|
| 1 | +# Bring Your Own VPC (BYO VPC) Guide |
| 2 | + |
| 3 | +This document explains how to use the `quix-eks` module with your existing network infrastructure. |
| 4 | + |
| 5 | +## Overview of Changes |
| 6 | + |
| 7 | +The module now supports two modes of operation: |
| 8 | + |
| 9 | +1. **Create VPC Mode** (`create_vpc = true`, default): The module creates all network infrastructure |
| 10 | +2. **BYO VPC Mode** (`create_vpc = false`): The module uses your existing VPC, subnets, and NAT Gateway |
| 11 | + |
| 12 | +## New Variables |
| 13 | + |
| 14 | +### BYO VPC Variables |
| 15 | + |
| 16 | +```hcl |
| 17 | +# Main control |
| 18 | +variable "create_vpc" { |
| 19 | + description = "If false, use an existing VPC" |
| 20 | + type = bool |
| 21 | + default = true |
| 22 | +} |
| 23 | +
|
| 24 | +# Existing resource IDs (required when create_vpc = false) |
| 25 | +variable "vpc_id" { |
| 26 | + description = "ID of the existing VPC" |
| 27 | + type = string |
| 28 | + default = null |
| 29 | +} |
| 30 | +
|
| 31 | +variable "private_subnet_ids" { |
| 32 | + description = "List of existing private subnet IDs" |
| 33 | + type = list(string) |
| 34 | + default = [] |
| 35 | +} |
| 36 | +
|
| 37 | +variable "public_subnet_ids" { |
| 38 | + description = "List of existing public subnet IDs" |
| 39 | + type = list(string) |
| 40 | + default = [] |
| 41 | +} |
| 42 | +
|
| 43 | +# NAT Gateway configuration |
| 44 | +variable "enable_nat_gateway" { |
| 45 | + description = "Whether to create a single NAT Gateway for private subnets" |
| 46 | + type = bool |
| 47 | + default = true |
| 48 | +} |
| 49 | +
|
| 50 | +# VPC endpoints |
| 51 | +variable "create_s3_endpoint" { |
| 52 | + description = "If false, assumes S3 endpoint already exists" |
| 53 | + type = bool |
| 54 | + default = true |
| 55 | +} |
| 56 | +``` |
| 57 | + |
| 58 | +### VPC Creation Variables (modified) |
| 59 | + |
| 60 | +When `create_vpc = true`, these variables are **required**: |
| 61 | + |
| 62 | +```hcl |
| 63 | +variable "vpc_cidr" { |
| 64 | + description = "VPC CIDR (required when create_vpc = true)" |
| 65 | + type = string |
| 66 | + default = null # Now optional with default null |
| 67 | +} |
| 68 | +
|
| 69 | +variable "azs" { |
| 70 | + description = "Number of availability zones (required when create_vpc = true)" |
| 71 | + type = number |
| 72 | + default = null # Now optional with default null |
| 73 | +} |
| 74 | +
|
| 75 | +variable "private_subnets" { |
| 76 | + description = "Private subnet CIDRs (required when create_vpc = true)" |
| 77 | + type = list(string) |
| 78 | + default = [] |
| 79 | +} |
| 80 | +
|
| 81 | +variable "public_subnets" { |
| 82 | + description = "Public subnet CIDRs (required when create_vpc = true)" |
| 83 | + type = list(string) |
| 84 | + default = [] |
| 85 | +} |
| 86 | +``` |
| 87 | + |
| 88 | +## Usage |
| 89 | + |
| 90 | +### Option 1: Create New VPC (default behavior) |
| 91 | + |
| 92 | +```hcl |
| 93 | +module "eks" { |
| 94 | + source = "../../modules/quix-eks" |
| 95 | +
|
| 96 | + cluster_name = "my-cluster" |
| 97 | + region = "eu-central-1" |
| 98 | +
|
| 99 | + # Create new VPC (create_vpc = true by default) |
| 100 | + vpc_cidr = "10.240.0.0/16" |
| 101 | + azs = 2 |
| 102 | + private_subnets = ["10.240.0.0/24", "10.240.1.0/24"] |
| 103 | + public_subnets = ["10.240.100.0/24", "10.240.101.0/24"] |
| 104 | +
|
| 105 | + # ... rest of configuration |
| 106 | +} |
| 107 | +``` |
| 108 | + |
| 109 | +### Option 2: Use Existing VPC |
| 110 | + |
| 111 | +```hcl |
| 112 | +# Get existing VPC |
| 113 | +data "aws_vpc" "existing" { |
| 114 | + id = "vpc-0123456789abcdef0" |
| 115 | +} |
| 116 | +
|
| 117 | +# Get existing subnets |
| 118 | +data "aws_subnets" "private" { |
| 119 | + filter { |
| 120 | + name = "vpc-id" |
| 121 | + values = [data.aws_vpc.existing.id] |
| 122 | + } |
| 123 | + tags = { |
| 124 | + Type = "private" |
| 125 | + } |
| 126 | +} |
| 127 | +
|
| 128 | +data "aws_subnets" "public" { |
| 129 | + filter { |
| 130 | + name = "vpc-id" |
| 131 | + values = [data.aws_vpc.existing.id] |
| 132 | + } |
| 133 | + tags = { |
| 134 | + Type = "public" |
| 135 | + } |
| 136 | +} |
| 137 | +
|
| 138 | +module "eks" { |
| 139 | + source = "../../modules/quix-eks" |
| 140 | +
|
| 141 | + cluster_name = "my-cluster" |
| 142 | + region = "eu-central-1" |
| 143 | +
|
| 144 | + # Use existing VPC |
| 145 | + create_vpc = false |
| 146 | + vpc_id = data.aws_vpc.existing.id |
| 147 | + private_subnet_ids = data.aws_subnets.private.ids |
| 148 | + public_subnet_ids = data.aws_subnets.public.ids |
| 149 | +
|
| 150 | + # If your VPC already has an S3 endpoint |
| 151 | + create_s3_endpoint = false |
| 152 | +
|
| 153 | + # NOTE: You don't need to specify: |
| 154 | + # - vpc_cidr |
| 155 | + # - azs |
| 156 | + # - private_subnets |
| 157 | + # - public_subnets |
| 158 | +
|
| 159 | + # ... rest of configuration |
| 160 | +} |
| 161 | +``` |
| 162 | + |
| 163 | +## Existing VPC Requirements |
| 164 | + |
| 165 | +To use an existing VPC, it must meet the following requirements: |
| 166 | + |
| 167 | +### 1. DNS Configuration |
| 168 | +```bash |
| 169 | +# The VPC must have these options enabled: |
| 170 | +- enableDnsSupport = true |
| 171 | +- enableDnsHostnames = true |
| 172 | +``` |
| 173 | + |
| 174 | +### 2. Private Subnets |
| 175 | + |
| 176 | +Private subnets must: |
| 177 | +- Have internet access via NAT Gateway |
| 178 | +- Be tagged for EKS: |
| 179 | + ``` |
| 180 | + kubernetes.io/role/internal-elb = 1 |
| 181 | + ``` |
| 182 | + |
| 183 | +### 3. Public Subnets |
| 184 | + |
| 185 | +Public subnets must: |
| 186 | +- Have a route to Internet Gateway |
| 187 | +- Be tagged for EKS: |
| 188 | + ``` |
| 189 | + kubernetes.io/role/elb = 1 |
| 190 | + ``` |
| 191 | + |
| 192 | +### 4. NAT Gateway |
| 193 | + |
| 194 | +- Must exist in a public subnet |
| 195 | +- Must be configured in the route table of private subnets |
| 196 | + |
| 197 | +### 5. VPC Endpoints (Recommended) |
| 198 | + |
| 199 | +If your VPC doesn't have an S3 endpoint, the module can create it by setting: |
| 200 | +```hcl |
| 201 | +create_s3_endpoint = true |
| 202 | +``` |
| 203 | + |
| 204 | +For production, consider adding these endpoints manually: |
| 205 | +- `com.amazonaws.{region}.ecr.api` |
| 206 | +- `com.amazonaws.{region}.ecr.dkr` |
| 207 | +- `com.amazonaws.{region}.ec2` |
| 208 | +- `com.amazonaws.{region}.sts` |
| 209 | +- `com.amazonaws.{region}.logs` |
| 210 | + |
| 211 | +## Migrating Existing Configuration |
| 212 | + |
| 213 | +If you already have a cluster with a VPC created by the module and want to migrate to BYO VPC: |
| 214 | + |
| 215 | +### ⚠️ WARNING |
| 216 | +This migration requires **recreating the cluster**. Zero-downtime migration is not possible. |
| 217 | + |
| 218 | +### Steps: |
| 219 | + |
| 220 | +1. **Export current VPC information** |
| 221 | + ```bash |
| 222 | + terraform output vpc_id |
| 223 | + terraform output private_subnets |
| 224 | + terraform output public_subnets |
| 225 | + ``` |
| 226 | + |
| 227 | +2. **Import VPC to new state** (if you want to keep it) |
| 228 | + ```bash |
| 229 | + # Remove VPC from module |
| 230 | + terraform state rm module.eks.module.vpc |
| 231 | + |
| 232 | + # Import it as an independent resource |
| 233 | + # (You'll need to create separate configuration for the VPC) |
| 234 | + ``` |
| 235 | + |
| 236 | +3. **Update module configuration** |
| 237 | + ```hcl |
| 238 | + module "eks" { |
| 239 | + # ... |
| 240 | + create_vpc = false |
| 241 | + vpc_id = "vpc-xxx" # From step 1 |
| 242 | + private_subnet_ids = ["subnet-xxx", "subnet-yyy"] |
| 243 | + public_subnet_ids = ["subnet-aaa", "subnet-bbb"] |
| 244 | + } |
| 245 | + ``` |
| 246 | + |
| 247 | +4. **Recreate cluster** |
| 248 | + ```bash |
| 249 | + terraform apply |
| 250 | + ``` |
| 251 | + |
| 252 | +## Complete Example |
| 253 | + |
| 254 | +See the complete example at [`examples/byo-vpc/`](examples/byo-vpc/) |
| 255 | + |
| 256 | +## Internal Architecture |
| 257 | + |
| 258 | +### Modified Files |
| 259 | + |
| 260 | +1. **`variables.tf`**: Adds BYO VPC variables |
| 261 | +2. **`vpc.tf`**: Conditional logic to create or use existing VPC |
| 262 | +3. **`vpc-endpoints.tf`**: Conditional support for S3 endpoint |
| 263 | +4. **`main.tf`**: Logic to detect AZs from existing subnets |
| 264 | +5. **`eks.tf`**: Uses locals instead of direct VPC module outputs |
| 265 | +6. **`outputs.tf`**: Returns correct values based on mode |
| 266 | + |
| 267 | +### Unified Locals |
| 268 | + |
| 269 | +The module uses locals to abstract the resource source: |
| 270 | + |
| 271 | +```hcl |
| 272 | +locals { |
| 273 | + # Unifies VPC ID |
| 274 | + vpc_id = var.create_vpc ? module.vpc[0].vpc_id : var.vpc_id |
| 275 | +
|
| 276 | + # Unifies subnet IDs |
| 277 | + private_subnet_ids = var.create_vpc ? module.vpc[0].private_subnets : var.private_subnet_ids |
| 278 | + public_subnet_ids = var.create_vpc ? module.vpc[0].public_subnets : var.public_subnet_ids |
| 279 | +
|
| 280 | + # Route tables for VPC endpoints |
| 281 | + private_route_table_ids = var.create_vpc ? |
| 282 | + module.vpc[0].private_route_table_ids : |
| 283 | + data.aws_route_tables.existing_private[0].ids |
| 284 | +} |
| 285 | +``` |
| 286 | + |
| 287 | +## Troubleshooting |
| 288 | + |
| 289 | +### Error: "No private subnets found" |
| 290 | + |
| 291 | +**Cause**: Filters in `data.aws_subnets.private` don't match your tags |
| 292 | + |
| 293 | +**Solution**: Adjust filters to match your tagging convention: |
| 294 | +```hcl |
| 295 | +data "aws_subnets" "private" { |
| 296 | + filter { |
| 297 | + name = "vpc-id" |
| 298 | + values = [data.aws_vpc.existing.id] |
| 299 | + } |
| 300 | + # Adjust these tags for your VPC |
| 301 | + tags = { |
| 302 | + Tier = "Private" # or whatever tag you use |
| 303 | + } |
| 304 | +} |
| 305 | +``` |
| 306 | + |
| 307 | +### Error: "Nodes not joining cluster" |
| 308 | + |
| 309 | +**Possible causes**: |
| 310 | +1. NAT Gateway not configured correctly |
| 311 | +2. Security groups blocking traffic |
| 312 | +3. Subnets missing correct tags |
| 313 | + |
| 314 | +**Solution**: Verify: |
| 315 | +```bash |
| 316 | +# Check route tables |
| 317 | +aws ec2 describe-route-tables --filters "Name=vpc-id,Values=vpc-xxx" |
| 318 | + |
| 319 | +# Check NAT Gateway |
| 320 | +aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=vpc-xxx" |
| 321 | + |
| 322 | +# Check subnet tags |
| 323 | +aws ec2 describe-subnets --subnet-ids subnet-xxx |
| 324 | +``` |
| 325 | + |
| 326 | +### Error: "Failed to create load balancer" |
| 327 | + |
| 328 | +**Cause**: Subnets don't have the required EKS tags |
| 329 | + |
| 330 | +**Solution**: Add tags to subnets: |
| 331 | +```bash |
| 332 | +# For public subnets |
| 333 | +aws ec2 create-tags --resources subnet-xxx \ |
| 334 | + --tags Key=kubernetes.io/role/elb,Value=1 |
| 335 | + |
| 336 | +# For private subnets |
| 337 | +aws ec2 create-tags --resources subnet-xxx \ |
| 338 | + --tags Key=kubernetes.io/role/internal-elb,Value=1 |
| 339 | +``` |
| 340 | + |
| 341 | +## Cost Considerations |
| 342 | + |
| 343 | +### Create VPC Mode |
| 344 | +- NAT Gateway: ~$32/month + data transfer |
| 345 | +- VPC Endpoints: ~$7/month per endpoint (optional) |
| 346 | + |
| 347 | +### BYO VPC Mode |
| 348 | +- Costs depend on your existing infrastructure |
| 349 | +- You can share NAT Gateway with other resources |
| 350 | +- Potential savings if you already have infrastructure |
| 351 | + |
| 352 | +## Frequently Asked Questions |
| 353 | + |
| 354 | +**Q: Can I use a VPC in a different account?** |
| 355 | +A: Not directly. You would need to configure VPC peering or Transit Gateway. |
| 356 | + |
| 357 | +**Q: Can I mix created and existing subnets?** |
| 358 | +A: No. You must use `create_vpc = true` (all created) or `create_vpc = false` (all existing). |
| 359 | + |
| 360 | +**Q: Does the module modify my existing VPC?** |
| 361 | +A: No. The module only reads information from your VPC. It can create resources within it (EKS, ENIs, etc.) but doesn't modify the VPC or subnets. |
| 362 | + |
| 363 | +**Q: What about existing VPC endpoints?** |
| 364 | +A: If your VPC already has an S3 endpoint, set `create_s3_endpoint = false`. The module will detect it automatically. |
| 365 | + |
| 366 | +**Q: Can I use only some of my subnets?** |
| 367 | +A: Yes, specify only the IDs of the subnets you want to use in `private_subnet_ids` and `public_subnet_ids`. |
0 commit comments