## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= v1.3.9 |
| [aws](#requirement\_aws) | >= 4.56.0 |
| [local](#requirement\_local) | 2.2.3 |

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | 4.63.0 |
| [aws.hub](#provider\_aws.hub) | 4.63.0 |
| [local](#provider\_local) | 2.2.3 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| [connected\_vpcs](#module\_connected\_vpcs) | aws-ia/vpc/aws | >= 4.2.0 |

## Resources

| Name | Type |
|------|------|
| [aws_ec2_managed_prefix_list_entry.nss_pl_spoke_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_managed_prefix_list_entry) | resource |
| [aws_ec2_managed_prefix_list_entry.nw_segment_pl_spoke_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_managed_prefix_list_entry) | resource |
| [aws_ec2_transit_gateway_route_table_association.vpc_tgw_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
| [aws_ec2_transit_gateway_route_table_propagation.spoke_propagation_to_nss_tgw_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
| [aws_ec2_transit_gateway_route_table_propagation.spoke_propagation_to_nw_segment_tgw_rt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
| [aws_iam_instance_profile.ec2_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
| [aws_iam_role.ec2_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy_attachment.ec2_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
| [aws_instance.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_route53_resolver_rule_association.dnse_out](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule_association) | resource |
| [aws_route53_vpc_association_authorization.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_vpc_association_authorization) | resource |
| [aws_route53_zone_association.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association) | resource |
| [aws_security_group.test_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group_rule.egress_ec2_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [aws_security_group_rule.ingress_cdu_sg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
| [local_file.test_ec2](https://registry.terraform.io/providers/hashicorp/local/2.2.3/docs/resources/file) | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [nw\_shared\_svc\_attributes](#input\_nw\_shared\_svc\_attributes) | Network Shared Service attributes.<br>Outputs from the Network Shared Service module.<br>Work with your Network Shared Services (NSS) team to identify this value. | `any` | n/a | yes |
| [project](#input\_project) | Project name, used as prefix/suffix for resource identification. | `string` | n/a | yes |
| [tags](#input\_tags) | Common and mandatory tags for the resources. | `map(string)` | n/a | yes |
| [ec2\_test\_script](#input\_ec2\_test\_script) | Name of the test script that can be used to test all EC2 instances created for testing.<br>If not provided, the test script is not created. | `string` | `null` | no |
| [spoke\_vpc\_specs](#input\_spoke\_vpc\_specs) | List of specs for the Spoke VPC(s).<br>- `name_prefix`, mandatory. A short name that will be used to name the VPC.<br>- `env_name`, mandatory. Environment name, e.g. dev or prod, used for resource identification.<br>- `cidr_block`, mandatory. CIDR block for the Spoke VPC.<br>  The CIDR block must be in the range /16 to /20.<br>- `az_count`, mandatory. Number of AZs in which subnet(s) are created.<br>  Assumes AZs sorted a-z. Max 6 AZs.<br>- `tags`, optional. Extra tags to add to the VPC. These are carried forward to all its subnets too.<br>  Default: {}.<br>- `network_segment`, optional. Name of the network segment to which the Spoke VPC is connected.<br>  Falls back to "ISOLATED" if the provided segment is not supported by NSS. The attribute itself defaults to "" in the type declaration, which is not a supported segment and therefore resolves to "ISOLATED".<br>  Default: "ISOLATED"<br>- `enable_centralized_vpc_endpoints`, optional. Should the NSS `Centralized VPC Endpoints` be enabled for the Spoke VPC?<br>  Default: true (the `optional(bool, true)` in the type declaration is what applies when the attribute is omitted; set it explicitly rather than relying on the default).<br>- `vpce_service_codes`, optional. List of supported service codes for which the `Centralized VPC Endpoints` are enabled for the Spoke VPC.<br>  If empty, all VPC Endpoints enabled by the NSS are enabled for the Spoke VPC.<br>  Any service code not yet enabled by the NSS is ignored for the Spoke VPC.<br>  Default: []<br>- `enable_hybrid_dns`, optional. Should the NSS `Hybrid DNS` be enabled for the Spoke VPC?<br>  Default: true (per the `optional(bool, true)` in the type declaration; set it explicitly rather than relying on the default).<br>- `enable_centralized_egress_to_internet`, optional. Should the NSS `Centralized Egress to Internet` be enabled for the Spoke VPC?<br>  Default: false<br>  Note: **not yet implemented, must be false**<br>- `enable_centralized_ingress_from_internet`, optional. Should the NSS `Centralized Ingress from Internet` be enabled for the Spoke VPC?<br>  Default: false<br>  Note: **not yet implemented, must be false**<br>- `create_test_ec2`, optional. Should a test EC2 instance be created in every subnet of the Spoke VPC? Intended for connectivity testing only; keep it false outside test environments.<br>  Default: false<br>- `subnets`, mandatory. List of specs for the Subnet(s) in the Spoke VPC.<br>  - `name_prefix`, mandatory. A short name that will be used to name the subnet.<br>  - `cidrs`, mandatory. List of CIDRs for the subnet(s).<br>    The length of the list must be greater than or equal to the `az_count` of the Spoke VPC.<br>  - `type`, mandatory. Type of the subnet.<br>    Must be "public", "private" or "transit\_gateway". There is no default; the type declaration requires it.<br>    For the Spoke VPC to be of any practical use, it must have at least one "transit\_gateway" (/28) subnet and one "private" subnet.<br>  - `tags`, optional. Extra tags to add to the subnet.<br>    Default: {}. | <pre>list(object({<br>    name_prefix                              = string<br>    env_name                                 = string<br>    cidr_block                               = string<br>    az_count                                 = number<br>    tags                                     = optional(map(string), {})<br>    network_segment                          = optional(string, "")<br>    enable_centralized_vpc_endpoints         = optional(bool, true)<br>    vpce_service_codes                       = optional(list(string), [])<br>    enable_hybrid_dns                        = optional(bool, true)<br>    enable_centralized_egress_to_internet    = optional(bool, false)<br>    enable_centralized_ingress_from_internet = optional(bool, false)<br>    create_test_ec2                          = optional(bool, false)<br>    subnets = list(object({<br>      name_prefix = string<br>      cidrs       = list(string)<br>      type        = string<br>      tags        = optional(map(string), {})<br>    }))<br>  }))</pre> | `[]` | no |

## Outputs

| Name | Description |
|------|-------------|
| [test\_ec2\_instances](#output\_test\_ec2\_instances) | List of test EC2 instances. |
| [vpc\_dns\_resolver\_rule\_assoc](#output\_vpc\_dns\_resolver\_rule\_assoc) | List of DNS resolver rule associations with VPCs. |
| [vpc\_vpce\_phz\_assoc](#output\_vpc\_vpce\_phz\_assoc) | List of private hosted zone associations with VPCs. |
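The following is an added example of a root module that calls this Spoke VPC module; it is not the module's own code or part of its generated documentation. It wires both provider configurations the module declares (`aws` and the `aws.hub` alias, which the caller must pass in a `providers` map), re-declares the `spoke_vpc_specs` input with the type shown above plus `validation` blocks that encode the documented constraints (CIDR /16 to /20, at most 6 AZs, at least `az_count` CIDRs per subnet, a /28 `transit_gateway` subnet and a `private` subnet, and the two unimplemented internet features held at false), and sets the two booleans whose `optional(bool, true)` type default differs from the prose explicitly. The module `source` path, the hub role ARN and `module.nss.attributes` are placeholders (assumptions); a `module "nss"` block is assumed to exist elsewhere in the configuration.

```hcl
# Added example root module calling the Spoke VPC module; not the module's
# own code. Placeholders: module source path, hub role ARN, module.nss.attributes.

provider "aws" {
  region = "eu-west-1"
}

# The module declares an aliased provider aws.hub (see Providers above), so the
# caller must supply it; here it assumes a role in the NSS hub account.
provider "aws" {
  alias  = "hub"
  region = "eu-west-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/nss-hub-terraform" # placeholder
  }
}

variable "spoke_vpc_specs" {
  type = list(object({
    name_prefix                              = string
    env_name                                 = string
    cidr_block                               = string
    az_count                                 = number
    tags                                     = optional(map(string), {})
    network_segment                          = optional(string, "")
    enable_centralized_vpc_endpoints         = optional(bool, true)
    vpce_service_codes                       = optional(list(string), [])
    enable_hybrid_dns                        = optional(bool, true)
    enable_centralized_egress_to_internet    = optional(bool, false)
    enable_centralized_ingress_from_internet = optional(bool, false)
    create_test_ec2                          = optional(bool, false)
    subnets = list(object({
      name_prefix = string
      cidrs       = list(string)
      type        = string
      tags        = optional(map(string), {})
    }))
  }))

  # Documented limits: VPC CIDR /16 .. /20, at most 6 AZs, and the two
  # centralized internet features are not yet implemented.
  validation {
    condition = alltrue([
      for v in var.spoke_vpc_specs :
      tonumber(split("/", v.cidr_block)[1]) >= 16 &&
      tonumber(split("/", v.cidr_block)[1]) <= 20 &&
      v.az_count >= 1 && v.az_count <= 6 &&
      !v.enable_centralized_egress_to_internet &&
      !v.enable_centralized_ingress_from_internet
    ])
    error_message = "cidr_block must be /16-/20, az_count 1-6, centralized egress/ingress false."
  }

  # Every subnet needs a known type and at least az_count CIDRs; a usable
  # Spoke VPC has a /28 transit_gateway subnet and a private subnet.
  validation {
    condition = alltrue([
      for v in var.spoke_vpc_specs :
      alltrue([for s in v.subnets :
        contains(["public", "private", "transit_gateway"], s.type) &&
        length(s.cidrs) >= v.az_count
      ]) &&
      anytrue([for s in v.subnets :
        s.type == "transit_gateway" && alltrue([for c in s.cidrs : endswith(c, "/28")])
      ]) &&
      anytrue([for s in v.subnets : s.type == "private"])
    ])
    error_message = "Subnets need a valid type and >= az_count CIDRs, plus one /28 transit_gateway and one private subnet."
  }

  default = [{
    name_prefix                      = "app"
    env_name                         = "dev"
    cidr_block                       = "10.20.0.0/16"
    az_count                         = 2
    network_segment                  = "DEV"         # unsupported names fall back to ISOLATED
    enable_centralized_vpc_endpoints = true          # set explicitly, do not rely on the default
    vpce_service_codes               = ["s3", "ssm"] # codes the NSS has not enabled are ignored
    enable_hybrid_dns                = true
    subnets = [
      { name_prefix = "tgw", type = "transit_gateway", cidrs = ["10.20.255.0/28", "10.20.255.16/28"] },
      { name_prefix = "private", type = "private", cidrs = ["10.20.0.0/20", "10.20.16.0/20"] },
    ]
  }]
}

module "spoke_vpcs" {
  source = "./modules/spoke-vpc" # placeholder path

  providers = {
    aws     = aws
    aws.hub = aws.hub
  }

  project                  = "payments"
  tags                     = { Owner = "platform-team", Environment = "dev" }
  nw_shared_svc_attributes = module.nss.attributes # placeholder output name
  spoke_vpc_specs          = var.spoke_vpc_specs
}
```

The validation blocks fail `terraform plan` before anything is created, which is where a malformed spec should be caught; the checks only reference `var.spoke_vpc_specs`, as Terraform 1.3 requires, and `endswith` needs Terraform >= 1.3, which the module already requires.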