feat: Implement VPC module for AWS, including configuration for public and private subnets, NAT gateways, and outputs for VPC resources

Arnel Jan Sarmiento · Arnel Jan Sarmiento · commit e704c86e40ea · 2026-04-12T14:44:17.000+08:00
diff --git a/modules/aws/vpc/main.tf b/modules/aws/vpc/main.tf
@@ -0,0 +1,151 @@
+terraform {
+  required_version = ">= 1.14.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.65.0"
+    }
+  }
+}
+
+locals {
+  az_keys = { for i, az in var.availability_zones : az => i }
+
+  # When single_nat_gateway is true, all private subnets route through the first AZ's NAT.
+  # Otherwise, each AZ gets its own NAT gateway.
+  nat_az_keys = var.enable_nat_gateway ? (
+    var.single_nat_gateway ? { (var.availability_zones[0]) = 0 } : local.az_keys
+  ) : {}
+}
+
+# ------------------------------------------------------------------------------
+# VPC
+# ------------------------------------------------------------------------------
+
+resource "aws_vpc" "this" {
+  cidr_block           = var.cidr_block
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+
+  tags = {
+    Name = var.name
+  }
+}
+
+# ------------------------------------------------------------------------------
+# Internet Gateway
+# ------------------------------------------------------------------------------
+
+resource "aws_internet_gateway" "this" {
+  vpc_id = aws_vpc.this.id
+
+  tags = {
+    Name = "${var.name}-igw"
+  }
+}
+
+# ------------------------------------------------------------------------------
+# Public Subnets
+# ------------------------------------------------------------------------------
+
+resource "aws_subnet" "public" {
+  for_each = local.az_keys
+
+  vpc_id                  = aws_vpc.this.id
+  cidr_block              = var.public_subnet_cidrs[each.value]
+  availability_zone       = each.key
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "${var.name}-public-${each.key}"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.this.id
+
+  tags = {
+    Name = "${var.name}-public"
+  }
+}
+
+resource "aws_route" "public_internet" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.this.id
+}
+
+resource "aws_route_table_association" "public" {
+  for_each = aws_subnet.public
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.public.id
+}
+
+# ------------------------------------------------------------------------------
+# Private Subnets
+# ------------------------------------------------------------------------------
+
+resource "aws_subnet" "private" {
+  for_each = local.az_keys
+
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = var.private_subnet_cidrs[each.value]
+  availability_zone = each.key
+
+  tags = {
+    Name = "${var.name}-private-${each.key}"
+  }
+}
+
+resource "aws_route_table" "private" {
+  for_each = local.az_keys
+
+  vpc_id = aws_vpc.this.id
+
+  tags = {
+    Name = "${var.name}-private-${each.key}"
+  }
+}
+
+resource "aws_route_table_association" "private" {
+  for_each = aws_subnet.private
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.private[each.key].id
+}
+
+# ------------------------------------------------------------------------------
+# NAT Gateway (optional)
+# ------------------------------------------------------------------------------
+
+resource "aws_eip" "nat" {
+  for_each = local.nat_az_keys
+
+  domain = "vpc"
+
+  tags = {
+    Name = "${var.name}-nat-${each.key}"
+  }
+}
+
+resource "aws_nat_gateway" "this" {
+  for_each = local.nat_az_keys
+
+  allocation_id = aws_eip.nat[each.key].id
+  subnet_id     = aws_subnet.public[each.key].id
+
+  tags = {
+    Name = "${var.name}-nat-${each.key}"
+  }
+}
+
+resource "aws_route" "private_nat" {
+  for_each = var.enable_nat_gateway ? local.az_keys : {}
+
+  route_table_id         = aws_route_table.private[each.key].id
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id = var.single_nat_gateway ? (
+    aws_nat_gateway.this[var.availability_zones[0]].id
+  ) : aws_nat_gateway.this[each.key].id
+}
diff --git a/modules/aws/vpc/outputs.tf b/modules/aws/vpc/outputs.tf
@@ -0,0 +1,49 @@
+output "vpc_id" {
+  description = "ID of the VPC."
+  value       = aws_vpc.this.id
+}
+
+output "vpc_cidr_block" {
+  description = "CIDR block of the VPC."
+  value       = aws_vpc.this.cidr_block
+}
+
+output "public_subnet_ids" {
+  description = "List of public subnet IDs."
+  value       = [for s in aws_subnet.public : s.id]
+}
+
+output "private_subnet_ids" {
+  description = "List of private subnet IDs."
+  value       = [for s in aws_subnet.private : s.id]
+}
+
+output "public_subnet_cidrs" {
+  description = "List of public subnet CIDR blocks."
+  value       = [for s in aws_subnet.public : s.cidr_block]
+}
+
+output "private_subnet_cidrs" {
+  description = "List of private subnet CIDR blocks."
+  value       = [for s in aws_subnet.private : s.cidr_block]
+}
+
+output "internet_gateway_id" {
+  description = "ID of the internet gateway."
+  value       = aws_internet_gateway.this.id
+}
+
+output "nat_gateway_ids" {
+  description = "List of NAT gateway IDs. Empty when enable_nat_gateway is false."
+  value       = [for ng in aws_nat_gateway.this : ng.id]
+}
+
+output "public_route_table_id" {
+  description = "ID of the public route table."
+  value       = aws_route_table.public.id
+}
+
+output "private_route_table_ids" {
+  description = "List of private route table IDs."
+  value       = [for rt in aws_route_table.private : rt.id]
+}
diff --git a/modules/aws/vpc/variables.tf b/modules/aws/vpc/variables.tf
@@ -0,0 +1,36 @@
+variable "name" {
+  description = "Name prefix for all VPC resources."
+  type        = string
+}
+
+variable "cidr_block" {
+  description = "CIDR block for the VPC (e.g. 10.10.0.0/16)."
+  type        = string
+}
+
+variable "availability_zones" {
+  description = "List of availability zones for subnet placement."
+  type        = list(string)
+}
+
+variable "public_subnet_cidrs" {
+  description = "CIDR blocks for public subnets, one per availability zone."
+  type        = list(string)
+}
+
+variable "private_subnet_cidrs" {
+  description = "CIDR blocks for private subnets, one per availability zone."
+  type        = list(string)
+}
+
+variable "enable_nat_gateway" {
+  description = "Create a NAT gateway for private subnet internet access."
+  type        = bool
+  default     = false
+}
+
+variable "single_nat_gateway" {
+  description = "Use a single NAT gateway instead of one per AZ. Only applies when enable_nat_gateway is true."
+  type        = bool
+  default     = true
+}
diff --git a/workspaces/nonprod/main.tf b/workspaces/nonprod/main.tf
@@ -12,3 +12,21 @@ module "github_oidc" {
   role_name     = "github_oidc_role"
   allowed_repos = var.allowed_github_repos
 }
+
+module "vpc" {
+  source = "../../modules/aws/vpc"
+
+  name               = "durianpy-nonprod"
+  cidr_block         = "10.30.0.0/16"
+  availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  public_subnet_cidrs = [
+    "10.30.0.0/20",
+    "10.30.16.0/20",
+    "10.30.32.0/20",
+  ]
+  private_subnet_cidrs = [
+    "10.30.48.0/20",
+    "10.30.64.0/20",
+    "10.30.80.0/20",
+  ]
+}
diff --git a/workspaces/nonprod/outputs.tf b/workspaces/nonprod/outputs.tf
@@ -7,3 +7,18 @@ output "budget_name" {
   description = "Name of the nonprod account cost budget."
   value       = module.budget.budget_name
 }
+
+output "vpc_id" {
+  description = "ID of the nonprod account VPC."
+  value       = module.vpc.vpc_id
+}
+
+output "vpc_public_subnet_ids" {
+  description = "Public subnet IDs in the nonprod account VPC."
+  value       = module.vpc.public_subnet_ids
+}
+
+output "vpc_private_subnet_ids" {
+  description = "Private subnet IDs in the nonprod account VPC."
+  value       = module.vpc.private_subnet_ids
+}
diff --git a/workspaces/prod/main.tf b/workspaces/prod/main.tf
@@ -25,3 +25,21 @@ module "github_oidc" {
 #   enabled_apis = var.gcp_enabled_apis
 #   iam_bindings = var.gcp_iam_bindings
 # }
+
+module "vpc" {
+  source = "../../modules/aws/vpc"
+
+  name               = "durianpy-prod"
+  cidr_block         = "10.20.0.0/16"
+  availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  public_subnet_cidrs = [
+    "10.20.0.0/20",
+    "10.20.16.0/20",
+    "10.20.32.0/20",
+  ]
+  private_subnet_cidrs = [
+    "10.20.48.0/20",
+    "10.20.64.0/20",
+    "10.20.80.0/20",
+  ]
+}
diff --git a/workspaces/prod/outputs.tf b/workspaces/prod/outputs.tf
@@ -17,3 +17,18 @@ output "budget_name" {
   description = "Name of the prod account cost budget."
   value       = module.budget.budget_name
 }
+
+output "vpc_id" {
+  description = "ID of the prod account VPC."
+  value       = module.vpc.vpc_id
+}
+
+output "vpc_public_subnet_ids" {
+  description = "Public subnet IDs in the prod account VPC."
+  value       = module.vpc.public_subnet_ids
+}
+
+output "vpc_private_subnet_ids" {
+  description = "Private subnet IDs in the prod account VPC."
+  value       = module.vpc.private_subnet_ids
+}
diff --git a/workspaces/root/main.tf b/workspaces/root/main.tf
@@ -55,3 +55,21 @@ module "identity_center" {
 module "amplify" {
   source = "./amplify"
 }
+
+module "vpc" {
+  source = "../../modules/aws/vpc"
+
+  name               = "durianpy-root"
+  cidr_block         = "10.10.0.0/16"
+  availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  public_subnet_cidrs = [
+    "10.10.0.0/20",
+    "10.10.16.0/20",
+    "10.10.32.0/20",
+  ]
+  private_subnet_cidrs = [
+    "10.10.48.0/20",
+    "10.10.64.0/20",
+    "10.10.80.0/20",
+  ]
+}
diff --git a/workspaces/root/outputs.tf b/workspaces/root/outputs.tf
@@ -47,3 +47,18 @@ output "amplify_app_ids" {
   description = "Map of Amplify app key to app ID."
   value       = module.amplify.app_ids
 }
+
+output "vpc_id" {
+  description = "ID of the root account VPC."
+  value       = module.vpc.vpc_id
+}
+
+output "vpc_public_subnet_ids" {
+  description = "Public subnet IDs in the root account VPC."
+  value       = module.vpc.public_subnet_ids
+}
+
+output "vpc_private_subnet_ids" {
+  description = "Private subnet IDs in the root account VPC."
+  value       = module.vpc.private_subnet_ids
+}
diff --git a/workspaces/sandbox/main.tf b/workspaces/sandbox/main.tf
@@ -21,3 +21,31 @@ module "github_oidc" {
 #   attendee_id_end     = var.attendee_id_end
 #   workshop_group_name = var.workshop_group_name
 # }
+
+module "vpc" {
+  source = "../../modules/aws/vpc"
+
+  name               = "durianpy-sandbox"
+  cidr_block         = "10.40.0.0/16"
+  availability_zones = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  public_subnet_cidrs = [
+    "10.40.0.0/20",
+    "10.40.16.0/20",
+    "10.40.32.0/20",
+  ]
+  private_subnet_cidrs = [
+    "10.40.48.0/20",
+    "10.40.64.0/20",
+    "10.40.80.0/20",
+  ]
+}
+
+module "on_prem_vpc" {
+  source = "../../modules/aws/vpc"
+
+  name                 = "on-prem-vpc"
+  cidr_block           = "172.16.0.0/16"
+  availability_zones   = ["${var.aws_region}a", "${var.aws_region}b", "${var.aws_region}c"]
+  public_subnet_cidrs  = ["172.16.0.0/20", "172.16.16.0/20", "172.16.32.0/20"]
+  private_subnet_cidrs = ["172.16.48.0/20", "172.16.64.0/20", "172.16.80.0/20"]
+}
diff --git a/workspaces/sandbox/outputs.tf b/workspaces/sandbox/outputs.tf
