terraform.aws-baseline-infra/examples/eks-lab-ip6/network/main.tf

# Create VPC and subnets

resource "aws_vpc" "vpc1" {
  cidr_block                       = "192.168.123.0/24"
  assign_generated_ipv6_cidr_block = true
  enable_dns_support               = true
  enable_dns_hostnames             = true

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })
}

data "aws_availability_zones" "azs" {
  state = "available"
}

# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "private-subnets" {
  count                           = 2
  availability_zone               = data.aws_availability_zones.azs.names[count.index]
  vpc_id                          = aws_vpc.vpc1.id
  cidr_block                      = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)
  assign_ipv6_address_on_creation = true
  # ipv6 subnets must be a /64
  ipv6_cidr_block                             = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)
  enable_resource_name_dns_a_record_on_launch = true
  tags = merge(local.default-tags,
    { "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/internal-elb" : "1" }
  )
}

# kubernetes tag is needed for alb ingress controller
resource "aws_subnet" "public-subnets" {
  count                           = 2
  availability_zone               = data.aws_availability_zones.azs.names[count.index]
  vpc_id                          = aws_vpc.vpc1.id
  cidr_block                      = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)
  assign_ipv6_address_on_creation = true
  # ipv6 subnets must be a /64
  ipv6_cidr_block                             = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)
  enable_resource_name_dns_a_record_on_launch = true
  tags = merge(local.default-tags,
    { "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/elb" : "1" }
  )
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc1.id
  tags   = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })
}

resource "aws_eip" "ngw-ip" {
  vpc = true
}

resource "aws_nat_gateway" "ngw" {
  allocation_id = aws_eip.ngw-ip.id
  subnet_id     = aws_subnet.public-subnets[0].id
  tags          = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })
}

resource "aws_route_table" "public-rtb" {
  vpc_id = aws_vpc.vpc1.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })
}

resource "aws_route_table" "private-rtb" {
  vpc_id = aws_vpc.vpc1.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_nat_gateway.ngw.id
  }
  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })
}

resource "aws_route_table_association" "public-rtb-asso" {
  count          = length(aws_subnet.public-subnets)
  subnet_id      = aws_subnet.public-subnets[count.index].id
  route_table_id = aws_route_table.public-rtb.id
}

resource "aws_route_table_association" "private-rtb-asso" {
  count          = length(aws_subnet.private-subnets)
  subnet_id      = aws_subnet.private-subnets[count.index].id
  route_table_id = aws_route_table.private-rtb.id
}

resource "aws_vpc_endpoint" "eks-vpcep" {
  vpc_id              = aws_vpc.vpc1.id
  service_name        = "com.amazonaws.${var.aws-region}.eks"
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [aws_security_group.generic-ep-sg.id]
  private_dns_enabled = true
  subnet_ids          = aws_subnet.private-subnets.*.id
  tags                = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}

resource "aws_security_group" "generic-ep-sg" {
  name        = "HttpsAccessToVpcEndpoints"
  description = "HttpsAccessToVpcEndpoints"
  vpc_id      = aws_vpc.vpc1.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc1.cidr_block]
  }

  ingress {
    description      = "TLS from VPC"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = merge({ "Name" : "VpcEpAccess" }, local.default-tags)
}
NEW: EKS sample code 2023-02-21 12:26:31 +08:00			`# Create VPC and subnets`

			`resource "aws_vpc" "vpc1" {`
			`cidr_block = "192.168.123.0/24"`
			`assign_generated_ipv6_cidr_block = true`
			`enable_dns_support = true`
			`enable_dns_hostnames = true`

			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })`
			`}`

			`data "aws_availability_zones" "azs" {`
			`state = "available"`
			`}`

			`# kubernetes tag is needed for alb ingress controller`
			`resource "aws_subnet" "private-subnets" {`
			`count = 2`
			`availability_zone = data.aws_availability_zones.azs.names[count.index]`
			`vpc_id = aws_vpc.vpc1.id`
			`cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)`
			`assign_ipv6_address_on_creation = true`
			`# ipv6 subnets must be a /64`
			`ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)`
			`enable_resource_name_dns_a_record_on_launch = true`
			`tags = merge(local.default-tags,`
			`{ "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },`
			`{ "kubernetes.io/role/internal-elb" : "1" }`
			`)`
			`}`

			`# kubernetes tag is needed for alb ingress controller`
			`resource "aws_subnet" "public-subnets" {`
			`count = 2`
			`availability_zone = data.aws_availability_zones.azs.names[count.index]`
			`vpc_id = aws_vpc.vpc1.id`
			`cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)`
			`assign_ipv6_address_on_creation = true`
			`# ipv6 subnets must be a /64`
			`ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)`
			`enable_resource_name_dns_a_record_on_launch = true`
			`tags = merge(local.default-tags,`
			`{ "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },`
			`{ "kubernetes.io/role/elb" : "1" }`
			`)`
			`}`

			`resource "aws_internet_gateway" "igw" {`
			`vpc_id = aws_vpc.vpc1.id`
			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })`
			`}`

			`resource "aws_eip" "ngw-ip" {`
			`vpc = true`
			`}`

			`resource "aws_nat_gateway" "ngw" {`
			`allocation_id = aws_eip.ngw-ip.id`
			`subnet_id = aws_subnet.public-subnets[0].id`
			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })`
			`}`

			`resource "aws_route_table" "public-rtb" {`
			`vpc_id = aws_vpc.vpc1.id`
			`route {`
			`cidr_block = "0.0.0.0/0"`
			`gateway_id = aws_internet_gateway.igw.id`
			`}`
			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })`
			`}`

			`resource "aws_route_table" "private-rtb" {`
			`vpc_id = aws_vpc.vpc1.id`
			`route {`
			`cidr_block = "0.0.0.0/0"`
			`gateway_id = aws_nat_gateway.ngw.id`
			`}`
			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })`
			`}`

			`resource "aws_route_table_association" "public-rtb-asso" {`
			`count = length(aws_subnet.public-subnets)`
			`subnet_id = aws_subnet.public-subnets[count.index].id`
			`route_table_id = aws_route_table.public-rtb.id`
			`}`

			`resource "aws_route_table_association" "private-rtb-asso" {`
			`count = length(aws_subnet.private-subnets)`
			`subnet_id = aws_subnet.private-subnets[count.index].id`
			`route_table_id = aws_route_table.private-rtb.id`
			`}`

			`resource "aws_vpc_endpoint" "eks-vpcep" {`
			`vpc_id = aws_vpc.vpc1.id`
			`service_name = "com.amazonaws.${var.aws-region}.eks"`
			`vpc_endpoint_type = "Interface"`
			`security_group_ids = [aws_security_group.generic-ep-sg.id]`
			`private_dns_enabled = true`
			`subnet_ids = aws_subnet.private-subnets.*.id`
			`tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })`
			`}`

			`resource "aws_security_group" "generic-ep-sg" {`
			`name = "HttpsAccessToVpcEndpoints"`
			`description = "HttpsAccessToVpcEndpoints"`
			`vpc_id = aws_vpc.vpc1.id`

			`ingress {`
			`description = "TLS from VPC"`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`cidr_blocks = [aws_vpc.vpc1.cidr_block]`
			`}`

			`ingress {`
			`description = "TLS from VPC"`
			`from_port = 443`
			`to_port = 443`
			`protocol = "tcp"`
			`ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]`
			`}`

			`egress {`
			`from_port = 0`
			`to_port = 0`
			`protocol = "-1"`
			`cidr_blocks = ["0.0.0.0/0"]`
			`ipv6_cidr_blocks = ["::/0"]`
			`}`

			`tags = merge({ "Name" : "VpcEpAccess" }, local.default-tags)`
			`}`