aws-terraform-vpc_endpoint

This module builds VPC endpoints based on the inputs.

Basic Usage

New Style (uses for_each resource parameter)

module "vpc_endpoint" {
  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_endpoint?ref=v0.12.5"

  # The legacy gateway toggles default to true; pin them to false when the
  # gateway_endpoints list is used, or the gateway endpoints are requested twice.
  dynamo_db_endpoint_enable = false
  s3_endpoint_enable        = false

  # Private DNS is only enabled for services that are also in interface_endpoints.
  enable_private_dns_list = ["codebuild", "ec2", "ec2messages", "elasticloadbalancing", "events", "kms", "logs", "monitoring", "sagemaker.runtime", "secretsmanager", "servicecatalog", "sns", "sqs", "ssm"]
  gateway_endpoints       = ["s3", "dynamodb"]
  interface_endpoints     = ["codebuild", "ec2", "ec2messages", "elasticloadbalancing", "events", "execute-api", "kinesis-streams", "kms", "logs", "monitoring", "sagemaker.runtime", "secretsmanager", "servicecatalog", "sns", "sqs", "ssm"]
  security_groups         = [module.security_groups.vpc_endpoint_security_group_id]
  subnets                 = module.base_network.private_subnets
  vpc_id                  = module.base_network.vpc_id

  # Gateway endpoints are attached to route tables rather than subnets.
  route_tables = concat(
    module.base_network.private_route_tables,
    module.base_network.public_route_tables,
  )
}

Legacy (uses boolean toggles per endpoint)

module "vpc_endpoint" {
  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_endpoint?ref=v0.12.5"

  # One boolean per endpoint (deprecated style; see the Terraform 0.12 upgrade notes).
  dynamo_db_endpoint_enable = true
  s3_endpoint_enable        = true
  vpc_id                    = module.base_network.vpc_id

  route_tables = concat(
    module.base_network.private_route_tables,
    module.base_network.public_route_tables,
  )
}

Full working references are available in the examples directory of the repository.

Terraform 0.12 upgrade

Several changes were required while adding Terraform 0.12 compatibility. The following changes should be
made when upgrading from a previous release to version 0.12.0 or higher.

Module variables

The following module variables were updated to better meet current Rackspace style guides:

  • route_tables_ids_list -> route_tables
  • security_group_ids_list -> security_groups
  • subnet_ids_list -> subnets

From version 0.12.1, the following changes have occurred:

Deprecations

  • All of the boolean "enable" variables, such as events_endpoint_enable and events_private_dns_enable, are marked for deprecation to accommodate a more compact and Terraform 0.12 friendly configuration. They will be removed in a future release. In lieu of these, please see the Additions section.

Additions

  • gateway_endpoints - introduced as a single variable to replace all "enable" gateway booleans. It is a list of gateway service names.
  • interface_endpoints - introduced as a single variable to replace all "enable" interface booleans. It is a list of interface service names.
  • enable_private_dns_list - introduced as a single variable to replace all of the "enable" private DNS interface booleans. It is a list of interface service names and should be a subset of interface_endpoints.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |
| aws | >= 2.7.0 |

Providers

| Name | Version |
|------|---------|
| aws | >= 2.7.0 |

Modules

No Modules.

Resources

| Name |
|------|
| aws_region |
| aws_vpc_endpoint |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| codebuild_endpoint_enable | Enable/Disable the codebuild VPC Endpoint. Allowed values: true, false | bool | false | no |
| codebuild_fips_endpoint_enable | Enable/Disable the codebuild-fips VPC Endpoint. Allowed values: true, false | bool | false | no |
| codebuild_fips_private_dns_enable | Enable/Disable private DNS on the codebuild-fips endpoint. Allowed values: true, false | bool | false | no |
| codebuild_private_dns_enable | Enable/Disable private DNS on the codebuild endpoint. Allowed values: true, false | bool | false | no |
| dynamo_db_endpoint_enable | Enable/Disable the DynamoDB VPC Endpoint. Allowed values: true, false | bool | true | no |
| ec2_endpoint_enable | Enable/Disable the ec2 VPC Endpoint. Allowed values: true, false | bool | false | no |
| ec2_private_dns_enable | Enable/Disable private DNS on the ec2 endpoint. Allowed values: true, false | bool | false | no |
| ec2messages_endpoint_enable | Enable/Disable the ec2messages VPC Endpoint. Allowed values: true, false | bool | false | no |
| ec2messages_private_dns_enable | Enable/Disable private DNS on the ec2messages endpoint. Allowed values: true, false | bool | false | no |
| ecr_api_endpoint_enable | Enable/Disable the ecr.api VPC Endpoint. Allowed values: true, false | bool | false | no |
| ecr_api_private_dns_enable | Enable/Disable private DNS on the ecr.api endpoint. Allowed values: true, false | bool | false | no |
| ecr_dkr_endpoint_enable | Enable/Disable the ecr.dkr VPC Endpoint. Allowed values: true, false | bool | false | no |
| ecr_dkr_private_dns_enable | Enable/Disable private DNS on the ecr.dkr endpoint. Allowed values: true, false | bool | false | no |
| elasticloadbalancing_endpoint_enable | Enable/Disable the elasticloadbalancing VPC Endpoint. Allowed values: true, false | bool | false | no |
| elasticloadbalancing_private_dns_enable | Enable/Disable private DNS on the elasticloadbalancing endpoint. Allowed values: true, false | bool | false | no |
| enable_private_dns_list | List of interface endpoints that should have private DNS enabled. This should be a subset of the list of interface endpoints to provision. | list(string) | [] | no |
| endpoint_policies | A map of endpoint policies to apply to the associated VPC Endpoints. Each policy should be listed under a key matching its service (see gateway_endpoints and interface_endpoints). Each policy must be between 100 and 10,240 characters. Services not given an explicit policy will use the Terraform default for the service endpoint. | map | {} | no |
| environment | Application environment for which this network is being created. One of: 'Development', 'Integration', 'PreProduction', 'Production', 'QA', 'Staging', 'Test' | string | "Development" | no |
| events_endpoint_enable | Enable/Disable the events VPC Endpoint. Allowed values: true, false | bool | false | no |
| events_private_dns_enable | Enable/Disable private DNS on the events endpoint. Allowed values: true, false | bool | false | no |
| execute_api_endpoint_enable | Enable/Disable the execute-api VPC Endpoint. Allowed values: true, false | bool | false | no |
| execute_api_private_dns_enable | Enable/Disable private DNS on the execute-api endpoint. Allowed values: true, false | bool | false | no |
| gateway_endpoints | List of gateway endpoints to enable, e.g. ["dynamodb","s3"]. The complete list can be found at https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html. To date only s3 and dynamodb exist. Note that, for backward compatibility, s3_endpoint_enable and dynamo_db_endpoint_enable default to true, so when using this variable those two must be explicitly set to false. | list(string) | [] | no |
| interface_endpoints | List of interface endpoints to enable, e.g. ["codebuild","ec2"]. The complete list can be found at https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html. | list(string) | [] | no |
| kinesis_streams_endpoint_enable | Enable/Disable the kinesis-streams VPC Endpoint. Allowed values: true, false | bool | false | no |
| kinesis_streams_private_dns_enable | Enable/Disable private DNS on the kinesis-streams endpoint. Allowed values: true, false | bool | false | no |
| kms_endpoint_enable | Enable/Disable the kms VPC Endpoint. Allowed values: true, false | bool | false | no |
| kms_private_dns_enable | Enable/Disable private DNS on the kms endpoint. Allowed values: true, false | bool | false | no |
| logs_endpoint_enable | Enable/Disable the logs VPC Endpoint. Allowed values: true, false | bool | false | no |
| logs_private_dns_enable | Enable/Disable private DNS on the logs endpoint. Allowed values: true, false | bool | false | no |
| monitoring_endpoint_enable | Enable/Disable the monitoring VPC Endpoint. Allowed values: true, false | bool | false | no |
| monitoring_private_dns_enable | Enable/Disable private DNS on the monitoring endpoint. Allowed values: true, false | bool | false | no |
| route_tables | List of route table IDs for each AZ | list(string) | [] | no |
| s3_endpoint_enable | Enable/Disable the S3 VPC Endpoint. Allowed values: true, false | bool | true | no |
| sagemaker_runtime_endpoint_enable | Enable/Disable the sagemaker.runtime VPC Endpoint. Allowed values: true, false | bool | false | no |
| sagemaker_runtime_private_dns_enable | Enable/Disable private DNS on the sagemaker.runtime endpoint. Allowed values: true, false | bool | false | no |
| secretsmanager_endpoint_enable | Enable/Disable the secretsmanager VPC Endpoint. Allowed values: true, false | bool | false | no |
| secretsmanager_private_dns_enable | Enable/Disable private DNS on the secretsmanager endpoint. Allowed values: true, false | bool | false | no |
| security_groups | List of security group IDs for the endpoints. | list(string) | [] | no |
| servicecatalog_endpoint_enable | Enable/Disable the servicecatalog VPC Endpoint. Allowed values: true, false | bool | false | no |
| servicecatalog_private_dns_enable | Enable/Disable private DNS on the servicecatalog endpoint. Allowed values: true, false | bool | false | no |
| sns_endpoint_enable | Enable/Disable the sns VPC Endpoint. Allowed values: true, false | bool | false | no |
| sns_private_dns_enable | Enable/Disable private DNS on the sns endpoint. Allowed values: true, false | bool | false | no |
| sqs_endpoint_enable | Enable/Disable the sqs VPC Endpoint. Allowed values: true, false | bool | false | no |
| sqs_private_dns_enable | Enable/Disable private DNS on the sqs endpoint. Allowed values: true, false | bool | false | no |
| ssm_endpoint_enable | Enable/Disable the ssm VPC Endpoint. Allowed values: true, false | bool | false | no |
| ssm_private_dns_enable | Enable/Disable private DNS on the ssm endpoint. Allowed values: true, false | bool | false | no |
| subnets | List of subnets to associate with interface endpoints. | list(string) | [] | no |
| tags | Custom tags to apply to all resources. | map(string) | {} | no |
| vpc_id | Virtual Private Cloud ID | string | n/a | yes |
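The upgrade notes above describe the move from per-endpoint booleans to the gateway_endpoints, interface_endpoints and enable_private_dns_list variables, and the Inputs table states the constraints that go with them (private DNS entries must be a subset of the interface endpoints, the two gateway toggles default to true and must be pinned to false when the list form is used, and each endpoint policy must be 100 to 10,240 characters). The following Python script is an added example, not part of the module: it translates a legacy toggle set into the list-style inputs, checks those documented constraints before terraform plan is run, and builds an example least-privilege policy for the S3 gateway endpoint. The function names, the sample legacy configuration and the bucket ARN are constructed for the example; the policy document shape is the standard IAM policy format and is an assumption about what a caller would supply, not a policy shipped with the module.

```python
"""Pre-flight checks for aws-terraform-vpc_endpoint inputs (added example, not module code).

Translates the deprecated boolean toggles into the list-style variables and
checks the constraints documented in the Inputs table before `terraform plan`.
"""
import json
from typing import Dict, List

# Legacy variable stem -> service name, as listed in the module's Inputs table.
INTERFACE_TOGGLES = {
    "codebuild": "codebuild", "codebuild_fips": "codebuild-fips", "ec2": "ec2",
    "ec2messages": "ec2messages", "ecr_api": "ecr.api", "ecr_dkr": "ecr.dkr",
    "elasticloadbalancing": "elasticloadbalancing", "events": "events",
    "execute_api": "execute-api", "kinesis_streams": "kinesis-streams", "kms": "kms",
    "logs": "logs", "monitoring": "monitoring", "sagemaker_runtime": "sagemaker.runtime",
    "secretsmanager": "secretsmanager", "servicecatalog": "servicecatalog",
    "sns": "sns", "sqs": "sqs", "ssm": "ssm",
}
# The two gateway toggles default to true in the module; interface toggles default to false.
GATEWAY_TOGGLES = {"s3_endpoint_enable": "s3", "dynamo_db_endpoint_enable": "dynamodb"}
POLICY_MIN_LEN, POLICY_MAX_LEN = 100, 10_240  # limits stated for endpoint_policies


def migrate_legacy(legacy: Dict[str, bool]) -> dict:
    """Build the list-style inputs equivalent to a set of legacy boolean toggles."""
    interface = sorted(svc for stem, svc in INTERFACE_TOGGLES.items()
                       if legacy.get(f"{stem}_endpoint_enable", False))
    private_dns = sorted(svc for stem, svc in INTERFACE_TOGGLES.items()
                         if legacy.get(f"{stem}_private_dns_enable", False))
    # Absent gateway toggles mean "enabled", because their module default is true.
    gateway = sorted(svc for var, svc in GATEWAY_TOGGLES.items() if legacy.get(var, True))
    return {
        "gateway_endpoints": gateway,
        "interface_endpoints": interface,
        "enable_private_dns_list": private_dns,
        # Pin the legacy gateway toggles to false once the list is used, otherwise the
        # true defaults would request the gateway endpoints a second time.
        "s3_endpoint_enable": False,
        "dynamo_db_endpoint_enable": False,
    }


def validate(config: dict) -> List[str]:
    """Return the constraint violations found in a list-style configuration."""
    problems: List[str] = []
    gateway = set(config.get("gateway_endpoints", []))
    interface = set(config.get("interface_endpoints", []))
    private_dns = set(config.get("enable_private_dns_list", []))

    unknown = gateway - set(GATEWAY_TOGGLES.values())
    if unknown:
        problems.append(f"unknown gateway endpoints: {sorted(unknown)}")
    not_subset = private_dns - interface
    if not_subset:
        problems.append(f"enable_private_dns_list entries without an interface endpoint: {sorted(not_subset)}")
    if gateway and any(config.get(var, True) for var in GATEWAY_TOGGLES):
        problems.append("gateway_endpoints is set but a legacy gateway toggle is still true (or left at its default)")

    for service, policy in config.get("endpoint_policies", {}).items():
        if service not in gateway | interface:
            problems.append(f"endpoint_policies key {service!r} matches no enabled endpoint")
        text = policy if isinstance(policy, str) else json.dumps(policy)
        if not POLICY_MIN_LEN <= len(text) <= POLICY_MAX_LEN:
            problems.append(f"policy for {service!r} is {len(text)} characters; must be {POLICY_MIN_LEN}-{POLICY_MAX_LEN}")
        try:
            json.loads(text)
        except ValueError:
            problems.append(f"policy for {service!r} is not valid JSON")
    return problems


def s3_gateway_policy(bucket_arns: List[str]) -> str:
    """Endpoint policy limiting the S3 gateway endpoint to the listed buckets.

    Assumed example (standard IAM policy document shape), not a policy shipped
    with the module; trim the actions to what the workloads actually need.
    """
    resources: List[str] = []
    for arn in bucket_arns:
        resources.extend([arn, f"{arn}/*"])
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowListedBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }, indent=2)


# Constructed sample of a legacy-style configuration (not from the module's examples).
LEGACY_SAMPLE = {
    "ec2_endpoint_enable": True,
    "ec2_private_dns_enable": True,
    "kms_endpoint_enable": True,
    "ssm_endpoint_enable": True,
    "dynamo_db_endpoint_enable": False,
}

if __name__ == "__main__":
    new_style = migrate_legacy(LEGACY_SAMPLE)
    new_style["endpoint_policies"] = {
        "s3": s3_gateway_policy(["arn:aws:s3:::example-artifacts-bucket"]),  # constructed ARN
    }
    print(json.dumps(new_style, indent=2))
    print("problems:", validate(new_style) or "none")
```

Running the script prints the migrated inputs for the sample (gateway_endpoints = ["s3"], interface_endpoints = ["ec2", "kms", "ssm"], enable_private_dns_list = ["ec2"]) and reports no problems; dropping the s3_endpoint_enable = false pin, or adding a private DNS entry for a service that is not in interface_endpoints, produces a finding before any plan is run. The S3 policy is attached under the "s3" key, matching the gateway_endpoints entry as the endpoint_policies description requires.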

Outputs

| Name | Description |
|------|-------------|
| codebuild_fips_vpc_endpoint_id | CodeBuild-fips VPC endpoint ID |
| codebuild_vpc_endpoint_id | CodeBuild VPC endpoint ID |
| dynamodb_vpc_endpoint_id | DynamoDB VPC endpoint ID |
| ec2_vpc_endpoint_id | EC2 VPC endpoint ID |
| ec2messages_vpc_endpoint_id | EC2messages VPC endpoint ID |
| ecr_api_vpc_endpoint_id | ecr.api VPC endpoint ID |
| ecr_dkr_vpc_endpoint_id | ecr.dkr VPC endpoint ID |
| elasticloadbalancing_vpc_endpoint_id | Elasticloadbalancing VPC endpoint ID |
| endpoint_ids | Combined list of gateway and interface endpoint IDs |
| events_vpc_endpoint_id | Events VPC endpoint ID |
| execute_api_vpc_endpoint_id | Execute-api VPC endpoint ID |
| kinesis_streams_vpc_endpoint_id | Kinesis-streams VPC endpoint ID |
| kms_vpc_endpoint_id | KMS VPC endpoint ID |
| logs_vpc_endpoint_id | Logs VPC endpoint ID |
| monitoring_vpc_endpoint_id | Monitoring VPC endpoint ID |
| s3_vpc_endpoint_id | S3 VPC endpoint ID |
| sagemaker_runtime_vpc_endpoint_id | Sagemaker.runtime VPC endpoint ID |
| secretsmanager_vpc_endpoint_id | Secretsmanager VPC endpoint ID |
| servicecatalog_vpc_endpoint_id | Servicecatalog VPC endpoint ID |
| sns_vpc_endpoint_id | SNS VPC endpoint ID |
| sqs_vpc_endpoint_id | SQS VPC endpoint ID |
| ssm_vpc_endpoint_id | SSM VPC endpoint ID |