This message was deleted Pulumi Community #aws

Join Slack

This message was deleted.

# aws

sparse-intern-71089

10/03/2023, 8:47 PM

This message was deleted.

icy-dress-83371

10/04/2023, 1:35 PM

I’d love to be able to use awsx components as some of the heavy lifting is taken care of, but so far the only things I can think of is using pure

pulumi_aws

components and build each piece myself. Creating the VPC, then adding the additional cidr block, followed by the subnets, then everything else like nat gateway and internet gateway.

billowy-army-68599

10/04/2023, 2:37 PM

@icy-dress-83371 how would this look in terraform? How would you instantiate the module?

icy-dress-83371

10/04/2023, 2:48 PM

My invocation of the module would looks something like this:

Copy code

locals {
  cluster_name = "${var.name}-${var.environment}"
  region       = var.aws_region
  sliced_azs   = slice(data.aws_availability_zones.available_azs.zone_ids, 0, var.number_of_azs)
  subnet_group_count  = 3

  tags = {
    Environment         = var.environment
  }
}

data "aws_availability_zones" "available_azs" {
  state = "available"
  exclude_names = [ "us-east-1e" ] #us-east-1e was not supporting EKS deployment
}

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  name                  = "${var.name}-${var.environment}-vpc"
  cidr                  = var.primary_vpc_cidr
  secondary_cidr_blocks = [var.secondary_vpc_cidr]
  azs                   = local.sliced_azs
  enable_nat_gateway    = true
  single_nat_gateway    = true
  enable_dns_hostnames  = true

  private_subnets = [
    for netnumber in range(0, length(local.sliced_azs)): 
        cidrsubnet(var.primary_vpc_cidr, ceil(log(length(local.sliced_azs) * local.subnet_group_count, 2)), netnumber) 
  ]

  public_subnets = [
    for netnumber in range(length(local.sliced_azs), length(local.sliced_azs) * 2): 
        cidrsubnet(var.primary_vpc_cidr, ceil(log(length(local.sliced_azs) * local.subnet_group_count, 2)), netnumber)
  ]

  intra_subnets = [
    for netnumber in range(length(local.sliced_azs) * 2, length(local.sliced_azs)): 
        cidrsubnet(var.secondary_vpc_cidr, ceil(log(length(local.sliced_azs) * local.subnet_group_count, 2)), netnumber)
  ]

  tags = {
    "<http://kubernetes.io/cluster/${local.cluster_name}|kubernetes.io/cluster/${local.cluster_name}>" = "shared"
  }
  public_subnet_tags = {
    "<http://kubernetes.io/cluster/${local.cluster_name}-primary|kubernetes.io/cluster/${local.cluster_name}-primary>" = "shared"
    "<http://kubernetes.io/role/elb|kubernetes.io/role/elb>"                    = "1"
  }
  private_subnet_tags = {
    "<http://kubernetes.io/cluster/${local.cluster_name}-primary|kubernetes.io/cluster/${local.cluster_name}-primary>" = "shared"
    "<http://kubernetes.io/role/internal-elb|kubernetes.io/role/internal-elb>"           = "1"
  }
}

icy-dress-83371

10/04/2023, 2:55 PM

This allowed me to setup both the public and private subnets in my primary vpc cidr, where I will have LB’s, NAT and IGWs, etc. Then I would setup my eks cluster later to be within the intra subnet, which uses my secondary cidr. This was to help me get ahead of the issues of IP exhaustion in eks clusters.

icy-dress-83371

10/04/2023, 2:58 PM

While I can visualize how I would set this up using the AWS Classic format, and create each component manually, I was hoping to be able to use more of the awsx stuff, which automated a bit of the heavy lifting, but seems to remove some of the functionality of rolling it myself.

billowy-army-68599

10/04/2023, 3:00 PM

ah, I see. We don’t support secondary cidr blocks on

awsx.ec2.Vpc

as a native input. However, you should be able to do this, because it’s just a resource https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/main.tf#L53

billowy-army-68599

10/04/2023, 3:00 PM

give me half an hour and I’ll see if I can come up with something

icy-dress-83371

10/04/2023, 3:04 PM

Yeah, I have tried to add it as an additional component in my code above as you can see, and that works fine, but then there is a circular dependency. The

aws.ec2.VpcIpv4CidrBlockAssociation

requires a vpc_id. But in order for the VPC to be built (at least using

awsx.ec2.Vpc

) I need to provide subnet specs. I also don’t see how I would set the actual cidr for each subnet, when it only seems to allow a cidr_mask.

billowy-army-68599

10/04/2023, 3:10 PM

You will likely have to define the intra subnet yourself, not as an isolated subnet within the awsx.ec2.Vpc resource

icy-dress-83371

10/04/2023, 3:11 PM

Maybe I am just looking at this the wrong way, and am trying to use awsx when I shouldn’t be? Is there a maor benefit to trying to use the awsx components rather than just rolling my own with aws classic?

billowy-army-68599

10/04/2023, 3:21 PM

awsx is meant to solve the problem of a fairly simple VPC with public and private subnets. For your use case, you can bootstrap the public and private with awsx and then add your intra subnets

billowy-army-68599

10/04/2023, 3:21 PM

something like this

Copy code

"""An AWS Python Pulumi program"""

import pulumi
import pulumi_aws as aws
import pulumi_awsx as awsx

vpc = awsx.ec2.Vpc(
    "vpc",
    cidr_block="10.0.0.0/16",
    subnet_specs=[
        awsx.ec2.SubnetSpecArgs(
            cidr_mask=22,
            type="public",
        ),
        awsx.ec2.SubnetSpecArgs(
            cidr_mask=22,
            type="private",
        ),
    ],
)

secondary_block = aws.ec2.VpcIpv4CidrBlockAssociation(
    "secondaryBlock", vpc_id=vpc.vpc_id, cidr_block="10.0.20.0/22"
)

intra = aws.ec2.Subnet(
    "intra",
    vpc_id=vpc.vpc_id,
    cidr_block=secondary_block.cidr_block,
)

intra_rt = aws.ec2.RouteTable(
    "intra",
    vpc_id=vpc.vpc_id,
)

intra_rt_associ = aws.ec2.RouteTableAssociation(
    "intra",
    route_table_id=intra_rt.id,
    subnet_id=intra.id,
)

icy-dress-83371

10/04/2023, 3:26 PM

Yeah, that makes sense. I guess my only question is, is it worth bootstrapping the first portions with awsx. I guess the only thing I am really gaining is the automatic creation of the route tables and NAT for the public and private.

billowy-army-68599

10/04/2023, 3:27 PM

if you’re happy creating your own vpc, you’ll get more flexibility doing it yourself

icy-dress-83371

10/04/2023, 3:32 PM

Yeah, it seems so. I think I was putting too much stake in the awsx side of things. Coming from a terraform world, I saw it as the alternative to TF modules. But I think it is really more of an “Easy Button” for the most basic implementation of that resource.

billowy-army-68599

10/04/2023, 3:33 PM

personally I never used terraform modules, they broke all the time and they essentially just plumb every possibly API element through to the user, so it ended up being harded to understand what was happening. But that’s just me..

icy-dress-83371

10/04/2023, 3:34 PM

Yeah, sometimes they aren’t great, the ones I used the most was the VPC, but I think that was just because I didn’t want to write all the rest myself.

👍 1

icy-dress-83371

10/04/2023, 3:34 PM

Thanks for the insight, and I appreciate your time. BTW… Epic last name…

billowy-army-68599

10/04/2023, 3:39 PM

ha! Briggs originates where I grew up, so run across a lot them. Where are you based?

icy-dress-83371

10/04/2023, 3:41 PM

Toronto, Canada, but my family comes from Scotland

billowy-army-68599

10/04/2023, 3:43 PM

welcome to the community in any case! Let me know how else we can help, and sorry for the delay initially

28 Views

Open in Slack

Previous Next