VED-26: Add private subnets for connectivity to PDS.

Author: mfjarvis

infra/.terraform.lock.hcl

@@ -44,7 +44,7 @@ resource "aws_vpc_endpoint" "sqs_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.sqs"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -74,7 +74,7 @@ resource "aws_vpc_endpoint" "s3_endpoint" {
   vpc_id       = aws_vpc.default.id
   service_name = "com.amazonaws.${var.aws_region}.s3"
 
-  route_table_ids = [aws_route_table.default.id]
+  route_table_ids = [aws_route_table.private.id]
 
   policy = jsonencode({
     Version = "2012-10-17",
@@ -105,7 +105,7 @@ resource "aws_vpc_endpoint" "kinesis_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kinesis-firehose"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -135,7 +135,7 @@ resource "aws_vpc_endpoint" "dynamodb" {
   vpc_id       = aws_vpc.default.id
   service_name = "com.amazonaws.${var.aws_region}.dynamodb"
 
-  route_table_ids = [aws_route_table.default.id]
+  route_table_ids = [aws_route_table.private.id]
 
   tags = {
     Name = "immunisation-dynamo-endpoint"
@@ -147,7 +147,7 @@ resource "aws_vpc_endpoint" "ecr_api" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.api"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -160,7 +160,7 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
   service_name      = "com.amazonaws.${var.aws_region}.ecr.dkr"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -173,7 +173,7 @@ resource "aws_vpc_endpoint" "cloud_watch" {
   service_name      = "com.amazonaws.${var.aws_region}.logs"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {
@@ -187,7 +187,7 @@ resource "aws_vpc_endpoint" "kinesis_stream_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kinesis-streams"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -225,7 +225,7 @@ resource "aws_vpc_endpoint" "kms_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.kms"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
 
@@ -265,7 +265,7 @@ resource "aws_vpc_endpoint" "lambda_endpoint" {
   service_name      = "com.amazonaws.${var.aws_region}.lambda"
   vpc_endpoint_type = "Interface"
 
-  subnet_ids          = values(aws_subnet.default_subnets)[*].id
+  subnet_ids          = values(aws_subnet.private)[*].id
   security_group_ids  = [aws_security_group.lambda_redis_sg.id]
   private_dns_enabled = true
   tags = {

infra/endpoints.tf

@@ -2,8 +2,8 @@ module "mesh" {
   source                      = "git::https://github.com/nhsdigital/terraform-aws-mesh-client.git//module?ref=v2.1.5"
   name_prefix                 = "local-immunisation"
   mesh_env                    = "integration"
-  subnet_ids                  = aws_subnets.default.ids
-  mailbox_ids                 = ["X26OT303"] #TBC 
+  subnet_ids                  = values(aws_subnet.private)[*].id
+  mailbox_ids                 = ["X26OT303"] #TBC
   verify_ssl                  = "true"
   get_message_max_concurrency = 10
   compress_threshold          = 1 * 1024 * 1024

infra/mesh.tf

@@ -1,5 +1,5 @@
 locals {
-  subnet_config = [
+  public_subnet_config = [
     {
       cidr_block        = "172.31.16.0/20"
       availability_zone = "eu-west-2a"
@@ -13,6 +13,20 @@ locals {
       availability_zone = "eu-west-2c"
     }
   ]
+  private_subnet_config = [
+    {
+      cidr_block        = "172.31.48.0/20"
+      availability_zone = "eu-west-2a"
+    },
+    {
+      cidr_block        = "172.31.64.0/20"
+      availability_zone = "eu-west-2b"
+    },
+    {
+      cidr_block        = "172.31.80.0/20"
+      availability_zone = "eu-west-2c"
+    }
+  ]
   environment = var.environment == "non-prod" ? "dev" : var.environment
 }
 
@@ -25,8 +39,9 @@ resource "aws_vpc" "default" {
   }
 }
 
-resource "aws_subnet" "default_subnets" {
-  for_each                = { for idx, subnet in local.subnet_config : idx => subnet }
+resource "aws_subnet" "public" {
+  for_each                = { for idx, subnet in local.public_subnet_config : idx => subnet }
+
   vpc_id                  = aws_vpc.default.id
   cidr_block              = each.value.cidr_block
   availability_zone       = each.value.availability_zone
@@ -40,26 +55,65 @@ resource "aws_internet_gateway" "default" {
   }
 }
 
-resource "aws_route_table" "default" {
+resource "aws_route_table" "public" {
   vpc_id = aws_vpc.default.id
   tags = {
-    Name = "imms-${local.environment}-fhir-api-rtb"
+    Name = "imms-${local.environment}-fhir-api-public-rtb"
   }
 }
 
-resource "aws_route_table_association" "subnet_associations" {
-  for_each       = aws_subnet.default_subnets
+resource "aws_route_table_association" "public_subnets" {
+  for_each       = aws_subnet.public
+
   subnet_id      = each.value.id
-  route_table_id = aws_route_table.default.id
+  route_table_id = aws_route_table.public.id
 }
 
-
-resource "aws_route" "igw_route" {
-  route_table_id         = aws_route_table.default.id
-  destination_cidr_block = "0.0.0.0/16"
+resource "aws_route" "igw" {
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = "0.0.0.0/0"
   gateway_id             = aws_internet_gateway.default.id
 }
 
+resource "aws_subnet" "private" {
+  for_each                = { for idx, subnet in local.private_subnet_config : idx => subnet }
+
+  vpc_id                  = aws_vpc.default.id
+  cidr_block              = each.value.cidr_block
+  availability_zone       = each.value.availability_zone
+}
+
+resource "aws_eip" "nat" {
+    domain = "vpc"
+
+    depends_on = [aws_internet_gateway.default]
+}
+
+resource "aws_nat_gateway" "default" {
+    allocation_id = aws_eip.nat.id
+    subnet_id = aws_subnet.public[0].id
+}
+
+resource "aws_route_table" "private" {
+  vpc_id = aws_vpc.default.id
+  tags = {
+    Name = "imms-${local.environment}-fhir-api-private-rtb"
+  }
+}
+
+resource "aws_route_table_association" "private_subnets" {
+  for_each       = aws_subnet.private
+
+  subnet_id      = each.value.id
+  route_table_id = aws_route_table.private.id
+}
+
+resource "aws_route" "nat" {
+  route_table_id         = aws_route_table.private.id
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id = aws_nat_gateway.default.id
+}
+
 resource "aws_route53_zone" "parent_hosted_zone" {
   name = var.parent_route53_zone_name
 }

infra/networking.tf

@@ -12,5 +12,5 @@ resource "aws_elasticache_cluster" "redis_cluster" {
 # Subnet Group for Redis
 resource "aws_elasticache_subnet_group" "redis_subnet_group" {
   name       = "immunisation-redis-subnet-group"
-  subnet_ids = values(aws_subnet.default_subnets)[*].id
+  subnet_ids = values(aws_subnet.private)[*].id
 }