To follow this guide you need to have the following.<\/p>
- The latest Terraform binary is installed and configured in your system.<\/li>
- AWS CLI installed <\/a>and configured with a Valid AWS account with full permissions to create and manage AWS VPC service.<\/li>
- If you are using terraform on an ec2 instance, ensure you have a valid IAM role<\/a> attached to the instance with VPC provisioning permissions.<\/li><\/ol>
Terraform AWS VPC Code<\/strong> Repository<\/h2>
AWS VPC terraform code is part of the terraform AWS<\/a> repository. Clone it to your workstation to follow the guide.<\/p>
git clone https:\/\/github.com\/techiescamp\/terraform-aws.git<\/code><\/pre>Fork and clone the repository if you intend to reuse and make changes as per your requirements.<\/p>
Terraform AWS VPC Creation Workflow<\/h2>
The VPC terraform code is structured in the following way.<\/p>
\u251c\u2500\u2500 infra\n\u2502 \u2514\u2500\u2500 vpc\n\u2502 \u251c\u2500\u2500 main.tf\n\u2502 \u2514\u2500\u2500 variables.tf\n\u251c\u2500\u2500 modules\n\u2502 \u2514\u2500\u2500 vpc\n\u2502 \u251c\u2500\u2500 endpoint.tf\n\u2502 \u251c\u2500\u2500 internet-gateway.tf\n\u2502 \u251c\u2500\u2500 nacl.tf\n\u2502 \u251c\u2500\u2500 nat-gateway.tf\n\u2502 \u251c\u2500\u2500 outputs.tf\n\u2502 \u251c\u2500\u2500 route-tables.tf\n\u2502 \u251c\u2500\u2500 subnet.tf\n\u2502 \u251c\u2500\u2500 variables.tf\n\u2502 \u2514\u2500\u2500 vpc.tf\n\u2514\u2500\u2500 vars\n \u2514\u2500\u2500 dev\n \u2514\u2500\u2500 vpc.tfvars<\/code><\/pre>vars<\/strong><\/code> folder contains the variables file namedvpc.tfvars<\/code> . It is the only file that needs modification<\/p>The
modules\/vpc<\/code><\/strong> folder contains the following VPC related resources. All the resource provisioning logic is part of these resources.<\/p>- endpoint<\/li>
- internet-gateway<\/li>
- nacl<\/li>
- nat-gateway<\/li>
- route-tables<\/li>
- subnet<\/li>
- vpc<\/li><\/ol>
The
infra\/vpc\/main.tf<\/code><\/strong> file calls all thevpc<\/strong><\/code> module with all the VPC resources using the variables we pass using thevpc.tfvars<\/code> file<\/p>Create VPC Using Terraform<\/h2>
Note<\/strong>: The VPC and subnets for this demo is created based on our VPC design document<\/a>. Please refer it if you want to understand how to design a VPC.<\/blockquote>
We will be creating the VPC with the following<\/p>\n\n
- \n
- CIDR Block: <\/strong>10.0.0.0\/16<\/li>\n\n\n
- Region:<\/strong> us-west-2<\/li>\n\n\n
- Availability Zones: <\/strong>us-west-2a, us-west-2b, us-west-2c<\/li>\n\n\n
- Subnets<\/strong>: 15 Subnets (One per availability Zone)\n
- \n
- Public Sunets (3)<\/li>\n\n\n
- App Subets (3)<\/li>\n\n\n
- DB Subnets (3)<\/li>\n\n\n
- Management Subnet (3) <\/li>\n\n\n
- Platform Subnet (3)<\/li>\n<\/ul>\n<\/li>\n\n\n
- NAT Gateway<\/strong> for Private subnets<\/li>\n\n\n
- Internet Gateway<\/strong> for public subnets.<\/li>\n\n\n
- Enabled Endpoints:<\/strong> s3, Cloudwatch & Secrets Manager<\/li>\n\n\n
- Dedicated NACLs for 4 set of subnets.<\/li>\n<\/ol>\n\n
Follow the steps give below to create VPC using Terraform code.<\/p>
Step 1: CD in the Cloned Repository<\/h3>
If you haven’t already cloned the repo, clone it using the following command.<\/p>
git clone https:\/\/github.com\/techiescamp\/terraform-aws.git<\/code><\/pre>Then cd in to the terraform-aws folder<\/p>
cd terraform-aws<\/code><\/pre>Step 2: Modify the vpc.tfvars<\/h3>
Note<\/strong>: Open the repository folder in your favorite IDE, as it makes editing and reviewing the code easier.<\/blockquote>
Modify the
vars\/dev\/vpc.tfvars<\/code><\/strong> file as per your requirements.<\/p>If you dont want the NAT gateway, set
create_nat_gateway<\/code><\/strong> to false.<\/p>#vpc\nregion = \"us-west-2\"\nvpc_cidr_block = \"10.0.0.0\/16\"\ninstance_tenancy = \"default\"\nenable_dns_support = true\nenable_dns_hostnames = true\n\n#elastic ip\ndomain = \"vpc\"\n\n#nat-gateway\ncreate_nat_gateway = true\n\n#route-table\ndestination_cidr_block = \"0.0.0.0\/0\"\n\n#tags\nowner = \"techiescamp\"\nenvironment = \"dev\"\ncost_center = \"techiescamp-commerce\"\napplication = \"ecommerce\"\n\n#subnet\n\nmap_public_ip_on_launch = true\n\npublic_subnet_cidr_blocks = [\"10.0.1.0\/24\", \"10.0.2.0\/24\", \"10.0.3.0\/24\"]\napp_subnet_cidr_blocks = [\"10.0.4.0\/24\", \"10.0.5.0\/24\", \"10.0.6.0\/24\"]\ndb_subnet_cidr_blocks = [\"10.0.7.0\/24\", \"10.0.8.0\/24\", \"10.0.9.0\/24\"]\nmanagement_subnet_cidr_blocks = [\"10.0.10.0\/24\", \"10.0.11.0\/24\", \"10.0.12.0\/24\"]\nplatform_subnet_cidr_blocks = [\"10.0.13.0\/24\", \"10.0.14.0\/24\", \"10.0.15.0\/24\"]\navailability_zones = [\"us-west-2a\", \"us-west-2b\", \"us-west-2c\"]\n\n#public nacl\n\ningress_public_nacl_rule_no = [100]\ningress_public_nacl_action = [\"allow\"]\ningress_public_nacl_from_port = [0]\ningress_public_nacl_to_port = [0]\ningress_public_nacl_protocol = [\"-1\"]\ningress_public_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\negress_public_nacl_rule_no = [200]\negress_public_nacl_action = [\"allow\"]\negress_public_nacl_from_port = [0]\negress_public_nacl_to_port = [0]\negress_public_nacl_protocol = [\"-1\"]\negress_public_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\n#app nacl\n\ningress_app_nacl_rule_no = [100]\ningress_app_nacl_action = [\"allow\"]\ningress_app_nacl_from_port = [0]\ningress_app_nacl_to_port = [0]\ningress_app_nacl_protocol = [\"-1\"]\ningress_app_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\negress_app_nacl_rule_no = [200]\negress_app_nacl_action = [\"allow\"]\negress_app_nacl_from_port = [0]\negress_app_nacl_to_port = [0]\negress_app_nacl_protocol = [\"-1\"]\negress_app_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\n##db nacl\n\ningress_db_nacl_rule_no = [100]\ningress_db_nacl_action = [\"allow\"]\ningress_db_nacl_from_port = [0]\ningress_db_nacl_to_port = [0]\ningress_db_nacl_protocol = [\"-1\"]\ningress_db_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\negress_db_nacl_rule_no = [200]\negress_db_nacl_action = [\"allow\"]\negress_db_nacl_from_port = [0]\negress_db_nacl_to_port = [0]\negress_db_nacl_protocol = [\"-1\"]\negress_db_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\n##management nacl\n\ningress_management_nacl_rule_no = [100]\ningress_management_nacl_action = [\"allow\"]\ningress_management_nacl_from_port = [0]\ningress_management_nacl_to_port = [0]\ningress_management_nacl_protocol = [\"-1\"]\ningress_management_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\negress_management_nacl_rule_no = [200]\negress_management_nacl_action = [\"allow\"]\negress_management_nacl_from_port = [0]\negress_management_nacl_to_port = [0]\negress_management_nacl_protocol = [\"-1\"]\negress_management_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\n#platform nacl\n\ningress_platform_nacl_rule_no = [100]\ningress_platform_nacl_action = [\"allow\"]\ningress_platform_nacl_from_port = [0]\ningress_platform_nacl_to_port = [0]\ningress_platform_nacl_protocol = [\"-1\"]\ningress_platform_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\negress_platform_nacl_rule_no = [200]\negress_platform_nacl_action = [\"allow\"]\negress_platform_nacl_from_port = [0]\negress_platform_nacl_to_port = [0]\negress_platform_nacl_protocol = [\"-1\"]\negress_platform_nacl_cidr_block = [\"0.0.0.0\/0\"]\n\n#endpoint\n\ncreate_s3_endpoint = true\ncreate_secrets_manager_endpoint = true\ncreate_cloudwatch_logs_endpoint = true<\/code><\/pre>Step 2: Initialize Terraform and Execute the Plan<\/h3>
Now cd in to infra\/vpc<\/strong> folder and execute the terraform plan to validate the configurations.<\/p>
cd infra\/vpc<\/code><\/pre>Initialize Terraform<\/p>
terraform init<\/code><\/pre>Execute the plan<\/p>
terraform plan -var-file=..\/..\/vars\/dev\/vpc.tfvars<\/code><\/pre>You should see an output with all the resources that will be created by terraform.<\/p>
Step 3: Create VPC With Terraform Apply<\/h3>
Lets create the VPC and related resources using terraform apply.<\/p>
terraform apply -var-file=..\/..\/vars\/dev\/vpc.tfvars<\/code><\/pre>Step 4: Validate VPC<\/h3>
Head over to the AWS Console the check the Resource Map of the VPC.<\/p>
Click on the created VPC and scroll down to view the Resource Map.<\/p>
You should see 15 subnets , 6 route tables, internet gateway and NAT gateway as shown beow.<\/p>
![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/03\/image-77-4.png\")
<\/figure>Step 5: Cleanup the Resources<\/h3>
If you have created the VPC for learning purposes and wish to clean up the resources created by Terraform, execute the following command<\/p>
terraform destroy -var-file=..\/..\/vars\/dev\/vpc.tfvars<\/code><\/pre>Real World Terraform Code Reference<\/h2>
If you want to understand how Terraform code is structured and maintained in a real-world project environment, you should refer to the modernisation platform repository.<\/p>
It contains code and standards that are actually used in the infrastructure management of the UK Ministry of Justice platform.<\/p>
Refer to the architecture decision document<\/a> to understand the reasoning behind each design.<\/p>
https:\/\/github.com\/ministryofjustice\/modernisation-platform<\/code><\/pre>Conclusion<\/h2>
In this guide, we looked at creating aws VPC<\/strong> using terraform.<\/p>
When implemented in real projects, you may need to consider more VPC options, like flow logs, peering connections, etc.<\/p>
For state management, you should use remote backend with s3<\/a> with dynamoDB lock.<\/p>
Also, tweak the Terraform code according to your requirements. If you want to gain more knowledge, go through each resource under the VPC module<\/p>
If you face any errors or have any queries or suggestions, drop a comment below.<\/p>\n
- Internet Gateway<\/strong> for public subnets.<\/li>\n\n\n
- Region:<\/strong> us-west-2<\/li>\n\n\n
- CIDR Block: <\/strong>10.0.0.0\/16<\/li>\n\n\n
- If you are using terraform on an ec2 instance, ensure you have a valid IAM role<\/a> attached to the instance with VPC provisioning permissions.<\/li><\/ol>