From 87ebe881995be9ee10b125723ed9377f6b68ac1a Mon Sep 17 00:00:00 2001
From: K Odewale
Date: Thu, 18 Jan 2024 16:43:39 +0000
Subject: [PATCH 1/2] DS-2050 Added count

---
 build/automation/var/profile/nonprod.mk | 7 ++++++
 infrastructure/stacks/security-groups/data.tf | 2 ++
 infrastructure/stacks/security-groups/main.tf | 4 ++++
 .../stacks/security-groups/variables.tf | 24 +++++++++++++++++++
 4 files changed, 37 insertions(+)

diff --git a/build/automation/var/profile/nonprod.mk b/build/automation/var/profile/nonprod.mk
index 1548063..b1e48e6 100644
--- a/build/automation/var/profile/nonprod.mk
+++ b/build/automation/var/profile/nonprod.mk
@@ -31,6 +31,13 @@ LAMBDA_VERSIONS_TO_RETAIN = 5
 # Adding Performance and Regression SG as the legacy SG [live-lk8s-nonprod-core-dos-db-rds-postgres-sg]
 # with access to all DB is being deprecated
 # As a result adding additional SG to the Lambda used in nonprod
+TF_VAR_add_perf_security_group = true
+TF_VAR_add_regression_security_group = true
+TF_VAR_add_perf_egress = true
+TF_VAR_add_regression_egress = true
+TF_VAR_add_perf_ingress = true
+TF_VAR_add_regression_ingress = true
+
 TF_VAR_db_security_group_name = uec-core-dos-pipeline-datastore-hk-sg
 TF_VAR_db_performance_security_group_name = uec-core-dos-performance-datastore-hk-sg
 TF_VAR_db_regression_security_group_name = uec-core-dos-regression-datastore-hk-sg
diff --git a/infrastructure/stacks/security-groups/data.tf b/infrastructure/stacks/security-groups/data.tf
index 701c807..031ca56 100644
--- a/infrastructure/stacks/security-groups/data.tf
+++ b/infrastructure/stacks/security-groups/data.tf
@@ -3,9 +3,11 @@ data "aws_security_group" "datastore" {
 }
 
 data "aws_security_group" "datastore_performance" {
+  count = var.add_perf_security_group ? 1 : 0
   name = var.db_performance_security_group_name
 }
 
 data "aws_security_group" "datastore_regression" {
+  count = var.add_regression_security_group ? 1 : 0
   name = var.db_regression_security_group_name
 }
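Review bot: Each of the six new TF_VAR flags is a live firewall change rather than a plan-time switch, and the comment block above them only explains why the groups are being added: setting a `TF_VAR_add_*_ingress` flag back to false removes the matching `aws_security_group_rule` from a datastore security group that the stack only looks up through a data source, and enabling an `*_egress`/`*_ingress` flag without its `*_security_group` flag fails at plan because the rules index the counted lookup. A one-line comment in this profile would tell the next editor what a flip does: `# Flip all six together: the *_egress/*_ingress rules index the counted datastore lookups, and turning an *_ingress flag off deletes the rule on the shared datastore SG`. The resources these flags drive live in infrastructure/stacks/security-groups, outside this hunk.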
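Review bot: The two lookups are gated by `add_perf_security_group` / `add_regression_security_group`, but every consumer is gated by a different flag (`add_*_egress` on the lambda SG egress blocks, `add_*_ingress` on the ingress rules) and, once PATCH 2/2 lands, indexes the result as `datastore_performance[0]` / `datastore_regression[0]`; a profile that enables an egress or ingress flag without the matching group flag fails at plan with an index error on an empty list, and enabling the group flag alone leaves an unused lookup. Deriving the lookup from its consumers removes the extra knobs and the failure mode: `count = var.add_perf_egress || var.add_perf_ingress ? 1 : 0` here and the same with the regression flags below, after which the two `add_*_security_group` variables can be dropped. The same `[0]` references appear in the main.tf hunks of PATCH 2/2 (the dynamic egress blocks and the two ingress rule hunks), which inherit the coupling.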
diff --git a/infrastructure/stacks/security-groups/main.tf b/infrastructure/stacks/security-groups/main.tf
index 815f227..761355b 100644
--- a/infrastructure/stacks/security-groups/main.tf
+++ b/infrastructure/stacks/security-groups/main.tf
@@ -11,6 +11,7 @@ resource "aws_security_group" "hk_lambda_sg" {
   }
 
   egress {
+    count = var.add_perf_egress ? 1 : 0
     description = "Core DoS Performance DB Access"
     from_port = 5432
     to_port = 5432
@@ -19,6 +20,7 @@ resource "aws_security_group" "hk_lambda_sg" {
   }
 
   egress {
+    count = var.add_regression_egress ? 1: 0
     description = "Core DoS Regression DB Access"
     from_port = 5432
     to_port = 5432
@@ -46,6 +48,7 @@ resource "aws_security_group_rule" "db_sg_ingress" {
 }
 
 resource "aws_security_group_rule" "db_perf_sg_ingress" {
+  count = var.add_perf_ingress ? 1 : 0
   type = "ingress"
   from_port = 5432
   to_port = 5432
@@ -56,6 +59,7 @@ resource "aws_security_group_rule" "db_perf_sg_ingress" {
 }
 
 resource "aws_security_group_rule" "db_regression_sg_ingress" {
+  count = var.add_regression_ingress ? 1 : 0
   type = "ingress"
   from_port = 5432
   to_port = 5432
diff --git a/infrastructure/stacks/security-groups/variables.tf b/infrastructure/stacks/security-groups/variables.tf
index ce7eb3e..9c12bfc 100644
--- a/infrastructure/stacks/security-groups/variables.tf
+++ b/infrastructure/stacks/security-groups/variables.tf
@@ -21,3 +21,27 @@ variable "db_regression_security_group_name" {
 variable "db_performance_security_group_name" {
   description = "Identifier of security group attached to datastore for performance"
 }
+
+variable "add_perf_security_group" {
+  default = false
+}
+
+variable "add_regression_security_group" {
+  default = false
+}
+
+variable "add_perf_ingress" {
+  default = false
+}
+
+variable "add_regression_ingress" {
+  default = false
+}
+
+variable "add_perf_egress" {
+  default = false
+}
+
+variable "add_regression_egress" {
+  default = false
+}

From 4421245a8badce309ccc1c6a339677be5ecb53ad Mon Sep 17 00:00:00 2001
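Review bot: `count` is a meta-argument of resource, data and module blocks only; inside a nested `egress` block (here and in the second hunk at `@@ -19,6 +20,7 @@`) it is an unknown argument and the configuration does not validate, and the two ingress hunks keep `security_group_id = data.aws_security_group.datastore_performance.id` on a data source that the same commit gives a `count`, which also fails without `[0]`. PATCH 2/2 replaces both with `dynamic "egress"` blocks and indexed references, so the series only plans from the second commit onward; squashing the two commits, or landing the `dynamic` form here, keeps bisect and revert usable. The regression egress block also writes `? 1: 0` where the other five conditions write `? 1 : 0`. The enclosing `aws_security_group` resource starts before and ends after the first two hunks.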
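Review bot: The six new variables carry neither `type` nor `description`, while the existing variables directly above them document themselves (`description = "Identifier of security group attached to datastore for performance"`); without a type, a non-boolean TF_VAR value is only rejected, if at all, where the `? 1 : 0` condition is evaluated rather than at variable parsing. Declaring each with `type = bool` and a description such as `description = "Create the ingress rule from the hk lambda SG to the performance datastore SG"` (for `add_perf_ingress`, and likewise for the other five) rejects bad values early and records what each flip does to the shared datastore security groups.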
From: K Odewale Date: Thu, 18 Jan 2024 17:54:28 +0000 Subject: [PATCH 2/2] DS-2050 Adding Dynamic egress --- infrastructure/stacks/security-groups/main.tf | 39 +++++++++++-------- 1 file changed, 23 insertions(+), 16 deletions(-) diff --git a/infrastructure/stacks/security-groups/main.tf b/infrastructure/stacks/security-groups/main.tf index 761355b..124726a 100644 --- a/infrastructure/stacks/security-groups/main.tf +++ b/infrastructure/stacks/security-groups/main.tf @@ -10,23 +10,30 @@ resource "aws_security_group" "hk_lambda_sg" { security_groups = [data.aws_security_group.datastore.id] } - egress { - count = var.add_perf_egress ? 1 : 0 - description = "Core DoS Performance DB Access" - from_port = 5432 - to_port = 5432 - protocol = "tcp" - security_groups = [data.aws_security_group.datastore_performance.id] + dynamic "egress" { + for_each = var.add_perf_egress ? [1] : [] + content { + description = "Core DoS Performance DB Access" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + security_groups = [data.aws_security_group.datastore_performance[0].id] + } + } - egress { - count = var.add_regression_egress ? 1: 0 - description = "Core DoS Regression DB Access" - from_port = 5432 - to_port = 5432 - protocol = "tcp" - security_groups = [data.aws_security_group.datastore_regression.id] + dynamic "egress" { + for_each = var.add_regression_egress ? [1] : [] + content { + description = "Core DoS Regression DB Access" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + security_groups = [data.aws_security_group.datastore_regression[0].id] + } + } + egress { description = "AWS API Outbound Access" from_port = 443 
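Review bot: The two `dynamic "egress"` blocks differ only in the flag, the data source and one word of the description, so a third datastore means a third copy of the port and protocol lines; one `dynamic "egress"` over a map of the enabled lookups keeps a single copy and puts the flag-to-group pairing in one place. A sketch follows; the `[0]` indexes still assume the matching `add_*_security_group` flag is set, as the second hunk and the two ingress hunks in the next part of this patch do. The enclosing `aws_security_group` resource starts before and ends after this hunk.
```terraform
  dynamic "egress" {
    for_each = merge(
      var.add_perf_egress ? { Performance = data.aws_security_group.datastore_performance[0].id } : {},
      var.add_regression_egress ? { Regression = data.aws_security_group.datastore_regression[0].id } : {},
    )
    content {
      description     = "Core DoS ${egress.key} DB Access"
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [egress.value]
    }
  }
  # … unchanged: "AWS API Outbound Access" egress block …
```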
@@ -53,7 +60,7 @@ resource "aws_security_group_rule" "db_perf_sg_ingress" {
   from_port = 5432
   to_port = 5432
   protocol = "tcp"
-  security_group_id = data.aws_security_group.datastore_performance.id
+  security_group_id = data.aws_security_group.datastore_performance[0].id
   source_security_group_id = aws_security_group.hk_lambda_sg.id
   description = "A rule to allow incoming connections from hk lambda to Performance Datastore Security Group"
 }
@@ -64,7 +71,7 @@ resource "aws_security_group_rule" "db_regression_sg_ingress" {
   from_port = 5432
   to_port = 5432
   protocol = "tcp"
-  security_group_id = data.aws_security_group.datastore_regression.id
+  security_group_id = data.aws_security_group.datastore_regression[0].id
   source_security_group_id = aws_security_group.hk_lambda_sg.id
   description = "A rule to allow incoming connections from hk lambda to Regression Datastore Security Group"
 }