maintainer_notes.md

File metadata and controls

70 lines (52 loc) · 4.84 KB

Thoughtworks Logo
DPS Title

# psk-aws-iam-profiles

## maintainers notes

### conventions

Each cluster in a platform instance has a dedicated VPC. The naming convention assumes VPCs are named `<cluster name>-vpc`. This makes it possible to fetch VPC information later knowing only the cluster instance name.

### architecture

#### vpc subnet structure

A typical single-cluster VPC definition:

| vpc | region | az | az | az |
|---|---|---|---|---|
| | us-east-1 | us-east-1a | us-east-1b | us-east-1c |
| sbx-i01-aws-us-east-1 | 10.80.0.0/16 | | | |
| private | | 10.80.0.0/18 | 10.80.64.0/18 | 10.80.128.0/18 |
| private-ingress* | | X.X.X.X/28 | X.X.X.X/28 | X.X.X.X/28 |
| public-ingress | | 10.80.240.0/26 | 10.80.240.64/26 | 10.80.240.128/26 |
| database | | 10.80.192.0/20 | 10.80.208.0/20 | 10.80.224.0/20 |

In this example, the private-ingress range is an allocation from what would be the enterprise shared network space. Load balancers can be placed on the private-ingress subnet, which can be made routable across the enterprise shared network as needed. This subnet would also host private NAT gateways, with routing table rules that make the primary VPC CIDR effectively non-routable from the rest of the network. CIDR ranges should not overlap amongst clusters of the same role, but the CIDR space of one role may in general overlap with that of other roles, since all traffic leaving the cluster is NAT'd (privately or publicly) and all inbound traffic arrives only through load balancers in either the private or public ingress subnet.

\*When using a private network for ingress, the recommendation is to use an additional associated CIDR from the organization's private network IP space, together with private NAT gateways and routing rules for transit or direct network peering, so that the full VPC CIDR assigned to the cluster is effectively isolated from the rest of the organizational network. This simplifies IP management within the cluster, as only a small number of IPs need to be rationalized with the rest of the organization.
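The conventions above (the `<cluster name>-vpc` naming rule, subnets inside the VPC or its associated CIDR, no overlap within a VPC, and no overlap between VPC CIDRs of clusters sharing a role) are easy to break by hand when a new cluster is added. The script below is an added example, not code from this repo: it encodes those rules as a plan check that can run locally or as a pipeline step. The sample plan is constructed from the table in this document; the `192.168.250.0/26` associated range stands in for the `X.X.X.X/28` placeholders, and the second `sbx-i02-...` cluster is made up to exercise the same-role overlap check.

```python
"""Added example: sanity-check a cluster CIDR plan against the maintainer conventions.

Rules checked (all taken from the notes above):
  * every subnet sits inside its cluster VPC CIDR or one of the associated CIDRs,
  * subnets within one VPC do not overlap,
  * VPC CIDRs of clusters with the same role do not overlap
    (different roles MAY overlap: egress is NAT'd and ingress is via LBs only).
"""
from __future__ import annotations

from ipaddress import ip_network
from itertools import combinations

VPC_NAME_SUFFIX = "-vpc"


def vpc_name(cluster: str) -> str:
    """Naming convention: the VPC of a cluster is '<cluster name>-vpc'."""
    return f"{cluster}{VPC_NAME_SUFFIX}"


def cluster_name_from_vpc(vpc: str) -> str:
    """Inverse of vpc_name(); rejects names that do not follow the convention."""
    if not vpc.endswith(VPC_NAME_SUFFIX):
        raise ValueError(f"{vpc!r} does not follow the <cluster>-vpc convention")
    return vpc[: -len(VPC_NAME_SUFFIX)]


# Constructed sample plan: role -> cluster -> spec. The private-ingress subnets
# come from the associated enterprise range (extra_cidrs), not the VPC cidr.
PLAN = {
    "sbx": {
        "sbx-i01-aws-us-east-1": {
            "cidr": "10.80.0.0/16",
            "extra_cidrs": ["192.168.250.0/26"],  # placeholder for the X.X.X.X range
            "subnets": {
                "private": ["10.80.0.0/18", "10.80.64.0/18", "10.80.128.0/18"],
                "private-ingress": ["192.168.250.0/28", "192.168.250.16/28", "192.168.250.32/28"],
                "public-ingress": ["10.80.240.0/26", "10.80.240.64/26", "10.80.240.128/26"],
                "database": ["10.80.192.0/20", "10.80.208.0/20", "10.80.224.0/20"],
            },
        },
        "sbx-i02-aws-us-east-1": {  # constructed second cluster of the same role
            "cidr": "10.81.0.0/16",
            "extra_cidrs": [],
            "subnets": {"private": ["10.81.0.0/18"]},
        },
    },
}


def check_cluster(cluster: str, spec: dict) -> list[str]:
    """Containment and intra-VPC overlap checks for one cluster."""
    problems: list[str] = []
    containers = [ip_network(spec["cidr"])] + [ip_network(c) for c in spec.get("extra_cidrs", [])]
    all_subnets = []
    for tier, cidrs in spec["subnets"].items():
        for c in cidrs:
            net = ip_network(c)  # strict: rejects host bits set in a network address
            if not any(net.subnet_of(cont) for cont in containers):
                problems.append(f"{cluster}: {tier} {net} is outside the VPC and associated CIDRs")
            all_subnets.append((tier, net))
    for (t1, a), (t2, b) in combinations(all_subnets, 2):
        if a.overlaps(b):
            problems.append(f"{cluster}: {t1} {a} overlaps {t2} {b}")
    return problems


def check_plan(plan: dict) -> list[str]:
    """Run per-cluster checks plus the same-role VPC CIDR disjointness rule."""
    problems: list[str] = []
    for role, clusters in plan.items():
        for cluster, spec in clusters.items():
            problems += check_cluster(cluster, spec)
        for (c1, s1), (c2, s2) in combinations(clusters.items(), 2):
            if ip_network(s1["cidr"]).overlaps(ip_network(s2["cidr"])):
                problems.append(
                    f"role {role}: {vpc_name(c1)} {s1['cidr']} overlaps {vpc_name(c2)} {s2['cidr']}"
                )
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan OK"]:
        print(line)
```

Running it against the sample plan prints `plan OK`; adding a cluster whose VPC CIDR overlaps another cluster of the same role, or a subnet outside the VPC, produces one line per violation, which is what you would want a pre-commit hook or pipeline stage to fail on.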

### terraform modules

Uses the following AWS official Terraform modules (check for updates):

- `terraform-aws-modules/vpc/aws`

### local engineering practice additions or notes (see lab-documentation for standard practices and ADRs)

1. Specific `.gitignore` entries:
   - Ignore all `*.auto.tfvars.json` files. These are autogenerated during the pipeline run and are ignored so that local testing does not accidentally cause problems for the pipeline.
   - Local Python and Ruby environment config is ignored.
   - Credential information generated at runtime but not maintained is ignored, to prevent local development from accidentally pushing secrets into the repo.
2. Pre-commit checks. In addition to typical linting and style checks, several Terraform code checks are run. This aligns with the static checks performed in the pipeline.

### Tools used in this repo or by the pipeline