Facets-cloud
diff --git a/‎aws/network/aws_network/1.0/README.md‎
Lines changed: 36 additions & 0 deletions b/‎aws/network/aws_network/1.0/README.md‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎aws/network/aws_network/1.0/facets.yaml‎
Lines changed: 179 additions & 0 deletions b/‎aws/network/aws_network/1.0/facets.yaml‎
Lines changed: 179 additions & 0 deletions
diff --git a/‎aws/network/aws_network/1.0/locals.tf‎
Lines changed: 132 additions & 0 deletions b/‎aws/network/aws_network/1.0/locals.tf‎
Lines changed: 132 additions & 0 deletions
@@ -0,0 +1,36 @@
+# AWS VPC Network Module
+
+## Overview
+
+The AWS VPC module creates a Kubernetes-optimized Virtual Private Cloud with auto-calculated subnets across availability zones. This module provides a production-ready network foundation with fixed IP allocation patterns optimized for Kubernetes workloads, including private, public, and database subnets with comprehensive VPC endpoint support.
+
+## Configurability
+
+- **VPC Configuration**: 
+  - Fixed /16 CIDR block allocation optimized for Kubernetes workloads
+  - Automatic availability zone selection (3 AZs) or manual specification (2-5 AZs)
+  - Pre-calculated subnet allocations: Private (8K IPs/AZ), Public (256 IPs/AZ), Database (256 IPs/AZ)
+- **NAT Gateway Strategy**: Choose between single NAT Gateway for cost optimization or per-AZ NAT Gateways for high availability
+- **VPC Endpoints**: Comprehensive AWS service endpoint configuration including:
+  - **Gateway Endpoints** (no additional charges): S3, DynamoDB
+  - **Interface Endpoints** (charges apply): ECR API/Docker, EKS, EC2, SSM, KMS, CloudWatch, STS, Lambda
+  - Cost-optimized defaults with optional premium endpoints
+- **Network Security**: Built-in security groups and NACLs optimized for Kubernetes traffic patterns
+- **Validation & UI Enhancements**:
+  - CIDR block validation ensuring /16 allocation
+  - Availability zone count validation (2-5 AZs)
+  - Toggle-based endpoint configuration with cost awareness
+  - YAML editor for custom tagging and advanced configurations
+
+## Usage
+
+This module is designed as the foundational network layer for Kubernetes workloads on AWS.
+
+Common use cases:
+
+- Creating secure, isolated network environments for Kubernetes clusters
+- Implementing cost-optimized networking with strategic VPC endpoint placement
+- Supporting multi-AZ deployments with proper subnet allocation for high availability
+- Enabling secure container registry access with ECR VPC endpoints
+- Reducing data transfer costs through strategic VPC endpoint configuration
+- Supporting enterprise compliance requirements with private networking and endpoint security
@@ -0,0 +1,179 @@
+intent: network
+flavor: aws_network
+version: '1.0'
+description: Creates a Kubernetes-optimized AWS VPC with auto-calculated subnets across
+  availability zones. Fixed allocation - Private (8K IPs/AZ), Public (256 IPs/AZ),
+  Database (256 IPs/AZ)
+clouds:
+- aws
+spec:
+  type: object
+  properties:
+    vpc_cidr:
+      type: string
+      title: VPC CIDR Block
+      description: CIDR block for the VPC (must be /16 for optimal Kubernetes workloads)
+      pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}/16$
+      x-ui-overrides-only: true
+      x-ui-error-message: VPC CIDR must be a /16 block (e.g., 10.0.0.0/16)
+      x-ui-placeholder: 10.0.0.0/16
+    auto_select_azs:
+      type: boolean
+      title: Auto Select Availability Zones
+      description: Automatically select 3 availability zones from the region
+      default: true
+    availability_zones:
+      type: array
+      title: Availability Zones
+      description: List of availability zones to use (2-5 AZs supported). Only used
+        when auto_select_azs is false
+      x-ui-overrides-only: true
+      x-ui-visible-if:
+        field: spec.auto_select_azs
+        values:
+        - false
+      minItems: 2
+      maxItems: 5
+    nat_gateway:
+      type: object
+      title: NAT Gateway Configuration
+      properties:
+        strategy:
+          type: string
+          title: NAT Gateway Strategy
+          description: Choose whether to create one NAT Gateway or one per availability
+            zone
+          enum:
+          - single
+          - per_az
+          default: single
+      required:
+      - strategy
+    vpc_endpoints:
+      type: object
+      title: VPC Endpoints Configuration
+      description: Configure VPC endpoints for AWS services to reduce data transfer
+        costs and improve security
+      x-ui-toggle: true
+      properties:
+        enable_s3:
+          type: boolean
+          title: Enable S3 VPC Endpoint
+          description: Create a Gateway endpoint for Amazon S3 (no additional charges)
+          default: true
+        enable_dynamodb:
+          type: boolean
+          title: Enable DynamoDB VPC Endpoint
+          description: Create a Gateway endpoint for Amazon DynamoDB (no additional
+            charges)
+          default: true
+        enable_ecr_api:
+          type: boolean
+          title: Enable ECR API VPC Endpoint
+          description: Create an Interface endpoint for Amazon ECR API (charges apply)
+          default: true
+        enable_ecr_dkr:
+          type: boolean
+          title: Enable ECR Docker VPC Endpoint
+          description: Create an Interface endpoint for Amazon ECR Docker registry
+            (charges apply)
+          default: true
+        enable_eks:
+          type: boolean
+          title: Enable EKS VPC Endpoint
+          description: Create an Interface endpoint for Amazon EKS (charges apply)
+          default: false
+        enable_ec2:
+          type: boolean
+          title: Enable EC2 VPC Endpoint
+          description: Create an Interface endpoint for Amazon EC2 (charges apply)
+          default: false
+        enable_ssm:
+          type: boolean
+          title: Enable SSM VPC Endpoint
+          description: Create an Interface endpoint for AWS Systems Manager (charges
+            apply)
+          default: true
+        enable_ssm_messages:
+          type: boolean
+          title: Enable SSM Messages VPC Endpoint
+          description: Create an Interface endpoint for SSM Messages (charges apply)
+          default: true
+        enable_ec2_messages:
+          type: boolean
+          title: Enable EC2 Messages VPC Endpoint
+          description: Create an Interface endpoint for EC2 Messages (charges apply)
+          default: true
+        enable_kms:
+          type: boolean
+          title: Enable KMS VPC Endpoint
+          description: Create an Interface endpoint for AWS KMS (charges apply)
+          default: false
+        enable_logs:
+          type: boolean
+          title: Enable CloudWatch Logs VPC Endpoint
+          description: Create an Interface endpoint for CloudWatch Logs (charges apply)
+          default: false
+        enable_monitoring:
+          type: boolean
+          title: Enable CloudWatch Monitoring VPC Endpoint
+          description: Create an Interface endpoint for CloudWatch Monitoring (charges
+            apply)
+          default: false
+        enable_sts:
+          type: boolean
+          title: Enable STS VPC Endpoint
+          description: Create an Interface endpoint for AWS STS (charges apply)
+          default: false
+        enable_lambda:
+          type: boolean
+          title: Enable Lambda VPC Endpoint
+          description: Create an Interface endpoint for AWS Lambda (charges apply)
+          default: false
+    tags:
+      type: object
+      title: Additional Tags
+      description: Optional additional tags to apply to all VPC resources. These will
+        be merged with the standard environment tags.
+      x-ui-yaml-editor: true
+  required:
+  - vpc_cidr
+  - nat_gateway
+inputs:
+  cloud_account:
+    type: '@facets/aws_cloud_account'
+    displayName: Cloud Account
+    description: The AWS Cloud Account where the VPC will be created
+    optional: false
+    providers:
+    - aws
+outputs:
+  default:
+    type: '@facets/aws-vpc-details'
+sample:
+  kind: network
+  flavor: aws_network
+  version: '1.0'
+  spec:
+    vpc_cidr: 10.0.0.0/16
+    auto_select_azs: true
+    nat_gateway:
+      strategy: single
+    vpc_endpoints:
+      enable_s3: true
+      enable_dynamodb: true
+      enable_ecr_api: true
+      enable_ecr_dkr: true
+      enable_eks: false
+      enable_ec2: false
+      enable_ssm: true
+      enable_ssm_messages: true
+      enable_ec2_messages: true
+      enable_kms: false
+      enable_logs: false
+      enable_monitoring: false
+      enable_sts: false
+      enable_lambda: false
+iac:
+  validated_files:
+  - variables.tf
@@ -0,0 +1,132 @@
+# Data source to get all available AZs in the region
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+# Local values for simplified K8s-optimized calculations
+locals {
+  # Extract commonly used values to avoid repeated lookups
+  spec               = var.instance.spec
+  auto_select_azs    = lookup(local.spec, "auto_select_azs", true)
+  availability_zones = lookup(local.spec, "availability_zones", [])
+  vpc_cidr           = local.spec.vpc_cidr
+  nat_gateway        = local.spec.nat_gateway
+  vpc_endpoints_spec = lookup(local.spec, "vpc_endpoints", null)
+  tags_spec          = lookup(local.spec, "tags", {})
+  aws_region         = var.inputs.cloud_account.attributes.aws_region
+
+  # Determine which availability zones to use
+  selected_azs = local.auto_select_azs ? (
+    length(data.aws_availability_zones.available.names) >= 3 ?
+    slice(data.aws_availability_zones.available.names, 0, 3) :
+    data.aws_availability_zones.available.names
+  ) : local.availability_zones
+
+  # Validate AZ count (2-5 AZs supported)
+  num_azs           = length(local.selected_azs)
+  validate_az_count = local.num_azs >= 2 && local.num_azs <= 5 ? true : tobool("Number of AZs must be between 2 and 5 for /16 VPC")
+
+  # Fixed subnet allocation for K8s-optimized VPC
+  # VPC: /16 (65,536 IPs)
+  # Private: /19 per AZ (8,192 IPs) - for K8s pods + nodes + AWS services
+  # Public: /24 per AZ (256 IPs) - for NAT + ALB
+  # Database: /24 per AZ (256 IPs) - for RDS + managed databases
+  vpc_prefix             = 16
+  private_subnet_prefix  = 19 # 8,192 IPs per AZ
+  public_subnet_prefix   = 24 # 256 IPs per AZ
+  database_subnet_prefix = 24 # 256 IPs per AZ
+
+  # Calculate newbits for cidrsubnets function
+  private_newbits  = local.private_subnet_prefix - local.vpc_prefix  # 19 - 16 = 3
+  public_newbits   = local.public_subnet_prefix - local.vpc_prefix   # 24 - 16 = 8
+  database_newbits = local.database_subnet_prefix - local.vpc_prefix # 24 - 16 = 8
+
+  # Create ordered list of newbits for cidrsubnets function
+  # Order: private subnets, public subnets, database subnets
+  all_subnet_newbits = concat(
+    [for i in range(local.num_azs) : local.private_newbits], # Private subnets
+    [for i in range(local.num_azs) : local.public_newbits],  # Public subnets
+    [for i in range(local.num_azs) : local.database_newbits] # Database subnets
+  )
+
+  # Generate all subnet CIDRs using cidrsubnets function - prevents overlaps
+  all_subnet_cidrs = cidrsubnets(local.vpc_cidr, local.all_subnet_newbits...)
+
+  # Extract subnet CIDRs by type
+  private_subnet_cidrs  = slice(local.all_subnet_cidrs, 0, local.num_azs)
+  public_subnet_cidrs   = slice(local.all_subnet_cidrs, local.num_azs, local.num_azs * 2)
+  database_subnet_cidrs = slice(local.all_subnet_cidrs, local.num_azs * 2, local.num_azs * 3)
+
+  # Create subnet mappings with AZ and CIDR (one subnet per type per AZ)
+  private_subnets = [
+    for az_index in range(local.num_azs) : {
+      az_index   = az_index
+      az         = local.selected_azs[az_index]
+      cidr_block = local.private_subnet_cidrs[az_index]
+    }
+  ]
+
+  public_subnets = [
+    for az_index in range(local.num_azs) : {
+      az_index   = az_index
+      az         = local.selected_azs[az_index]
+      cidr_block = local.public_subnet_cidrs[az_index]
+    }
+  ]
+
+  database_subnets = [
+    for az_index in range(local.num_azs) : {
+      az_index   = az_index
+      az         = local.selected_azs[az_index]
+      cidr_block = local.database_subnet_cidrs[az_index]
+    }
+  ]
+
+  # Calculate IP allocation summary
+  total_private_ips  = local.num_azs * 8192
+  total_public_ips   = local.num_azs * 256
+  total_database_ips = local.num_azs * 256
+  total_used_ips     = local.total_private_ips + local.total_public_ips + local.total_database_ips
+  reserved_ips       = 65536 - local.total_used_ips
+
+  # VPC endpoints configuration with defaults
+  vpc_endpoints = local.vpc_endpoints_spec != null ? local.vpc_endpoints_spec : {
+    enable_s3           = true
+    enable_dynamodb     = true
+    enable_ecr_api      = true
+    enable_ecr_dkr      = true
+    enable_eks          = false
+    enable_ec2          = false
+    enable_ssm          = true
+    enable_ssm_messages = true
+    enable_ec2_messages = true
+    enable_kms          = false
+    enable_logs         = false
+    enable_monitoring   = false
+    enable_sts          = false
+    enable_lambda       = false
+  }
+
+  # Resource naming prefix
+  name_prefix = "${var.environment.unique_name}-${var.instance_name}"
+
+  # Common tags
+  common_tags = merge(
+    var.environment.cloud_tags,
+    local.tags_spec,
+    {
+      Name        = local.name_prefix
+      Environment = var.environment.name
+    }
+  )
+
+  # EKS tags for public subnets (for external load balancers)
+  eks_public_tags = {
+    "kubernetes.io/role/elb" = "1"
+  }
+
+  # EKS tags for private subnets (for internal load balancers)
+  eks_private_tags = {
+    "kubernetes.io/role/internal-elb" = "1"
+  }
+}