Template infra deploy #9604851139

.template-version

@@ -1 +1 @@
-2cda6da18c84aa5a3dfb038ab32be4fac363af21
+157ee0f570c012b68a9e4f2575ff7a48be7dfcc4

docs/infra/set-up-app-env.md

@@ -10,13 +10,16 @@ Before setting up the application's environments you'll need to have:
 
 1. [A compatible application in the app folder](https://github.com/navapbc/template-infra/blob/main/template-only-docs/application-requirements.md)
 2. [Set up the AWS account that this environment is going to use](/docs/infra/set-up-aws-account.md).
-3. [Configure the app](/infra/app/app-config/main.tf). Make sure you update `has_database` to `true` or `false` depending on whether or not your application has a database to integrate with.
-   1. If you're configuring your production environment, make sure to update the `service_cpu`, `service_memory`, and `service_desired_instance_count` settings based on the project's needs. If your application is sensitive to performance, consider doing a load test.
-   2. Make sure your application environment is using the AWS Account you want to use by checking the `account_name` property in the environment configuration and updating it if necessary.
+3. [Configure the app](/infra/app/app-config/main.tf).
+   1. Make sure you update `has_database` to `true` or `false` depending on whether or not your application has a database to integrate with.
+   2. Make sure you update `has_external_non_aws_service` to `true` or `false` depending on whether your application utilizes any non-AWS services. Other applications within the same git repo count as external services, so if your application makes API calls to another application service in the same git repo, set `has_external_non_aws_service` to `true`.
+   3. If you're configuring your production environment, make sure to update the `service_cpu`, `service_memory`, and `service_desired_instance_count` settings based on the project's needs. If your application is sensitive to performance, consider doing a load test.
+   4. Make sure your application environment is using the AWS Account you want to use by checking the `account_name` property in the environment configuration and updating it if necessary.
 4. [Create a nondefault VPC to be used by the application](./set-up-network.md)
-5. (If the application has a database) [Set up the database for the application](./set-up-database.md)
-6. (If you have an incident management service) [Set up monitoring](./set-up-monitoring-alerts.md)
-7. [Set up the application build repository](./set-up-app-build-repository.md)
+5. (If the application has external non-AWS services) [Set up network access to the public internet](./public-internet-access.md)
+6. (If the application has a database) [Set up the database for the application](./set-up-database.md)
+7. (If you have an incident management service) [Set up monitoring](./set-up-monitoring-alerts.md)
+8. [Set up the application build repository](./set-up-app-build-repository.md)
 
 ## 1. Configure backend
 
@@ -59,4 +62,3 @@ TF_CLI_ARGS_apply="-var=image_tag=<IMAGE_TAG>" make infra-update-app-service APP
 
 Configure email alerts, external incident management service integration and additional Cloudwatch Alerts.
 [Configure monitoring module](./set-up-monitoring-alerts.md)
-

docs/infra/set-up-network.md

@@ -16,7 +16,7 @@ Before setting up the network you'll need to have:
    2. Optionally, [configure HTTPS support](/docs/infra/https-support.md). You can also come back to setting up HTTPS support at a later time.
 3. [Configure the app](/infra/app/app-config/main.tf).
    1. Update `has_database` to `true` or `false` depending on whether or not your application has a database to integrate with. This setting determines whether or not to create VPC endpoints needed by the database layer.
-   2. Update `has_external_non_aws_service` to `true` or `false` depending on whether or not your application makes calls to an external non-AWS service. This setting determines whether or not to create NAT gateways, which allows the service in the private subnet to make requests to the internet.
+   2. Update `has_external_non_aws_service` to `true` or `false` depending on whether or not your application makes calls over the public internet. Set this to `true` (a) if your application makes calls to a SaaS service, or (b) if your application needs to call services from another application in the same git repo. This setting determines whether or not to create NAT gateways, which allows the service in the private subnet to make requests to the internet. For more information, see [set up network access to the public internet](./set-up-public-internet-access.md)
    3. If you made changes to the configuration of the networks in the optional step 2 above and or to the default application environments: Update `network_name` for your application environments. This mapping ensures that each network is configured appropriately based on the application(s) in that network (see `local.apps_in_network` in [/infra/networks/main.tf](/infra/networks/main.tf)) Failure to set the network name properly means that the network layer may not receive the correct application configurations for `has_database` and `has_external_non_aws_service`.
 
 ## 1. Configure backend

docs/infra/set-up-public-internet-access.md

@@ -0,0 +1,32 @@
+# Public internet access
+
+Some applications depend on external services that are not provided directly by AWS. External services include:
+
+1. Software as a service (SaaS) providers like New Relic
+2. Custom API applications in the same git repository
+
+Applications that depend on external services need access to the public internet via a NAT (Network Address Translation) gateway. This document describes how to configure public internet access for your application. The setup process will:
+
+1. Create a [NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) for each availability zone in your virtual network
+
+Note: To access services that are provided directly by AWS, you can access them over the public internet by enabling public internet access, or you can alternatively use [VPC endpoints](https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html) to keep network traffic entirely within the VPC.
+
+## 1. Configure `has_external_non_aws_service` property in app-config module
+
+In the `infra/<app_name>/app-config` module, set `has_external_non_aws_service` to `true`.
+
+## 2. Create or update the network
+
+If you are creating new network(s), follow the instructions in [set up network](./set-up-network.md)
+
+If you are updating existing networks, run the following command for each network used by your application's environments (look at `network_name` for each environment in your application's `app-config` module).
+
+```bash
+make infra-update-network NETWORK_NAME=<NETWORK_NAME>
+```
+
+## 3. Check that your application can access the internet
+
+Check that your application can access the internet. If your application already has an endpoint or background job that calls the internet, you can exercise that code path without needing to re-deploy the application. If not, you can test internet access by introducing a simple endpoint that accesses some public URL (e.g. google.com).
+
+Repeat this step for each application environment.

docs/infra/style-guide.md

@@ -23,29 +23,29 @@ Here are some exceptions (and additions) to Hashicorp's Terraform style guide.
 
 #### Modules
 
-* Use module names based on the logical function of the module rather than the underlying proprietary service used for implementing the module. For example, use "database" instead of "rds", or "storage" instead of "s3".
-* Organize resources according to the infrastructure layers described in [module architecture](/docs/infra/module-architecture.md).
-* [Use shared configuration](/docs/infra/module-dependencies.md) instead of the [tfe_outputs data source](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/outputs) to share state between two state files.
+- Use module names based on the logical function of the module rather than the underlying proprietary service used for implementing the module. For example, use "database" instead of "rds", or "storage" instead of "s3".
+- Organize resources according to the infrastructure layers described in [module architecture](/docs/infra/module-architecture.md).
+- [Use shared configuration](/docs/infra/module-dependencies.md) instead of the [tfe_outputs data source](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/outputs) to share state between two state files.
 
 #### Variables
 
-* Include additional type information in string variable names to clarify the value being stored. For example, use `access_policy_arn` instead of `access_policy`. Common examples of suffixes include: `_id`, `_arn`, and `_name`.
-* Include units in numerical variable names. For example, use `max_request_seconds` instead of `max_request_time`.
-* Use plural nouns for lists. For example, use `subnet_ids` to represent a list of subnet ids.
-* Use `values_by_key` for maps that map keys to values. For example use `account_ids_by_name` to represent a map from account names to account ids.
-* For boolean feature flags, use the prefix `enable_`, as in `enable_https`.
+- Include additional type information in string variable names to clarify the value being stored. For example, use `access_policy_arn` instead of `access_policy`. Common examples of suffixes include: `_id`, `_arn`, and `_name`.
+- Include units in numerical variable names. For example, use `max_request_seconds` instead of `max_request_time`.
+- Use plural nouns for lists. For example, use `subnet_ids` to represent a list of subnet ids.
+- Use `values_by_key` for maps that map keys to values. For example use `account_ids_by_name` to represent a map from account names to account ids.
+- For boolean feature flags, use the prefix `enable_`, as in `enable_https`.
 
 #### .gitignore
 
-* Do not commit the `.terraform.lock.hcl` dependency lock file. As of Feb 2023, Terraform lock files, while well intentioned, have a tendency to get into a confusing state that requires recreating the lock file, which defeats the purpose. Moreover, lock files are per environment, which can make it difficult for people to upgrade dependencies (e.g. upgrade an AWS provider) across environments if certain environments are locked down (e.g. production).
+- Do not commit the `.terraform.lock.hcl` dependency lock file. As of Feb 2023, Terraform lock files, while well intentioned, have a tendency to get into a confusing state that requires recreating the lock file, which defeats the purpose. Moreover, lock files are per environment, which can make it difficult for people to upgrade dependencies (e.g. upgrade an AWS provider) across environments if certain environments are locked down (e.g. production).
 
 #### Integration and unit testing
 
-* For testing, use [Terratest](https://terratest.gruntwork.io/docs/) instead of the [Terraform test framework](https://developer.hashicorp.com/terraform/language/tests).
+- For testing, use [Terratest](https://terratest.gruntwork.io/docs/) instead of the [Terraform test framework](https://developer.hashicorp.com/terraform/language/tests).
 
 #### Policy
 
-* For policy enforcement and compliance checks, [Tfsec](https://github.com/aquasecurity/tfsec) is used instead of [Terraform's policy enforcement framework](https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement)
+- For policy enforcement and compliance checks, [Tfsec](https://github.com/aquasecurity/tfsec) is used instead of [Terraform's policy enforcement framework](https://developer.hashicorp.com/terraform/cloud-docs/policy-enforcement)
 
 ## Shell script style