this" {
for_each = { for k, v in var.vpc_block_public_access_exclusions : k => v if local.create_vpc }
+ region = var.region
+
vpc_id = try(each.value.exclude_vpc, false) ? local.vpc_id : null
subnet_id = try(each.value.exclude_subnet, false) ? lookup(
@@ -99,6 +107,8 @@ resource "aws_vpc_block_public_access_exclusion" "this" {
resource "aws_vpc_dhcp_options" "this" {
count = local.create_vpc && var.enable_dhcp_options ? 1 : 0
+ region = var.region
+
domain_name = var.dhcp_options_domain_name
domain_name_servers = var.dhcp_options_domain_name_servers
ntp_servers = var.dhcp_options_ntp_servers
@@ -116,21 +126,27 @@ resource "aws_vpc_dhcp_options" "this" {
resource "aws_vpc_dhcp_options_association" "this" {
count = local.create_vpc && var.enable_dhcp_options ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
dhcp_options_id = aws_vpc_dhcp_options.this[0].id
}
################################################################################
-# PubliŃ Subnets
+# Public Subnets
################################################################################
locals {
create_public_subnets = local.create_vpc && local.len_public_subnets > 0
+
+ num_public_route_tables = var.create_multiple_public_route_tables ? local.len_public_subnets : 1
}
resource "aws_subnet" "public" {
count = local.create_public_subnets && (!var.one_nat_gateway_per_az || local.len_public_subnets >= length(var.azs)) ? local.len_public_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.public_subnet_ipv6_native ? true : var.public_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -157,13 +173,11 @@ resource "aws_subnet" "public" {
)
}
-locals {
- num_public_route_tables = var.create_multiple_public_route_tables ? local.len_public_subnets : 1
-}
-
resource "aws_route_table" "public" {
count = local.create_public_subnets ? local.num_public_route_tables : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -181,6 +195,8 @@ resource "aws_route_table" "public" {
resource "aws_route_table_association" "public" {
count = local.create_public_subnets ? local.len_public_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.public[*].id, count.index)
route_table_id = element(aws_route_table.public[*].id, var.create_multiple_public_route_tables ? count.index : 0)
}
@@ -188,6 +204,8 @@ resource "aws_route_table_association" "public" {
resource "aws_route" "public_internet_gateway" {
count = local.create_public_subnets && var.create_igw ? local.num_public_route_tables : 0
+ region = var.region
+
route_table_id = aws_route_table.public[count.index].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this[0].id
@@ -200,6 +218,8 @@ resource "aws_route" "public_internet_gateway" {
resource "aws_route" "public_internet_gateway_ipv6" {
count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? local.num_public_route_tables : 0
+ region = var.region
+
route_table_id = aws_route_table.public[count.index].id
destination_ipv6_cidr_block = "::/0"
gateway_id = aws_internet_gateway.this[0].id
@@ -212,6 +232,8 @@ resource "aws_route" "public_internet_gateway_ipv6" {
resource "aws_network_acl" "public" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.public[*].id
@@ -225,6 +247,8 @@ resource "aws_network_acl" "public" {
resource "aws_network_acl_rule" "public_inbound" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.public[0].id
egress = false
@@ -242,6 +266,8 @@ resource "aws_network_acl_rule" "public_inbound" {
resource "aws_network_acl_rule" "public_outbound" {
count = local.create_public_subnets && var.public_dedicated_network_acl ? length(var.public_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.public[0].id
egress = true
@@ -267,6 +293,8 @@ locals {
resource "aws_subnet" "private" {
count = local.create_private_subnets ? local.len_private_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.private_subnet_ipv6_native ? true : var.private_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -296,6 +324,8 @@ resource "aws_subnet" "private" {
resource "aws_route_table" "private" {
count = local.create_private_subnets && local.max_subnet_length > 0 ? local.nat_gateway_count : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -313,6 +343,8 @@ resource "aws_route_table" "private" {
resource "aws_route_table_association" "private" {
count = local.create_private_subnets ? local.len_private_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.private[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
@@ -331,6 +363,8 @@ locals {
resource "aws_network_acl" "private" {
count = local.create_private_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.private[*].id
@@ -344,6 +378,8 @@ resource "aws_network_acl" "private" {
resource "aws_network_acl_rule" "private_inbound" {
count = local.create_private_network_acl ? length(var.private_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.private[0].id
egress = false
@@ -361,6 +397,8 @@ resource "aws_network_acl_rule" "private_inbound" {
resource "aws_network_acl_rule" "private_outbound" {
count = local.create_private_network_acl ? length(var.private_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.private[0].id
egress = true
@@ -387,6 +425,8 @@ locals {
resource "aws_subnet" "database" {
count = local.create_database_subnets ? local.len_database_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.database_subnet_ipv6_native ? true : var.database_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -414,6 +454,8 @@ resource "aws_subnet" "database" {
resource "aws_db_subnet_group" "database" {
count = local.create_database_subnets && var.create_database_subnet_group ? 1 : 0
+ region = var.region
+
name = lower(coalesce(var.database_subnet_group_name, var.name))
description = "Database subnet group for ${var.name}"
subnet_ids = aws_subnet.database[*].id
@@ -430,6 +472,8 @@ resource "aws_db_subnet_group" "database" {
resource "aws_route_table" "database" {
count = local.create_database_route_table ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : local.len_database_subnets : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -447,6 +491,8 @@ resource "aws_route_table" "database" {
resource "aws_route_table_association" "database" {
count = local.create_database_subnets ? local.len_database_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.database[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.database[*].id, aws_route_table.private[*].id),
@@ -457,6 +503,8 @@ resource "aws_route_table_association" "database" {
resource "aws_route" "database_internet_gateway" {
count = local.create_database_route_table && var.create_igw && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0
+ region = var.region
+
route_table_id = aws_route_table.database[0].id
destination_cidr_block = "0.0.0.0/0"
gateway_id = aws_internet_gateway.this[0].id
@@ -469,6 +517,8 @@ resource "aws_route" "database_internet_gateway" {
resource "aws_route" "database_nat_gateway" {
count = local.create_database_route_table && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? var.single_nat_gateway ? 1 : local.len_database_subnets : 0
+ region = var.region
+
route_table_id = element(aws_route_table.database[*].id, count.index)
destination_cidr_block = "0.0.0.0/0"
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
@@ -481,6 +531,8 @@ resource "aws_route" "database_nat_gateway" {
resource "aws_route" "database_dns64_nat_gateway" {
count = local.create_database_route_table && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway && var.enable_ipv6 && var.private_subnet_enable_dns64 ? var.single_nat_gateway ? 1 : local.len_database_subnets : 0
+ region = var.region
+
route_table_id = element(aws_route_table.database[*].id, count.index)
destination_ipv6_cidr_block = "64:ff9b::/96"
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
@@ -493,6 +545,8 @@ resource "aws_route" "database_dns64_nat_gateway" {
resource "aws_route" "database_ipv6_egress" {
count = local.create_database_route_table && var.create_egress_only_igw && var.enable_ipv6 && var.create_database_internet_gateway_route ? 1 : 0
+ region = var.region
+
route_table_id = aws_route_table.database[0].id
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = aws_egress_only_internet_gateway.this[0].id
@@ -513,6 +567,8 @@ locals {
resource "aws_network_acl" "database" {
count = local.create_database_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.database[*].id
@@ -526,6 +582,8 @@ resource "aws_network_acl" "database" {
resource "aws_network_acl_rule" "database_inbound" {
count = local.create_database_network_acl ? length(var.database_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.database[0].id
egress = false
@@ -543,6 +601,8 @@ resource "aws_network_acl_rule" "database_inbound" {
resource "aws_network_acl_rule" "database_outbound" {
count = local.create_database_network_acl ? length(var.database_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.database[0].id
egress = true
@@ -569,6 +629,8 @@ locals {
resource "aws_subnet" "redshift" {
count = local.create_redshift_subnets ? local.len_redshift_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.redshift_subnet_ipv6_native ? true : var.redshift_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -596,6 +658,8 @@ resource "aws_subnet" "redshift" {
resource "aws_redshift_subnet_group" "redshift" {
count = local.create_redshift_subnets && var.create_redshift_subnet_group ? 1 : 0
+ region = var.region
+
name = lower(coalesce(var.redshift_subnet_group_name, var.name))
description = "Redshift subnet group for ${var.name}"
subnet_ids = aws_subnet.redshift[*].id
@@ -610,6 +674,8 @@ resource "aws_redshift_subnet_group" "redshift" {
resource "aws_route_table" "redshift" {
count = local.create_redshift_route_table ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -622,6 +688,8 @@ resource "aws_route_table" "redshift" {
resource "aws_route_table_association" "redshift" {
count = local.create_redshift_subnets && !var.enable_public_redshift ? local.len_redshift_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.private[*].id),
@@ -632,6 +700,8 @@ resource "aws_route_table_association" "redshift" {
resource "aws_route_table_association" "redshift_public" {
count = local.create_redshift_subnets && var.enable_public_redshift ? local.len_redshift_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.redshift[*].id, count.index)
route_table_id = element(
coalescelist(aws_route_table.redshift[*].id, aws_route_table.public[*].id),
@@ -650,6 +720,8 @@ locals {
resource "aws_network_acl" "redshift" {
count = local.create_redshift_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.redshift[*].id
@@ -663,6 +735,8 @@ resource "aws_network_acl" "redshift" {
resource "aws_network_acl_rule" "redshift_inbound" {
count = local.create_redshift_network_acl ? length(var.redshift_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.redshift[0].id
egress = false
@@ -680,6 +754,8 @@ resource "aws_network_acl_rule" "redshift_inbound" {
resource "aws_network_acl_rule" "redshift_outbound" {
count = local.create_redshift_network_acl ? length(var.redshift_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.redshift[0].id
egress = true
@@ -706,6 +782,8 @@ locals {
resource "aws_subnet" "elasticache" {
count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.elasticache_subnet_ipv6_native ? true : var.elasticache_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -733,6 +811,8 @@ resource "aws_subnet" "elasticache" {
resource "aws_elasticache_subnet_group" "elasticache" {
count = local.create_elasticache_subnets && var.create_elasticache_subnet_group ? 1 : 0
+ region = var.region
+
name = coalesce(var.elasticache_subnet_group_name, var.name)
description = "ElastiCache subnet group for ${var.name}"
subnet_ids = aws_subnet.elasticache[*].id
@@ -747,6 +827,8 @@ resource "aws_elasticache_subnet_group" "elasticache" {
resource "aws_route_table" "elasticache" {
count = local.create_elasticache_route_table ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -759,6 +841,8 @@ resource "aws_route_table" "elasticache" {
resource "aws_route_table_association" "elasticache" {
count = local.create_elasticache_subnets ? local.len_elasticache_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.elasticache[*].id, count.index)
route_table_id = element(
coalescelist(
@@ -780,6 +864,8 @@ locals {
resource "aws_network_acl" "elasticache" {
count = local.create_elasticache_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.elasticache[*].id
@@ -793,6 +879,8 @@ resource "aws_network_acl" "elasticache" {
resource "aws_network_acl_rule" "elasticache_inbound" {
count = local.create_elasticache_network_acl ? length(var.elasticache_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.elasticache[0].id
egress = false
@@ -810,6 +898,8 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
resource "aws_network_acl_rule" "elasticache_outbound" {
count = local.create_elasticache_network_acl ? length(var.elasticache_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.elasticache[0].id
egress = true
@@ -829,12 +919,15 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
################################################################################
locals {
- create_intra_subnets = local.create_vpc && local.len_intra_subnets > 0
+ create_intra_subnets = local.create_vpc && local.len_intra_subnets > 0
+ num_intra_route_tables = var.create_multiple_intra_route_tables ? local.len_intra_subnets : 1
}
resource "aws_subnet" "intra" {
count = local.create_intra_subnets ? local.len_intra_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.intra_subnet_ipv6_native ? true : var.intra_subnet_assign_ipv6_address_on_creation
availability_zone = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
availability_zone_id = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
@@ -859,13 +952,11 @@ resource "aws_subnet" "intra" {
)
}
-locals {
- num_intra_route_tables = var.create_multiple_intra_route_tables ? local.len_intra_subnets : 1
-}
-
resource "aws_route_table" "intra" {
count = local.create_intra_subnets ? local.num_intra_route_tables : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -883,6 +974,8 @@ resource "aws_route_table" "intra" {
resource "aws_route_table_association" "intra" {
count = local.create_intra_subnets ? local.len_intra_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.intra[*].id, count.index)
route_table_id = element(aws_route_table.intra[*].id, var.create_multiple_intra_route_tables ? count.index : 0)
}
@@ -898,6 +991,8 @@ locals {
resource "aws_network_acl" "intra" {
count = local.create_intra_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.intra[*].id
@@ -911,6 +1006,8 @@ resource "aws_network_acl" "intra" {
resource "aws_network_acl_rule" "intra_inbound" {
count = local.create_intra_network_acl ? length(var.intra_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.intra[0].id
egress = false
@@ -928,6 +1025,8 @@ resource "aws_network_acl_rule" "intra_inbound" {
resource "aws_network_acl_rule" "intra_outbound" {
count = local.create_intra_network_acl ? length(var.intra_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.intra[0].id
egress = true
@@ -953,6 +1052,8 @@ locals {
resource "aws_subnet" "outpost" {
count = local.create_outpost_subnets ? local.len_outpost_subnets : 0
+ region = var.region
+
assign_ipv6_address_on_creation = var.enable_ipv6 && var.outpost_subnet_ipv6_native ? true : var.outpost_subnet_assign_ipv6_address_on_creation
availability_zone = var.outpost_az
cidr_block = var.outpost_subnet_ipv6_native ? null : element(concat(var.outpost_subnets, [""]), count.index)
@@ -982,6 +1083,8 @@ resource "aws_subnet" "outpost" {
resource "aws_route_table_association" "outpost" {
count = local.create_outpost_subnets ? local.len_outpost_subnets : 0
+ region = var.region
+
subnet_id = element(aws_subnet.outpost[*].id, count.index)
route_table_id = element(
aws_route_table.private[*].id,
@@ -1000,6 +1103,8 @@ locals {
resource "aws_network_acl" "outpost" {
count = local.create_outpost_network_acl ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
subnet_ids = aws_subnet.outpost[*].id
@@ -1013,6 +1118,8 @@ resource "aws_network_acl" "outpost" {
resource "aws_network_acl_rule" "outpost_inbound" {
count = local.create_outpost_network_acl ? length(var.outpost_inbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.outpost[0].id
egress = false
@@ -1030,6 +1137,8 @@ resource "aws_network_acl_rule" "outpost_inbound" {
resource "aws_network_acl_rule" "outpost_outbound" {
count = local.create_outpost_network_acl ? length(var.outpost_outbound_acl_rules) : 0
+ region = var.region
+
network_acl_id = aws_network_acl.outpost[0].id
egress = true
@@ -1051,6 +1160,8 @@ resource "aws_network_acl_rule" "outpost_outbound" {
resource "aws_internet_gateway" "this" {
count = local.create_public_subnets && var.create_igw ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -1063,6 +1174,8 @@ resource "aws_internet_gateway" "this" {
resource "aws_egress_only_internet_gateway" "this" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.max_subnet_length > 0 ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
tags = merge(
@@ -1075,6 +1188,8 @@ resource "aws_egress_only_internet_gateway" "this" {
resource "aws_route" "private_ipv6_egress" {
count = local.create_vpc && var.create_egress_only_igw && var.enable_ipv6 && local.len_private_subnets > 0 ? local.nat_gateway_count : 0
+ region = var.region
+
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_ipv6_cidr_block = "::/0"
egress_only_gateway_id = element(aws_egress_only_internet_gateway.this[*].id, 0)
@@ -1092,6 +1207,8 @@ locals {
resource "aws_eip" "nat" {
count = local.create_vpc && var.enable_nat_gateway && !var.reuse_nat_ips ? local.nat_gateway_count : 0
+ region = var.region
+
domain = "vpc"
tags = merge(
@@ -1111,6 +1228,8 @@ resource "aws_eip" "nat" {
resource "aws_nat_gateway" "this" {
count = local.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0
+ region = var.region
+
allocation_id = element(
local.nat_gateway_ips,
var.single_nat_gateway ? 0 : count.index,
@@ -1137,6 +1256,8 @@ resource "aws_nat_gateway" "this" {
resource "aws_route" "private_nat_gateway" {
count = local.create_vpc && var.enable_nat_gateway && var.create_private_nat_gateway_route ? local.nat_gateway_count : 0
+ region = var.region
+
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_cidr_block = var.nat_gateway_destination_cidr_block
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
@@ -1149,6 +1270,8 @@ resource "aws_route" "private_nat_gateway" {
resource "aws_route" "private_dns64_nat_gateway" {
count = local.create_vpc && var.enable_nat_gateway && var.enable_ipv6 && var.private_subnet_enable_dns64 ? local.nat_gateway_count : 0
+ region = var.region
+
route_table_id = element(aws_route_table.private[*].id, count.index)
destination_ipv6_cidr_block = "64:ff9b::/96"
nat_gateway_id = element(aws_nat_gateway.this[*].id, count.index)
@@ -1165,6 +1288,8 @@ resource "aws_route" "private_dns64_nat_gateway" {
resource "aws_customer_gateway" "this" {
for_each = var.customer_gateways
+ region = var.region
+
bgp_asn = each.value["bgp_asn"]
ip_address = each.value["ip_address"]
device_name = lookup(each.value, "device_name", null)
@@ -1188,6 +1313,8 @@ resource "aws_customer_gateway" "this" {
resource "aws_vpn_gateway" "this" {
count = local.create_vpc && var.enable_vpn_gateway ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
amazon_side_asn = var.amazon_side_asn
availability_zone = var.vpn_gateway_az
@@ -1202,6 +1329,8 @@ resource "aws_vpn_gateway" "this" {
resource "aws_vpn_gateway_attachment" "this" {
count = var.vpn_gateway_id != "" ? 1 : 0
+ region = var.region
+
vpc_id = local.vpc_id
vpn_gateway_id = var.vpn_gateway_id
}
@@ -1209,6 +1338,8 @@ resource "aws_vpn_gateway_attachment" "this" {
resource "aws_vpn_gateway_route_propagation" "public" {
count = local.create_vpc && var.propagate_public_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? 1 : 0
+ region = var.region
+
route_table_id = element(aws_route_table.public[*].id, count.index)
vpn_gateway_id = element(
concat(
@@ -1222,6 +1353,8 @@ resource "aws_vpn_gateway_route_propagation" "public" {
resource "aws_vpn_gateway_route_propagation" "private" {
count = local.create_vpc && var.propagate_private_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_private_subnets : 0
+ region = var.region
+
route_table_id = element(aws_route_table.private[*].id, count.index)
vpn_gateway_id = element(
concat(
@@ -1235,6 +1368,8 @@ resource "aws_vpn_gateway_route_propagation" "private" {
resource "aws_vpn_gateway_route_propagation" "intra" {
count = local.create_vpc && var.propagate_intra_route_tables_vgw && (var.enable_vpn_gateway || var.vpn_gateway_id != "") ? local.len_intra_subnets : 0
+ region = var.region
+
route_table_id = element(aws_route_table.intra[*].id, count.index)
vpn_gateway_id = element(
concat(
@@ -1252,6 +1387,8 @@ resource "aws_vpn_gateway_route_propagation" "intra" {
resource "aws_default_vpc" "this" {
count = var.manage_default_vpc ? 1 : 0
+ region = var.region
+
enable_dns_support = var.default_vpc_enable_dns_support
enable_dns_hostnames = var.default_vpc_enable_dns_hostnames
@@ -1265,6 +1402,8 @@ resource "aws_default_vpc" "this" {
resource "aws_default_security_group" "this" {
count = local.create_vpc && var.manage_default_security_group ? 1 : 0
+ region = var.region
+
vpc_id = aws_vpc.this[0].id
dynamic "ingress" {
@@ -1311,6 +1450,8 @@ resource "aws_default_security_group" "this" {
resource "aws_default_network_acl" "this" {
count = local.create_vpc && var.manage_default_network_acl ? 1 : 0
+ region = var.region
+
default_network_acl_id = aws_vpc.this[0].default_network_acl_id
# subnet_ids is using lifecycle ignore_changes, so it is not necessary to list
@@ -1364,6 +1505,8 @@ resource "aws_default_network_acl" "this" {
resource "aws_default_route_table" "default" {
count = local.create_vpc && var.manage_default_route_table ? 1 : 0
+ region = var.region
+
default_route_table_id = aws_vpc.this[0].default_route_table_id
propagating_vgws = var.default_route_table_propagating_vgws
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
index 5b734876b..060889d0a 100644
--- a/modules/vpc-endpoints/README.md
+++ b/modules/vpc-endpoints/README.md
@@ -95,6 +95,7 @@ No modules.
| [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `false` | no |
| [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
+| [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration. If a value is provided, `service_endpoint` must be specified due to https://github.com/hashicorp/terraform-provider-aws/issues/42462 | `string` | `null` | no |
| [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
| [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created. Conflicts with `security_group_name_prefix` | `string` | `null` | no |
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
index 5e2d105b0..d5fcea999 100644
--- a/modules/vpc-endpoints/main.tf
+++ b/modules/vpc-endpoints/main.tf
@@ -9,11 +9,14 @@ locals {
}
data "aws_vpc_endpoint_service" "this" {
- for_each = local.endpoints
+ # This data source is sort of useless without the following
+ # https://github.com/hashicorp/terraform-provider-aws/issues/42462
+ # It only works in the same region as the provider, regardless of the arguments provided (service, service_name, service_regions, etc.)
+ for_each = { for k, v in local.endpoints : k => v if var.region == null }
service = try(each.value.service, null)
service_name = try(each.value.service_name, null)
- service_regions = try(coalescelist(compact([each.value.service_region])), null)
+ service_regions = try([each.value.service_region], null)
filter {
name = "service-type"
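Review bot: Replacing `coalescelist(compact([...]))` with a bare `[each.value.service_region]` changes what reaches the API for an endpoint whose `service_region` is set to an empty string: previously the empty element was dropped and the attribute fell back to `null`, now `[""]` is passed through. If empty-string was never a supported input this is harmless, but if callers used it as "unset" the lookup will now be filtered on an empty region; `service_regions = try(each.value.service_region != "" ? [each.value.service_region] : null, null)` keeps the old tolerance. The for_each filter on `var.region == null` also means this data source is silently skipped once a region is given, which is worth a one-line comment on the `for_each` rather than only in the README. The `aws_vpc_endpoint_service.this` body continues outside the hunk.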
@@ -24,6 +27,8 @@ data "aws_vpc_endpoint_service" "this" {
resource "aws_vpc_endpoint" "this" {
for_each = local.endpoints
+ region = var.region
+
vpc_id = var.vpc_id
service_name = try(each.value.service_endpoint, data.aws_vpc_endpoint_service.this[each.key].service_name)
service_region = try(each.value.service_region, null)
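Review bot: When `var.region` is set and an endpoint omits `service_endpoint`, the `service_name` expression on the line after the new `region` argument has no valid branch — the data source instance does not exist for that key — so `try()` fails with a generic "no valid value" error that does not tell the caller what is missing. The README and variable description state the requirement, but nothing enforces it; a `precondition` on the resource turns this into an actionable plan-time message. The `aws_vpc_endpoint.this` body continues outside the hunk, so the block below goes with its other `lifecycle` settings if any exist there.
```hcl
resource "aws_vpc_endpoint" "this" {
  # … unchanged: for_each, region, vpc_id, service_name, service_region …

  lifecycle {
    precondition {
      condition     = var.region == null || try(each.value.service_endpoint, null) != null
      error_message = "When `region` is set, every endpoint must specify `service_endpoint` (see terraform-provider-aws issue 42462)."
    }
  }
  # … unchanged: remaining arguments …
```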
@@ -76,6 +81,8 @@ resource "aws_vpc_endpoint" "this" {
resource "aws_security_group" "this" {
count = var.create && var.create_security_group ? 1 : 0
+ region = var.region
+
name = var.security_group_name
name_prefix = var.security_group_name_prefix
description = var.security_group_description
@@ -95,6 +102,8 @@ resource "aws_security_group" "this" {
resource "aws_security_group_rule" "this" {
for_each = { for k, v in var.security_group_rules : k => v if var.create && var.create_security_group }
+ region = var.region
+
# Required
security_group_id = aws_security_group.this[0].id
protocol = try(each.value.protocol, "tcp")
diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
index 30a747abd..7744e9048 100644
--- a/modules/vpc-endpoints/variables.tf
+++ b/modules/vpc-endpoints/variables.tf
@@ -4,6 +4,12 @@ variable "create" {
default = true
}
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the region set in the provider configuration. If a value is provided, `service_endpoint` must be specified due to https://github.com/hashicorp/terraform-provider-aws/issues/42462"
+ type = string
+ default = null
+}
+
variable "vpc_id" {
description = "The ID of the VPC in which the endpoint will be used"
type = string
diff --git a/variables.tf b/variables.tf
index d8338267a..1b560ee52 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,13 +1,25 @@
-################################################################################
-# VPC
-################################################################################
-
variable "create_vpc" {
description = "Controls if VPC should be created (it affects almost all resources)"
type = bool
default = true
}
+variable "region" {
+ description = "Region where the resource(s) will be managed. Defaults to the region set in the provider configuration"
+ type = string
+ default = null
+}
+
+variable "tags" {
+ description = "A map of tags to add to all resources"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# VPC
+################################################################################
+
variable "name" {
description = "Name to be used on all the resources as identifier"
type = string
@@ -110,12 +122,6 @@ variable "vpc_tags" {
default = {}
}
-variable "tags" {
- description = "A map of tags to add to all resources"
- type = map(string)
- default = {}
-}
-
variable "vpc_block_public_access_options" {
description = "A map of VPC block public access options"
type = map(string)
diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
index fc7ba90be..b165af872 100644
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -1,20 +1,18 @@
data "aws_region" "current" {
- # Call this API only if create_vpc and enable_flow_log are true
count = var.create_vpc && var.enable_flow_log ? 1 : 0
+
+ region = var.region
}
data "aws_caller_identity" "current" {
- # Call this API only if create_vpc and enable_flow_log are true
count = var.create_vpc && var.enable_flow_log ? 1 : 0
}
data "aws_partition" "current" {
- # Call this API only if create_vpc and enable_flow_log are true
count = var.create_vpc && var.enable_flow_log ? 1 : 0
}
locals {
- # Only create flow log if user selected to create a VPC as well
enable_flow_log = var.create_vpc && var.enable_flow_log
create_flow_log_cloudwatch_iam_role = local.enable_flow_log && var.flow_log_destination_type != "s3" && var.create_flow_log_cloudwatch_iam_role
@@ -36,6 +34,8 @@ locals {
resource "aws_flow_log" "this" {
count = local.enable_flow_log ? 1 : 0
+ region = var.region
+
log_destination_type = var.flow_log_destination_type
log_destination = local.flow_log_destination_arn
log_format = var.flow_log_log_format
@@ -65,6 +65,8 @@ resource "aws_flow_log" "this" {
resource "aws_cloudwatch_log_group" "flow_log" {
count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
+ region = var.region
+
name = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}"
retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
kms_key_id = var.flow_log_cloudwatch_log_group_kms_key_id