chore(iac/aws/networking): remove redundant Secrets Manager VPC endpoint#915
chore(iac/aws/networking): remove redundant Secrets Manager VPC endpoint#915cristim wants to merge 4 commits into
Conversation
|
@coderabbitai review |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
💤 Files with no reviewable changes (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughRemoves VPC endpoint resources and outputs from the AWS networking Terraform module, updates module header to state fck-nat handles egress, and adds a precondition on module-managed private subnets requiring ChangesVPC endpoint infrastructure removal
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Suggested labels
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
✅ Actions performedReview triggered.
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@terraform/modules/networking/aws/main.tf`:
- Around line 2-4: Add a Terraform validation that fails fast when NAT egress is
disabled but no IPv4 egress endpoints exist: check the variable
enable_nat_gateway and the module's endpoint flags (e.g.,
enable_secrets_manager_endpoint, enable_ecr_endpoint or general
enable_vpc_endpoints) and raise an error if enable_nat_gateway == false AND none
of the IPv4 endpoints are enabled; implement this as a validation block in the
networking module (referencing enable_nat_gateway and the endpoint variables) so
plans error out instead of relying on docs.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 1fe0b8ba-68b8-4296-bfb2-9de68d8e9e46
📒 Files selected for processing (2)
terraform/modules/networking/aws/main.tfterraform/modules/networking/aws/outputs.tf
💤 Files with no reviewable changes (1)
- terraform/modules/networking/aws/outputs.tf
…915) Add lifecycle.precondition to aws_subnet.private that fails at plan time when enable_nat_gateway is false. Without NAT, module-created private subnets have no IPv4 path to AWS services (Secrets Manager, ECR, etc.) and the module previously planned successfully in this broken configuration. Addresses CodeRabbit Major finding on PR #915.
|
Added |
|
Tip For best results, initiate chat on the files or code changes. 🧩 Analysis chain🏁 Script executed: #!/bin/bash
# Show current state of the networking module files
fd -e tf . terraform/modules/networking/aws/ --exec cat {}Length of output: 23905
What works well
One minor nit — IPv6-only escape hatch not surfaced in the error If a caller is certain all their workloads are IPv6-native (and the matching AWS services actually support IPv6 endpoints in their region), the precondition still blocks them even though condition = var.enable_nat_gateway || var.enable_ipv6
error_message = "Private subnets require either enable_nat_gateway=true (IPv4 egress via fck-nat) or enable_ipv6=true (IPv6 egress via EIGW). Without at least one, workloads cannot reach AWS APIs."That said, given that several AWS services still lack dual-stack endpoints (SES, some regional Secrets Manager endpoints), keeping the condition as [approve] |
…al (#915) - Remove unused data "aws_region" "current" (the SM endpoint was its sole consumer; tflint flagged it as unused). - Restore trailing newline on outputs.tf. - Add lifecycle.precondition on aws_vpc.main that fails the plan when enable_nat_gateway is false: in-VPC workloads (Lambda, Fargate) need NAT for AWS API egress now that per-service interface endpoints are gone. Fails fast instead of relying on doc-only safety as flagged by CodeRabbit.
|
@coderabbitai review |
✅ Actions performedReview triggered.
|
|
@coderabbitai review |
✅ Action performedReview finished.
|
The interface endpoint was unconditional and redundant: every env runs fck-NAT (enable_nat_gateway = true), so in-VPC Secrets Manager consumers (main Lambda, cleanup Lambda, Fargate) will reach SM over NAT regardless. Removes: - aws_vpc_endpoint.secretsmanager (~$14/mo across 2 AZs) - aws_security_group.vpc_endpoints (the endpoint was its sole consumer) - the three matching outputs (vpc_endpoints_security_group_id, secretsmanager_endpoint_id, secretsmanager_endpoint_dns -- grep confirmed no consumers) Header comment updated to reflect actual topology (NAT present, per-service interface endpoints removed). Precondition for safety: enable_nat_gateway must remain true in every environment. If a future change turns NAT off, this endpoint (and likely the ECR ones too) needs to be reintroduced first.
…915) Add lifecycle.precondition to aws_subnet.private that fails at plan time when enable_nat_gateway is false. Without NAT, module-created private subnets have no IPv4 path to AWS services (Secrets Manager, ECR, etc.) and the module previously planned successfully in this broken configuration. Addresses CodeRabbit Major finding on PR #915.
…al (#915) - Remove unused data "aws_region" "current" (the SM endpoint was its sole consumer; tflint flagged it as unused). - Restore trailing newline on outputs.tf. - Add lifecycle.precondition on aws_vpc.main that fails the plan when enable_nat_gateway is false: in-VPC workloads (Lambda, Fargate) need NAT for AWS API egress now that per-service interface endpoints are gone. Fails fast instead of relying on doc-only safety as flagged by CodeRabbit.
Commit e395c03 already adds the same precondition on aws_subnet.private, which is the more accurate trigger (it fires only when private subnets are actually being created). Keeping both checked the same variable twice and emitted redundant errors. Drop the one on aws_vpc.main.
9a1fdce to
50d21f9
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
Adversarial review notesReviewed this as a single-egress-path risk surface (any blast radius that follows from "NAT is now sole IPv4 path to AWS APIs"). The PR was opened ~3 weeks ago, so I also re-verified each assumption against the current No actionable changes neededThe PR is sound and CR's prior round was addressed. Re-walked the dependency chain:
Considered, no change needed
Out-of-scope follow-upsNone. The PR's scope is exactly the endpoint removal + fail-fast precondition; the broader CR re-requested. |
|
@coderabbitai review |
✅ Action performedReview finished.
|
Summary
Removes the AWS Secrets Manager VPC interface endpoint and its dedicated security group / unused outputs. The endpoint is redundant: every environment already runs fck-NAT (
enable_nat_gateway = trueinterraform/environments/aws/networking.tf:16), so in-VPC Secrets Manager consumers (main Lambda, cleanup Lambda, Fargate task) reach SM over NAT just like they reach ECR and any other non-IPv6 service.Savings: ~$14/mo (2 AZs × ~$7.20). NAT byte-cost delta is negligible —
GetSecretValuepayloads are tiny.What's removed
aws_vpc_endpoint.secretsmanager(wasmain.tf:743-754)aws_security_group.vpc_endpoints— the endpoint was its sole consumervpc_endpoints_security_group_id,secretsmanager_endpoint_id,secretsmanager_endpoint_dnsWhat's updated
main.tfupdated to reflect actual topology (NAT present, per-service interface endpoints removed)Precondition for safety
enable_nat_gatewaymust remaintruein every environment. If a future change turns NAT off, this endpoint (and likely the ECR ones too) must be reintroduced first or in-VPC SM calls will fail.Test plan
terraform validateclean interraform/environments/aws/terraform fmtno-diffterraform planin a real env should show only the endpoint + SG destroy + three output removals, no other diffsSummary by CodeRabbit