VED-26: Add private subnets for connectivity to PDS. (#644)

* VED-26: Add private subnets for connectivity to PDS.

* VED-26: Add more tags. TF init.

* VED-26: Name subnets. Don't map public IPs to avoid hitting account limits.

Author: mfjarvis

infra/.terraform.lock.hcl

@@ -37,14 +37,23 @@ resource "aws_security_group" "lambda_redis_sg" {
     protocol  = "-1"
     self      = true
   }
+
+  egress {
+    description = "HTTPS outbound for PDS callout"
+    cidr_blocks = ["0.0.0.0/0"]
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    self        = false
+  }
 }
 
 resource "aws_vpc_endpoint" "sqs_endpoint" {
   vpc_id            = aws_vpc.default.id
   service_name      = "com.amazonaws.${var.aws_region}.sqs"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -74,7 +83,7 @@ resource "aws_vpc_endpoint" "s3_endpoint" {
   vpc_id       = aws_vpc.default.id
   service_name = "com.amazonaws.${var.aws_region}.s3"
 
-  route_table_ids = [aws_route_table.default.id]
+  route_table_ids = [aws_route_table.private.id]
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -105,7 +114,7 @@ resource "aws_vpc_endpoint" "kinesis_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kinesis-firehose"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -135,7 +144,7 @@ resource "aws_vpc_endpoint" "dynamodb" {
   vpc_id       = aws_vpc.default.id
   service_name = "com.amazonaws.${var.aws_region}.dynamodb"
 
-  route_table_ids = [aws_route_table.default.id]
+  route_table_ids = [aws_route_table.private.id]
 
   tags = {
     Name = "immunisation-dynamo-endpoint"
@@ -147,7 +156,7 @@ resource "aws_vpc_endpoint" "ecr_api" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.api"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -160,7 +169,7 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.dkr"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -173,7 +182,7 @@ resource "aws_vpc_endpoint" "cloud_watch" {
   service_name      = "com.amazonaws.${var.aws_region}.logs"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -187,7 +196,7 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kinesis-streams"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -220,7 +229,7 @@ resource "aws_vpc_endpoint" "kms_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kms"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -255,7 +264,7 @@ resource "aws_vpc_endpoint" "lambda_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.lambda"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {

infra/endpoints.tf

@@ -1,64 +1,139 @@
 locals {
-  subnet_config = [
+  public_subnet_config = [
     {
+      name              = "imms-${var.environment}-fhir-api-public-subnet-a"
       cidr_block        = "172.31.16.0/20"
       availability_zone = "eu-west-2a"
     },
     {
+      name              = "imms-${var.environment}-fhir-api-public-subnet-b"
       cidr_block        = "172.31.32.0/20"
       availability_zone = "eu-west-2b"
     },
     {
+      name              = "imms-${var.environment}-fhir-api-public-subnet-c"
       cidr_block        = "172.31.0.0/20"
       availability_zone = "eu-west-2c"
     }
   ]
+  private_subnet_config = [
+    {
+      name              = "imms-${var.environment}-fhir-api-private-subnet-a"
+      cidr_block        = "172.31.48.0/20"
+      availability_zone = "eu-west-2a"
+    },
+    {
+      name              = "imms-${var.environment}-fhir-api-private-subnet-b"
+      cidr_block        = "172.31.64.0/20"
+      availability_zone = "eu-west-2b"
+    },
+    {
+      name              = "imms-${var.environment}-fhir-api-private-subnet-c"
+      cidr_block        = "172.31.80.0/20"
+      availability_zone = "eu-west-2c"
+    }
+  ]
 }
 
 resource "aws_vpc" "default" {
   cidr_block           = "172.31.0.0/16"
   enable_dns_support   = true
   enable_dns_hostnames = true
+
   tags = {
     Name = "imms-${var.environment}-fhir-api-vpc"
   }
 }
 
-resource "aws_subnet" "default_subnets" {
-  for_each                = { for idx, subnet in local.subnet_config : idx => subnet }
-  vpc_id                  = aws_vpc.default.id
-  cidr_block              = each.value.cidr_block
-  availability_zone       = each.value.availability_zone
-  map_public_ip_on_launch = true
+resource "aws_subnet" "public" {
+  for_each = { for idx, subnet in local.public_subnet_config : idx => subnet }
+
+  vpc_id            = aws_vpc.default.id
+  cidr_block        = each.value.cidr_block
+  availability_zone = each.value.availability_zone
+
+  tags = {
+    Name = each.value.name
+  }
 }
 
 resource "aws_internet_gateway" "default" {
   vpc_id = aws_vpc.default.id
+
   tags = {
     Name = "imms-${var.environment}-fhir-api-igw"
   }
 }
 
-resource "aws_route_table" "default" {
+resource "aws_route_table" "public" {
   vpc_id = aws_vpc.default.id
+
   tags = {
-    Name = "imms-${var.environment}-fhir-api-rtb"
+    Name = "imms-${var.environment}-fhir-api-public-rtb"
   }
 }
 
-resource "aws_route_table_association" "subnet_associations" {
-  for_each       = aws_subnet.default_subnets
+resource "aws_route_table_association" "public_subnets" {
+  for_each = aws_subnet.public
+
   subnet_id      = each.value.id
-  route_table_id = aws_route_table.default.id
+  route_table_id = aws_route_table.public.id
 }
 
-
-resource "aws_route" "igw_route" {
-  route_table_id         = aws_route_table.default.id
-  destination_cidr_block = "0.0.0.0/16"
+resource "aws_route" "igw" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.default.id
 }
 
+resource "aws_subnet" "private" {
+  for_each = { for idx, subnet in local.private_subnet_config : idx => subnet }
+
+  vpc_id            = aws_vpc.default.id
+  cidr_block        = each.value.cidr_block
+  availability_zone = each.value.availability_zone
+
+  tags = {
+    Name = each.value.name
+  }
+}
+
+resource "aws_eip" "nat" {
+  domain = "vpc"
+
+  depends_on = [aws_internet_gateway.default]
+}
+
+resource "aws_nat_gateway" "default" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = aws_subnet.public[0].id
+
+  tags = {
+    Name = "imms-${var.environment}-fhir-api-nat"
+  }
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.default.id
+
+  tags = {
+    Name = "imms-${var.environment}-fhir-api-private-rtb"
+  }
+}
+
+resource "aws_route_table_association" "private_subnets" {
+  for_each = aws_subnet.private
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_route" "nat" {
+  route_table_id         = aws_route_table.private.id
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.default.id
+}
+
 resource "aws_route53_zone" "parent_hosted_zone" {
   name = var.parent_route53_zone_name
 }
@@ -74,3 +149,17 @@ resource "aws_route53_record" "imms_ns" {
   ttl     = 172800
   records = [for ns in aws_route53_zone.child_hosted_zone.name_servers : "${ns}."]
 }
+
+# TODO - remove once state has been updated
+moved {
+  from = aws_subnet.default_subnets
+  to   = aws_subnet.public
+}
+moved {
+  from = aws_route_table.default
+  to   = aws_route_table.public
+}
+moved {
+  from = aws_route.igw_route
+  to   = aws_route.igw
+}

infra/networking.tf

@@ -12,5 +12,5 @@ resource "aws_elasticache_cluster" "redis_cluster" {
 # Subnet Group for Redis
 resource "aws_elasticache_subnet_group" "redis_subnet_group" {
   name       = "immunisation-redis-subnet-group"
-  subnet_ids = values(aws_subnet.default_subnets)[*].id
+  subnet_ids = values(aws_subnet.private)[*].id
 }