Add VPC

.github/workflows/tf_apply_staging.yml

@@ -1,14 +1,14 @@
-name: "Terraform apply staging"
+name: 'Terraform apply staging'
 
 on:
   workflow_dispatch:
   push:
     branches:
       - main
     paths:
-      - "terragrunt/**"
-      - "!terragrunt/env/staging/**"
-      - ".github/workflows/tf_apply_staging.yml"
+      - 'terragrunt/**'
+      - '!terragrunt/env/staging/**'
+      - '.github/workflows/tf_apply_staging.yml'
 
 env:
   AWS_REGION: ca-central-1
@@ -41,7 +41,11 @@ jobs:
           role-session-name: TFApply
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Terraform Apply
-        working-directory: terragrunt
+      - name: Apply network
+        working-directory: terragrunt/env/staging/network
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve
+
+      - name: Apply ecr
+        working-directory: terragrunt/env/staging/ecr
         run: |
           terragrunt apply --terragrunt-non-interactive -auto-approve

.github/workflows/tf_plan_staging.yml

@@ -1,12 +1,12 @@
-name: "Terraform plan staging"
+name: 'Terraform plan staging'
 
 on:
   workflow_dispatch:
   pull_request:
     paths:
-      - "terragrunt/**"
-      - "!terragrunt/env/staging/**"
-      - ".github/workflows/tf_plan_staging.yml"
+      - 'terragrunt/**'
+      - '!terragrunt/env/staging/**'
+      - '.github/workflows/tf_plan_staging.yml'
 
 env:
   AWS_REGION: ca-central-1
@@ -23,6 +23,12 @@ permissions:
 
 jobs:
   terraform-plan:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - module: ecr
+          - module: network
     runs-on: ubuntu-latest
     environment: staging
     steps:
@@ -43,7 +49,7 @@ jobs:
         uses: cds-snc/terraform-plan@v3.2.2
         with:
           comment-delete: true
-          comment-title: "Staging:"
-          directory: ./terragrunt/env/staging/ecr/
+          comment-title: 'Staging: ${{ matrix.module }}'
+          directory: ./terragrunt/env/staging/${{ matrix.module }}
           github-token: ${{ secrets.GITHUB_TOKEN }}
           terragrunt: true

terragrunt/aws/network/outputs.tf

@@ -0,0 +1,25 @@
+output "vpc_id" {
+  description = "The VPC id"
+  value       = module.react_answers_vpc.vpc_id
+}
+
+output "vpc_private_subnet_ids" {
+  description = "List of the React Answers app VPC private subnet ids"
+  value       = module.react_answers_vpc.private_subnet_ids
+}
+
+output "vpc_public_subnet_ids" {
+  description = "List of the React Answers App VPC public subnet ids"
+  value       = module.react_answers_vpc.public_subnet_ids
+}
+
+output "vpc_cidr_block" {
+  description = "List of cidr block ips for the React Answers VPC"
+  value       = module.react_answers_vpc.cidr_block
+}
+
+
+output "app_security_group_id" {
+  description = "App security group Id for the react answers app"
+  value       = aws_security_group.app.id
+}

terragrunt/aws/network/security_groups.tf

@@ -0,0 +1,50 @@
+# 
+# Security Groups for the VPC React Answers app 
+#
+
+# Define local variables for use in this module/file
+locals {
+  # The name of the Security Group, derived from the product name variable
+  sg_app_name = "${var.product_name}_app_sg"
+}
+
+# Create a Security Group for the React Answers App
+resource "aws_security_group" "app" {
+  # Use the SG name defined in the local variable
+  name = local.sg_app_name
+
+  # Short description for clarity in the AWS console
+  description = "Security Group for the React Answers App"
+
+  # ID of the VPC where this SG will be created
+  vpc_id = module.react_answers_vpc.vpc_id
+
+  # Ensures Terraform removes associated rules upon SG destruction or modification
+  revoke_rules_on_delete = true
+
+  # Tags for cost allocation and identification
+  tags = {
+    CostCentre = var.billing_code
+    Name       = local.sg_app_name
+  }
+}
+
+# Create an egress rule to allow HTTPS traffic to the internet
+resource "aws_security_group_rule" "app_egress_https" {
+  # Brief description to identify the purpose of this rule
+  description = "Allow HTTPS (TCP 443) egress to the internet"
+
+  # Egress rule allows outbound traffic
+  type = "egress"
+
+  # The TCP port range (443 to 443) for HTTPS
+  from_port = 443
+  to_port   = 443
+  protocol  = "tcp"
+
+  # Public internet CIDR block
+  cidr_blocks = ["0.0.0.0/0"]
+
+  # Attach the rule to the SG created above
+  security_group_id = aws_security_group.app.id
+}

terragrunt/aws/network/vpc.tf

@@ -0,0 +1,24 @@
+# 
+# VPC module for React answers
+# 
+
+# Use the terraform-modules/vpc module to create the VPC for the react answers app
+module "react_answers_vpc" {
+  source            = "github.com/cds-snc/terraform-modules//vpc?ref=v10.2.2"
+  name              = var.product_name
+  billing_tag_value = var.billing_tag_value
+
+  # Enables VPC flow logs and blocks ssh and rdp traffic
+  enable_flow_log = true
+  block_ssh       = true
+  block_rdp       = true
+
+  # uses single nat gateway if not in production 
+  single_nat_gateway = var.env != "production"
+
+  # allow HTTPS connections on part 443 in/out from the internet and allow a repsonse back to/from the internet
+  allow_https_request_out          = true
+  allow_https_request_out_response = true
+  allow_https_request_in           = true
+  allow_https_request_in_response  = true
+}

terragrunt/env/common/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.67"
+      version = "~> 5.0"
     }
   }
 }

terragrunt/env/staging/network/terragrunt.hcl

@@ -0,0 +1,7 @@
+terraform {
+  source = "../../../aws//network"
+}
+
+include {
+  path = find_in_parent_folders("root.hcl")
+}