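# VPC
# Single VPC for the project. DNS hostnames/support are both required for
# private_dns_enabled on the interface endpoints below to resolve the
# regional service names (ssm., ssmmessages., ec2messages.) to endpoint ENIs.
resource "aws_vpc" "main" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "${var.project_name}-vpc"
  }
}

data "aws_availability_zones" "available" {
  state = "available"
}

# Public Subnet
# One subnet in the first available AZ, carved as the second /24-sized slice
# of var.vpc_cidr (cidrsubnet adds 8 bits; with a /16 VPC that is x.x.1.0/24).
#
# NOTE(review): map_public_ip_on_launch = true gives every instance launched
# here a public IPv4 address. The SSM and EC2 Instance Connect endpoints below
# exist precisely so that instances can be managed without one; if nothing
# launched in this subnet needs direct inbound/outbound internet, set this to
# false and rely on the endpoints. Left unchanged here because other files may
# depend on instances having a public IP (e.g. no NAT Gateway is defined).
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, 1)
  availability_zone       = data.aws_availability_zones.available.names[0]
  map_public_ip_on_launch = true

  tags = {
    Name = "${var.project_name}-public-subnet"
  }
}

# Internet Gateway
resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "${var.project_name}-igw"
  }
}

# Route Table
# Default route to the IGW; this is what makes the subnet "public".
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }

  tags = {
    Name = "${var.project_name}-public-rt"
  }
}

# Route Table Association
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Security Group for VPC Endpoints
# Shared by the three SSM interface endpoints and the EC2 Instance Connect
# Endpoint (EICE).
#
# Ingress: interface endpoint ENIs only ever accept HTTPS from inside the VPC.
# Egress:  interface endpoints never originate traffic (responses are covered
#          by the stateful SG), so the only outbound need on this SG is the
#          EICE reaching instance private IPs. Egress is therefore scoped to
#          var.vpc_cidr instead of 0.0.0.0/0 — an endpoint ENI has no reason
#          to reach the internet, and the open rule would let a compromised
#          EICE session pivot outside the VPC. If you want to tighten further,
#          give EICE its own SG with egress limited to tcp/22 (and 3389 if RDP
#          is used); that is not done here because instance SGs elsewhere may
#          reference this SG's id as their SSH source.
resource "aws_security_group" "vpc_endpoints" {
  name        = "${var.project_name}-vpc-endpoints-sg"
  description = "Security group for VPC endpoints"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTPS to endpoint ENIs from inside the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  egress {
    description = "Outbound restricted to the VPC (EICE -> instances)"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.vpc_cidr]
  }

  tags = {
    Name = "${var.project_name}-vpc-endpoints-sg"
  }
}

# VPC Endpoint for S3 (Gateway)
# Keeps S3 traffic on the AWS network instead of hairpinning through the IGW,
# and lets instances reach S3 even without a public IP or NAT. It is attached
# to the public route table because that is the only route table defined in
# this file (there is no private subnet here).
#
# NOTE(review): no `policy` is set, so the endpoint grants full access to every
# S3 bucket/principal (the AWS default). For data-exfiltration control,
# consider an endpoint policy limited to the project's buckets and/or
# `aws:PrincipalOrgID`; bucket names are not known from this file, so it is
# left as a follow-up rather than guessed.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"

  route_table_ids = [aws_route_table.public.id]

  tags = {
    Name = "${var.project_name}-s3-endpoint"
  }
}

# VPC Endpoint for SSM (Interface)
# ssm + ssmmessages + ec2messages together are the set required for Session
# Manager / Run Command without internet egress from the instance.
# private_dns_enabled makes the regional service hostname resolve to the
# endpoint ENI so the SSM agent needs no configuration change.
resource "aws_vpc_endpoint" "ssm" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ssm"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.public.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true

  tags = {
    Name = "${var.project_name}-ssm-endpoint"
  }
}

# VPC Endpoint for SSM Messages (Interface)
resource "aws_vpc_endpoint" "ssmmessages" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ssmmessages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.public.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true

  tags = {
    Name = "${var.project_name}-ssmmessages-endpoint"
  }
}

# VPC Endpoint for EC2 Messages (Interface)
resource "aws_vpc_endpoint" "ec2messages" {
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${var.region}.ec2messages"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.public.id]
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true

  tags = {
    Name = "${var.project_name}-ec2messages-endpoint"
  }
}

# EC2 Instance Connect Endpoint
# Provides identity-based (IAM-authorised, CloudTrail-logged) SSH/RDP into
# instances without a bastion or inbound internet exposure. Its outbound
# reach is bounded by the shared SG's egress rule (VPC CIDR only). Instance
# SGs must still allow the target port from this SG (or from the subnet CIDR)
# for a session to succeed.
resource "aws_ec2_instance_connect_endpoint" "main" {
  subnet_id          = aws_subnet.public.id
  security_group_ids = [aws_security_group.vpc_endpoints.id]

  tags = {
    Name = "${var.project_name}-instance-connect-endpoint"
  }
}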