Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Optional private subnet creation #127

Closed

Conversation

alexjurkiewicz
Copy link
Contributor

what

  • Add var.create_public_subnets and var.create_private_subnets

why

  • Sometimes you only want one of these subnet types
  • The module will always still reserve space in the CIDR block for both subnet types, so if you initially deploy only private subnets, you can enable public subnets later without affecting your existing private subnets.

Nuru
Nuru previously requested changes Feb 16, 2021
Copy link
Contributor

@Nuru Nuru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aknysh @goruha What do you think?

private.tf Outdated Show resolved Hide resolved
public.tf Outdated Show resolved Hide resolved
variables.tf Outdated Show resolved Hide resolved
variables.tf Outdated Show resolved Hide resolved
@alexjurkiewicz alexjurkiewicz force-pushed the optional-private-public branch from fd4c7da to ac4d191 Compare February 16, 2021 00:59
@mergify mergify bot dismissed Nuru’s stale review February 16, 2021 01:00

This Pull Request has been updated, so we're dismissing all reviews.

@alexjurkiewicz
Copy link
Contributor Author

Thanks for the feedback. Agreed on all points and updated.

I'll add some tests if you agree with the design 👍

@mergify
Copy link

mergify bot commented Feb 18, 2021

This pull request is now in conflict. Could you fix it @alexjurkiewicz? 🙏

Previously, var.context.enabled / var.enabled was ignored, and public
subnets were always created.
@alexjurkiewicz alexjurkiewicz force-pushed the optional-private-public branch from 0227cc6 to 315403e Compare February 18, 2021 22:08
@alexjurkiewicz
Copy link
Contributor Author

ping 🙏

@alexjurkiewicz alexjurkiewicz force-pushed the optional-private-public branch from 4790d78 to f7ee59e Compare March 14, 2021 21:56
This lets users create only private (or only public) subnets. The CIDR
range is still divided as per usual, so you can change your mind later
with minimal disruption.
@alexjurkiewicz alexjurkiewicz force-pushed the optional-private-public branch 2 times, most recently from a2f546c to d13a86f Compare March 14, 2021 22:19
@alexjurkiewicz alexjurkiewicz force-pushed the optional-private-public branch from d13a86f to 53c2dc5 Compare March 14, 2021 22:35
@mergify
Copy link

mergify bot commented Apr 6, 2021

This pull request is now in conflict. Could you fix it @alexjurkiewicz? 🙏

@alexjurkiewicz alexjurkiewicz requested review from Nuru and removed request for a team April 7, 2021 02:50
Copy link
Contributor

@Nuru Nuru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this module stops being useful if you are not creating both public and private subnets. Almost all of the benefit of this module comes from setting up the communication and routing between the private and public subnets, and if you only create private subnets they are not useful because they will be completely isolated.

@aknysh @osterman What do you think?

@@ -136,3 +136,15 @@ variable "root_block_device_encrypted" {
default = true
description = "Whether to encrypt the root block device"
}

variable "create_public_subnets" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cloud Posse convention is to use *_enabled for boolean flags

Suggested change
variable "create_public_subnets" {
variable "public_subnets_enabled" {

description = "Set to false to prevent the module from creating public subnets. Some of your CIDR block will still be reserved, so you can change this later without disruption."
}

variable "create_private_subnets" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cloud Posse convention is to use *_enabled for boolean flags

Suggested change
variable "create_private_subnets" {
variable "private_subnets_enabled" {

@@ -15,7 +15,7 @@ locals {
}

resource "aws_eip" "default" {
count = local.enabled ? local.nat_gateway_eip_count : 0
count = local.public_enabled ? local.nat_gateway_eip_count : 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This raises the question of whether or not we should even allow this module to create only private subnets, since they would have no means of egress.

In any case, this is wrong, because we only can and need to create a NAT gateway or instance if we have both public and private subnets.

Copy link
Member

@aknysh aknysh Apr 7, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, NAT gets created in public subnets.
Without NAT, the private subnets can't communicate with anything (and many applications will not work b/c of that).
@alexjurkiewicz what's the use case for having only private (and completely isolated from everything) subnets?
Especially taking into account that the module will always still reserve space in the CIDR block for both subnet types.

@Nuru Nuru changed the title Optional private/public subnet creation Optional private subnet creation Apr 7, 2021
@Nuru
Copy link
Contributor

Nuru commented Apr 7, 2021

@alexjurkiewicz
Please remove the option to create only private subnets.

  • Remove the variable create_public_subnets/public_subnets_enabled.
  • Fix the NAT creation flag to suppress NATs when private_subnets_enabled is false.

@mergify
Copy link

mergify bot commented Aug 28, 2021

This pull request is now in conflict. Could you fix it @alexjurkiewicz? 🙏

@alexjurkiewicz
Copy link
Contributor Author

I am not deploying our private subnets with this module any more. For the record, we created private subnets for data lake-related services which should not access the internet.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants