`confluent_network` provides a Network resource that enables creating, editing, and deleting Networks on Confluent Cloud.
Example usage with AWS PrivateLink:

```hcl
resource "confluent_environment" "development" {
  display_name = "Development"
}

resource "confluent_network" "aws-private-link" {
  display_name     = "AWS Private Link Network"
  cloud            = "AWS"
  region           = "us-east-1"
  connection_types = ["PRIVATELINK"]
  zones            = ["use1-az1", "use1-az2", "use1-az6"]
  environment {
    id = confluent_environment.development.id
  }
}
```

Example usage with Azure VNet Peering:

```hcl
resource "confluent_environment" "development" {
  display_name = "Development"

  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_network" "azure-peering" {
  display_name     = "Azure Peering Network"
  cloud            = "AZURE"
  region           = "eastus2"
  cidr             = "10.10.0.0/16"
  connection_types = ["PEERING"]
  environment {
    id = confluent_environment.development.id
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Example usage with GCP Private Service Connect:

```hcl
resource "confluent_environment" "development" {
  display_name = "Development"

  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_network" "gcp-private-service-connect" {
  display_name     = "GCP Private Service Connect Network"
  cloud            = "GCP"
  region           = "us-central1"
  connection_types = ["PRIVATELINK"]
  zones            = ["us-central1-a", "us-central1-b", "us-central1-c"]
  environment {
    id = confluent_environment.development.id
  }
  dns_config {
    resolution = "PRIVATE"
  }

  lifecycle {
    prevent_destroy = true
  }
}
```

Example usage with AWS Transit Gateway:

```hcl
resource "confluent_environment" "development" {
  display_name = "Development"

  lifecycle {
    prevent_destroy = true
  }
}

resource "confluent_network" "aws-transit-gateway-attachment" {
  display_name     = "AWS Transit Gateway Attachment Network"
  cloud            = "AWS"
  region           = "us-east-1"
  cidr             = "10.10.0.0/16"
  connection_types = ["TRANSITGATEWAY"]
  environment {
    id = confluent_environment.development.id
  }

  lifecycle {
    prevent_destroy = true
  }
}
```
The following arguments are supported:

- `display_name` - (Required String) The name of the Network.
- `cloud` - (Required String) The cloud service provider in which the network exists. Accepted values are: `AWS`, `AZURE`, and `GCP`.
- `region` - (Required String) The cloud provider region where the network exists.
- `cidr` - (Optional String) The IPv4 CIDR block to be used for the network. Must be `/16`. Required for VPC peering and AWS TransitGateway.
- `reserved_cidr` - (Optional String) The reserved IPv4 CIDR block to be used for the network. Must be `/24`. If not specified, Confluent Cloud Network uses `172.20.255.0/24`.
- `zone_info` (Optional Configuration Blocks) Each item represents information related to a single zone. It supports the following:
  - `zone_id` - (Required String) Cloud provider zone ID.
  - `cidr` - (Required String) The IPv4 CIDR block to be used for the network. Must be `/27`. Required for VPC peering and AWS TransitGateway.
- `connection_types` - (Required List of String) The list of connection types that may be used with the network. Accepted connection types are: `PEERING`, `TRANSITGATEWAY`, and `PRIVATELINK`.
- `zones` - (Optional List of String) The 3 availability zones for this network. They can optionally be specified for AWS networks used with PrivateLink, for GCP networks used with Private Service Connect, and for AWS and GCP networks used with Peering. Otherwise, they are automatically chosen by Confluent Cloud.
  - On AWS, zones are AWS AZ IDs, for example, `use1-az3`.
  - On GCP, zones are GCP zones, for example, `us-central1-c`.
  - On Azure, zones are Confluent-chosen names (for example, `1`, `2`, `3`) since Azure does not have universal zone identifiers.
- `dns_config` (Optional Configuration Block) Network DNS config. It applies only to the `PRIVATELINK` network connection type. When omitted, `resolution` defaults to `CHASED_PRIVATE`. It supports the following:
  - `resolution` - (Required String) Network DNS resolution.
    - When resolution is `CHASED_PRIVATE`, clusters in this network require both public and private DNS to resolve cluster endpoints.
    - When resolution is `PRIVATE`, clusters in this network only require private DNS to resolve cluster endpoints.
- `environment` (Required Configuration Block) supports the following:
  - `id` - (Required String) The ID of the Environment that the Network belongs to, for example, `env-abc123`.

In addition to the preceding arguments, the following attributes are exported:

- `id` - (Required String) The ID of the Network, for example, `n-abc123`.
- `resource_name` - (Required String) The Confluent Resource Name of the Network.
- `dns_domain` - (Optional String) The root DNS domain for the network, for example, `pr123a.us-east-2.aws.confluent.cloud` if applicable. Present on Networks that support Private Link.
- `zonal_subdomains` - (Optional Map) The DNS subdomain for each zone. Present on networks that support Private Link. Keys are zone names, for example, `use2-az1`, and values are DNS domains, for example, `use2-az1.pr123a.us-east-2.aws.confluent.cloud`.
- `gateway` (Optional Configuration Block) supports the following:
  - `id` - (Optional String) The ID of the Gateway, for example, `gw-abc123`.
- `aws` - (Optional Configuration Block) The AWS-specific network details if available. It supports the following:
  - `vpc` - (Required String) The Confluent Cloud VPC ID.
  - `account` - (Required String) The AWS account ID associated with the Confluent Cloud VPC.
  - `private_link_endpoint_service` - (Optional String) The endpoint service of the Confluent Cloud VPC (used for PrivateLink) if available.
- `azure` - (Optional Configuration Block) The Azure-specific network details if available. It supports the following:
  - `private_link_service_aliases` - (Optional Map) The mapping of zones to Private Link Service Aliases if available. Keys are zone names, for example, `1`, and values are Azure Private Link Service Aliases, for example, `s-nk99e-privatelink-1.8c43dcd0-695c-1234-bc35-11fe6abb303a.centralus.azure.privatelinkservice`.
- `gcp` - (Optional Configuration Block) The GCP-specific network details if available. It supports the following:
  - `project` - (Required String) The GCP Project ID associated with the Confluent Cloud VPC.
  - `vpc_network` - (Required String) The network name of the Confluent Cloud VPC.
  - `private_service_connect_service_attachments` - (Optional Map) The mapping of zones to Private Service Connect Service Attachments if available. Keys are zones and values are GCP Private Service Connect service attachments.

You can import a Network by using Environment ID and Network ID, in the format `<Environment ID>/<Network ID>`. The following example shows how to import a Network:

```shell
$ export CONFLUENT_CLOUD_API_KEY="<cloud_api_key>"
$ export CONFLUENT_CLOUD_API_SECRET="<cloud_api_secret>"
$ terraform import confluent_network.my_network env-abc123/n-abc123
```
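The argument reference above states several hard constraints (`cidr` is a `/16` and mandatory for peering and transit gateway, `reserved_cidr` is a `/24`, each `zone_info` `cidr` is a `/27`, `connection_types` is drawn from a fixed set, `dns_config` applies only to `PRIVATELINK`, and `resolution` defaults to `CHASED_PRIVATE`). A pre-apply check over the plan catches violations before an apply call is made against Confluent Cloud. The following Python script is an added example, not part of the Confluent provider or its documentation; it assumes the JSON shape that `terraform show -json` emits (`resource_changes[].change.after`, with nested blocks such as `environment {}` and `dns_config {}` represented as lists of objects), embeds a constructed sample plan, and adds one assumed organizational rule that the provider itself does not impose: PrivateLink networks must set `dns_config.resolution = "PRIVATE"`, so that cluster endpoint resolution does not depend on public DNS.

```python
"""Pre-apply policy check for confluent_network resources in a Terraform plan JSON.

Added example (not part of the Confluent provider docs). Input is the JSON from
`terraform show -json tfplan`; nested blocks (environment, dns_config, zone_info)
appear in each resource's `after` map as lists of objects.
"""
import ipaddress
import json
import sys

ACCEPTED_CLOUDS = {"AWS", "AZURE", "GCP"}
ACCEPTED_CONNECTION_TYPES = {"PEERING", "TRANSITGATEWAY", "PRIVATELINK"}
ACCEPTED_RESOLUTIONS = {"CHASED_PRIVATE", "PRIVATE"}


def _first_block(cfg, key):
    """Return the first nested block stored under `key`, or None when it is absent."""
    blocks = cfg.get(key) or []
    return blocks[0] if blocks else None


def _prefix_findings(label, cidr, expected_prefixlen):
    """Check that `cidr` is a valid IPv4 network with exactly the expected prefix length."""
    if not cidr:
        return []
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.10.1.0/16
    except ValueError as exc:
        return [f"{label} {cidr!r} is not a valid network block: {exc}"]
    if net.version != 4 or net.prefixlen != expected_prefixlen:
        return [f"{label} must be an IPv4 /{expected_prefixlen} block, got {cidr}"]
    return []


def check_network(cfg):
    """Return the list of findings for one confluent_network `after` map (empty means OK)."""
    findings = []
    ctypes = set(cfg.get("connection_types") or [])

    if cfg.get("cloud") not in ACCEPTED_CLOUDS:
        findings.append(f"cloud must be one of {sorted(ACCEPTED_CLOUDS)}")
    if not ctypes:
        findings.append("connection_types is required")
    for unknown in sorted(ctypes - ACCEPTED_CONNECTION_TYPES):
        findings.append(f"unsupported connection type {unknown!r}")

    # cidr: /16, mandatory for peering and transit gateway; reserved_cidr: /24; zone cidr: /27
    cidr = cfg.get("cidr")
    if ctypes & {"PEERING", "TRANSITGATEWAY"} and not cidr:
        findings.append("cidr is required for PEERING and TRANSITGATEWAY networks")
    findings += _prefix_findings("cidr", cidr, 16)
    findings += _prefix_findings("reserved_cidr", cfg.get("reserved_cidr"), 24)
    for zone in cfg.get("zone_info") or []:
        findings += _prefix_findings(f"zone_info[{zone.get('zone_id')}].cidr", zone.get("cidr"), 27)

    zones = cfg.get("zones")
    if zones and len(zones) != 3:
        findings.append(f"zones must list exactly 3 availability zones, got {len(zones)}")

    # dns_config only applies to PRIVATELINK; resolution defaults to CHASED_PRIVATE when omitted
    dns = _first_block(cfg, "dns_config")
    if dns is not None and "PRIVATELINK" not in ctypes:
        findings.append("dns_config applies only to PRIVATELINK networks")
    resolution = (dns or {}).get("resolution") or "CHASED_PRIVATE"
    if resolution not in ACCEPTED_RESOLUTIONS:
        findings.append(f"dns_config.resolution must be one of {sorted(ACCEPTED_RESOLUTIONS)}")
    # Assumed organisational rule (not a provider requirement): PrivateLink networks
    # must resolve cluster endpoints over private DNS only.
    if "PRIVATELINK" in ctypes and resolution != "PRIVATE":
        findings.append("policy: PRIVATELINK networks must set dns_config.resolution = PRIVATE")

    env = _first_block(cfg, "environment")
    if not env or not env.get("id"):
        findings.append("environment.id is required")
    return findings


def check_plan(plan):
    """Map each confluent_network address being created or updated to its findings."""
    results = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "confluent_network":
            continue
        after = rc.get("change", {}).get("after")  # None for a pure delete
        if after is None:
            continue
        findings = check_network(after)
        if findings:
            results[rc["address"]] = findings
    return results


# Constructed sample plan (not real Terraform output): a PrivateLink network that relies
# on the default CHASED_PRIVATE resolution, and a peering network with a /20 and two zones.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "confluent_network.aws-private-link", "type": "confluent_network",
     "change": {"actions": ["create"], "after": {
         "display_name": "AWS Private Link Network", "cloud": "AWS", "region": "us-east-1",
         "connection_types": ["PRIVATELINK"], "zones": ["use1-az1", "use1-az2", "use1-az6"],
         "cidr": None, "reserved_cidr": None, "zone_info": [], "dns_config": [],
         "environment": [{"id": "env-abc123"}]}}},
    {"address": "confluent_network.azure-peering", "type": "confluent_network",
     "change": {"actions": ["create"], "after": {
         "display_name": "Azure Peering Network", "cloud": "AZURE", "region": "eastus2",
         "connection_types": ["PEERING"], "zones": ["1", "2"], "cidr": "10.10.0.0/20",
         "reserved_cidr": None, "zone_info": [], "dns_config": [{"resolution": "PRIVATE"}],
         "environment": [{"id": "env-abc123"}]}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = check_plan(plan)
    print(json.dumps(findings, indent=2))
    sys.exit(1 if findings else 0)
```

Wire it into the pipeline between plan and apply: `terraform plan -out tfplan`, then `terraform show -json tfplan > plan.json`, then `python check_network_plan.py plan.json` (the file name is an assumption); a non-zero exit blocks the apply. Against the embedded sample the PrivateLink network gets one finding (the assumed PRIVATE-resolution policy) and the peering network gets three (prefix length, zone count, and a `dns_config` block on a non-PrivateLink network).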
The following end-to-end examples might help to get started with the `confluent_network` resource:

- `dedicated-privatelink-aws-kafka-acls`: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs
- `dedicated-privatelink-aws-kafka-rbac`: _Dedicated_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using RBAC
- `dedicated-privatelink-azure-kafka-rbac`: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using RBAC
- `dedicated-privatelink-azure-kafka-acls`: _Dedicated_ Kafka cluster on Azure that is accessible via PrivateLink connections with authorization using ACLs
- `dedicated-private-service-connect-gcp-kafka-acls`: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using ACLs
- `dedicated-private-service-connect-gcp-kafka-rbac`: _Dedicated_ Kafka cluster on GCP that is accessible via Private Service Connect connections with authorization using RBAC
- `dedicated-vnet-peering-azure-kafka-acls`: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using ACLs
- `dedicated-vnet-peering-azure-kafka-rbac`: _Dedicated_ Kafka cluster on Azure that is accessible via VPC Peering connections with authorization using RBAC
- `dedicated-vpc-peering-aws-kafka-acls`: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using ACLs
- `dedicated-vpc-peering-aws-kafka-rbac`: _Dedicated_ Kafka cluster on AWS that is accessible via VPC Peering connections with authorization using RBAC
- `dedicated-vpc-peering-gcp-kafka-acls`: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using ACLs
- `dedicated-vpc-peering-gcp-kafka-rbac`: _Dedicated_ Kafka cluster on GCP that is accessible via VPC Peering connections with authorization using RBAC
- `dedicated-transit-gateway-attachment-aws-kafka-acls`: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using ACLs
- `dedicated-transit-gateway-attachment-aws-kafka-rbac`: _Dedicated_ Kafka cluster on AWS that is accessible via Transit Gateway Endpoint with authorization using RBAC
- `enterprise-privatelinkattachment-aws-kafka-acls`: _Enterprise_ Kafka cluster on AWS that is accessible via PrivateLink connections with authorization using ACLs