Remove NAT gateway (#499)
* Add route table associations for S3 Gateway VPC endpoint
* Remove NAT gateway

## Context

When implementing non-default VPC in #72, we were running into issues
where the ECS cluster would timeout when fetching the container image
from ECR. Due to time pressure, we added a NAT gateway as a workaround,
which bypasses the networking issues.

The issue was that the S3 Gateway VPC endpoint did not have the route
table associations it needed in the route tables for the private
subnets. This change adds the required route table associations and
removes the NAT gateway that was there as a workaround.

## Rollout

NOTE: Network layer changes need to be manually applied on
platform-test* repos since the network layer isn't automatically
deployed as part of CD
lorenyu authored Dec 12, 2023
1 parent a875997 commit 8bfab43
Showing 2 changed files with 8 additions and 3 deletions.
3 changes: 1 addition & 2 deletions docs/infra/set-up-network.md
@@ -4,8 +4,7 @@ The network setup process will configure and deploy network resources needed by

1. Create a nondefault VPC
2. Create public subnets for publicly accessible resources such as the application load balancer, private subnets for the application service, and private subnets for the database.
3. Create a NAT gateway for internet access from the private subnets
4. Create VPC endpoints for the AWS services needed by ECS Fargate to fetch the container image and log to AWS CloudWatch. If your application has a database, it will also create VPC endpoints for the AWS services needed by the database layer and a security group to contain those VPC endpoints.
3. Create VPC endpoints for the AWS services needed by ECS Fargate to fetch the container image and log to AWS CloudWatch. If your application has a database, it will also create VPC endpoints for the AWS services needed by the database layer and a security group to contain those VPC endpoints.

## Requirements
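Review bot: the renumbered step list no longer tells the reader that, without a NAT gateway, the private subnets have no route to the internet at all; step 3 should say that the only reachable services are the ones with VPC endpoints (S3, ECR, CloudWatch per this text) and that the S3 gateway endpoint is attached to the private subnets' route tables, so anyone adding an outbound dependency knows it needs an endpoint rather than assuming egress exists.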

8 changes: 7 additions & 1 deletion infra/networks/main.tf
@@ -63,7 +63,12 @@ module "network" {
source = "../modules/network"
name = var.network_name
database_subnet_group_name = local.network_config.database_subnet_group_name
nat_gateway_config = "shared"
nat_gateway_config = "none"
}

data "aws_route_table" "private" {
count = length(module.network.private_subnet_ids)
subnet_id = module.network.private_subnet_ids[count.index]
}

# VPC Endpoints for accessing AWS Services
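Review bot: `count = length(module.network.private_subnet_ids)` on the `aws_route_table` data source will fail at plan time on a fresh network if `private_subnet_ids` comes from subnets the module creates in the same apply, because `count` cannot depend on a value unknown until apply; consider having the network module output the private route table ids directly instead of looking them up by subnet. Also, if several private subnets share one route table the lookup returns the same id repeatedly, which is harmless for `route_table_ids` but worth a comment so the duplicates in plan output are not mistaken for a bug.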
@@ -95,4 +100,5 @@ resource "aws_vpc_endpoint" "aws_service" {
security_group_ids = each.key == "s3" ? null : [aws_security_group.aws_services[0].id]
subnet_ids = each.key == "s3" ? null : module.network.private_subnet_ids
private_dns_enabled = each.key == "s3" ? null : true
route_table_ids = each.key == "s3" ? data.aws_route_table.private[*].id : null
}
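Review bot: with `nat_gateway_config = "none"` this route table association becomes the private subnets' only path to S3, so it is load-bearing for ECR layer pulls; the resource sets no `policy`, which leaves the gateway endpoint at its default full-access policy, so consider adding an endpoint policy scoped to the buckets the tasks actually need now that the endpoint is the sole S3 egress. Expect `terraform plan` to show the S3 endpoint updated in place rather than replaced; a replacement here would briefly break image pulls.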
