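# VPC Module for Code-Server Deployment
# Creates a VPC with public and private subnets, optional NAT gateway(s),
# an S3 gateway endpoint and VPC Flow Logs delivered to CloudWatch Logs.
#
# Variables read here (declared elsewhere in the module): var.vpc_cidr,
# var.public_subnet_cidrs, var.private_subnet_cidrs, var.enable_nat_gateway,
# var.single_nat_gateway, var.enable_vpc_endpoints, var.enable_flow_logs,
# var.flow_logs_retention_days, var.aws_region, var.cluster_name,
# var.name_prefix and var.tags.

locals {
  # Use up to three availability zones. min() keeps slice() from failing in a
  # region that exposes fewer than three AZs.
  az_names = data.aws_availability_zones.available.names
  azs      = slice(local.az_names, 0, min(3, length(local.az_names)))

  # Number of NAT gateways (and matching EIPs): 0 when NAT is disabled,
  # 1 when a single gateway is shared, otherwise one per public subnet.
  nat_count = var.enable_nat_gateway ? (var.single_nat_gateway ? 1 : length(var.public_subnet_cidrs)) : 0

  # Number of private route tables: one shared table when a single NAT
  # gateway is used, otherwise one per private subnet. Tables are created
  # even when NAT is disabled so that every private subnet still has a route
  # table to associate with (previously the association referenced a table
  # that did not exist when enable_nat_gateway = false), and so the S3
  # endpoint has something to attach to.
  private_rt_count = var.single_nat_gateway ? 1 : length(var.private_subnet_cidrs)

  # Default routes through NAT are only added when NAT is actually enabled.
  private_route_count = var.enable_nat_gateway ? local.private_rt_count : 0
}

data "aws_availability_zones" "available" {
  state = "available"
}

# Account id used to pin the flow-logs trust policy to this account.
data "aws_caller_identity" "current" {}

# VPC
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-vpc"
    }
  )
}

# Internet Gateway
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-igw"
    }
  )
}

# Public Subnets
# Instances launched here get a public IP automatically; the
# kubernetes.io tags let EKS place internet-facing load balancers here.
resource "aws_subnet" "public" {
  count = length(var.public_subnet_cidrs)

  vpc_id     = aws_vpc.main.id
  cidr_block = var.public_subnet_cidrs[count.index]
  # Wrap around the AZ list so more subnets than AZs does not index past it.
  availability_zone       = local.azs[count.index % length(local.azs)]
  map_public_ip_on_launch = true

  tags = merge(
    var.tags,
    {
      Name                                        = "${var.name_prefix}-public-subnet-${count.index + 1}"
      "kubernetes.io/role/elb"                    = "1"
      "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    }
  )
}

# Private Subnets
# No public IPs; the kubernetes.io tags let EKS place internal load
# balancers here.
resource "aws_subnet" "private" {
  count = length(var.private_subnet_cidrs)

  vpc_id            = aws_vpc.main.id
  cidr_block        = var.private_subnet_cidrs[count.index]
  availability_zone = local.azs[count.index % length(local.azs)]

  tags = merge(
    var.tags,
    {
      Name                                        = "${var.name_prefix}-private-subnet-${count.index + 1}"
      "kubernetes.io/role/internal-elb"           = "1"
      "kubernetes.io/cluster/${var.cluster_name}" = "shared"
    }
  )
}

# Elastic IPs for NAT Gateways
resource "aws_eip" "nat" {
  count = local.nat_count

  domain = "vpc"

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-nat-eip-${count.index + 1}"
    }
  )

  # An EIP can only be attached once the VPC has an internet gateway.
  depends_on = [aws_internet_gateway.main]
}

# NAT Gateways (one per public subnet unless single_nat_gateway is set)
resource "aws_nat_gateway" "main" {
  count = local.nat_count

  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-nat-${count.index + 1}"
    }
  )

  depends_on = [aws_internet_gateway.main]
}

# Public Route Table
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-public-rt"
    }
  )
}

# Public default route via the internet gateway
resource "aws_route" "public" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.main.id
}

# Public Route Table Associations
resource "aws_route_table_association" "public" {
  count = length(var.public_subnet_cidrs)

  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# Private Route Tables (always created; see local.private_rt_count)
resource "aws_route_table" "private" {
  count = local.private_rt_count

  vpc_id = aws_vpc.main.id

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-private-rt-${count.index + 1}"
    }
  )
}

# Private default routes via NAT (only when NAT is enabled)
resource "aws_route" "private" {
  count = local.private_route_count

  route_table_id         = aws_route_table.private[count.index].id
  destination_cidr_block = "0.0.0.0/0"
  # With one NAT per AZ this pairs private table N with NAT gateway N, which
  # assumes public and private subnet lists are the same length (as the
  # original module did). With a single NAT every table uses gateway 0.
  nat_gateway_id = aws_nat_gateway.main[var.single_nat_gateway ? 0 : count.index].id
}

# Private Route Table Associations
resource "aws_route_table_association" "private" {
  count = length(var.private_subnet_cidrs)

  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[var.single_nat_gateway ? 0 : count.index].id
}

# VPC Endpoints
# Only an S3 gateway endpoint is defined here so that S3 traffic from the
# private subnets stays on the AWS network instead of traversing NAT.
# (ECR endpoints are not created by this module.)
resource "aws_vpc_endpoint" "s3" {
  count = var.enable_vpc_endpoints ? 1 : 0

  vpc_id       = aws_vpc.main.id
  service_name = "com.amazonaws.${var.aws_region}.s3"

  tags = merge(
    var.tags,
    {
      Name = "${var.name_prefix}-s3-endpoint"
    }
  )
}

# Attach the S3 endpoint to every private route table.
resource "aws_vpc_endpoint_route_table_association" "s3_private" {
  count = var.enable_vpc_endpoints ? local.private_rt_count : 0

  route_table_id  = aws_route_table.private[count.index].id
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
}

# VPC Flow Logs for security monitoring
resource "aws_cloudwatch_log_group" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  name              = "/aws/vpc/${var.name_prefix}-flow-logs"
  retention_in_days = var.flow_logs_retention_days

  tags = var.tags
}

# Role assumed by the VPC Flow Logs service to write into the log group.
resource "aws_iam_role" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  name = "${var.name_prefix}-vpc-flow-logs-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Action = "sts:AssumeRole"
        Effect = "Allow"
        Principal = {
          Service = "vpc-flow-logs.amazonaws.com"
        }
        # Confused-deputy guard: only flow logs created in this account may
        # assume the role.
        Condition = {
          StringEquals = {
            "aws:SourceAccount" = data.aws_caller_identity.current.account_id
          }
        }
      }
    ]
  })

  tags = var.tags
}

# Least-privilege write access to the flow-logs log group only.
# logs:CreateLogGroup is not granted because the group is managed by
# Terraform above; write actions are scoped to that group and its streams.
resource "aws_iam_role_policy" "vpc_flow_logs" {
  count = var.enable_flow_logs ? 1 : 0

  name = "${var.name_prefix}-vpc-flow-logs-policy"
  role = aws_iam_role.vpc_flow_logs[0].id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid = "WriteFlowLogs"
        Action = [
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ]
        Effect = "Allow"
        Resource = [
          aws_cloudwatch_log_group.vpc_flow_logs[0].arn,
          "${aws_cloudwatch_log_group.vpc_flow_logs[0].arn}:*"
        ]
      },
      {
        # DescribeLogGroups is a list-style call and is kept on "*".
        Sid      = "DescribeLogGroups"
        Action   = ["logs:DescribeLogGroups"]
        Effect   = "Allow"
        Resource = "*"
      }
    ]
  })
}

# Capture accepted and rejected traffic for the whole VPC.
resource "aws_flow_log" "main" {
  count = var.enable_flow_logs ? 1 : 0

  iam_role_arn         = aws_iam_role.vpc_flow_logs[0].arn
  log_destination      = aws_cloudwatch_log_group.vpc_flow_logs[0].arn
  log_destination_type = "cloud-watch-logs"
  traffic_type         = "ALL"
  vpc_id               = aws_vpc.main.id

  tags = var.tags
}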