navapbc · coilysiren · Jan 21, 2025 · Jan 27, 2025 · Jan 28, 2025 · Jan 28, 2025
diff --git a/infra/app-rails/database/main.tf b/infra/app-rails/database/main.tf
@@ -50,9 +50,7 @@ module "database" {
   source = "../../modules/database/resources"
   name   = "${local.prefix}${local.database_config.cluster_name}"
 
-  vpc_id                         = module.network.vpc_id
-  database_subnet_group_name     = module.network.database_subnet_group_name
-  private_subnet_ids             = module.network.database_subnet_ids
-  aws_services_security_group_id = module.network.aws_services_security_group_id
-  is_temporary                   = local.is_temporary
+  network_name = module.project_config.network_name
+  project_name = module.project_config.project_name
+  is_temporary = local.is_temporary
 }
diff --git a/infra/app-rails/service/main.tf b/infra/app-rails/service/main.tf
@@ -63,10 +63,8 @@ module "service" {
 
   image_tag = local.image_tag
 
-  vpc_id                         = module.network.vpc_id
-  public_subnet_ids              = module.network.public_subnet_ids
-  private_subnet_ids             = module.network.private_subnet_ids
-  aws_services_security_group_id = module.network.aws_services_security_group_id
+  network_name = local.environment_config.network_name
+  project_name = module.project_config.project_name
 
   domain_name     = module.domain.domain_name
   hosted_zone_id  = module.domain.hosted_zone_id

diff --git a/infra/app/database/main.tf b/infra/app/database/main.tf
@@ -50,9 +50,7 @@ module "database" {
   source = "../../modules/database/resources"
   name   = "${local.prefix}${local.database_config.cluster_name}"
 
-  vpc_id                         = module.network.vpc_id
-  database_subnet_group_name     = module.network.database_subnet_group_name
-  private_subnet_ids             = module.network.database_subnet_ids
-  aws_services_security_group_id = module.network.aws_services_security_group_id
-  is_temporary                   = local.is_temporary
+  network_name = local.environment_config.network_name
+  project_name = module.project_config.project_name
+  is_temporary = local.is_temporary
 }
diff --git a/infra/app/service/main.tf b/infra/app/service/main.tf
@@ -63,10 +63,8 @@ module "service" {
 
   image_tag = local.image_tag
 
-  vpc_id                         = module.network.vpc_id
-  public_subnet_ids              = module.network.public_subnet_ids
-  private_subnet_ids             = module.network.private_subnet_ids
-  aws_services_security_group_id = module.network.aws_services_security_group_id
+  network_name = local.environment_config.network_name
+  project_name = module.project_config.project_name
 
   domain_name     = module.domain.domain_name
   hosted_zone_id  = module.domain.hosted_zone_id

diff --git a/infra/app/service/network.tf b/infra/app/service/network.tf
diff --git a/infra/modules/database/resources/main.tf b/infra/modules/database/resources/main.tf
@@ -58,7 +58,7 @@ resource "aws_rds_cluster" "db" {
     min_capacity = 0.5
   }
 
-  db_subnet_group_name   = var.database_subnet_group_name
+  db_subnet_group_name   = module.network.database_subnet_group_name
   vpc_security_group_ids = [aws_security_group.db.id]
 
   enabled_cloudwatch_logs_exports = ["postgresql"]

diff --git a/infra/modules/database/resources/networking.tf b/infra/modules/database/resources/networking.tf
@@ -1,16 +1,22 @@
 # Network Configuration
 # ---------------------
 
+module "network" {
+  source       = "../../network/data"
+  name         = var.network_name
+  project_name = var.project_name
+}
+
 resource "aws_security_group" "db" {
   name_prefix = "${var.name}-db"
   description = "Database layer security group"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
 }
 
 resource "aws_security_group" "role_manager" {
   name_prefix = "${var.name}-role-manager"
   description = "Database role manager security group"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
 }
 
 resource "aws_vpc_security_group_egress_rule" "role_manager_egress_to_db" {
@@ -40,11 +46,11 @@ resource "aws_vpc_security_group_egress_rule" "role_manager_egress_to_vpc_endpoi
   from_port                    = 443
   to_port                      = 443
   ip_protocol                  = "tcp"
-  referenced_security_group_id = var.aws_services_security_group_id
+  referenced_security_group_id = module.network.aws_services_security_group_id
 }
 
 resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_ingress_from_role_manager" {
-  security_group_id = var.aws_services_security_group_id
+  security_group_id = module.network.aws_services_security_group_id
   description       = "Allow inbound requests to VPC endpoints from role manager"
 
   from_port                    = 443

diff --git a/infra/modules/database/resources/role_manager.tf b/infra/modules/database/resources/role_manager.tf
@@ -24,7 +24,7 @@ resource "aws_lambda_function" "role_manager" {
   reserved_concurrent_executions = 1
 
   vpc_config {
-    subnet_ids         = var.private_subnet_ids
+    subnet_ids         = module.network.database_subnet_ids
     security_group_ids = [aws_security_group.role_manager.id]
   }
 

diff --git a/infra/modules/database/resources/variables.tf b/infra/modules/database/resources/variables.tf
@@ -1,8 +1,3 @@
-variable "aws_services_security_group_id" {
-  type        = string
-  description = "Security group ID for VPC endpoints that access AWS Services"
-}
-
 variable "database_name" {
   description = "the name of the Postgres database. Defaults to 'app'."
   default     = "app"
@@ -12,11 +7,6 @@ variable "database_name" {
   }
 }
 
-variable "database_subnet_group_name" {
-  type        = string
-  description = "Name of database subnet group"
-}
-
 variable "is_temporary" {
   description = "Whether the service is meant to be spun up temporarily (e.g. for automated infra tests). This is used to disable deletion protection."
   type        = bool
@@ -32,17 +22,17 @@ variable "name" {
   }
 }
 
+variable "network_name" {
+  description = "The name of the network within which the database will run"
+  type        = string
+}
+
 variable "port" {
   description = "value of the port on which the database accepts connections. Defaults to 5432."
   default     = 5432
 }
 
-variable "private_subnet_ids" {
-  type        = list(any)
-  description = "list of private subnet IDs to put the role provisioner and role checker lambda functions in"
-}
-
-variable "vpc_id" {
+variable "project_name" {
+  description = "The name of the project"
   type        = string
-  description = "Uniquely identifies the VPC."
 }
diff --git a/infra/modules/service/events_jobs.tf b/infra/modules/service/events_jobs.tf
@@ -103,7 +103,7 @@ resource "aws_sfn_state_machine" "file_upload_jobs" {
           "LaunchType" : "FARGATE",
           "NetworkConfiguration" : {
             "AwsvpcConfiguration" : {
-              "Subnets" : var.private_subnet_ids,
+              "Subnets" : module.network.private_subnet_ids,
               "SecurityGroups" : [aws_security_group.app.id],
             }
           },

diff --git a/infra/modules/service/load_balancer.tf b/infra/modules/service/load_balancer.tf
@@ -9,7 +9,7 @@ resource "aws_lb" "alb" {
   idle_timeout    = "120"
   internal        = false
   security_groups = [aws_security_group.alb.id]
-  subnets         = var.public_subnet_ids
+  subnets         = module.network.public_subnet_ids
 
   # Use a separate line to support automated terraform destroy commands
   # checkov:skip=CKV_AWS_150:Allow deletion for automated tests
@@ -115,7 +115,7 @@ resource "aws_lb_target_group" "app_tg" {
   name_prefix          = "app-"
   port                 = var.container_port
   protocol             = "HTTP"
-  vpc_id               = var.vpc_id
+  vpc_id               = module.network.vpc_id
   target_type          = "ip"
   deregistration_delay = "30"
 

diff --git a/infra/modules/service/main.tf b/infra/modules/service/main.tf
@@ -33,6 +33,10 @@ locals {
   )
 }
 
+module "project_config" {
+  source = "../../project-config"
+}
+
 #-------------------
 # Service Execution
 #-------------------
@@ -53,7 +57,7 @@ resource "aws_ecs_service" "app" {
 
   network_configuration {
     assign_public_ip = false
-    subnets          = var.private_subnet_ids
+    subnets          = module.network.private_subnet_ids
     security_groups  = [aws_security_group.app.id]
   }
 

diff --git a/infra/modules/service/networking.tf b/infra/modules/service/networking.tf
@@ -2,6 +2,12 @@
 # Network Configuration
 #-----------------------
 
+module "network" {
+  source       = "../../modules/network/data"
+  name         = var.network_name
+  project_name = var.project_name
+}
+
 resource "aws_security_group" "alb" {
   # Specify name_prefix instead of name because when a change requires creating a new
   # security group, sometimes the change requires the new security group to be created
@@ -17,7 +23,7 @@ resource "aws_security_group" "alb" {
     ignore_changes = [description]
   }
 
-  vpc_id = var.vpc_id
+  vpc_id = module.network.vpc_id
 
   # TODO(https://github.com/navapbc/template-infra/issues/163) Disallow incoming traffic to port 80
   # checkov:skip=CKV_AWS_260:Disallow ingress from 0.0.0.0:0 to port 80 when implementing HTTPS support in issue #163
@@ -53,7 +59,7 @@ resource "aws_security_group" "app" {
   # before the old one is destroyed. In this situation, the new one needs a unique name
   name_prefix = "${var.service_name}-app"
   description = "Allow inbound TCP access to application container port"
-  vpc_id      = var.vpc_id
+  vpc_id      = module.network.vpc_id
   lifecycle {
     create_before_destroy = true
   }
@@ -78,7 +84,7 @@ resource "aws_vpc_security_group_ingress_rule" "service_ingress_from_load_balanc
 }
 
 resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_ingress_from_service" {
-  security_group_id = var.aws_services_security_group_id
+  security_group_id = module.network.aws_services_security_group_id
   description       = "Allow inbound requests to VPC endpoints from role manager"
 
   from_port                    = 443

diff --git a/infra/modules/service/scheduled_jobs.tf b/infra/modules/service/scheduled_jobs.tf
@@ -43,7 +43,7 @@ resource "aws_sfn_state_machine" "scheduled_jobs" {
           "LaunchType" : "FARGATE",
           "NetworkConfiguration" : {
             "AwsvpcConfiguration" : {
-              "Subnets" : var.private_subnet_ids,
+              "Subnets" : module.network.private_subnet_ids,
               "SecurityGroups" : [aws_security_group.app.id],
             }
           },

diff --git a/infra/modules/service/variables.tf b/infra/modules/service/variables.tf
@@ -1,8 +1,3 @@
-variable "aws_services_security_group_id" {
-  type        = string
-  description = "Security group ID for VPC endpoints that access AWS Services"
-}
-
 variable "certificate_arn" {
   type        = string
   description = "The ARN of the certificate to use for the application"
@@ -129,14 +124,15 @@ variable "memory" {
   description = "Amount (in MiB) of memory used by the task. e.g. 2048"
 }
 
-variable "private_subnet_ids" {
-  type        = list(any)
-  description = "Private subnet ids in VPC"
+variable "network_name" {
+  type        = string
+  description = "The name of the network within which the service will run"
+
 }
 
-variable "public_subnet_ids" {
-  type        = list(any)
-  description = "Public subnet ids in VPC"
+variable "project_name" {
+  type        = string
+  description = "The name of the project"
 }
 
 variable "scheduled_jobs" {
@@ -165,11 +161,6 @@ variable "service_name" {
   }
 }
 
-variable "vpc_id" {
-  type        = string
-  description = "Uniquely identifies the VPC."
-}
-
 # Custom Template-diverging variables
 variable "container_read_only" {
   type        = bool