Remove NAT gateways from environment template

The LBFargateWebApp tasks will be launched in the public subnets.
aws · Nov 21, 2019 · 7b6fae8 · 7b6fae8
1 parent ea8990c
commit 7b6fae8
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 80 deletions.
diff --git a/internal/pkg/cli/env_init.go b/internal/pkg/cli/env_init.go
@@ -191,10 +191,6 @@ func (opts *InitEnvOpts) humanizeEnvironmentEvents(resourceEvents []deploy.Resou
 			return event.Type == "AWS::EC2::Subnet" &&
 				strings.HasPrefix(event.LogicalName, "Private")
 		},
-		textNATGateway: func(event deploy.Resource) bool {
-			return event.Type == "AWS::EC2::EIP" ||
-				event.Type == "AWS::EC2::NatGateway"
-		},
 		textRouteTables: func(event deploy.Resource) bool {
 			return strings.Contains(event.LogicalName, "Route")
 		},
@@ -211,8 +207,7 @@ func (opts *InitEnvOpts) humanizeEnvironmentEvents(resourceEvents []deploy.Resou
 		textInternetGateway: 2,
 		textPublicSubnets:   2,
 		textPrivateSubnets:  2,
-		textNATGateway:      4,
-		textRouteTables:     10,
+		textRouteTables:     4,
 		textECSCluster:      1,
 		textALB:             4,
 	}

diff --git a/internal/pkg/cli/env_init_test.go b/internal/pkg/cli/env_init_test.go
@@ -213,7 +213,6 @@ func TestInitEnvOpts_Execute(t *testing.T) {
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textInternetGateway, termprogress.StatusInProgress)),
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textPublicSubnets, termprogress.StatusInProgress)),
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textPrivateSubnets, termprogress.StatusInProgress)),
-					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textNATGateway, termprogress.StatusInProgress)),
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textRouteTables, termprogress.StatusInProgress)),
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textECSCluster, termprogress.StatusInProgress)),
 					termprogress.TabRow(fmt.Sprintf("%s\t[%s]", textALB, termprogress.StatusInProgress)),

diff --git a/internal/pkg/cli/progress.go b/internal/pkg/cli/progress.go
@@ -16,15 +16,14 @@ type progress interface {
 }
 
 // envProgressOrder is the order in which we want to progress text to appear on the terminal.
-var envProgressOrder = []termprogress.Text{textVPC, textInternetGateway, textPublicSubnets, textPrivateSubnets, textNATGateway, textRouteTables, textECSCluster, textALB}
+var envProgressOrder = []termprogress.Text{textVPC, textInternetGateway, textPublicSubnets, textPrivateSubnets, textRouteTables, textECSCluster, textALB}
 
 // Row descriptions displayed while deploying an environment.
 const (
 	textVPC             termprogress.Text = "- Virtual private cloud on 2 availability zones to hold your services"
 	textInternetGateway termprogress.Text = "  - Internet gateway to connect the network to the internet"
 	textPublicSubnets   termprogress.Text = "  - Public subnets for internet facing services "
 	textPrivateSubnets  termprogress.Text = "  - Private subnets for services that can't be reached from the internet"
-	textNATGateway      termprogress.Text = "  - NAT gateway for private services to send requests to the internet"
 	textRouteTables     termprogress.Text = "  - Routing tables for services to talk with each other"
 	textECSCluster      termprogress.Text = "- ECS Cluster to hold your services "
 	textALB             termprogress.Text = "- Application load balancer to distribute traffic "

diff --git a/templates/environment/cf.yml b/templates/environment/cf.yml
@@ -55,7 +55,6 @@ Conditions:
     - !Condition DelegateDNS
     - !Condition CreatePublicLoadBalancer
 
-
 Resources:
   VPC:
     Type: AWS::EC2::VPC
@@ -106,30 +105,6 @@ Resources:
       AvailabilityZone: !Select [ 1, !GetAZs '' ]
       MapPublicIpOnLaunch: false
 
-  NatGateway1EIP:
-    Type: AWS::EC2::EIP
-    DependsOn: InternetGatewayAttachment
-    Properties:
-      Domain: vpc
-
-  NatGateway2EIP:
-    Type: AWS::EC2::EIP
-    DependsOn: InternetGatewayAttachment
-    Properties:
-      Domain: vpc
-
-  NATGateway1:
-    Type: AWS::EC2::NatGateway
-    Properties:
-      AllocationId: !GetAtt NatGateway1EIP.AllocationId
-      SubnetId: !Ref PublicSubnet1
-
-  NATGateway2:
-    Type: AWS::EC2::NatGateway
-    Properties:
-      AllocationId: !GetAtt NatGateway2EIP.AllocationId
-      SubnetId: !Ref PublicSubnet2
-
   PublicRouteTable:
     Type: AWS::EC2::RouteTable
     Properties:
@@ -155,41 +130,6 @@ Resources:
       RouteTableId: !Ref PublicRouteTable
       SubnetId: !Ref PublicSubnet2
 
-  PrivateRouteTable1:
-    Type: AWS::EC2::RouteTable
-    Properties:
-      VpcId: !Ref VPC
-
-  DefaultPrivateRoute1:
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref PrivateRouteTable1
-      DestinationCidrBlock: 0.0.0.0/0
-      NatGatewayId: !Ref NATGateway1
-
-  PrivateSubnet1RouteTableAssociation:
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      RouteTableId: !Ref PrivateRouteTable1
-      SubnetId: !Ref PrivateSubnet1
-
-  PrivateRouteTable2:
-    Type: AWS::EC2::RouteTable
-    Properties:
-      VpcId: !Ref VPC
-
-  DefaultPrivateRoute2:
-    Type: AWS::EC2::Route
-    Properties:
-      RouteTableId: !Ref PrivateRouteTable2
-      DestinationCidrBlock: 0.0.0.0/0
-      NatGatewayId: !Ref NATGateway2
-
-  PrivateSubnet2RouteTableAssociation:
-    Type: AWS::EC2::SubnetRouteTableAssociation
-    Properties:
-      RouteTableId: !Ref PrivateRouteTable2
-      SubnetId: !Ref PrivateSubnet2
 
   Cluster:
     Type: AWS::ECS::Cluster
@@ -198,8 +138,7 @@ Resources:
     Condition: CreatePublicLoadBalancer
     Type: AWS::EC2::SecurityGroup
     Properties:
-      GroupDescription: Automatically created Security Group for ELB
-      # TODO: https
+      GroupDescription: Access to the public facing load balancer
       SecurityGroupIngress:
         - CidrIp: 0.0.0.0/0
           Description: Allow from anyone on port 80
@@ -222,6 +161,9 @@ Resources:
       Subnets: [ !Ref PublicSubnet1, !Ref PublicSubnet2 ]
       Type: application
 
+
+  # Assign a dummy target group that with no real services as targets, so that we can create
+  # the listeners for the services.
   DefaultHTTPTargetGroup:
     Type: AWS::ElasticLoadBalancingV2::TargetGroup
     Properties:
@@ -615,8 +557,6 @@ Outputs:
     Export:
       Name: !Sub ${AWS::StackName}-PrivateSubnets
 
-  # TODO: Export individual subnets?
-
   PublicLoadBalancerDNSName:
     Condition: CreatePublicLoadBalancer
     Value: !GetAtt PublicLoadBalancer.DNSName

diff --git a/templates/lb-fargate-service/cf.yml b/templates/lb-fargate-service/cf.yml
@@ -113,18 +113,31 @@ Resources:
             Action: 'sts:AssumeRole'
       ManagedPolicyArns:
         - 'arn:aws:iam::aws:policy/PowerUserAccess'
+
   ContainerSecurityGroup:
     Type: AWS::EC2::SecurityGroup
     Properties:
       GroupDescription: !Join ['', [!Ref ProjectName, '-', !Ref EnvName, '-', !Ref AppName, ContainerSecurityGroup]]
       VpcId:
         Fn::ImportValue:
           !Sub "${ProjectName}-${EnvName}-VpcId"
-      SecurityGroupIngress:
-        - IpProtocol: -1
-          SourceSecurityGroupId:
-            Fn::ImportValue:
-              !Sub "${ProjectName}-${EnvName}-PublicLoadBalancerSecurityGroupId"
+  ContainerSecurityGroupIngressFromPublicALB:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from the public ALB
+      GroupId: !Ref 'ContainerSecurityGroup'
+      IpProtocol: -1
+      SourceSecurityGroupId:
+        Fn::ImportValue:
+          !Sub "${ProjectName}-${EnvName}-PublicLoadBalancerSecurityGroupId"
+  ContainerSecurityGroupIngressFromSelf:
+    Type: AWS::EC2::SecurityGroupIngress
+    Properties:
+      Description: Ingress from other containers in the same security group
+      GroupId: !Ref 'ContainerSecurityGroup'
+      IpProtocol: -1
+      SourceSecurityGroupId: !Ref 'ContainerSecurityGroup'
+
   Service:
     Type: AWS::ECS::Service
     Properties:
@@ -141,17 +154,18 @@ Resources:
       LaunchType: FARGATE
       NetworkConfiguration:
         AwsvpcConfiguration:
+          AssignPublicIp: ENABLED
           Subnets:
             - Fn::Select:
               - 0
               - Fn::Split:
                 - ','
-                - Fn::ImportValue: !Sub '${ProjectName}-${EnvName}-PrivateSubnets'
+                - Fn::ImportValue: !Sub '${ProjectName}-${EnvName}-PublicSubnets'
             - Fn::Select:
               - 1
               - Fn::Split:
                 - ','
-                - Fn::ImportValue: !Sub '${ProjectName}-${EnvName}-PrivateSubnets'
+                - Fn::ImportValue: !Sub '${ProjectName}-${EnvName}-PublicSubnets'
           SecurityGroups:
             - !Ref ContainerSecurityGroup
       LoadBalancers: