Date: 2021-09-24
❌ Rejected
A core part of the Modernisation Platform is its network topology and configuration, and we naturally want confidence that it exists in its desired state to meet security, compliance and best-practice requirements. We want to use products and tools that offer network monitoring and testing capabilities to give us this confidence.
IaC network tester is a programmatic wrapper around the AWS Reachability Analyzer. It supports automated executions of Reachability Analyzer, with feedback indicating whether the network connectivity test was successful. Such a tool could allow us to test network connectivity automatically and take action on the results.
- effort would be required to transform Terraform outputs into a form acceptable as input to the IaC network tester (by default it appears to integrate tightly only with CloudFormation stacks)
- it can only test connectivity between deployed resources such as EC2 instances, network interfaces, network gateways and internet gateways; Reachability Analyzer analyses the configured path rather than sending traffic, so a positive result means the configuration permits the path, not that a service is listening at the other end
- it potentially allows us to codify expected connectivity and alert on deviations, including asserting that a path is blocked, since each analysis reports whether or not a path was found
- the source and destination resources must be in the same VPC or in VPCs connected through a VPC peering connection. In the case of a shared VPC (as is the case within the Modernisation Platform), the resources must be owned by the same AWS account. This limits what we can test to connectivity within a VPC, i.e. within a business unit's VPC in a particular environment; we would be unable to test across VPCs, e.g. across business units or across environments
- applying the IaC network tester would therefore depend on transforming outputs from our IaC tool of choice, Terraform, into a format the tool can parse
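As an added illustration of the approach described in the points above (automated Reachability Analyzer runs, codified connectivity expectations with alerting on deviations, and the same-VPC-or-peered constraint), and not code from the Modernisation Platform or the IaC network tester project: expected connectivity is declared as data and checked with the EC2 Network Insights API calls that Reachability Analyzer exposes. The `client` argument is any object offering the boto3 EC2 methods used; the `FakeEc2` class, the resource IDs and the reachability table are constructed so that the example runs offline.

```python
"""Codified reachability expectations checked through the Reachability Analyzer
API. Added illustration, not code from the Modernisation Platform or the IaC
network tester project. `client` is any object exposing the boto3 EC2 methods
used here (e.g. boto3.client("ec2")); FakeEc2 and every resource ID below are
constructed so the file runs offline."""
import time
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Expectation:
    name: str
    source: str             # instance, ENI or gateway ID
    destination: str
    source_vpc: str
    destination_vpc: str
    port: Optional[int] = None
    protocol: str = "tcp"
    reachable: bool = True  # the result we *expect* the analysis to report

def run_analysis(client, exp, poll_seconds=5.0, max_polls=60):
    """Create a path, analyse it once, poll to completion, return NetworkPathFound."""
    kwargs = {"DestinationPort": exp.port} if exp.port is not None else {}
    path_id = client.create_network_insights_path(
        Source=exp.source, Destination=exp.destination, Protocol=exp.protocol, **kwargs
    )["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = None
    try:
        analysis_id = client.start_network_insights_analysis(
            NetworkInsightsPathId=path_id
        )["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
        for _ in range(max_polls):
            analysis = client.describe_network_insights_analyses(
                NetworkInsightsAnalysisIds=[analysis_id]
            )["NetworkInsightsAnalyses"][0]
            if analysis["Status"] == "succeeded":
                return analysis["NetworkPathFound"]
            if analysis["Status"] == "failed":
                raise RuntimeError(f"{exp.name}: {analysis.get('StatusMessage', 'failed')}")
            time.sleep(poll_seconds)  # a real analysis takes several seconds
        raise TimeoutError(f"{exp.name}: analysis {analysis_id} did not finish")
    finally:  # leave nothing behind: delete the analysis first, then its path
        if analysis_id is not None:
            client.delete_network_insights_analysis(NetworkInsightsAnalysisId=analysis_id)
        client.delete_network_insights_path(NetworkInsightsPathId=path_id)

def check_expectations(client, expectations, peered_vpcs=frozenset(), **poll):
    """Return (deviations, untestable). Deviations are (name, expected, observed) for
    paths that should be open but are not, or should be blocked but are not. Untestable
    lists expectations spanning VPCs that are neither the same nor peered, which the
    analyser (as documented when this ADR was written) cannot evaluate: reported, not skipped."""
    deviations, untestable = [], []
    for exp in expectations:
        pair = frozenset((exp.source_vpc, exp.destination_vpc))
        if len(pair) == 2 and pair not in peered_vpcs:
            untestable.append(exp.name)
            continue
        found = run_analysis(client, exp, **poll)
        if found != exp.reachable:
            deviations.append((exp.name, exp.reachable, found))
    return deviations, untestable

class FakeEc2:
    """Constructed stand-in for boto3's EC2 client, answering from a fixed table."""
    def __init__(self, reachability):
        self._reachability = reachability  # (source, destination) -> path found?
        self._paths, self._analyses, self._polls, self._n = {}, {}, {}, 0
    def create_network_insights_path(self, Source, Destination, Protocol, DestinationPort=None):
        self._n += 1
        pid = f"nip-{self._n:017x}"
        self._paths[pid] = (Source, Destination)
        return {"NetworkInsightsPath": {"NetworkInsightsPathId": pid}}
    def start_network_insights_analysis(self, NetworkInsightsPathId):
        self._n += 1
        aid = f"nia-{self._n:017x}"
        self._analyses[aid], self._polls[aid] = self._paths[NetworkInsightsPathId], 0
        return {"NetworkInsightsAnalysis": {"NetworkInsightsAnalysisId": aid, "Status": "running"}}
    def describe_network_insights_analyses(self, NetworkInsightsAnalysisIds):
        aid = NetworkInsightsAnalysisIds[0]
        self._polls[aid] += 1
        result = {"NetworkInsightsAnalysisId": aid, "Status": "running"}  # first poll: still running
        if self._polls[aid] > 1:
            found = self._reachability.get(self._analyses[aid], False)
            result.update(Status="succeeded", NetworkPathFound=found)
        return {"NetworkInsightsAnalyses": [result]}
    def delete_network_insights_analysis(self, NetworkInsightsAnalysisId):
        del self._analyses[NetworkInsightsAnalysisId]
    def delete_network_insights_path(self, NetworkInsightsPathId):
        del self._paths[NetworkInsightsPathId]

# Constructed sample: two expectations inside one business unit's VPC, one across units.
EXPECTATIONS = [
    Expectation("web -> db:5432 open", "eni-0aaa", "eni-0bbb", "vpc-a", "vpc-a", port=5432),
    Expectation("igw -> db:5432 blocked", "igw-0ccc", "eni-0bbb", "vpc-a", "vpc-a", port=5432, reachable=False),
    Expectation("web -> other-bu:443 open", "eni-0aaa", "eni-0ddd", "vpc-a", "vpc-b", port=443),
]
# What the fake analyser "finds": the internet gateway reaches the database, a deviation to alert on.
REACHABILITY = {("eni-0aaa", "eni-0bbb"): True, ("igw-0ccc", "eni-0bbb"): True}

def demo():
    return check_expectations(FakeEc2(REACHABILITY), EXPECTATIONS, poll_seconds=0)
```

Calling `demo()` against the constructed data reports the internet-gateway-to-database path as a deviation (it should be blocked, but a path was found) and the cross-business-unit expectation as untestable rather than quietly passing. Against a real account, pass `boto3.client("ec2")` and a populated `peered_vpcs` set, and remember that a "path found" result means the configuration permits the path, not that anything is listening.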
Given the disadvantages of the tool itself, specifically the limitations around cross-VPC testing and the fact that no use cases for testing within a VPC currently exist, the arguments for using it are not sufficiently convincing.
Google doc capturing network testing requirements, principles and related spike stories