VED-26: Attach Lambda functions and ECS tasks to private subnets only.

Author: mfjarvis

terraform/.terraform.lock.hcl

@@ -334,7 +334,7 @@ resource "aws_pipes_pipe" "fifo_pipe" {
       launch_type         = "FARGATE"
       network_configuration {
         aws_vpc_configuration {
-          subnets          = data.aws_subnets.default.ids
+          subnets          = local.private_subnet_ids
           assign_public_ip = "ENABLED"
         }
       }

terraform/ecs_batch_processor_config.tf

@@ -66,7 +66,7 @@ module "imms_event_endpoint_lambdas" {
   image_uri              = module.docker_image.image_uri
   policy_json            = data.aws_iam_policy_document.imms_policy_document.json
   environments           = local.imms_lambda_env_vars
-  vpc_subnet_ids         = data.aws_subnets.default.ids
+  vpc_subnet_ids         = local.private_subnet_ids
   vpc_security_group_ids = [data.aws_security_group.existing_securitygroup.id]
 }
 

terraform/endpoints.tf

@@ -276,7 +276,7 @@ resource "aws_lambda_function" "file_processor_lambda" {
   timeout       = 360
 
   vpc_config {
-    subnet_ids         = data.aws_subnets.default.ids
+    subnet_ids         = local.private_subnet_ids
     security_group_ids = [data.aws_security_group.existing_securitygroup.id]
   }
 

terraform/file_name_processor.tf

@@ -224,7 +224,7 @@ resource "aws_lambda_function" "redis_sync_lambda" {
   timeout       = 360
 
   vpc_config {
-    subnet_ids         = data.aws_subnets.default.ids
+    subnet_ids         = local.private_subnet_ids
     security_group_ids = [data.aws_security_group.existing_securitygroup.id]
   }
 

terraform/redis_sync_lambda.tf

@@ -31,19 +31,37 @@ locals {
   create_config_bucket = local.environment == local.config_bucket_env
   config_bucket_arn    = local.create_config_bucket ? aws_s3_bucket.batch_config_bucket[0].arn : data.aws_s3_bucket.existing_config_bucket[0].arn
   config_bucket_name   = local.create_config_bucket ? aws_s3_bucket.batch_config_bucket[0].bucket : data.aws_s3_bucket.existing_config_bucket[0].bucket
+
+  # Public subnet - The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
+  # public_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.gateway_id) > 0]
+  # Private subnet - The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.
+  private_subnet_ids = [for k, v in data.aws_route.internet_traffic_route_by_subnet : k if length(v.nat_gateway_id) > 0]
 }
 
 data "aws_vpc" "default" {
   default = true
 }
 
-data "aws_subnets" "default" {
+data "aws_subnets" "all" {
   filter {
     name   = "vpc-id"
     values = [data.aws_vpc.default.id]
   }
 }
 
+data "aws_route_table" "route_table_by_subnet" {
+  for_each = toset(data.aws_subnets.all.ids)
+
+  subnet_id = each.value
+}
+
+data "aws_route" "internet_traffic_route_by_subnet" {
+  for_each = data.aws_route_table.route_table_by_subnet
+
+  route_table_id         = each.value.id
+  destination_cidr_block = "0.0.0.0/0"
+}
+
 data "aws_kms_key" "existing_s3_encryption_key" {
   key_id = "alias/imms-batch-s3-shared-key"
 }