refactor(aws-privatelink): unify examples on endpoint-vpc + sensor-host modules

Delete the monolithic privatelink-stack module (~700 lines) that duplicated
logic already present in endpoint-vpc and sensor-host. Rewrite example 01
(per-VPC) to compose the same two modules used by examples 02 and 03,
proving the single-account case is just a simpler wiring of the same
building blocks.

Additional cleanup:
- Remove all .tfvars references; inputs come exclusively via TF_VAR_ env vars
- Add explicit random provider declaration to all root modules
- Fix variable descriptions (s/Prefer exporting/Export/)
- Update architecture doc to show env var exports instead of HCL snippets

Author: luckb0x

aws-privatelink/.gitignore

@@ -10,11 +10,9 @@ tfplan
 # Provider plugins + local module caches
 .terraform/
 
-# Variable files (often hold secrets)
+# Variable files (safety net — all inputs come via TF_VAR_ env vars)
 *.tfvars
 *.tfvars.json
-!example.tfvars
-!*.example.tfvars
 
 # Override files
 override.tf

aws-privatelink/docs/architecture-01-per-vpc.md

@@ -10,7 +10,9 @@ shared network infrastructure between VPCs.
 This Terraform example deploys in one consumer Region, `us-east-2` by
 default, with two Availability Zones. For a US-2 Falcon CID, the VPC endpoints
 are created in `us-east-2` and connect to the CrowdStrike endpoint service in
-`us-west-2` over cross-region PrivateLink.
+`us-west-2` over cross-region PrivateLink. The example composes the same
+`endpoint-vpc` and `sensor-host` modules used by the multi-account examples
+(02, 03), wired to a single AWS account.
 
 ## Table of contents
 
@@ -137,8 +139,6 @@ export TF_VAR_falcon_client_secret='...'         # CrowdStrike API secret
 export TF_VAR_owner_email='you@example.com'      # required owner tag
 ```
 
-Using `TF_VAR_*` avoids writing secrets into a `.tfvars` file.
-
 ### Apply
 
 ```bash
@@ -169,10 +169,10 @@ connectivity without deploying the consumer VPC in a Falcon home Region.
 
 To change the consumer Region, set:
 
-```hcl
-region             = "eu-west-1"
-availability_zones = ["eu-west-1a", "eu-west-1b"]
-subnet_cidrs       = ["10.50.1.0/24", "10.50.2.0/24"]
+```bash
+export TF_VAR_region='eu-west-1'
+export TF_VAR_availability_zones='["eu-west-1a", "eu-west-1b"]'
+export TF_VAR_subnet_cidrs='["10.50.1.0/24", "10.50.2.0/24"]'
 ```
 
 Avoid the unsupported Regions listed in the root README.

aws-privatelink/examples/01-per-vpc/main.tf

@@ -1,8 +1,8 @@
-# Single-region stack. Creates one VPC with endpoints across two AZs, S3
-# bucket, PHZ, IAM, and sensor host. service_region on the CrowdStrike
-# endpoints is derived inside the module from var.falcon_cloud vs.
-# var.region, so the stack reaches the US-2 service from wherever it is
-# deployed without any customer-facing toggle.
+# Single-account, single-region stack. Creates one VPC with CrowdStrike
+# PrivateLink endpoints, S3 bucket, PHZ, and a private sensor host. Uses
+# the same endpoint-vpc + sensor-host modules as 02 and 03 — the only
+# difference is that both modules share one provider and no RAM / TGW is
+# needed.
 #
 # The RPM and CID come from fetch.tf (root-level), so the Falcon API is
 # hit once per apply.
@@ -11,8 +11,8 @@ locals {
   name_prefix = "${var.environment}-${var.name_prefix}"
 }
 
-module "privatelink" {
-  source = "../../modules/privatelink-stack"
+module "endpoint_vpc" {
+  source = "../../modules/endpoint-vpc"
 
   region             = var.region
   availability_zones = var.availability_zones
@@ -22,6 +22,32 @@ module "privatelink" {
   subnet_cidrs = var.subnet_cidrs
 
   falcon_cloud    = var.falcon_cloud
-  falcon_cid      = local.fetched_cid
   sensor_rpm_path = local.fetched_rpm_path
+
+  # Single-account: no RAM subnet sharing needed.
+  ram_principals = []
+
+  # Wire instance SG into the endpoints SG ingress.
+  consumer_sg_ids = {
+    sensor-host = module.sensor_host.instance_sg_id
+  }
+}
+
+module "sensor_host" {
+  source = "../../modules/sensor-host"
+
+  region      = var.region
+  name_prefix = local.name_prefix
+
+  vpc_id     = module.endpoint_vpc.vpc_id
+  subnet_ids = module.endpoint_vpc.subnet_ids_list
+
+  endpoints_sg_id   = module.endpoint_vpc.endpoints_sg_id
+  s3_prefix_list_id = module.endpoint_vpc.s3_prefix_list_id
+
+  sensor_bucket_name    = module.endpoint_vpc.sensor_bucket_name
+  sensor_bucket_rpm_key = module.endpoint_vpc.sensor_bucket_rpm_key
+
+  falcon_cloud = var.falcon_cloud
+  falcon_cid   = local.fetched_cid
 }

aws-privatelink/examples/01-per-vpc/outputs.tf

@@ -2,12 +2,12 @@ output "deployment" {
   description = "Everything you need to SSM into, verify, and operate the stack."
   value = {
     region                     = var.region
-    instance_ids               = module.privatelink.instance_ids
-    ami_id                     = module.privatelink.ami_id
-    sensor_bucket              = module.privatelink.sensor_bucket
-    ssm_start_session_commands = module.privatelink.ssm_start_session_commands
-    verification_commands      = module.privatelink.verification_commands
-    crowdstrike_endpoint_dns   = module.privatelink.crowdstrike_endpoint_dns
+    instance_ids               = module.sensor_host.instance_ids
+    ami_id                     = module.sensor_host.ami_id
+    sensor_bucket              = module.endpoint_vpc.sensor_bucket_name
+    ssm_start_session_commands = module.sensor_host.ssm_start_session_commands
+    verification_commands      = module.sensor_host.verification_commands
+    crowdstrike_endpoint_dns   = module.endpoint_vpc.crowdstrike_endpoint_dns
   }
 }
 

aws-privatelink/examples/01-per-vpc/variables.tf

@@ -45,13 +45,13 @@ variable "owner_email" {
 }
 
 variable "falcon_client_id" {
-  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Prefer exporting as TF_VAR_falcon_client_id."
+  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Export as TF_VAR_falcon_client_id."
   type        = string
   sensitive   = true
 }
 
 variable "falcon_client_secret" {
-  description = "CrowdStrike Falcon API client secret. Prefer exporting as TF_VAR_falcon_client_secret."
+  description = "CrowdStrike Falcon API client secret. Export as TF_VAR_falcon_client_secret."
   type        = string
   sensitive   = true
 }

aws-privatelink/examples/01-per-vpc/versions.tf

@@ -14,5 +14,9 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.2"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6"
+    }
   }
 }

aws-privatelink/examples/02-shared-vpc/variables.tf

@@ -65,13 +65,13 @@ variable "owner_email" {
 }
 
 variable "falcon_client_id" {
-  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Prefer exporting as TF_VAR_falcon_client_id."
+  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Export as TF_VAR_falcon_client_id."
   type        = string
   sensitive   = true
 }
 
 variable "falcon_client_secret" {
-  description = "CrowdStrike Falcon API client secret. Prefer exporting as TF_VAR_falcon_client_secret."
+  description = "CrowdStrike Falcon API client secret. Export as TF_VAR_falcon_client_secret."
   type        = string
   sensitive   = true
 }

aws-privatelink/examples/02-shared-vpc/versions.tf

@@ -15,5 +15,9 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.2"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6"
+    }
   }
 }

aws-privatelink/examples/03-tgw-profiles/variables.tf

@@ -77,13 +77,13 @@ variable "owner_email" {
 }
 
 variable "falcon_client_id" {
-  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Prefer exporting as TF_VAR_falcon_client_id."
+  description = "CrowdStrike Falcon API client ID with Sensor Download: Read scope. Export as TF_VAR_falcon_client_id."
   type        = string
   sensitive   = true
 }
 
 variable "falcon_client_secret" {
-  description = "CrowdStrike Falcon API client secret. Prefer exporting as TF_VAR_falcon_client_secret."
+  description = "CrowdStrike Falcon API client secret. Export as TF_VAR_falcon_client_secret."
   type        = string
   sensitive   = true
 }

aws-privatelink/examples/03-tgw-profiles/versions.tf

@@ -15,5 +15,9 @@ terraform {
       source  = "hashicorp/null"
       version = ">= 3.2"
     }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.6"
+    }
   }
 }