From d231a5fa5c941d80674cb7ce15e84c2a0eb952b7 Mon Sep 17 00:00:00 2001
From: Benjamin Kincaid
Date: Tue, 12 Jul 2022 15:14:43 -0400
Subject: [PATCH] VPC flags and security group blocks using VPC cidrs to allow the test controller to use VPC resources provisioned outside the module

Signed-off-by: Benjamin Kincaid
---
 README.md                            |  20 +++
 main.tf                              | 190 ++++++++++++++++++---------
 modules/test-controller/README.md    |   1 +
 modules/test-controller/main.tf      |   2 +-
 modules/test-controller/variables.tf |   6 +
 outputs.tf                           |  32 ++---
 variables.tf                         | 100 ++++++++++++++
 7 files changed, 270 insertions(+), 81 deletions(-)

diff --git a/README.md b/README.md
index 5142534..11606bc 100644
--- a/README.md
+++ b/README.md
@@ -251,13 +251,27 @@ Specifically: | [base\_domain](#input\_base\_domain) | Base domain to use for ACM Cert and Route53 record management. | `string` | `""` | no | | [cluster\_instance\_type](#input\_cluster\_instance\_type) | If test controller launch type is EC2, the instance size to use. | `string` | `"c5ad.12xlarge"` | no | | [create\_certbot\_lambda](#input\_create\_certbot\_lambda) | Boolean to create the certbot lambda to update the letsencrypt cert for the test controller. | `bool` | `true` | no | +| [create\_networking](#input\_create\_networking) | Flag to create VPCs and related resources | `string` | `true` | no | | [create\_uhs\_seed\_generator](#input\_create\_uhs\_seed\_generator) | Determines whether or not to create uhs seed generator resources | `bool` | `true` | no | | [ec2\_public\_key](#input\_ec2\_public\_key) | SSH public key to use in EC2 instances. | `string` | `""` | no | | [environment](#input\_environment) | AWS tag to indicate environment name of each infrastructure object. 
| `string` | n/a | yes | +| [hosted\_zone\_id](#input\_hosted\_zone\_id) | Id of hosted zone in Route53 | `string` | `null` | no | | [lets\_encrypt\_email](#input\_lets\_encrypt\_email) | Email to associate with let's encrypt certificate | `string` | n/a | yes | | [private\_subnet\_tags](#input\_private\_subnet\_tags) | Tags associated with private subnets | `map(string)` | `{}` | no | +| [private\_subnets\_use1](#input\_private\_subnets\_use1) | Private subnets in VPC us-east-1 (required if create\_networking==false) | `list(string)` | `null` | no | +| [private\_subnets\_use2](#input\_private\_subnets\_use2) | Private subnets in VPC us-east-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [private\_subnets\_usw2](#input\_private\_subnets\_usw2) | Private subnets in VPC us-west-2 (required if create\_networking==false) | `list(string)` | `null` | no | | [public\_subnet\_tags](#input\_public\_subnet\_tags) | Tags associated with public subnets | `map(string)` | `{}` | no | +| [public\_subnets\_use1](#input\_public\_subnets\_use1) | Public subnets in VPC us-east-1 (required if create\_networking==false) | `list(string)` | `null` | no | +| [public\_subnets\_use2](#input\_public\_subnets\_use2) | Public subnets in VPC us-east-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [public\_subnets\_usw2](#input\_public\_subnets\_usw2) | Public subnets in VPC us-west-2 (required if create\_networking==false) | `list(string)` | `null` | no | | [resource\_tags](#input\_resource\_tags) | Tags to set for all resources | `map(string)` | `{}` | no | +| [route\_tables\_use1](#input\_route\_tables\_use1) | Route tables in VPC us-east-1 (required if create\_networking==false) | `list(string)` | `null` | no | +| [route\_tables\_use2](#input\_route\_tables\_use2) | Route tables in VPC us-east-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [route\_tables\_usw2](#input\_route\_tables\_usw2) | Route 
tables in VPC us-west-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [s3\_interface\_endpoint\_use1](#input\_s3\_interface\_endpoint\_use1) | S3 endpoint for VPC in us-east-1 (required if create\_networking==false) | `string` | `null` | no | +| [s3\_interface\_endpoint\_use2](#input\_s3\_interface\_endpoint\_use2) | S3 endpoint for VPC in us-east-2 (required if create\_networking==false) | `string` | `null` | no | +| [s3\_interface\_endpoint\_usw2](#input\_s3\_interface\_endpoint\_usw2) | S3 endpoint for VPC in us-west-2 (required if create\_networking==false) | `string` | `null` | no | | [subnet\_prefix\_extension](#input\_subnet\_prefix\_extension) | CIDR block bits extension to calculate CIDR blocks of each subnetwork. | `number` | `4` | no | | [test\_controller\_app\_container\_base\_image](#input\_test\_controller\_app\_container\_base\_image) | An optional custom container base image for the test controller and releated services | `string` | `"ubuntu:20.04"` | no | | [test\_controller\_cpu](#input\_test\_controller\_cpu) | The ECS task CPU | `string` | `"4096"` | no | 
@@ -279,6 +293,12 @@ Specifically: | [use1\_main\_network\_block](#input\_use1\_main\_network\_block) | Base CIDR block to be used in us-east-1. | `string` | `"10.0.0.0/16"` | no | | [use2\_main\_network\_block](#input\_use2\_main\_network\_block) | Base CIDR block to be used in us-east-2. | `string` | `"10.10.0.0/16"` | no | | [usw2\_main\_network\_block](#input\_usw2\_main\_network\_block) | Base CIDR block to be used in us-west-2. | `string` | `"10.20.0.0/16"` | no | +| [vpc\_azs\_use1](#input\_vpc\_azs\_use1) | AZs of VPC in us-east-1 (required if create\_networking==false) | `list(string)` | `null` | no | +| [vpc\_azs\_use2](#input\_vpc\_azs\_use2) | AZs of VPC in us-east-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [vpc\_azs\_usw2](#input\_vpc\_azs\_usw2) | AZs of VPC in us-east-2 (required if create\_networking==false) | `list(string)` | `null` | no | +| [vpc\_id\_use1](#input\_vpc\_id\_use1) | ID of VPC in us-east-1 (required if create\_networking==false) | `string` | `null` | no | +| [vpc\_id\_use2](#input\_vpc\_id\_use2) | ID of VPC in us-east-2 (required if create\_networking==false) | `string` | `null` | no | +| [vpc\_id\_usw2](#input\_vpc\_id\_usw2) | ID of VPC in us-west-2 (required if create\_networking==false) | `string` | `null` | no | | [zone\_offset](#input\_zone\_offset) | CIDR block bits extension offset to calculate Public subnets, avoiding collisions with Private subnets. | `number` | `8` | no | ## Outputs diff --git a/main.tf b/main.tf index 687cbc5..2c65255 100644 --- a/main.tf +++ b/main.tf 
@@ -5,12 +5,39 @@ locals { Environment = var.environment } tags = merge(var.resource_tags, local.required_tags) -} -locals { - vpc_route_tables = concat(module.vpc.public_route_table_ids, module.vpc.private_route_table_ids) - vpc_use2_route_tables = concat(module.vpc_use2.public_route_table_ids, module.vpc_use2.private_route_table_ids) - vpc_usw2_route_tables = concat(module.vpc_usw2.public_route_table_ids, module.vpc_usw2.private_route_table_ids) + # ids + vpc_id_use1 = try(module.vpc[0].vpc_id, var.vpc_id_use1) + vpc_id_use2 = try(module.vpc_use2[0].vpc_id, var.vpc_id_use2) + vpc_id_usw2 = try(module.vpc_usw2[0].vpc_id, var.vpc_id_usw2) + + # public subnets + public_subnets_use1 = try(module.vpc[0].public_subnets, var.public_subnets_use1) + public_subnets_use2 = try(module.vpc_use2[0].public_subnets, var.public_subnets_use2) + public_subnets_usw2 = try(module.vpc_usw2[0].public_subnets, var.public_subnets_usw2) + + # private subnets + private_subnets_use1 = try(module.vpc[0].private_subnets, var.private_subnets_use1) + private_subnets_use2 = try(module.vpc_use2[0].private_subnets, var.private_subnets_use2) + private_subnets_usw2 = try(module.vpc_usw2[0].private_subnets, var.private_subnets_usw2) + + # route tables + route_tables_use1 = try(concat(module.vpc[0].public_route_table_ids, module.vpc[0].private_route_table_ids), var.route_tables_use1) + route_tables_use2 = try(concat(module.vpc_use2[0].public_route_table_ids, module.vpc_use2[0].private_route_table_ids), var.route_tables_use2) + route_tables_usw2 = try(concat(module.vpc_usw2[0].public_route_table_ids, module.vpc_usw2[0].private_route_table_ids), var.route_tables_usw2) + + # azs + vpc_azs_use1 = try(module.vpc[0].azs, var.vpc_azs_use1) + vpc_azs_use2 = try(module.vpc_use2[0].azs, var.vpc_azs_use2) + vpc_azs_usw2 = try(module.vpc_usw2[0].azs, var.vpc_azs_usw2) + + # VPC endpoints + s3_interface_endpoint_use1 = try(module.vpc_endpoints_use1.s3_interface_endpoint, var.s3_interface_endpoint_use1) + 
s3_interface_endpoint_use2 = try(module.vpc_endpoints_use2.s3_interface_endpoint, var.s3_interface_endpoint_use2) + s3_interface_endpoint_usw2 = try(module.vpc_endpoints_usw2.s3_interface_endpoint, var.s3_interface_endpoint_usw2) + + # Route53 + hosted_zone_id = try(module.route53_dns[0].hosted_zone_id, var.hosted_zone_id) } # get the current aws region @@ -25,22 +52,26 @@ data "aws_caller_identity" "current" {} # Region: us-east-1 data "aws_availability_zones" "use1" { + count = var.create_networking ? 1 : 0 + state = "available" exclude_names = [ "us-east-1a", "us-east-1b", "us-east-1f" ] } module "vpc" { + count = var.create_networking ? 1 : 0 + source = "terraform-aws-modules/vpc/aws" version = "2.70.0" name = local.name cidr = var.use1_main_network_block - azs = data.aws_availability_zones.use1.names + azs = data.aws_availability_zones.use1[0].names private_subnets = [ # this loop will create a one-line list as ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20", ...] # with a length depending on how many Zones are available - for zone_id in data.aws_availability_zones.use1.zone_ids : + for zone_id in data.aws_availability_zones.use1[0].zone_ids : cidrsubnet(var.use1_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) - 1) ] @@ -48,7 +79,7 @@ module "vpc" { # this loop will create a one-line list as ["10.0.128.0/20", "10.0.144.0/20", "10.0.160.0/20", ...] # with a length depending on how many Zones are available # there is a zone Offset variable, to make sure no collisions are present with private subnet blocks - for zone_id in data.aws_availability_zones.use1.zone_ids : + for zone_id in data.aws_availability_zones.use1[0].zone_ids : cidrsubnet(var.use1_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) + var.zone_offset - 1) ] 
@@ -64,11 +95,15 @@ module "vpc" { # Region: us-east-2 data "aws_availability_zones" "use2" { + count = var.create_networking ? 1 : 0 + provider = aws.use2 state = "available" } module "vpc_use2" { + count = var.create_networking ? 1 : 0 + source = "terraform-aws-modules/vpc/aws" version = "2.70.0" @@ -78,12 +113,12 @@ module "vpc_use2" { name = local.name cidr = var.use2_main_network_block - azs = data.aws_availability_zones.use2.names + azs = data.aws_availability_zones.use2[0].names private_subnets = [ # this loop will create a one-line list as ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20", ...] # with a length depending on how many Zones are available - for zone_id in data.aws_availability_zones.use2.zone_ids : + for zone_id in data.aws_availability_zones.use2[0].zone_ids : cidrsubnet(var.use2_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) - 1) ] @@ -91,7 +126,7 @@ module "vpc_use2" { # this loop will create a one-line list as ["10.0.128.0/20", "10.0.144.0/20", "10.0.160.0/20", ...] # with a length depending on how many Zones are available # there is a zone Offset variable, to make sure no collisions are present with private subnet blocks - for zone_id in data.aws_availability_zones.use2.zone_ids : + for zone_id in data.aws_availability_zones.use2[0].zone_ids : cidrsubnet(var.use2_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) + var.zone_offset - 1) ] @@ -107,12 +142,16 @@ module "vpc_use2" { # Region: us-west-2 data "aws_availability_zones" "usw2" { + count = var.create_networking ? 1 : 0 + provider = aws.usw2 state = "available" exclude_names = [ "us-west-2a" ] } module "vpc_usw2" { + count = var.create_networking ? 1 : 0 + source = "terraform-aws-modules/vpc/aws" version = "2.70.0" 
@@ -122,12 +161,12 @@ module "vpc_usw2" { name = local.name cidr = var.usw2_main_network_block - azs = data.aws_availability_zones.usw2.names + azs = data.aws_availability_zones.usw2[0].names private_subnets = [ # this loop will create a one-line list as ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20", ...] # with a length depending on how many Zones are available - for zone_id in data.aws_availability_zones.usw2.zone_ids : + for zone_id in data.aws_availability_zones.usw2[0].zone_ids : cidrsubnet(var.usw2_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) - 1) ] @@ -135,7 +174,7 @@ module "vpc_usw2" { # this loop will create a one-line list as ["10.0.128.0/20", "10.0.144.0/20", "10.0.160.0/20", ...] # with a length depending on how many Zones are available # there is a zone Offset variable, to make sure no collisions are present with private subnet blocks - for zone_id in data.aws_availability_zones.usw2.zone_ids : + for zone_id in data.aws_availability_zones.usw2[0].zone_ids : cidrsubnet(var.usw2_main_network_block, var.subnet_prefix_extension, tonumber(substr(zone_id, length(zone_id) - 1, 1)) + var.zone_offset - 1) ] @@ -155,6 +194,8 @@ module "vpc_usw2" { # us-east-1 <-> us-east-2 module "vpc_peering_connection_use1_use2" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-peering-connection" providers = { 
@@ -162,14 +203,16 @@ module "vpc_peering_connection_use1_use2" { aws.accepter = aws.use2 } - requester_vpc_id = module.vpc.vpc_id - accepter_vpc_id = module.vpc_use2.vpc_id - requester_route_tables = local.vpc_route_tables - accepter_route_tables = local.vpc_use2_route_tables + requester_vpc_id = local.vpc_id_use1 + accepter_vpc_id = local.vpc_id_use2 + requester_route_tables = local.route_tables_use1 + accepter_route_tables = local.route_tables_use2 } # us-east-2 <-> us-west-2 module "vpc_peering_connection_use1_usw2" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-peering-connection" providers = { @@ -177,14 +220,16 @@ module "vpc_peering_connection_use1_usw2" { aws.accepter = aws.usw2 } - requester_vpc_id = module.vpc.vpc_id - accepter_vpc_id = module.vpc_usw2.vpc_id - requester_route_tables = local.vpc_route_tables - accepter_route_tables = local.vpc_usw2_route_tables + requester_vpc_id = local.vpc_id_use1 + accepter_vpc_id = local.vpc_id_usw2 + requester_route_tables = local.route_tables_use1 + accepter_route_tables = local.route_tables_usw2 } # us-east-2 <-> us-west-2 module "vpc_peering_connection_use2_usw2" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-peering-connection" providers = { 
@@ -192,25 +237,27 @@ module "vpc_peering_connection_use2_usw2" { aws.accepter = aws.usw2 } - requester_vpc_id = module.vpc_use2.vpc_id - accepter_vpc_id = module.vpc_usw2.vpc_id - requester_route_tables = local.vpc_use2_route_tables - accepter_route_tables = local.vpc_usw2_route_tables + requester_vpc_id = local.vpc_id_use2 + accepter_vpc_id = local.vpc_id_usw2 + requester_route_tables = local.route_tables_use2 + accepter_route_tables = local.route_tables_usw2 } ##################### ### VPC Endpoints ### ##################### module "vpc_endpoints_use1" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-endpoints" providers = { aws = aws.use1 } - vpc_id = module.vpc.vpc_id - public_subnets = module.vpc.public_subnets - private_subnets = module.vpc.private_subnets + vpc_id = local.vpc_id_use1 + public_subnets = local.public_subnets_use1 + private_subnets = local.private_subnets_use1 vpc_cidr_blocks = [ var.use1_main_network_block, var.use2_main_network_block, @@ -221,15 +268,17 @@ module "vpc_endpoints_use1" { } module "vpc_endpoints_use2" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-endpoints" providers = { aws = aws.use2 } - vpc_id = module.vpc_use2.vpc_id - public_subnets = module.vpc_use2.public_subnets - private_subnets = module.vpc_use2.private_subnets + vpc_id = local.vpc_id_use2 + public_subnets = local.public_subnets_use2 + private_subnets = local.private_subnets_usw2 vpc_cidr_blocks = [ var.use1_main_network_block, var.use2_main_network_block, 
@@ -240,15 +289,17 @@ module "vpc_endpoints_use2" { } module "vpc_endpoints_usw2" { + count = var.create_networking ? 1 : 0 + source = "./modules/vpc-endpoints" providers = { aws = aws.usw2 } - vpc_id = module.vpc_usw2.vpc_id - public_subnets = module.vpc_usw2.public_subnets - private_subnets = module.vpc_usw2.private_subnets + vpc_id = local.vpc_id_use2 + public_subnets = local.public_subnets_use2 + private_subnets =local.public_subnets_usw2 vpc_cidr_blocks = [ var.use1_main_network_block, var.use2_main_network_block, @@ -322,13 +373,17 @@ module "ecs_cluster_security_group" { version = "3.1.0" name = "ecs-cluster-sg" - vpc_id = module.vpc.vpc_id + vpc_id = local.vpc_id_use1 # Allow all incoming traffic from within VPC ingress_with_cidr_blocks = [ { rule = "all-all" - cidr_blocks = "10.0.0.0/16" + cidr_blocks = join(",",[ + var.use1_main_network_block, + var.use2_main_network_block, + var.usw2_main_network_block + ]) } ] # Allow all outgoing traffic @@ -363,7 +418,7 @@ module "ecs_cluster_asg" { user_data = data.template_file.user_data.rendered # Auto scaling group - vpc_zone_identifier = module.vpc.private_subnets + vpc_zone_identifier = local.private_subnets_use1 health_check_type = "EC2" min_size = 0 max_size = 1 @@ -436,11 +491,16 @@ resource "aws_s3_bucket" "agent_outputs" { module "test_controller_service" { source = "./modules/test-controller" - vpc_id = module.vpc.vpc_id - public_subnets = module.vpc.public_subnets - private_subnets = module.vpc.private_subnets - hosted_zone_id = module.route53_dns.hosted_zone_id - azs = module.vpc.azs + vpc_id = local.vpc_id_use1 + vpc_cidr_blocks = [ + var.use1_main_network_block, + var.use2_main_network_block, + var.usw2_main_network_block + ] + public_subnets = local.public_subnets_use1 + private_subnets = local.private_subnets_use1 + hosted_zone_id = local.hosted_zone_id + azs = local.vpc_azs_use1 cluster_id = module.ecs.ecs_cluster_id dns_base_domain = var.base_domain binaries_s3_bucket = aws_s3_bucket.binaries.id 
@@ -448,7 +508,7 @@ module "test_controller_service" { outputs_s3_bucket = aws_s3_bucket.agent_outputs.id create_certbot_lambda = var.create_certbot_lambda lets_encrypt_email = var.lets_encrypt_email - s3_interface_endpoint = module.vpc_endpoints_use1.s3_interface_endpoint + s3_interface_endpoint = local.s3_interface_endpoint_use1 launch_type = var.test_controller_launch_type cpu = var.test_controller_cpu memory = var.test_controller_memory @@ -469,8 +529,8 @@ module "uhs_seed_generator" { count = var.create_uhs_seed_generator ? 1 : 0 - vpc_id = module.vpc.vpc_id - private_subnets = module.vpc.private_subnets + vpc_id = local.vpc_id_use1 + private_subnets = local.private_subnets_use1 max_vcpus = var.uhs_seed_generator_max_vcpus job_vcpu = var.uhs_seed_generator_job_vcpu job_memory = var.uhs_seed_generator_job_memory @@ -498,14 +558,14 @@ module "test_controller_agent_use1" { aws = aws.use1 } - vpc_id = module.vpc.vpc_id - public_subnets = module.vpc.public_subnets - private_subnets = module.vpc.private_subnets + vpc_id = local.vpc_id_use1 + public_subnets = local.public_subnets_use1 + private_subnets = local.private_subnets_use1 public_key = var.ec2_public_key binaries_s3_bucket = aws_s3_bucket.binaries.id outputs_s3_bucket = aws_s3_bucket.agent_outputs.id outputs_s3_bucket_arn = aws_s3_bucket.agent_outputs.arn - s3_interface_endpoint = module.vpc_endpoints_use1.s3_interface_endpoint + s3_interface_endpoint = local.s3_interface_endpoint_use1 controller_endpoint = module.test_controller_service.agent_endpoint controller_port = module.test_controller_service.agent_port log_group = aws_cloudwatch_log_group.agents_use1.name 
@@ -528,14 +588,14 @@ module "test_controller_agent_use2" { aws = aws.use2 } - vpc_id = module.vpc_use2.vpc_id - public_subnets = module.vpc_use2.public_subnets - private_subnets = module.vpc_use2.private_subnets + vpc_id = local.vpc_id_use2 + public_subnets = local.public_subnets_use2 + private_subnets = local.private_subnets_usw2 public_key = var.ec2_public_key binaries_s3_bucket = aws_s3_bucket.binaries.id outputs_s3_bucket = aws_s3_bucket.agent_outputs.id outputs_s3_bucket_arn = aws_s3_bucket.agent_outputs.arn - s3_interface_endpoint = module.vpc_endpoints_use1.s3_interface_endpoint + s3_interface_endpoint = local.s3_interface_endpoint_use1 controller_endpoint = module.test_controller_service.agent_endpoint controller_port = module.test_controller_service.agent_port log_group = aws_cloudwatch_log_group.agents_use2.name @@ -558,14 +618,14 @@ module "test_controller_agent_usw2" { aws = aws.usw2 } - vpc_id = module.vpc_usw2.vpc_id - public_subnets = module.vpc_usw2.public_subnets - private_subnets = module.vpc_usw2.private_subnets + vpc_id = local.vpc_id_use2 + public_subnets = local.public_subnets_use2 + private_subnets = local.public_subnets_usw2 public_key = var.ec2_public_key binaries_s3_bucket = aws_s3_bucket.binaries.id outputs_s3_bucket = aws_s3_bucket.agent_outputs.id outputs_s3_bucket_arn = aws_s3_bucket.agent_outputs.arn - s3_interface_endpoint = module.vpc_endpoints_use1.s3_interface_endpoint + s3_interface_endpoint = local.s3_interface_endpoint_use1 controller_endpoint = module.test_controller_service.agent_endpoint controller_port = module.test_controller_service.agent_port log_group = aws_cloudwatch_log_group.agents_usw2.name 
@@ -582,8 +642,8 @@ module "test_controller_agent_usw2" { module "test_controller_deploy" { source = "./modules/test-controller-deploy" - vpc_id = module.vpc.vpc_id - private_subnets = module.vpc.private_subnets + vpc_id = local.vpc_id_use1 + private_subnets = local.private_subnets_use1 binaries_s3_bucket = aws_s3_bucket.binaries.id cluster_name = module.ecs.ecs_cluster_name test_controller_ecr_repo = module.test_controller_service.ecr_repo @@ -593,7 +653,7 @@ module "test_controller_deploy" { github_repo_owner = var.test_controller_github_repo_owner github_repo_branch = var.test_controller_github_repo_branch github_access_token = var.test_controller_github_access_token - s3_interface_endpoint = module.vpc_endpoints_use1.s3_interface_endpoint + s3_interface_endpoint = local.s3_interface_endpoint_use1 node_container_build_image = var.test_controller_node_container_build_image golang_container_build_image = var.test_controller_golang_container_build_image app_container_base_image = var.test_controller_app_container_base_image @@ -607,6 +667,8 @@ module "test_controller_deploy" { ################################ module "route53_dns" { + count = var.create_networking ? 1 : 0 + source = "./modules/route53_dns" dns_base_domain = var.base_domain @@ -622,10 +684,10 @@ module "route53_dns" { module "bastion" { source = "./modules/bastion" - vpc_id = module.vpc.vpc_id - public_subnets = module.vpc.public_subnets + vpc_id = local.vpc_id_use1 + public_subnets = local.public_subnets_use1 public_key = var.ec2_public_key - hosted_zone_id = module.route53_dns.hosted_zone_id + hosted_zone_id = local.hosted_zone_id certs_efs_id = module.test_controller_service.certs_efs_id testruns_efs_id = module.test_controller_service.testruns_efs_id binaries_efs_id = module.test_controller_service.binaries_efs_id diff --git a/modules/test-controller/README.md b/modules/test-controller/README.md index f72e413..1e03ca0 100644 --- a/modules/test-controller/README.md 
+++ b/modules/test-controller/README.md @@ -91,6 +91,7 @@ No requirements. | [uhs\_seed\_generator\_job\_definiton\_arn](#input\_uhs\_seed\_generator\_job\_definiton\_arn) | Arn of uhs seed generator job definition | `string` | n/a | yes | | [uhs\_seed\_generator\_job\_name](#input\_uhs\_seed\_generator\_job\_name) | Name of batch job used for uhs seed generation | `string` | n/a | yes | | [uhs\_seed\_generator\_job\_queue\_arn](#input\_uhs\_seed\_generator\_job\_queue\_arn) | Arn of uhs seed generator job queue | `string` | n/a | yes | +| [vpc\_cidr\_blocks](#input\_vpc\_cidr\_blocks) | A list of VPC cidr blocks to add to the interface enpoint security group | `list(string)` |
[
"10.0.0.0/8"
]
| no | | [vpc\_id](#input\_vpc\_id) | The VPC id | `string` | `""` | no | ## Outputs diff --git a/modules/test-controller/main.tf b/modules/test-controller/main.tf index 0ec0ffd..057a722 100644 --- a/modules/test-controller/main.tf +++ b/modules/test-controller/main.tf @@ -567,7 +567,7 @@ module "efs_security_group" { ingress_with_cidr_blocks = [ { rule = "nfs-tcp" - cidr_blocks = "10.0.0.0/16" + cidr_blocks = join(",", var.vpc_cidr_blocks) } ] diff --git a/modules/test-controller/variables.tf b/modules/test-controller/variables.tf index 4553c02..b99ab6e 100644 --- a/modules/test-controller/variables.tf +++ b/modules/test-controller/variables.tf @@ -4,6 +4,12 @@ variable "vpc_id" { default = "" } +variable "vpc_cidr_blocks" { + description = "A list of VPC cidr blocks to add to the interface enpoint security group" + type = list(string) + default = ["10.0.0.0/8"] +} + variable "public_subnets" { description = "A list of public subnets inside the VPC" type = list(string) diff --git a/outputs.tf b/outputs.tf index 057fa24..5e4d8f4 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -2,65 +2,65 @@ # us-east-1 output "vpc_id_use1" { description = "Id of VPC in us-east-1 region" - value = module.vpc.vpc_id + value = local.vpc_id_use1 } output "public_subnets_use1" { description = "Public subnet Ids associated with VPC in us-east-1 region" - value = module.vpc.public_subnets + value = local.public_subnets_use1 } output "private_subnets_use1" { description = "Private subnet Ids associated with VPC in us-east-1 region" - value = module.vpc.private_subnets + value = local.private_subnets_use1 } output "azs_use1" { description = "Availability zones used by VPC located in us-east-1 region" - value = module.vpc.azs + value = local.vpc_azs_use1 } output "s3_vpc_interface_endpoint_use1" { description = "S3 service interface endpoint asscoiated with VPC in us-east-1 region" - value = module.vpc_endpoints_use1.s3_interface_endpoint + value = local.s3_interface_endpoint_use1 } # us-east-2 output "vpc_id_use2" { description = "Id of VPC in us-east-2 region" - value = module.vpc_use2.vpc_id + value = local.vpc_id_use2 } output "public_subnets_use2" { description = "Public subnet Ids associated with VPC in us-east-2 region" - value = module.vpc_use2.public_subnets + value = local.public_subnets_use2 } output "private_subnets_use2" { description = "Private subnet Ids associated with VPC in us-east-2 region" - value = module.vpc_use2.private_subnets + value = local.private_subnets_use2 } output "azs_use2" { description = "Availability zones used by VPC located in us-east-2 region" - value = module.vpc_use2.azs + value = local.vpc_azs_use2 } output "s3_vpc_interface_endpoint_use2" { description = "S3 service interface endpoint asscoiated with VPC in us-east-2 region" - value = module.vpc_endpoints_use2.s3_interface_endpoint + value = local.s3_interface_endpoint_use2 } # us-west-2 output "vpc_id_usw2" { description = "Id of VPC in us-west-2 region" - value = module.vpc_usw2.vpc_id + value = local.vpc_id_usw2 } output "public_subnets_usw2" { description = 
"Public subnet Ids associated with VPC in us-west-2 region" - value = module.vpc_usw2.public_subnets + value = local.public_subnets_usw2 } output "private_subnets_usw2" { description = "Private subnet Ids associated with VPC in us-west-2 region" - value = module.vpc_usw2.private_subnets + value = local.private_subnets_usw2 } output "azs_usw2" { description = "Availability zones used by VPC located in us-west-2 region" - value = module.vpc_usw2.azs + value = local.vpc_azs_usw2 } output "s3_vpc_interface_endpoint_usw2" { description = "S3 service interface endpoint asscoiated with VPC in us-west-2 region" - value = module.vpc_endpoints_usw2.s3_interface_endpoint + value = local.s3_interface_endpoint_usw2 } # ECS @@ -78,7 +78,7 @@ output "ecs_cluster_name" { output "route53_endpoints" { description = "Route53 endpoints generated by test controller services" value = { - name_servers = module.route53_dns.name_servers + name_servers = try(module.route53_dns[0].name_servers, "") bastion = module.bastion.bastion_enpoint ui_endpoint = module.test_controller_service.ui_endpoint agent_endpoint = module.test_controller_service.agent_endpoint diff --git a/variables.tf b/variables.tf index 3da8808..3ff654c 100644 --- a/variables.tf +++ b/variables.tf @@ -3,6 +3,11 @@ variable "base_domain" { description = "Base domain to use for ACM Cert and Route53 record management." default = "" } +variable "hosted_zone_id" { + type = string + description = "Id of hosted zone in Route53" + default = null +} #EC2 variable "ec2_public_key" { 
@@ -12,6 +17,101 @@ variable "ec2_public_key" { } # VPC Variables +variable "create_networking" { + type = string + description = "Flag to create VPCs and related resources" + default = true +} +variable "vpc_id_use1" { + type = string + description = "ID of VPC in us-east-1 (required if create_networking==false)" + default = null +} +variable "vpc_id_use2" { + type = string + description = "ID of VPC in us-east-2 (required if create_networking==false)" + default = null +} +variable "vpc_id_usw2" { + type = string + description = "ID of VPC in us-west-2 (required if create_networking==false)" + default = null +} +variable "public_subnets_use1" { + type = list(string) + description = "Public subnets in VPC us-east-1 (required if create_networking==false)" + default = null +} +variable "public_subnets_use2" { + type = list(string) + description = "Public subnets in VPC us-east-2 (required if create_networking==false)" + default = null +} +variable "public_subnets_usw2" { + type = list(string) + description = "Public subnets in VPC us-west-2 (required if create_networking==false)" + default = null +} +variable "private_subnets_use1" { + type = list(string) + description = "Private subnets in VPC us-east-1 (required if create_networking==false)" + default = null +} +variable "private_subnets_use2" { + type = list(string) + description = "Private subnets in VPC us-east-2 (required if create_networking==false)" + default = null +} +variable "private_subnets_usw2" { + type = list(string) + description = "Private subnets in VPC us-west-2 (required if create_networking==false)" + default = null +} +variable "route_tables_use1" { + type = list(string) + description = "Route tables in VPC us-east-1 (required if create_networking==false)" + default = null +} +variable "route_tables_use2" { + type = list(string) + description = "Route tables in VPC us-east-2 (required if create_networking==false)" + default = null +} +variable "route_tables_usw2" { + type = list(string) + 
description = "Route tables in VPC us-west-2 (required if create_networking==false)" + default = null +} +variable "vpc_azs_use1" { + type = list(string) + description = "AZs of VPC in us-east-1 (required if create_networking==false)" + default = null +} +variable "vpc_azs_use2" { + type = list(string) + description = "AZs of VPC in us-east-2 (required if create_networking==false)" + default = null +} +variable "vpc_azs_usw2" { + type = list(string) + description = "AZs of VPC in us-east-2 (required if create_networking==false)" + default = null +} +variable "s3_interface_endpoint_use1" { + type = string + description = "S3 endpoint for VPC in us-east-1 (required if create_networking==false)" + default = null +} +variable "s3_interface_endpoint_use2" { + type = string + description = "S3 endpoint for VPC in us-east-2 (required if create_networking==false)" + default = null +} +variable "s3_interface_endpoint_usw2" { + type = string + description = "S3 endpoint for VPC in us-west-2 (required if create_networking==false)" + default = null +} variable "use1_main_network_block" { type = string description = "Base CIDR block to be used in us-east-1."
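Review bot: In the root README hunk (@@ -251,13 +251,27 @@) the new `create_networking` row lists the type as `string` although the flag is only ever used as a condition; it should read `bool` there and in variables.tf. The `hosted_zone_id` row also needs the "(required if create_networking==false)" suffix that every other bring-your-own input carries, because this patch puts `count` on the `route53_dns` module and `local.hosted_zone_id` falls through to the variable when that module is absent.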
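Review bot: The three `s3_interface_endpoint_*` locals in the main.tf locals hunk (@@ -5,12 +5,39 @@) read `module.vpc_endpoints_use1.s3_interface_endpoint` (and the use2/usw2 equivalents) without an instance index, although this same patch gives every `vpc_endpoints_*` module a `count`. Either Terraform rejects the unindexed reference to a counted module, or `try()` swallows the error and the local always falls through to `var.s3_interface_endpoint_*`, which is `null` in the default `create_networking = true` case, so the test controller, agent and deploy modules would receive a null endpoint. Index them like the other locals: `s3_interface_endpoint_use1 = try(module.vpc_endpoints_use1[0].s3_interface_endpoint, var.s3_interface_endpoint_use1)`. More generally, `try()` hides any evaluation error behind the fallback variable; `var.create_networking ? module.vpc[0].vpc_id : var.vpc_id_use1` states the intent and lets genuine errors surface instead of silently becoming `null`.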
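Review bot: With `count = var.create_networking ? 1 : 0` on the peering modules (main.tf @@ -155,6 +194,8 @@ and the two following peering hunks), `local.route_tables_use1/use2/usw2` have no remaining consumer when `create_networking` is false, yet the new `route_tables_*` inputs are documented as required in exactly that case. Either remove those inputs and state that externally provisioned VPCs must already be peered, or leave the peering modules enabled so they wire the supplied route tables.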
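Review bot: In the `vpc_endpoints_use2` hunk (main.tf @@ -221,15 +268,17 @@) `private_subnets = local.private_subnets_usw2` hands the us-west-2 private subnets to a module that runs under `aws.use2` against `local.vpc_id_use2`; it should be `local.private_subnets_use2`.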
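Review bot: The `vpc_endpoints_usw2` hunk (main.tf @@ -240,15 +289,17 @@) replaces the three `module.vpc_usw2.*` references with `local.vpc_id_use2`, `local.public_subnets_use2` and `local.public_subnets_usw2`: the VPC and public subnets belong to the wrong region (the module's provider is `aws.usw2`, so the us-east-2 VPC id does not exist there), and the private subnet list is the public one. They should be `local.vpc_id_usw2`, `local.public_subnets_usw2` and `local.private_subnets_usw2`; `private_subnets =local.…` is also missing the space after `=`.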
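Review bot: The `ecs_cluster_security_group` hunk (main.tf @@ -322,13 +373,17 @@) keeps `rule = "all-all"` but widens its source from `10.0.0.0/16` to all three `*_main_network_block` values while the comment above it still says "Allow all incoming traffic from within VPC"; update the comment to say the peered VPCs are included. When `create_networking` is false those three variables are not derived from the supplied VPCs, so the rule admits whatever the defaults or the caller specify rather than the real VPC CIDRs: traffic from the external VPCs is dropped if their ranges differ, and anything in the stated ranges is allowed. Resolving the CIDR from `data "aws_vpc"` on `local.vpc_id_*` (the same applies to the `vpc_cidr_blocks` list passed to `test_controller_service` in the @@ -436 hunk) ties the rule to the actual networks.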
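Review bot: In the `test_controller_agent_use2` hunk (main.tf @@ -528,14 +588,14 @@) `private_subnets = local.private_subnets_usw2` should be `local.private_subnets_use2`; the vpc_id and public_subnets lines in the same hunk use use2 correctly.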
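Review bot: The `test_controller_agent_usw2` hunk (main.tf @@ -558,14 +618,14 @@) has the same copy-and-paste slip as `vpc_endpoints_usw2`: `vpc_id = local.vpc_id_use2` and `public_subnets = local.public_subnets_use2` point at the us-east-2 VPC under the `aws.usw2` provider, and `private_subnets = local.public_subnets_usw2` passes the public list; they should be `local.vpc_id_usw2`, `local.public_subnets_usw2` and `local.private_subnets_usw2`. Also, both the use2 and usw2 agents keep `s3_interface_endpoint = local.s3_interface_endpoint_use1`; that preserves the previous behaviour, but now that per-region `s3_interface_endpoint_use2`/`usw2` locals exist it is worth a comment on why the us-east-1 endpoint is intended for agents in other regions.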
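Review bot: The `route53_dns` hunk (main.tf @@ -607,6 +667,8 @@) gates the hosted zone on `create_networking`, which couples DNS management to VPC creation: a deployment that brings its own VPCs must also bring its own hosted zone, and `hosted_zone_id` silently becomes mandatory. A separate flag (for example `create_dns`) keeps the two decisions independent; if the coupling is intentional, say so in the `hosted_zone_id` description.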
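Review bot: In the modules/test-controller/variables.tf hunk the new `vpc_cidr_blocks` defaults to `["10.0.0.0/8"]`, and the main.tf hunk feeds it into the `efs_security_group` `nfs-tcp` rule that previously allowed only `10.0.0.0/16`; any caller that omits the variable now opens NFS to the entire 10/8 range. The root module always passes the three VPC blocks, so drop the default (making the input required) or keep `["10.0.0.0/16"]`. The description also says "interface enpoint security group" although the value is consumed by the EFS group; fix the typo and the wording (the same text appears in the module README row).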
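Review bot: In the outputs.tf hunk (@@ -78,7 +78,7 @@) `try(module.route53_dns[0].name_servers, "")` falls back to an empty string where `name_servers` is a list; use `null` (or `[]`) so consumers of `route53_endpoints.name_servers` see the same type whether or not the zone was created.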
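Review bot: In the variables.tf hunk (@@ -12,6 +17,101 @@) `create_networking` is declared `type = string` with `default = true` but is only used as a condition (`var.create_networking ? 1 : 0`); declare it `type = bool`. The `vpc_azs_usw2` description reads "AZs of VPC in us-east-2" and should say us-west-2 (the README row copies the same text). Since every bring-your-own input defaults to `null` and is only read through `try()`, a missing value surfaces as a confusing error deep inside a downstream module; a `lifecycle { precondition { … } }` on a consumer, or at least a note in each description that `null` is not accepted when `create_networking` is false, would make the failure mode explicit.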