# PRD: Layer 10 - Network

**Scope:** Deployment account. VPC, subnets, routing, VPC endpoints, and security groups for EKS, RDS, and ALB.

**Dependencies:** PRD_00-cross-cutting, PRD_00-bootstrap (Parameter Store contract).

## 1. Purpose and Execution Order

| ID | Requirement |
| ---- | ------------- |
| R-N10-001 | This layer SHALL provision the VPC, subnets, routing, endpoints, and security groups required for EKS Auto Mode, RDS, and the ALB. |
| R-N10-002 | The layer SHALL run after bootstrap and before EKS, RDS, and application layers. |
| R-N10-003 | Outputs SHALL be published to Parameter Store so that layers 20, 30, 35, 40, 45, and 50 can consume VPC, subnet, and security group identifiers. |

## 2. VPC and Subnets

| ID | Requirement |
| ---- | ------------- |
| R-N10-101 | A VPC SHALL be provisioned spanning at least two Availability Zones. |
| R-N10-102 | Public subnets SHALL be provisioned for the ALB (ingress). |
| R-N10-103 | Private subnets SHALL be provisioned for the EKS cluster (worker/compute). |
| R-N10-104 | DB subnets (private) SHALL be provisioned for RDS PostgreSQL. |
| R-N10-105 | Each tier SHALL have one subnet per Availability Zone in every AZ the VPC spans, so that the EKS cluster (which requires subnets in at least two AZs) and the RDS DB subnet group (which also requires at least two AZs) can be created from the published subnet lists. |
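A subnet layout that satisfies R-N10-101 to R-N10-105, as an added example (not the project's own code). It assumes a `var.vpc_cidr` and a `var.azs` list as layer inputs, carves the VPC CIDR into a constructed /24-per-subnet layout, and tags the public and private tiers with the `kubernetes.io/role/elb` and `kubernetes.io/role/internal-elb` discovery tags that the AWS Load Balancer Controller reads; the `tier` tag name is an assumption.

```hcl
# Added example, not the project's own code. var.vpc_cidr and var.azs are assumed
# layer inputs; the /24-per-subnet layout below is a constructed sample.
variable "vpc_cidr" {
  type    = string
  default = "10.20.0.0/16"
}

variable "azs" {
  type = list(string) # e.g. ["eu-west-1a", "eu-west-1b"]
  validation {
    condition     = length(var.azs) >= 2
    error_message = "R-N10-101: the VPC must span at least two Availability Zones."
  }
}

resource "aws_vpc" "this" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true # needed for interface endpoint private DNS names
  tags                 = { Name = "wikijs" }
}

# Three tiers, one subnet per AZ in every AZ. Each tier owns a block of /24s:
# tier index * 16 + AZ index selects the third octet (constructed layout).
locals {
  tiers = {
    public   = { index = 0, elb_tag = "kubernetes.io/role/elb" }
    private  = { index = 1, elb_tag = "kubernetes.io/role/internal-elb" }
    database = { index = 2, elb_tag = "" } # RDS only; no load balancers here
  }
  subnets = {
    for pair in setproduct(keys(local.tiers), range(length(var.azs))) :
    "${pair[0]}-${var.azs[pair[1]]}" => {
      tier = pair[0]
      az   = var.azs[pair[1]]
      cidr = cidrsubnet(var.vpc_cidr, 8, local.tiers[pair[0]].index * 16 + pair[1])
    }
  }
}

resource "aws_subnet" "this" {
  for_each          = local.subnets
  vpc_id            = aws_vpc.this.id
  availability_zone = each.value.az
  cidr_block        = each.value.cidr

  # No instance in any tier should receive a public IP automatically; the ALB
  # allocates its own addresses in the public subnets.
  map_public_ip_on_launch = false

  tags = merge(
    { Name = "wikijs-${each.key}", tier = each.value.tier },
    # Subnet discovery tags read by the AWS Load Balancer Controller.
    { for t in compact([local.tiers[each.value.tier].elb_tag]) : t => "1" },
  )
}

# Per-tier ID lists in the shape layers 20 (EKS) and 30 (RDS subnet group) consume.
output "subnet_ids_by_tier" {
  value = {
    for tier in keys(local.tiers) :
    tier => [for key, s in aws_subnet.this : s.id if local.subnets[key].tier == tier]
  }
}
```

The `validation` block fails `terraform plan` rather than letting a single-AZ VPC through to the EKS and RDS layers, where the failure would surface much later. EKS Auto Mode selects node subnets by tag through its NodeClass `subnetSelectorTerms`, so the `tier` tag can double as that selector in layer 20.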

## 3. Routing and Endpoints

| ID | Requirement |
| ---- | ------------- |
| R-N10-201 | NAT gateways SHALL provide outbound Internet access for the private (EKS) subnets where it is required (node image pulls, ArgoCD reaching external Git repositories, and similar), with one NAT gateway per AZ so that an AZ failure does not remove egress for the surviving AZ. |
| R-N10-202 | VPC endpoints SHALL be provisioned as required by the private subnets' dependencies and by cost: at minimum the S3 gateway endpoint (which ECR also uses to serve image layers) and interface endpoints for ECR (`ecr.api` and `ecr.dkr`), STS, Secrets Manager, SSM, and CloudWatch Logs SHALL be evaluated against the private subnet requirements. Interface endpoints SHALL have private DNS enabled and SHALL be attached to a dedicated endpoint security group. |
| R-N10-203 | Route tables SHALL give public subnets a default route to the Internet gateway, private subnets a default route to the NAT gateway in the same AZ, and DB subnets only the local VPC route (no default route), plus the S3 gateway endpoint route on the private route tables where that endpoint is provisioned. |
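The routing and endpoint requirements above, as an added example (not the project's own code). It assumes the public and private subnet IDs arrive as maps keyed by AZ (`var.public_subnet_ids`, `var.private_subnet_ids`) so that NAT gateways and private route tables pair up per AZ, and an endpoint security group ID (`var.endpoint_sg_id`) produced by the security group part of this layer.

```hcl
# Added example, not the project's own code. The variables are assumed layer inputs;
# the public and private subnet maps must share the same AZ keys.
variable "vpc_id"              { type = string }
variable "public_subnet_ids"   { type = map(string) } # az => subnet id
variable "private_subnet_ids"  { type = map(string) } # az => subnet id
variable "database_subnet_ids" { type = list(string) }
variable "endpoint_sg_id"      { type = string }

data "aws_region" "current" {}

# Public tier: default route to the Internet gateway.
resource "aws_internet_gateway" "this" { vpc_id = var.vpc_id }
resource "aws_route_table" "public" { vpc_id = var.vpc_id }
resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.this.id
}
resource "aws_route_table_association" "public" {
  for_each       = var.public_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.public.id
}

# Private tier: one NAT gateway and one route table per AZ, so an AZ failure
# does not take the other AZ's egress with it.
resource "aws_eip" "nat" {
  for_each = var.public_subnet_ids
  domain   = "vpc"
}
resource "aws_nat_gateway" "this" {
  for_each      = var.public_subnet_ids
  subnet_id     = each.value
  allocation_id = aws_eip.nat[each.key].id
  depends_on    = [aws_internet_gateway.this]
}
resource "aws_route_table" "private" {
  for_each = var.private_subnet_ids
  vpc_id   = var.vpc_id
}
resource "aws_route" "private_default" {
  for_each               = var.private_subnet_ids
  route_table_id         = aws_route_table.private[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[each.key].id
}
resource "aws_route_table_association" "private" {
  for_each       = var.private_subnet_ids
  subnet_id      = each.value
  route_table_id = aws_route_table.private[each.key].id
}

# DB tier: its own table with only the implicit local route, so RDS has no
# path to the Internet in either direction.
resource "aws_route_table" "database" { vpc_id = var.vpc_id }
resource "aws_route_table_association" "database" {
  for_each       = toset(var.database_subnet_ids)
  subnet_id      = each.value
  route_table_id = aws_route_table.database.id
}

# S3 as a gateway endpoint on the private tables: no hourly cost, and ECR pulls
# fetch image layers from S3 through it.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [for rt in aws_route_table.private : rt.id]
}

# Interface endpoints, one ENI per private subnet (hence one per AZ), reachable
# only from the endpoint security group. ECR needs both ecr.api and ecr.dkr.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(["ecr.api", "ecr.dkr", "sts", "secretsmanager", "ssm", "logs"])
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = values(var.private_subnet_ids)
  security_group_ids  = [var.endpoint_sg_id]
  private_dns_enabled = true # public service hostnames resolve to the endpoint ENIs
}
```

Two caveats a reviewer should check. The S3 gateway endpoint is created with its default full-access policy; if it is tightened to this account's buckets, `s3:GetObject` on `arn:aws:s3:::prod-<region>-starport-layer-bucket/*` must stay allowed for any principal, because that is the AWS-owned bucket ECR serves image layers from. And an interface endpoint rejects two subnets in the same AZ, which is why the example takes one private subnet per AZ rather than an arbitrary list.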

## 4. Security Groups

| ID | Requirement |
| ---- | ------------- |
| R-N10-301 | An ALB security group SHALL be created allowing inbound TCP 443 (HTTPS) only; because the ALB is the public ingress, the source is the Internet (`0.0.0.0/0`). No other inbound rule (in particular no TCP 80) SHALL exist unless an HTTP-to-HTTPS redirect listener is explicitly required. Egress SHALL be limited to the application port on the EKS/workload security group. |
| R-N10-302 | An EKS/workload security group SHALL be created allowing inbound traffic to the application port only from the ALB security group, plus traffic from itself (node-to-node: CoreDNS, pod-to-pod across nodes), and egress only to what the workloads need: TCP 5432 to the RDS security group, TCP 443 to the VPC endpoint security group, and TCP 443 to the Internet via NAT (the S3 gateway endpoint is covered by that HTTPS egress rule, or by a rule referencing the S3 prefix list). |
| R-N10-303 | An RDS security group SHALL be created allowing inbound TCP 5432 only from the EKS/workload security group, with no egress rules (security groups are stateful, so responses do not need one). |
| R-N10-304 | Security groups SHALL follow least privilege: no `0.0.0.0/0` inbound except TCP 443 on the ALB group, no all-traffic egress rules, and security-group references rather than CIDR ranges for all intra-VPC traffic. |
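The four security groups and their rules, as an added example (not the project's own code). It assumes `var.vpc_id`, `var.vpc_cidr` and `var.app_port` (the container port the ALB target group forwards to) as layer inputs, and uses the provider's stand-alone `aws_vpc_security_group_ingress_rule` / `aws_vpc_security_group_egress_rule` resources so that every rule is a separately reviewable object rather than an inline block.

```hcl
# Added example, not the project's own code. var.vpc_id, var.vpc_cidr and
# var.app_port are assumed layer inputs.
variable "vpc_id"   { type = string }
variable "vpc_cidr" { type = string }
variable "app_port" {
  type    = number
  default = 3000 # assumed Wiki.js container port
}

# Groups are declared without inline rules: Terraform then revokes AWS's default
# allow-all egress, and every rule below is an explicit resource.
resource "aws_security_group" "this" {
  for_each = {
    alb      = "Internet-facing ALB: HTTPS in, app port out"
    workload = "EKS nodes/pods: app port from ALB; egress to RDS, endpoints, NAT"
    rds      = "RDS PostgreSQL: 5432 from workload only"
    endpoint = "Interface VPC endpoints: 443 from workload only"
  }
  name        = "wikijs-${each.key}"
  description = each.value
  vpc_id      = var.vpc_id
  tags        = { Name = "wikijs-${each.key}" }
}

locals {
  sg = { for k, g in aws_security_group.this : k => g.id }

  # Ingress: one rule per (target group, source). Sources are other groups,
  # never CIDRs, except the public HTTPS listener on the ALB.
  ingress = {
    alb_https_public       = { to = "alb",      from = null,       cidr = "0.0.0.0/0", port = 443 }
    workload_from_alb      = { to = "workload", from = "alb",      cidr = null,        port = var.app_port }
    rds_from_workload      = { to = "rds",      from = "workload", cidr = null,        port = 5432 }
    endpoint_from_workload = { to = "endpoint", from = "workload", cidr = null,        port = 443 }
  }

  # Egress: the ALB reaches only the app port; the workload group reaches only
  # RDS, the endpoints, DNS and HTTPS via NAT. RDS and endpoint groups need none.
  egress = {
    alb_to_workload    = { from = "alb",      to = "workload", cidr = null,         proto = "tcp", port = var.app_port }
    workload_to_rds    = { from = "workload", to = "rds",      cidr = null,         proto = "tcp", port = 5432 }
    workload_to_vpce   = { from = "workload", to = "endpoint", cidr = null,         proto = "tcp", port = 443 }
    workload_dns_udp   = { from = "workload", to = null,       cidr = var.vpc_cidr, proto = "udp", port = 53 }
    workload_dns_tcp   = { from = "workload", to = null,       cidr = var.vpc_cidr, proto = "tcp", port = 53 }
    workload_https_nat = { from = "workload", to = null,       cidr = "0.0.0.0/0",  proto = "tcp", port = 443 }
  }
}

resource "aws_vpc_security_group_ingress_rule" "this" {
  for_each                     = local.ingress
  security_group_id            = local.sg[each.value.to]
  referenced_security_group_id = each.value.from == null ? null : local.sg[each.value.from]
  cidr_ipv4                    = each.value.cidr
  ip_protocol                  = "tcp"
  from_port                    = each.value.port
  to_port                      = each.value.port
  tags                         = { Name = each.key }
}

# Node-to-node traffic inside the workload group (CoreDNS, pod-to-pod across
# nodes, kubelet health checks) needs a self-referencing rule in both directions.
resource "aws_vpc_security_group_ingress_rule" "workload_self" {
  security_group_id            = local.sg["workload"]
  referenced_security_group_id = local.sg["workload"]
  ip_protocol                  = "-1"
}
resource "aws_vpc_security_group_egress_rule" "workload_self" {
  security_group_id            = local.sg["workload"]
  referenced_security_group_id = local.sg["workload"]
  ip_protocol                  = "-1"
}

resource "aws_vpc_security_group_egress_rule" "this" {
  for_each                     = local.egress
  security_group_id            = local.sg[each.value.from]
  referenced_security_group_id = each.value.to == null ? null : local.sg[each.value.to]
  cidr_ipv4                    = each.value.cidr
  ip_protocol                  = each.value.proto
  from_port                    = each.value.port
  to_port                      = each.value.port
  tags                         = { Name = each.key }
}
```

Attaching the workload group to Auto Mode nodes is layer 20's job (the NodeClass `securityGroupSelectorTerms`); EKS adds its own cluster security group for control-plane traffic, so nothing here needs to open the Kubernetes API ports. The example covers IPv4 only; a dual-stack VPC would need matching `cidr_ipv6` rules for the two Internet-facing entries.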

## 5. Parameter Store Outputs

| ID | Requirement |
| ---- | ------------- |
| R-N10-401 | The layer SHALL publish to Parameter Store under `wikijs/<region>/<env>/10-network/`: at least VPC ID, subnet IDs (e.g. as JSON or separate keys for public, private, db), and security group IDs. |
| R-N10-402 | Published keys SHALL be sufficient for layers 20 (EKS), 30 (RDS), 35 (S3/IRSA optional), 40, 45, and 50 to reference network resources. |
| R-N10-403 | The layer SHALL publish only under its own prefix. |

## 6. Destroy Behavior

| ID | Requirement |
| ---- | ------------- |
| R-N10-501 | On `terraform destroy`, the layer SHALL remove VPC, subnets, routing, endpoints, and security groups in an order that respects dependencies (e.g. no references from EKS or RDS). |
| R-N10-502 | The layer SHALL delete its own Parameter Store prefix after successful destroy. |
| R-N10-503 | A provision workflow and a destroy workflow SHALL exist; destroy SHALL run after 20-eks, 30-data-rds, 35-storage-s3-assets, 40-platform, 45-argocd, and 50-app-wikijs. |

## 7. Implementation Notes

- **Workflow files:** Use `.yaml` extension (e.g. `tf-10-network-provision.yaml`, `tf-10-network-destroy.yaml`).
- **Parameter Store (writes):** Under `wikijs/<region>/<env>/10-network/`: `vpc_id`, `public_subnet_ids`, `private_subnet_ids`, `database_subnet_ids` (JSON arrays), `alb_sg_id`, `workload_sg_id`, `rds_sg_id`, `endpoint_sg_id`.
- **Single-account:** This layer runs entirely in the deployment account; no cross-account provider or role assumption.
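Publishing the section 5 contract under the section 7 key names, as an added example (not the project's own code). It assumes `var.region` and `var.env` as layer inputs, assumes `aws_vpc.this`, per-tier `aws_subnet.public` / `aws_subnet.private` / `aws_subnet.database` resources and four `aws_security_group` resources exist elsewhere in the layer, and assumes the bootstrap contract's prefix is written as a fully qualified name with a leading slash.

```hcl
# Added example, not the project's own code. var.region and var.env are assumed
# layer inputs; the VPC, subnet and security group resources referenced below are
# assumed to be defined elsewhere in this layer.
data "aws_caller_identity" "current" {}

locals {
  ssm_prefix = "/wikijs/${var.region}/${var.env}/10-network" # leading slash assumed

  # Everything this layer publishes, keyed by the contract names in section 7.
  # ID lists are JSON-encoded so a consumer gets a list back with jsondecode().
  published = {
    vpc_id              = aws_vpc.this.id
    public_subnet_ids   = jsonencode([for s in aws_subnet.public : s.id])
    private_subnet_ids  = jsonencode([for s in aws_subnet.private : s.id])
    database_subnet_ids = jsonencode([for s in aws_subnet.database : s.id])
    alb_sg_id           = aws_security_group.alb.id
    workload_sg_id      = aws_security_group.workload.id
    rds_sg_id           = aws_security_group.rds.id
    endpoint_sg_id      = aws_security_group.endpoint.id
  }
}

# One parameter per key under the layer's own prefix. Because the parameters are
# resources of this layer, terraform destroy removes the prefix with everything else.
resource "aws_ssm_parameter" "published" {
  for_each = local.published
  name     = "${local.ssm_prefix}/${each.key}"
  type     = "String"
  value    = each.value
  tags     = { layer = "10-network" }
}

# Policy for the role that applies this layer: it can write and delete only under
# its own prefix (R-N10-403) and read the wikijs tree it depends on.
data "aws_iam_policy_document" "ssm_scope" {
  statement {
    sid = "WriteOwnPrefixOnly"
    actions = [
      "ssm:PutParameter", "ssm:DeleteParameter",
      "ssm:AddTagsToResource", "ssm:RemoveTagsFromResource", "ssm:ListTagsForResource",
    ]
    resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter${local.ssm_prefix}/*"]
  }
  statement {
    sid       = "ReadContractTree"
    actions   = ["ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath"]
    resources = ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/wikijs/${var.region}/${var.env}/*"]
  }
}
```

A consumer such as layer 20 reads a list back with `jsondecode(data.aws_ssm_parameter.private_subnet_ids.value)`. The provider may also call `ssm:DescribeParameters` while managing parameters, and that action only accepts `*` as its resource, so the real role policy needs one more unscoped statement for it; the write scope above is what actually enforces R-N10-403.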
