From 0c4528ed41a7a71cc3b91dd2feee2026256e419b Mon Sep 17 00:00:00 2001
From: Mike VanDenburgh
Date: Tue, 17 Sep 2024 21:58:38 -0400
Subject: [PATCH] fixup
---
 k8s/production/gitlab/sealed-secrets.yaml | 14 ----
 k8s/staging/gitlab/kustomization.yaml | 16 ----
 terraform/modules/iam_service_account/iam.tf | 4 +-
 .../modules/iam_service_account/variables.tf | 4 +
 .../modules/spack_aws_k8s/analytics_db.tf | 4 +-
 terraform/modules/spack_aws_k8s/data.tf | 43 ----------
 terraform/modules/spack_aws_k8s/eks.tf | 84 +++++++++++++++++++
 terraform/modules/spack_aws_k8s/gitlab_db.tf | 6 +-
 .../spack_aws_k8s/gitlab_object_stores.tf | 4 +-
 .../spack_aws_k8s/iam_service_accounts.tf | 4 +
 terraform/modules/spack_aws_k8s/karpenter.tf | 2 +-
 terraform/modules/spack_aws_k8s/opensearch.tf | 2 +-
 terraform/modules/spack_aws_k8s/ses.tf | 2 +-
 terraform/modules/spack_aws_k8s/vpc.tf | 4 +-
 14 files changed, 106 insertions(+), 87 deletions(-)
 delete mode 100644 k8s/production/gitlab/sealed-secrets.yaml
diff --git a/k8s/production/gitlab/sealed-secrets.yaml b/k8s/production/gitlab/sealed-secrets.yaml
deleted file mode 100644
index 62a74da6b..000000000
--- a/k8s/production/gitlab/sealed-secrets.yaml
+++ /dev/null
@@ -1,14 +0,0 @@ -apiVersion: bitnami.com/v1alpha1 -kind: SealedSecret -metadata: - name: gitlab-secrets - namespace: gitlab -spec: - encryptedData: - postgres-password: AgCTVia7aVFs0RD2eXkq9+3GAGxf8mzRLjiVoYDYorFScTm0ekhGeXciHbPFkj3nGQjEke7Ah0L0pJJkMG5SXW28HupPuI2+Upco7BaYEjvpjcbuvrjQ4oMqs1/vPf0OKqf0XQu0mN3MDFZch5mBqlz/sOYqSyxBcurd1DgYhDrsH0lWkrk49oKf5nCG722COtD5xwi+n7PTLzaNxWY3lPwTbgdEg/PXUH+qVlZcXTI4fLut+PTuvBNmUaaP/QNfR07PrKu9hgVOgUtIle4Z0IO+enNf6qN06G7hKDN0HP9UgDu8q5A6s4l4LysoaUhgJT3QOvUNvS9mfo/dLBA9pebFKXk0KaQta1OhXINEkfn9kE2S+XKqgsCyKIoVCccEYs/m1439Ck6PkIIXh3SJkkWj7NDvwgW8OIk0cXFNgOUklnnRoIVIJzTEjf54p88skY8oX3njX0GTQtQsvlIWhxLzlmUtrFY0gImn+bvyPpn3rZSXDbdKm8DJ+Qs6ftNlUCN/aWKKVXQ4mxgwluOlEpvFZIeNYH2EUOz9o+3ppPwapeBOBgqZplBX2Ddk+HApLVFsiISGZQjxsKwD3CWHH/Dzov50oYRjbJqXU3XIJq1Lvy5gAEISSSAvF4wMpazQqpKSwOHl2wVpD/GpkkG2nnA/qN6/QL5V0RG1ovtbvtdAmKQgWKbAWejPhsoBfdUBfcK14McEc54RpeHBZUUqIPUmEG0RmA== - values.yaml: AgCxz1TSzLuSgA6P56DzVnuivKw6TPQ1xm1DGV/LJsdoLQPCEN85Kw/WLrzZqisAZABBF0E/EpQbdkGxebl5uNkO80UTC1m6K66tCMfEoRv1PFfM/4elnxZuUcQC4jZpnPHYhy3EvXm+IR5KTwvNG49fUeWTucJbDe82YmXK6ZK2e5evHepFwG6fAHxdpSJ+ss4vz2kYIep1m1rivl6T8M8lF8WotPPxh1yjGjBJ1LDI9bFfawnY7J8seImiXnexozNr8RkQAa2VhRm7SGCif1wfmzAlAvP3feK/7suObgDgBUxw87rH3wUCk/fdFVOsZRa35TK7zmOMbCfKC6aJTA4VhS/hHmDXYvgF39dWPMU4xic62XKycLSGhmOgKOv9BnaDEkk3HsqoKxIlv6DHQxn4ipaKQ1Te3PLxNIUZjrA/huD+1Gsm1YXsg2s7h6gV2M7fGT2hpQsvQipOIKSY0cCWODOigvpCttahRf892o2HnIkq2EK7Gz/jKf6bMxRGHsE97Gr6bAyUDPeK7D0ClYTLZ0P9Tpf5GRubU+9q87THGPMQcafZJx/bwamVbn6eoabL1Ah0SW/g0117iBU1pAb1H9+qCx/8L9orXv2m443RbFne6R24FUZ4hIOl372HbJdXO9p30vPIhGLEkfStdq8RWR6bjbJrChmfxSTkxpdTfhtHgiFXBho9agE2Hvnn4pqR5WmGxKj/k522llqOBKTHjBfEVk79FQKPJ2f3fkcmg8Jr8qOcVfYBexmxihFFN9v17u8TOmET0/B60yKH41bxkwKOpOplX7bqOZuivlNv - template: - metadata: - annotations: - kustomize.toolkit.fluxcd.io/reconcile: disabled - sealedsecrets.bitnami.com/managed: "true" diff --git a/k8s/staging/gitlab/kustomization.yaml b/k8s/staging/gitlab/kustomization.yaml index d713b6001..4764e242c 100644 
--- a/k8s/staging/gitlab/kustomization.yaml
+++ b/k8s/staging/gitlab/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
 - ../../production/gitlab/certificates.yaml
 - ../../production/gitlab/namespace.yaml
 - ../../production/gitlab/release.yaml
- - ../../production/gitlab/sealed-secrets.yaml
 - ../../production/gitlab/pod-cleanup.yaml
 patches:
 - target:
@@ -39,18 +38,3 @@ patches: - op: replace path: /spec/values/gitlab/toolbox/replicas value: 1 - - - target: - kind: SealedSecret - name: gitlab-secrets - namespace: gitlab - patch: |- - - op: replace - path: /spec/encryptedData/postgres-password - value: AgBrhGn3MnFaDZIyzfLlb32sIczl33zXjQ1HS1LSJ1IXqGO7e4soTGrLjMgI37kr7/1ftPF1Zzmj5Ud3DdDzm2pBpBY9GcOKZgupPdFBnRU6T+wNJ5QbYI/ZihD8QLKHkUojc0oNac3rcK1u9Cqc9lyMU5n0QKXbLODXrggwyDfeccL2EWikOWVsz3gKDZFXB7XNab5WyigDFlf3C4toYypAkXIQhEwOfZ9rAo68KdjkAFcHgWt6Z8ceQU2Ik6c5pdMl88KDZwLA141kQP6Cda8MM9IUdwu8IReNrS/3G7rZoHwJR00CaM6fw3BiNtBDOlDndLMOtGRslU0Xr/PLeUu/EaysEnk2tjydPNImayz2Dm1a1FHcRKBCpZB5hslSs8Crrni04cNrKz6J/SDxNYQw9hQbrruZASjKj4YLamiQPEv1jOIpbzUfGsyDC8uxq0Wsp1l5fW5rtMfqB8rZbXwgCp7lO1Rm3fwEaqX9FuT/lP8RgyCT+cbb6JXrhe+lA9bJgjixpk64QwbSf32KrwopHgd071To3SajxYAnDeOYdaZICxoPj19emPlsu595P24tGKqHk5VgRz/RGcd2TtspO9BR24iTWviDjqxEo+BVk0iC0B9EDAHyuVNWCvE8MgORL/nwChqrHijX06U4/dECz5PBJxQ4TDRc+yOcbDjUEZIZajE2wvnVshezHMHRCJ+GkVbs/fZCpDDb6mLYYnyG0G9Bcw== - - op: replace - path: /spec/encryptedData/smtp-password - value: 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 - - op: replace - path: /spec/encryptedData/values.yaml - value: AgAqkxqZpt47BIajymrkjNbYzKjR6qiTipUZvufNUal/hId4RBPSBXPlpdLWJBxlwQ0vsL1ZfC7QQCr9ECC+D5UWsnY6VWkmbFK5K/H5CHErxZUnv4Y8A6kJLV2B0wWbf2YlemATySyxqUlF1SUjazcTyYjpBjWdj7xva16Y+tBrjPq/bQm0WoUBSSPwkYtmK2PWPUN05zM2748AUMcUEK7n+7WGOExl4o17PD+qPbHG72jWRG/x45RIyrmSRMcKQjft94IG5p4hDlV/fJLS7UAGbKff5U5Tfm4Ybq7dol1tmrTt6xsG1nFRV/Rio/t1M8hnusMFRXfIUY8ngDRtSLVC1FX5YdmVpv3AwweIkbBeKgzpvFR2rYYHWN3zAq9vQTE+sULKnDFPS9ZldIXn6CubORTg0lh8Cz9OXfU4g4YSduwXdwYD614N1IXxRtFxr72ec1Xxho/woQF+a7pnlPfdGqwo7b+0ANuNrTpm2wWmpJq5NJXLAFlNRoYhfZntqM7GaqlHDgRLJQQ7CzoXvYSvNeo7Br1t/s6D1jbw+LYfJuE2vz19cQG4K/zeH6kacGtuoErXo5mMhoR1RFadthbYEA8Tac778w2O88t9EJgGMKlHeDRFQVmsx2OhLBf/wqzl8cbVhaa971nHWFNVO3CnO7F9Gn3g0M9WCdyVOUqx7IjJP7O/LjWDMgWnBurv3yiBqOIYzP9ljyWLeqw40H3B9nwbZSVzdy0oPFNKN4MtGJkFVUXVxiMHwRD7SpPorVG58BH9iJ/tkedqDRoaCJNPsmIsGLcyQQ9HWjgEMcX00E8= 
diff --git a/terraform/modules/iam_service_account/iam.tf b/terraform/modules/iam_service_account/iam.tf index b7726c2a4..447e8fbe2 100644 --- a/terraform/modules/iam_service_account/iam.tf +++ b/terraform/modules/iam_service_account/iam.tf @@ -7,7 +7,7 @@ data "aws_iam_openid_connect_provider" "this" { } resource "aws_iam_role" "this" { - name = "${var.service_account_name}-role-${var.deployment_name}" + name = "${var.service_account_name}-role-${var.deployment_name}-${var.deployment_stage}" description = "Managed by Terraform. ${var.service_account_iam_role_description}" assume_role_policy = jsonencode({ "Version" : "2012-10-17", @@ -30,7 +30,7 @@ resource "aws_iam_role" "this" { resource "aws_iam_policy" "this" { for_each = toset(var.service_account_iam_policies) - name = "${var.service_account_name}-policy-${index(var.service_account_iam_policies, each.value)}" + name = "${var.service_account_name}-policy-${var.deployment_name}-${var.deployment_stage}${index(var.service_account_iam_policies, each.value)}" policy = each.value } diff --git a/terraform/modules/iam_service_account/variables.tf b/terraform/modules/iam_service_account/variables.tf index a25faee6d..9a5154d43 100644 --- a/terraform/modules/iam_service_account/variables.tf +++ b/terraform/modules/iam_service_account/variables.tf @@ -2,6 +2,10 @@ variable "deployment_name" { type = string } +variable "deployment_stage" { + type = string +} + variable "service_account_name" { description = "The name of the service account" type = string diff --git a/terraform/modules/spack_aws_k8s/analytics_db.tf b/terraform/modules/spack_aws_k8s/analytics_db.tf index 277522ddf..85d3ecef2 100644 --- a/terraform/modules/spack_aws_k8s/analytics_db.tf +++ b/terraform/modules/spack_aws_k8s/analytics_db.tf 
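Review bot: The new `aws_iam_policy.this` name has no separator before the index, so it renders as `<sa>-policy-<deployment>-<stage>0` (constructed example) while the role in the previous hunk ends cleanly in `-${var.deployment_stage}`; suggest `name = "${var.service_account_name}-policy-${var.deployment_name}-${var.deployment_stage}-${index(var.service_account_iam_policies, each.value)}"`. Because `name` forces replacement of an `aws_iam_policy`, this rename is a destroy-and-create of every policy in the `for_each`, so whichever resource attaches them to `aws_iam_role.this` (not visible in this hunk) should be checked to tolerate the swap rather than fail on a still-attached policy. The `aws_iam_policy` block is complete within the hunk; the role block it pairs with ends outside it.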
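Review bot: `variable "deployment_stage"` is added without a `description`, unlike the neighbouring `service_account_name` variable, and since it is now spliced into every IAM role and policy name its expected values matter; suggest `description = "Deployment stage (e.g. staging or production); appended to IAM role and policy names"`. A `validation` block limiting it to the stage names this module is actually deployed with would also stop a typo from silently creating a second set of roles under a new suffix. The variable block is complete within the hunk.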
@@ -15,8 +15,8 @@ module "analytics_db" { identifier = "spack-analytics${local.suffix}" engine = "postgres" - family = "postgres16" - major_engine_version = "16" + family = "postgres15" + major_engine_version = "15" instance_class = var.gitlab_db_instance_class # Credentials diff --git a/terraform/modules/spack_aws_k8s/data.tf b/terraform/modules/spack_aws_k8s/data.tf index af302336c..496e4701b 100644 --- a/terraform/modules/spack_aws_k8s/data.tf +++ b/terraform/modules/spack_aws_k8s/data.tf @@ -1,46 +1,3 @@ -data "aws_eks_cluster" "spack" { - name = "spack${local.suffix}" -} - -data "aws_security_group" "spack_node_sg" { - name = "${data.aws_eks_cluster.spack.id}-node-sg" -} - -data "aws_iam_openid_connect_provider" "spack" { - url = data.aws_eks_cluster.spack.identity[0].oidc[0].issuer -} - -data "aws_vpc" "spack" { - id = data.aws_eks_cluster.spack.vpc_config[0].vpc_id -} - -data "aws_subnets" "public" { - filter { - name = "vpc-id" - values = [data.aws_vpc.spack.id] - } - filter { - name = "tag:kubernetes.io/role/elb" - values = ["1"] - } -} - -data "aws_subnets" "private" { - filter { - name = "vpc-id" - values = [data.aws_vpc.spack.id] - } - filter { - name = "tag:kubernetes.io/role/internal-elb" - values = ["1"] - } -} - -data "aws_subnet" "spack" { - for_each = toset(concat(data.aws_subnets.public.ids, data.aws_subnets.private.ids)) - id = each.value -} - data "aws_route53_zone" "spack_io" { name = "spack.io" private_zone = false diff --git a/terraform/modules/spack_aws_k8s/eks.tf b/terraform/modules/spack_aws_k8s/eks.tf index 2dbcb898d..58e430680 100644 --- a/terraform/modules/spack_aws_k8s/eks.tf +++ b/terraform/modules/spack_aws_k8s/eks.tf 
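Review bot: `family` and `major_engine_version` move down from 16 to 15 with no matching `engine_version` change visible in the hunk; if the module block still sets a 16.x `engine_version` outside this hunk, RDS will reject the `postgres15` parameter-group family at apply time. RDS also cannot downgrade a major version in place, so if `spack-analytics${local.suffix}` already exists at 16 this is a replacement or a restore from snapshot rather than an update, and `gitlab_db.tf` in the same patch pins 14 rather than 15, so the intended target versions are worth stating explicitly, e.g. `# pinned to 15 intentionally; changing the major version is not an in-place update`. The `module "analytics_db"` block starts and ends outside the hunk.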
@@ -10,6 +10,22 @@ module "eks" { enable_cluster_creator_admin_permissions = true cluster_endpoint_public_access = true + access_entries = { + admin = { + kubernetes_groups = [] + principal_arn = aws_iam_role.eks_cluster_access.arn + + policy_associations = { + cluster = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy" + access_scope = { + type = "cluster" + } + } + } + } + } + cluster_addons = { coredns = { addon_version = "v1.11.1-eksbuild.11" 
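Review bot: `access_entries` maps only `admin`; the `aws_iam_role.readonly_clusterrole` that this same patch creates further down in eks.tf gets no entry, so unless it is mapped elsewhere (an aws-auth ConfigMap or a standalone `aws_eks_access_entry` not in this diff) its assumers can obtain STS credentials but hold no cluster permission at all. A second entry associating `AmazonEKSViewPolicy` at cluster scope would give that role the read-only access its name promises while `admin` keeps `AmazonEKSClusterAdminPolicy`. The `admin` entry is also worth a one-line comment noting it is cluster-wide admin in addition to `enable_cluster_creator_admin_permissions = true`, so an audit of who holds admin does not miss one of the two paths. The `module "eks"` block starts and ends outside the hunk.
```hcl
  access_entries = {
    admin = {
      # … unchanged: cluster-admin entry for aws_iam_role.eks_cluster_access …
    }

    readonly = {
      kubernetes_groups = []
      principal_arn     = aws_iam_role.readonly_clusterrole.arn

      policy_associations = {
        cluster = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }
  }
```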
@@ -254,3 +270,71 @@ resource "aws_iam_policy_attachment" "efs_csi_driver" { roles = [aws_iam_role.efs_csi_driver.name] policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy" # AWS managed policy } + +resource "aws_iam_role" "eks_cluster_access" { + name = "SpackEKSClusterAccess-${var.deployment_name}-${var.deployment_stage}" + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : [ + "arn:aws:iam::588562868276:user/scott", + "arn:aws:iam::588562868276:user/jacob", + "arn:aws:iam::588562868276:user/krattiger1", + "arn:aws:iam::588562868276:user/mike", + "arn:aws:iam::588562868276:user/zack", + "arn:aws:iam::588562868276:user/dan", + "arn:aws:iam::588562868276:user/william", + ] + }, + "Action" : "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "eks_cluster_access" { + name = "SpackEKSClusterAccess-${var.deployment_name}-${var.deployment_stage}" + role = aws_iam_role.eks_cluster_access.id + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Action" : [ + "eks:ListAccessEntries", + "eks:DescribeAccessEntry", + "eks:UpdateAccessEntry", + "eks:ListAccessPolicies", + "eks:AssociateAccessPolicy", + "eks:DisassociateAccessPolicy" + ], + "Resource" : "*" + }, + ] + }) +} + +resource "aws_iam_role" "readonly_clusterrole" { + name = "SpackEKSReadOnlyClusterAccess-${var.deployment_name}-${var.deployment_stage}" + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : [ + "arn:aws:iam::588562868276:user/joesnyder", + "arn:aws:iam::588562868276:user/alecscott", + "arn:aws:iam::588562868276:user/tgamblin", + "arn:aws:iam::588562868276:user/vsoch", + "arn:aws:iam::588562868276:user/caetanomelone", + ] + }, + "Action" : "sts:AssumeRole" + } + ] + }) +} 
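Review bot: `aws_iam_role_policy.eks_cluster_access` grants `eks:UpdateAccessEntry` and `eks:AssociateAccessPolicy` on `"Resource" : "*"`, which lets anyone who can assume the role hand cluster-admin to any principal on every EKS cluster in the account, not just this deployment's; scope the statement to this cluster (`module.eks.cluster_arn`) and the access-entry ARNs under `module.eks.cluster_name`, and consider whether the role needs write access to access entries at all given it already receives `AmazonEKSClusterAdminPolicy`. Both trust policies hard-code twelve IAM-user ARNs from account 588562868276 inside a module that is instantiated per `deployment_name`/`deployment_stage`, so staging and production necessarily trust the same people and offboarding means editing Terraform; a `list(string)` variable per principal set would keep each list reviewable in one place. `aws_iam_role.readonly_clusterrole` also lacks a `description` where `aws_iam_role.opensearch_cognito_role` in this patch has one; suggest `description = "Managed by Terraform. Assumed by engineers who need read-only access to the EKS cluster."`. All three resource blocks are complete within the hunk.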
diff --git a/terraform/modules/spack_aws_k8s/gitlab_db.tf b/terraform/modules/spack_aws_k8s/gitlab_db.tf index 88e8e8fda..e3d375af9 100644 --- a/terraform/modules/spack_aws_k8s/gitlab_db.tf +++ b/terraform/modules/spack_aws_k8s/gitlab_db.tf @@ -15,12 +15,12 @@ module "gitlab_db" { identifier = "spack-gitlab${local.suffix}" engine = "postgres" - family = "postgres16" - major_engine_version = "16" + family = "postgres14" + major_engine_version = "14" instance_class = var.gitlab_db_instance_class db_name = "gitlabhq_production" - username = "gitlab" + username = "postgres" port = "5432" manage_master_user_password = false password = random_password.gitlab_db_password.result diff --git a/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf b/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf index a715b27b2..a86812dfc 100644 --- a/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf +++ b/terraform/modules/spack_aws_k8s/gitlab_object_stores.tf @@ -47,7 +47,7 @@ resource "aws_s3_bucket_lifecycle_configuration" "delete_old_artifacts" { } resource "aws_iam_policy" "gitlab_object_stores" { - name = "GitlabS3Role-${var.deployment_name}" + name = "GitlabS3Role-${var.deployment_name}-${var.deployment_stage}" description = "Managed by Terraform. Grants required permissions for GitLab to read/write to relevant S3 buckets." # https://docs.gitlab.com/ee/install/aws/manual_install_aws.html#create-an-iam-policy @@ -79,7 +79,7 @@ resource "aws_iam_policy" "gitlab_object_stores" { } resource "aws_iam_role" "gitlab_object_stores" { - name = "GitlabS3Role-${var.deployment_name}" + name = "GitlabS3Role-${var.deployment_name}-${var.deployment_stage}" description = "Managed by Terraform. Role for GitLab to assume so that it can access relevant S3 buckets." assume_role_policy = jsonencode({ "Version" : "2012-10-17", diff --git a/terraform/modules/spack_aws_k8s/iam_service_accounts.tf b/terraform/modules/spack_aws_k8s/iam_service_accounts.tf index 9c1f42c57..c294eb9f1 100644 
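Review bot: `username` changes from `gitlab` to `postgres`, and the RDS master username cannot be changed on an existing instance, so if `spack-gitlab${local.suffix}` already exists this plans a destroy-and-recreate of the GitLab database rather than an update; dropping `family`/`major_engine_version` from 16 to 14 carries the same replacement risk, since RDS does not downgrade major versions in place. If the intent is to match an existing database or snapshot, a short comment on these lines (e.g. `# must match the source database: master user and major version cannot be changed in place`) would stop the next maintainer from "fixing" them back. Note also that this hunk pins 14 while `analytics_db.tf` in the same patch pins 15. The `module "gitlab_db"` block starts and ends outside the hunk.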
--- a/terraform/modules/spack_aws_k8s/iam_service_accounts.tf +++ b/terraform/modules/spack_aws_k8s/iam_service_accounts.tf @@ -2,6 +2,7 @@ module "build_cache_pruner" { source = "../iam_service_account" deployment_name = var.deployment_name + deployment_stage = var.deployment_stage service_account_iam_policies = [ jsonencode({ @@ -33,6 +34,7 @@ module "cache_indexer" { source = "../iam_service_account" deployment_name = var.deployment_name + deployment_stage = var.deployment_stage service_account_iam_policies = [ jsonencode({ @@ -59,6 +61,7 @@ module "protected_publish" { source = "../iam_service_account" deployment_name = var.deployment_name + deployment_stage = var.deployment_stage service_account_iam_policies = [ jsonencode({ @@ -81,6 +84,7 @@ module "spackbot" { source = "../iam_service_account" deployment_name = var.deployment_name + deployment_stage = var.deployment_stage service_account_iam_policies = [ jsonencode({ diff --git a/terraform/modules/spack_aws_k8s/karpenter.tf b/terraform/modules/spack_aws_k8s/karpenter.tf index 01cbd4263..06c07de3d 100644 --- a/terraform/modules/spack_aws_k8s/karpenter.tf +++ b/terraform/modules/spack_aws_k8s/karpenter.tf @@ -10,7 +10,7 @@ module "karpenter" { # Name needs to match role name passed to the EC2NodeClass node_iam_role_use_name_prefix = false - node_iam_role_name = "KarpenterControllerNodeRole-${var.deployment_name}" + node_iam_role_name = "KarpenterControllerNodeRole-${var.deployment_name}-${var.deployment_stage}" create_pod_identity_association = true } diff --git a/terraform/modules/spack_aws_k8s/opensearch.tf b/terraform/modules/spack_aws_k8s/opensearch.tf index 9972fbd7b..87e3f8b00 100644 --- a/terraform/modules/spack_aws_k8s/opensearch.tf +++ b/terraform/modules/spack_aws_k8s/opensearch.tf 
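Review bot: `node_iam_role_name` gains the `-${var.deployment_stage}` suffix, but the comment directly above says the name must match the role referenced by the EC2NodeClass, and no manifest change accompanies it in this patch; if the NodeClass still names `KarpenterControllerNodeRole-<deployment_name>` (constructed from the old value), Karpenter will fail to launch nodes after apply. Worth confirming the NodeClass manifest is updated in the same rollout, or extending the comment so the coupling is explicit, e.g. `# Name needs to match role name passed to the EC2NodeClass — update that manifest whenever this changes`. The `module "karpenter"` block starts and ends outside the hunk.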
@@ -164,7 +164,7 @@ data "aws_iam_policy" "amazon_opensearch_service_cognito_access" { } resource "aws_iam_role" "opensearch_cognito_role" { - name = "OpenSearchCognitoAccessRole-${var.deployment_name}" + name = "OpenSearchCognitoAccessRole-${var.deployment_name}-${var.deployment_stage}" description = "IAM role that gives OpenSearch permissions to configure the Amazon Cognito user and identity pools and use them for authentication." assume_role_policy = jsonencode({ "Version" : "2012-10-17", diff --git a/terraform/modules/spack_aws_k8s/ses.tf b/terraform/modules/spack_aws_k8s/ses.tf index e2727d0a5..793afabab 100644 --- a/terraform/modules/spack_aws_k8s/ses.tf +++ b/terraform/modules/spack_aws_k8s/ses.tf @@ -15,7 +15,7 @@ resource "aws_route53_record" "ses_verification" { } resource "aws_iam_user" "ses_user" { - name = "ses-smtp-user-${var.deployment_name}" + name = "ses-smtp-user-${var.deployment_name}-${var.deployment_stage}" } resource "aws_iam_access_key" "ses_user" { diff --git a/terraform/modules/spack_aws_k8s/vpc.tf b/terraform/modules/spack_aws_k8s/vpc.tf index 39cea5561..8b4f93632 100644 --- a/terraform/modules/spack_aws_k8s/vpc.tf +++ b/terraform/modules/spack_aws_k8s/vpc.tf @@ -19,8 +19,8 @@ module "vpc" { cidr = local.vpc_cidr azs = local.azs - private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] - public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 3, k + 4)] enable_nat_gateway = true single_nat_gateway = false
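Review bot: With `newbits = 3` for both subnet lists the VPC is carved into eight equal slots, private subnets taking slots `k` and public subnets `k + 4`, so the layout silently assumes `length(local.azs) <= 4`: a fifth AZ puts private slot 4 on top of public slot 4 (overlapping CIDRs) and the public `k + 4 = 8` then fails in `cidrsubnet`. The previous layout (`4, k` and `8, k + 48`) had no such coupling, so this is a new constraint worth recording, e.g. `# both lists split the VPC into 8 slots: private = 0-3, public = 4-7; requires length(local.azs) <= 4`, or enforcing it with a precondition on `local.azs`. The public subnets also grow from a newbits-8 slice (a /24 on a /16 VPC, constructed example) to a newbits-3 slice, which is fine but belongs in the same comment. The `module "vpc"` block starts and ends outside the hunk.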