Update template-infra:base to version 0.15.2.post11.dev0+eddae5c

navapbc · Feb 13, 2025 · d32bc55 · d32bc55
1 parent 51d6412
commit d32bc55
Show file tree

Hide file tree

Showing 11 changed files with 41 additions and 48 deletions.
diff --git a/.template-infra/base.yml b/.template-infra/base.yml
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: v0.15.2-10-g50da2c8
+_commit: v0.15.2-11-geddae5c
 _src_path: https://github.com/navapbc/template-infra
 base_code_repository_url: [email protected]:navapbc/platform-test-nextjs.git
 base_default_region: us-east-1

diff --git a/infra/modules/database/resources/main.tf b/infra/modules/database/resources/main.tf
@@ -58,7 +58,7 @@ resource "aws_rds_cluster" "db" {
     min_capacity = 0.5
   }
 
-  db_subnet_group_name   = var.database_subnet_group_name
+  db_subnet_group_name   = module.network.database_subnet_group_name
   vpc_security_group_ids = [aws_security_group.db.id]
 
   enabled_cloudwatch_logs_exports = ["postgresql"]

diff --git a/infra/modules/database/resources/networking.tf b/infra/modules/database/resources/networking.tf
@@ -1,16 +1,22 @@
 # Network Configuration
 # ---------------------
 
+module "network" {
+  source       = "../../network/data"
+  name         = var.network_name
+  project_name = var.project_name
+}
+
 resource "aws_security_group" "db" {
   name_prefix = "${var.name}-db"
   description = "Database layer security group"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
 }
 
 resource "aws_security_group" "role_manager" {
   name_prefix = "${var.name}-role-manager"
   description = "Database role manager security group"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
 }
 
 resource "aws_vpc_security_group_egress_rule" "role_manager_egress_to_db" {
@@ -40,11 +46,11 @@ resource "aws_vpc_security_group_egress_rule" "role_manager_egress_to_vpc_endpoi
   from_port                    = 443
   to_port                      = 443
   ip_protocol                  = "tcp"
-  referenced_security_group_id = var.aws_services_security_group_id
+  referenced_security_group_id = module.network.aws_services_security_group_id
 }
 
 resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_ingress_from_role_manager" {
-  security_group_id = var.aws_services_security_group_id
+  security_group_id = module.network.aws_services_security_group_id
   description       = "Allow inbound requests to VPC endpoints from role manager"
 
   from_port                    = 443

diff --git a/infra/modules/database/resources/role_manager.tf b/infra/modules/database/resources/role_manager.tf
@@ -24,7 +24,7 @@ resource "aws_lambda_function" "role_manager" {
   reserved_concurrent_executions = 1
 
   vpc_config {
-    subnet_ids         = var.private_subnet_ids
+    subnet_ids         = module.network.database_subnet_ids
     security_group_ids = [aws_security_group.role_manager.id]
   }
 

diff --git a/infra/modules/database/resources/variables.tf b/infra/modules/database/resources/variables.tf
@@ -1,8 +1,3 @@
-variable "aws_services_security_group_id" {
-  type        = string
-  description = "Security group ID for VPC endpoints that access AWS Services"
-}
-
 variable "database_name" {
   description = "the name of the Postgres database. Defaults to 'app'."
   default     = "app"
@@ -12,11 +7,6 @@ variable "database_name" {
   }
 }
 
-variable "database_subnet_group_name" {
-  type        = string
-  description = "Name of database subnet group"
-}
-
 variable "is_temporary" {
   description = "Whether the service is meant to be spun up temporarily (e.g. for automated infra tests). This is used to disable deletion protection."
   type        = bool
@@ -32,17 +22,17 @@ variable "name" {
   }
 }
 
+variable "network_name" {
+  description = "The name of the network within which the database will run"
+  type        = string
+}
+
 variable "port" {
   description = "value of the port on which the database accepts connections. Defaults to 5432."
   default     = 5432
 }
 
-variable "private_subnet_ids" {
-  type        = list(any)
-  description = "list of private subnet IDs to put the role provisioner and role checker lambda functions in"
-}
-
-variable "vpc_id" {
+variable "project_name" {
+  description = "The name of the project"
   type        = string
-  description = "Uniquely identifies the VPC."
 }
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
@@ -103,7 +103,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
           "LaunchType" : "FARGATE",
           "NetworkConfiguration" : {
             "AwsvpcConfiguration" : {
-              "Subnets" : var.private_subnet_ids,
+              "Subnets" : module.network.private_subnet_ids,
               "SecurityGroups" : [aws_security_group.app.id],
             }
           },

diff --git a/infra/modules/service/load_balancer.tf b/infra/modules/service/load_balancer.tf
@@ -9,7 +9,7 @@ resource "aws_lb" "alb" {
   idle_timeout    = "120"
   internal        = false
   security_groups = [aws_security_group.alb.id]
-  subnets         = var.public_subnet_ids
+  subnets         = module.network.public_subnet_ids
 
   # Use a separate line to support automated terraform destroy commands
   # checkov:skip=CKV_AWS_150:Allow deletion for automated tests
@@ -115,7 +115,7 @@ resource "aws_lb_target_group" "app_tg" {
   name_prefix          = "app-"
   port                 = var.container_port
   protocol             = "HTTP"
-  vpc_id               = var.vpc_id
+  vpc_id               = module.network.vpc_id
   target_type          = "ip"
   deregistration_delay = "30"
 

diff --git a/infra/modules/service/main.tf b/infra/modules/service/main.tf
@@ -70,7 +70,7 @@ resource "aws_ecs_service" "app" {
 
   network_configuration {
     assign_public_ip = false
-    subnets          = var.private_subnet_ids
+    subnets          = module.network.private_subnet_ids
     security_groups  = [aws_security_group.app.id]
   }
 

diff --git a/infra/modules/service/networking.tf b/infra/modules/service/networking.tf
@@ -2,6 +2,12 @@
 # Network Configuration
 #-----------------------
 
+module "network" {
+  source       = "../../modules/network/data"
+  name         = var.network_name
+  project_name = var.project_name
+}
+
 resource "aws_security_group" "alb" {
   # Specify name_prefix instead of name because when a change requires creating a new
   # security group, sometimes the change requires the new security group to be created
@@ -17,7 +23,7 @@ resource "aws_security_group" "alb" {
     ignore_changes = [description]
   }
 
-  vpc_id = var.vpc_id
+  vpc_id = module.network.vpc_id
 
   # TODO(https://github.com/navapbc/template-infra/issues/163) Disallow incoming traffic to port 80
   # checkov:skip=CKV_AWS_260:Disallow ingress from 0.0.0.0:0 to port 80 when implementing HTTPS support in issue #163
@@ -53,7 +59,7 @@ resource "aws_security_group" "app" {
   # before the old one is destroyed. In this situation, the new one needs a unique name
   name_prefix = "${var.service_name}-app"
   description = "Allow inbound TCP access to application container port"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
   lifecycle {
     create_before_destroy = true
   }
@@ -78,7 +84,7 @@ resource "aws_vpc_security_group_ingress_rule" "service_ingress_from_load_balanc
 }
 
 resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_ingress_from_service" {
-  security_group_id = var.aws_services_security_group_id
+  security_group_id = module.network.aws_services_security_group_id
   description       = "Allow inbound requests to VPC endpoints from role manager"
 
   from_port                    = 443

diff --git a/infra/modules/service/scheduled_jobs.tf b/infra/modules/service/scheduled_jobs.tf
@@ -43,7 +43,7 @@ resource "aws_sfn_state_machine" "scheduled_jobs" {
           "LaunchType" : "FARGATE",
           "NetworkConfiguration" : {
             "AwsvpcConfiguration" : {
-              "Subnets" : var.private_subnet_ids,
+              "Subnets" : module.network.private_subnet_ids,
               "SecurityGroups" : [aws_security_group.app.id],
             }
           },

diff --git a/infra/modules/service/variables.tf b/infra/modules/service/variables.tf
@@ -1,8 +1,3 @@
-variable "aws_services_security_group_id" {
-  type        = string
-  description = "Security group ID for VPC endpoints that access AWS Services"
-}
-
 variable "certificate_arn" {
   type        = string
   description = "The ARN of the certificate to use for the application"
@@ -129,14 +124,15 @@ variable "memory" {
   description = "Amount (in MiB) of memory used by the task. e.g. 2048"
 }
 
-variable "private_subnet_ids" {
-  type        = list(any)
-  description = "Private subnet ids in VPC"
+variable "network_name" {
+  type        = string
+  description = "The name of the network within which the service will run"
+
 }
 
-variable "public_subnet_ids" {
-  type        = list(any)
-  description = "Public subnet ids in VPC"
+variable "project_name" {
+  type        = string
+  description = "The name of the project"
 }
 
 variable "scheduled_jobs" {
@@ -165,11 +161,6 @@ variable "service_name" {
   }
 }
 
-variable "vpc_id" {
-  type        = string
-  description = "Uniquely identifies the VPC."
-}
-
 variable "ephemeral_write_volumes" {
   type        = set(string)
   description = "A set of absolute paths in the container to be mounted as writable for the life of the task. These need to be declared with `VOLUME` instructions in the container build file."