Merge pull request #3633 from nhsuk/allow_outgoing_connections

bogsi17 · web-flow · commit 6bf5adc57b43 · 2025-06-03T13:07:37.000+01:00
Enable PDS lookups from data-replication stack
diff --git a/.github/workflows/data-replication-pipeline.yml b/.github/workflows/data-replication-pipeline.yml
@@ -31,6 +31,11 @@ on:
         description: ARN of the DB snapshot to use (optional)
         required: false
         type: string
+      egress_cidr:
+        description: CIDR blocks to allow egress traffic.
+        type: string
+        required: true
+        default: "[]"
 
 env:
   aws_role: ${{ inputs.environment == 'production'
@@ -193,6 +198,7 @@ jobs:
           terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
           terraform plan -var="image_digest=${{ env.DOCKER_DIGEST }}" -var="db_secret_arn=${{ env.DB_SECRET_ARN }}" \
           -var="imported_snapshot=${{ env.SNAPSHOT_ARN }}" -var-file="env/${{ inputs.environment }}.tfvars" \
+          -var='allowed_egress_cidr_blocks=${{ inputs.egress_cidr }}' \
           -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
         uses: actions/upload-artifact@v4
diff --git a/terraform/data_replication/network.tf b/terraform/data_replication/network.tf
@@ -2,6 +2,9 @@ resource "aws_vpc" "vpc" {
   cidr_block           = "10.0.0.0/16"
   enable_dns_hostnames = true
   enable_dns_support   = true
+  tags = {
+    Name = "data-replication-vpc-${var.environment}"
+  }
 }
 
 resource "aws_subnet" "subnet_a" {
@@ -18,6 +21,9 @@ resource "aws_subnet" "subnet_b" {
 
 resource "aws_route_table" "private" {
   vpc_id = aws_vpc.vpc.id
+  tags = {
+    Name = "data-replication-private-rt-${var.environment}"
+  }
 }
 
 resource "aws_route_table_association" "private" {
@@ -26,6 +32,63 @@ resource "aws_route_table_association" "private" {
   subnet_id      = local.subnet_list[count.index]
 }
 
+resource "aws_subnet" "public_subnet" {
+  vpc_id            = aws_vpc.vpc.id
+  cidr_block        = "10.0.3.0/24"
+  availability_zone = "${var.region}a"
+}
+
+resource "aws_internet_gateway" "internet_gateway" {
+  count  = local.shared_egress_infrastructure_count
+  vpc_id = aws_vpc.vpc.id
+  tags = {
+    Name = "data-replication-igw-${var.environment}"
+  }
+}
+
+resource "aws_eip" "nat_ip" {
+  count      = local.shared_egress_infrastructure_count
+  domain     = "vpc"
+  depends_on = [aws_internet_gateway.internet_gateway]
+}
+
+resource "aws_nat_gateway" "nat_gateway" {
+  count             = local.shared_egress_infrastructure_count
+  subnet_id         = aws_subnet.public_subnet.id
+  allocation_id     = aws_eip.nat_ip[0].id
+  connectivity_type = "public"
+  depends_on        = [aws_internet_gateway.internet_gateway]
+  tags = {
+    Name = "data-replication-nat-gateway-${var.environment}"
+  }
+}
+
+resource "aws_route" "private_to_public" {
+  count                  = length(var.allowed_egress_cidr_blocks)
+  route_table_id         = aws_route_table.private.id
+  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
+  nat_gateway_id         = aws_nat_gateway.nat_gateway[0].id
+}
+
+resource "aws_route" "public_to_igw" {
+  count                  = length(var.allowed_egress_cidr_blocks)
+  route_table_id         = aws_route_table.public.id
+  destination_cidr_block = var.allowed_egress_cidr_blocks[count.index]
+  gateway_id             = aws_internet_gateway.internet_gateway[0].id
+}
+
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.vpc.id
+  tags = {
+    Name = "data-replication-public-rt-${var.environment}"
+  }
+}
+
+resource "aws_route_table_association" "public" {
+  route_table_id = aws_route_table.public.id
+  subnet_id      = aws_subnet.public_subnet.id
+}
+
 locals {
   vpc_endpoints = tomap(
     {
diff --git a/terraform/data_replication/variables.tf b/terraform/data_replication/variables.tf
@@ -82,8 +82,10 @@ variable "rails_master_key_path" {
 }
 
 locals {
-  name_prefix = "mavis-${var.environment}-data-replication"
-  subnet_list = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]
+  name_prefix                        = "mavis-${var.environment}-data-replication"
+  subnet_list                        = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]
+  shared_egress_infrastructure_count = min(length(var.allowed_egress_cidr_blocks), 1)
+
   task_envs = [
     {
       name  = "DB_HOST"
@@ -125,3 +127,9 @@ locals {
     }
   ]
 }
+
+variable "allowed_egress_cidr_blocks" {
+  type        = list(string)
+  description = "CIDR blocks for the allowed outbound traffic from the data replication service."
+  default     = []
+}

Original file line number	Diff line number	Diff line change
`@@ -82,8 +82,10 @@ variable "rails_master_key_path" {`
`82`	`82`	`}`
`83`	`83`
`84`	`84`	`locals {`
`85`		`- name_prefix = "mavis-${var.environment}-data-replication"`
`86`		`- subnet_list = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]`
	`85`	`+ name_prefix = "mavis-${var.environment}-data-replication"`
	`86`	`+ subnet_list = [aws_subnet.subnet_a.id, aws_subnet.subnet_b.id]`
	`87`	`+ shared_egress_infrastructure_count = min(length(var.allowed_egress_cidr_blocks), 1)`
	`88`	`+`
`87`	`89`	`task_envs = [`
`88`	`90`	`{`
`89`	`91`	`name = "DB_HOST"`
`@@ -125,3 +127,9 @@ locals {`
`125`	`127`	`}`
`126`	`128`	`]`
`127`	`129`	`}`
	`130`	`+`
	`131`	`+variable "allowed_egress_cidr_blocks" {`
	`132`	`+ type = list(string)`
	`133`	`+ description = "CIDR blocks for the allowed outbound traffic from the data replication service."`
	`134`	`+ default = []`
	`135`	`+}`