Remove the creation of the lambda vpc endpoint (#111)

* resolves #110 Remove the creation of the lambda vpc endpoint * Remove endpoints variable * Trigger tests * Trigger tests --------- Co-authored-by: Juan Sanchez <juan.sanchez@automat-it.com> Co-authored-by: Ben Whaley <503816+bwhaley@users.noreply.github.com>
chime · Sep 6, 2024 · 894b256 · 894b256
1 parent 0d7aa37
commit 894b256
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 23 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,4 @@
 **/terraform.tfstate*
 **/.terraform*
 **/.test-data
+.idea
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ When a NAT instance in any of the zonal ASGs is terminated, the lifecycle hook p
 
 The replace-route function also acts as a health check. Every minute, in the private subnet of each availability zone, the function checks that connectivity to the Internet works by requesting https://www.example.com and, if that fails, https://www.google.com. If the request succeeds, the function exits. If both requests fail, the NAT instance is presumably borked, and the function updates the route to point at the standby NAT gateway.
 
-In the event that a NAT instance is unavailable, the function would have no route to the AWS EC2 and Lambda APIs to perform the necessary steps to update the route table. This is mitigated by the use of [interface VPC endpoints](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) to EC2 and Lambda.
+In the event that a NAT instance is unavailable, the function would have no route to the AWS EC2 API to perform the necessary steps to update the route table. This is mitigated by the use of an [interface VPC endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) to EC2.
 
 ## Drawbacks
 

diff --git a/main.tf b/main.tf
@@ -31,19 +31,6 @@ locals {
     }
     : {}
   )
-  lambda_endpoint = (
-    var.enable_lambda_endpoint
-    ? {
-      lambda = {
-        service             = "lambda"
-        private_dns_enabled = true
-        subnet_ids          = local.az_private_subnets
-        tags                = { Name = "lambda-vpc-endpoint" }
-      }
-    }
-    : {}
-  )
-  endpoints = merge(local.ec2_endpoint, local.lambda_endpoint)
 
   # Must provide exactly 1 EIP per AZ
   # var.nat_instance_eip_ids ignored if doesn't match AZ count
@@ -457,7 +444,7 @@ locals {
 }
 
 resource "aws_security_group" "vpc_endpoint" {
-  count = length(local.endpoints) > 0 ? 1 : 0
+  count = length(local.ec2_endpoint) > 0 ? 1 : 0
 
   name_prefix = "ec2-vpc-endpoints-"
   description = "Allow TLS from the VPC CIDR to the AWS API."
@@ -483,13 +470,13 @@ resource "aws_security_group" "vpc_endpoint" {
 }
 
 module "vpc_endpoints" {
-  count = length(local.endpoints) > 0 ? 1 : 0
+  count = length(local.ec2_endpoint) > 0 ? 1 : 0
 
   source             = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
   version            = "~> 3.14.0"
   vpc_id             = var.vpc_id
   security_group_ids = [aws_security_group.vpc_endpoint[0].id]
-  endpoints          = local.endpoints
+  endpoints          = local.ec2_endpoint
   tags               = var.tags
 }
 

diff --git a/variables.tf b/variables.tf
@@ -61,12 +61,6 @@ variable "enable_ec2_endpoint" {
   default     = true
 }
 
-variable "enable_lambda_endpoint" {
-  description = "Whether to create a VPC endpoint to Lambda for Internet Connectivity testing."
-  type        = bool
-  default     = true
-}
-
 variable "enable_ssm" {
   description = "Whether to enable SSM on the Alternat instances."
   type        = bool