From e55f4c742a7b19508443e40186e1f5d21df3a1b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Arturo=20Filast=C3=B2?= Date: Tue, 1 Oct 2024 16:35:45 +0200 Subject: [PATCH] Switch to nat gateway free network on both prod and dev --- tf/environments/dev/main.tf | 2 +- tf/modules/network/main.tf | 54 +-------- tf/modules/network_noipv6/main.tf | 145 ------------------------- tf/modules/network_noipv6/outputs.tf | 19 ---- tf/modules/network_noipv6/variables.tf | 26 ----- 5 files changed, 7 insertions(+), 239 deletions(-) delete mode 100644 tf/modules/network_noipv6/main.tf delete mode 100644 tf/modules/network_noipv6/outputs.tf delete mode 100644 tf/modules/network_noipv6/variables.tf diff --git a/tf/environments/dev/main.tf b/tf/environments/dev/main.tf index b00f8cb7..d877a5da 100644 --- a/tf/environments/dev/main.tf +++ b/tf/environments/dev/main.tf @@ -112,7 +112,7 @@ module "ansible_inventory" { } module "network" { - source = "../../modules/network_noipv6" + source = "../../modules/network" az_count = var.az_count vpc_main_cidr_block = "10.0.0.0/16" diff --git a/tf/modules/network/main.tf b/tf/modules/network/main.tf index e4427670..f224fda2 100644 --- a/tf/modules/network/main.tf +++ b/tf/modules/network/main.tf @@ -7,7 +7,7 @@ resource "aws_vpc" "main" { cidr_block = var.vpc_main_cidr_block enable_dns_hostnames = true enable_dns_support = true - + assign_generated_ipv6_cidr_block = true tags = var.tags @@ -17,9 +17,7 @@ resource "aws_subnet" "public" { count = var.az_count cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index) - ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index) - assign_ipv6_address_on_creation = true availability_zone = element(var.aws_availability_zones_available.names, count.index) vpc_id = aws_vpc.main.id 
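Review bot: Switching `module "network"` from `../../modules/network_noipv6` to `../../modules/network` gives the dev VPC an IPv6 allocation it did not have before — the `network` module keeps `assign_generated_ipv6_cidr_block = true` on `aws_vpc.main` and an `ipv6_cidr_block` on the private subnets (see the `tf/modules/network/main.tf` hunks below) — which is a change to dev beyond the NAT-gateway removal the title describes, and the commit description should say so. The title also says the switch covers prod, but no prod environment file is in this diff, so prod presumably already pointed at `modules/network`; worth confirming before applying so both environments really share one module afterwards. The `module "network"` block continues past the end of the hunk.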
@@ -42,11 +40,10 @@ resource "aws_subnet" "private" { cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.private_net_offset + count.index) ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, local.private_net_offset + count.index) - assign_ipv6_address_on_creation = true availability_zone = element(var.aws_availability_zones_available.names, count.index) vpc_id = aws_vpc.main.id - map_public_ip_on_launch = false + map_public_ip_on_launch = true depends_on = [aws_internet_gateway.gw] @@ -59,26 +56,6 @@ resource "aws_subnet" "private" { } } - -resource "aws_eip" "nat" { - count = var.az_count - domain = "vpc" - depends_on = [aws_internet_gateway.gw] -} - -resource "aws_nat_gateway" "nat_gw" { - count = var.az_count - - allocation_id = element(aws_eip.nat[*].id, count.index) - subnet_id = element(aws_subnet.public[*].id, count.index) - - depends_on = [aws_internet_gateway.gw] - - tags = { - Name = "ooni-nat-gw" - } -} - resource "aws_internet_gateway" "gw" { vpc_id = aws_vpc.main.id tags = { @@ -86,14 +63,6 @@ resource "aws_internet_gateway" "gw" { } } -resource "aws_egress_only_internet_gateway" "egress_gw" { - vpc_id = aws_vpc.main.id - - tags = { - Name = "ooni-egressonly-gw" - } -} - resource "aws_route_table" "public" { vpc_id = aws_vpc.main.id @@ -102,11 +71,6 @@ resource "aws_route_table" "public" { gateway_id = aws_internet_gateway.gw.id } - route { - ipv6_cidr_block = "::/0" - egress_only_gateway_id = aws_egress_only_internet_gateway.egress_gw.id - } - tags = { Name = "ooni-public-route-table" } 
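Review bot: `map_public_ip_on_launch = true` on `aws_subnet.private`, combined with the `0.0.0.0/0` → `aws_internet_gateway.gw` route given to `aws_route_table.private` in the @@ -119,28 hunk, makes the "private" subnets publicly addressable: every instance launched in them gets a public IPv4 address and is reachable from the internet, so inbound exposure is now bounded only by security groups, not by routing. That is presumably the point of a NAT-gateway-free design, but the subnets still carry the `ooni-private-subnet-${count.index}` tag and nothing in the module says so; a comment next to the attribute such as `# NAT-gateway-free layout: "private" subnets are internet-routable; isolation relies on security groups, not routing` would record the decision, and the security groups of whatever is deployed into these subnets should be reviewed before this is applied. This hunk also keeps `ipv6_cidr_block = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, local.private_net_offset + count.index)` while dropping `assign_ipv6_address_on_creation`, and the three hunks below delete the egress-only gateway and every `::/0` route, so an ENI that is still given an IPv6 address in this subnet has no IPv6 route at all; either remove the `ipv6_cidr_block` line as the public-subnet hunk does, or add `route { ipv6_cidr_block = "::/0" gateway_id = aws_internet_gateway.gw.id }` to the route tables. The `aws_subnet.private` resource opens and closes outside this hunk.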
@@ -119,28 +83,22 @@ resource "aws_route_table_association" "public" { } resource "aws_route_table" "private" { - count = var.az_count vpc_id = aws_vpc.main.id route { - cidr_block = "0.0.0.0/0" - nat_gateway_id = element(aws_nat_gateway.nat_gw[*].id, count.index) - } - - route { - ipv6_cidr_block = "::/0" - egress_only_gateway_id = aws_egress_only_internet_gateway.egress_gw.id + cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.gw.id } tags = { - Name = "ooni-private-route-table-${count.index}" + Name = "ooni-private-route-table" } } resource "aws_route_table_association" "private" { count = var.az_count subnet_id = element(aws_subnet.private[*].id, count.index) - route_table_id = element(aws_route_table.private[*].id, count.index) + route_table_id = aws_route_table.private.id lifecycle { create_before_destroy = true diff --git a/tf/modules/network_noipv6/main.tf b/tf/modules/network_noipv6/main.tf deleted file mode 100644 index 447284c7..00000000 --- a/tf/modules/network_noipv6/main.tf +++ /dev/null 
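Review bot: With `count` removed, the `route` block of `aws_route_table.private` now reads exactly like the one in `aws_route_table.public` (`0.0.0.0/0` via `aws_internet_gateway.gw.id`), so the two tables differ only by their `Name` tag. Either point `aws_route_table_association.private` at `aws_route_table.public.id` and drop this resource, or keep it and add a comment on the resource explaining why a separate table is retained (for example, to reintroduce a NAT route later without re-associating subnets). Dropping `count` also changes the addresses from `aws_route_table.private[N]` to `aws_route_table.private`, which I believe Terraform will plan as destroy-and-create unless a `moved { from = aws_route_table.private[0] to = aws_route_table.private }` block is added; `create_before_destroy` on the association should keep subnets attached during the swap, but the plan is worth reading before applying to prod. `aws_route_table_association.private` continues past the end of the hunk.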
@@ -1,145 +0,0 @@
-locals {
- private_net_offset = 100
- cloudhsm_net_offset = 200
-}
-
-resource "aws_vpc" "main" {
- cidr_block = var.vpc_main_cidr_block
- enable_dns_hostnames = true
- enable_dns_support = true
-
- tags = var.tags
-}
-
-resource "aws_subnet" "public" {
- count = var.az_count
-
- cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
-
- availability_zone = element(var.aws_availability_zones_available.names, count.index)
- vpc_id = aws_vpc.main.id
- map_public_ip_on_launch = true
-
- depends_on = [aws_internet_gateway.gw]
-
- lifecycle {
- create_before_destroy = true
- }
-
- tags = {
- Name = "ooni-public-subnet-${count.index}"
- }
-}
-
-resource "aws_subnet" "private" {
- count = var.az_count
-
- cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.private_net_offset + count.index)
-
- availability_zone = element(var.aws_availability_zones_available.names, count.index)
- vpc_id = aws_vpc.main.id
- map_public_ip_on_launch = true
-
- depends_on = [aws_internet_gateway.gw]
-
- lifecycle {
- create_before_destroy = true
- }
-
- tags = {
- Name = "ooni-private-subnet-${count.index}"
- }
-}
-
-resource "aws_internet_gateway" "gw" {
- vpc_id = aws_vpc.main.id
- tags = {
- Name = "ooni-internet-gw"
- }
-}
-
-resource "aws_route_table" "public" {
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gw.id
- }
-
- tags = {
- Name = "ooni-public-route-table"
- }
-}
-
-resource "aws_route_table_association" "public" {
- count = var.az_count
- subnet_id = element(aws_subnet.public[*].id, count.index)
- route_table_id = aws_route_table.public.id
-}
-
-resource "aws_route_table" "private" {
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gw.id
- }
-
- tags = {
- Name = "ooni-private-route-table"
- }
-}
-
-resource "aws_route_table_association" "private" {
- count = var.az_count
- subnet_id = element(aws_subnet.private[*].id, count.index)
- route_table_id = aws_route_table.private.id
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
-locals {
- cloudhsm_network_count = (var.enable_codesign_network ? 1 : 0) * var.az_count
-}
-
-resource "aws_subnet" "cloudhsm" {
- count = local.cloudhsm_network_count
- cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, local.cloudhsm_net_offset + count.index)
-
- availability_zone = var.aws_availability_zones_available.names[count.index]
- vpc_id = aws_vpc.main.id
- map_public_ip_on_launch = false
-
- depends_on = [aws_internet_gateway.gw]
-
- lifecycle {
- create_before_destroy = true
- }
-
- tags = {
- Name = "ooni-cloudhsm-subnet-${count.index}"
- }
-}
-
-resource "aws_route_table" "cloudhsm" {
- count = local.cloudhsm_network_count
-
- vpc_id = aws_vpc.main.id
-
- route {
- cidr_block = "0.0.0.0/0"
- gateway_id = aws_internet_gateway.gw.id
- }
-
- tags = {
- Name = "ooni-cloudhsm-route-table"
- }
-}
-
-resource "aws_route_table_association" "cloudhsm" {
- count = local.cloudhsm_network_count
- subnet_id = element(aws_subnet.cloudhsm[*].id, count.index)
- route_table_id = aws_route_table.cloudhsm[count.index].id
-}
diff --git a/tf/modules/network_noipv6/outputs.tf b/tf/modules/network_noipv6/outputs.tf
deleted file mode 100644
index 555991dd..00000000
--- a/tf/modules/network_noipv6/outputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-output "vpc_id" {
- description = "The ID of the VPC"
- value = aws_vpc.main.id
-}
-
-output "vpc_subnet_public" {
- description = "The value of the public subnet associated to the VPC"
- value = aws_subnet.public
-}
-
-output "vpc_subnet_private" {
- description = "The value of the private subnet associated to the VPC"
- value = aws_subnet.private
-}
-
-output "vpc_subnet_cloudhsm" {
- description = "The value of the cloudhsm subnet associated to the VPC"
- value = aws_subnet.cloudhsm
-}
diff --git a/tf/modules/network_noipv6/variables.tf b/tf/modules/network_noipv6/variables.tf
deleted file mode 100644
index 1416be87..00000000
--- a/tf/modules/network_noipv6/variables.tf
+++ /dev/null
@@ -1,26 +0,0 @@
-variable "az_count" {
- description = "Number of AZs to cover in a given AWS region"
- type = number
- default = "2"
-}
-
-variable "aws_availability_zones_available" {
- description = "content of data.aws_availability_zones.available"
-}
-
-variable "vpc_main_cidr_block" {
- description = "the start address of the main VPC cidr"
- default = "10.0.0.0/16"
-}
-
-variable "tags" {
- description = "tags to apply to the resources"
- default = {}
- type = map(string)
-}
-
-variable "enable_codesign_network" {
- description = "Enable codesign network"
- default = false
- type = bool
-}