AnqiZhou26/vpc.tf Secret

## vpc.tf
# VPC
resource "aws_vpc" "vpc" {
  cidr_block = var.vpc_cidr

  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name                                           = "${var.project}-vpc",
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
  }
}

# Public Subnets
resource "aws_subnet" "public" {
  count = var.availability_zones_count

  vpc_id            = aws_vpc.vpc.id
  cidr_block        = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name                                           = "${var.project}-public-sg"
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
    "kubernetes.io/role/elb"                       = 1
  }

  map_public_ip_on_launch = true
}

# Private Subnets
resource "aws_subnet" "private" {
  count = var.availability_zones_count

  vpc_id            = aws_vpc.vpc.id
  cidr_block        = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index + var.availability_zones_count)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name                                           = "${var.project}-private-sg"
    "kubernetes.io/cluster/${var.project}-cluster" = "shared"
    "kubernetes.io/role/internal-elb"              = 1
  }
}

# Internet Gateway for the Public Subnet
resource "aws_internet_gateway" "internet_gateway" {
  vpc_id = aws_vpc.vpc.id

  tags = {
    "Name" = "${var.project}-igw"
  }

  depends_on = [aws_vpc.vpc]
}

# NAT Elastic IP
resource "aws_eip" "main" {
  vpc = true

  tags = {
    Name = "${var.project}-ngw-ip"
  }
}

# NAT Gateway
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.main.id
  subnet_id     = aws_subnet.public[0].id

  tags = {
    Name = "${var.project}-ngw"
  }
}

# Route Table(s)
# Route the public subnet traffic through the IGW
resource "aws_route_table" "main" {
  vpc_id = aws_vpc.vpc.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.internet_gateway.id
  }

  tags = {
    Name = "${var.project}-Default-rt"
  }
}

# Route table and subnet associations
resource "aws_route_table_association" "internet_access" {
  count = var.availability_zones_count

  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.main.id
}

# Add route to route table
resource "aws_route" "main" {
  route_table_id         = aws_vpc.vpc.default_route_table_id
  nat_gateway_id         = aws_nat_gateway.main.id
  destination_cidr_block = "0.0.0.0/0"
}

# Security group for public subnet
resource "aws_security_group" "public_sg" {
  name   =  "${var.project}-Public-sg"
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "${var.project}-Public-sg"
  }
}

# Security group for private subnet
resource "aws_security_group" "private_sg" {
  name        = "private-sg"
  description = "Allow web tier and ssh traffic"
  vpc_id      = aws_vpc.vpc.id

  ingress {
    from_port        = 3306
    to_port          = 3306
    protocol         = "tcp"
    cidr_blocks      = ["10.0.0.0/16"]
    security_groups = [aws_security_group.public_sg.id]
  }
  ingress {
    from_port         = 22
    to_port           = 22
    protocol          = "tcp"
    cidr_blocks       = ["0.0.0.0/0"]
  }
  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]

  }
}

# Security group traffic rules
resource "aws_security_group_rule" "sg_ingress_public_443" {
  security_group_id = aws_security_group.public_sg.id
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "sg_ingress_public_80" {
  security_group_id = aws_security_group.public_sg.id
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

resource "aws_security_group_rule" "sg_egress_public" {
  security_group_id = aws_security_group.public_sg.id
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Security group for data plane
resource "aws_security_group" "data_plane_sg" {
  name   =  "${var.project}-Worker-sg"
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "${var.project}-Worker-sg"
  }
}

# Security group traffic rules
resource "aws_security_group_rule" "nodes" {
  description       = "Allow nodes to communicate with each other"
  security_group_id = aws_security_group.data_plane_sg.id
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 0), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 1), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
}

resource "aws_security_group_rule" "nodes_inbound" {
  description       = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
  security_group_id = aws_security_group.data_plane_sg.id
  type              = "ingress"
  from_port         = 1025
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
}

resource "aws_security_group_rule" "node_outbound" {
  security_group_id = aws_security_group.data_plane_sg.id
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Security group for control plane
resource "aws_security_group" "control_plane_sg" {
  name   = "${var.project}-ControlPlane-sg"
  vpc_id = aws_vpc.vpc.id

  tags = {
    Name = "${var.project}-ControlPlane-sg"
  }
}

# Security group traffic rules
resource "aws_security_group_rule" "control_plane_inbound" {
  security_group_id = aws_security_group.control_plane_sg.id
  type              = "ingress"
  from_port         = 0
  to_port           = 65535
  protocol          = "tcp"
  cidr_blocks       = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 0), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 1), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
}

resource "aws_security_group_rule" "control_plane_outbound" {
  security_group_id = aws_security_group.control_plane_sg.id
  type              = "egress"
  from_port         = 0
  to_port           = 65535
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}
	# VPC
	resource "aws_vpc" "vpc" {
	cidr_block = var.vpc_cidr

	enable_dns_hostnames = true
	enable_dns_support = true

	tags = {
	Name = "${var.project}-vpc",
	"kubernetes.io/cluster/${var.project}-cluster" = "shared"
	}
	}

	# Public Subnets
	resource "aws_subnet" "public" {
	count = var.availability_zones_count

	vpc_id = aws_vpc.vpc.id
	cidr_block = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index)
	availability_zone = data.aws_availability_zones.available.names[count.index]

	tags = {
	Name = "${var.project}-public-sg"
	"kubernetes.io/cluster/${var.project}-cluster" = "shared"
	"kubernetes.io/role/elb" = 1
	}

	map_public_ip_on_launch = true
	}

	# Private Subnets
	resource "aws_subnet" "private" {
	count = var.availability_zones_count

	vpc_id = aws_vpc.vpc.id
	cidr_block = cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, count.index + var.availability_zones_count)
	availability_zone = data.aws_availability_zones.available.names[count.index]

	tags = {
	Name = "${var.project}-private-sg"
	"kubernetes.io/cluster/${var.project}-cluster" = "shared"
	"kubernetes.io/role/internal-elb" = 1
	}
	}

	# Internet Gateway for the Public Subnet
	resource "aws_internet_gateway" "internet_gateway" {
	vpc_id = aws_vpc.vpc.id

	tags = {
	"Name" = "${var.project}-igw"
	}

	depends_on = [aws_vpc.vpc]
	}

	# NAT Elastic IP
	resource "aws_eip" "main" {
	vpc = true

	tags = {
	Name = "${var.project}-ngw-ip"
	}
	}

	# NAT Gateway
	resource "aws_nat_gateway" "main" {
	allocation_id = aws_eip.main.id
	subnet_id = aws_subnet.public[0].id

	tags = {
	Name = "${var.project}-ngw"
	}
	}

	# Route Table(s)
	# Route the public subnet traffic through the IGW
	resource "aws_route_table" "main" {
	vpc_id = aws_vpc.vpc.id

	route {
	cidr_block = "0.0.0.0/0"
	gateway_id = aws_internet_gateway.internet_gateway.id
	}

	tags = {
	Name = "${var.project}-Default-rt"
	}
	}

	# Route table and subnet associations
	resource "aws_route_table_association" "internet_access" {
	count = var.availability_zones_count

	subnet_id = aws_subnet.public[count.index].id
	route_table_id = aws_route_table.main.id
	}

	# Add route to route table
	resource "aws_route" "main" {
	route_table_id = aws_vpc.vpc.default_route_table_id
	nat_gateway_id = aws_nat_gateway.main.id
	destination_cidr_block = "0.0.0.0/0"
	}

	# Security group for public subnet
	resource "aws_security_group" "public_sg" {
	name = "${var.project}-Public-sg"
	vpc_id = aws_vpc.vpc.id

	tags = {
	Name = "${var.project}-Public-sg"
	}
	}

	# Security group for private subnet
	resource "aws_security_group" "private_sg" {
	name = "private-sg"
	description = "Allow web tier and ssh traffic"
	vpc_id = aws_vpc.vpc.id

	ingress {
	from_port = 3306
	to_port = 3306
	protocol = "tcp"
	cidr_blocks = ["10.0.0.0/16"]
	security_groups = [aws_security_group.public_sg.id]
	}
	ingress {
	from_port = 22
	to_port = 22
	protocol = "tcp"
	cidr_blocks = ["0.0.0.0/0"]
	}
	egress {
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]

	}
	}

	# Security group traffic rules
	resource "aws_security_group_rule" "sg_ingress_public_443" {
	security_group_id = aws_security_group.public_sg.id
	type = "ingress"
	from_port = 443
	to_port = 443
	protocol = "tcp"
	cidr_blocks = ["0.0.0.0/0"]
	}

	resource "aws_security_group_rule" "sg_ingress_public_80" {
	security_group_id = aws_security_group.public_sg.id
	type = "ingress"
	from_port = 80
	to_port = 80
	protocol = "tcp"
	cidr_blocks = ["0.0.0.0/0"]
	}

	resource "aws_security_group_rule" "sg_egress_public" {
	security_group_id = aws_security_group.public_sg.id
	type = "egress"
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	}

	# Security group for data plane
	resource "aws_security_group" "data_plane_sg" {
	name = "${var.project}-Worker-sg"
	vpc_id = aws_vpc.vpc.id

	tags = {
	Name = "${var.project}-Worker-sg"
	}
	}

	# Security group traffic rules
	resource "aws_security_group_rule" "nodes" {
	description = "Allow nodes to communicate with each other"
	security_group_id = aws_security_group.data_plane_sg.id
	type = "ingress"
	from_port = 0
	to_port = 65535
	protocol = "-1"
	cidr_blocks = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 0), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 1), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
	}

	resource "aws_security_group_rule" "nodes_inbound" {
	description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
	security_group_id = aws_security_group.data_plane_sg.id
	type = "ingress"
	from_port = 1025
	to_port = 65535
	protocol = "tcp"
	cidr_blocks = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
	}

	resource "aws_security_group_rule" "node_outbound" {
	security_group_id = aws_security_group.data_plane_sg.id
	type = "egress"
	from_port = 0
	to_port = 0
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	}

	# Security group for control plane
	resource "aws_security_group" "control_plane_sg" {
	name = "${var.project}-ControlPlane-sg"
	vpc_id = aws_vpc.vpc.id

	tags = {
	Name = "${var.project}-ControlPlane-sg"
	}
	}

	# Security group traffic rules
	resource "aws_security_group_rule" "control_plane_inbound" {
	security_group_id = aws_security_group.control_plane_sg.id
	type = "ingress"
	from_port = 0
	to_port = 65535
	protocol = "tcp"
	cidr_blocks = flatten([cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 0), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 1), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 2), cidrsubnet(var.vpc_cidr, var.subnet_cidr_bits, 3)])
	}

	resource "aws_security_group_rule" "control_plane_outbound" {
	security_group_id = aws_security_group.control_plane_sg.id
	type = "egress"
	from_port = 0
	to_port = 65535
	protocol = "-1"
	cidr_blocks = ["0.0.0.0/0"]
	}