From 69efdd638fa40a02115b25002695f69e2ca3da7d Mon Sep 17 00:00:00 2001
From: Dustin Scott <dscott@redhat.com>
Date: Wed, 17 Jul 2024 13:07:48 -0500
Subject: [PATCH 1/2] feat: support pre-existing subnets

This also replaces the internal module in favor of an AWS-managed module and
produces the same outcome.

Signed-off-by: Dustin Scott <dscott@redhat.com>
---
 bastion.tf                                    |   4 +-
 cluster.tf                                    |   6 +-
 modules/terraform-rosa-networking/.gitignore  |   4 -
 modules/terraform-rosa-networking/data.tf     |  18 ---
 .../internet_gateway.tf                       |  11 --
 modules/terraform-rosa-networking/locals.tf   |  16 ---
 .../terraform-rosa-networking/nat_gateway.tf  |  35 ------
 modules/terraform-rosa-networking/output.tf   |  27 -----
 modules/terraform-rosa-networking/provider.tf |   8 --
 modules/terraform-rosa-networking/route.tf    |  71 -----------
 modules/terraform-rosa-networking/subnet.tf   |  39 ------
 .../test/multi-az/main.tf                     |  19 ---
 .../test/single-az/main.tf                    |  31 -----
 .../terraform-rosa-networking/variables.tf    |  39 ------
 modules/terraform-rosa-networking/vpc.tf      |  16 ---
 network.tf                                    | 112 +++++++++++++++---
 outputs.tf                                    |  27 +++--
 variables.tf                                  | 110 +++++++++++------
 18 files changed, 196 insertions(+), 397 deletions(-)
 delete mode 100644 modules/terraform-rosa-networking/.gitignore
 delete mode 100644 modules/terraform-rosa-networking/data.tf
 delete mode 100644 modules/terraform-rosa-networking/internet_gateway.tf
 delete mode 100644 modules/terraform-rosa-networking/locals.tf
 delete mode 100644 modules/terraform-rosa-networking/nat_gateway.tf
 delete mode 100644 modules/terraform-rosa-networking/output.tf
 delete mode 100644 modules/terraform-rosa-networking/provider.tf
 delete mode 100644 modules/terraform-rosa-networking/route.tf
 delete mode 100644 modules/terraform-rosa-networking/subnet.tf
 delete mode 100644 modules/terraform-rosa-networking/test/multi-az/main.tf
 delete mode 100644 modules/terraform-rosa-networking/test/single-az/main.tf
 delete mode 100644 modules/terraform-rosa-networking/variables.tf
 delete mode 100644 modules/terraform-rosa-networking/vpc.tf

diff --git a/bastion.tf b/bastion.tf
index 08d82730..936e69fe 100644
--- a/bastion.tf
+++ b/bastion.tf
@@ -44,7 +44,7 @@ resource "aws_security_group" "bastion_host" {
 
   description = "Security group for Bastion access"
   name        = "${var.cluster_name}-bastion"
-  vpc_id      = module.network.vpc_id
+  vpc_id      = local.vpc_id
 
   # TODO: we technically should not need this if we are using sshuttle
   ingress {
@@ -71,7 +71,7 @@ resource "aws_instance" "bastion_host" {
 
   ami                    = data.aws_ami.rhel9[0].id
   instance_type          = "t2.micro"
-  subnet_id              = module.network.private_subnet_ids[0]
+  subnet_id              = local.private_subnet_ids[0]
   key_name               = aws_key_pair.bastion_host[0].key_name
   vpc_security_group_ids = [aws_security_group.bastion_host[0].id]
 
diff --git a/cluster.tf b/cluster.tf
index f19c4c81..7b79f0b8 100644
--- a/cluster.tf
+++ b/cluster.tf
@@ -7,7 +7,7 @@ data "aws_region" "current" {}
 #
 locals {
   # networking
-  subnet_ids = var.private ? module.network.private_subnet_ids : concat(module.network.private_subnet_ids, module.network.public_subnet_ids)
+  subnet_ids = var.private ? local.private_subnet_ids : concat(local.private_subnet_ids, local.public_subnet_ids)
 
   # autoscaling
   autoscaling = var.max_replicas != null
@@ -46,7 +46,7 @@ resource "rhcs_cluster_rosa_classic" "rosa" {
   aws_private_link   = var.private
   aws_subnet_ids     = local.subnet_ids
   machine_cidr       = var.vpc_cidr
-  availability_zones = module.network.private_subnet_azs
+  availability_zones = local.availability_zones
   multi_az           = var.multi_az
   pod_cidr           = var.pod_cidr
   service_cidr       = var.service_cidr
@@ -94,7 +94,7 @@ resource "rhcs_cluster_rosa_hcp" "rosa" {
   private            = var.private
   aws_subnet_ids     = local.subnet_ids
   machine_cidr       = var.vpc_cidr
-  availability_zones = module.network.private_subnet_azs
+  availability_zones = local.availability_zones
   pod_cidr           = var.pod_cidr
   service_cidr       = var.service_cidr
 
diff --git a/modules/terraform-rosa-networking/.gitignore b/modules/terraform-rosa-networking/.gitignore
deleted file mode 100644
index 73e483c6..00000000
--- a/modules/terraform-rosa-networking/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-**/*.tfstate
-**/*.backup
-**/*.terraform
-**/*.terraform.lock.hcl
\ No newline at end of file
diff --git a/modules/terraform-rosa-networking/data.tf b/modules/terraform-rosa-networking/data.tf
deleted file mode 100644
index bf8ca0df..00000000
--- a/modules/terraform-rosa-networking/data.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-data "aws_region" "current" {}
-
-data "aws_availability_zones" "available" {
-  filter {
-    name   = "region-name"
-    values = [data.aws_region.current.name]
-  }
-
-  filter {
-    name   = "group-name"
-    values = [data.aws_region.current.name]
-  }
-
-  filter {
-    name   = "state"
-    values = ["available"]
-  }
-}
diff --git a/modules/terraform-rosa-networking/internet_gateway.tf b/modules/terraform-rosa-networking/internet_gateway.tf
deleted file mode 100644
index 12414dea..00000000
--- a/modules/terraform-rosa-networking/internet_gateway.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "aws_internet_gateway" "rosa" {
-  count = local.create_networking ? 1 : 0
-
-  vpc_id = aws_vpc.rosa[0].id
-
-  tags = merge(var.tags, { "Name" = var.cluster_name })
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
diff --git a/modules/terraform-rosa-networking/locals.tf b/modules/terraform-rosa-networking/locals.tf
deleted file mode 100644
index f57bcd59..00000000
--- a/modules/terraform-rosa-networking/locals.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-locals {
-  create_networking = (length(var.network.private_subnet_ids) == 0) && (length(var.network.public_subnet_ids) == 0)
-
-  vpc_cidr = "${var.network.vpc_network}/${var.network.vpc_cidr_size}"
-
-  private_subnet_count = local.create_networking ? (var.network.multi_az ? 3 : 1) : length(var.network.private_subnet_ids)
-  public_subnet_count  = local.create_networking ? (var.network.multi_az ? 3 : 1) : length(var.network.public_subnet_ids)
-
-  _all_cidrs = [
-    for index in range(local.private_subnet_count + local.public_subnet_count) :
-    cidrsubnet(local.vpc_cidr, (var.network.subnet_cidr_size - var.network.vpc_cidr_size), index)
-  ]
-
-  subnets_private = slice(local._all_cidrs, 0, local.private_subnet_count)
-  subnets_public  = slice(local._all_cidrs, local.public_subnet_count, (length(local._all_cidrs)))
-}
diff --git a/modules/terraform-rosa-networking/nat_gateway.tf b/modules/terraform-rosa-networking/nat_gateway.tf
deleted file mode 100644
index 0ffa7d37..00000000
--- a/modules/terraform-rosa-networking/nat_gateway.tf
+++ /dev/null
@@ -1,35 +0,0 @@
-resource "aws_eip" "rosa_nat_gateway" {
-  count = local.public_subnet_count
-
-  tags = merge(var.tags,
-    {
-      "Name" = "${var.cluster_name}-natgw-${aws_subnet.rosa_public[count.index].availability_zone}"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-
-  depends_on = [aws_internet_gateway.rosa]
-}
-
-resource "aws_nat_gateway" "rosa_public" {
-  count = local.public_subnet_count
-
-  subnet_id         = aws_subnet.rosa_public[count.index].id
-  allocation_id     = aws_eip.rosa_nat_gateway[count.index].id
-  connectivity_type = "public"
-
-  tags = merge(var.tags,
-    {
-      "Name" = "${var.cluster_name}-natgw-${aws_subnet.rosa_public[count.index].availability_zone}"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-
-  depends_on = [aws_internet_gateway.rosa]
-}
diff --git a/modules/terraform-rosa-networking/output.tf b/modules/terraform-rosa-networking/output.tf
deleted file mode 100644
index 55ca5bc6..00000000
--- a/modules/terraform-rosa-networking/output.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-output "private_subnet_ids" {
-  value = length(var.network.private_subnet_ids) > 0 ? var.network.private_subnet_ids : [for net in aws_subnet.rosa_private : net.id]
-}
-
-output "public_subnet_ids" {
-  value = length(var.network.public_subnet_ids) > 0 ? var.network.public_subnet_ids : [for net in aws_subnet.rosa_public : net.id]
-}
-
-output "private_subnet_azs" {
-  value = length(var.network.private_subnet_ids) > 0 ? [] : [for net in aws_subnet.rosa_private : net.availability_zone]
-}
-
-output "public_subnet_azs" {
-  value = length(var.network.public_subnet_ids) > 0 ? [] : [for net in aws_subnet.rosa_public : net.availability_zone]
-}
-
-output "vpc_id" {
-  value = aws_vpc.rosa[0].id
-}
-
-output "vpc_cidr" {
-  value = aws_vpc.rosa[0].cidr_block
-}
-
-output "private_route_table_ids" {
-  value = aws_route_table.rosa_private[*].id
-}
diff --git a/modules/terraform-rosa-networking/provider.tf b/modules/terraform-rosa-networking/provider.tf
deleted file mode 100644
index 991dcf2a..00000000
--- a/modules/terraform-rosa-networking/provider.tf
+++ /dev/null
@@ -1,8 +0,0 @@
-terraform {
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.20.0"
-    }
-  }
-}
diff --git a/modules/terraform-rosa-networking/route.tf b/modules/terraform-rosa-networking/route.tf
deleted file mode 100644
index cdfd86e2..00000000
--- a/modules/terraform-rosa-networking/route.tf
+++ /dev/null
@@ -1,71 +0,0 @@
-#
-# public subnet routes
-#
-# NOTE: tags configured separately as not to conflict with tags from the install process
-#
-resource "aws_route_table" "rosa_public" {
-  count = local.public_subnet_count
-
-  vpc_id = aws_vpc.rosa[0].id
-
-  tags = merge(var.tags,
-    {
-      "Name" = "${var.cluster_name}-public-${aws_subnet.rosa_private[count.index].availability_zone}"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
-
-resource "aws_route" "rosa_public" {
-  count = local.public_subnet_count
-
-  route_table_id         = aws_route_table.rosa_public[count.index].id
-  destination_cidr_block = "0.0.0.0/0"
-  gateway_id             = aws_internet_gateway.rosa[0].id
-}
-
-resource "aws_route_table_association" "rosa_public" {
-  count = local.public_subnet_count
-
-  subnet_id      = aws_subnet.rosa_public[count.index].id
-  route_table_id = aws_route_table.rosa_public[count.index].id
-}
-
-#
-# private subnet routes
-#
-# NOTE: tags configured separately as not to conflict with tags from the install process
-#
-resource "aws_route_table" "rosa_private" {
-  count = local.private_subnet_count
-
-  vpc_id = aws_vpc.rosa[0].id
-
-  tags = merge(var.tags,
-    {
-      "Name" = "${var.cluster_name}-private-${aws_subnet.rosa_private[count.index].availability_zone}"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
-
-resource "aws_route" "rosa_private" {
-  count = local.private_subnet_count
-
-  route_table_id         = aws_route_table.rosa_private[count.index].id
-  destination_cidr_block = "0.0.0.0/0"
-  nat_gateway_id         = aws_nat_gateway.rosa_public[count.index].id
-}
-
-resource "aws_route_table_association" "rosa_private" {
-  count = local.private_subnet_count
-
-  subnet_id      = aws_subnet.rosa_private[count.index].id
-  route_table_id = aws_route_table.rosa_private[count.index].id
-}
diff --git a/modules/terraform-rosa-networking/subnet.tf b/modules/terraform-rosa-networking/subnet.tf
deleted file mode 100644
index 4e9270e7..00000000
--- a/modules/terraform-rosa-networking/subnet.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-resource "aws_subnet" "rosa_public" {
-  count = local.public_subnet_count
-
-  vpc_id                  = aws_vpc.rosa[0].id
-  cidr_block              = local.subnets_public[count.index]
-  availability_zone       = data.aws_availability_zones.available.names[count.index]
-  map_public_ip_on_launch = true
-
-  tags = merge(var.tags,
-    {
-      "Name"                   = "${var.cluster_name}-public-${data.aws_availability_zones.available.names[count.index]}",
-      "kubernetes.io/role/elb" = "1"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
-
-resource "aws_subnet" "rosa_private" {
-  count = local.private_subnet_count
-
-  vpc_id                  = aws_vpc.rosa[0].id
-  cidr_block              = local.subnets_private[count.index]
-  availability_zone       = data.aws_availability_zones.available.names[count.index]
-  map_public_ip_on_launch = false
-
-  tags = merge(var.tags,
-    {
-      "Name"                            = "${var.cluster_name}-private-${data.aws_availability_zones.available.names[count.index]}",
-      "kubernetes.io/role/internal-elb" = "1"
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
diff --git a/modules/terraform-rosa-networking/test/multi-az/main.tf b/modules/terraform-rosa-networking/test/multi-az/main.tf
deleted file mode 100644
index ec73bf76..00000000
--- a/modules/terraform-rosa-networking/test/multi-az/main.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-provider "aws" {
-  region = "us-east-2"
-}
-
-module "test" {
-  source = "../../"
-
-  cluster_name = "dscott-multi"
-
-  network = {
-    private_link       = true
-    multi_az           = true
-    vpc_network        = "10.20.0.0"
-    vpc_cidr_size      = 16
-    private_subnet_ids = []
-    public_subnet_ids  = []
-    subnet_cidr_size   = 20
-  }
-}
diff --git a/modules/terraform-rosa-networking/test/single-az/main.tf b/modules/terraform-rosa-networking/test/single-az/main.tf
deleted file mode 100644
index a3be028e..00000000
--- a/modules/terraform-rosa-networking/test/single-az/main.tf
+++ /dev/null
@@ -1,31 +0,0 @@
-provider "aws" {
-  region = "us-east-1"
-}
-
-module "test" {
-  source = "../../"
-
-  cluster_name = "dscott-small"
-
-  network = {
-    private_link       = false
-    multi_az           = true
-    vpc_network        = "10.10.0.0"
-    vpc_cidr_size      = 23
-    private_subnet_ids = []
-    public_subnet_ids  = []
-    subnet_cidr_size   = 26
-  }
-
-  tags = {
-    "cost-center"   = "CC468"
-    "service-phase" = "lab"
-    "app-code"      = "MOBB-001"
-    "owner"         = "dscott_redhat.com"
-    "provisioner"   = "Terraform"
-  }
-}
-
-output "output" {
-  value = module.test
-}
diff --git a/modules/terraform-rosa-networking/variables.tf b/modules/terraform-rosa-networking/variables.tf
deleted file mode 100644
index 6b13bd5e..00000000
--- a/modules/terraform-rosa-networking/variables.tf
+++ /dev/null
@@ -1,39 +0,0 @@
-variable "cluster_name" {
-  description = "Name of the cluster to create"
-  type        = string
-  default     = "dscott"
-}
-
-# TODO: no validation on this input currently
-variable "network" {
-  description = "Cluster networking variables"
-  type = object({
-    private_link       = bool
-    multi_az           = bool
-    vpc_network        = string
-    vpc_cidr_size      = number
-    private_subnet_ids = list(string)
-    public_subnet_ids  = list(string)
-    subnet_cidr_size   = number
-  })
-  default = {
-    private_link       = false
-    multi_az           = false
-    vpc_network        = "10.10.0.0"
-    vpc_cidr_size      = 16
-    private_subnet_ids = []
-    public_subnet_ids  = []
-    subnet_cidr_size   = 20
-  }
-
-  validation {
-    condition     = (length(var.network.public_subnet_ids) == 0 && length(var.network.private_subnet_ids) == 0) || (length(var.network.public_subnet_ids) > 0 && length(var.network.private_subnet_ids) > 0)
-    error_message = "Public/Private subnets must either both be specified or omitted.  Found private: [${length(var.network.private_subnet_ids)}], public: [${length(var.network.public_subnet_ids)}]."
-  }
-}
-
-variable "tags" {
-  description = "Tags applied to all objects"
-  type        = map(string)
-  default     = {}
-}
diff --git a/modules/terraform-rosa-networking/vpc.tf b/modules/terraform-rosa-networking/vpc.tf
deleted file mode 100644
index e9cc15e1..00000000
--- a/modules/terraform-rosa-networking/vpc.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "aws_vpc" "rosa" {
-  count = local.create_networking ? 1 : 0
-
-  cidr_block           = local.vpc_cidr
-  enable_dns_hostnames = true
-
-  tags = merge(var.tags,
-    {
-      "Name" = var.cluster_name
-    }
-  )
-
-  lifecycle {
-    ignore_changes = [tags]
-  }
-}
diff --git a/network.tf b/network.tf
index 0e5c56cd..84b4b2be 100644
--- a/network.tf
+++ b/network.tf
@@ -1,17 +1,101 @@
-module "network" {
-  source = "./modules/terraform-rosa-networking"
-
-  cluster_name = var.cluster_name
-
-  network = {
-    private_link       = var.private
-    multi_az           = var.multi_az
-    vpc_network        = split("/", var.vpc_cidr)[0]
-    vpc_cidr_size      = tonumber(split("/", var.vpc_cidr)[1])
-    subnet_cidr_size   = var.subnet_cidr_size
-    public_subnet_ids  = []
-    private_subnet_ids = []
+data "aws_availability_zones" "available" {
+  filter {
+    name   = "region-name"
+    values = [data.aws_region.current.name]
+  }
+
+  filter {
+    name   = "group-name"
+    values = [data.aws_region.current.name]
   }
 
-  tags = var.tags
+  filter {
+    name   = "state"
+    values = ["available"]
+  }
+}
+
+data "aws_subnet" "selected" {
+  count = length(var.private_subnet_ids)
+
+  id = var.private_subnet_ids[count.index]
+}
+
+locals {
+  create_networking = length(var.private_subnet_ids) < 1
+
+  # retrieve the availability zones either from those which were input, or those which are availabie if 
+  # we will be creating the netwokring on behalf of the user.
+  availability_zones = local.create_networking ? (
+    var.multi_az ?
+    slice(
+      [for zone in data.aws_availability_zones.available.names : zone],
+      0,
+      3
+    ) :
+    slice(
+      [for zone in data.aws_availability_zones.available.names : zone],
+      0,
+      1
+    )
+  ) : [for subnet in data.aws_subnet.selected : subnet.availability_zone]
+
+  # retrieve the subnet count.  if we are creating the networking, we derive the subnet count from the 
+  # multi_az variable.  if we are not creating the networking, we are simply counting the subnets that 
+  # the user has passed in.
+  private_subnet_count = local.create_networking ? (var.multi_az ? 3 : 1) : length(var.private_subnet_ids)
+  public_subnet_count  = local.create_networking ? (var.multi_az ? 3 : 1) : length(var.public_subnet_ids)
+
+  # retrieve the subnet cidrs based on the requested VPC address range and the requested subnet CIDR size.
+  subnet_cidrs = local.create_networking ? [
+    for index in range(local.private_subnet_count + local.public_subnet_count) :
+    cidrsubnet(var.vpc_cidr, (var.subnet_cidr_size - tonumber(split("/", var.vpc_cidr)[1])), index)
+  ] : []
+
+  # retrieve the private and public subnet cidrs.
+  private_subnet_cidrs = local.create_networking ? slice(local.subnet_cidrs, 0, local.private_subnet_count) : []
+  public_subnet_cidrs  = local.create_networking ? slice(local.subnet_cidrs, local.public_subnet_count, (length(local.subnet_cidrs))) : []
+}
+
+module "network" {
+  count = local.create_networking ? 1 : 0
+
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "5.9.0"
+
+  name = var.cluster_name
+  cidr = var.vpc_cidr
+
+  azs             = local.availability_zones
+  private_subnets = var.multi_az ? local.private_subnet_cidrs : [local.private_subnet_cidrs[0]]
+  public_subnets  = var.multi_az ? local.public_subnet_cidrs : [local.public_subnet_cidrs[0]]
+
+  # nat gateway
+  enable_nat_gateway = true
+  single_nat_gateway = false
+
+  # dhcp option set
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  # tagging
+  tags                = var.tags
+  private_subnet_tags = { "kubernetes.io/role/internal-elb" = "1" }
+  public_subnet_tags  = { "kubernetes.io/role/elb" = "1" }
+}
+
+# derive the values based on whether we created networking, so that they are simpler to consume in other parts of the automation
+locals {
+  # vpc
+  vpc_id = local.create_networking ? module.network[0].vpc_id : data.aws_subnet.selected[0].vpc_id
+
+  # subnet ids
+  private_subnet_ids = local.create_networking ? module.network[0].private_subnets : var.private_subnet_ids
+  public_subnet_ids  = local.create_networking ? module.network[0].public_subnets : var.public_subnet_ids
+
+  # route table ids
+  # NOTE: the subnet lookup does not provide insight to the route table ids, so return a null value if the user passed
+  #       us the subnet ids (create_networking).
+  private_route_table_ids = local.create_networking ? module.network[0].private_route_table_ids : null
+  public_route_table_ids  = local.create_networking ? module.network[0].public_route_table_ids : null
 }
diff --git a/outputs.tf b/outputs.tf
index a63e2469..47ded7c6 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,31 +1,41 @@
+#
+# networking outputs
+#
 output "vpc_id" {
-  value = module.network.vpc_id
+  value = local.vpc_id
 }
 
 output "vpc_cidr" {
-  value = module.network.vpc_cidr
+  value = var.vpc_cidr
 }
 
 output "public_subnet_ids" {
-  value = module.network.public_subnet_ids
+  value = local.public_subnet_ids
 }
 
 output "private_subnet_ids" {
-  value = module.network.private_subnet_ids
+  value = local.private_subnet_ids
 }
 
 output "public_subnet_azs" {
-  value = module.network.public_subnet_azs
+  value = local.availability_zones
 }
 
 output "private_subnet_azs" {
-  value = module.network.private_subnet_azs
+  value = local.availability_zones
 }
 
 output "private_route_table_ids" {
-  value = module.network.private_route_table_ids
+  value = local.private_route_table_ids
 }
 
+output "public_route_table_ids" {
+  value = local.public_route_table_ids
+}
+
+#
+# oidc outputs
+#
 output "oidc_config_id" {
   value = local.cluster_oidc_config_id
 }
@@ -34,6 +44,9 @@ output "oidc_endpoint_url" {
   value = local.cluster_oidc_endpoint_url
 }
 
+#
+# cluster access outputs
+#
 output "cluster_api_url" {
   value = local.cluster_api_url
 }
diff --git a/variables.tf b/variables.tf
index 86bb0be9..66dc1876 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,18 +1,38 @@
-variable "private" {
-  description = "Set to true to provision a private cluster, which restricts access from the public internet."
+#
+# rosa / openshift configuration
+#
+variable "cluster_name" {
+  description = "The name of the cluster.  This is also used as a prefix to name related components."
+  type        = string
+}
+
+variable "hosted_control_plane" {
+  description = "Provision a ROSA cluster using a Hosted Control Plane."
   type        = bool
   default     = false
 }
 
-variable "bastion_public_ssh_key" {
+variable "ocp_version" {
   description = <<EOF
-  Location to an SSH public key file on the local system which is used to provide connectivity to the bastion host
-  when the 'private' variable is set to 'true'.
+  The version of OpenShift to use.  You can use the command 'rosa list versions' to see all available OpenShift 
+  versions available to ROSA.
   EOF
   type        = string
-  default     = "~/.ssh/id_rsa.pub"
+  default     = "4.15.18"
+}
+
+variable "token" {
+  description = <<EOF
+  OCM token used to authenticate against the OpenShift Cluster Manager API.  See
+  https://console.redhat.com/openshift/token/rosa/show to access your token.
+  EOF
+  type        = string
+  sensitive   = true
 }
 
+#
+# compute configuration
+#
 variable "region" {
   description = "The AWS region to provision a ROSA cluster and required components into."
   type        = string
@@ -29,12 +49,7 @@ variable "multi_az" {
   default     = false
 }
 
-variable "hosted_control_plane" {
-  description = "Provision a ROSA cluster using a Hosted Control Plane."
-  type        = bool
-  default     = false
-}
-
+# WARN: this is deprecated and should be superceded by using 'replicas' and 'max_replicas'.
 variable "autoscaling" {
   description = <<EOF
   Enable autoscaling for the default machine pool, this is ignored for HCP clusters as autoscaling is not supported
@@ -48,6 +63,15 @@ variable "autoscaling" {
   default     = null
 }
 
+variable "compute_machine_type" {
+  description = <<EOF
+  The machine type used by the initial worker nodes, for example, m5.xlarge.  You can use the command 'rosa list 
+  instance-types' to see all available instance types available to ROSA.
+  EOF
+  type        = string
+  default     = "m5.xlarge"
+}
+
 variable "replicas" {
   description = <<EOF
   Minimum number of replicas for the default machine pool.  If unset, a default value is configured based on the 
@@ -69,27 +93,32 @@ variable "max_replicas" {
   default     = null
 }
 
-variable "token" {
-  description = <<EOF
-  OCM token used to authenticate against the OpenShift Cluster Manager API.  See
-  https://console.redhat.com/openshift/token/rosa/show to access your token.
-  EOF
-  type        = string
-  sensitive   = true
+#
+# networking configuration
+#
+
+# cloud networking
+variable "private" {
+  description = "Set to true to provision a private cluster, which restricts access from the public internet."
+  type        = bool
+  default     = false
 }
 
-variable "cluster_name" {
-  description = "The name of the cluster.  This is also used as a prefix to name related components."
-  type        = string
+variable "private_subnet_ids" {
+  description = <<EOF
+  Pre-existing private subnets that will be used to place the ROSA cluster in.
+  EOF
+  type        = list(string)
+  default     = []
 }
 
-variable "ocp_version" {
+variable "public_subnet_ids" {
   description = <<EOF
-  The version of OpenShift to use.  You can use the command 'rosa list versions' to see all available OpenShift 
-  versions available to ROSA.
+  Pre-existing public subnets that will be used to create public-facing components for the ROSA cluster.  If specified, 
+  private_subnet_ids must also be specified.
   EOF
-  type        = string
-  default     = "4.15.18"
+  type        = list(string)
+  default     = []
 }
 
 variable "vpc_cidr" {
@@ -107,6 +136,7 @@ variable "subnet_cidr_size" {
   default     = 20
 }
 
+# openshift internal networking
 variable "pod_cidr" {
   description = "The internal pod CIDR network used for assigning IP addresses to pods."
   type        = string
@@ -119,12 +149,9 @@ variable "service_cidr" {
   default     = "172.30.0.0/16"
 }
 
-variable "tags" {
-  description = "Tags applied to all objects."
-  type        = map(string)
-  default     = {}
-}
-
+#
+# identity provider configuration
+#
 variable "admin_password" {
   description = <<EOF
   Password for the 'admin' user. IDP is not created if unspecified.  Password must be 14 characters or more, contain 
@@ -143,11 +170,20 @@ variable "developer_password" {
   sensitive   = true
 }
 
-variable "compute_machine_type" {
+#
+# other configuraton
+#
+variable "bastion_public_ssh_key" {
   description = <<EOF
-  The machine type used by the initial worker nodes, for example, m5.xlarge.  You can use the command 'rosa list 
-  instance-types' to see all available instance types available to ROSA.
+  Location to an SSH public key file on the local system which is used to provide connectivity to the bastion host
+  when the 'private' variable is set to 'true'.
   EOF
   type        = string
-  default     = "m5.xlarge"
+  default     = "~/.ssh/id_rsa.pub"
+}
+
+variable "tags" {
+  description = "Tags applied to all objects."
+  type        = map(string)
+  default     = {}
 }

From d84c2a8121a4f831d9b7f0054dfd7dd63eca6ec8 Mon Sep 17 00:00:00 2001
From: Dustin Scott <dscott@redhat.com>
Date: Wed, 17 Jul 2024 13:14:58 -0500
Subject: [PATCH 2/2] docs: update README to indicate that this should be
 consumed as example

Signed-off-by: Dustin Scott <dscott@redhat.com>
---
 README.md | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 3b65fdc8..b59864a9 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,9 @@
 # Summary
 
-This repository can be used as a module to create a ROSA cluster with the following components:
+This repository is intended to show an example of a starting point for implementing your own ROSA automation.  This 
+example provisions the following:
 
-- ROSA networking in either private/public architecture
+- ROSA networking in either private/public architecture (you may pass your pre-existing subnet IDs if you have a pre-existing network)
 - ROSA cluster in either [Classic](https://docs.openshift.com/rosa/architecture/rosa-architecture-models.html#rosa-classic-architecture_rosa-architecture-models) 
 or [Hosted Control Plane](https://docs.openshift.com/rosa/architecture/rosa-architecture-models.html#rosa-hcp-architecture_rosa-architecture-models) architecture
 - [Default machine pool](https://docs.openshift.com/rosa/rosa_cluster_admin/rosa_nodes/rosa-nodes-machinepools-about.html) with desired replica count
@@ -10,7 +11,16 @@ or [Hosted Control Plane](https://docs.openshift.com/rosa/architecture/rosa-arch
 - Local HTPasswd [identity provider](https://docs.openshift.com/rosa/authentication/sd-configuring-identity-providers.html) with an "developer" user with basic privileges
 
 
-# Usage
+# Usage as Example
+
+This is the desired workflow for consuming this repository.  There are a couple good examples of how to 
+use this in our upstream documentation:
+
+- [Provision a ROSA Classic Cluster with Terraform](https://cloud.redhat.com/experts/rosa/terraform/classic/)
+- [Provision a ROSA Hosted Control Plane Cluster with Terraform](https://cloud.redhat.com/experts/rosa/terraform/hcp/)
+
+
+# Usage as Module
 
 The following Terraform is an example file to deploy a public ROSA cluster via this module.  This file
 can be created wherever you would like to run Terraform from as a `main.tf` file.  A complete list of variables
@@ -19,6 +29,9 @@ and modifications is available via the [variables.tf](variables.tf) file:
 **NOTE:** this is an overly simplistic file to demonstrate a simple installation.  You will need to tailor your 
 automation to your needs.  If there is functionality that is missing that you would like to see, please open an issue!
 
+**WARN:** this repository is not tested to the level of many community Terraform modules, although it is versioned.  Please
+consider this when consuming this repository as a Terraform module.
+
 ```
 variable "token" {
   type      = string