
added OCSP destination IP for PRS to be routed via NAT gateway on the…
… NACS Public ECS service (#276)

Co-authored-by: Jahir <[email protected]>
juddin927 and juddin927 authored May 13, 2024
1 parent cb2a9d6 commit dd553c4
Showing 6 changed files with 23 additions and 0 deletions.
1 change: 1 addition & 0 deletions buildspec.yml
Expand Up @@ -42,6 +42,7 @@ env:
TF_VAR_enable_rds_admin_bastion: "/moj-network-access-control/$ENV/enable_rds_admin_bastion"
TF_VAR_enable_rds_servers_bastion: "/moj-network-access-control/$ENV/enable_rds_servers_bastion"
TF_VAR_ocsp_dep_ip: "/moj-network-access-control/$ENV/ocsp_dep_ip"
TF_VAR_ocsp_prs_ip: "/moj-network-access-control/$ENV/ocsp_prs_ip"

phases:
install:
1 change: 1 addition & 0 deletions main.tf
Expand Up @@ -160,6 +160,7 @@ module "radius_vpc" {
tags = module.label.tags
ssm_session_manager_endpoints = var.enable_rds_servers_bastion
ocsp_dep_ip = var.ocsp_dep_ip
ocsp_prs_ip = var.ocsp_prs_ip

providers = {
aws = aws.env
11 changes: 11 additions & 0 deletions modules/vpc/routes.tf
Expand Up @@ -75,6 +75,17 @@ resource "aws_route" "nat-gateway-public-ocsp-endpoint-1" {
module.vpc
]
}
resource "aws_route" "nat-gateway-public-ocsp-endpoint-2" {
count = length(module.vpc.public_route_table_ids)

route_table_id = split("_", local.public_table_id)[count.index]
destination_cidr_block = "${var.ocsp_prs_ip}/32"
nat_gateway_id = aws_nat_gateway.eu_west_2c.id

depends_on = [
module.vpc
]
}

resource "aws_nat_gateway" "eu_west_2c" {
allocation_id = aws_eip.nat_eu_west_2c.id
Expand Down
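Review bot: The new `nat-gateway-public-ocsp-endpoint-2` block starts on the line directly after the closing brace of `nat-gateway-public-ocsp-endpoint-1`, with no blank line and no comment, so a reader has to diff the two bodies to see that the only difference is `var.ocsp_prs_ip`. I would separate the blocks and head the new one with a comment such as `# Pin the PRS OCSP responder (/32) through the eu-west-2c NAT gateway, mirroring the DEP route above.` Both routes also key on `local.public_table_id` and `aws_nat_gateway.eu_west_2c`, which are defined outside this hunk; if a third OCSP address is ever added, a `for_each` over a map of responder IPs would avoid a further copy, though note that would change the state addresses of the existing resources.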
4 changes: 4 additions & 0 deletions modules/vpc/variables.tf
Expand Up @@ -59,3 +59,7 @@ variable "ssm_session_manager_endpoints" {
variable "ocsp_dep_ip" {
type = string
}

variable "ocsp_prs_ip" {
type = string
}
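Review bot: `variable "ocsp_prs_ip"` carries no `description` and no `validation`, so a typo or a stray prefix length in the SSM value only surfaces as an error on the `"${var.ocsp_prs_ip}/32"` interpolation inside the route resource, far from the variable that was wrong. The same applies to the copy added in the root `variables.tf` in this commit, where the neighbouring `allowed_ips` variable does carry a description. If the Terraform version in use supports variable validation, I would declare it as below in both places (message wording is constructed, adjust to taste).
```terraform
variable "ocsp_prs_ip" {
  type        = string
  description = "IPv4 address of the PRS OCSP responder; routed as a /32 via the NAT gateway"

  validation {
    condition     = can(cidrhost("${var.ocsp_prs_ip}/32", 0))
    error_message = "ocsp_prs_ip must be a single IPv4 address without a prefix length."
  }
}
```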
2 changes: 2 additions & 0 deletions scripts/aws_ssm_get_parameters.sh
Expand Up @@ -41,6 +41,7 @@ export PARAM4=$(aws ssm get-parameters --region eu-west-2 --with-decryption --na
"/moj-network-access-control/$ENV/enable_rds_admin_bastion" \
"/moj-network-access-control/$ENV/enable_rds_servers_bastion" \
"/moj-network-access-control/$ENV/ocsp_dep_ip" \
"/moj-network-access-control/$ENV/ocsp_prs_ip" \
--query Parameters)

declare -A parameters
Expand Down Expand Up @@ -82,3 +83,4 @@ parameters["shared_services_account_id"]="$(echo $PARAM3 | jq '.[] | select(.Nam
parameters["enable_rds_servers_bastion"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("enable_rds_servers_bastion")) | .Value' --raw-output)"
parameters["enable_rds_admin_bastion"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("enable_rds_admin_bastion")) | .Value' --raw-output)"
parameters["ocsp_dep_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("ocsp_dep_ip")) | .Value' --raw-output)"
parameters["ocsp_prs_ip"]="$(echo $PARAM4 | jq '.[] | select(.Name | test("ocsp_prs_ip")) | .Value' --raw-output)"
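Review bot: The new `parameters["ocsp_prs_ip"]` assignment has no check that the value is non-empty; `aws ssm get-parameters` does not fail when a requested name is absent (it lists it under `InvalidParameters`, which the `--query Parameters` call discards), so in an environment where `/moj-network-access-control/$ENV/ocsp_prs_ip` has not been created the variable silently becomes an empty string and the failure only appears later at Terraform plan time as a malformed `/32` route. I would add, after the assignment, `[ -n "${parameters[ocsp_prs_ip]}" ] || { echo "ocsp_prs_ip not found in SSM for $ENV" >&2; exit 1; }`. The `jq ... test("ocsp_prs_ip")` regex substring match follows the existing lines, but be aware it would also match any future parameter whose name contains that string; the `export PARAM4=` statement this adds to begins above the hunk, and the script continues past it.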
4 changes: 4 additions & 0 deletions variables.tf
Expand Up @@ -156,3 +156,7 @@ variable "allowed_ips" {
description = "List of allowed IP addresses"
default = []
}

variable "ocsp_prs_ip" {
type = string
}
