module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  # Identity and addressing come from locals declared elsewhere in this
  # configuration (local.name, local.vpc_cidr, local.azs, local.tags).
  name = "${local.name} vpc"
  cidr = local.vpc_cidr
  azs  = local.azs

  # Two private and two public /20 ranges, each with a human-readable Name.
  # The module distributes them over the AZs listed in local.azs.
  private_subnets      = ["10.16.32.0/20", "10.16.48.0/20"]
  private_subnet_names = ["ECS example private subnet 1", "ECS example private subnet 2"]
  public_subnets       = ["10.16.64.0/20", "10.16.80.0/20"]
  public_subnet_names  = ["ECS example public subnet 1", "ECS example public subnet 2"]

  # A single shared NAT gateway provides outbound internet for the private
  # subnets (one gateway for all AZs: cheaper, but a single point of failure).
  enable_nat_gateway = true
  single_nat_gateway = true

  # NOTE(review): with this set, any ENI launched into the public subnets is
  # assigned a public IPv4 address. A load balancer does not need it; confirm
  # something in this stack actually relies on it before keeping it enabled.
  map_public_ip_on_launch = true

  # NOTE(review): VPC flow logs are not enabled here (the module's
  # enable_flow_log inputs are left unset), so there is no network-level
  # audit trail for this VPC.
  tags = local.tags
}
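module "vpc_endpoints" {
  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  # Pin the submodule to the same major release as module "vpc" above. An
  # unpinned registry source resolves to whatever the newest published version
  # is at `terraform init` time, so a future release could change the
  # resources created here without any edit to this file.
  version = "~> 5.0"

  vpc_id = module.vpc.vpc_id

  # Dedicated security group attached to the interface endpoint ENIs.
  create_security_group      = true
  security_group_name_prefix = "${local.name}-vpc-endpoints-"
  security_group_description = "VPC endpoint security group"
  security_group_rules = {
    # Inbound from the VPC's own CIDR only. Port and protocol are not set here,
    # so they come from the module's rule defaults; the name and description
    # indicate HTTPS.
    ingress_https = {
      description = "HTTPS from VPC"
      cidr_blocks = [module.vpc.vpc_cidr_block]
    }
    # NOTE(review): all-protocol egress to anywhere. Endpoint ENIs generally
    # do not originate connections, so this rule is likely wider than needed;
    # confirm whether it is required before keeping it.
    egress_all = {
      type        = "egress"
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }

  endpoints = {
    # Gateway endpoint for S3, associated with the private route tables so
    # image-layer downloads from the private subnets stay off the NAT path.
    # Access is restricted by s3_endpoint_policy below.
    s3 = {
      service             = "s3"
      private_dns_enabled = true
      service_type        = "Gateway"
      tags                = { Name = "S3 Gateway Endpoint" }
      policy              = data.aws_iam_policy_document.s3_endpoint_policy.json
      route_table_ids     = module.vpc.private_route_table_ids
    }
    # ECR API and registry interface endpoints. Both are placed in a single
    # private subnet because interface endpoints are priced per AZ; this also
    # means the endpoints are unavailable if that AZ is.
    ecr_api = {
      service             = "ecr.api"
      private_dns_enabled = true
      tags                = { Name = "ECR API Interface Endpoint" }
      subnet_ids          = [module.vpc.private_subnets[0]] # Interface endpoints are priced per AZ
      policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
    }
    ecr_dkr = {
      service             = "ecr.dkr"
      private_dns_enabled = true
      tags                = { Name = "ECR DKR Interface Endpoint" }
      subnet_ids          = [module.vpc.private_subnets[0]] # Interface endpoints are priced per AZ
      policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
    }
  }

  tags = merge(local.tags, {
    Project  = "Demo Private ECS with Fargate"
    Endpoint = "true"
  })
}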
################################################################################
# Supporting Resources
################################################################################
# Endpoint policy shared by the ECR interface endpoints.
#
# Statement 1 denies every action to every principal whose request did not
# originate from this VPC (aws:SourceVpc must equal module.vpc.vpc_id), which
# prevents the endpoint from being used as a path from other networks.
# Statement 2 then permits only the ECR calls needed to authenticate and pull
# an image. An explicit Deny always wins over an Allow in IAM evaluation.
data "aws_iam_policy_document" "generic_endpoint_policy" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    effect    = "Deny"
    actions   = ["*"]
    resources = ["*"]

    # Requests that did not enter through this VPC are rejected.
    condition {
      variable = "aws:SourceVpc"
      test     = "StringNotEquals"
      values   = [module.vpc.vpc_id]
    }
  }

  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    effect    = "Allow"
    resources = ["*"]
    # Minimum set for an image pull: obtain a registry token, resolve the
    # manifest, check layer presence and fetch the layer download URLs.
    actions = [
      "ecr:GetAuthorizationToken",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer"
    ]
  }
}
# Endpoint policy for the S3 gateway endpoint.
#
# Grants read-only object access to a single bucket: the regional bucket from
# which ECR serves image layers. Nothing else in S3 is reachable through this
# endpoint, so workloads cannot use it to read or write arbitrary buckets.
data "aws_iam_policy_document" "s3_endpoint_policy" {
  statement {
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    effect  = "Allow"
    actions = ["s3:GetObject"]
    # Region-specific ECR layer bucket; object reads are what an image pull needs.
    resources = ["arn:aws:s3:::prod-${local.region}-starport-layer-bucket/*"] # to access the layer files
  }
}