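# Networking for the cluster: one dual-stack VPC, two private and two public
# subnets (one of each per AZ), IGW + single NAT gateway, route tables, and a
# private EKS API interface endpoint.
#
# Layout of the /24 VPC CIDR (cidrsubnet(..., 2, n) => four /26 blocks):
#   index 0,1 -> private subnets, index 2,3 -> public subnets.
# The IPv6 /56 is split the same way into /64s (the only size AWS accepts for
# subnets); IPv6 subnet numbering mirrors the IPv4 numbering.

resource "aws_vpc" "vpc1" {
  cidr_block                       = "192.168.123.0/24"
  assign_generated_ipv6_cidr_block = true
  # DNS support + hostnames are required for private_dns_enabled on the
  # interface endpoint below and for EKS node registration.
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })
}

data "aws_availability_zones" "azs" {
  state = "available"
}

# Private subnets: no public IPv4 on launch (provider default), egress via NAT.
# The kubernetes.io/role/internal-elb tag lets the AWS load balancer / ALB
# ingress controller discover these subnets for internal load balancers.
resource "aws_subnet" "private-subnets" {
  count = 2

  availability_zone = data.aws_availability_zones.azs.names[count.index]
  vpc_id            = aws_vpc.vpc1.id
  cidr_block        = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)

  # IPv6 addresses are globally routable: "private" here only holds because
  # the private route table sends ::/0 to an egress-only gateway, never the IGW.
  assign_ipv6_address_on_creation = true
  # ipv6 subnets must be a /64
  ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)

  enable_resource_name_dns_a_record_on_launch = true

  tags = merge(
    local.default-tags,
    { "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/internal-elb" : "1" }
  )
}

# Public subnets: map_public_ip_on_launch is deliberately left at its default
# (false) so nothing gets a public IPv4 address unless explicitly requested.
# The kubernetes.io/role/elb tag marks them for internet-facing load balancers.
resource "aws_subnet" "public-subnets" {
  count = 2

  availability_zone = data.aws_availability_zones.azs.names[count.index]
  vpc_id            = aws_vpc.vpc1.id
  # +2 skips the two /26 blocks used by the private subnets.
  cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)

  assign_ipv6_address_on_creation = true
  # ipv6 subnets must be a /64
  ipv6_cidr_block = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)

  enable_resource_name_dns_a_record_on_launch = true

  tags = merge(
    local.default-tags,
    { "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/elb" : "1" }
  )
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc1.id

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })
}

# IPv6 has no NAT: private subnets get outbound-only IPv6 through an
# egress-only internet gateway, which rejects unsolicited inbound connections.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.vpc1.id

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-eigw" })
}

resource "aws_eip" "ngw-ip" {
  # NOTE(review): `vpc = true` is deprecated in recent AWS provider releases in
  # favour of `domain = "vpc"`; switch when the provider version is pinned >= 5.
  vpc = true
}

# A single NAT gateway in the first public subnet. This is a single point of
# failure for all private-subnet IPv4 egress (both AZs); add one per AZ with a
# per-AZ private route table if AZ-level resilience is required.
resource "aws_nat_gateway" "ngw" {
  allocation_id = aws_eip.ngw-ip.id
  subnet_id     = aws_subnet.public-subnets[0].id

  # The provider docs recommend an explicit dependency on the IGW: the NAT
  # gateway cannot come up until its subnet's VPC has internet connectivity.
  depends_on = [aws_internet_gateway.igw]

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })
}

resource "aws_route_table" "public-rtb" {
  vpc_id = aws_vpc.vpc1.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  # Public subnets are internet-facing by design, so IPv6 goes straight to
  # the IGW. Inbound reachability is still governed by security groups.
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })
}

resource "aws_route_table" "private-rtb" {
  vpc_id = aws_vpc.vpc1.id

  # A NAT gateway target must use nat_gateway_id; passing it as gateway_id is
  # accepted by the API but the provider reads it back as nat_gateway_id, which
  # produces a perpetual diff on every plan.
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.ngw.id
  }

  # Never point this at aws_internet_gateway.igw: that would make every IPv6
  # host in the private subnets directly reachable from the internet.
  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.eigw.id
  }

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })
}

resource "aws_route_table_association" "public-rtb-asso" {
  count = length(aws_subnet.public-subnets)

  subnet_id      = aws_subnet.public-subnets[count.index].id
  route_table_id = aws_route_table.public-rtb.id
}

resource "aws_route_table_association" "private-rtb-asso" {
  count = length(aws_subnet.private-subnets)

  subnet_id      = aws_subnet.private-subnets[count.index].id
  route_table_id = aws_route_table.private-rtb.id
}

# Keeps EKS control-plane API traffic from worker nodes inside the VPC instead
# of hairpinning through the NAT gateway. With private_dns_enabled the regional
# EKS endpoint name resolves to the endpoint ENIs in the private subnets.
# NOTE(review): other AWS APIs the nodes need (ECR, STS, S3, CloudWatch Logs,
# EC2) still traverse the NAT gateway unless endpoints are added for them too.
resource "aws_vpc_endpoint" "eks-vpcep" {
  vpc_id              = aws_vpc.vpc1.id
  service_name        = "com.amazonaws.${var.aws-region}.eks"
  vpc_endpoint_type   = "Interface"
  security_group_ids  = [aws_security_group.generic-ep-sg.id]
  private_dns_enabled = true
  subnet_ids          = aws_subnet.private-subnets.*.id

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}

# Security group attached to the interface endpoint ENIs: HTTPS from anywhere
# inside the VPC (both address families), nothing else inbound.
resource "aws_security_group" "generic-ep-sg" {
  name        = "HttpsAccessToVpcEndpoints"
  description = "HttpsAccessToVpcEndpoints"
  vpc_id      = aws_vpc.vpc1.id

  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.vpc1.cidr_block]
  }

  ingress {
    description      = "TLS from VPC (IPv6)"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]
  }

  # Interface endpoint ENIs only answer connections and never initiate them,
  # so this allow-all egress is not required; it is retained to keep the rule
  # set identical to what is already deployed. It can be removed safely.
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # default-tags first so the explicit Name wins, matching every other
  # resource in this file (the original merge order let default-tags override it).
  tags = merge(local.default-tags, { "Name" : "VpcEpAccess" })
}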