From aab8c201451605117aff5cbf310d013b90a7555c Mon Sep 17 00:00:00 2001
From: vincentsarago
Date: Sat, 24 Jun 2023 15:37:42 +0200
Subject: [PATCH 1/2] put the raster service in a private subnet
---
 infrastructure/aws/cdk/app.py | 35 ++++++++++++++++++++++++++++++++---
 1 file changed, 32 insertions(+), 3 deletions(-)
diff --git a/infrastructure/aws/cdk/app.py b/infrastructure/aws/cdk/app.py
index 8cff3c8..ad38792 100644
--- a/infrastructure/aws/cdk/app.py
+++ b/infrastructure/aws/cdk/app.py
@@ -134,7 +134,30 @@ def __init__( # noqa: C901
 """Define stack."""
 super().__init__(scope, id, **kwargs)
 
- vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)
+ # vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)
+
+ vpc = ec2.Vpc(
+ self,
+ f"{id}-vpc",
+ subnet_configuration=[
+ ec2.SubnetConfiguration(
+ name="ingress",
+ cidr_mask=24,
+ subnet_type=ec2.SubnetType.PUBLIC,
+ ),
+ ec2.SubnetConfiguration(
+ name="application",
+ cidr_mask=24,
+ subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
+ ),
+ ec2.SubnetConfiguration(
+ name="rds",
+ cidr_mask=28,
+ subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
+ ),
+ ],
+ nat_gateways=1,
+ )
 
 interface_endpoints = [
 (
@@ -163,6 +186,8 @@ def __init__( # noqa: C901
 ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL
 ),
 database_name="postgres",
+ # should set the subnet to `PRIVATE_ISOLATED` but then we need either a bastion host to connect to the db
+ # or an API to ingest/delete data in the DB
 vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
 backup_retention=Duration.days(7),
 deletion_protection=eoapi_settings.stage.lower() == "production",
@@ -229,6 +254,9 @@ def __init__( # noqa: C901
 platform="linux/amd64",
 ),
 vpc=vpc,
+ vpc_subnets=ec2.SubnetSelection(
+ subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
+ ),
 allow_public_subnet=True,
 handler="handler.handler",
 memory_size=eoraster_settings.memory,
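Review bot: The replaced line survives as commented-out code (`# vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)`) at the top of the first hunk; git history already records it, so delete that comment and the blank added line under it. The three-tier layout also deserves a one-line comment per tier saying what is meant to live there, since the names alone do not say that the raster function goes into `application` and that `rds` is intended for the database, e.g. `# ingress: public subnets (NAT gateway); application: Lambda functions, outbound only via NAT; rds: database tier, no internet route`. `max_azs` is not set, so with `nat_gateways=1` the private subnets in the remaining availability zones presumably share the single gateway; acceptable for cost, but worth stating next to `nat_gateways=1,`. `__init__` continues past the hunk.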
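Review bot: In the second hunk the database keeps `vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC)` even though the same commit provisions an `rds` PRIVATE_ISOLATED subnet for it, so the isolated tier is created but unused and the instance stays in a public-routable subnet. The new comment records the constraint but not the consequence; I would reword it as `# TODO: move to the "rds" PRIVATE_ISOLATED subnet once a bastion host or an ingest API exists; until then the instance sits in a public subnet and its exposure depends on publicly_accessible and the security group`. Since the functions reach the database through `db.connections.allow_from(...)` inside the same VPC, the isolated subnet would presumably not break that path — worth confirming before the TODO is resolved. Whether `publicly_accessible` is set on this instance is outside the hunk.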
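Review bot: In the third hunk `allow_public_subnet=True` now contradicts the new `vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS)`: the flag only acknowledges placement of the function in a public subnet, and keeping it hides a regression if the `vpc_subnets` argument is ever dropped. Remove `allow_public_subnet=True,` here as the commit already does for the stac and vector functions in the later hunks. Those two functions, in turn, rely on CDK's default subnet selection while the raster function is explicit; making the selection explicit on all three keeps the placement reviewable. The enclosing `aws_lambda.Function(...)` call starts and ends outside the hunk.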
@@ -250,6 +278,7 @@ def __init__( # noqa: C901
 )
 db.connections.allow_from(eoraster_function, port_range=ec2.Port.tcp(5432))
 
+
 raster_api = apigw.HttpApi(
 self,
 f"{id}-raster-endpoint",
@@ -305,7 +334,6 @@ def __init__( # noqa: C901
 platform="linux/amd64",
 ),
 vpc=vpc,
- allow_public_subnet=True,
 handler="handler.handler",
 memory_size=eostac_settings.memory,
 timeout=Duration.seconds(eostac_settings.timeout),
@@ -360,6 +388,8 @@ def __init__( # noqa: C901
 
 if "DB_MAX_CONN_SIZE" not in env:
 env["DB_MAX_CONN_SIZE"] = "1"
+ if "DB_MIN_CONN_SIZE" not in env:
+ env["DB_MIN_CONN_SIZE"] = "1"
 
 eovector_function = aws_lambda.Function(
 self,
@@ -374,7 +404,6 @@ def __init__( # noqa: C901
 platform="linux/amd64",
 ),
 vpc=vpc,
- allow_public_subnet=True,
 handler="handler.handler",
 memory_size=eovector_settings.memory,
 timeout=Duration.seconds(eovector_settings.timeout),
From 5845582c786f61d8b6d20a708d50a175685481c1 Mon Sep 17 00:00:00 2001
From: vincentsarago
Date: Sat, 24 Jun 2023 23:22:14 +0200
Subject: [PATCH 2/2] add notice
---
 infrastructure/aws/cdk/app.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/infrastructure/aws/cdk/app.py b/infrastructure/aws/cdk/app.py
index ad38792..b7191e4 100644
--- a/infrastructure/aws/cdk/app.py
+++ b/infrastructure/aws/cdk/app.py
@@ -158,6 +158,10 @@ def __init__( # noqa: C901
 ],
 nat_gateways=1,
 )
+ print(
+ """The eoAPI stack use AWS NatGateway for the Raster service so it can reach the internet.
+This might incurs some cost (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)."""
+ )
 
 interface_endpoints = [
 (
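Review bot: The `DB_MIN_CONN_SIZE` default in the `-360,6 +388,8` hunk is unrelated to the subnet change this patch is about and carries no explanation of why `"1"` is the right floor, so it should either move to its own commit or get a one-line comment, e.g. `# keep the pool minimal per Lambda container (rationale to be confirmed)`. Both guards read more naturally as defaults, `env.setdefault("DB_MAX_CONN_SIZE", "1")` and `env.setdefault("DB_MIN_CONN_SIZE", "1")`, than as membership tests followed by assignment. Whether the raster and stac functions receive the same default cannot be seen here. `__init__` continues on both sides of the hunk.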
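Review bot: In the last hunk `print()` inside the stack constructor writes to stdout at synth time, where it is easy to miss and is lost in non-interactive runs; CDK's channel for this is `Annotations.of(self).add_warning(...)` (or `add_info`), which attaches the message to the construct path in `cdk synth`/`cdk deploy` output and is the usual way to flag a cost-bearing resource. The text also needs a grammar pass: `uses` for `use`, `may incur` for `might incurs`. A replacement would be `Annotations.of(self).add_warning("The eoAPI stack uses an AWS NAT Gateway so the Raster service can reach the internet. This may incur cost (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html).")`, with `Annotations` imported from the same aws_cdk module that provides `Duration`. Tying the notice to `nat_gateways` being non-zero is optional while the value is hard-coded to 1 just above.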