terraform: Terraform module for AWS (#2503)

2025-09-18 12:04:41 -04:00 · 2023-11-08 19:10:01 +01:00 · 2023-11-08 19:10:01 +01:00 · cea6204b37
commit cea6204b37
parent 0bac72261d
94 changed files with 912 additions and 87 deletions
--- a/terraform/infrastructure/aws/modules/public_private_subnet/main.tf
+++ b/terraform/infrastructure/aws/modules/public_private_subnet/main.tf
@ -0,0 +1,120 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.17.0"
+    }
+  }
+}
+
+locals {
+  # az_number is a stable mapping of az suffix to a number used for calculating the subnet cidr
+  az_number = {
+    # we start counting at 2 to have the legacy subnet before the first newly created networks
+    # the legacy subnet did not start at a /20 boundary
+    # 0 => 192.168.176.0/24 (unused private subnet cidr)
+    # 1 => 192.168.177.0/24 (unused private subnet cidr)
+    legacy = 2 # => 192.168.178.0/24 (legacy private subnet)
+    a      = 3 # => 192.168.179.0/24 (first newly created zonal private subnet)
+    b      = 4
+    c      = 5
+    d      = 6
+    e      = 7
+    f      = 8
+    g      = 9
+    h      = 10
+    i      = 11
+    j      = 12
+    k      = 13
+    l      = 14
+    m      = 15 # => 192.168.191.0/24 (last reserved zonal private subnet cidr). In reality, AWS doesn't have that many zones in a region.
+  }
+}
+
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+data "aws_availability_zone" "all" {
+  for_each = toset(data.aws_availability_zones.available.names)
+
+  name = each.key
+}
+
+resource "aws_eip" "nat" {
+  for_each = toset(var.zones)
+  domain   = "vpc"
+  tags     = var.tags
+}
+
+resource "aws_subnet" "private" {
+  for_each          = data.aws_availability_zone.all
+  vpc_id            = var.vpc_id
+  cidr_block        = cidrsubnet(var.cidr_vpc_subnet_nodes, 4, local.az_number[each.value.name_suffix])
+  availability_zone = each.key
+  tags              = merge(var.tags, { Name = "${var.name}-subnet-nodes" }, { "kubernetes.io/role/internal-elb" = 1 }) # aws-load-balancer-controller needs role annotation
+  lifecycle {
+    ignore_changes = [
+      cidr_block, # required. Legacy subnets used fixed cidr blocks for the single zone that don't match the new scheme.
+    ]
+  }
+}
+
+resource "aws_subnet" "public" {
+  for_each          = data.aws_availability_zone.all
+  vpc_id            = var.vpc_id
+  cidr_block        = cidrsubnet(var.cidr_vpc_subnet_internet, 4, local.az_number[each.value.name_suffix])
+  availability_zone = each.key
+  tags              = merge(var.tags, { Name = "${var.name}-subnet-internet" }, { "kubernetes.io/role/elb" = 1 }) # aws-load-balancer-controller needs role annotation
+  lifecycle {
+    ignore_changes = [
+      cidr_block, # required. Legacy subnets used fixed cidr blocks for the single zone that don't match the new scheme.
+    ]
+  }
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = var.vpc_id
+  tags   = merge(var.tags, { Name = "${var.name}-internet-gateway" })
+}
+
+resource "aws_nat_gateway" "gw" {
+  for_each      = toset(var.zones)
+  subnet_id     = aws_subnet.public[each.key].id
+  allocation_id = aws_eip.nat[each.key].id
+  tags          = merge(var.tags, { Name = "${var.name}-nat-gateway" })
+}
+
+resource "aws_route_table" "private_nat" {
+  for_each = toset(var.zones)
+  vpc_id   = var.vpc_id
+  tags     = merge(var.tags, { Name = "${var.name}-private-nat" })
+
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.gw[each.key].id
+  }
+}
+
+resource "aws_route_table" "public_igw" {
+  for_each = toset(var.zones)
+  vpc_id   = var.vpc_id
+  tags     = merge(var.tags, { Name = "${var.name}-public-igw" })
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+}
+
+resource "aws_route_table_association" "private_nat" {
+  for_each       = toset(var.zones)
+  subnet_id      = aws_subnet.private[each.key].id
+  route_table_id = aws_route_table.private_nat[each.key].id
+}
+
+resource "aws_route_table_association" "route_to_internet" {
+  for_each       = toset(var.zones)
+  subnet_id      = aws_subnet.public[each.key].id
+  route_table_id = aws_route_table.public_igw[each.key].id
+}
--- a/terraform/infrastructure/aws/modules/public_private_subnet/output.tf
+++ b/terraform/infrastructure/aws/modules/public_private_subnet/output.tf
@ -0,0 +1,19 @@
+output "private_subnet_id" {
+  value = {
+    for az in data.aws_availability_zone.all :
+    az.name => aws_subnet.private[az.name].id
+  }
+}
+
+output "public_subnet_id" {
+  value = {
+    for az in data.aws_availability_zone.all :
+    az.name => aws_subnet.public[az.name].id
+  }
+}
+
+# all_zones is a list of all availability zones in the region
+# it also contains zones that are not currently used by node groups (but might be in the future)
+output "all_zones" {
+  value = distinct(sort([for az in data.aws_availability_zone.all : az.name]))
+}
--- a/terraform/infrastructure/aws/modules/public_private_subnet/variables.tf
+++ b/terraform/infrastructure/aws/modules/public_private_subnet/variables.tf
@ -0,0 +1,34 @@
+variable "name" {
+  type        = string
+  description = "Name of your Constellation, which is used as a prefix for tags."
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC."
+}
+
+variable "zone" {
+  type        = string
+  description = "Main availability zone. Only used for legacy reasons."
+}
+
+variable "zones" {
+  type        = list(string)
+  description = "Availability zones."
+}
+
+variable "cidr_vpc_subnet_nodes" {
+  type        = string
+  description = "CIDR block for the subnet that will contain the nodes."
+}
+
+variable "cidr_vpc_subnet_internet" {
+  type        = string
+  description = "CIDR block for the subnet that contains resources reachable from the Internet."
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "The tags to add to the resource."
+}