RussellGilmore/red-network
Red Network

Red Network Module

Requirements:

  1. Terraform 1.14.6
  2. Trivy >= 0.68.2

Trivy can be installed via Homebrew on macOS with the command:

brew install aquasecurity/trivy/trivy

A VPC Network module designed to be practical for casual use.

Features

  • VPC with DNS hostname and DNS resolution support
  • Flexible subnet configuration via a single map variable (public, private, or both)
  • Internet Gateway provisioned automatically when public subnets exist
  • NAT Gateway with Elastic IP for private subnet outbound internet access
  • S3 Gateway VPC Endpoint with route table associations
  • Optional Transit Gateway creation for hub-and-spoke network topologies
  • Optional Transit Gateway VPC attachment with automatic private subnet selection
  • Cross-VPC routing via configurable CIDR-based Transit Gateway routes on both public and private route tables
  • Centralized NAT gateway sharing — spoke VPCs can skip local NAT and route outbound internet traffic through a hub VPC's NAT via the Transit Gateway
  • Trivy security scanning via pre-commit hooks
  • Terratest integration tests for baseline and transit gateway deployments
  • Configurable tags with default project and orchestrator metadata

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.15.0 |
| aws | >= 6.47.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 6.47.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_ec2_transit_gateway.main | resource |
| aws_ec2_transit_gateway_vpc_attachment.main | resource |
| aws_eip.nat | resource |
| aws_internet_gateway.main | resource |
| aws_nat_gateway.main | resource |
| aws_route.private_centralized_nat | resource |
| aws_route.private_nat | resource |
| aws_route.private_tgw | resource |
| aws_route.public_internet | resource |
| aws_route.public_tgw | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_subnet.subnets | resource |
| aws_vpc.main | resource |
| aws_vpc_endpoint.s3 | resource |
| aws_vpc_endpoint_route_table_association.s3_private | resource |
| aws_vpc_endpoint_route_table_association.s3_public | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_tags | Additional tags to apply to the resources | map(string) | {} | no |
| attach_to_transit_gateway | Whether to attach this VPC to a Transit Gateway | bool | false | no |
| create_nat_gateway | Whether to create a NAT gateway for private subnet outbound internet access. Defaults to true (created when public subnets exist). Set to false for public-only VPCs (e.g. bastion or build hosts) that have no private subnets needing egress, avoiding the NAT gateway hourly + data processing cost. Ignored when use_centralized_nat is true. | bool | true | no |
| create_transit_gateway | Whether to create a new Transit Gateway | bool | false | no |
| project_name | Set the project name. | string | n/a | yes |
| region | Set the appropriate AWS region. | string | n/a | yes |
| subnets | Map of subnets to create. Each subnet should specify name, cidr_block, availability_zone, and type (public/private) | map(object({ name = string, cidr_block = string, availability_zone = string, type = string })) | n/a | yes |
| transit_gateway_asn | Amazon side ASN for the Transit Gateway | number | 64512 | no |
| transit_gateway_id | ID of an existing Transit Gateway to attach to (required if attach_to_transit_gateway is true and create_transit_gateway is false) | string | "" | no |
| transit_gateway_name | Name for the Transit Gateway (only used if create_transit_gateway is true) | string | "" | no |
| transit_gateway_routes | List of CIDR blocks to route through the Transit Gateway (e.g., other VPC CIDRs) | list(string) | [] | no |
| use_centralized_nat | If true, this VPC will NOT create its own NAT gateway. Instead, a default route (0.0.0.0/0) on private subnets will point to the Transit Gateway, expecting a hub VPC to provide NAT. Only applies when attach_to_transit_gateway is true. | bool | false | no |
| vpc_cidr | CIDR block for the VPC | string | n/a | yes |
| vpc_name | Name of the VPC | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| has_public_subnets | Boolean indicating if the VPC has any public subnets |
| internet_gateway_id | ID of the Internet Gateway (if public subnets exist) |
| nat_gateway_id | ID of the NAT Gateway (if created — not present when using centralized NAT) |
| nat_gateway_public_ip | Public IP address of the NAT Gateway (if created — not present when using centralized NAT) |
| private_route_table_id | ID of the private route table |
| private_subnet_ids | List of private subnet IDs |
| public_route_table_id | ID of the public route table (if public subnets exist) |
| public_subnet_ids | List of public subnet IDs |
| s3_vpc_endpoint_id | ID of the S3 VPC Endpoint |
| s3_vpc_endpoint_prefix_list_id | Prefix list ID of the S3 VPC Endpoint (useful for security groups) |
| subnet_arns | Map of subnet names to their ARNs |
| subnet_availability_zones | Map of subnet names to their availability zones |
| subnet_cidrs | Map of subnet names to their CIDR blocks |
| subnet_ids | Map of subnet names to their IDs |
| transit_gateway_arn | ARN of the Transit Gateway (if created) |
| transit_gateway_attachment_id | ID of the Transit Gateway VPC Attachment (if attached) |
| transit_gateway_id | ID of the Transit Gateway (if created) |
| using_centralized_nat | Boolean indicating if this VPC uses centralized NAT via Transit Gateway |
| vpc_arn | The ARN of the VPC |
| vpc_cidr | The CIDR block of the VPC |
| vpc_id | The ID of the VPC |
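The following is an added example, not code from the repository, showing how the features list and the inputs/outputs above combine into the hub-and-spoke centralized NAT arrangement: a hub VPC that creates the Transit Gateway and the only NAT gateway, and a private-only spoke that sends its default route to the Transit Gateway. The module source path, region, names and CIDR blocks are assumed values.

```hcl
# Added example (not from the red-network repository). Source path, region,
# names and CIDRs are assumptions; only the module's documented inputs are used.

module "hub" {
  source       = "./modules/red-network" # assumed path to this module
  project_name = "demo"
  region       = "us-east-1"
  vpc_name     = "hub"
  vpc_cidr     = "10.0.0.0/16"

  # Public subnet => Internet Gateway and (create_nat_gateway defaults to true) the NAT gateway.
  subnets = {
    public_a  = { name = "hub-public-a", cidr_block = "10.0.0.0/24", availability_zone = "us-east-1a", type = "public" }
    private_a = { name = "hub-private-a", cidr_block = "10.0.10.0/24", availability_zone = "us-east-1a", type = "private" }
  }

  # Hub owns the Transit Gateway and attaches its private subnet to it.
  create_transit_gateway    = true
  transit_gateway_name      = "demo-tgw"
  attach_to_transit_gateway = true

  # Return path: the spoke CIDR is routed to the TGW on BOTH hub route tables,
  # including the public one that holds the NAT gateway, so NAT'd replies reach the spoke.
  transit_gateway_routes = ["10.1.0.0/16"]
}

module "spoke" {
  source       = "./modules/red-network" # assumed path to this module
  project_name = "demo"
  region       = "us-east-1"
  vpc_name     = "spoke"
  vpc_cidr     = "10.1.0.0/16"

  # Private-only spoke: no public subnets, so no Internet Gateway and no local NAT.
  subnets = {
    private_a = { name = "spoke-private-a", cidr_block = "10.1.10.0/24", availability_zone = "us-east-1a", type = "private" }
  }

  # Attach to the hub's TGW (create_transit_gateway stays false, so transit_gateway_id is required).
  attach_to_transit_gateway = true
  transit_gateway_id        = module.hub.transit_gateway_id

  # Private 0.0.0.0/0 -> TGW; create_nat_gateway is ignored when this is true.
  use_centralized_nat = true

  # Hub CIDR routed via the TGW for east-west traffic (more specific than 0.0.0.0/0).
  transit_gateway_routes = ["10.0.0.0/16"]
}
```

The resources table lists no aws_ec2_transit_gateway_route, so the Transit Gateway's own route table must still send 0.0.0.0/0 from the spoke attachment toward the hub attachment (configured outside this module); without that route, spoke private traffic has no next hop past the TGW.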

About

A simple standalone AWS network Terraform infrastructure module.
