feat(aws-privatelink): simplify lab config to TF_VAR env vars with auto-derived AZs

All three labs now share a consistent variable interface:
- Required: owner_email, falcon_client_id, falcon_client_secret, falcon_cloud
- Optional: region, environment, instance_type, ami_id
- Removed: name_prefix, availability_zones, vpc_cidr, subnet_cidrs

AZs auto-derive from the region. VPC CIDRs are hardcoded in locals.
Environment variable is used as the resource name prefix (default: dev).
Adds PrivateLink readiness check in user_data to avoid 4-min sensor
fallback timeout on first boot.

Author: luckb0x

aws-privatelink/docs/architecture-01-per-vpc.md

@@ -7,9 +7,8 @@ interface endpoints, its own `cloudsink.net` private hosted zone, its own S3
 gateway endpoint, and one private Amazon Linux 2023 test host. There is no
 shared network infrastructure between VPCs.
 
-This Terraform example deploys in one consumer Region, `us-east-2` by
-default, with two Availability Zones. For a US-2 Falcon CID, the VPC endpoints
-are created in `us-east-2` and connect to the CrowdStrike endpoint service in
+This Terraform example deploys in any supported consumer Region. For a US-2
+Falcon CID, the VPC endpoints connect to the CrowdStrike endpoint service in
 `us-west-2` over cross-region PrivateLink. The example composes the same
 `endpoint-vpc` and `sensor-host` modules used by the multi-account examples
 (02, 03), wired to a single AWS account.
@@ -23,7 +22,6 @@ are created in `us-east-2` and connect to the CrowdStrike endpoint service in
 - [Deployment](#deployment)
   - [Export credentials](#export-credentials)
   - [Apply](#apply)
-  - [Pick a different consumer Region](#pick-a-different-consumer-region)
 - [Teardown](#teardown)
 - [Operational notes](#operational-notes)
 - [Verification](#verification)
@@ -133,12 +131,23 @@ lab S3 bucket so the test host can install without internet egress.
 ### Export credentials
 
 ```bash
-export AWS_PROFILE=...                           # or any other AWS auth method
-export TF_VAR_falcon_client_id='...'             # CrowdStrike API client ID
-export TF_VAR_falcon_client_secret='...'         # CrowdStrike API secret
-export TF_VAR_owner_email='you@example.com'      # required owner tag
+# Required
+export AWS_PROFILE=...                           # AWS credentials for the target account
+export TF_VAR_falcon_client_id='...'             # Falcon API client ID (Sensor Download: Read)
+export TF_VAR_falcon_client_secret='...'         # Falcon API client secret
+export TF_VAR_falcon_cloud='us-2'                # Falcon cloud for this CID (us-1, us-2, eu-1)
+export TF_VAR_owner_email='you@example.com'      # Owner tag for resource accountability
+
+# Optional
+export TF_VAR_region='us-east-2'                 # Region where the lab is deployed
+export TF_VAR_environment='dev'                  # Resource name prefix and environment tag
+export TF_VAR_instance_type='t3.small'           # EC2 instance size for sensor hosts
+export TF_VAR_ami_id='ami-0abcdef1234567890'     # Only set if the default is deprecated; must be Amazon Linux 2023
 ```
 
+Avoid deploying to Falcon home Regions (`us-west-1`, `us-west-2`, `eu-central-1`)
+since the lab is designed to demonstrate cross-region PrivateLink connectivity.
+
 ### Apply
 
 ```bash
@@ -162,21 +171,6 @@ On first apply, Terraform will:
 Expect about 3-5 minutes from `apply complete` to the host appearing in the
 Falcon console.
 
-### Pick a different consumer Region
-
-The lab defaults to `us-east-2` because it demonstrates cross-region
-connectivity without deploying the consumer VPC in a Falcon home Region.
-
-To change the consumer Region, set:
-
-```bash
-export TF_VAR_region='eu-west-1'
-export TF_VAR_availability_zones='["eu-west-1a", "eu-west-1b"]'
-export TF_VAR_subnet_cidrs='["10.50.1.0/24", "10.50.2.0/24"]'
-```
-
-Avoid the unsupported Regions listed in the root README.
-
 ## Teardown
 
 ```bash

aws-privatelink/examples/01-per-vpc/main.tf

@@ -1,33 +1,35 @@
 # Single-account, single-region stack. Creates one VPC with CrowdStrike
 # PrivateLink endpoints, S3 bucket, PHZ, and a private sensor host. Uses
-# the same endpoint-vpc + sensor-host modules as 02 and 03 — the only
-# difference is that both modules share one provider and no RAM / TGW is
-# needed.
+# the same endpoint-vpc + sensor-host modules as 02 and 03.
 #
 # The RPM and CID come from fetch.tf (root-level), so the Falcon API is
 # hit once per apply.
 
+data "aws_availability_zones" "available" {
+  state = "available"
+}
+
 locals {
-  name_prefix = "${var.environment}-${var.name_prefix}"
+  azs          = slice(data.aws_availability_zones.available.names, 0, 2)
+  vpc_cidr     = "10.50.0.0/16"
+  subnet_cidrs = [cidrsubnet(local.vpc_cidr, 8, 1), cidrsubnet(local.vpc_cidr, 8, 2)]
 }
 
 module "endpoint_vpc" {
   source = "../../modules/endpoint-vpc"
 
   region             = var.region
-  availability_zones = var.availability_zones
-  name_prefix        = local.name_prefix
+  availability_zones = local.azs
+  name_prefix        = var.environment
 
-  vpc_cidr     = var.vpc_cidr
-  subnet_cidrs = var.subnet_cidrs
+  vpc_cidr     = local.vpc_cidr
+  subnet_cidrs = local.subnet_cidrs
 
   falcon_cloud    = var.falcon_cloud
   sensor_rpm_path = local.fetched_rpm_path
 
-  # Single-account: no RAM subnet sharing needed.
   ram_principals = []
 
-  # Wire instance SG into the endpoints SG ingress.
   consumer_sg_ids = {
     sensor-host = module.sensor_host.instance_sg_id
   }
@@ -37,7 +39,7 @@ module "sensor_host" {
   source = "../../modules/sensor-host"
 
   region      = var.region
-  name_prefix = local.name_prefix
+  name_prefix = var.environment
 
   vpc_id     = module.endpoint_vpc.vpc_id
   subnet_ids = module.endpoint_vpc.subnet_ids_list
@@ -48,6 +50,8 @@ module "sensor_host" {
   sensor_bucket_name    = module.endpoint_vpc.sensor_bucket_name
   sensor_bucket_rpm_key = module.endpoint_vpc.sensor_bucket_rpm_key
 
-  falcon_cloud = var.falcon_cloud
-  falcon_cid   = local.fetched_cid
+  falcon_cloud  = var.falcon_cloud
+  falcon_cid    = local.fetched_cid
+  instance_type = var.instance_type
+  ami_id        = var.ami_id
 }

aws-privatelink/examples/01-per-vpc/outputs.tf

@@ -2,6 +2,7 @@ output "deployment" {
   description = "Everything you need to SSM into, verify, and operate the stack."
   value = {
     region                     = var.region
+    environment                = var.environment
     instance_ids               = module.sensor_host.instance_ids
     ami_id                     = module.sensor_host.ami_id
     sensor_bucket              = module.endpoint_vpc.sensor_bucket_name

aws-privatelink/examples/01-per-vpc/providers.tf

@@ -3,8 +3,7 @@ locals {
     Environment = var.environment
     OwnerEmail  = var.owner_email
     ManagedBy   = "terraform"
-    Project     = "aws-privatelink-reference"
-    Example     = "01-per-vpc"
+    Project     = "aws-privatelink"
   }
 }
 

aws-privatelink/examples/01-per-vpc/variables.tf

@@ -1,63 +1,59 @@
-variable "region" {
-  description = "Consumer region where the VPC and endpoints are created."
-  type        = string
-  default     = "us-east-2"
-}
+### Required — credentials & identity ########################################
 
-variable "availability_zones" {
-  description = "Two AZs in the consumer region. One private subnet (and one endpoint ENI) is placed per AZ."
-  type        = list(string)
-  default     = ["us-east-2a", "us-east-2b"]
-}
-
-variable "vpc_cidr" {
-  description = "VPC CIDR for the consumer VPC."
+variable "owner_email" {
+  description = "OwnerEmail tag value applied to every resource."
   type        = string
-  default     = "10.50.0.0/16"
-}
 
-variable "subnet_cidrs" {
-  description = "Private subnet CIDRs, one per AZ in availability_zones (order-aligned)."
-  type        = list(string)
-  default     = ["10.50.1.0/24", "10.50.2.0/24"]
+  validation {
+    condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.owner_email))
+    error_message = "owner_email must be a valid email address (e.g. you@example.com)."
+  }
 }
 
-variable "name_prefix" {
-  description = "Base name prefix. Combined with var.environment to produce the effective prefix applied to all resources."
+variable "falcon_client_id" {
+  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope."
   type        = string
-  default     = "cs-privatelink"
+  sensitive   = true
 }
 
-variable "environment" {
-  description = "Environment tag value applied to every resource."
+variable "falcon_client_secret" {
+  description = "CrowdStrike Falcon API client secret."
   type        = string
-  default     = "demo"
+  sensitive   = true
 }
 
-variable "owner_email" {
-  description = "OwnerEmail tag value applied to every resource. Required — every deployment is tied to an accountable owner."
+variable "falcon_cloud" {
+  description = "CrowdStrike Falcon cloud (us-1, us-2, or eu-1)."
   type        = string
 
   validation {
-    condition     = can(regex("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$", var.owner_email))
-    error_message = "owner_email must be a valid email address (e.g. you@example.com)."
+    condition     = contains(["us-1", "us-2", "eu-1"], var.falcon_cloud)
+    error_message = "falcon_cloud must be one of us-1, us-2, eu-1."
   }
 }
 
-variable "falcon_client_id" {
-  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Export as TF_VAR_falcon_client_id."
+### Optional — deployment configuration #####################################
+
+variable "region" {
+  description = "AWS region to deploy into. AZs are auto-derived."
   type        = string
-  sensitive   = true
+  default     = "us-east-2"
 }
 
-variable "falcon_client_secret" {
-  description = "CrowdStrike Falcon API client secret. Export as TF_VAR_falcon_client_secret."
+variable "environment" {
+  description = "Environment name used as the resource prefix and tag value."
   type        = string
-  sensitive   = true
+  default     = "dev"
 }
 
-variable "falcon_cloud" {
-  description = "CrowdStrike Falcon cloud (us-1, us-2, or eu-1)."
+variable "instance_type" {
+  description = "EC2 instance type for sensor hosts."
+  type        = string
+  default     = "t3.small"
+}
+
+variable "ami_id" {
+  description = "Amazon Linux 2023 AMI ID. Only set if the default becomes unavailable. Must be AL2023."
   type        = string
-  default     = "us-2"
+  default     = null
 }

aws-privatelink/examples/02-shared-vpc/main.tf

@@ -1,21 +1,19 @@
 # Two-account shared VPC. The owner provisions a single VPC with all the
 # PrivateLink plumbing and RAM-shares its subnets to the workload account.
-# The workload launches a sensor host directly into those shared subnets —
-# no workload VPC, no cross-account R53, no cross-account SSM params.
+# The workload launches a sensor host directly into those shared subnets.
 #
-# Cross-cutting wiring:
-#   * endpoint_vpc.consumer_sg_ids <- sensor_host.instance_sg_id (the SG
-#     reference breaks out of the workload account into the endpoints SG
-#     because both SGs live in the owner's VPC)
-#   * endpoint_vpc.authorized_role_arns <- sensor_host.instance_role_arn
-#     (grants the workload instance role s3:GetObject on the sensor bucket)
-#
-# for_each on the consumer_sg_ids uses a literal string key ("workload-host"),
-# so it's plan-time known; the SG ID value is apply-time computed. That's
-# what lets this compose without a resource cycle or depends_on hack.
+# The RPM and CID come from fetch.tf (root-level), so the Falcon API is
+# hit once per apply.
+
+data "aws_availability_zones" "available" {
+  provider = aws.owner
+  state    = "available"
+}
 
 locals {
-  name_prefix = "${var.environment}-${var.name_prefix}"
+  azs          = slice(data.aws_availability_zones.available.names, 0, 2)
+  vpc_cidr     = "10.60.0.0/16"
+  subnet_cidrs = [cidrsubnet(local.vpc_cidr, 8, 1), cidrsubnet(local.vpc_cidr, 8, 2)]
 }
 
 module "endpoint_vpc" {
@@ -26,11 +24,11 @@ module "endpoint_vpc" {
   }
 
   region             = var.region
-  availability_zones = var.availability_zones
-  name_prefix        = local.name_prefix
+  availability_zones = local.azs
+  name_prefix        = var.environment
 
-  vpc_cidr     = var.vpc_cidr
-  subnet_cidrs = var.subnet_cidrs
+  vpc_cidr     = local.vpc_cidr
+  subnet_cidrs = local.subnet_cidrs
 
   falcon_cloud    = var.falcon_cloud
   sensor_rpm_path = local.fetched_rpm_path
@@ -54,7 +52,7 @@ module "sensor_host" {
   }
 
   region      = var.region
-  name_prefix = local.name_prefix
+  name_prefix = var.environment
 
   vpc_id     = module.endpoint_vpc.vpc_id
   subnet_ids = module.endpoint_vpc.subnet_ids_list
@@ -65,6 +63,8 @@ module "sensor_host" {
   sensor_bucket_name    = module.endpoint_vpc.sensor_bucket_name
   sensor_bucket_rpm_key = module.endpoint_vpc.sensor_bucket_rpm_key
 
-  falcon_cloud = var.falcon_cloud
-  falcon_cid   = local.fetched_cid
+  falcon_cloud  = var.falcon_cloud
+  falcon_cid    = local.fetched_cid
+  instance_type = var.instance_type
+  ami_id        = var.ami_id
 }

aws-privatelink/examples/02-shared-vpc/outputs.tf

@@ -2,6 +2,7 @@ output "deployment" {
   description = "Everything you need to SSM into, verify, and operate the stack. SSM commands target the workload account — prepend --profile $workload_profile on the workstation."
   value = {
     region                     = var.region
+    environment                = var.environment
     owner_profile              = var.owner_profile
     workload_profile           = var.workload_profile
     workload_account_id        = var.workload_account_id

aws-privatelink/examples/02-shared-vpc/providers.tf

@@ -3,13 +3,10 @@ locals {
     Environment = var.environment
     OwnerEmail  = var.owner_email
     ManagedBy   = "terraform"
-    Project     = "aws-privatelink-reference"
-    Example     = "02-shared-vpc"
+    Project     = "aws-privatelink"
   }
 }
 
-# Owner account — hosts the VPC, endpoints, PHZ, sensor bucket, RAM share.
-# One AWS allowlist ticket is filed against this account.
 provider "aws" {
   alias   = "owner"
   region  = var.region
@@ -20,9 +17,6 @@ provider "aws" {
   }
 }
 
-# Workload account — launches EC2 into the RAM-shared subnets. No VPC of its
-# own. Any number of workload accounts share this shape; the module just gets
-# called once per account with a matching provider alias.
 provider "aws" {
   alias   = "workload"
   region  = var.region