Merge pull request #5400 from ministryofjustice/feature/extend-ap-ing…

…estion-vpc 🌐 Extend Analytical Platform Ingestion's VPC
ministryofjustice · Mar 18, 2024 · cf8a793 · cf8a793
2 parents 96f7938 + f357ec2
commit cf8a793
Show file tree

Hide file tree

Showing 9 changed files with 95 additions and 78 deletions.
diff --git a/terraform/environments/analytical-platform-ingestion/application_variables.json b/terraform/environments/analytical-platform-ingestion/application_variables.json
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf
@@ -0,0 +1,27 @@
+locals {
+  environment_configuration = local.environment_configurations[local.environment]
+  environment_configurations = {
+    development = {
+      /* VPC */
+      vpc_cidr                   = "10.0.0.0/16"
+      vpc_private_subnets        = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+      vpc_public_subnets         = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+      vpc_enable_nat_gateway     = true
+      vpc_one_nat_gateway_per_az = true
+
+      /* Observability Platform */
+      observability_platform = "development"
+    }
+    production = {
+      /* VPC */
+      vpc_cidr                   = "10.0.0.0/16"
+      vpc_private_subnets        = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+      vpc_public_subnets         = ["10.0.11.0/24", "10.0.12.0/24", "10.0.13.0/24"]
+      vpc_enable_nat_gateway     = true
+      vpc_one_nat_gateway_per_az = true
+
+      /* Observability Platform */
+      observability_platform = "production"
+    }
+  }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/locals.tf b/terraform/environments/analytical-platform-ingestion/locals.tf
diff --git a/terraform/environments/analytical-platform-ingestion/observability-platform.tf b/terraform/environments/analytical-platform-ingestion/observability-platform.tf
@@ -2,8 +2,8 @@ module "observability_platform_tenant" {
   source  = "ministryofjustice/observability-platform-tenant/aws"
   version = "1.0.0"
 
-  observability_platform_account_id = local.environment_management.account_ids["observability-platform-${local.application_data.accounts[local.environment].observability_platform}"]
+  observability_platform_account_id = local.environment_management.account_ids["observability-platform-${local.environment_configuration.observability_platform}"]
   enable_xray                       = true
 
   tags = local.tags
-}
+}
diff --git a/terraform/environments/analytical-platform-ingestion/secrets.tf b/terraform/environments/analytical-platform-ingestion/secrets.tf
diff --git a/terraform/environments/analytical-platform-ingestion/security-group-rules.tf b/terraform/environments/analytical-platform-ingestion/security-group-rules.tf
@@ -0,0 +1,9 @@
+resource "aws_security_group_rule" "vpc_endpoints_allow_all_vpc" {
+  cidr_blocks       = [module.vpc.vpc_cidr_block]
+  description       = "Allow all traffic in from VPC CIDR"
+  from_port         = 0
+  protocol          = -1
+  security_group_id = aws_security_group.vpc_endpoints.id
+  to_port           = 65535
+  type              = "ingress"
+}
diff --git a/terraform/environments/analytical-platform-ingestion/security-groups.tf b/terraform/environments/analytical-platform-ingestion/security-groups.tf
@@ -0,0 +1,6 @@
+resource "aws_security_group" "vpc_endpoints" {
+  description = "Security Group for controlling all VPC endpoint traffic"
+  name        = format("%s-vpc-endpoint-sg", local.application_name)
+  vpc_id      = module.vpc.vpc_id
+  tags        = local.tags
+}
diff --git a/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf b/terraform/environments/analytical-platform-ingestion/vpc-endpoints.tf
@@ -0,0 +1,44 @@
+module "vpc_endpoints" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.0"
+
+  vpc_id             = module.vpc.vpc_id
+  subnet_ids         = module.vpc.private_subnets
+  security_group_ids = [aws_security_group.vpc_endpoints.id]
+
+  endpoints = {
+    logs = {
+      service             = "logs"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      tags = merge(
+        local.tags,
+        { Name = format("%s-logs-vpc-endpoint", local.application_name) }
+      )
+    },
+    sts = {
+      service             = "sts"
+      service_type        = "Interface"
+      private_dns_enabled = true
+      tags = merge(
+        local.tags,
+        { Name = format("%s-sts-vpc-endpoint", local.application_name) }
+      )
+    },
+    s3 = {
+      service      = "s3"
+      service_type = "Gateway"
+      route_table_ids = flatten([
+        module.vpc.default_route_table_id,
+        module.vpc.private_route_table_ids,
+        module.vpc.public_route_table_ids
+      ])
+      tags = merge(
+        local.tags,
+        { Name = format("%s-s3-vpc-endpoint", local.application_name) }
+      )
+    }
+  }
+}
diff --git a/terraform/environments/analytical-platform-ingestion/vpc.tf b/terraform/environments/analytical-platform-ingestion/vpc.tf
@@ -4,69 +4,18 @@ module "vpc" {
   version = "~> 5.0"
 
   name            = "${local.application_name}-${local.environment}"
-  azs             = local.availability_zones
-  cidr            = local.application_data.accounts[local.environment].vpc_cidr
-  private_subnets = local.private_subnets
+  azs             = slice(data.aws_availability_zones.available.names, 0, 3)
+  cidr            = local.environment_configuration.vpc_cidr
+  public_subnets  = local.environment_configuration.vpc_public_subnets
+  private_subnets = local.environment_configuration.vpc_private_subnets
+
+  enable_nat_gateway     = local.environment_configuration.vpc_enable_nat_gateway
+  one_nat_gateway_per_az = local.environment_configuration.vpc_one_nat_gateway_per_az
 
-  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
   enable_flow_log                      = true
   create_flow_log_cloudwatch_log_group = true
   create_flow_log_cloudwatch_iam_role  = true
   flow_log_max_aggregation_interval    = 60
 
   tags = local.tags
 }
-
-module "vpc_endpoints" {
-  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "~> 5.0"
-
-  security_group_ids = [aws_security_group.vpc_endpoints.id]
-  subnet_ids         = module.vpc.private_subnets
-  vpc_id             = module.vpc.vpc_id
-
-  endpoints = {
-    logs = {
-      service      = "logs"
-      service_type = "Interface"
-      tags = merge(
-        local.tags,
-        { Name = format("%s-logs-api-vpc-endpoint", local.application_name) }
-      )
-    },
-    sts = {
-      service      = "sts"
-      service_type = "Interface"
-      tags = merge(
-        local.tags,
-        { Name = format("%s-sts-vpc-endpoint", local.application_name) }
-      )
-    },
-    s3 = {
-      service         = "s3"
-      service_type    = "Gateway"
-      route_table_ids = module.vpc.private_route_table_ids
-      tags = merge(
-        local.tags,
-        { Name = format("%s-s3-vpc-endpoint", local.application_name) }
-      )
-    }
-  }
-}
-
-resource "aws_security_group" "vpc_endpoints" {
-  description = "Security Group for controlling all VPC endpoint traffic"
-  name        = format("%s-vpc-endpoint-sg", local.application_name)
-  vpc_id      = module.vpc.vpc_id
-  tags        = local.tags
-}
-
-resource "aws_security_group_rule" "allow_all_vpc" {
-  cidr_blocks       = [module.vpc.vpc_cidr_block]
-  description       = "Allow all traffic in from VPC CIDR"
-  from_port         = 0
-  protocol          = -1
-  security_group_id = aws_security_group.vpc_endpoints.id
-  to_port           = 65535
-  type              = "ingress"
-}