modernisation-platform icon indicating copy to clipboard operation
modernisation-platform copied to clipboard

Published 20 hours ago verified publisher icon ministryofjustice

Refactor code used to route traffic down VPNs

Open dms1981 opened this issue 2 years ago • 1 comments

User Story

As a Modernisation Platform Engineer I want to revisit the Terraform code that routes traffic via VPNs So that I reduce the amount of repetitious code, and automate the provision of routes via VPNs

User Type(s)

Modernisation Platform Engineer

Value

As part of the following PR I created a resource declaration and provided it with static routes from a local value: https://github.com/ministryofjustice/modernisation-platform/pull/2797

However, as this scenario is likely to occur whenever we attach a VPN to our Transit Gateway, we would be better served by something that allows us to consolidate the routes into our vpn_attachments.json.

This would prevent excessive use of "aws_ec2_transit_gateway_route" resource blocks with hard coded values in them, and remove the need for their creation in conjunction with new VPNs.

Questions / Assumptions / Hypothesis

Definition of done

  • [ ] relevant readme has been updated
  • [ ] VPN static routes moved from locals.tf to vpn_attachments.json
  • [ ] "aws_ec2_transit_gateway_route" blocks replaced by single looping expression
  • [ ] tests are green

Reference

How to write good user stories https://github.com/ministryofjustice/modernisation-platform/pull/2797/files

dms1981 avatar Dec 09 '22 11:12 dms1981

This issue is stale because it has been open 90 days with no activity.

github-actions[bot] avatar May 02 '23 01:05 github-actions[bot]

This issue is stale because it has been open 90 days with no activity.

github-actions[bot] avatar Dec 13 '23 01:12 github-actions[bot]

I've had a look at this one compared to the state of our VPN code today. We only declare two blocks of VPN routes now, so I don't think this warrants the use of engineering time, particularly as only one of the blocks relates to static routes via a VPN tunnel.

In case someone is looking at this in future, though, I'd probably do the following: In vpn_attachments.json I'd include a field for each VPN block called remote_routes. Replace any blocks for VPN routes with something like this:

resource "aws_ec2_transit_gateway_route" "parole_board_routes" {
  for_each                       = (nested for expression I'd need to write)
  destination_cidr_block         = each.value
  transit_gateway_attachment_id  = aws_vpn_connection.this[each.key].transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.$route-table-name.id
}

The nested expression would be tricky. It would need to create a key > value for each route route so that it did something like the following

{
  VPN-1_10.0.0.0_16 = "10.0.0.0/16",
  VPN-1_10.1.0.0_16 = "10.1.0.0/16",
  VPN-2_10.2.0.0_16 = "10.2.0.0/16",
  VPN-2_10.3.0.0_16 = "10.3.0.0/16",
}

dms1981 avatar Feb 09 '24 14:02 dms1981