feat: DBTP-1072 As a developer, when I create an API and a frontend s…

…ervice in the same environment and put the frontend service behind the IP Filter, I want the front end service to be able to access the api (#165)
uktrade · Jul 1, 2024 · 4bcce04 · 4bcce04
1 parent 33cd536
commit 4bcce04
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 11 deletions.
diff --git a/.envrc.sample b/.envrc.sample
@@ -0,0 +1,3 @@
+export AWS_PROFILE=sandbox
+export AWS_REGION=eu-west-2
+export AWS_DEFAULT_REGION=eu-west-2
diff --git a/README.md b/README.md
@@ -29,6 +29,12 @@ Various quality checks are run in AWS Codebuild in the `platform-tools` account
 
 ### Running the terraform unit tests locally
 
+Ensure that local variable `AWS_PROFILE` is set to `sandbox` and that you have run:
+
+```shell
+aws sso login
+```
+
 The faster, but less comprehensive, tests that run against the `terraform plan` for a module can be run by `cd`-ing into the module folder and running:
 
 ```shell

diff --git a/vpc/main.tf b/vpc/main.tf
@@ -103,15 +103,20 @@ resource "aws_nat_gateway" "public" {
   )
 }
 
-resource "aws_ssm_parameter" "nat_gateway_eip" {
+locals {
+  nat_gateway_eips = [
+    for key, nat in aws_eip.public : nat.public_ip
+  ]
+}
+
+# SSM parameter with combined EIP values
+resource "aws_ssm_parameter" "combined_nat_gateway_eips" {
   # checkov:skip=CKV_AWS_337:Ensure SSM parameters are using KMS CMK. Related ticket: https://uktrade.atlassian.net/browse/DBTP-946
   # checkov:skip=CKV2_AWS_34:AWS SSM Parameter should be Encrypted. Related ticket: https://uktrade.atlassian.net/browse/DBTP-946
-  for_each = toset(var.arg_config.nat_gateways)
-  name     = "/${var.arg_name}/nat-eip-${each.key}/ADDITIONAL_IP_LIST"
-  type     = "String"
-  value    = aws_eip.public[each.key].public_ip
-
-  tags = local.tags
+  name  = "/${var.arg_name}/ADDITIONAL_IP_LIST"
+  type  = "String"
+  value = join(",", local.nat_gateway_eips)
+  tags  = local.tags
 }
 
 

diff --git a/vpc/tests/unit.tftest.hcl b/vpc/tests/unit.tftest.hcl
@@ -47,16 +47,16 @@ run "aws_vpc_unit_test" {
 
   ### nat_gateway_eip aws_ssm_parameter ###
   assert {
-    condition     = aws_ssm_parameter.nat_gateway_eip["a"].name == "/vpc-test-name/nat-eip-a/ADDITIONAL_IP_LIST"
-    error_message = "Should be: /vpc-test-name/vpc-test-name-nat-eip-a"
+    condition     = aws_ssm_parameter.combined_nat_gateway_eips.name == "/vpc-test-name/ADDITIONAL_IP_LIST"
+    error_message = "Should be: /vpc-test-name/ADDITIONAL_IP_LIST"
   }
 
   assert {
-    condition     = aws_ssm_parameter.nat_gateway_eip["a"].type == "String"
+    condition     = aws_ssm_parameter.combined_nat_gateway_eips.type == "String"
     error_message = "Should be: String"
   }
 
-  # aws_ssm_parameter.nat_gateway_eip["a"].value cannot be tested on a plan
+  # aws_ssm_parameter.combined_nat_gateway_eips.value cannot be tested on a plan
 }
 
 run "aws_security_group_unit_test" {