feat: Add pattern for Amazon VPC Lattice (#1846)

docs/patterns/vpc-lattice.md

@@ -0,0 +1,7 @@
+---
+title: Amazon VPC Lattice
+---
+
+{%
+   include-markdown "../../patterns/vpc-lattice/README.md"
+%}

patterns/vpc-lattice/README.md

@@ -0,0 +1,14 @@
+# Amazon VPC Lattice
+
+This folder contains use case-driven patterns covering different aspects of the Amazon VPC Lattice service.
+
+## Use cases
+
+- [Simple Client to Server Communication](./client-server-communication/)
+
+    This pattern describes how to expose a simple API within an Amazon EKS cluster deployed in VPC A to a client application hosted in VPC B through Amazon VPC Lattice.
+
+## Supporting resources
+
+- [Documentation](https://docs.aws.amazon.com/vpc-lattice/latest/ug/what-is-vpc-lattice.html)
+- [AWS Gateway API Controller](https://www.gateway-api-controller.eks.aws.dev/)

patterns/vpc-lattice/client-server-communication/README.md

@@ -0,0 +1,39 @@
+# Amazon VPC Lattice - Simple Client to Server Communication
+
+This pattern demonstrates how to expose an EKS cluster hosted application to an internal consumer through Amazon VPC Lattice.
+
+## Scenario
+
+With this soluton we showcase how to configure Amazon VPC Lattice using the AWS Gateway API Controller in order to manage Amazon VPC Lattice resources through native K8S Gateway API objects. This pattern deploys two distinct VPCs with a client application running in one of them and a server application in the other. The server application is deployed inside an EKS cluster and made exposed to the client application through Amazon VPC Lattice which establishes connectivity between the two applications. Further we demonstrate how to configure a custom domain name for the exposed service using Amazon Route53 and the external-dns project.
+
+![diagram](assets/diagram.png)
+
+
+## Deploy
+
+See [here](https://aws-ia.github.io/terraform-aws-eks-blueprints/getting-started/#prerequisites) for the prerequisites and steps to deploy this pattern.
+
+## Validate
+
+In order to test the connectivty between the client and server, please follow the steps outlined below:
+
+1. Login to the management console of your AWS account and navigate to the EC2 service
+2. Select your the EC2 Instance with the name **client**, click **Connect**, choose **Session Manager** and click **Connect**
+3. Within the console test the connecvity to the server application by entering the following command:
+
+    ```sh
+    $ curl -i http://server.example.com
+    HTTP/1.1 200 OK
+    date: Thu, 14 Dec 2023 08:29:39 GMT
+    content-length: 54
+    content-type: text/plain; charset=utf-8
+
+    Requesting to Pod(server-6f487b9bcd-5qm4v): server pod
+
+    ```
+
+## Destroy
+
+{%
+   include-markdown "../../../docs/_partials/destroy.md"
+%}

patterns/vpc-lattice/client-server-communication/charts/demo-application/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

patterns/vpc-lattice/client-server-communication/charts/demo-application/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v2
+name: demo-application
+description: A Helm chart to deploy the demo-application
+type: application
+version: 1.0.0

patterns/vpc-lattice/client-server-communication/charts/demo-application/templates/deployment.yaml

@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: server
+  labels:
+    app: server
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: server
+  template:
+    metadata:
+      labels:
+        app: server
+    spec:
+      containers:
+      - name: server
+        image: public.ecr.aws/x2j8p8w7/http-server:latest
+        env:
+        - name: PodName
+          value: "server pod"

patterns/vpc-lattice/client-server-communication/charts/demo-application/templates/gateway-class.yaml

@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: GatewayClass
+metadata:
+  name: amazon-vpc-lattice
+spec:
+  controllerName: application-networking.k8s.aws/gateway-api-controller

patterns/vpc-lattice/client-server-communication/charts/demo-application/templates/gateway.yaml

@@ -0,0 +1,11 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: Gateway
+metadata:
+  name: my-services
+  namespace: apps
+spec:
+  gatewayClassName: amazon-vpc-lattice
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80

patterns/vpc-lattice/client-server-communication/charts/demo-application/templates/httproute.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: server
+  namespace: apps
+spec:
+  hostnames:
+    - server.example.com
+  parentRefs:
+    - name: my-services
+      sectionName: http
+  rules:
+    - backendRefs:
+        - name: server
+          kind: Service
+          port: 8090
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

patterns/vpc-lattice/client-server-communication/charts/demo-application/templates/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: server
+spec:
+  selector:
+    app: server
+  ports:
+    - protocol: TCP
+      port: 8090
+      targetPort: 8090

patterns/vpc-lattice/client-server-communication/client.tf

@@ -0,0 +1,102 @@
+################################################################################
+# Client application (with private access over SSM Systems Manager)
+################################################################################
+
+module "client" {
+  source  = "terraform-aws-modules/ec2-instance/aws"
+  version = "5.5.0"
+
+  name = "client"
+
+  instance_type               = "t2.micro"
+  subnet_id                   = module.client_vpc.private_subnets[0]
+  create_iam_instance_profile = true
+  iam_role_description        = "IAM role for client"
+  iam_role_policies = {
+    AmazonSSMManagedInstanceCore = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
+  }
+  vpc_security_group_ids = [module.client_sg.security_group_id]
+
+  tags = local.tags
+}
+
+module "vpc_endpoints" {
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.0"
+
+  vpc_id = module.client_vpc.vpc_id
+
+  endpoints = { for service in toset(["ssm", "ssmmessages", "ec2messages"]) :
+    replace(service, ".", "_") =>
+    {
+      service             = service
+      subnet_ids          = module.client_vpc.private_subnets
+      private_dns_enabled = true
+      tags                = { Name = "${local.name}-${service}" }
+    }
+  }
+
+  security_group_ids = [module.endpoint_sg.security_group_id]
+
+  tags = local.tags
+}
+
+module "client_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "client"
+  description = "Security Group for EC2 Instance Egress"
+
+  vpc_id = module.client_vpc.vpc_id
+
+  egress_with_cidr_blocks = [
+    {
+      from_port   = 0
+      to_port     = 0
+      protocol    = "-1"
+      cidr_blocks = "0.0.0.0/0"
+
+    },
+  ]
+
+  tags = local.tags
+}
+
+module "endpoint_sg" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "~> 5.0"
+
+  name        = "ssm-endpoint"
+  description = "Security Group for EC2 Instance Egress"
+
+  vpc_id = module.client_vpc.vpc_id
+
+  ingress_with_cidr_blocks = [for subnet in module.client_vpc.private_subnets_cidr_blocks :
+    {
+      from_port   = 443
+      to_port     = 443
+      protocol    = "TCP"
+      cidr_blocks = subnet
+    }
+  ]
+
+  tags = local.tags
+}
+
+################################################################################
+# Client VPC
+################################################################################
+
+module "client_vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.4"
+
+  name = local.name
+  cidr = local.client_vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.client_vpc_cidr, 4, k)]
+
+  tags = local.tags
+}