From e8e281b888c33b2808583db13e32f9e3450b70a6 Mon Sep 17 00:00:00 2001
From: Yuchen Ying
Date: Mon, 10 Jun 2024 07:29:15 -0700
Subject: [PATCH] Provide a knob to optionally skip creating the VPC related resources (#330)

---
 cloud/aws/templates/aws_oidc/app.tf          | 6 ++---
 cloud/aws/templates/aws_oidc/external_vpc.tf | 24 +++++++++++++++++++
 cloud/aws/templates/aws_oidc/main.tf         | 12 +++++-----
 cloud/aws/templates/aws_oidc/variables.tf    | 11 +++++++++
 cloud/aws/templates/aws_oidc/vpc.tf          | 25 ++++++++++++++++++++
 5 files changed, 69 insertions(+), 9 deletions(-)
 create mode 100644 cloud/aws/templates/aws_oidc/external_vpc.tf

diff --git a/cloud/aws/templates/aws_oidc/app.tf b/cloud/aws/templates/aws_oidc/app.tf
index f754a633..78d8f7d2 100644
--- a/cloud/aws/templates/aws_oidc/app.tf
+++ b/cloud/aws/templates/aws_oidc/app.tf
@@ -317,13 +317,13 @@ module "ecs_fargate_service" {
   desired_count = var.fargate_desired_task_count
   default_certificate_arn = var.ssl_certificate_arn
   ssl_policy = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
   task_definition_arn = var.monitoring_stack_enabled ? aws_ecs_task_definition.civiform_with_monitoring.arn : aws_ecs_task_definition.civiform_only.arn
   container_name = "${var.app_prefix}-civiform"
   ecs_cluster_name = module.ecs_cluster.aws_ecs_cluster_cluster_name
   ecs_cluster_arn = module.ecs_cluster.aws_ecs_cluster_cluster_arn
-  private_subnets = module.vpc.private_subnets
-  public_subnets = module.vpc.public_subnets
+  private_subnets = local.vpc_private_subnets
+  public_subnets = local.vpc_public_subnets
   max_cpu_threshold = var.ecs_max_cpu_threshold
   min_cpu_threshold = var.ecs_min_cpu_threshold
   max_cpu_evaluation_period = var.ecs_max_cpu_evaluation_period
diff --git a/cloud/aws/templates/aws_oidc/external_vpc.tf b/cloud/aws/templates/aws_oidc/external_vpc.tf
new file mode 100644
index 00000000..3aead4b7
--- /dev/null
+++ b/cloud/aws/templates/aws_oidc/external_vpc.tf
@@ -0,0 +1,24 @@
+// File containing the necessary data sources if local.enable_managed_vpc=false.
+//
+// The "local.enable_managed_vpc" variable will be set to false if all of
+// "var.external_vpc" fields are set.
+
+data "aws_vpc" "external" {
+  count = local.enable_managed_vpc ? 0 : 1
+  id = var.external_vpc.id
+}
+
+data "aws_db_subnet_group" "external" {
+  count = local.enable_managed_vpc ? 0 : 1
+  name = var.external_vpc.database_subnet_group_name
+}
+
+data "aws_subnet" "external_private" {
+  count = local.enable_managed_vpc ? 0 : 1
+  id = var.external_vpc.private_subnet_id
+}
+
+data "aws_subnet" "external_public" {
+  count = local.enable_managed_vpc ? 0 : 1
+  id = var.external_vpc.public_subnet_id
+}
diff --git a/cloud/aws/templates/aws_oidc/main.tf b/cloud/aws/templates/aws_oidc/main.tf
index 9764345f..3878571d 100644
--- a/cloud/aws/templates/aws_oidc/main.tf
+++ b/cloud/aws/templates/aws_oidc/main.tf
@@ -51,7 +51,7 @@ resource "aws_db_instance" "civiform" {
   username = aws_secretsmanager_secret_version.postgres_username_secret_version.secret_string
   password = aws_secretsmanager_secret_version.postgres_password_secret_version.secret_string
   vpc_security_group_ids = [aws_security_group.rds.id]
-  db_subnet_group_name = module.vpc.database_subnet_group_name
+  db_subnet_group_name = local.vpc_database_subnet_group_name
   parameter_group_name = aws_db_parameter_group.civiform.name
   publicly_accessible = false
   skip_final_snapshot = local.skip_final_snapshot
@@ -116,7 +116,7 @@ resource "aws_security_group" "rds" {
     Type = "Civiform DB Security Group"
   }
   name = "${var.app_prefix}-civiform_rds"
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
   ingress {
     from_port = 5432
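Review bot: The two `aws_subnet` data sources in external_vpc.tf look the subnet up by id alone, so a subnet id that belongs to a different VPC than `var.external_vpc.id` is accepted, and the ECS service (app.tf) and the RDS security group (main.tf) end up wired to a network the operator never named. Adding `vpc_id = var.external_vpc.id` to both `data "aws_subnet" "external_private"` and `data "aws_subnet" "external_public"` turns that mismatch into a plan-time lookup failure. `aws_db_subnet_group` has no such filter argument; its `vpc_id` attribute could be compared with `var.external_vpc.id` in a `lifecycle { postcondition { … } }` block, provided the pinned Terraform version supports postconditions (1.2 or later). The header comment also calls `local.enable_managed_vpc` a variable; `// The "local.enable_managed_vpc" local value is false only when every field of "var.external_vpc" is set.` states the rule more accurately.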
@@ -148,14 +148,14 @@ module "pgadmin" {
   app_prefix = var.app_prefix
   aws_region = var.aws_region
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
   lb_arn = module.ecs_fargate_service.aws_lb_civiform_lb_arn
   lb_ssl_cert_arn = var.ssl_certificate_arn
   lb_access_sg_id = module.ecs_fargate_service.aws_security_group_lb_access_sg_id
   cidr_allowlist = var.pgadmin_cidr_allowlist
   ecs_cluster_arn = module.ecs_cluster.aws_ecs_cluster_cluster_arn
-  subnet_ids = module.vpc.private_subnets
+  subnet_ids = local.vpc_private_subnets
   db_sg_id = aws_security_group.rds.id
   db_address = data.aws_db_instance.civiform.address
@@ -173,9 +173,9 @@ module "dbaccess" {
   app_prefix = var.app_prefix
   aws_region = var.aws_region
-  vpc_id = module.vpc.vpc_id
+  vpc_id = local.vpc_id
   cidr_allowlist = var.dbaccess_cidr_allowlist
   db_sg_id = aws_security_group.rds.id
   public_key = var.dbaccess_public_key
-  public_subnet = module.vpc.public_subnets[0]
+  public_subnet = local.vpc_public_subnets[0]
 }
diff --git a/cloud/aws/templates/aws_oidc/variables.tf b/cloud/aws/templates/aws_oidc/variables.tf
index c1dfc9b1..b9c5b955 100644
--- a/cloud/aws/templates/aws_oidc/variables.tf
+++ b/cloud/aws/templates/aws_oidc/variables.tf
@@ -507,3 +507,14 @@ variable "postgresql_version" {
   description = "Version of PostgreSQL to use. When set to only the major version, picks the latest minor version. Otherwise, deploys exactly the version specified."
   default = "16"
 }
+
+variable "external_vpc" {
+  type = map(string)
+  description = "A map with external VPC settings. All values need to set to use an external VPC (VPC resources not managed by this Terraform config)"
+  default = {
+    database_subnet_group_name = ""
+    id = ""
+    private_subnet_id = ""
+    public_subnet_id = ""
+  }
+}
diff --git a/cloud/aws/templates/aws_oidc/vpc.tf b/cloud/aws/templates/aws_oidc/vpc.tf
index 51ba0dc6..52baba8a 100644
--- a/cloud/aws/templates/aws_oidc/vpc.tf
+++ b/cloud/aws/templates/aws_oidc/vpc.tf
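Review bot: `type = map(string)` on the new `external_vpc` variable accepts any key set, so a misspelled or omitted key in a caller's value is not rejected: a missing key makes the `var.external_vpc.<key>` lookups in vpc.tf fail with a generic invalid-key error, and a half-filled map silently flips `local.enable_managed_vpc` to true, which provisions a brand-new VPC instead of using the one the operator intended. Declaring the variable as an `object` with the four string attributes rejects unknown and missing keys with a clear message, and a `validation` block can require the fields to be either all set or all empty, so the fallback to the managed VPC is never an accident. The description also reads `All values need to set`; `All values need to be set` is what is meant. The rewritten declaration is sketched below; the default block is unchanged.

```terraform
variable "external_vpc" {
  type = object({
    database_subnet_group_name = string
    id                         = string
    private_subnet_id          = string
    public_subnet_id           = string
  })
  // … unchanged: description (typo fixed) and default = { … } …

  validation {
    // Either every field is set (external VPC) or every field is empty (managed VPC).
    condition     = length(distinct([for v in values(var.external_vpc) : v == ""])) == 1
    error_message = "external_vpc must have all fields set or all fields empty."
  }
}
```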
@@ -2,10 +2,30 @@
 data "aws_availability_zones" "available" {}
+locals {
+  // If any field of var.external_vpc is not set, we will switch to use the
+  // managed VPC (use this Terraform config to create the VPC network).
+  enable_managed_vpc = anytrue([
+    var.external_vpc.database_subnet_group_name == "",
+    var.external_vpc.id == "",
+    var.external_vpc.private_subnet_id == "",
+    var.external_vpc.public_subnet_id == "",
+  ])
+}
+
+locals {
+  vpc_id = local.enable_managed_vpc ? module.vpc[0].vpc_id : data.aws_vpc.external[0].id
+  vpc_private_subnets = local.enable_managed_vpc ? module.vpc[0].private_subnets : data.aws_subnet.external_private[*].id
+  vpc_public_subnets = local.enable_managed_vpc ? module.vpc[0].public_subnets : data.aws_subnet.external_public[*].id
+  vpc_database_subnet_group_name = local.enable_managed_vpc ? module.vpc[0].database_subnet_group_name : data.aws_db_subnet_group.external[0].name
+}
+
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
   version = "5.1.1"
+  count = local.enable_managed_vpc ? 1 : 0
+
   name = "${var.app_prefix}-${var.vpc_name}"
   cidr = var.vpc_cidr
   azs = data.aws_availability_zones.available.names
@@ -71,3 +91,8 @@ module "vpc" {
   }
 }
+
+moved {
+  from = module.vpc
+  to = module.vpc[0]
+}
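Review bot: `vpc_private_subnets` and `vpc_public_subnets` are one-element lists on the external path (`data.aws_subnet.external_private[*].id` over a data source with `count` 1), whereas the managed `module.vpc` is given every available AZ via `azs` and presumably returns one subnet per AZ; the ECS service in app.tf and pgadmin in main.tf therefore run in a single AZ whenever an external VPC is used, an availability regression the commit message does not mention. If single-AZ is the intended scope of the knob, a comment on the two locals such as `// External mode wires exactly one private and one public subnet (single AZ).` would spare the next reader the surprise; if not, `private_subnet_id`/`public_subnet_id` would need to become lists of ids. The two `locals` blocks could also be merged, since the second only depends on the first through `local.enable_managed_vpc`. The `moved` block at the end of the file is the right way to keep the existing VPC state under `module.vpc[0]`.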