revert create_private_s3_route logic (#63)

frenchfrywpepper · web-flow · commit beca9051f627 · 2025-09-18T10:17:51.000-04:00
* Revert "Allow user to create S3 vpc gateway endpoint on pre-existing subnets (#62)" This reverts commit 79af68c. * Add back create_private_s3_route but mark deprecated
diff --git a/customer-managed/aws/terraform/routing.tf b/customer-managed/aws/terraform/routing.tf
@@ -2,12 +2,8 @@ resource "aws_route_table" "main" {
   vpc_id = data.aws_vpc.redpanda.id
 }
 
-locals {
-  create_private_subnet_routes = local.create_private_subnets ? true : var.create_private_s3_route
-}
-
 resource "aws_route_table" "private" {
-  count  = local.create_private_subnet_routes ? length(local.subnet_ids) : 0
+  count  = local.create_private_subnets ? length(var.private_subnet_cidrs) : 0
   vpc_id = data.aws_vpc.redpanda.id
 
   tags = merge(
@@ -30,14 +26,14 @@ resource "aws_route_table_association" "public" {
 }
 
 resource "aws_route_table_association" "private" {
-  count          = local.create_private_subnet_routes ? length(aws_route_table.private) : 0
-  subnet_id      = local.subnet_ids[count.index]
+  count          = local.create_private_subnets ? length(var.private_subnet_cidrs) : 0
+  subnet_id      = aws_subnet.private[count.index].id
   route_table_id = aws_route_table.private[count.index].id
 }
 
 # Routes S3 traffic to the local gateway endpoint
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
-  count           = length(aws_route_table.private)
+  count           = local.create_private_subnets ? length(var.private_subnet_cidrs) : 0
   vpc_endpoint_id = aws_vpc_endpoint.s3.id
   route_table_id  = aws_route_table.private[count.index].id
 }
diff --git a/customer-managed/aws/terraform/variables.tf b/customer-managed/aws/terraform/variables.tf
@@ -185,12 +185,12 @@ variable "enable_redpanda_connect" {
   HELP
 }
 
+# tflint-ignore: terraform_unused_declarations
 variable "create_private_s3_route" {
   type        = bool
   default     = false
   description = <<-HELP
-  Applies only when private_subnet_ids is passed. If private subnets are created externally this variable defaults
-  to skipping creation of a VPC endpoint and route to S3 for private access to S3 buckets. Setting this variable to
-  true will create the VPC endpoint and route to S3 for private access to S3 buckets for the passed private subnet IDs.
+  DEPRECATED: When private subnets are created externally, s3 routes will never be created here and are also expected
+  to be created externally. This variable will be removed in a future release.
   HELP
 }
