search

ministryofjustice / modernisation-platform

A place for the core work of the Modernisation Platform • This repository is defined and managed in Terraform
https://user-guide.modernisation-platform.service.justice.gov.uk
MIT License
680 stars 289 forks source link

Refactor code used to route traffic down VPNs #2798

Closed dms1981 closed 9 months ago

dms1981 commented 1 year ago

User Story

As a Modernisation Platform Engineer I want to revisit the Terraform code that routes traffic via VPNs So that I reduce the amount of repetitious code, and automate the provision of routes via VPNs

User Type(s)

Modernisation Platform Engineer

Value

As part of the following PR I created a resource declaration and provided it with static routes from a local value: https://github.com/ministryofjustice/modernisation-platform/pull/2797

However, as this scenario is likely to occur whenever we attach a VPN to our Transit Gateway, we would be better served by something that allows us to consolidate the routes into our vpn_attachments.json.

This would prevent excessive use of "aws_ec2_transit_gateway_route" resource blocks with hard coded values in them, and remove the need for their creation in conjunction with new VPNs.

Questions / Assumptions / Hypothesis

Definition of done

Reference

How to write good user stories https://github.com/ministryofjustice/modernisation-platform/pull/2797/files

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 90 days with no activity.

github-actions[bot] commented 11 months ago

This issue is stale because it has been open 90 days with no activity.

dms1981 commented 9 months ago

I've had a look at this one compared to the state of our VPN code today. We only declare two blocks of VPN routes now, so I don't think this warrants the use of engineering time, particularly as only one of the blocks relates to static routes via a VPN tunnel.

In case someone is looking at this in future, though, I'd probably do the following: In vpn_attachments.json I'd include a field for each VPN block called remote_routes. Replace any blocks for VPN routes with something like this:

resource "aws_ec2_transit_gateway_route" "parole_board_routes" {
  for_each                       = (nested for expression I'd need to write)
  destination_cidr_block         = each.value
  transit_gateway_attachment_id  = aws_vpn_connection.this[each.key].transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.$route-table-name.id
}

The nested expression would be tricky. It would need to create a key > value for each route route so that it did something like the following

{
  VPN-1_10.0.0.0_16 = "10.0.0.0/16",
  VPN-1_10.1.0.0_16 = "10.1.0.0/16",
  VPN-2_10.2.0.0_16 = "10.2.0.0/16",
  VPN-2_10.3.0.0_16 = "10.3.0.0/16",
}