
feat(aws-privatelink): simplify lab config to TF_VAR env vars #317

Closed
luckb0x wants to merge 4 commits into main from atlas/task-99

Conversation

@luckb0x (Member) commented May 23, 2026

Summary

  • Simplifies all 3 labs to a consistent TF_VAR environment variable interface
  • Auto-derives AZs from region (no manual AZ/subnet mapping needed)
  • Makes falcon_cloud required, removes name_prefix in favor of environment as prefix
  • Adds PrivateLink endpoint readiness check in user_data to eliminate 4-min sensor fallback timeout on first boot
  • Removes redundant "Pick a different consumer Region" doc section

Configuration interface (all labs)

Required: TF_VAR_owner_email, TF_VAR_falcon_client_id, TF_VAR_falcon_client_secret, TF_VAR_falcon_cloud
Optional: TF_VAR_region, TF_VAR_environment, TF_VAR_instance_type, TF_VAR_ami_id

Test plan

  • terraform validate passes on all 3 examples
  • Lab 01 deployed and verified (sensor connected, AID assigned, endpoints available)
  • Lab 02 deploy (requires two AWS accounts)
  • Lab 03 deploy (requires two AWS accounts + TGW)
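
A readiness check of the kind the summary describes, added here as an example; it is not the PR's own user_data, which this page does not show. It waits until the endpoint's private DNS name resolves to a private (RFC 1918) address and accepts TCP connections before the sensor installer step runs, so the sensor's first connection attempt is not spent in the fallback timeout. The hostname, port and timing values are placeholders assumed to be substituted by Terraform.

```shell
#!/bin/bash
# Added example, not the PR's user_data. Gate the sensor install on the
# PrivateLink endpoint being resolvable and reachable from this instance.
# ASSUMPTION: host/port come from Terraform templatefile(); defaults below
# are placeholders, not values from the lab.
set -eu

PRIVATELINK_HOST="${PRIVATELINK_HOST:-REPLACE_WITH_ENDPOINT_DNS_NAME}"  # placeholder
PRIVATELINK_PORT="${PRIVATELINK_PORT:-443}"
READINESS_TIMEOUT="${READINESS_TIMEOUT:-300}"   # total seconds to wait
READINESS_INTERVAL="${READINESS_INTERVAL:-5}"   # seconds between polls

# is_rfc1918 ADDR: succeeds if ADDR is in 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# resolves_to_private_ip HOST: succeeds once HOST resolves to a private
# address, i.e. the endpoint's private DNS is answering inside this VPC.
resolves_to_private_ip() {
  local addr
  addr=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR==1 {print $1}')
  [ -n "$addr" ] && is_rfc1918 "$addr"
}

# tcp_open HOST PORT: succeeds if a TCP connect completes within 5 s
# (bash /dev/tcp, so no extra tooling is needed in user_data).
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# wait_for_privatelink HOST PORT TIMEOUT INTERVAL: poll both checks until
# they pass (return 0) or TIMEOUT seconds elapse (return 1).
wait_for_privatelink() {
  local host=$1 port=$2 interval=$4 deadline
  deadline=$(( $(date +%s) + $3 ))
  while [ "$(date +%s)" -lt "$deadline" ]; do
    if resolves_to_private_ip "$host" && tcp_open "$host" "$port"; then
      return 0
    fi
    sleep "$interval"
  done
  echo "PrivateLink endpoint $host:$port not ready after $3 s" >&2
  return 1
}
# In user_data the installer step follows the check, e.g.:
#   wait_for_privatelink "$PRIVATELINK_HOST" "$PRIVATELINK_PORT" \
#     "$READINESS_TIMEOUT" "$READINESS_INTERVAL" || exit 1   # then install
```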

luckb0x added 4 commits May 12, 2026 23:11
…tation

Replace existing aws-privatelink contents with new modular Terraform
implementation supporting per-VPC, shared-VPC, and TGW-based cross-region
architectures for CrowdStrike PrivateLink connectivity.
…ifacts

Delete old CloudFormation templates and Lambda zip bundles that are
superseded by the new Terraform-based PrivateLink modules.
…st modules

Delete the monolithic privatelink-stack module (~700 lines) that duplicated
logic already present in endpoint-vpc and sensor-host. Rewrite example 01
(per-VPC) to compose the same two modules used by examples 02 and 03,
proving the single-account case is just a simpler wiring of the same
building blocks.

Additional cleanup:
- Remove all .tfvars references; inputs come exclusively via TF_VAR_ env vars
- Add explicit random provider declaration to all root modules
- Fix variable descriptions (s/Prefer exporting/Export/)
- Update architecture doc to show env var exports instead of HCL snippets
…to-derived AZs

All three labs now share a consistent variable interface:
- Required: owner_email, falcon_client_id, falcon_client_secret, falcon_cloud
- Optional: region, environment, instance_type, ami_id
- Removed: name_prefix, availability_zones, vpc_cidr, subnet_cidrs

AZs auto-derive from the region. VPC CIDRs are hardcoded in locals.
Environment variable is used as the resource name prefix (default: dev).
Adds PrivateLink readiness check in user_data to avoid 4-min sensor
fallback timeout on first boot.
@luckb0x luckb0x closed this May 23, 2026
@luckb0x luckb0x deleted the atlas/task-99 branch May 23, 2026 07:36