fix: remove nat gateways from dev environment (#87)

This removes the nat gateways in place, for the dev environment since they are cost intensive and we do not need them for now. Closes #84
ooni · Aug 9, 2024 · 764ad7b · 764ad7b
1 parent cbabb30
commit 764ad7b
Show file tree

Hide file tree

Showing 5 changed files with 187 additions and 2 deletions.
diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf
@@ -107,7 +107,7 @@ module "ansible_inventory" {
 }
 
 module "network" {
-  source = "../../modules/network"
+  source = "../../modules/network_noipv6"
 
   az_count            = var.az_count
   vpc_main_cidr_block = "10.0.0.0/16"

diff --git a/tf/modules/ecs_cluster/main.tf b/tf/modules/ecs_cluster/main.tf
@@ -157,7 +157,6 @@ resource "aws_launch_template" "container_host" {
   network_interfaces {
     associate_public_ip_address = true
     delete_on_termination       = true
-    ipv6_address_count          = 1
     security_groups = [
       aws_security_group.container_host.id,
     ]

diff --git a/tf/modules/network_noipv6/main.tf b/tf/modules/network_noipv6/main.tf
@@ -0,0 +1,141 @@
+locals {
+  private_net_offset  = 100
+  cloudhsm_net_offset = 200
+}
+
+resource "aws_vpc" "main" {
+  cidr_block           = var.vpc_main_cidr_block
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  tags = var.tags
+}
+
+resource "aws_subnet" "public" {
+  count = var.az_count
+
+  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
+
+  availability_zone       = element(var.aws_availability_zones_available.names, count.index)
+  vpc_id                  = aws_vpc.main.id
+  map_public_ip_on_launch = true
+
+  depends_on = [aws_internet_gateway.gw]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "ooni-public-subnet-${count.index}"
+  }
+}
+
+resource "aws_subnet" "private" {
+  count = var.az_count
+
+  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.private_net_offset + count.index)
+
+  availability_zone       = element(var.aws_availability_zones_available.names, count.index)
+  vpc_id                  = aws_vpc.main.id
+  map_public_ip_on_launch = false
+
+  depends_on = [aws_internet_gateway.gw]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "ooni-private-subnet-${count.index}"
+  }
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = aws_vpc.main.id
+  tags = {
+    Name = "ooni-internet-gw"
+  }
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+
+  tags = {
+    Name = "ooni-public-route-table"
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  count          = var.az_count
+  subnet_id      = element(aws_subnet.public[*].id, count.index)
+  route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table" "private" {
+  count  = var.az_count
+  vpc_id = aws_vpc.main.id
+
+  tags = {
+    Name = "ooni-private-route-table-${count.index}"
+  }
+}
+
+resource "aws_route_table_association" "private" {
+  count          = var.az_count
+  subnet_id      = element(aws_subnet.private[*].id, count.index)
+  route_table_id = element(aws_route_table.private[*].id, count.index)
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+locals {
+  cloudhsm_network_count = (var.enable_codesign_network ? 1 : 0) * var.az_count
+}
+
+resource "aws_subnet" "cloudhsm" {
+  count      = local.cloudhsm_network_count
+  cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.cloudhsm_net_offset + count.index)
+
+  availability_zone       = var.aws_availability_zones_available.names[count.index]
+  vpc_id                  = aws_vpc.main.id
+  map_public_ip_on_launch = false
+
+  depends_on = [aws_internet_gateway.gw]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = {
+    Name = "ooni-cloudhsm-subnet-${count.index}"
+  }
+}
+
+resource "aws_route_table" "cloudhsm" {
+  count = local.cloudhsm_network_count
+
+  vpc_id = aws_vpc.main.id
+
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.gw.id
+  }
+
+  tags = {
+    Name = "ooni-cloudhsm-route-table"
+  }
+}
+
+resource "aws_route_table_association" "cloudhsm" {
+  count          = local.cloudhsm_network_count
+  subnet_id      = element(aws_subnet.cloudhsm[*].id, count.index)
+  route_table_id = aws_route_table.cloudhsm[count.index].id
+}
diff --git a/tf/modules/network_noipv6/outputs.tf b/tf/modules/network_noipv6/outputs.tf
@@ -0,0 +1,19 @@
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = aws_vpc.main.id
+}
+
+output "vpc_subnet_public" {
+  description = "The value of the public subnet associated to the VPC"
+  value       = aws_subnet.public
+}
+
+output "vpc_subnet_private" {
+  description = "The value of the private subnet associated to the VPC"
+  value       = aws_subnet.private
+}
+
+output "vpc_subnet_cloudhsm" {
+  description = "The value of the cloudhsm subnet associated to the VPC"
+  value       = aws_subnet.cloudhsm
+}
diff --git a/tf/modules/network_noipv6/variables.tf b/tf/modules/network_noipv6/variables.tf
@@ -0,0 +1,26 @@
+variable "az_count" {
+  description = "Number of AZs to cover in a given AWS region"
+  type        = number
+  default     = "2"
+}
+
+variable "aws_availability_zones_available" {
+  description = "content of data.aws_availability_zones.available"
+}
+
+variable "vpc_main_cidr_block" {
+  description = "the start address of the main VPC cidr"
+  default     = "10.0.0.0/16"
+}
+
+variable "tags" {
+  description = "tags to apply to the resources"
+  default     = {}
+  type        = map(string)
+}
+
+variable "enable_codesign_network" {
+  description = "Enable codesign network"
+  default     = false
+  type        = bool
+}