diff --git a/infrastructure/stacks/networking/README.md b/infrastructure/stacks/networking/README.md
index 4bb7c715..4808576b 100644
--- a/infrastructure/stacks/networking/README.md
+++ b/infrastructure/stacks/networking/README.md
@@ -40,16 +40,14 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 ### Public HTTPS Request Flow
-1. External client makes HTTPS request → Internet Gateway
-2. Request routes to Load Balancer or API Gateway in public subnet
-3. Request forwards to Lambda (or other application) in private subnet
-4. Lambda processes the request and returns response
-5. Response returns to client through the same path
+1. External client makes HTTPS request to API Gateway
+2. Request forwards to Lambda (or other application) in private subnet
+3. Lambda processes the request and returns response
+4. Response returns to client through the same path
 ### Outbound Internet Access
-- Lambda functions in private subnets can make outbound internet calls via NAT Gateways
-- No direct inbound access to Lambda from the internet
+- No direct inbound or outbound access to Lambda from the internet
 ### Internal-Only Traffic
@@ -64,7 +62,6 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 ### Network ACLs
-- **Public subnets:** Allow HTTP (80), HTTPS (443), ephemeral ports
 - **Private subnets:** Allow VPC traffic and responses to outbound requests
 ### Security Groups
@@ -74,8 +71,7 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd-
 ### Route Tables
-- **Public subnets:** Route to Internet Gateway for external access
-- **Private subnets:** Route to NAT Gateways for outbound-only access
+- **Private subnets:** Route to VPC Endpoints only
 ---
diff --git a/infrastructure/stacks/networking/acm_certificates.tf b/infrastructure/stacks/networking/acm_certificates.tf
index ba5f9591..1232a683 100644
--- a/infrastructure/stacks/networking/acm_certificates.tf
+++ b/infrastructure/stacks/networking/acm_certificates.tf
@@ -28,8 +28,8 @@ resource "aws_acm_certificate" "domain_validation" {
 }
 tags = {
- Region = local.region
- Stack = local.stack_name
- CerticateType = "DomainValidation"
+ Region = local.region
+ Stack = local.stack_name
+ CertificateType = "DomainValidation"
 }
 }
diff --git a/infrastructure/stacks/networking/internet_gateway.tf b/infrastructure/stacks/networking/internet_gateway.tf
deleted file mode 100644
index b2445c2d..00000000
--- a/infrastructure/stacks/networking/internet_gateway.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-resource "aws_internet_gateway" "vpc_external_access" {
- vpc_id = aws_vpc.main.id
- tags = {
- Name = "internet-gateway",
- Stack = local.stack_name
- }
-}
diff --git a/infrastructure/stacks/networking/locals.tf b/infrastructure/stacks/networking/locals.tf
index e753f326..549b9b39 100644
--- a/infrastructure/stacks/networking/locals.tf
+++ b/infrastructure/stacks/networking/locals.tf
@@ -1,9 +1,6 @@
 locals {
 any_ip_cidr = "0.0.0.0/0"
 vpc_cidr_block = "10.0.0.0/16"
- public_subnet_1_cidr = "10.0.3.0/24"
- public_subnet_2_cidr = "10.0.4.0/24"
- public_subnet_3_cidr = "10.0.5.0/24"
 private_subnet_1_cidr = "10.0.6.0/24"
 private_subnet_2_cidr = "10.0.7.0/24"
 private_subnet_3_cidr = "10.0.8.0/24"
diff --git a/infrastructure/stacks/networking/network_acls.tf b/infrastructure/stacks/networking/network_acls.tf
index 7a9ca84d..1aa589ac 100644
--- a/infrastructure/stacks/networking/network_acls.tf
+++ b/infrastructure/stacks/networking/network_acls.tf
@@ -42,68 +42,3 @@ resource "aws_network_acl" "private" {
 Stack = local.stack_name
 }
 }
-
-# Network ACL for Public Subnets
-resource "aws_network_acl" "public" {
- vpc_id = aws_vpc.main.id
- subnet_ids = [
- aws_subnet.public_1.id,
- aws_subnet.public_2.id,
- aws_subnet.public_3.id
- ]
-
- # Allow all outbound traffic from public subnets
- egress {
- rule_no = 100
- action = "allow"
- cidr_block = "0.0.0.0/0"
- protocol = -1
- from_port = 0
- to_port = 0
- }
-
- # Allow inbound HTTP
- ingress {
- rule_no = 100
- action = "allow"
- cidr_block = "0.0.0.0/0"
- protocol = "tcp"
- from_port = 80
- to_port = 80
- }
-
- # Allow inbound HTTPS
- ingress {
- rule_no = 110
- action = "allow"
- cidr_block = "0.0.0.0/0"
- protocol = "tcp"
- from_port = 443
- to_port = 443
- }
-
- # Allow responses to outbound requests (ephemeral ports)
- ingress {
- rule_no = 120
- action = "allow"
- cidr_block = "0.0.0.0/0"
- protocol = "tcp"
- from_port = 1024
- to_port = 65535
- }
-
- # Allow inbound VPC traffic
- ingress {
- rule_no = 130
- action = "allow"
- cidr_block = local.vpc_cidr_block
- protocol = -1
- from_port = 0
- to_port = 0
- }
-
- tags = {
- Name = "public-nacl",
- Stack = local.stack_name
- }
-}
diff --git a/infrastructure/stacks/networking/route_tables.tf b/infrastructure/stacks/networking/route_tables.tf
index 44fa0619..dfb24b86 100644
--- a/infrastructure/stacks/networking/route_tables.tf
+++ b/infrastructure/stacks/networking/route_tables.tf
@@ -1,44 +1,3 @@
-# Public Route Tables
-resource "aws_route_table" "public_1" {
- vpc_id = aws_vpc.main.id
- tags = {
- Name = "public-route-1",
- Stack = local.stack_name
- }
-}
-
-resource "aws_route_table" "public_2" {
- vpc_id = aws_vpc.main.id
- tags = {
- Name = "public-route-2",
- Stack = local.stack_name
- }
-}
-
-resource "aws_route_table" "public_3" {
- vpc_id = aws_vpc.main.id
- tags = {
- Name = "public-route-3",
- Stack = local.stack_name
- }
-}
-
-# Associate Public Route Tables with Public Subnets
-resource "aws_route_table_association" "public_1" {
- subnet_id = aws_subnet.public_1.id
- route_table_id = aws_route_table.public_1.id
-}
-
-resource "aws_route_table_association" "public_2" {
- subnet_id = aws_subnet.public_2.id
- route_table_id = aws_route_table.public_2.id
-}
-
-resource "aws_route_table_association" "public_3" {
- subnet_id = aws_subnet.public_3.id
- route_table_id = aws_route_table.public_3.id
-}
-
 # Private Route Tables
 resource "aws_route_table" "private_1" {
 vpc_id = aws_vpc.main.id
@@ -79,22 +38,3 @@ resource "aws_route_table_association" "private_association_3" {
 subnet_id = aws_subnet.private_3.id
 route_table_id = aws_route_table.private_3.id
 }
-
-# Egress Internet Access
-resource "aws_route" "public_internet_access" {
- route_table_id = aws_route_table.public_1.id
- destination_cidr_block = local.any_ip_cidr
- gateway_id = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_2" {
- route_table_id = aws_route_table.public_2.id
- destination_cidr_block = local.any_ip_cidr
- gateway_id = aws_internet_gateway.vpc_external_access.id
-}
-
-resource "aws_route" "public_internet_access_3" {
- route_table_id = aws_route_table.public_3.id
- destination_cidr_block = local.any_ip_cidr
- gateway_id = aws_internet_gateway.vpc_external_access.id
-}
diff --git a/infrastructure/stacks/networking/subnets.tf b/infrastructure/stacks/networking/subnets.tf
index 9f74dae3..e4173d72 100644
--- a/infrastructure/stacks/networking/subnets.tf
+++ b/infrastructure/stacks/networking/subnets.tf
@@ -1,37 +1,3 @@
-# Public Subnets
-resource "aws_subnet" "public_1" {
- vpc_id = aws_vpc.main.id
- cidr_block = local.public_subnet_1_cidr
- availability_zone = local.availability_zone_1
- map_public_ip_on_launch = false
- tags = {
- Name = "public-subnet-1",
- Stack = local.stack_name
- }
-}
-
-resource "aws_subnet" "public_2" {
- vpc_id = aws_vpc.main.id
- cidr_block = local.public_subnet_2_cidr
- availability_zone = local.availability_zone_2
- map_public_ip_on_launch = false
- tags = {
- Name = "public-subnet-2",
- Stack = local.stack_name
- }
-}
-
-resource "aws_subnet" "public_3" {
- vpc_id = aws_vpc.main.id
- cidr_block = local.public_subnet_3_cidr
- availability_zone = local.availability_zone_3
- map_public_ip_on_launch = false
- tags = {
- Name = "public-subnet-3",
- Stack = local.stack_name
- }
-}
-
 # Private Subnets
 resource "aws_subnet" "private_1" {
 vpc_id = aws_vpc.main.id