Merge pull request #108 from NHSDigital/feature/eja-eli-240-remove-internet-gateway

eddalmond1 · web-flow · commit 377c8a4b89de · 2025-05-30T09:10:52.000+01:00
eli-240 removing internet gateway and associated public subnets
diff --git a/infrastructure/stacks/networking/README.md b/infrastructure/stacks/networking/README.md
@@ -40,16 +40,14 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Public HTTPS Request Flow
 
-1. External client makes HTTPS request → Internet Gateway
-2. Request routes to Load Balancer or API Gateway in public subnet
-3. Request forwards to Lambda (or other application) in private subnet
-4. Lambda processes the request and returns response
-5. Response returns to client through the same path
+1. External client makes HTTPS request to API Gateway
+2. Request forwards to Lambda (or other application) in private subnet
+3. Lambda processes the request and returns response
+4. Response returns to client through the same path
 
 ### Outbound Internet Access
 
-- Lambda functions in private subnets can make outbound internet calls via NAT Gateways
-- No direct inbound access to Lambda from the internet
+- No direct inbound or outbound access to Lambda from the internet
 
 ### Internal-Only Traffic
 
@@ -64,7 +62,6 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Network ACLs
 
-- **Public subnets:** Allow HTTP (80), HTTPS (443), ephemeral ports
 - **Private subnets:** Allow VPC traffic and responses to outbound requests
 
 ### Security Groups
@@ -74,8 +71,7 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 
 ### Route Tables
 
-- **Public subnets:** Route to Internet Gateway for external access
-- **Private subnets:** Route to NAT Gateways for outbound-only access
+- **Private subnets:** Route to VPC Endpoints only
 
 ---
 
diff --git a/infrastructure/stacks/networking/acm_certificates.tf b/infrastructure/stacks/networking/acm_certificates.tf
@@ -28,8 +28,8 @@ resource "aws_acm_certificate" "domain_validation" {
   }
 
   tags = {
-    Region        = local.region
-    Stack         = local.stack_name
-    CerticateType = "DomainValidation"
+    Region          = local.region
+    Stack           = local.stack_name
+    CertificateType = "DomainValidation"
   }
 }
diff --git a/infrastructure/stacks/networking/internet_gateway.tf b/infrastructure/stacks/networking/internet_gateway.tf
diff --git a/infrastructure/stacks/networking/locals.tf b/infrastructure/stacks/networking/locals.tf
@@ -1,9 +1,6 @@
 locals {
   any_ip_cidr           = "0.0.0.0/0"
   vpc_cidr_block        = "10.0.0.0/16"
-  public_subnet_1_cidr  = "10.0.3.0/24"
-  public_subnet_2_cidr  = "10.0.4.0/24"
-  public_subnet_3_cidr  = "10.0.5.0/24"
   private_subnet_1_cidr = "10.0.6.0/24"
   private_subnet_2_cidr = "10.0.7.0/24"
   private_subnet_3_cidr = "10.0.8.0/24"
diff --git a/infrastructure/stacks/networking/network_acls.tf b/infrastructure/stacks/networking/network_acls.tf
@@ -42,68 +42,3 @@ resource "aws_network_acl" "private" {
     Stack = local.stack_name
   }
 }
-
-# Network ACL for Public Subnets
-resource "aws_network_acl" "public" {
-  vpc_id = aws_vpc.main.id
-  subnet_ids = [
-    aws_subnet.public_1.id,
-    aws_subnet.public_2.id,
-    aws_subnet.public_3.id
-  ]
-
-  # Allow all outbound traffic from public subnets
-  egress {
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = -1
-    from_port  = 0
-    to_port    = 0
-  }
-
-  # Allow inbound HTTP
-  ingress {
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 80
-    to_port    = 80
-  }
-
-  # Allow inbound HTTPS
-  ingress {
-    rule_no    = 110
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 443
-    to_port    = 443
-  }
-
-  # Allow responses to outbound requests (ephemeral ports)
-  ingress {
-    rule_no    = 120
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    protocol   = "tcp"
-    from_port  = 1024
-    to_port    = 65535
-  }
-
-  # Allow inbound VPC traffic
-  ingress {
-    rule_no    = 130
-    action     = "allow"
-    cidr_block = local.vpc_cidr_block
-    protocol   = -1
-    from_port  = 0
-    to_port    = 0
-  }
-
-  tags = {
-    Name  = "public-nacl",
-    Stack = local.stack_name
-  }
-}
diff --git a/infrastructure/stacks/networking/route_tables.tf b/infrastructure/stacks/networking/route_tables.tf
@@ -1,44 +1,3 @@
-# Public Route Tables
-resource "aws_route_table" "public_1" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-1",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_route_table" "public_2" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-2",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_route_table" "public_3" {
-  vpc_id = aws_vpc.main.id
-  tags = {
-    Name  = "public-route-3",
-    Stack = local.stack_name
-  }
-}
-
-# Associate Public Route Tables with Public Subnets
-resource "aws_route_table_association" "public_1" {
-  subnet_id      = aws_subnet.public_1.id
-  route_table_id = aws_route_table.public_1.id
-}
-
-resource "aws_route_table_association" "public_2" {
-  subnet_id      = aws_subnet.public_2.id
-  route_table_id = aws_route_table.public_2.id
-}
-
-resource "aws_route_table_association" "public_3" {
-  subnet_id      = aws_subnet.public_3.id
-  route_table_id = aws_route_table.public_3.id
-}
-
 # Private Route Tables
 resource "aws_route_table" "private_1" {
   vpc_id = aws_vpc.main.id
@@ -79,22 +38,3 @@ resource "aws_route_table_association" "private_association_3" {
   subnet_id      = aws_subnet.private_3.id
   route_table_id = aws_route_table.private_3.id
 }
-
-# Egress Internet Access
-resource "aws_route" "public_internet_access" {
-  route_table_id         = aws_route_table.public_1.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_2" {
-  route_table_id         = aws_route_table.public_2.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_3" {
-  route_table_id         = aws_route_table.public_3.id
-  destination_cidr_block = local.any_ip_cidr
-  gateway_id             = aws_internet_gateway.vpc_external_access.id
-}
diff --git a/infrastructure/stacks/networking/subnets.tf b/infrastructure/stacks/networking/subnets.tf
@@ -1,37 +1,3 @@
-# Public Subnets
-resource "aws_subnet" "public_1" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_1_cidr
-  availability_zone       = local.availability_zone_1
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-1",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_subnet" "public_2" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_2_cidr
-  availability_zone       = local.availability_zone_2
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-2",
-    Stack = local.stack_name
-  }
-}
-
-resource "aws_subnet" "public_3" {
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = local.public_subnet_3_cidr
-  availability_zone       = local.availability_zone_3
-  map_public_ip_on_launch = false
-  tags = {
-    Name  = "public-subnet-3",
-    Stack = local.stack_name
-  }
-}
-
 # Private Subnets
 resource "aws_subnet" "private_1" {
   vpc_id            = aws_vpc.main.id

Original file line number	Diff line number	Diff line change
`@@ -28,8 +28,8 @@ resource "aws_acm_certificate" "domain_validation" {`
`28`	`28`	`}`
`29`	`29`
`30`	`30`	`tags = {`
`31`		`- Region = local.region`
`32`		`- Stack = local.stack_name`
`33`		`- CerticateType = "DomainValidation"`
	`31`	`+ Region = local.region`
	`32`	`+ Stack = local.stack_name`
	`33`	`+ CertificateType = "DomainValidation"`
`34`	`34`	`}`
`35`	`35`	`}`