# Network layer for the IPv6 EKS lab: a single VPC with a small IPv4 /24 and an
# AWS-assigned IPv6 block, carved into two private and two public subnets below.
resource "aws_vpc" "vpc1" {
  # IPv4 range; the subnets split it into four /26 slices (cidrsubnet(..., 2, n)).
  # NOTE(review): /26 subnets leave few IPv4 addresses for EKS nodes and pods — confirm
  # that is enough for this lab, or that pods are expected to run IPv6-only.
  cidr_block = "192.168.123.0/24"

  # Let AWS allocate the IPv6 range from its pool; the subnets take /64s out of it.
  assign_generated_ipv6_cidr_block = true

  # Both DNS flags must be on for private_dns_enabled on the interface endpoint
  # (aws_vpc_endpoint.eks-vpcep) to work.
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpc1" })
}
# Zones of the provider's region that currently accept new resources. The subnet
# resources index .names[count.index], so the first two returned zones are used.
data "aws_availability_zones" "azs" {
  state = "available"
}
# Private (internal) subnets, one per AZ, dual-stack. The kubernetes.io/role/internal-elb
# tag is what the ALB ingress controller (AWS load balancer controller) uses to pick
# these subnets for internal load balancers.
resource "aws_subnet" "private-subnets" {
  count = 2

  vpc_id            = aws_vpc.vpc1.id
  availability_zone = data.aws_availability_zones.azs.names[count.index]

  # IPv4: slices 0 and 1 of the VPC /24 (public subnets take slices 2 and 3).
  cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index)

  # IPv6: AWS requires subnet prefixes to be exactly /64, hence the 8 extra bits;
  # ENIs launched here get an IPv6 address automatically.
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index)
  assign_ipv6_address_on_creation = true

  # NOTE(review): only the A-record flag is set; for an IPv6-first cluster the AAAA
  # equivalent may be wanted as well — confirm against the EKS IPv6 requirements.
  enable_resource_name_dns_a_record_on_launch = true

  tags = merge(
    local.default-tags,
    { "Name" : "${local.resource-prefix}-private-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/internal-elb" : "1" }
  )
}
# Public subnets, one per AZ, dual-stack. The kubernetes.io/role/elb tag lets the
# ALB ingress controller (AWS load balancer controller) place internet-facing load
# balancers here.
resource "aws_subnet" "public-subnets" {
  count = 2

  vpc_id            = aws_vpc.vpc1.id
  availability_zone = data.aws_availability_zones.azs.names[count.index]

  # IPv4: slices 2 and 3 of the VPC /24, after the two private subnets.
  cidr_block = cidrsubnet(aws_vpc.vpc1.cidr_block, 2, count.index + 2)

  # IPv6: /64 per subnet (AWS mandates /64), offset past the private subnets' /64s.
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.vpc1.ipv6_cidr_block, 8, count.index + 2)
  assign_ipv6_address_on_creation = true

  enable_resource_name_dns_a_record_on_launch = true

  # NOTE(review): map_public_ip_on_launch is left at its default, so instances launched
  # here get no public IPv4 address; in this file only the NAT gateway (and any
  # controller-created load balancers) use these subnets — confirm that is intended.

  tags = merge(
    local.default-tags,
    { "Name" : "${local.resource-prefix}-public-${data.aws_availability_zones.azs.names[count.index]}" },
    { "kubernetes.io/role/elb" : "1" }
  )
}
# Internet gateway attached to the VPC; target of the public route table's default
# route and a prerequisite for the NAT gateway in the public subnet.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc1.id
  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-igw" })
}
# Elastic IP consumed by the NAT gateway. This is the fixed public IPv4 source
# address for all egress from the private subnets.
# NOTE(review): `vpc = true` is the pre-5.x provider argument; newer provider
# releases replace it with `domain = "vpc"` — check the pinned provider version
# before upgrading.
resource "aws_eip" "ngw-ip" {
  vpc = true
}
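# NAT gateway providing IPv4 egress for the private subnets. It lives in the first
# public subnet only, so an outage of that AZ also takes private egress down.
resource "aws_nat_gateway" "ngw" {
  allocation_id = aws_eip.ngw-ip.id
  subnet_id     = aws_subnet.public-subnets[0].id

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-ngw" })

  # Nothing in this resource references the internet gateway, yet the gateway must be
  # attached to the VPC before a NAT gateway can be created in one of its subnets.
  # Make that ordering explicit instead of relying on apply timing.
  depends_on = [aws_internet_gateway.igw]
}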
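# Route table for the public subnets: default routes for both address families go
# to the internet gateway.
resource "aws_route_table" "public-rtb" {
  vpc_id = aws_vpc.vpc1.id

  # IPv4 default route.
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }

  # IPv6 default route. The public subnets assign IPv6 addresses on launch, and without
  # this route those addresses have no path to the internet. Note that IPv6 through an
  # internet gateway is reachable inbound as well as outbound (there is no NAT), so
  # exposure of anything in these subnets is governed by its security groups and the
  # subnet NACL, not by its address family.
  route {
    ipv6_cidr_block = "::/0"
    gateway_id      = aws_internet_gateway.igw.id
  }

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-public-rtb" })
}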
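# Route table for the private subnets: IPv4 egress only, via the NAT gateway.
resource "aws_route_table" "private-rtb" {
  vpc_id = aws_vpc.vpc1.id

  # A NAT gateway is referenced through nat_gateway_id; gateway_id is for internet
  # and virtual private gateways. Passing a nat-* id as gateway_id is read back by the
  # provider under nat_gateway_id, which shows up as a perpetual plan diff.
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.ngw.id
  }

  # NOTE(review): there is no IPv6 default route here, so IPv6 traffic from the private
  # subnets cannot leave the VPC. An aws_egress_only_internet_gateway with a "::/0"
  # route is the outbound-only way to add that — confirm whether IPv6 egress from the
  # private subnets is wanted in this lab.

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-private-rtb" })
}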
# Bind every public subnet to the public route table. count follows the subnet
# resource so the two stay in step if the subnet count changes.
resource "aws_route_table_association" "public-rtb-asso" {
  count = length(aws_subnet.public-subnets)

  route_table_id = aws_route_table.public-rtb.id
  subnet_id      = aws_subnet.public-subnets[count.index].id
}
# Bind every private subnet to the private route table, mirroring the public
# association above.
resource "aws_route_table_association" "private-rtb-asso" {
  count = length(aws_subnet.private-subnets)

  route_table_id = aws_route_table.private-rtb.id
  subnet_id      = aws_subnet.private-subnets[count.index].id
}
# Interface endpoint for the EKS API in the private subnets, so nodes reach the
# control plane without traversing the NAT gateway or the public internet.
resource "aws_vpc_endpoint" "eks-vpcep" {
  vpc_id            = aws_vpc.vpc1.id
  vpc_endpoint_type = "Interface"
  service_name      = "com.amazonaws.${var.aws-region}.eks"

  # One ENI per private subnet.
  subnet_ids = aws_subnet.private-subnets[*].id

  # Only the 443/tcp-from-VPC security group below may talk to the endpoint ENIs.
  security_group_ids = [aws_security_group.generic-ep-sg.id]

  # Overrides the public EKS hostname inside the VPC; relies on the VPC having
  # enable_dns_support and enable_dns_hostnames set (it does, in aws_vpc.vpc1).
  private_dns_enabled = true

  tags = merge(local.default-tags, { "Name" : "${local.resource-prefix}-vpcep-eks" })
}
# Security group attached to the VPC endpoint ENIs: HTTPS from anywhere inside the
# VPC (both address families), nothing from outside.
# NOTE(review): the name is a fixed string rather than using local.resource-prefix
# like the other resources; SG names only need to be unique per VPC, so this holds
# while vpc1 is the only VPC in the state.
resource "aws_security_group" "generic-ep-sg" {
  vpc_id      = aws_vpc.vpc1.id
  name        = "HttpsAccessToVpcEndpoints"
  description = "HttpsAccessToVpcEndpoints"

  # IPv4 side of the VPC.
  ingress {
    description = "TLS from VPC"
    protocol    = "tcp"
    from_port   = 443
    to_port     = 443
    cidr_blocks = [aws_vpc.vpc1.cidr_block]
  }

  # IPv6 side of the VPC.
  ingress {
    description      = "TLS from VPC"
    protocol         = "tcp"
    from_port        = 443
    to_port          = 443
    ipv6_cidr_blocks = [aws_vpc.vpc1.ipv6_cidr_block]
  }

  # Unrestricted egress. Endpoint ENIs only answer connections, so this is effectively
  # unused here; it would matter if the group were reused on instances.
  egress {
    protocol         = "-1"
    from_port        = 0
    to_port          = 0
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  # NOTE(review): merge order is reversed relative to the other resources, so a "Name"
  # key in local.default-tags would override "VpcEpAccess" here — kept as found.
  tags = merge({ "Name" : "VpcEpAccess" }, local.default-tags)
}