diff --git a/README.md b/README.md
index c99a66d..f9224b1 100644
--- a/README.md
+++ b/README.md
@@ -133,6 +133,42 @@ module "app_runner_image_base" {
}
```
+### Private AppRunner Service
+
+```hcl
+module "app_runner_private" {
+ source = "terraform-aws-modules/app-runner/aws"
+
+ service_name = "example-private"
+
+ ...
+
+ # Ingress
+ create_ingress_vpc_connection = true
+ ingress_vpc_id = "vpc-12345678"
+ ingress_vpc_endpoint_id = "vpce-01234567890123456 s"
+
+ # Egress
+ create_vpc_connector = true
+ vpc_connector_subnets = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+ vpc_connector_security_groups = ["sg-12345678"]
+
+ network_configuration = {
+ ingress_configuration = {
+ is_publicly_accessible = false
+ }
+ egress_configuration = {
+ egress_type = "VPC"
+ }
+ }
+
+ tags = {
+ Terraform = "true"
+ Environment = "dev"
+ }
+}
+```
+
## Examples
Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-app-runner/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
@@ -145,13 +181,13 @@ Examples codified under the [`examples`](https://github.com/terraform-aws-module
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.22 |
+| [aws](#requirement\_aws) | >= 4.38 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 4.22 |
+| [aws](#provider\_aws) | >= 4.38 |
## Modules
@@ -167,6 +203,7 @@ No modules.
| [aws_apprunner_observability_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_observability_configuration) | resource |
| [aws_apprunner_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_service) | resource |
| [aws_apprunner_vpc_connector.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_vpc_connector) | resource |
+| [aws_apprunner_vpc_ingress_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/apprunner_vpc_ingress_connection) | resource |
| [aws_iam_policy.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_role.access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role.instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
@@ -195,6 +232,7 @@ No modules.
| [create](#input\_create) | Determines whether resources will be created (affects all resources) | `bool` | `true` | no |
| [create\_access\_iam\_role](#input\_create\_access\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `false` | no |
| [create\_custom\_domain\_association](#input\_create\_custom\_domain\_association) | Determines whether a Custom Domain Association will be created | `bool` | `false` | no |
+| [create\_ingress\_vpc\_connection](#input\_create\_ingress\_vpc\_connection) | Determines whether a VPC ingress configuration will be created | `bool` | `false` | no |
| [create\_instance\_iam\_role](#input\_create\_instance\_iam\_role) | Determines whether an IAM role is created or to use an existing IAM role | `bool` | `true` | no |
| [create\_service](#input\_create\_service) | Determines whether the service will be created | `bool` | `true` | no |
| [create\_vpc\_connector](#input\_create\_vpc\_connector) | Determines whether a VPC Connector will be created | `bool` | `false` | no |
@@ -203,6 +241,8 @@ No modules.
| [enable\_www\_subdomain](#input\_enable\_www\_subdomain) | Whether to associate the subdomain with the App Runner service in addition to the base domain. Defaults to `true` | `bool` | `null` | no |
| [encryption\_configuration](#input\_encryption\_configuration) | The encryption configuration for the service | `any` | `{}` | no |
| [health\_check\_configuration](#input\_health\_check\_configuration) | The health check configuration for the service | `any` | `{}` | no |
+| [ingress\_vpc\_endpoint\_id](#input\_ingress\_vpc\_endpoint\_id) | The ID of the VPC endpoint that is used for the VPC ingress configuration | `string` | `""` | no |
+| [ingress\_vpc\_id](#input\_ingress\_vpc\_id) | The ID of the VPC that is used for the VPC ingress configuration | `string` | `""` | no |
| [instance\_configuration](#input\_instance\_configuration) | The instance configuration for the service | `any` | `{}` | no |
| [instance\_iam\_role\_description](#input\_instance\_iam\_role\_description) | Description of the role | `string` | `null` | no |
| [instance\_iam\_role\_name](#input\_instance\_iam\_role\_name) | Name to use on IAM role created | `string` | `null` | no |
@@ -227,7 +267,7 @@ No modules.
| [access\_iam\_role\_arn](#output\_access\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
| [access\_iam\_role\_name](#output\_access\_iam\_role\_name) | The name of the IAM role |
| [access\_iam\_role\_unique\_id](#output\_access\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
-| [auto\_scaling\_configurations](#output\_auto\_scaling\_configurations) | Map of attribute maps for all autosclaing configurations created |
+| [auto\_scaling\_configurations](#output\_auto\_scaling\_configurations) | Map of attribute maps for all autoscaling configurations created |
| [connections](#output\_connections) | Map of attribute maps for all connections created |
| [custom\_domain\_association\_certificate\_validation\_records](#output\_custom\_domain\_association\_certificate\_validation\_records) | A set of certificate CNAME records used for this domain name |
| [custom\_domain\_association\_dns\_target](#output\_custom\_domain\_association\_dns\_target) | The App Runner subdomain of the App Runner service. The custom domain name is mapped to this target name. Attribute only available if resource created (not imported) with Terraform |
@@ -246,6 +286,8 @@ No modules.
| [vpc\_connector\_arn](#output\_vpc\_connector\_arn) | The Amazon Resource Name (ARN) of VPC connector |
| [vpc\_connector\_revision](#output\_vpc\_connector\_revision) | The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name |
| [vpc\_connector\_status](#output\_vpc\_connector\_status) | The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted |
+| [vpc\_ingress\_connection\_arn](#output\_vpc\_ingress\_connection\_arn) | The Amazon Resource Name (ARN) of the VPC Ingress Connection |
+| [vpc\_ingress\_connection\_domain\_name](#output\_vpc\_ingress\_connection\_domain\_name) | The domain name associated with the VPC Ingress Connection resource |
## License
diff --git a/examples/complete/README.md b/examples/complete/README.md
index 75394e8..35e716a 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -34,13 +34,13 @@ Note that this example may create resources which will incur monetary charges on
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.22 |
+| [aws](#requirement\_aws) | >= 4.38 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 4.22 |
+| [aws](#provider\_aws) | >= 4.38 |
## Modules
@@ -49,9 +49,12 @@ Note that this example may create resources which will incur monetary charges on
| [app\_runner\_code\_base](#module\_app\_runner\_code\_base) | ../.. | n/a |
| [app\_runner\_disabled](#module\_app\_runner\_disabled) | ../.. | n/a |
| [app\_runner\_image\_base](#module\_app\_runner\_image\_base) | ../.. | n/a |
+| [app\_runner\_private](#module\_app\_runner\_private) | ../.. | n/a |
| [app\_runner\_shared\_configs](#module\_app\_runner\_shared\_configs) | ../.. | n/a |
| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
+| [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | n/a |
+| [vpc\_endpoints\_security\_group](#module\_vpc\_endpoints\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 |
## Resources
@@ -90,6 +93,8 @@ Note that this example may create resources which will incur monetary charges on
| [code\_base\_vpc\_connector\_arn](#output\_code\_base\_vpc\_connector\_arn) | The Amazon Resource Name (ARN) of VPC connector |
| [code\_base\_vpc\_connector\_revision](#output\_code\_base\_vpc\_connector\_revision) | The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name |
| [code\_base\_vpc\_connector\_status](#output\_code\_base\_vpc\_connector\_status) | The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted |
+| [code\_base\_vpc\_ingress\_connection\_arn](#output\_code\_base\_vpc\_ingress\_connection\_arn) | The Amazon Resource Name (ARN) of the VPC Ingress Connection |
+| [code\_base\_vpc\_ingress\_connection\_domain\_name](#output\_code\_base\_vpc\_ingress\_connection\_domain\_name) | The domain name associated with the VPC Ingress Connection resource |
| [connections](#output\_connections) | Map of attribute maps for all connections created |
| [image\_base\_access\_iam\_role\_arn](#output\_image\_base\_access\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
| [image\_base\_access\_iam\_role\_name](#output\_image\_base\_access\_iam\_role\_name) | The name of the IAM role |
@@ -111,6 +116,30 @@ Note that this example may create resources which will incur monetary charges on
| [image\_base\_vpc\_connector\_arn](#output\_image\_base\_vpc\_connector\_arn) | The Amazon Resource Name (ARN) of VPC connector |
| [image\_base\_vpc\_connector\_revision](#output\_image\_base\_vpc\_connector\_revision) | The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name |
| [image\_base\_vpc\_connector\_status](#output\_image\_base\_vpc\_connector\_status) | The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted |
+| [image\_base\_vpc\_ingress\_connection\_arn](#output\_image\_base\_vpc\_ingress\_connection\_arn) | The Amazon Resource Name (ARN) of the VPC Ingress Connection |
+| [image\_base\_vpc\_ingress\_connection\_domain\_name](#output\_image\_base\_vpc\_ingress\_connection\_domain\_name) | The domain name associated with the VPC Ingress Connection resource |
+| [private\_access\_iam\_role\_arn](#output\_private\_access\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [private\_access\_iam\_role\_name](#output\_private\_access\_iam\_role\_name) | The name of the IAM role |
+| [private\_access\_iam\_role\_unique\_id](#output\_private\_access\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [private\_custom\_domain\_association\_certificate\_validation\_records](#output\_private\_custom\_domain\_association\_certificate\_validation\_records) | A set of certificate CNAME records used for this domain name |
+| [private\_custom\_domain\_association\_dns\_target](#output\_private\_custom\_domain\_association\_dns\_target) | The App Runner subdomain of the App Runner service. The custom domain name is mapped to this target name. Attribute only available if resource created (not imported) with Terraform |
+| [private\_custom\_domain\_association\_id](#output\_private\_custom\_domain\_association\_id) | The `domain_name` and `service_arn` separated by a comma (`,`) |
+| [private\_instance\_iam\_role\_arn](#output\_private\_instance\_iam\_role\_arn) | The Amazon Resource Name (ARN) specifying the IAM role |
+| [private\_instance\_iam\_role\_name](#output\_private\_instance\_iam\_role\_name) | The name of the IAM role |
+| [private\_instance\_iam\_role\_unique\_id](#output\_private\_instance\_iam\_role\_unique\_id) | Stable and unique string identifying the IAM role |
+| [private\_observability\_configuration\_arn](#output\_private\_observability\_configuration\_arn) | ARN of this observability configuration |
+| [private\_observability\_configuration\_latest](#output\_private\_observability\_configuration\_latest) | Whether the observability configuration has the highest `observability_configuration_revision` among all configurations that share the same `observability_configuration_name` |
+| [private\_observability\_configuration\_revision](#output\_private\_observability\_configuration\_revision) | The revision of the observability configuration |
+| [private\_observability\_configuration\_status](#output\_private\_observability\_configuration\_status) | The current state of the observability configuration. An `INACTIVE` configuration revision has been deleted and can't be used. It is permanently removed some time after deletion |
+| [private\_service\_arn](#output\_private\_service\_arn) | The Amazon Resource Name (ARN) of the service |
+| [private\_service\_id](#output\_private\_service\_id) | An alphanumeric ID that App Runner generated for this service. Unique within the AWS Region |
+| [private\_service\_status](#output\_private\_service\_status) | The current state of the App Runner service |
+| [private\_service\_url](#output\_private\_service\_url) | A subdomain URL that App Runner generated for this service. You can use this URL to access your service web application |
+| [private\_vpc\_connector\_arn](#output\_private\_vpc\_connector\_arn) | The Amazon Resource Name (ARN) of VPC connector |
+| [private\_vpc\_connector\_revision](#output\_private\_vpc\_connector\_revision) | The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name |
+| [private\_vpc\_connector\_status](#output\_private\_vpc\_connector\_status) | The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted |
+| [private\_vpc\_ingress\_connection\_arn](#output\_private\_vpc\_ingress\_connection\_arn) | The Amazon Resource Name (ARN) of the VPC Ingress Connection |
+| [private\_vpc\_ingress\_connection\_domain\_name](#output\_private\_vpc\_ingress\_connection\_domain\_name) | The domain name associated with the VPC Ingress Connection resource |
Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-app-runner/blob/master/LICENSE).
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 593e2fd..0498112 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -88,7 +88,6 @@ module "app_runner_code_base" {
tags = local.tags
}
-
module "app_runner_image_base" {
source = "../.."
@@ -129,6 +128,47 @@ module "app_runner_image_base" {
tags = local.tags
}
+module "app_runner_private" {
+ source = "../.."
+
+ service_name = "${local.name}-private"
+
+ # Pulling from shared configs
+ auto_scaling_configuration_arn = module.app_runner_shared_configs.auto_scaling_configurations["mega"].arn
+
+ source_configuration = {
+ auto_deployments_enabled = false
+ image_repository = {
+ image_configuration = {
+ port = 8000
+ }
+ image_identifier = "public.ecr.aws/aws-containers/hello-app-runner:latest"
+ image_repository_type = "ECR_PUBLIC"
+ }
+ }
+
+ create_ingress_vpc_connection = true
+ ingress_vpc_id = module.vpc.vpc_id
+ ingress_vpc_endpoint_id = module.vpc_endpoints.endpoints["apprunner"].id
+
+ create_vpc_connector = true
+ vpc_connector_subnets = module.vpc.private_subnets
+ vpc_connector_security_groups = [module.security_group.security_group_id]
+
+ network_configuration = {
+ ingress_configuration = {
+ is_publicly_accessible = false
+ }
+ egress_configuration = {
+ egress_type = "VPC"
+ }
+ }
+
+ enable_observability_configuration = true
+
+ tags = local.tags
+}
+
module "app_runner_disabled" {
source = "../.."
@@ -159,11 +199,30 @@ module "vpc" {
enable_nat_gateway = false
single_nat_gateway = true
+ enable_dns_hostnames = true
map_public_ip_on_launch = false
tags = local.tags
}
+module "vpc_endpoints" {
+ source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+
+ vpc_id = module.vpc.vpc_id
+ security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
+
+ endpoints = {
+ apprunner = {
+ service = "apprunner.requests"
+ # private_dns_enabled = true
+ subnet_ids = module.vpc.private_subnets
+ tags = { Name = "${local.name}-apprunner" }
+ },
+ }
+
+ tags = local.tags
+}
+
module "security_group" {
source = "terraform-aws-modules/security-group/aws"
version = "~> 4.0"
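Review bot: The commented-out `# private_dns_enabled = true` in the `apprunner` endpoint block leaves the reader guessing whether private DNS was dropped on purpose or is unfinished work. If it is deliberate (my recollection is that the App Runner private-service setup expects private DNS left off for the `apprunner.requests` endpoint, with clients resolving the ingress connection's own domain name — confirm against the AWS docs), say so in place of the dead line: `# private_dns_enabled intentionally unset: clients use the VPC Ingress Connection domain name (output vpc_ingress_connection_domain_name)`. The added `enable_dns_hostnames = true` on the `vpc` module is the right companion change for an interface endpoint, and a one-line comment tying the two together would help the next reader as well.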
@@ -177,3 +236,17 @@ module "security_group" {
tags = local.tags
}
+
+module "vpc_endpoints_security_group" {
+ source = "terraform-aws-modules/security-group/aws"
+ version = "~> 4.0"
+
+ name = "${local.name}-vpc-endpoints"
+ description = "Security group for VPC Endpoints"
+ vpc_id = module.vpc.vpc_id
+
+ egress_rules = ["https-443-tcp"]
+ egress_cidr_blocks = [module.vpc.vpc_cidr_block]
+
+ tags = local.tags
+}
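Review bot: The security group for the App Runner interface endpoint only carries egress rules (`egress_rules = ["https-443-tcp"]`, `egress_cidr_blocks = [module.vpc.vpc_cidr_block]`), but an interface endpoint ENI accepts connections rather than initiating them, so the rule that matters is inbound 443 from the VPC; as far as I can tell the security-group module adds no ingress unless asked, which would leave the private service unreachable through the endpoint. Replace the two lines with `ingress_rules = ["https-443-tcp"]` and `ingress_cidr_blocks = [module.vpc.vpc_cidr_block]`, or better a source-security-group rule scoped to the clients that should reach the service, which is tighter than the whole VPC CIDR. The egress side can be dropped; the endpoint does not need outbound rules.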
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index cd5a44c..d25d141 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -66,6 +66,16 @@ output "code_base_instance_iam_role_unique_id" {
value = module.app_runner_code_base.instance_iam_role_unique_id
}
+output "code_base_vpc_ingress_connection_arn" {
+ description = "The Amazon Resource Name (ARN) of the VPC Ingress Connection"
+ value = module.app_runner_code_base.vpc_ingress_connection_arn
+}
+
+output "code_base_vpc_ingress_connection_domain_name" {
+ description = "The domain name associated with the VPC Ingress Connection resource"
+ value = module.app_runner_code_base.vpc_ingress_connection_domain_name
+}
+
output "code_base_custom_domain_association_id" {
description = "The `domain_name` and `service_arn` separated by a comma (`,`)"
value = module.app_runner_code_base.custom_domain_association_id
@@ -170,6 +180,16 @@ output "image_base_instance_iam_role_unique_id" {
value = module.app_runner_image_base.instance_iam_role_unique_id
}
+output "image_base_vpc_ingress_connection_arn" {
+ description = "The Amazon Resource Name (ARN) of the VPC Ingress Connection"
+ value = module.app_runner_image_base.vpc_ingress_connection_arn
+}
+
+output "image_base_vpc_ingress_connection_domain_name" {
+ description = "The domain name associated with the VPC Ingress Connection resource"
+ value = module.app_runner_image_base.vpc_ingress_connection_domain_name
+}
+
output "image_base_custom_domain_association_id" {
description = "The `domain_name` and `service_arn` separated by a comma (`,`)"
value = module.app_runner_image_base.custom_domain_association_id
@@ -219,3 +239,117 @@ output "image_base_observability_configuration_status" {
description = "The current state of the observability configuration. An `INACTIVE` configuration revision has been deleted and can't be used. It is permanently removed some time after deletion"
value = module.app_runner_image_base.observability_configuration_status
}
+
+################################################################################
+# Private
+################################################################################
+
+output "private_service_arn" {
+ description = "The Amazon Resource Name (ARN) of the service"
+ value = module.app_runner_private.service_arn
+}
+
+output "private_service_id" {
+ description = "An alphanumeric ID that App Runner generated for this service. Unique within the AWS Region"
+ value = module.app_runner_private.service_id
+}
+
+output "private_service_url" {
+ description = "A subdomain URL that App Runner generated for this service. You can use this URL to access your service web application"
+ value = module.app_runner_private.service_url
+}
+
+output "private_service_status" {
+ description = "The current state of the App Runner service"
+ value = module.app_runner_private.service_status
+}
+
+output "private_access_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.app_runner_private.access_iam_role_name
+}
+
+output "private_access_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.app_runner_private.access_iam_role_arn
+}
+
+output "private_access_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.app_runner_private.access_iam_role_unique_id
+}
+
+output "private_instance_iam_role_name" {
+ description = "The name of the IAM role"
+ value = module.app_runner_private.instance_iam_role_name
+}
+
+output "private_instance_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) specifying the IAM role"
+ value = module.app_runner_private.instance_iam_role_arn
+}
+
+output "private_instance_iam_role_unique_id" {
+ description = "Stable and unique string identifying the IAM role"
+ value = module.app_runner_private.instance_iam_role_unique_id
+}
+
+output "private_vpc_ingress_connection_arn" {
+ description = "The Amazon Resource Name (ARN) of the VPC Ingress Connection"
+ value = module.app_runner_private.vpc_ingress_connection_arn
+}
+
+output "private_vpc_ingress_connection_domain_name" {
+ description = "The domain name associated with the VPC Ingress Connection resource"
+ value = module.app_runner_private.vpc_ingress_connection_domain_name
+}
+
+output "private_custom_domain_association_id" {
+ description = "The `domain_name` and `service_arn` separated by a comma (`,`)"
+ value = module.app_runner_private.custom_domain_association_id
+}
+
+output "private_custom_domain_association_certificate_validation_records" {
+ description = "A set of certificate CNAME records used for this domain name"
+ value = module.app_runner_private.custom_domain_association_certificate_validation_records
+}
+
+output "private_custom_domain_association_dns_target" {
+ description = "The App Runner subdomain of the App Runner service. The custom domain name is mapped to this target name. Attribute only available if resource created (not imported) with Terraform"
+ value = module.app_runner_private.custom_domain_association_dns_target
+}
+
+output "private_vpc_connector_arn" {
+ description = "The Amazon Resource Name (ARN) of VPC connector"
+ value = module.app_runner_private.vpc_connector_arn
+}
+
+output "private_vpc_connector_status" {
+ description = "The current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted"
+ value = module.app_runner_private.vpc_connector_status
+}
+
+output "private_vpc_connector_revision" {
+ description = "The revision of VPC connector. It's unique among all the active connectors (\"Status\": \"ACTIVE\") that share the same Name"
+ value = module.app_runner_private.vpc_connector_revision
+}
+
+output "private_observability_configuration_arn" {
+ description = "ARN of this observability configuration"
+ value = module.app_runner_private.observability_configuration_arn
+}
+
+output "private_observability_configuration_revision" {
+ description = "The revision of the observability configuration"
+ value = module.app_runner_private.observability_configuration_revision
+}
+
+output "private_observability_configuration_latest" {
+ description = "Whether the observability configuration has the highest `observability_configuration_revision` among all configurations that share the same `observability_configuration_name`"
+ value = module.app_runner_private.observability_configuration_latest
+}
+
+output "private_observability_configuration_status" {
+ description = "The current state of the observability configuration. An `INACTIVE` configuration revision has been deleted and can't be used. It is permanently removed some time after deletion"
+ value = module.app_runner_private.observability_configuration_status
+}
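Review bot: The description of `private_service_url` (`You can use this URL to access your service web application`) is copied from the public examples but is misleading for this module instance: `app_runner_private` sets `is_publicly_accessible = false` in examples/complete/main.tf, so the App Runner-generated URL is not reachable from the internet and the address a client inside the VPC should use is `private_vpc_ingress_connection_domain_name`. Suggest `description = "The App Runner-generated subdomain URL of the service; not reachable from the internet for this private service, use private_vpc_ingress_connection_domain_name from inside the VPC"`. The remaining outputs in this hunk are mechanical pass-throughs and read fine.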
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 0ef3907..b6e9ea1 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.22"
+ version = ">= 4.38"
}
}
}
diff --git a/main.tf b/main.tf
index c1298c5..ef15c82 100644
--- a/main.tf
+++ b/main.tf
@@ -48,6 +48,14 @@ resource "aws_apprunner_service" "this" {
for_each = length(var.network_configuration) > 0 ? [var.network_configuration] : []
content {
+ dynamic "ingress_configuration" {
+ for_each = try([network_configuration.value.ingress_configuration], [])
+
+ content {
+ is_publicly_accessible = try(ingress_configuration.value.is_publicly_accessible, null)
+ }
+ }
+
dynamic "egress_configuration" {
for_each = try([network_configuration.value.egress_configuration], [])
@@ -294,6 +302,24 @@ resource "aws_iam_role_policy_attachment" "instance_additional" {
role = aws_iam_role.instance[0].name
}
+################################################################################
+# VPC Ingress Configuration
+################################################################################
+
+resource "aws_apprunner_vpc_ingress_connection" "this" {
+ count = local.create_service && var.create_ingress_vpc_connection ? 1 : 0
+
+ name = var.service_name
+ service_arn = aws_apprunner_service.this[0].arn
+
+ ingress_vpc_configuration {
+ vpc_id = var.ingress_vpc_id
+ vpc_endpoint_id = var.ingress_vpc_endpoint_id
+ }
+
+ tags = var.tags
+}
+
################################################################################
# Custom Domain Association
################################################################################
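Review bot: Nothing ties `create_ingress_vpc_connection` to the service actually being private: `aws_apprunner_vpc_ingress_connection.this` is created from the flag alone, while `is_publicly_accessible` in the new `ingress_configuration` block (first hunk of this file, inside `aws_apprunner_service.this`, whose body starts outside the hunk) falls through to the provider default, which leaves the service public. A caller who sets the flag but forgets `network_configuration.ingress_configuration.is_publicly_accessible = false` either gets a publicly reachable service alongside a VPC ingress connection or an apply-time API error if App Runner rejects the combination (I believe it does; confirm). At minimum document the coupling on the resource, e.g. `# Requires network_configuration.ingress_configuration.is_publicly_accessible = false; this connection does not make the service private by itself`, and consider a plan-time check (a `precondition` needs Terraform 1.2+, above the `>= 1.0` floor in the README requirements table, so a variable `validation` may be the practical option).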
diff --git a/outputs.tf b/outputs.tf
index bfbea6f..d50d761 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -60,6 +60,20 @@ output "instance_iam_role_unique_id" {
value = try(aws_iam_role.instance[0].unique_id, null)
}
+################################################################################
+# VPC Ingress Configuration
+################################################################################
+
+output "vpc_ingress_connection_arn" {
+ description = "The Amazon Resource Name (ARN) of the VPC Ingress Connection"
+ value = try(aws_apprunner_vpc_ingress_connection.this[0].arn, null)
+}
+
+output "vpc_ingress_connection_domain_name" {
+ description = "The domain name associated with the VPC Ingress Connection resource"
+ value = try(aws_apprunner_vpc_ingress_connection.this[0].domain_name, null)
+}
+
################################################################################
# Custom Domain Association
################################################################################
@@ -112,7 +126,7 @@ output "connections" {
################################################################################
output "auto_scaling_configurations" {
- description = "Map of attribute maps for all autosclaing configurations created"
+ description = "Map of attribute maps for all autoscaling configurations created"
value = aws_apprunner_auto_scaling_configuration_version.this
}
diff --git a/variables.tf b/variables.tf
index 35ee576..b6a1b8b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -166,6 +166,28 @@ variable "instance_iam_role_policies" {
default = {}
}
+################################################################################
+# VPC Ingress Configuration
+################################################################################
+
+variable "create_ingress_vpc_connection" {
+ description = "Determines whether a VPC ingress configuration will be created"
+ type = bool
+ default = false
+}
+
+variable "ingress_vpc_id" {
+ description = "The ID of the VPC that is used for the VPC ingress configuration"
+ type = string
+ default = ""
+}
+
+variable "ingress_vpc_endpoint_id" {
+ description = "The ID of the VPC endpoint that is used for the VPC ingress configuration"
+ type = string
+ default = ""
+}
+
################################################################################
# Custom Domain Association
################################################################################
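Review bot: `ingress_vpc_id` and `ingress_vpc_endpoint_id` default to `""`, so when `create_ingress_vpc_connection = true` and one of them is left unset the empty string is passed straight into `ingress_vpc_configuration` and the failure only surfaces as an API error at apply time. `default = null` would make a missing value fail at plan time if the provider marks these attributes required (I believe it does; confirm), and a `validation` block such as `condition = var.ingress_vpc_id == null || can(regex("^vpc-", var.ingress_vpc_id))` would also catch obvious mistypes like the `"vpce-01234567890123456 s"` sample in the README hunk. The descriptions should state that both values are required whenever the create flag is set.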
diff --git a/versions.tf b/versions.tf
index 0ef3907..b6e9ea1 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 4.22"
+ version = ">= 4.38"
}
}
}