Explicit AZ control to prevent breaking changes in infra

Author: RussellGilmore

README.md

@@ -71,7 +71,6 @@ No modules.
 | [local_file.red_private_key_file](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
 | [tls_private_key.red_private_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [aws_ami.red_ami](https://registry.terraform.io/providers/hashicorp/aws/6.0.0/docs/data-sources/ami) | data source |
-| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/6.0.0/docs/data-sources/availability_zones) | data source |
 | [aws_route53_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/6.0.0/docs/data-sources/route53_zone) | data source |
 
 ## Inputs
@@ -83,6 +82,7 @@ No modules.
 | <a name="input_ami_name"></a> [ami\_name](#input\_ami\_name) | The name of the AMI to use for the instance | `string` | `"ubuntu/images/hvm-ssd-gp3/ubuntu-noble-24.04-arm64-server-20250610"` | no |
 | <a name="input_ami_owner"></a> [ami\_owner](#input\_ami\_owner) | The owner of the AMI to use for the instance | `string` | `"099720109477"` | no |
 | <a name="input_apex_domain"></a> [apex\_domain](#input\_apex\_domain) | The apex domain to use for the public DNS record | `string` | `""` | no |
+| <a name="input_availability_zone"></a> [availability\_zone](#input\_availability\_zone) | The availability zone to use for the subnet. Leave empty to use the default behavior. | `string` | `""` | no |
 | <a name="input_create_ec2_key_pair"></a> [create\_ec2\_key\_pair](#input\_create\_ec2\_key\_pair) | Controls whether an EC2 key pair should be created | `bool` | `false` | no |
 | <a name="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc) | Controls whether networking resources should be created for public exposed server | `bool` | `true` | no |
 | <a name="input_disable_api_stop"></a> [disable\_api\_stop](#input\_disable\_api\_stop) | Controls whether API stop is disabled | `bool` | `false` | no |

red-instance/public_vpc.tf

@@ -1,14 +1,3 @@
-# This file creates a VPC, a public subnet, an internet gateway, a route table, and associates the route table with the subnet.
-
-# Data source to get available AZs that support the instance type
-data "aws_availability_zones" "available" {
-  count = var.create_vpc ? 1 : 0
-  state = "available"
-
-  # Filter to exclude AZs that typically don't support ARM instances
-  exclude_names = ["us-east-1e"] # Add other problematic AZs as needed
-}
-
 # The resources are created conditionally based on the value of the create_vpc variable.
 # Justification: This is for development purposes, Flow Logs and other features are not required for a red instance.
 # trivy:ignore:AVD-AWS-0178
@@ -27,7 +16,7 @@ resource "aws_vpc" "main" {
   )
 }
 
-# Create a public subnet with explicit AZ
+# Create a public subnet with smart AZ selection
 # Justification: This is a public subnet for the red instance
 # trivy:ignore:AVD-AWS-0164
 resource "aws_subnet" "public" {
@@ -36,8 +25,8 @@ resource "aws_subnet" "public" {
   cidr_block              = "10.0.1.0/24"
   map_public_ip_on_launch = true
 
-  # Use the first available AZ that supports ARM instances
-  availability_zone = data.aws_availability_zones.available[0].names[0]
+  # Only specify AZ if explicitly provided
+  availability_zone = var.availability_zone != "" ? var.availability_zone : null
 
   tags = merge(
     {

red-instance/variables.tf

@@ -82,6 +82,12 @@ variable "user_data_script_path" {
   default     = ""
 }
 
+variable "availability_zone" {
+  description = "The availability zone to use for the subnet. Leave empty to use the default behavior."
+  type        = string
+  default     = ""
+}
+
 ####################################################################################################
 # Optional Variables for Red Instance Features
 variable "create_vpc" {

tests/dns-only/main.tf

@@ -25,8 +25,9 @@ module "red-instance" {
   volume_size   = 16
 
   # Basic networking setup
-  create_vpc   = true
-  allocate_eip = true
+  create_vpc        = true
+  availability_zone = "us-east-1a"
+  allocate_eip      = true
 
   # Enable DNS but no other optional features
   enable_public_dns = true

tests/full-force/main.tf

@@ -26,6 +26,7 @@ module "red-instance" {
 
   # Enable all optional features
   create_vpc              = true
+  availability_zone       = "us-east-1a"
   allocate_eip            = true
   create_ec2_key_pair     = true
   enable_public_dns       = true

tests/manual/enabled/main.tf

@@ -27,6 +27,7 @@ module "red-instance" {
   dns_name                = "red-instance.rag-space.com"
   create_ec2_key_pair     = true
   create_vpc              = true
+  availability_zone       = "us-east-1a"
 
   additional_tags = {
     Environment = "Has-VPC"