Refactor virus scanner configuration for improved clarity and maintainability

MatthewMoore-NHS · MatthewMoore-NHS · commit f9166788a002 · 2025-06-12T10:50:24.000+01:00
diff --git a/infrastructure/virusscanner.tf b/infrastructure/virusscanner.tf
@@ -11,7 +11,7 @@ data "aws_ssm_parameter" "virus_scanning_subnet_cidr_range" {
   name = "/prs/virus-scanner/subnet-cidr-range"
 }
 
-resource "aws_subnet" "virus_scanning_subnet1" {
+resource "aws_subnet" "virus_scanning_a" {
   count = local.is_production ? 1 : 0
 
   availability_zone = "eu-west-2a"
@@ -25,7 +25,7 @@ resource "aws_subnet" "virus_scanning_subnet1" {
   }
 }
 
-resource "aws_subnet" "virus_scanning_subnet2" {
+resource "aws_subnet" "virus_scanning_b" {
   count = local.is_production ? 1 : 0
 
   availability_zone = "eu-west-2b"
@@ -39,7 +39,7 @@ resource "aws_subnet" "virus_scanning_subnet2" {
   }
 }
 
-resource "aws_route_table" "virus_scanning_route_table" {
+resource "aws_route_table" "virus_scanning" {
   count = local.is_production ? 1 : 0
 
   vpc_id = module.ndr-vpc-ui.vpc_id
@@ -56,18 +56,18 @@ resource "aws_route_table" "virus_scanning_route_table" {
   }
 }
 
-resource "aws_route_table_association" "virus_scanning_subnet1_route_table_association" {
+resource "aws_route_table_association" "virus_scanning_a" {
   count = local.is_production ? 1 : 0
 
-  subnet_id      = aws_subnet.virus_scanning_subnet1[0].id
-  route_table_id = aws_route_table.virus_scanning_route_table[0].id
+  subnet_id      = aws_subnet.virus_scanning_a[0].id
+  route_table_id = aws_route_table.virus_scanning[0].id
 }
 
-resource "aws_route_table_association" "virus_scanning_subnet2_route_table_association" {
+resource "aws_route_table_association" "virus_scanning_b" {
   count = local.is_production ? 1 : 0
 
-  subnet_id      = aws_subnet.virus_scanning_subnet2[0].id
-  route_table_id = aws_route_table.virus_scanning_route_table[0].id
+  subnet_id      = aws_subnet.virus_scanning_b[0].id
+  route_table_id = aws_route_table.virus_scanning[0].id
 }
 
 module "cloud_storage_security" {
@@ -77,8 +77,8 @@ module "cloud_storage_security" {
   version                      = "1.7.1+css8.07.002"
   cidr                         = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available
   email                        = data.aws_ssm_parameter.cloud_security_admin_email.value
-  subnet_a_id                  = aws_subnet.virus_scanning_subnet1[0].id
-  subnet_b_id                  = aws_subnet.virus_scanning_subnet2[0].id
+  subnet_a_id                  = aws_subnet.virus_scanning_a[0].id
+  subnet_b_id                  = aws_subnet.virus_scanning_b[0].id
   vpc                          = module.ndr-vpc-ui.vpc_id
   min_running_agents           = 0
   allow_access_to_all_kms_keys = false
@@ -91,15 +91,15 @@ module "cloud_storage_security" {
   }
 }
 
-resource "aws_ssm_parameter" "virus_scan_notifications_sns_topic_arn" {
+resource "aws_ssm_parameter" "virus_scanning_notifications_sns_topic_arn" {
   count = local.is_production ? 1 : 0
 
   name  = "/prs/${var.environment}/virus-scan-notifications-sns-topic-arn"
   type  = "String"
   value = module.cloud_storage_security[0].proactive_notifications_topic_arn
 }
 
-resource "aws_sns_topic_subscription" "proactive_notifications_sns_topic_subscription" {
+resource "aws_sns_topic_subscription" "proactive_virus_scanning_notifications" {
   for_each  = local.is_production ? toset(nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))) : []
   endpoint  = each.value
   protocol  = "email"

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ data "aws_ssm_parameter" "virus_scanning_subnet_cidr_range" {`
`11`	`11`	`name = "/prs/virus-scanner/subnet-cidr-range"`
`12`	`12`	`}`
`13`	`13`
`14`		`-resource "aws_subnet" "virus_scanning_subnet1" {`
	`14`	`+resource "aws_subnet" "virus_scanning_a" {`
`15`	`15`	`count = local.is_production ? 1 : 0`
`16`	`16`
`17`	`17`	`availability_zone = "eu-west-2a"`
`@@ -25,7 +25,7 @@ resource "aws_subnet" "virus_scanning_subnet1" {`
`25`	`25`	`}`
`26`	`26`	`}`
`27`	`27`
`28`		`-resource "aws_subnet" "virus_scanning_subnet2" {`
	`28`	`+resource "aws_subnet" "virus_scanning_b" {`
`29`	`29`	`count = local.is_production ? 1 : 0`
`30`	`30`
`31`	`31`	`availability_zone = "eu-west-2b"`
`@@ -39,7 +39,7 @@ resource "aws_subnet" "virus_scanning_subnet2" {`
`39`	`39`	`}`
`40`	`40`	`}`
`41`	`41`
`42`		`-resource "aws_route_table" "virus_scanning_route_table" {`
	`42`	`+resource "aws_route_table" "virus_scanning" {`
`43`	`43`	`count = local.is_production ? 1 : 0`
`44`	`44`
`45`	`45`	`vpc_id = module.ndr-vpc-ui.vpc_id`
`@@ -56,18 +56,18 @@ resource "aws_route_table" "virus_scanning_route_table" {`
`56`	`56`	`}`
`57`	`57`	`}`
`58`	`58`
`59`		`-resource "aws_route_table_association" "virus_scanning_subnet1_route_table_association" {`
	`59`	`+resource "aws_route_table_association" "virus_scanning_a" {`
`60`	`60`	`count = local.is_production ? 1 : 0`
`61`	`61`
`62`		`- subnet_id = aws_subnet.virus_scanning_subnet1[0].id`
`63`		`- route_table_id = aws_route_table.virus_scanning_route_table[0].id`
	`62`	`+ subnet_id = aws_subnet.virus_scanning_a[0].id`
	`63`	`+ route_table_id = aws_route_table.virus_scanning[0].id`
`64`	`64`	`}`
`65`	`65`
`66`		`-resource "aws_route_table_association" "virus_scanning_subnet2_route_table_association" {`
	`66`	`+resource "aws_route_table_association" "virus_scanning_b" {`
`67`	`67`	`count = local.is_production ? 1 : 0`
`68`	`68`
`69`		`- subnet_id = aws_subnet.virus_scanning_subnet2[0].id`
`70`		`- route_table_id = aws_route_table.virus_scanning_route_table[0].id`
	`69`	`+ subnet_id = aws_subnet.virus_scanning_b[0].id`
	`70`	`+ route_table_id = aws_route_table.virus_scanning[0].id`
`71`	`71`	`}`
`72`	`72`
`73`	`73`	`module "cloud_storage_security" {`
`@@ -77,8 +77,8 @@ module "cloud_storage_security" {`
`77`	`77`	`version = "1.7.1+css8.07.002"`
`78`	`78`	`cidr = [var.cloud_security_console_black_hole_address] # This is a reserved address that does not lead anywhere to make sure CloudStorageSecurity console is not available`
`79`	`79`	`email = data.aws_ssm_parameter.cloud_security_admin_email.value`
`80`		`- subnet_a_id = aws_subnet.virus_scanning_subnet1[0].id`
`81`		`- subnet_b_id = aws_subnet.virus_scanning_subnet2[0].id`
	`80`	`+ subnet_a_id = aws_subnet.virus_scanning_a[0].id`
	`81`	`+ subnet_b_id = aws_subnet.virus_scanning_b[0].id`
`82`	`82`	`vpc = module.ndr-vpc-ui.vpc_id`
`83`	`83`	`min_running_agents = 0`
`84`	`84`	`allow_access_to_all_kms_keys = false`
`@@ -91,15 +91,15 @@ module "cloud_storage_security" {`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`
`94`		`-resource "aws_ssm_parameter" "virus_scan_notifications_sns_topic_arn" {`
	`94`	`+resource "aws_ssm_parameter" "virus_scanning_notifications_sns_topic_arn" {`
`95`	`95`	`count = local.is_production ? 1 : 0`
`96`	`96`
`97`	`97`	`name = "/prs/${var.environment}/virus-scan-notifications-sns-topic-arn"`
`98`	`98`	`type = "String"`
`99`	`99`	`value = module.cloud_storage_security[0].proactive_notifications_topic_arn`
`100`	`100`	`}`
`101`	`101`
`102`		`-resource "aws_sns_topic_subscription" "proactive_notifications_sns_topic_subscription" {`
	`102`	`+resource "aws_sns_topic_subscription" "proactive_virus_scanning_notifications" {`
`103`	`103`	`for_each = local.is_production ? toset(nonsensitive(split(",", data.aws_ssm_parameter.cloud_security_notification_email_list.value))) : []`
`104`	`104`	`endpoint = each.value`
`105`	`105`	`protocol = "email"`