IaC Bazaar
Tencent Cloud · Static-verified

Tencent Cloud VPC Foundation

VPC with subnets, route tables, NAT, and security groups across AZs.

terraform · Alt & Specialty Clouds · #tencentcloud

tencent-vpc-foundation · terraform v1.7

Verification

Static-verified

Passed: validated and lint-clean (provider-schema-validated for AWS/Azure/GCP; Terraform-language lint elsewhere).

Conformance

  • Static validation (fmt · validate · tflint)
  • Security scan clean (Checkov)
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

tencent-vpc-foundation

A production-ready Tencent Cloud network foundation: a multi-AZ VPC with subnets, a standard NAT gateway (EIP + per-subnet SNAT and a default route for outbound-only internet egress), and a least-privilege base security group. Subnets opt in to internet egress one at a time; everything else stays private with no public addressing.

Status: static-validated, live-test pending. Validated with tofu validate + tflint + checkov against the tencentcloudstack/tencentcloud provider. Not yet applied against a live Tencent Cloud account (no sandbox subscription), so it ships under live-test quarantine.

Design & secure defaults

  • No inbound exposure by default. The base security group denies all inbound traffic until you declare ingress_rules; egress is allowed and (optionally) intra-VPC traffic is permitted via allow_intra_security_group.
  • Outbound-only egress. Only subnets with nat = true get a default route to the NAT gateway and a matching SNAT entry. There is no internet gateway and no public IP on any instance, so workloads are never directly addressable.
  • Two route tables, explicit isolation. Private subnets attach to a route table with only the implicit local route (no 0.0.0.0/0); NAT subnets attach to a separate table whose default route points at the NAT gateway.
  • Standard (v2) NAT gateway by default, with a traffic-billed EIP. Standard NAT fixes the gateway's own bandwidth and concurrency, so under it nat_bandwidth_mbps acts only as a ceiling on the EIP's egress. nat_bandwidth_mbps and nat_max_concurrent size the gateway itself only when you opt into traditional NAT (nat_product_version = 1). Tencent accepts only fixed tiers, which the variables validate.
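
One way to check the two-route-table isolation described above after an apply. This is an added example, not the module's own code: it reads state in the `terraform show -json` layout and assumes the module creates tencentcloud_subnet and tencentcloud_route_table_entry resources; the sample state, IDs and the audit_egress helper are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json` state output.
# Resource names, IDs and CIDRs are made up for illustration.
SAMPLE_STATE = json.loads("""
{"values": {"root_module": {"child_modules": [{"resources": [
 {"type": "tencentcloud_route_table_entry", "name": "nat_default",
  "values": {"route_table_id": "rtb-nat", "destination_cidr_block": "0.0.0.0/0",
             "next_type": "NAT", "next_hub": "nat-example"}},
 {"type": "tencentcloud_subnet", "name": "app",
  "values": {"name": "app", "cidr_block": "10.0.1.0/24", "route_table_id": "rtb-nat"}},
 {"type": "tencentcloud_subnet", "name": "db",
  "values": {"name": "db", "cidr_block": "10.0.2.0/24", "route_table_id": "rtb-private"}}
]}]}}}
""")

def walk(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)

def audit_egress(state, nat_subnets):
    """Return findings where routing disagrees with the intended nat = true set."""
    resources = list(walk(state["values"]["root_module"]))
    default_routes = {}  # route_table_id -> next_type of its 0.0.0.0/0 entry
    findings = []
    for r in resources:
        v = r["values"]
        if (r["type"] == "tencentcloud_route_table_entry"
                and v["destination_cidr_block"] == "0.0.0.0/0"):
            default_routes[v["route_table_id"]] = v["next_type"]
            if v["next_type"] != "NAT":
                findings.append(
                    f"{v['route_table_id']}: default route via {v['next_type']}, expected NAT")
    for r in resources:
        if r["type"] != "tencentcloud_subnet":
            continue
        v = r["values"]
        has_default = v["route_table_id"] in default_routes
        if has_default and v["name"] not in nat_subnets:
            findings.append(f"subnet {v['name']}: private but has a 0.0.0.0/0 route")
        if not has_default and v["name"] in nat_subnets:
            findings.append(f"subnet {v['name']}: nat = true but no default route")
    return findings

if __name__ == "__main__":
    print(audit_egress(SAMPLE_STATE, nat_subnets={"app"}) or "isolation holds")
```

Pass the set of subnet names you declared with nat = true; any subnet outside that set that can reach a default route is reported.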

Provider

tencentcloudstack/tencentcloud >= 1.81.0, < 2.0. Requires Terraform/OpenTofu >= 1.6.

License

Commercial — LicenseRef-IaCBazaar-Commercial. See the IaC Bazaar terms.

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.