From 01758c7ff77d3a1b69054c9d287ebdfbfe70f19d Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 20:20:57 +0700
Subject: [PATCH 1/6] feat: add tf modules and dev environment

---
 backend/main.tf                   | 188 ++++++++++++
 backend/outputs.tf                |  14 +
 backend/variables.tf              |  19 ++
 env/dev/backend.tf                |  21 ++
 env/dev/main.tf                   | 120 ++++++++
 env/dev/outputs.tf                |  34 +++
 env/dev/variables.tf              | 131 ++++++++
 modules/bastion/main.tf           |  60 ++++
 modules/bastion/outputs.tf        |   9 +
 modules/bastion/variables.tf      |  45 +++
 modules/ecr/main.tf               |  69 +++++
 modules/ecr/outputs.tf            |   4 +
 modules/ecr/variables.tf          |  24 ++
 modules/eks-access/main.tf        |  22 ++
 modules/eks-access/outputs.tf     |  14 +
 modules/eks-access/variables.tf   |  34 +++
 modules/eks/main.tf               | 492 ++++++++++++++++++++++++++++++
 modules/eks/outputs.tf            |  34 +++
 modules/eks/variables.tf          |  81 +++++
 modules/kms/main.tf               |  87 ++++++
 modules/kms/outputs.tf            |   9 +
 modules/kms/variables.tf          |  14 +
 modules/ssm/main.tf               |  27 ++
 modules/ssm/outputs.tf            |  14 +
 modules/ssm/variables.tf          |   9 +
 modules/vpc-endpoint/main.tf      | 221 ++++++++++++++
 modules/vpc-endpoint/outputs.tf   |  88 ++++++
 modules/vpc-endpoint/variables.tf |  40 +++
 modules/vpc/main.tf               | 151 +++++++++
 modules/vpc/outputs.tf            |  29 ++
 modules/vpc/variables.tf          |  34 +++
 templates/bootstrap.sh.tpl        |  10 +
 templates/nodeadm.yml.tpl         |  17 ++
 33 files changed, 2165 insertions(+)
 create mode 100644 backend/main.tf
 create mode 100644 backend/outputs.tf
 create mode 100644 backend/variables.tf
 create mode 100644 env/dev/backend.tf
 create mode 100644 env/dev/main.tf
 create mode 100644 env/dev/outputs.tf
 create mode 100644 env/dev/variables.tf
 create mode 100644 modules/bastion/main.tf
 create mode 100644 modules/bastion/outputs.tf
 create mode 100644 modules/bastion/variables.tf
 create mode 100644 modules/ecr/main.tf
 create mode 100644 modules/ecr/outputs.tf
 create mode 100644 modules/ecr/variables.tf
 create mode 100644 modules/eks-access/main.tf
 create mode 100644 modules/eks-access/outputs.tf
 create mode 100644 modules/eks-access/variables.tf
 create mode 100644 modules/eks/main.tf
 create mode 100644 modules/eks/outputs.tf
 create mode 100644 modules/eks/variables.tf
 create mode 100644 modules/kms/main.tf
 create mode 100644 modules/kms/outputs.tf
 create mode 100644 modules/kms/variables.tf
 create mode 100644 modules/ssm/main.tf
 create mode 100644 modules/ssm/outputs.tf
 create mode 100644 modules/ssm/variables.tf
 create mode 100644 modules/vpc-endpoint/main.tf
 create mode 100644 modules/vpc-endpoint/outputs.tf
 create mode 100644 modules/vpc-endpoint/variables.tf
 create mode 100644 modules/vpc/main.tf
 create mode 100644 modules/vpc/outputs.tf
 create mode 100644 modules/vpc/variables.tf
 create mode 100644 templates/bootstrap.sh.tpl
 create mode 100644 templates/nodeadm.yml.tpl

diff --git a/backend/main.tf b/backend/main.tf
new file mode 100644
index 0000000..aff6fdb
--- /dev/null
+++ b/backend/main.tf
@@ -0,0 +1,188 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.83.1"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "devopslite-tf-state"
+    key            = "s3-backend/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "devopslite-tf-state"
+  }
+}
+
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+resource "aws_s3_bucket" "tf_state_bucket" {
+  # checkov:skip=CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
+  # checkov:skip=CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
+  # checkov:skip=CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
+  # checkov:skip=CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
+  bucket        = "${var.project}-tf-state"
+  force_destroy = true
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-tf-state"
+    }
+  )
+}
+
+resource "aws_s3_bucket_public_access_block" "tf_bucket_public_access_block" {
+  bucket = aws_s3_bucket.tf_state_bucket.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+resource "aws_s3_bucket_ownership_controls" "tf_bucket_ownership_controls" {
+  depends_on = [
+    aws_s3_bucket.tf_state_bucket
+  ]
+
+  bucket = aws_s3_bucket.tf_state_bucket.id
+
+  rule {
+    object_ownership = "BucketOwnerEnforced"
+  }
+}
+
+resource "aws_s3_bucket_versioning" "tf_bucket_versioning" {
+  bucket = aws_s3_bucket.tf_state_bucket.id
+
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "tf_bucket_encryption" {
+  bucket = aws_s3_bucket.tf_state_bucket.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm     = "aws:kms"
+      kms_master_key_id = aws_kms_key.tf_kms_key.arn
+    }
+  }
+}
+
+resource "aws_kms_key" "tf_kms_key" {
+  description             = "The KMS key is used to encrypt the S3 bucket as a backend for terraform"
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name   = "${var.project}-tf-state-key"
+      Bucket = aws_s3_bucket.tf_state_bucket.arn
+    }
+  )
+}
+
+resource "aws_kms_alias" "tf_kms_key_alias" {
+  name          = "alias/${var.project}-${var.region}-kms-key"
+  target_key_id = aws_kms_key.tf_kms_key.key_id
+}
+
+resource "aws_kms_key_policy" "tf_kms_key_policy" {
+  key_id = aws_kms_key.tf_kms_key.key_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "key-default-1"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow administration of the key"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user"
+        },
+        Action = [
+          "kms:ReplicateKey",
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow use of the key"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user",
+          Service = [
+            "s3.amazonaws.com",
+            "dynamodb.amazonaws.com"
+          ]
+        },
+        Action = [
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyWithoutPlaintext"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_dynamodb_table" "terraform_dynamodb_table" {
+  name         = "${var.project}-tf-state"
+  hash_key     = "LockID"
+  billing_mode = "PAY_PER_REQUEST"
+
+  attribute {
+    name = "LockID"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  server_side_encryption {
+    enabled     = true
+    kms_key_arn = aws_kms_key.tf_kms_key.arn
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name   = "${var.project}-tf-state"
+      Bucket = aws_s3_bucket.tf_state_bucket.arn
+    }
+  )
+}
diff --git a/backend/outputs.tf b/backend/outputs.tf
new file mode 100644
index 0000000..6948ed2
--- /dev/null
+++ b/backend/outputs.tf
@@ -0,0 +1,14 @@
+output "bucket_name" {
+  description = "S3 bucket name"
+  value       = aws_s3_bucket.tf_state_bucket.bucket
+}
+
+output "bucket_arn" {
+  description = "S3 bucket ARN"
+  value       = aws_s3_bucket.tf_state_bucket.arn
+}
+
+output "dynamodb_name" {
+  description = "DynamoDB name"
+  value       = aws_dynamodb_table.terraform_dynamodb_table.name
+}
diff --git a/backend/variables.tf b/backend/variables.tf
new file mode 100644
index 0000000..9791758
--- /dev/null
+++ b/backend/variables.tf
@@ -0,0 +1,19 @@
+variable "region" {
+  description = "AWS region"
+  default     = "us-east-1"
+  type        = string
+}
+
+variable "project" {
+  description = "The project name to use for unique resource naming"
+  default     = "devopslite"
+  type        = string
+}
+
+variable "default_tags" {
+  type = map(string)
+  default = {
+    Provisioner = "terraform"
+    Project     = "devopslite"
+  }
+}
diff --git a/env/dev/backend.tf b/env/dev/backend.tf
new file mode 100644
index 0000000..3eb8742
--- /dev/null
+++ b/env/dev/backend.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.83.1"
+    }
+
+    tls = {
+      source  = "hashicorp/tls"
+      version = "4.0.6"
+    }
+  }
+
+  backend "s3" {
+    bucket         = "devopslite-tf-state"
+    key            = "dev/terraform.tfstate"
+    region         = "us-east-1"
+    encrypt        = true
+    dynamodb_table = "devopslite-tf-state"
+  }
+}
diff --git a/env/dev/main.tf b/env/dev/main.tf
new file mode 100644
index 0000000..0d91403
--- /dev/null
+++ b/env/dev/main.tf
@@ -0,0 +1,120 @@
+provider "aws" {
+  region = var.aws_region
+}
+
+module "vpc" {
+  source               = "../../modules/vpc"
+  aws_region           = var.aws_region
+  default_tags         = var.default_tags
+  project              = var.project
+  environment          = var.environment
+  private_subnets_cidr = var.private_subnets_cidr
+  public_subnets_cidr  = var.public_subnets_cidr
+  vpc_cidr             = var.vpc_cidr
+}
+
+module "vpc_endpoint" {
+  source          = "../../modules/vpc-endpoint"
+  aws_region      = var.aws_region
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  private_subnets = module.vpc.aws_subnets_private
+  route_table_ids = [module.vpc.private_route_table]
+  vpc_cidr        = [module.vpc.cidr_block]
+  vpc_id          = module.vpc.vpc_id
+
+  depends_on = [module.vpc]
+}
+
+module "kms" {
+  source       = "../../modules/kms"
+  default_tags = var.default_tags
+  project      = var.project
+  environment  = var.environment
+}
+
+module "ssm" {
+  source      = "../../modules/ssm"
+  project     = var.project
+  environment = var.environment
+}
+
+module "bastion" {
+  source                        = "../../modules/bastion"
+  default_tags                  = var.default_tags
+  project                       = var.project
+  environment                   = var.environment
+  ami_id                        = var.bastion_ami_id
+  bastion_instance_profile_name = module.ssm.ssm_instance_profile_name
+  instance_type                 = var.bation_instance_type
+  private_subnet_id             = module.vpc.aws_subnets_private[0]
+  vpc_cidr                      = [module.vpc.cidr_block]
+  vpc_id                        = module.vpc.vpc_id
+
+  depends_on = [
+    module.vpc,
+    module.ssm
+  ]
+}
+
+module "ecr_fe" {
+  source          = "../../modules/ecr"
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  kms_key_arn     = module.kms.kms_arn
+  repository_name = "devopslite-fe"
+
+  depends_on = [module.kms]
+}
+
+module "ecr_be" {
+  source          = "../../modules/ecr"
+  default_tags    = var.default_tags
+  project         = var.project
+  environment     = var.environment
+  kms_key_arn     = module.kms.kms_arn
+  repository_name = "devopslite-be"
+
+  depends_on = [module.kms]
+}
+
+module "eks" {
+  source                      = "../../modules/eks"
+  default_tags                = var.default_tags
+  project                     = var.project
+  environment                 = var.environment
+  bastion_sg_id               = module.bastion.bastion_sg_id
+  vpc_id                      = module.vpc.vpc_id
+  vpc_cidr                    = [module.vpc.cidr_block]
+  private_subnets             = module.vpc.aws_subnets_private
+  eks_cluster_version         = var.eks_cluster_version
+  kms_key_arn                 = module.kms.kms_arn
+  custom_ami_id               = var.custom_ami_id
+  node_group_name             = var.node_group_name
+  node_capacity_type          = var.node_capacity_type
+  node_instance_type          = var.node_instance_type
+  node_group_desired_capacity = var.node_group_desired_capacity
+  node_group_min_size         = var.node_group_min_size
+  node_group_max_size         = var.node_group_max_size
+
+  depends_on = [
+    module.vpc,
+    module.kms,
+    module.bastion
+  ]
+}
+
+module "eks_access" {
+  source            = "../../modules/eks-access"
+  project           = var.project
+  environment       = var.environment
+  access_entry_type = var.access_entry_type
+  access_scope_type = var.access_scope_type
+  kubernetes_groups = var.kubernetes_groups
+  policy_arn        = var.policy_arn
+  principal_arn     = var.principal_arn
+
+  depends_on = [module.eks]
+}
diff --git a/env/dev/outputs.tf b/env/dev/outputs.tf
new file mode 100644
index 0000000..ee2ca63
--- /dev/null
+++ b/env/dev/outputs.tf
@@ -0,0 +1,34 @@
+output "eks_cluster_endpoint" {
+  description = "The endpoint for the EKS cluster."
+  value       = module.eks.eks_cluster_endpoint
+}
+
+output "eks_cluster_id" {
+  description = "The ID of the EKS cluster."
+  value       = module.eks.eks_cluster_id
+}
+
+output "eks_cluster_oidc_issuer_url" {
+  description = "The OIDC issuer URL for the EKS cluster."
+  value       = module.eks.eks_cluster_oidc_issuer_url
+}
+
+output "eks_cluster_security_group_id" {
+  description = "The security group ID for the EKS cluster."
+  value       = module.eks.eks_cluster_security_group_id
+}
+
+output "eks_cluster_serviceaccount_role_arn" {
+  description = "The ARN of the IAM role used by service accounts in the EKS cluster."
+  value       = module.eks.eks_cluster_serviceaccount_role_arn
+}
+
+output "eks_node_group_arn" {
+  description = "The ARN of the EKS node group."
+  value       = module.eks.eks_node_group_arn
+}
+
+output "eks_node_group_role_arn" {
+  description = "The ARN of the IAM role used by the EKS node group."
+  value       = module.eks.eks_node_group_role_arn
+}
diff --git a/env/dev/variables.tf b/env/dev/variables.tf
new file mode 100644
index 0000000..0f5638f
--- /dev/null
+++ b/env/dev/variables.tf
@@ -0,0 +1,131 @@
+variable "access_entry_type" {
+  description = "Type of access entry (STANDARD, EC2, EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX)"
+  type        = string
+  default     = "STANDARD"
+}
+
+variable "access_scope_type" {
+  description = "Type of access scope (namespace or cluster)"
+  type        = string
+  default     = "cluster"
+}
+
+variable "aws_region" {
+  type    = string
+  default = "us-east-1"
+}
+
+variable "bastion_ami_id" {
+  description = "AMI ID for Bastion Host"
+  type        = string
+  default     = "ami-05576a079321f21f8" # Amazon Linux 2023 AMI
+}
+
+variable "bation_instance_type" {
+  description = "Instance type for bastion host"
+  type        = string
+  default     = "t3.micro"
+}
+
+variable "custom_ami_id" {
+  description = "Custom AMI ID for EKS nodes"
+  type        = string
+  default     = "ami-0476ff2866e16ac8a"
+}
+
+variable "default_tags" {
+  type = map(string)
+  default = {
+    Environment = "dev"
+    Provisioner = "terraform"
+    Project     = "devopslite"
+  }
+}
+
+variable "eks_cluster_version" {
+  description = "Kubernetes version for the EKS cluster"
+  type        = string
+  default     = "1.31"
+}
+
+variable "environment" {
+  type    = string
+  default = "dev"
+}
+
+variable "kubernetes_groups" {
+  description = "List of Kubernetes groups to grant access to the EKS cluster"
+  type        = list(string)
+  default     = ["admin"]
+}
+
+variable "node_capacity_type" {
+  description = "Capacity type for the EKS node group (ON_DEMAND or SPOT)"
+  type        = string
+  default     = "ON_DEMAND"
+}
+
+variable "node_group_desired_capacity" {
+  description = "Desired number of nodes in the EKS node group"
+  type        = number
+  default     = 2
+}
+
+variable "node_group_max_size" {
+  description = "Maximum number of nodes in the EKS node group"
+  type        = number
+  default     = 3
+}
+
+variable "node_group_min_size" {
+  description = "Minimum number of nodes in the EKS node group"
+  type        = number
+  default     = 1
+}
+
+variable "node_group_name" {
+  description = "Name of the EKS node group"
+  type        = string
+  default     = "ng"
+}
+
+variable "node_instance_type" {
+  description = "Instance type for the EKS nodes"
+  type        = string
+  default     = "t3.small"
+}
+
+variable "policy_arn" {
+  description = "ARN of the IAM policy to associate with the principal"
+  type        = string
+  default     = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
+}
+
+variable "principal_arn" {
+  description = "ARN of the principal to grant access to the EKS cluster"
+  type        = string
+  default     = null
+}
+
+variable "private_subnets_cidr" {
+  description = "CIDR blocks for the private subnets"
+  type        = list(string)
+  default     = ["172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24"]
+}
+
+variable "project" {
+  type    = string
+  default = "devopslite"
+}
+
+variable "public_subnets_cidr" {
+  description = "CIDR blocks for the public subnets"
+  type        = list(string)
+  default     = ["172.16.1.0/24", "172.16.2.0/24", "172.16.3.0/24"]
+}
+
+variable "vpc_cidr" {
+  description = "CIDR block for the VPC"
+  type        = string
+  default     = "172.16.0.0/16"
+}
diff --git a/modules/bastion/main.tf b/modules/bastion/main.tf
new file mode 100644
index 0000000..c48741b
--- /dev/null
+++ b/modules/bastion/main.tf
@@ -0,0 +1,60 @@
+data "aws_region" "current" {}
+
+resource "aws_security_group" "bastion_sg" {
+  name        = "${var.project}-${var.environment}-bastion-sg"
+  vpc_id      = var.vpc_id
+  description = "Security group for bastion host"
+  ingress {
+    description = "Allow SSH from VPC CIDR"
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.vpc_cidr
+  }
+  egress {
+    description = "Allow all traffic to all destinations"
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-bastion-sg"
+    }
+  )
+}
+
+resource "aws_instance" "bastion_host" {
+  # checkov:skip=CKV_AWS_126: "Ensure that detailed monitoring is enabled for EC2 instances"
+  ami                    = var.ami_id
+  instance_type          = var.instance_type
+  subnet_id              = var.private_subnet_id
+  vpc_security_group_ids = [aws_security_group.bastion_sg.id]
+  iam_instance_profile   = var.bastion_instance_profile_name
+  ebs_optimized          = true
+
+  metadata_options {
+    http_endpoint = "enabled"
+    http_tokens   = "required"
+  }
+
+  root_block_device {
+    encrypted = true
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-bastion-host"
+    }
+  )
+  user_data = base64encode(<<-EOF
+    #!/bin/bash
+    yum install -y https://s3.${data.aws_region.current.name}.amazonaws.com/amazon-ssm-${data.aws_region.current.name}/latest/linux_amd64/amazon-ssm-agent.rpm
+    systemctl enable amazon-ssm-agent
+    systemctl start amazon-ssm-agent
+    EOF
+  )
+}
diff --git a/modules/bastion/outputs.tf b/modules/bastion/outputs.tf
new file mode 100644
index 0000000..9fc848e
--- /dev/null
+++ b/modules/bastion/outputs.tf
@@ -0,0 +1,9 @@
+output "bastion_instance_id" {
+  value       = aws_instance.bastion_host.id
+  description = "The ID of bastion ec2 instance"
+}
+
+output "bastion_sg_id" {
+  value       = aws_security_group.bastion_sg.id
+  description = "The ID of bastion security group"
+}
diff --git a/modules/bastion/variables.tf b/modules/bastion/variables.tf
new file mode 100644
index 0000000..93c5bd1
--- /dev/null
+++ b/modules/bastion/variables.tf
@@ -0,0 +1,45 @@
+variable "ami_id" {
+  type        = string
+  description = "AMI ID for Bastion Host"
+}
+
+variable "bastion_instance_profile_name" {
+  type        = string
+  description = "Name of bastion IAM Instance Profile"
+}
+
+variable "default_tags" {
+  type        = map(string)
+  default     = {}
+  description = "The default tags to apply to resources"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment name"
+}
+
+variable "instance_type" {
+  type        = string
+  description = "Instance type for bastion host"
+}
+
+variable "private_subnet_id" {
+  type        = string
+  description = "ID of the private subnet"
+}
+
+variable "project" {
+  type        = string
+  description = "Project name"
+}
+
+variable "vpc_cidr" {
+  type        = list(string)
+  description = "VPC CIDR"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC"
+}
diff --git a/modules/ecr/main.tf b/modules/ecr/main.tf
new file mode 100644
index 0000000..8985d1e
--- /dev/null
+++ b/modules/ecr/main.tf
@@ -0,0 +1,69 @@
+resource "aws_ecr_repository" "repository" {
+  name                 = var.repository_name
+  image_tag_mutability = "IMMUTABLE"
+  force_delete         = true
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  encryption_configuration {
+    encryption_type = "KMS"
+    kms_key         = var.kms_key_arn
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-${var.repository_name}"
+    }
+  )
+}
+
+resource "aws_ecr_lifecycle_policy" "policy_untagged" {
+  repository = aws_ecr_repository.repository.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 1,
+            "description": "Expire images older than 7 days",
+            "selection": {
+                "tagStatus": "untagged",
+                "countType": "sinceImagePushed",
+                "countUnit": "days",
+                "countNumber": 7
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_ecr_lifecycle_policy" "policy_tagged" {
+  repository = aws_ecr_repository.repository.name
+
+  policy = <<EOF
+{
+    "rules": [
+        {
+            "rulePriority": 2,
+            "description": "Keep last 7 images",
+            "selection": {
+                "tagStatus": "tagged",
+                "tagPrefixList": ["v"],
+                "countType": "imageCountMoreThan",
+                "countNumber": 7
+            },
+            "action": {
+                "type": "expire"
+            }
+        }
+    ]
+}
+EOF
+}
diff --git a/modules/ecr/outputs.tf b/modules/ecr/outputs.tf
new file mode 100644
index 0000000..adbdd33
--- /dev/null
+++ b/modules/ecr/outputs.tf
@@ -0,0 +1,4 @@
+output "repository_url" {
+  description = "The URL of the repository (in the form aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName)"
+  value       = aws_ecr_repository.repository.repository_url
+}
diff --git a/modules/ecr/variables.tf b/modules/ecr/variables.tf
new file mode 100644
index 0000000..7def988
--- /dev/null
+++ b/modules/ecr/variables.tf
@@ -0,0 +1,24 @@
+variable "default_tags" {
+  description = "List of default tags to be used for each environment"
+  type        = map(string)
+}
+
+variable "environment" {
+  description = "Environment name used, for example: dev, staging, sandbox, uat, production"
+  type        = string
+}
+
+variable "kms_key_arn" {
+  description = "KMS key to encrypt the ECR repository"
+  type        = string
+}
+
+variable "project" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "repository_name" {
+  description = "Name of the ECR repository"
+  type        = string
+}
diff --git a/modules/eks-access/main.tf b/modules/eks-access/main.tf
new file mode 100644
index 0000000..fdb3545
--- /dev/null
+++ b/modules/eks-access/main.tf
@@ -0,0 +1,22 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  default_principal_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+}
+
+resource "aws_eks_access_entry" "eks_access_entry" {
+  cluster_name      = "${var.project}-${var.environment}-eks-cluster"
+  principal_arn     = var.principal_arn == null ? local.default_principal_arn : var.principal_arn
+  kubernetes_groups = var.kubernetes_groups
+  type              = var.access_entry_type
+}
+
+resource "aws_eks_access_policy_association" "eks_access_policy" {
+  cluster_name  = "${var.project}-${var.environment}-eks-cluster"
+  policy_arn    = var.policy_arn
+  principal_arn = var.principal_arn == null ? local.default_principal_arn : var.principal_arn
+
+  access_scope {
+    type = var.access_scope_type
+  }
+}
diff --git a/modules/eks-access/outputs.tf b/modules/eks-access/outputs.tf
new file mode 100644
index 0000000..0b7e8c1
--- /dev/null
+++ b/modules/eks-access/outputs.tf
@@ -0,0 +1,14 @@
+output "eks_access_entry_arn" {
+  description = "The ARN of the EKS access entry."
+  value       = aws_eks_access_entry.eks_access_entry.access_entry_arn
+}
+
+output "eks_access_entry_principal_arn" {
+  description = "The ARN of the principal associated with the EKS access entry."
+  value       = aws_eks_access_entry.eks_access_entry.principal_arn
+}
+
+output "eks_access_entry_type" {
+  description = "The type of access entry."
+  value       = aws_eks_access_entry.eks_access_entry.type
+}
diff --git a/modules/eks-access/variables.tf b/modules/eks-access/variables.tf
new file mode 100644
index 0000000..b2ae2a0
--- /dev/null
+++ b/modules/eks-access/variables.tf
@@ -0,0 +1,34 @@
+variable "access_entry_type" {
+  description = "Type of access entry (STANDARD, EC2, EC2_LINUX, EC2_WINDOWS, FARGATE_LINUX)"
+  type        = string
+}
+
+variable "access_scope_type" {
+  description = "Type of access scope (namespace or cluster)"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (e.g., dev, prod)"
+  type        = string
+}
+
+variable "kubernetes_groups" {
+  description = "List of Kubernetes groups to grant access to the EKS cluster"
+  type        = list(string)
+}
+
+variable "policy_arn" {
+  description = "ARN of the IAM policy to associate with the principal"
+  type        = string
+}
+
+variable "principal_arn" {
+  description = "ARN of the principal to grant access to the EKS cluster"
+  type        = string
+}
+
+variable "project" {
+  description = "Project name"
+  type        = string
+}
diff --git a/modules/eks/main.tf b/modules/eks/main.tf
new file mode 100644
index 0000000..b06eb8b
--- /dev/null
+++ b/modules/eks/main.tf
@@ -0,0 +1,492 @@
+#------------------------------------------------------------------------------
+# Data Sources
+#------------------------------------------------------------------------------
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_policy" "AmazonEC2ContainerRegistryPullOnly" {
+  arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryPullOnly"
+}
+
+data "aws_iam_policy" "AmazonEKSBlockStoragePolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"
+}
+
+data "aws_iam_policy" "AmazonEKSClusterPolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+}
+
+data "aws_iam_policy" "AmazonEKSComputePolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSComputePolicy"
+}
+
+data "aws_iam_policy" "AmazonEKSLoadBalancingPolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy"
+}
+
+data "aws_iam_policy" "AmazonEKSNetworkingPolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy"
+}
+
+data "aws_iam_policy" "AmazonEKSWorkerNodePolicy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
+}
+
+data "aws_iam_policy" "AmazonEKS_CNI_Policy" {
+  arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
+}
+
+data "aws_iam_policy" "AmazonSSMManagedInstanceCore" {
+  arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+data "tls_certificate" "eks_cluster_sa_tls" {
+  url = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
+}
+
+locals {
+  eks_custom_ami_userdata_templates = {
+    "bootstrap" = templatefile("${path.module}/../../templates/bootstrap.sh.tpl", { cluster_name = aws_eks_cluster.eks_cluster.name }),
+    "nodeadm" = templatefile("${path.module}/../../templates/nodeadm.yml.tpl", {
+      cluster_name         = aws_eks_cluster.eks_cluster.name,
+      endpoint             = aws_eks_cluster.eks_cluster.endpoint,
+      certificateAuthority = aws_eks_cluster.eks_cluster.certificate_authority[0].data,
+      cidr                 = aws_eks_cluster.eks_cluster.kubernetes_network_config[0].service_ipv4_cidr
+    }),
+  }
+}
+
+#------------------------------------------------------------------------------
+# Security Groups
+#------------------------------------------------------------------------------
+resource "aws_security_group" "eks_node_sg" {
+  name        = "${var.project}-${var.environment}-eks-node-sg"
+  vpc_id      = var.vpc_id
+  description = "Security group for EKS nodes"
+
+  ingress {
+    description = "Allow all traffic from VPC CIDR"
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = var.vpc_cidr
+  }
+
+  ingress {
+    description     = "Allow traffic from EKS Control Plane SG"
+    from_port       = 0
+    to_port         = 65535
+    protocol        = "tcp"
+    security_groups = [aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id]
+  }
+
+  egress {
+    description = "Allow all traffic to all destinations"
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-eks-node-sg"
+    }
+  )
+}
+
+resource "aws_security_group_rule" "eks_control_plane_ingress_rule" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 65535
+  protocol                 = "tcp"
+  security_group_id        = aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+  source_security_group_id = aws_security_group.eks_node_sg.id
+  description              = "Allow traffic from EKS node group to control plane"
+
+  depends_on = [
+    aws_security_group.eks_node_sg,
+    aws_eks_cluster.eks_cluster
+  ]
+}
+
+resource "aws_security_group_rule" "eks_control_plane_bastion_ingress_rule" {
+  type                     = "ingress"
+  from_port                = 0
+  to_port                  = 65535
+  protocol                 = "tcp"
+  security_group_id        = aws_eks_cluster.eks_cluster.vpc_config[0].cluster_security_group_id
+  source_security_group_id = var.bastion_sg_id
+  description              = "Allow traffic from EKS node group to control plane"
+
+  depends_on = [
+    aws_eks_cluster.eks_cluster
+  ]
+}
+
+#------------------------------------------------------------------------------
+# IAM Resources
+#------------------------------------------------------------------------------
+resource "aws_iam_role" "eks_cluster_role" {
+  name                  = "${var.project}_${var.environment}_eks_cluster_role"
+  description           = "IAM role for EKS cluster"
+  force_detach_policies = true
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = [
+          "sts:AssumeRole",
+          "sts:TagSession"
+        ],
+        Effect = "Allow",
+        Principal = {
+          Service = "eks.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSBlockStoragePolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSBlockStoragePolicy.arn
+  role       = aws_iam_role.eks_cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSClusterPolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSClusterPolicy.arn
+  role       = aws_iam_role.eks_cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSComputePolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSComputePolicy.arn
+  role       = aws_iam_role.eks_cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSLoadBalancingPolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSLoadBalancingPolicy.arn
+  role       = aws_iam_role.eks_cluster_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSNetworkingPolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSNetworkingPolicy.arn
+  role       = aws_iam_role.eks_cluster_role.name
+}
+
+resource "aws_iam_role" "eks_node_group_role" {
+  name        = "${var.project}_${var.environment}_eks_node_group_role"
+  description = "IAM role for EKS node group"
+
+  assume_role_policy = jsonencode({
+    Statement = [{
+      Action = "sts:AssumeRole"
+      Effect = "Allow"
+      Principal = {
+        Service = "ec2.amazonaws.com"
+      }
+    }]
+    Version = "2012-10-17"
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_node_group_AmazonEC2ContainerRegistryPullOnly" {
+  policy_arn = data.aws_iam_policy.AmazonEC2ContainerRegistryPullOnly.arn
+  role       = aws_iam_role.eks_node_group_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_node_group_AmazonEKSWorkerNodePolicy" {
+  policy_arn = data.aws_iam_policy.AmazonEKSWorkerNodePolicy.arn
+  role       = aws_iam_role.eks_node_group_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_node_group_AmazonEKS_CNI_Policy" {
+  policy_arn = data.aws_iam_policy.AmazonEKS_CNI_Policy.arn
+  role       = aws_iam_role.eks_node_group_role.name
+}
+
+resource "aws_iam_role_policy_attachment" "eks_node_group_AmazonSSMManagedInstanceCore" {
+  policy_arn = data.aws_iam_policy.AmazonSSMManagedInstanceCore.arn
+  role       = aws_iam_role.eks_node_group_role.name
+}
+
+resource "aws_iam_openid_connect_provider" "eks_cluster_sa_oidc_provider" {
+  client_id_list  = ["sts.amazonaws.com"]
+  thumbprint_list = [data.tls_certificate.eks_cluster_sa_tls.certificates[0].sha1_fingerprint]
+  url             = data.tls_certificate.eks_cluster_sa_tls.url
+}
+
+data "aws_iam_policy_document" "eks_cluster_sa_assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    effect  = "Allow"
+
+    condition {
+      test     = "StringEquals"
+      variable = "${replace(aws_iam_openid_connect_provider.eks_cluster_sa_oidc_provider.url, "https://", "")}:sub"
+      values   = ["system:serviceaccount:kube-system:aws-node"]
+    }
+
+    principals {
+      identifiers = [aws_iam_openid_connect_provider.eks_cluster_sa_oidc_provider.arn]
+      type        = "Federated"
+    }
+  }
+}
+
+resource "aws_iam_role" "eks_cluster_serviceaccount_role" {
+  name               = "${var.project}_${var.environment}_eks_serviceaccount_role"
+  description        = "IAM role for EKS service account"
+  assume_role_policy = data.aws_iam_policy_document.eks_cluster_sa_assume_role_policy.json
+}
+
+resource "aws_iam_policy" "eks_cluster_serviceaccount_vpc_cni_policy" {
+  name = "${var.project}_${var.environment}_EKSClusterServiceAccountVPCCniPolicy"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = [
+          "ec2:AssignPrivateIpAddresses",
+          "ec2:AttachNetworkInterface",
+          "ec2:CreateNetworkInterface",
+          "ec2:DeleteNetworkInterface",
+          "ec2:DescribeInstances",
+          "ec2:DescribeNetworkInterfaces",
+          "ec2:DetachNetworkInterface",
+          "ec2:ModifyNetworkInterfaceAttribute",
+          "ec2:UnassignPrivateIpAddresses"
+        ],
+        Effect = "Allow",
+        Resource = [
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:network-interface/*",
+          "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:instance/*"
+        ]
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "eks_cluster_serviceaccount_vpc_cni_policy_attachment" {
+  policy_arn = aws_iam_policy.eks_cluster_serviceaccount_vpc_cni_policy.arn
+  role       = aws_iam_role.eks_cluster_serviceaccount_role.name
+}
+
+resource "aws_iam_role" "ebs_csi_driver_role" {
+  name        = "${var.project}_${var.environment}_ebs_csi_driver_role"
+  description = "IAM role for EBS CSI driver"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRoleWithWebIdentity",
+        Principal = {
+          Federated = aws_iam_openid_connect_provider.eks_cluster_sa_oidc_provider.arn
+        },
+        Effect = "Allow",
+        Condition = {
+          StringEquals = {
+            "${replace(aws_iam_openid_connect_provider.eks_cluster_sa_oidc_provider.url, "https://", "")}:sub" = "system:serviceaccount:kube-system:ebs-csi-controller-sa"
+          }
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_policy" "ebs_csi_driver_policy" {
+  # checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
+  # checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
+  name        = "${var.project}_${var.environment}_ebs_csi_driver_policy"
+  description = "IAM policy for EBS CSI driver"
+
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = [
+          "ec2:AttachVolume",
+          "ec2:CreateSnapshot",
+          "ec2:CreateTags",
+          "ec2:CreateVolume",
+          "ec2:DeleteSnapshot",
+          "ec2:DeleteTags",
+          "ec2:DeleteVolume",
+          "ec2:DescribeAvailabilityZones",
+          "ec2:DescribeInstances",
+          "ec2:DescribeSnapshots",
+          "ec2:DescribeTags",
+          "ec2:DescribeVolumes",
+          "ec2:DetachVolume",
+          "ec2:ModifyVolume"
+        ],
+        Effect   = "Allow",
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ebs_csi_driver_policy_attachment" {
+  policy_arn = aws_iam_policy.ebs_csi_driver_policy.arn
+  role       = aws_iam_role.ebs_csi_driver_role.name
+}
+
+#------------------------------------------------------------------------------
+# EKS Resources
+#------------------------------------------------------------------------------
+resource "aws_eks_cluster" "eks_cluster" {
+  name     = "${var.project}-${var.environment}-eks-cluster"
+  role_arn = aws_iam_role.eks_cluster_role.arn
+  version  = var.eks_cluster_version
+
+  encryption_config {
+    resources = ["secrets"]
+
+    provider {
+      key_arn = var.kms_key_arn
+    }
+  }
+
+  enabled_cluster_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
+
+  vpc_config {
+    subnet_ids              = var.private_subnets
+    endpoint_private_access = true
+    endpoint_public_access  = false
+  }
+
+  access_config {
+    authentication_mode = "API_AND_CONFIG_MAP"
+  }
+
+  bootstrap_self_managed_addons = true
+
+  timeouts {
+    delete = "30m"
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.eks_cluster_AmazonEKSBlockStoragePolicy,
+    aws_iam_role_policy_attachment.eks_cluster_AmazonEKSClusterPolicy,
+    aws_iam_role_policy_attachment.eks_cluster_AmazonEKSComputePolicy,
+    aws_iam_role_policy_attachment.eks_cluster_AmazonEKSLoadBalancingPolicy,
+    aws_iam_role_policy_attachment.eks_cluster_AmazonEKSNetworkingPolicy,
+  ]
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-eks-cluster"
+    }
+  )
+}
+
+resource "aws_launch_template" "eks_node_group_launch_template" {
+  name_prefix            = "${var.project}-${var.environment}-eks-ng-"
+  image_id               = var.custom_ami_id
+  instance_type          = var.node_instance_type
+  update_default_version = true
+
+  block_device_mappings {
+    device_name = "/dev/xvda"
+    ebs {
+      volume_size = 20
+      volume_type = "gp3"
+    }
+  }
+
+  ebs_optimized = true
+
+  metadata_options {
+    http_endpoint               = "enabled"
+    http_tokens                 = "required"
+    http_put_response_hop_limit = 1
+    instance_metadata_tags      = "enabled"
+  }
+
+  vpc_security_group_ids = [aws_security_group.eks_node_sg.id]
+  user_data              = base64encode(local.eks_custom_ami_userdata_templates["nodeadm"])
+
+  tag_specifications {
+    resource_type = "instance"
+    tags = merge(
+      var.default_tags,
+      {
+        Name = "${var.project}-${var.environment}-eks-ng-node"
+      }
+    )
+  }
+}
+
+resource "aws_eks_node_group" "eks_node_group" {
+  cluster_name    = aws_eks_cluster.eks_cluster.name
+  node_group_name = "${var.project}-${var.environment}-${var.node_group_name}"
+  node_role_arn   = aws_iam_role.eks_node_group_role.arn
+  subnet_ids      = var.private_subnets
+  capacity_type   = upper(var.node_capacity_type)
+
+  launch_template {
+    id      = aws_launch_template.eks_node_group_launch_template.id
+    version = aws_launch_template.eks_node_group_launch_template.latest_version
+  }
+
+  scaling_config {
+    desired_size = var.node_group_desired_capacity
+    min_size     = var.node_group_min_size
+    max_size     = var.node_group_max_size
+  }
+
+  update_config {
+    max_unavailable = 1
+  }
+
+  depends_on = [
+    aws_iam_role_policy_attachment.eks_node_group_AmazonEC2ContainerRegistryPullOnly,
+    aws_iam_role_policy_attachment.eks_node_group_AmazonEKSWorkerNodePolicy,
+    aws_iam_role_policy_attachment.eks_node_group_AmazonEKS_CNI_Policy,
+    aws_iam_role_policy_attachment.eks_node_group_AmazonSSMManagedInstanceCore
+  ]
+}
+
+#------------------------------------------------------------------------------
+# EKS Addons
+#------------------------------------------------------------------------------
+resource "aws_eks_addon" "addon_kube_proxy" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  addon_name    = "kube-proxy"
+  addon_version = "v1.31.3-eksbuild.2"
+  depends_on = [
+    aws_eks_node_group.eks_node_group
+  ]
+}
+
+resource "aws_eks_addon" "addon_vpc_cni" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  addon_name    = "vpc-cni"
+  addon_version = "v1.19.2-eksbuild.1"
+  depends_on = [
+    aws_eks_node_group.eks_node_group
+  ]
+}
+
+resource "aws_eks_addon" "addon_coredns" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  addon_name    = "coredns"
+  addon_version = "v1.11.4-eksbuild.2"
+  depends_on = [
+    aws_eks_node_group.eks_node_group
+  ]
+}
+
+resource "aws_eks_addon" "addon_ebs_csi_driver" {
+  cluster_name  = aws_eks_cluster.eks_cluster.name
+  addon_name    = "aws-ebs-csi-driver"
+  addon_version = "v1.38.1-eksbuild.1"
+  depends_on = [
+    aws_eks_node_group.eks_node_group,
+    aws_iam_role_policy_attachment.ebs_csi_driver_policy_attachment
+  ]
+}
diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
new file mode 100644
index 0000000..b8dec88
--- /dev/null
+++ b/modules/eks/outputs.tf
@@ -0,0 +1,34 @@
+output "eks_cluster_endpoint" {
+  description = "Endpoint for the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.endpoint
+}
+
+output "eks_cluster_id" {
+  description = "ID of the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.id
+}
+
+output "eks_cluster_oidc_issuer_url" {
+  description = "OIDC issuer URL for the EKS cluster"
+  value       = aws_eks_cluster.eks_cluster.identity[0].oidc[0].issuer
+}
+
+output "eks_cluster_security_group_id" {
+  description = "Security group ID for EKS nodes"
+  value       = aws_security_group.eks_node_sg.id
+}
+
+output "eks_cluster_serviceaccount_role_arn" {
+  description = "ARN of the IAM role used by EKS service account"
+  value       = aws_iam_role.eks_cluster_serviceaccount_role.arn
+}
+
+output "eks_node_group_arn" {
+  description = "ARN of the EKS node group"
+  value       = aws_eks_node_group.eks_node_group.arn
+}
+
+output "eks_node_group_role_arn" {
+  description = "ARN of the IAM role used by EKS node group"
+  value       = aws_iam_role.eks_node_group_role.arn
+}
diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
new file mode 100644
index 0000000..115228c
--- /dev/null
+++ b/modules/eks/variables.tf
@@ -0,0 +1,81 @@
+variable "bastion_sg_id" {
+  type        = string
+  description = "The ID of Bastion host security group"
+  default     = null
+}
+
+variable "custom_ami_id" {
+  description = "Custom AMI ID for EKS nodes"
+  type        = string
+}
+
+variable "default_tags" {
+  description = "Default tags to apply to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "eks_cluster_version" {
+  description = "Kubernetes version for the EKS cluster"
+  type        = string
+}
+
+variable "environment" {
+  description = "Environment name (e.g., dev, prod)"
+  type        = string
+}
+
+variable "kms_key_arn" {
+  description = "ARN of the KMS key used to encrypt secrets"
+  type        = string
+}
+
+variable "node_capacity_type" {
+  description = "Capacity type for the EKS node group (ON_DEMAND or SPOT)"
+  type        = string
+}
+
+variable "node_group_desired_capacity" {
+  description = "Desired number of nodes in the EKS node group"
+  type        = number
+}
+
+variable "node_group_max_size" {
+  description = "Maximum number of nodes in the EKS node group"
+  type        = number
+}
+
+variable "node_group_min_size" {
+  description = "Minimum number of nodes in the EKS node group"
+  type        = number
+}
+
+variable "node_group_name" {
+  description = "Name of the EKS node group"
+  type        = string
+}
+
+variable "node_instance_type" {
+  description = "Instance type for the EKS nodes"
+  type        = string
+}
+
+variable "private_subnets" {
+  description = "List of private subnet IDs for the EKS cluster and node group"
+  type        = list(string)
+}
+
+variable "project" {
+  description = "Project name"
+  type        = string
+}
+
+variable "vpc_cidr" {
+  description = "VPC CIDR"
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC"
+  type        = string
+}
diff --git a/modules/kms/main.tf b/modules/kms/main.tf
new file mode 100644
index 0000000..af763b4
--- /dev/null
+++ b/modules/kms/main.tf
@@ -0,0 +1,87 @@
+data "aws_caller_identity" "current" {}
+
+resource "aws_kms_key" "kms_key" {
+  description             = "KMS key used to encrypt data for all services in this demo"
+  enable_key_rotation     = true
+  deletion_window_in_days = 7
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-kms-key"
+    }
+  )
+}
+
+resource "aws_kms_alias" "kms_alias" {
+  name          = "alias/${var.project}-${var.environment}-kms-key"
+  target_key_id = aws_kms_key.kms_key.key_id
+}
+
+resource "aws_kms_key_policy" "kms_key_policy" {
+  key_id = aws_kms_key.kms_key.key_id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Id      = "key-default-1"
+    Statement = [
+      {
+        Sid    = "Enable IAM User Permissions"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+        },
+        Action   = "kms:*"
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow administration of the key"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user"
+        },
+        Action = [
+          "kms:ReplicateKey",
+          "kms:Create*",
+          "kms:Describe*",
+          "kms:Enable*",
+          "kms:List*",
+          "kms:Put*",
+          "kms:Update*",
+          "kms:Revoke*",
+          "kms:Disable*",
+          "kms:Get*",
+          "kms:Delete*",
+          "kms:ScheduleKeyDeletion",
+          "kms:CancelKeyDeletion"
+        ],
+        Resource = "*"
+      },
+      {
+        Sid    = "Allow use of the key"
+        Effect = "Allow"
+        Principal = {
+          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user",
+          Service = [
+            "ec2.amazonaws.com",
+            "ecr.amazonaws.com",
+            "eks.amazonaws.com",
+            "logs.amazonaws.com",
+            "vpc-flow-logs.amazonaws.com",
+            "waf.amazonaws.com",
+            "waf-regional.amazonaws.com",
+          ]
+        },
+        Action = [
+          "kms:DescribeKey",
+          "kms:Encrypt",
+          "kms:Decrypt",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey",
+          "kms:GenerateDataKeyWithoutPlaintext"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
diff --git a/modules/kms/outputs.tf b/modules/kms/outputs.tf
new file mode 100644
index 0000000..7e3e693
--- /dev/null
+++ b/modules/kms/outputs.tf
@@ -0,0 +1,9 @@
+output "kms_arn" {
+  description = "KMS key arn"
+  value       = aws_kms_key.kms_key.arn
+}
+
+output "kms_key_id" {
+  description = "KMS key id"
+  value       = aws_kms_key.kms_key.key_id
+}
diff --git a/modules/kms/variables.tf b/modules/kms/variables.tf
new file mode 100644
index 0000000..b361396
--- /dev/null
+++ b/modules/kms/variables.tf
@@ -0,0 +1,14 @@
+variable "default_tags" {
+  description = "List of default tags to be used for each environment"
+  type        = map(string)
+}
+
+variable "environment" {
+  description = "Environment name used, for example: dev, staging, sandbox, uat, production"
+  type        = string
+}
+
+variable "project" {
+  description = "Name of the project"
+  type        = string
+}
diff --git a/modules/ssm/main.tf b/modules/ssm/main.tf
new file mode 100644
index 0000000..e7c2779
--- /dev/null
+++ b/modules/ssm/main.tf
@@ -0,0 +1,27 @@
+resource "aws_iam_role" "ssm_role" {
+  name        = "${var.project}_${var.environment}_ssm_role"
+  description = "IAM role for SSM"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Action = "sts:AssumeRole",
+        Effect = "Allow",
+        Principal = {
+          Service = "ec2.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ssm_policy_attachment" {
+  role       = aws_iam_role.ssm_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+}
+
+resource "aws_iam_instance_profile" "ssm_instance_profile" {
+  name = "${var.project}_${var.environment}_ssm_instance_profile"
+  role = aws_iam_role.ssm_role.name
+}
diff --git a/modules/ssm/outputs.tf b/modules/ssm/outputs.tf
new file mode 100644
index 0000000..a5a05b0
--- /dev/null
+++ b/modules/ssm/outputs.tf
@@ -0,0 +1,14 @@
+output "ssm_instance_profile_arn" {
+  value       = aws_iam_instance_profile.ssm_instance_profile.arn
+  description = "The ARN of the ssm instance profile"
+}
+
+output "ssm_instance_profile_name" {
+  value       = aws_iam_instance_profile.ssm_instance_profile.name
+  description = "Name of the IAM instance profile for SSM"
+}
+
+output "ssm_role_arn" {
+  value       = aws_iam_role.ssm_role.arn
+  description = "The ARN of SSM IAM role"
+}
diff --git a/modules/ssm/variables.tf b/modules/ssm/variables.tf
new file mode 100644
index 0000000..fec976b
--- /dev/null
+++ b/modules/ssm/variables.tf
@@ -0,0 +1,9 @@
+variable "project" {
+  type        = string
+  description = "Project name"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment name"
+}
\ No newline at end of file
diff --git a/modules/vpc-endpoint/main.tf b/modules/vpc-endpoint/main.tf
new file mode 100644
index 0000000..d634a7e
--- /dev/null
+++ b/modules/vpc-endpoint/main.tf
@@ -0,0 +1,221 @@
+resource "aws_security_group" "vpc_endpoint_sg" {
+  name        = "${var.project}-${var.environment}-vpc-endpoint-sg"
+  vpc_id      = var.vpc_id
+  description = "Security Group for VPC Endpoints"
+
+  ingress {
+    description = "Allow all traffic to VPC Endpoint"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.vpc_cidr
+  }
+
+  egress {
+    description = "Allow all traffic to all destinations"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-vpc-endpoint-sg"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ec2" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ec2"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ec2-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ec2messages" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ec2messages-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ecr_api" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ecr.api"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ecr-api-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ecr_dkr" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ecr.dkr"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ecr-dkr-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "eks" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.eks"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-eks-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "eks_auth" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.eks-auth"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-eks-auth-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "elb" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.elasticloadbalancing"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-elb-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "kms" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.kms"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-kms-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "logs" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.logs"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-logs-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id            = var.vpc_id
+  service_name      = "com.amazonaws.${var.aws_region}.s3"
+  vpc_endpoint_type = "Gateway"
+  route_table_ids   = var.route_table_ids
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-s3-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ssm"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ssm-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "ssmmessages" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.ssmmessages"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-ssmmessages-vpc-endpoint"
+    }
+  )
+}
+
+resource "aws_vpc_endpoint" "sts" {
+  vpc_id              = var.vpc_id
+  service_name        = "com.amazonaws.${var.aws_region}.sts"
+  vpc_endpoint_type   = "Interface"
+  private_dns_enabled = true
+  subnet_ids          = var.private_subnets
+  security_group_ids  = [aws_security_group.vpc_endpoint_sg.id]
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-sts-vpc-endpoint"
+    }
+  )
+}
diff --git a/modules/vpc-endpoint/outputs.tf b/modules/vpc-endpoint/outputs.tf
new file mode 100644
index 0000000..a5c979f
--- /dev/null
+++ b/modules/vpc-endpoint/outputs.tf
@@ -0,0 +1,88 @@
+output "ec2_endpoint_id" {
+  description = "ID of EC2 VPC Endpoint"
+  value       = aws_vpc_endpoint.ec2.id
+}
+
+output "ec2messages_endpoint_id" {
+  description = "ID of EC2 Messages VPC Endpoint"
+  value       = aws_vpc_endpoint.ec2messages.id
+}
+
+output "ecr_api_endpoint_id" {
+  description = "ID of ECR API VPC Endpoint"
+  value       = aws_vpc_endpoint.ecr_api.id
+}
+
+output "ecr_dkr_endpoint_id" {
+  description = "ID of ECR DKR VPC Endpoint"
+  value       = aws_vpc_endpoint.ecr_dkr.id
+}
+
+output "eks_auth_endpoint_id" {
+  description = "ID of EKS Auth VPC Endpoint"
+  value       = aws_vpc_endpoint.eks_auth.id
+}
+
+output "eks_endpoint_id" {
+  description = "ID of EKS VPC Endpoint"
+  value       = aws_vpc_endpoint.eks.id
+}
+
+output "elb_endpoint_id" {
+  description = "ID of ELB VPC Endpoint"
+  value       = aws_vpc_endpoint.elb.id
+}
+
+output "kms_endpoint_id" {
+  description = "ID of KMS VPC Endpoint"
+  value       = aws_vpc_endpoint.kms.id
+}
+
+output "logs_endpoint_id" {
+  description = "ID of Cloudwatch Logs VPC Endpoint"
+  value       = aws_vpc_endpoint.logs.id
+}
+
+output "s3_endpoint_id" {
+  description = "ID of S3 VPC Endpoint"
+  value       = aws_vpc_endpoint.s3.id
+}
+
+output "ssm_endpoint_id" {
+  description = "ID of SSM VPC Endpoint"
+  value       = aws_vpc_endpoint.ssm.id
+}
+
+output "ssmmessages_endpoint_id" {
+  description = "ID of SSM Messages VPC Endpoint"
+  value       = aws_vpc_endpoint.ssmmessages.id
+}
+
+output "sts_endpoint_id" {
+  description = "ID of STS VPC Endpoint"
+  value       = aws_vpc_endpoint.sts.id
+}
+
+output "vpc_endpoint_ids" {
+  description = "List of VPC Endpoint Ids"
+  value = [
+    aws_vpc_endpoint.ec2.id,
+    aws_vpc_endpoint.ec2messages.id,
+    aws_vpc_endpoint.ecr_api.id,
+    aws_vpc_endpoint.ecr_dkr.id,
+    aws_vpc_endpoint.eks.id,
+    aws_vpc_endpoint.eks_auth.id,
+    aws_vpc_endpoint.elb.id,
+    aws_vpc_endpoint.kms.id,
+    aws_vpc_endpoint.logs.id,
+    aws_vpc_endpoint.s3.id,
+    aws_vpc_endpoint.ssm.id,
+    aws_vpc_endpoint.ssmmessages.id,
+    aws_vpc_endpoint.sts.id
+  ]
+}
+
+output "vpc_endpoint_sg_id" {
+  description = "ID of Security Group for VPC Endpoints"
+  value       = aws_security_group.vpc_endpoint_sg.id
+}
diff --git a/modules/vpc-endpoint/variables.tf b/modules/vpc-endpoint/variables.tf
new file mode 100644
index 0000000..ea69bf1
--- /dev/null
+++ b/modules/vpc-endpoint/variables.tf
@@ -0,0 +1,40 @@
+variable "aws_region" {
+  description = "AWS region to deploy resources in"
+  type        = string
+}
+
+variable "default_tags" {
+  type        = map(string)
+  description = "Default tags to apply to all resources"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment name (e.g., dev, prod)"
+}
+
+variable "private_subnets" {
+  type        = list(string)
+  description = "List of private subnets"
+}
+
+variable "project" {
+  type        = string
+  description = "Project name"
+}
+
+
+variable "route_table_ids" {
+  type        = list(string)
+  description = "List of Route Table IDs for VPC Endpoint"
+}
+
+variable "vpc_cidr" {
+  description = "VPC CIDR"
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC"
+}
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
new file mode 100644
index 0000000..c036e8e
--- /dev/null
+++ b/modules/vpc/main.tf
@@ -0,0 +1,151 @@
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
+resource "aws_vpc" "vpc" {
+  # checkov:skip=CKV2_AWS_11: Ensure VPC flow logging is enabled in all VPCs
+  cidr_block           = var.vpc_cidr
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-vpc"
+    }
+  )
+}
+
+resource "aws_default_security_group" "default_sg" {
+  vpc_id = aws_vpc.vpc.id
+}
+
+resource "aws_subnet" "public_subnet" {
+  count                   = length(var.public_subnets_cidr)
+  vpc_id                  = aws_vpc.vpc.id
+  cidr_block              = element(var.public_subnets_cidr, count.index)
+  availability_zone       = element(data.aws_availability_zones.available.names, count.index)
+  map_public_ip_on_launch = false
+  depends_on              = [aws_vpc.vpc]
+
+  tags = merge(
+    var.default_tags,
+    {
+      VPC   = "${var.project}-${var.environment}"
+      State = "public"
+      Name  = "${var.project}-${var.environment}-public-${count.index}"
+    }
+  )
+}
+
+resource "aws_subnet" "private_subnet" {
+  count             = length(var.private_subnets_cidr)
+  vpc_id            = aws_vpc.vpc.id
+  cidr_block        = element(var.private_subnets_cidr, count.index)
+  availability_zone = element(data.aws_availability_zones.available.names, count.index)
+  depends_on        = [aws_vpc.vpc]
+
+  tags = merge(
+    var.default_tags,
+    {
+      VPC   = "${var.project}-${var.environment}"
+      State = "private"
+      Name  = "${var.project}-${var.environment}-private-${count.index}"
+    }
+  )
+}
+
+resource "aws_internet_gateway" "internet_gw" {
+  vpc_id     = aws_vpc.vpc.id
+  depends_on = [aws_vpc.vpc]
+
+  tags = merge(
+    var.default_tags,
+    {
+      VPC  = "${var.project}-${var.environment}"
+      Name = "${var.project}-${var.environment}-gw"
+    }
+  )
+}
+
+resource "aws_eip" "eip_nat_gw" {
+  domain           = "vpc"
+  public_ipv4_pool = "amazon"
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-eip-nat-gw"
+    }
+  )
+}
+
+resource "aws_nat_gateway" "nat_gw" {
+  allocation_id = aws_eip.eip_nat_gw.id
+  subnet_id     = aws_subnet.public_subnet[0].id
+  depends_on    = [aws_internet_gateway.internet_gw]
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name = "${var.project}-${var.environment}-nat-gw"
+    }
+  )
+}
+
+resource "aws_route_table" "public_route_table" {
+  vpc_id     = aws_vpc.vpc.id
+  depends_on = [aws_vpc.vpc]
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.internet_gw.id
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name  = "${var.project}-${var.environment}-public-rtb"
+      State = "public"
+    }
+  )
+}
+
+resource "aws_route_table" "private_route_table" {
+  vpc_id     = aws_vpc.vpc.id
+  depends_on = [aws_vpc.vpc]
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_nat_gateway.nat_gw.id
+  }
+
+  tags = merge(
+    var.default_tags,
+    {
+      Name  = "${var.project}-${var.environment}-private-rtb"
+      State = "private"
+    }
+  )
+}
+
+resource "aws_route_table_association" "route_association_public" {
+  count          = length(var.public_subnets_cidr)
+  subnet_id      = aws_subnet.public_subnet[count.index].id
+  route_table_id = aws_route_table.public_route_table.id
+
+  depends_on = [
+    aws_route_table.public_route_table,
+    aws_subnet.public_subnet
+  ]
+}
+
+resource "aws_route_table_association" "route_association_private" {
+  count          = length(var.private_subnets_cidr)
+  subnet_id      = aws_subnet.private_subnet[count.index].id
+  route_table_id = aws_route_table.private_route_table.id
+
+  depends_on = [
+    aws_route_table.private_route_table,
+    aws_subnet.private_subnet
+  ]
+}
diff --git a/modules/vpc/outputs.tf b/modules/vpc/outputs.tf
new file mode 100644
index 0000000..0d2ffba
--- /dev/null
+++ b/modules/vpc/outputs.tf
@@ -0,0 +1,29 @@
+output "aws_subnets_private" {
+  description = "A list of the private subnets"
+  value       = aws_subnet.private_subnet.*.id
+}
+
+output "aws_subnets_public" {
+  description = "A list of the public subnets"
+  value       = aws_subnet.public_subnet.*.id
+}
+
+output "cidr_block" {
+  description = "The CDIR block used for the VPC"
+  value       = aws_vpc.vpc.cidr_block
+}
+
+output "private_route_table" {
+  description = "The id of the private route table"
+  value       = aws_route_table.private_route_table.id
+}
+
+output "public_route_table" {
+  description = "The id of the public route table"
+  value       = aws_route_table.public_route_table.id
+}
+
+output "vpc_id" {
+  description = "The id of the VPC"
+  value       = aws_vpc.vpc.id
+}
diff --git a/modules/vpc/variables.tf b/modules/vpc/variables.tf
new file mode 100644
index 0000000..37c7167
--- /dev/null
+++ b/modules/vpc/variables.tf
@@ -0,0 +1,34 @@
+variable "aws_region" {
+  description = "AWS region to deploy resources in"
+  type        = string
+}
+
+variable "default_tags" {
+  description = "List of default tags to be used for each environment"
+  type        = map(string)
+}
+
+variable "environment" {
+  description = "Environment name used, for example: dev, staging, sandbox, uat, production"
+  type        = string
+}
+
+variable "private_subnets_cidr" {
+  description = "List of CIDRs used for private subnets"
+  type        = list(string)
+}
+
+variable "project" {
+  description = "Name of the project"
+  type        = string
+}
+
+variable "public_subnets_cidr" {
+  description = "List of CIDRs used for public subnets"
+  type        = list(string)
+}
+
+variable "vpc_cidr" {
+  description = "The CDIR block used for the VPC"
+  type        = string
+}
diff --git a/templates/bootstrap.sh.tpl b/templates/bootstrap.sh.tpl
new file mode 100644
index 0000000..ef4b489
--- /dev/null
+++ b/templates/bootstrap.sh.tpl
@@ -0,0 +1,10 @@
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="//"
+
+--//
+Content-Type: text/x-shellscript; charset="us-ascii"
+
+#!/bin/bash -xe
+/etc/eks/bootstrap.sh ${cluster_name}
+
+--//--
diff --git a/templates/nodeadm.yml.tpl b/templates/nodeadm.yml.tpl
new file mode 100644
index 0000000..063fbce
--- /dev/null
+++ b/templates/nodeadm.yml.tpl
@@ -0,0 +1,17 @@
+MIME-Version: 1.0
+Content-Type: multipart/mixed; boundary="//"
+
+--//
+Content-Type: application/node.eks.aws
+
+---
+apiVersion: node.eks.aws/v1alpha1
+kind: NodeConfig
+spec:
+  cluster:
+    name: ${cluster_name}
+    apiServerEndpoint: ${endpoint}
+    certificateAuthority: ${certificateAuthority}
+    cidr: ${cidr}
+
+--//--

From a6cfab3825315efd7bd63df447a12739ce870fbf Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 20:25:01 +0700
Subject: [PATCH 2/6] chore: update AMI ID for dev environment

---
 env/dev/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/env/dev/variables.tf b/env/dev/variables.tf
index 0f5638f..ebb1cf8 100644
--- a/env/dev/variables.tf
+++ b/env/dev/variables.tf
@@ -30,7 +30,7 @@ variable "bation_instance_type" {
 variable "custom_ami_id" {
   description = "Custom AMI ID for EKS nodes"
   type        = string
-  default     = "ami-0476ff2866e16ac8a"
+  default     = "ami-0e28a3d4672edb444" # Get ID after Packer builds AMI
 }
 
 variable "default_tags" {

From c92661e1b822b8a2fc1611b1b6c0955ed41786ad Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 22:23:46 +0700
Subject: [PATCH 3/6] ci: add flow to create backend s3 bucket

---
 .github/workflows/create-backend.yml | 50 ++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/create-backend.yml

diff --git a/.github/workflows/create-backend.yml b/.github/workflows/create-backend.yml
new file mode 100644
index 0000000..142a154
--- /dev/null
+++ b/.github/workflows/create-backend.yml
@@ -0,0 +1,50 @@
+name: Create Backend S3 Bucket
+
+on:
+  workflow_dispatch:
+
+permissions: read-all
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  create-backend:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Comment backend block
+        run: sed -i '/backend "s3"/,/}/s/^/# /' backend/main.tf
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
+        with:
+          terraform_version: '1.10.4'
+
+      - name: Terraform apply
+        run: |
+          cd backend
+          terraform init
+          terraform apply -auto-approve
+      
+      - name: Uncomment backend block
+        run: sed -i '/backend "s3"/,/}/s/^# //' backend/main.tf
+
+      - name: Migrate state to S3 bucket
+        run: terraform init -migrate-state
+
+  slack-notify:
+    needs:
+      - terraform-check
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+       - name: Slack notification
+         uses: come25136/workflow-notification-for-slack@main
+         with:
+           repo_token: ${{ secrets.GITHUB_TOKEN }}
+           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}

From 6abbbc7b347f2796cdce18d78330bd890ff3330d Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 22:24:59 +0700
Subject: [PATCH 4/6] ci: fix syntax

---
 .github/workflows/create-backend.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/create-backend.yml b/.github/workflows/create-backend.yml
index 142a154..c77ca94 100644
--- a/.github/workflows/create-backend.yml
+++ b/.github/workflows/create-backend.yml
@@ -39,7 +39,7 @@ jobs:
 
   slack-notify:
     needs:
-      - terraform-check
+      - create-backend
     if: always()
     runs-on: ubuntu-latest
     steps:

From 5ca27efedd8b109e4496b2c899145b3ef639dde3 Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 22:30:55 +0700
Subject: [PATCH 5/6] ci(fix): update IAM credentials to environment

---
 .github/workflows/create-backend.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/create-backend.yml b/.github/workflows/create-backend.yml
index c77ca94..c069c26 100644
--- a/.github/workflows/create-backend.yml
+++ b/.github/workflows/create-backend.yml
@@ -9,6 +9,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  AWS_REGION: us-east-1
+  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
 jobs:
   create-backend:
     runs-on: ubuntu-latest

From 7eb46b831dc6705cf73b2d180c1c0daad4380191 Mon Sep 17 00:00:00 2001
From: Daniel Pham <trungdung2811@gmail.com>
Date: Thu, 16 Jan 2025 22:33:25 +0700
Subject: [PATCH 6/6] chore: rebase main branch

---
 backend/main.tf      | 188 -------------------------------------------
 backend/outputs.tf   |  14 ----
 backend/variables.tf |  19 -----
 3 files changed, 221 deletions(-)
 delete mode 100644 backend/main.tf
 delete mode 100644 backend/outputs.tf
 delete mode 100644 backend/variables.tf

diff --git a/backend/main.tf b/backend/main.tf
deleted file mode 100644
index aff6fdb..0000000
--- a/backend/main.tf
+++ /dev/null
@@ -1,188 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "5.83.1"
-    }
-  }
-
-  backend "s3" {
-    bucket         = "devopslite-tf-state"
-    key            = "s3-backend/terraform.tfstate"
-    region         = "us-east-1"
-    encrypt        = true
-    dynamodb_table = "devopslite-tf-state"
-  }
-}
-
-provider "aws" {
-  region = "us-east-1"
-}
-
-data "aws_caller_identity" "current" {}
-
-resource "aws_s3_bucket" "tf_state_bucket" {
-  # checkov:skip=CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
-  # checkov:skip=CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
-  # checkov:skip=CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
-  # checkov:skip=CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
-  bucket        = "${var.project}-tf-state"
-  force_destroy = true
-
-  tags = merge(
-    var.default_tags,
-    {
-      Name = "${var.project}-tf-state"
-    }
-  )
-}
-
-resource "aws_s3_bucket_public_access_block" "tf_bucket_public_access_block" {
-  bucket = aws_s3_bucket.tf_state_bucket.id
-
-  block_public_acls       = true
-  block_public_policy     = true
-  ignore_public_acls      = true
-  restrict_public_buckets = true
-}
-
-resource "aws_s3_bucket_ownership_controls" "tf_bucket_ownership_controls" {
-  depends_on = [
-    aws_s3_bucket.tf_state_bucket
-  ]
-
-  bucket = aws_s3_bucket.tf_state_bucket.id
-
-  rule {
-    object_ownership = "BucketOwnerEnforced"
-  }
-}
-
-resource "aws_s3_bucket_versioning" "tf_bucket_versioning" {
-  bucket = aws_s3_bucket.tf_state_bucket.id
-
-  versioning_configuration {
-    status = "Enabled"
-  }
-}
-
-resource "aws_s3_bucket_server_side_encryption_configuration" "tf_bucket_encryption" {
-  bucket = aws_s3_bucket.tf_state_bucket.id
-
-  rule {
-    apply_server_side_encryption_by_default {
-      sse_algorithm     = "aws:kms"
-      kms_master_key_id = aws_kms_key.tf_kms_key.arn
-    }
-  }
-}
-
-resource "aws_kms_key" "tf_kms_key" {
-  description             = "The KMS key is used to encrypt the S3 bucket as a backend for terraform"
-  enable_key_rotation     = true
-  deletion_window_in_days = 7
-
-  tags = merge(
-    var.default_tags,
-    {
-      Name   = "${var.project}-tf-state-key"
-      Bucket = aws_s3_bucket.tf_state_bucket.arn
-    }
-  )
-}
-
-resource "aws_kms_alias" "tf_kms_key_alias" {
-  name          = "alias/${var.project}-${var.region}-kms-key"
-  target_key_id = aws_kms_key.tf_kms_key.key_id
-}
-
-resource "aws_kms_key_policy" "tf_kms_key_policy" {
-  key_id = aws_kms_key.tf_kms_key.key_id
-
-  policy = jsonencode({
-    Version = "2012-10-17"
-    Id      = "key-default-1"
-    Statement = [
-      {
-        Sid    = "Enable IAM User Permissions"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        },
-        Action   = "kms:*"
-        Resource = "*"
-      },
-      {
-        Sid    = "Allow administration of the key"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user"
-        },
-        Action = [
-          "kms:ReplicateKey",
-          "kms:Create*",
-          "kms:Describe*",
-          "kms:Enable*",
-          "kms:List*",
-          "kms:Put*",
-          "kms:Update*",
-          "kms:Revoke*",
-          "kms:Disable*",
-          "kms:Get*",
-          "kms:Delete*",
-          "kms:ScheduleKeyDeletion",
-          "kms:CancelKeyDeletion"
-        ],
-        Resource = "*"
-      },
-      {
-        Sid    = "Allow use of the key"
-        Effect = "Allow"
-        Principal = {
-          AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cloud_user",
-          Service = [
-            "s3.amazonaws.com",
-            "dynamodb.amazonaws.com"
-          ]
-        },
-        Action = [
-          "kms:DescribeKey",
-          "kms:Encrypt",
-          "kms:Decrypt",
-          "kms:ReEncrypt*",
-          "kms:GenerateDataKey",
-          "kms:GenerateDataKeyWithoutPlaintext"
-        ],
-        Resource = "*"
-      }
-    ]
-  })
-}
-
-resource "aws_dynamodb_table" "terraform_dynamodb_table" {
-  name         = "${var.project}-tf-state"
-  hash_key     = "LockID"
-  billing_mode = "PAY_PER_REQUEST"
-
-  attribute {
-    name = "LockID"
-    type = "S"
-  }
-
-  point_in_time_recovery {
-    enabled = true
-  }
-
-  server_side_encryption {
-    enabled     = true
-    kms_key_arn = aws_kms_key.tf_kms_key.arn
-  }
-
-  tags = merge(
-    var.default_tags,
-    {
-      Name   = "${var.project}-tf-state"
-      Bucket = aws_s3_bucket.tf_state_bucket.arn
-    }
-  )
-}
diff --git a/backend/outputs.tf b/backend/outputs.tf
deleted file mode 100644
index 6948ed2..0000000
--- a/backend/outputs.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-output "bucket_name" {
-  description = "S3 bucket name"
-  value       = aws_s3_bucket.tf_state_bucket.bucket
-}
-
-output "bucket_arn" {
-  description = "S3 bucket ARN"
-  value       = aws_s3_bucket.tf_state_bucket.arn
-}
-
-output "dynamodb_name" {
-  description = "DynamoDB name"
-  value       = aws_dynamodb_table.terraform_dynamodb_table.name
-}
diff --git a/backend/variables.tf b/backend/variables.tf
deleted file mode 100644
index 9791758..0000000
--- a/backend/variables.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "region" {
-  description = "AWS region"
-  default     = "us-east-1"
-  type        = string
-}
-
-variable "project" {
-  description = "The project name to use for unique resource naming"
-  default     = "devopslite"
-  type        = string
-}
-
-variable "default_tags" {
-  type = map(string)
-  default = {
-    Provisioner = "terraform"
-    Project     = "devopslite"
-  }
-}