Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create non-default VPC in network layer #72

Closed
wants to merge 26 commits into from
Closed

Create non-default VPC in network layer #72

wants to merge 26 commits into from

Conversation

lorenyu
Copy link
Collaborator

@lorenyu lorenyu commented Dec 7, 2023
edited
Loading

Ticket

Resolves #152

Changes

  • Add network configuration object in project-config mapping network names to network-specific configs
    • Currently the only configurable thing is the name of the database subnet group. Everything else is hardcoded to use defaults
  • Add infra/modules/network module that creates a nondefault VPC with a basic default configuration that contains:
    • 3 availability zones
    • 3 public subnets to be used by the load balancer
    • 3 private subnets to be used by the application layer
    • 3 database subnets to be used by the database layer
    • database subnet group containing the database subnets to be used by Amazon RDS Aurora
    • optional NAT gateway configurations
  • Modify the network layer (infra/networks/main.tf):
    • Call infra/modules/network to create non-default VPC
    • Add VPC endpoints that are needed for ECS Fargate to be able to fetch ECR images and log to CloudWatch
  • Add network_name property to the application environment config (env-config) to map environments to networks
  • Modify database and service layers to reference the network given by environment_config.network_name. This is done using the network_name AWS tag. Also reference the appropriate subnets (public and private subnets for the service layer and database subnets for the database layer) by using the network_name and network_type tags.
  • Modify infra/modules/service to accept two lists of subnets rather than one, a list of public subnets for the load balancer and a list of private subnets for the service
  • Add egress rule from service to VPC endpoints

Context for reviewers

It turns out we needed nondefault VPC sooner than realized so this is a bit of a rushed implementation of nondefault VPC that follows the WIP VPC tech spec.

Notably, in the default implementation we added a single NAT Gateway which is needed by ECS Fargate to start up the ECS task. It might be possible to achieve this without a NAT Gateway but that will take additional investigation.

Testing

In order to not break dev, I did everything in a new staging environment since staging didn't exist. I followed these steps for testing:

  1. I configured and created the network

    make infra-configure-network NETWORK_NAME=staging
make infra-update-network NETWORK_NAME=staging

  2. I deployed the database layer for the staging environment

    make infra-update-app-database APP_NAME=app ENVIRONMENT=staging

  3. I ran the role manager to provision the database roles and ran the role checker as well

    make infra-update-app-database-roles APP_NAME=app ENVIRONMENT=staging
    image 
    make infra-check-app-database-roles APP_NAME=app ENVIRONMENT=staging
    image

  4. I pushed the branch and ran the build-and-publish workflow.
    See workflow run

  5. I ran the deploy workflow from this branch, which runs migrations and deploys to the service layer
    See workflow run

  6. I hit an endpoint that touches the database to see that it works: http://app-staging-701758158.us-east-1.elb.amazonaws.com/migrations

Note: I temporarily turned off CI Infra Service since that's destined to fail since the service layer no longer points to the default VPC

lorenyu added 23 commits December 6, 2023 16:57
@lorenyu
Add network_configs property to project-config
2fe717e
@lorenyu
Pass NETWORK_NAME to make infra-configure-network
e209114
@lorenyu
Configure dev network
6257cd5
@lorenyu
Add infra/modules/network
1b890e4
@lorenyu
Remove network_name tag from network module
24e67bb
@lorenyu
Update network layer
7b46319
@lorenyu
Add network_name to env-config
fb33e6b
@lorenyu
Update service layer
ac6fcfa
@lorenyu
Update make infra-update-network
6904482
@lorenyu
Specify database subnet group name
1aa27c8
@lorenyu
Change env config to output network_name instead of object
a7e9c65
@lorenyu
Specify db network group name
c667390
@lorenyu
Fix subnet_type tag filter
387527e
@lorenyu
Force replacement of vendor packages with --upgrade
eb75dbe
@lorenyu
Add VPC endpoints
1e0e159
@lorenyu
Add staging option to cd-app
c5022a7
@lorenyu
Check in backends
c272dbd
@lorenyu
For testing, use dev account for staging environment
6c6f17c
@lorenyu
Allow service to hit vpc endpoints
c930389
@lorenyu
Set assign public ip to false
3120654
@lorenyu
Add shared NAT gateway
cebd385
@lorenyu
Remove redundant egress rule
b00ce19
@lorenyu
Remove redundant configs
b8beffd
@lorenyu lorenyu changed the title WIP Add network layer Create non-default VPC in network layer Dec 7, 2023
@lorenyu lorenyu mentioned this pull request Dec 7, 2023
Merged
@lorenyu
Copy link
Collaborator Author

lorenyu commented Dec 9, 2023

Done in navapbc/template-infra#496

@lorenyu lorenyu closed this Dec 9, 2023
@lorenyu lorenyu deleted the lorenyu/vpc branch December 9, 2023 02:30
@lorenyu lorenyu mentioned this pull request Dec 12, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lorenyu