diff --git a/README.md b/README.md
index ffe631e3a..f846eefa2 100644
--- a/README.md
+++ b/README.md
@@ -229,6 +229,18 @@ module "vpc_cidr_from_ipam" {
 }
 ```
 
+## Disable default route creation for public subnets
+
+Disabling the creation of the default can be used if you want have a default pointing to other gateways than the internet gateway(IGW)
+
+This is useful if you ex. would want to route all traffic through a AWS Network Firewall, but can also be useful for other purposes
+
+You disable the creation by setting the var.public_enable_default_route variable ex.
+
+```hcl
+ public_disable_default_route = false # <= By default it is true to maintain existing behavior
+```
+
 ## Examples
 
 - [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete) with VPC Endpoints.
@@ -545,6 +557,7 @@ No modules.
 | [propagate\_public\_route\_tables\_vgw](#input\_propagate\_public\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
 | [public\_acl\_tags](#input\_public\_acl\_tags) | Additional tags for the public subnets network ACL | `map(string)` | `{}` | no |
 | [public\_dedicated\_network\_acl](#input\_public\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for public subnets | `bool` | `false` | no |
+| [public\_enable\_default\_route](#input\_public\_enable\_default\_route) | Disable default route to internet gateway for public subnets | `bool` | `true` | no |
 | [public\_inbound\_acl\_rules](#input\_public\_inbound\_acl\_rules) | Public subnets inbound network ACLs | `list(map(string))` |
[| no |
 | [public\_outbound\_acl\_rules](#input\_public\_outbound\_acl\_rules) | Public subnets outbound network ACLs | `list(map(string))` |
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
[| no |
 | [public\_route\_table\_tags](#input\_public\_route\_table\_tags) | Additional tags for the public route tables | `map(string)` | `{}` | no |
diff --git a/main.tf b/main.tf
index 618aa2c10..2dc8fb135 100644
--- a/main.tf
+++ b/main.tf
@@ -186,7 +186,7 @@ resource "aws_route_table_association" "public" {
 }
 
 resource "aws_route" "public_internet_gateway" {
-  count = local.create_public_subnets && var.create_igw ? local.num_public_route_tables : 0
+  count = alltrue([local.create_public_subnets, var.create_igw, var.public_enable_default_route]) ? local.num_public_route_tables : 0
 
   route_table_id = aws_route_table.public[count.index].id
   destination_cidr_block = "0.0.0.0/0"
@@ -198,7 +198,7 @@ resource "aws_route" "public_internet_gateway" {
 }
 
 resource "aws_route" "public_internet_gateway_ipv6" {
-  count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? local.num_public_route_tables : 0
+  count = alltrue([local.create_public_subnets, var.create_igw, var.enable_ipv6, var.public_enable_default_route]) ? local.num_public_route_tables : 0
 
   route_table_id = aws_route_table.public[count.index].id
   destination_ipv6_cidr_block = "::/0"
diff --git a/variables.tf b/variables.tf
index d8338267a..1c6105151 100644
--- a/variables.tf
+++ b/variables.tf
@@ -274,6 +274,12 @@ variable "public_route_table_tags" {
   default = {}
 }
 
+variable "public_enable_default_route" {
+  description = "Disable default route to internet gateway for public subnets"
+  type = bool
+  default = true
+}
+
 ################################################################################
 # Public Network ACLs
 ################################################################################
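Review bot: Nothing in main.tf says what the new toggle leaves behind: with `var.public_enable_default_route = false` the `count` in this hunk drops every `0.0.0.0/0` route from the public route tables, and the `public_internet_gateway_ipv6` hunk drops `::/0` the same way, so the caller must supply their own default route (for example towards a firewall endpoint) or the "public" subnets simply have no path to the internet gateway while the IGW itself is still created. A one-line comment above `count` would make that contract explicit, e.g. `# Skipped when var.public_enable_default_route is false; the caller then owns the default route (v4 and v6) for the public route tables.`, with the same comment on the IPv6 resource. The `alltrue([...])` form also departs from the `&&` chains on the removed lines; either is fine, but the file is easier to scan if one style is used throughout. Both resource bodies continue outside the hunks.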
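Review bot: The new variable's `description` is inverted relative to its name and default: `public_enable_default_route` defaults to `true`, yet the text reads "Disable default route to internet gateway for public subnets", which a reader of the generated inputs table will take to mean that `true` disables the route. Suggest `description = "Whether to create the default route (0.0.0.0/0, and ::/0 when IPv6 is enabled) to the internet gateway in the public route tables. Set to false to supply a different default target, e.g. a firewall endpoint"`. The README hunk has the same problem in the opposite direction: its example sets `public_disable_default_route = false`, a name this change does not define, where the variable added here is `public_enable_default_route`, so copying the example does nothing and silently keeps the IGW route; the generated README table row inherits the inverted description as well.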
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]