put the raster service in a private subnet

Author: vincentsarago

infrastructure/aws/cdk/app.py

@@ -134,7 +134,30 @@ def __init__(  # noqa: C901
         """Define stack."""
         super().__init__(scope, id, **kwargs)
 
-        vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)
+        # vpc = ec2.Vpc(self, f"{id}-vpc", nat_gateways=0)
+
+        vpc = ec2.Vpc(
+            self,
+            f"{id}-vpc",
+            subnet_configuration=[
+                ec2.SubnetConfiguration(
+                    name="ingress",
+                    cidr_mask=24,
+                    subnet_type=ec2.SubnetType.PUBLIC,
+                ),
+                ec2.SubnetConfiguration(
+                    name="application",
+                    cidr_mask=24,
+                    subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS,
+                ),
+                ec2.SubnetConfiguration(
+                    name="rds",
+                    cidr_mask=28,
+                    subnet_type=ec2.SubnetType.PRIVATE_ISOLATED,
+                ),
+            ],
+            nat_gateways=1,
+        )
 
         interface_endpoints = [
             (
@@ -163,6 +186,8 @@ def __init__(  # noqa: C901
                 ec2.InstanceClass.BURSTABLE3, ec2.InstanceSize.SMALL
             ),
             database_name="postgres",
+            # should set the subnet to `PRIVATE_ISOLATED` but then we need either a bastion host to connect to the db
+            # or an API to ingest/delete data in the DB
             vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
             backup_retention=Duration.days(7),
             deletion_protection=eoapi_settings.stage.lower() == "production",
@@ -229,6 +254,9 @@ def __init__(  # noqa: C901
                     platform="linux/amd64",
                 ),
                 vpc=vpc,
+                vpc_subnets=ec2.SubnetSelection(
+                    subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS
+                ),
                 allow_public_subnet=True,
                 handler="handler.handler",
                 memory_size=eoraster_settings.memory,
@@ -250,6 +278,7 @@ def __init__(  # noqa: C901
             )
 
             db.connections.allow_from(eoraster_function, port_range=ec2.Port.tcp(5432))
+
             raster_api = apigw.HttpApi(
                 self,
                 f"{id}-raster-endpoint",
@@ -305,7 +334,6 @@ def __init__(  # noqa: C901
                     platform="linux/amd64",
                 ),
                 vpc=vpc,
-                allow_public_subnet=True,
                 handler="handler.handler",
                 memory_size=eostac_settings.memory,
                 timeout=Duration.seconds(eostac_settings.timeout),
@@ -360,6 +388,8 @@ def __init__(  # noqa: C901
 
             if "DB_MAX_CONN_SIZE" not in env:
                 env["DB_MAX_CONN_SIZE"] = "1"
+            if "DB_MIN_CONN_SIZE" not in env:
+                env["DB_MIN_CONN_SIZE"] = "1"
 
             eovector_function = aws_lambda.Function(
                 self,
@@ -374,7 +404,6 @@ def __init__(  # noqa: C901
                     platform="linux/amd64",
                 ),
                 vpc=vpc,
-                allow_public_subnet=True,
                 handler="handler.handler",
                 memory_size=eovector_settings.memory,
                 timeout=Duration.seconds(eovector_settings.timeout),