BAU: Ensure Proxy resources only deployed in dev

whi-tw · whi-tw · commit 5c0b558e014e · 2025-04-01T12:08:32.000+01:00
diff --git a/ci/terraform/account-management/mm-api-dev-access.tf b/ci/terraform/account-management/mm-api-dev-access.tf
@@ -140,7 +140,14 @@ resource "aws_instance" "developer_proxy" {
   iam_instance_profile = aws_iam_instance_profile.developer_proxy_profile[count.index].name
 
   user_data_replace_on_change = true
-  user_data                   = <<-EOT
+
+  # TL;DR of user data:
+  # - Update and upgrade packages
+  # - Install nginx
+  # - Write nginx proxy config to /etc/nginx/conf.d/api-proxy.conf
+  # - Remove `ssm-user` user's sudo access
+  # - Enable and start nginx
+  user_data = <<-EOT
     #cloud-config
     package_update: true
     package_upgrade: true
@@ -208,6 +215,9 @@ resource "aws_instance" "developer_proxy" {
 }
 
 locals {
+  # ssm, ssmmessages, ec2messages, logs are required for SSM session manager
+  # execute-api is required for nginx to connect to the API Gateway
+  # s3 is required for `dnf` to access the package repositories
   required_vpc_interface_endpoints = local.is_dev ? ["ssm", "ssmmessages", "ec2messages", "execute-api", "logs"] : []
   required_vpc_gateway_endpoints   = local.is_dev ? ["s3"] : []
 }
diff --git a/ci/terraform/modules/is-this-the-primary-environment/README.md b/ci/terraform/modules/is-this-the-primary-environment/README.md
@@ -38,5 +38,6 @@ which could lead to inconsistencies.
 | Name | Description |
 |------|-------------|
 | <a name="output_is_primary_environment"></a> [is\_primary\_environment](#output\_is\_primary\_environment) | true if this environment is the primary environment in this account:region else false |
+| <a name="output_is_primary_environment_with_coresident_dev"></a> [is\_primary\_environment\_with\_coresident\_dev](#output\_is\_primary\_environment\_with\_coresident\_dev) | true if this environment is a primary environment with a coresident dev environment in this account:region else false |
 <!-- END_TF_DOCS -->
 <!-- prettier-ignore-end -->
diff --git a/ci/terraform/modules/is-this-the-primary-environment/main.tf b/ci/terraform/modules/is-this-the-primary-environment/main.tf
@@ -22,10 +22,17 @@ variable "environment" {
 }
 
 locals {
-  primary_environment_names = ["production", "staging", "dev", "build"]
+  primary_environment_with_coresident_dev_names = ["dev", "build"]
+  primary_environment_names                     = concat(local.primary_environment_with_coresident_dev_names, ["production", "staging"])
 }
 
 output "is_primary_environment" {
   value       = contains(local.primary_environment_names, var.environment)
   description = "true if this environment is the primary environment in this account:region else false"
 }
+
+output "is_primary_environment_with_coresident_dev" {
+  # This is true if the environment is a primary environment and there is a dev environment in this account:region
+  value       = contains(local.primary_environment_with_coresident_dev_names, var.environment) ? true : false
+  description = "true if this environment is a primary environment with a coresident dev environment in this account:region else false"
+}
diff --git a/ci/terraform/shared/session-manager.tf b/ci/terraform/shared/session-manager.tf
@@ -1,5 +1,5 @@
 locals {
-  session_manager_resource_count = module.primary_environment.is_primary_environment ? 1 : 0
+  session_manager_resource_count = module.primary_environment.is_primary_environment_with_coresident_dev ? 1 : 0
 }
 data "aws_iam_policy_document" "ssm_kms_access" {
   count = local.session_manager_resource_count

Original file line number	Diff line number	Diff line change
`@@ -22,10 +22,17 @@ variable "environment" {`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`locals {`
`25`		`- primary_environment_names = ["production", "staging", "dev", "build"]`
	`25`	`+ primary_environment_with_coresident_dev_names = ["dev", "build"]`
	`26`	`+ primary_environment_names = concat(local.primary_environment_with_coresident_dev_names, ["production", "staging"])`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`output "is_primary_environment" {`
`29`	`30`	`value = contains(local.primary_environment_names, var.environment)`
`30`	`31`	`description = "true if this environment is the primary environment in this account:region else false"`
`31`	`32`	`}`
	`33`	`+`
	`34`	`+output "is_primary_environment_with_coresident_dev" {`
	`35`	`+ # This is true if the environment is a primary environment and there is a dev environment in this account:region`
	`36`	`+ value = contains(local.primary_environment_with_coresident_dev_names, var.environment) ? true : false`
	`37`	`+ description = "true if this environment is a primary environment with a coresident dev environment in this account:region else false"`
	`38`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`locals {`
`2`		`- session_manager_resource_count = module.primary_environment.is_primary_environment ? 1 : 0`
	`2`	`+ session_manager_resource_count = module.primary_environment.is_primary_environment_with_coresident_dev ? 1 : 0`
`3`	`3`	`}`
`4`	`4`	`data "aws_iam_policy_document" "ssm_kms_access" {`
`5`	`5`	`count = local.session_manager_resource_count`