Cherry pick of bug fix for manage IAM from on account

ministryofjustice · Jan 12, 2024 · 0cdcc59 · 0cdcc59
1 parent d15ffe8
commit 0cdcc59
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 15 deletions.
diff --git a/modules/eks/iam.tf b/modules/eks/iam.tf
@@ -1,3 +1,7 @@
+locals {
+  is_production = terraform.workspace == "production" ? true : false
+}
+
 # IAM Role for the EKS cluster
 
 resource "aws_iam_role" "cluster" {
@@ -434,7 +438,7 @@ data "aws_iam_policy_document" "cloudwatch_exporter_assume_role_policy_other_aws
 # IAM role for Cloudwatch Exporter in development aws account
 
 resource "aws_iam_role" "cloudwatch_exporter_development" {
-  count              = terraform.workspace == "development" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
   name               = "${var.prefix}-CloudwatchExporter"
 
@@ -444,7 +448,7 @@ resource "aws_iam_role" "cloudwatch_exporter_development" {
 }
 
 resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
-  count       = terraform.workspace == "development" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
   path        = "/"
   description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
@@ -457,15 +461,15 @@ resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_development" {
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_development" {
-  count      = terraform.workspace == "development" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_development[0].arn
   role       = aws_iam_role.cloudwatch_exporter_development[0].name
 
   provider = aws.development
 }
 
 resource "aws_iam_policy" "development_cloudwatch_exporter_role_allow_assume_policy" {
-  count       = terraform.workspace == "development" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   name        = "development_cloudwatch_exporter_role_allow_assume_policy"
   path        = "/"
   description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in development AWS account"
@@ -492,7 +496,7 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow_assume_IAMPolicy" {
-  count      = terraform.workspace == "development" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   policy_arn = aws_iam_policy.development_cloudwatch_exporter_role_allow_assume_policy[0].arn
   role       = aws_iam_role.cloudwatch_exporter.name
 
@@ -504,7 +508,7 @@ resource "aws_iam_role_policy_attachment" "development_cloudwatch_exporter_allow
 # IAM role for Cloudwatch Exporter in pre-production AWS account
 
 resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
-  count              = terraform.workspace == "pre-production" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   assume_role_policy = data.aws_iam_policy_document.cloudwatch_exporter_assume_role_policy_other_aws_accounts.json
   name               = "${var.prefix}-CloudwatchExporter"
 
@@ -514,7 +518,7 @@ resource "aws_iam_role" "cloudwatch_exporter_pre_production" {
 }
 
 resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
-  count       = terraform.workspace == "pre-production" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   name        = "${var.prefix}-CloudwatchExporterIAMPolicy"
   path        = "/"
   description = "IAM role policy for Cloudwatch Exporter in EKS Cluster for ${var.prefix}"
@@ -527,15 +531,15 @@ resource "aws_iam_policy" "cloudwatch_exporter_iam_policy_pre_production" {
 }
 
 resource "aws_iam_role_policy_attachment" "cloudwatch_exporter_IAMPolicy_pre_production" {
-  count      = terraform.workspace == "pre-production" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   policy_arn = aws_iam_policy.cloudwatch_exporter_iam_policy_pre_production[0].arn
   role       = aws_iam_role.cloudwatch_exporter_pre_production[0].name
 
   provider = aws.pre_production
 }
 
 resource "aws_iam_policy" "pre_production_cloudwatch_exporter_role_allow_assume_policy" {
-  count       = terraform.workspace == "pre-production" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   name        = "pre_production_cloudwatch_exporter_role_allow_assume_policy"
   path        = "/"
   description = "Policy that allows cloudwatch exporter in EKS Cluster for ${var.prefix} to assume role in pre-production AWS account"
@@ -562,7 +566,7 @@ POLICY
 }
 
 resource "aws_iam_role_policy_attachment" "pre_production_cloudwatch_exporter_allow_assume_IAMPolicy" {
-  count      = terraform.workspace == "pre-production" ? 0 : 1
+  count      = local.is_production  ? 1 : 0
   policy_arn = aws_iam_policy.pre_production_cloudwatch_exporter_role_allow_assume_policy[0].arn
   role       = aws_iam_role.cloudwatch_exporter.name
 

diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
@@ -1,3 +1,7 @@
+locals {
+  is_production = terraform.workspace == "production" ? true : false
+}
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "5.1.1"
@@ -13,8 +17,10 @@ module "vpc" {
   manage_default_network_acl    = var.manage_default_network_acl
   manage_default_security_group = var.manage_default_security_group
   manage_default_route_table    = var.manage_default_route_table
-  reuse_nat_ips                 = true
-  external_nat_ip_ids           = aws_eip.gw.*.id
+  reuse_nat_ips                 = local.is_production
+  external_nat_ip_ids           = local.is_production ? aws_eip.gw.*.id : []
+  // Lower costs, by lowering availability
+  single_nat_gateway = local.is_production ? false : true
 
   private_subnets = [for cidr_block in cidrsubnets(var.cidr, 2, 2, 2) : cidrsubnets(cidr_block, 1, 1)[0]]
   private_subnet_tags = merge(
@@ -37,7 +43,6 @@ module "vpc" {
   private_route_table_tags = { for k, v in var.tags : k => v if k != "Name" }
   public_route_table_tags  = { for k, v in var.tags : k => v if k != "Name" }
 
-  depends_on = [aws_eip.gw]
 }
 
 resource "aws_flow_log" "vpc_flow_log" {
@@ -48,8 +53,8 @@ resource "aws_flow_log" "vpc_flow_log" {
 }
 
 resource "aws_eip" "gw" {
-  vpc              = true
-  count            = length(var.available_zones)
+  domain           = "vpc"
+  count            = terraform.workspace == "development" ? 0 : length(var.available_zones)
   public_ipv4_pool = var.byoip_pool_id
 
   tags = var.tags