Saturday, 7 February 2026

Understanding VPC, Filter Blocks in Terraform


Confirm the Default VPC (AWS Console)

  1. Open AWS Console → VPC

  2. Go to Your VPCs

  3. Identify the VPC marked Default = Yes

  4. Go to Subnets

    • Notice one subnet per Availability Zone

💡 Key Concept

EC2 instances are launched into subnets, and subnets belong to VPCs.


🔬 LAB 2 — Create Terraform Project

Create main.tf:

provider "aws" { region = "us-east-1" }

Initialize:

terraform init

🔬 LAB 3 — Look Up the Default VPC (Data Source)

Add to main.tf:

data "aws_vpc" "default" { default = true }

Add output:

output "default_vpc_id" { value = data.aws_vpc.default.id }

Run:

terraform apply -auto-approve

✅ Terraform prints the default VPC ID.

💡 Key Concept

data blocks read existing infrastructure — they do NOT create anything.


🔬 LAB 4 — Find Subnets Using a filter Block (Core Concept)

Now we want subnets that belong ONLY to the default VPC.

Add:

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

Add output:

output "default_subnet_ids" { value = data.aws_subnets.default.ids }

Apply:

terraform apply -auto-approve

🔍 Understanding the filter Block (IMPORTANT)

What the filter block does

It tells Terraform:
“Only return AWS resources that match this condition.”

In this case:

“Give me only the subnets that belong to the default VPC.”


Line-by-line explanation

filter {
  name   = "vpc-id"
  values = [data.aws_vpc.default.id]
}

  • filter {}
    Defines a condition AWS must match

  • name = "vpc-id"
    The AWS API attribute we are filtering on
    (This is an AWS field, not a Terraform keyword)

  • values = [...]
    Acceptable value(s) for that attribute
    Here, it dynamically uses the default VPC ID


What Terraform is doing behind the scenes

Terraform sends AWS a request like:

“List all subnets WHERE vpc-id = vpc-xxxxxxxx”

AWS returns only matching subnets.


Remember this

Think of AWS like a database:

SELECT * FROM subnets WHERE vpc_id = 'vpc-xxxxxxxx';

That’s exactly what the filter block does.


Why this is better than hardcoding

❌ Bad:

subnet_id = "subnet-0abc123"

✅ Good:

subnet_id = data.aws_subnets.default.ids[0]

Benefits:

  • Works across AWS accounts

  • Works across regions

  • Real-world Terraform pattern

⚠️ Note for students

The order of subnet IDs is not guaranteed.
Using [0] is fine for labs, but production code should be deterministic.


🔬 LAB 5 — Launch EC2 in the Default VPC

Add:

resource "aws_instance" "web" {
  ami           = "ami-0c02fb55956c7d316" # Amazon Linux 2 (us-east-1)
  instance_type = "t3.micro"
  subnet_id     = data.aws_subnets.default.ids[0]

  tags = {
    Name = "terraform-default-vpc-lab"
  }
}

Apply:

terraform apply -auto-approve

✅ EC2 instance launches in the default VPC.


🔬 LAB 6 — Use the Default Security Group (Optional but Best Practice)

Add:

data "aws_security_group" "default" {
  name   = "default"
  vpc_id = data.aws_vpc.default.id
}

Update EC2:

vpc_security_group_ids = [ data.aws_security_group.default.id ]

Apply again.
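The following is an added, complete main.tf that ties LAB 4 through LAB 6 together and addresses the note above about ids[0] not being deterministic. It is example code written for this post, not the original lab files. Instead of indexing an unordered list, it uses the singular aws_subnet data source with three filters combined (vpc-id, availability-zone and default-for-az, all real EC2 DescribeSubnets filter names) so that exactly one subnet can match, and it adds a lifecycle precondition that fails the plan with a clear message if the subnet or the security group does not belong to the VPC that was looked up. The Availability Zone "us-east-1a" is an assumption; pick one that exists in your account.

```hcl
terraform {
  required_version = ">= 1.2" # lifecycle preconditions need Terraform 1.2 or newer
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Read-only lookups: nothing in the data blocks below is created.
data "aws_vpc" "default" {
  default = true
}

# Deterministic subnet choice: several filter blocks are combined with AND,
# so AWS returns the one default subnet of the named Availability Zone.
# The singular aws_subnet data source errors out if zero or several match,
# which is itself a useful check.
data "aws_subnet" "lab" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
  filter {
    name   = "availability-zone"
    values = ["us-east-1a"] # assumed AZ for this example
  }
  filter {
    name   = "default-for-az"
    values = ["true"]
  }
}

# Explicit dependency on the VPC's default security group (LAB 6).
data "aws_security_group" "default" {
  name   = "default"
  vpc_id = data.aws_vpc.default.id
}

resource "aws_instance" "web" {
  ami                    = "ami-0c02fb55956c7d316" # Amazon Linux 2 (us-east-1), as in the lab
  instance_type          = "t3.micro"
  subnet_id              = data.aws_subnet.lab.id
  vpc_security_group_ids = [data.aws_security_group.default.id]

  tags = {
    Name = "terraform-default-vpc-lab"
  }

  lifecycle {
    # Cross-check the two dependencies against the VPC we looked up, so a
    # mismatch is reported at plan time instead of as an AWS API error.
    precondition {
      condition = (
        data.aws_subnet.lab.vpc_id == data.aws_vpc.default.id &&
        data.aws_security_group.default.vpc_id == data.aws_vpc.default.id
      )
      error_message = "Subnet and security group must belong to the default VPC ${data.aws_vpc.default.id}."
    }
  }
}

output "chosen_subnet" {
  value = {
    id   = data.aws_subnet.lab.id
    az   = data.aws_subnet.lab.availability_zone
    cidr = data.aws_subnet.lab.cidr_block
  }
}
```

Run terraform init, then terraform plan: the plan succeeds only when exactly one subnet matches all three filters and both lookups resolve inside the default VPC, which is the same query-then-use pattern as the labs, with the selection made explicit rather than left to list order.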

💡 Teaching Point

Never assume defaults — always declare dependencies explicitly.


🔬 LAB 7 — Cleanup (Critical Habit)

terraform destroy -auto-approve

🧠 Key Takeaways (Interview / Exam Ready)

  • aws_instance has no vpc_id

  • ✅ EC2 → Subnet → VPC

  • filter blocks safely query AWS

  • ❌ Hardcoding IDs is fragile

  • ✅ Default VPC is OK for labs, not production


