
Terraform resource module that creates a single resilient VPC with TGW and Privatelink inter-VPC networking for the purpose of providing the foundation for an arbitrary amount of high-density EKS clusters. It's a thing that every EKS needs; a thneed.


terraform-aws-thneed

This module aims to create a resilient VPC with strong focus on private interconnectivity.

This module can be used independently, but it also emits output attributes that may be used to create very high-density EKS clusters in environments with constrained routable address space. Additionally, it is designed to attach its VPC to a Transit Gateway as well as to any number of unmanaged (customer) VPC endpoints, enabling inter-VPC private networking without requiring peering.

Features

  • Conditional resource creation.
  • Strong inter-VPC availability zone colocation across accounts.
    • Enables VPC endpoint connectivity with guaranteed network resilience.
    • Keeps AWS networking costs lower by reducing inter-AZ traffic.
  • Efficient automatic subnet allocation.
    • Packs subnets of differing network block size "densely" within a given IPv4 CIDR block.
    • Defines secondary private subnets for database clusters, cache clusters, and Kubernetes clusters in dedicated secondary IPv4 CIDR blocks.
  • Effective inter-VPC connectivity within AWS, enabling private inter-cluster communication patterns.
    • Unmanaged VPC Endpoint connectivity, in addition to AWS-managed VPC endpoint connectivity.
    • Transit gateway attachment.

Dependencies

| Name      | Version   |
|-----------|-----------|
| Terraform | ~> 0.14.0 |

Providers

| Name | Version |
|------|---------|
| AWS  | >= 2.41 |

Input Attributes

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| `project_name` | Unique string that describes this deployment as a whole across all environments and namespaces every resource name. This name is critical when connecting dependent modules, as it is used to reference resources. | `string` | `nil` | yes |
| `environment` | Unique string that namespaces every resource name. This name is critical when connecting dependent infrastructure modules, as it is used to reference resources. | `string` | `nil` | yes |
| `vpc_cidr` | Primary VPC CIDR block. Take care when using a Transit Gateway to interconnect VPCs, as subnets between interconnected VPCs must not overlap. | `string` | `"10.0.0.0"` | yes |
| `private_subnet_newbits` | Number of additional netmask bits to add to subnets, relative to `vpc_cidr`. | `number` | `2` | no |
| `public_subnet_newbits` | Number of additional netmask bits to add to subnets, relative to `vpc_cidr` offset by `private_subnet_newbits` and the AZ count. Should usually be 1-2 bits higher than `private_subnet_newbits`, since both occupy the same base CIDR. | `number` | `4` | no |
| `tgw_cidr` | Transit Gateway CIDR block. Take care when allocating TGW subnets, as they must not overlap between attached VPCs. Not supplying a CIDR here disables TGW attachment. | `string` | `nil` | no |
| `tgw_subnet_newbits` | Number of additional bits added to each subnet, relative to `tgw_cidr`. | `number` | `3` | no |
| `eks_cidr` | EKS CIDR block. Not publicly routable. Not providing a CIDR here disables dedicated private EKS cluster subnets. | `string` | `nil` | no |
| `az_count_min` | Minimum number of availability zones in which subnets will be created. | `number` | `3` | no |
| `az_count_max` | Maximum number of availability zones in which subnets will be created. | `number` | `3` | no |
| `tgw_route_networks` | List of CIDR blocks to define as destination networks via the TGW attachment. | `list(string)` | `[]` | no |
| `tgw_id` | ID of a transit gateway to attach this VPC to. This gateway must already exist. Not providing an ID here disables TGW attachment. | `string` | `nil` | no |
| `vpc_endpoints` | List of objects that describe non-AWS (customer) VPC endpoint connections. All included endpoint service names are also used to determine the availability zone occupancy of all subnets; a VPC endpoint service set to `create = false` is still used when calculating AZ occupancy. | `list(object({ create = bool, service_name = string, security_group_ids = list(string), allowed_ingress_rules = list(tuple([number, number, string])), allowed_cidr_blocks = list(string), auto_accept = bool, alternate_private_dns = object({ name = string, domain = string, zone_id = string }) }))` | `nil` | no |
| `eks_cluster_id_prefixes` | EKS cluster name prefixes that may use the primary CIDR subnets for load balancer creation. Renders an associated output map of namespaced cluster IDs keyed by these prefixes. | `list(string)` | `["eks"]` | no |

Output Attributes

| Name | Description | Type |
|------|-------------|------|
| `vpc_id` | VPC ID. | `object` |
| `vpc_endpoint_ids` | VPC endpoint IDs. | `list(object)` |
| `eks_subnet_ids` | List of EKS subnet IDs. | `list(string)` |
| `eks_ids` | Map of EKS cluster IDs which may create load balancers in the primary CIDR space, regardless of their subnet assignment(s). Keyed by `eks_cluster_id_prefixes`. | `map(string)` |
| `tags` | Map of common tags that are applied to all resources. | `map(string)` |
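The following root-module configuration is an added usage example, not part of this README or the module's own code, showing how the input attributes above fit together and how the outputs are consumed. The module `source` path, the region, the transit gateway ID, the endpoint service name, the security group ID, the Route 53 zone ID and every CIDR block are placeholder or constructed values; the ordering of the `allowed_ingress_rules` tuple as (from_port, to_port, protocol) and the downstream output names are also assumptions.

```hcl
terraform {
  required_version = "~> 0.14.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 2.41"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

module "thneed" {
  # Placeholder source: point this at the terraform-aws-thneed repository.
  source = "github.com/ClusterDaemon/terraform-aws-thneed"

  project_name = "payments"
  environment  = "prod"

  # Primary CIDR (constructed). Every VPC attached to the same transit gateway
  # must use a distinct block: overlapping prefixes make TGW routing ambiguous
  # and can silently deliver traffic to the wrong VPC.
  vpc_cidr               = "10.10.0.0/16"
  private_subnet_newbits = 2 # /16 + 2 bits = /18 private subnets, one per AZ
  public_subnet_newbits  = 4 # smaller public subnets packed after the private ones

  # Dedicated TGW attachment subnets (constructed), disjoint from vpc_cidr and
  # from the TGW subnets of every other attached VPC.
  tgw_id             = "tgw-0123456789abcdef0" # placeholder
  tgw_cidr           = "10.255.10.0/24"
  tgw_subnet_newbits = 3 # /24 + 3 bits = /27 per availability zone
  tgw_route_networks = ["10.20.0.0/16", "10.30.0.0/16"] # other attached VPCs (constructed)

  # Non-publicly-routable secondary block for dense EKS subnets, keeping pod
  # addressing out of the scarce routable space above.
  eks_cidr = "100.64.0.0/16"

  az_count_min = 3
  az_count_max = 3

  # Customer (unmanaged) PrivateLink endpoint. AZ placement of all subnets is
  # computed from every listed service, including any with create = false.
  vpc_endpoints = [
    {
      create             = true
      service_name       = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0" # placeholder
      security_group_ids = ["sg-0123456789abcdef0"]                                   # placeholder
      # Assumed tuple order: from_port, to_port, protocol. Admit only TLS.
      allowed_ingress_rules = [[443, 443, "tcp"]]
      # Restrict callers to this VPC's own primary CIDR.
      allowed_cidr_blocks = ["10.10.0.0/16"]
      auto_accept         = true
      alternate_private_dns = {
        name    = "api"
        domain  = "internal.example.com"
        zone_id = "Z0000000000PLACEHOLDER"
      }
    }
  ]

  # Both prefixes may place load balancers in the primary CIDR subnets.
  eks_cluster_id_prefixes = ["eks", "eks-batch"]
}

# Outputs handed to downstream EKS modules (names assumed for illustration).
output "eks_subnet_ids" {
  value = module.thneed.eks_subnet_ids
}

output "eks_batch_cluster_id" {
  value = module.thneed.eks_ids["eks-batch"]
}
```

Before applying, compare `vpc_cidr`, `tgw_cidr` and `tgw_route_networks` against the blocks already in use by every other VPC attached to the same transit gateway; `terraform plan` will not detect the overlap for you, and the resulting misrouting is the failure mode the `vpc_cidr` and `tgw_cidr` descriptions warn about.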

Resource Types

  • aws_subnet
  • aws_route_table
  • aws_route_table_association

Modules

| Name | Source |
|------|--------|
| `az_colocate` | https://github.com:ClusterDaemon/terraform-aws-privatelink-az-colocation |
| `subnets` | hashicorp/subnets/cidr |
| `vpc` | terraform-aws-modules/vpc/aws |
| `vpc_endpoint` | https://github.com:ClusterDaemon/terraform-aws-vpc-interface-endpoint-private-dns |
| `tgw_attachment` | https://github.com:ClusterDaemon/terraform-aws-transit-gateway-attachment |