Separate Guacamole and Terraformer instances into separate subnets

[jsf9k]

💡 Summary

Instead of having the Guacamole instance and the Terraformer instances in the same subnets, we should split the private subnets into separate sets of Guacamole and Terraformer subnets.

Motivation and context

The Guacamole server is touched by traffic that comes from outside the assessment environment, so the subnet in which it resides should not contain any instances that do not touch such traffic. The Guacamole and Terraformer use cases are also quite different, so it is difficult for them to share NACL rules without making them overly broad for both types of instances.

In addition, I found that I can't ssh via SSM to a Terraformer instance unless I put it in the first private subnet alongside Guacamole. I believe this has something to do with the NACLs that are in place for that subnet specifically. This renders the second private subnet useless for our purposes.

Acceptance criteria

• The Terraformer instance(s) are placed in a subnet (or set of subnets) separate from the operations subnet or the subnet(s) where Guacamole resides.
• Dev team members are able to ssh into the Terraformer instances via AWS SSM.
• The Terraformer instance(s) are also reachable via Guacamole.
• The Terraformer instance(s) can still be used to create, destroy, and modify all appropriate AWS resources.