From 5a731972c6f28a983bd37b6742591773711360a5 Mon Sep 17 00:00:00 2001 From: Ilia Lazebnik Date: Tue, 3 Sep 2019 12:18:02 +0300 Subject: [PATCH 1/2] Added VPC endpoints from #311 to Terraform 0.11 branch (#319) * add missing endpoints from #311 * fix mistakes in endpoint names * added endpoints cloudformation, codepipeline, appmesh, sagemaker (api+runtime), transfer, servicecatalog, storagegateway * fix mistakes in endpoint names * fix mistakes in endpoint names * add endpoint tag to full example * terraform format --- README.md | 110 ++++ examples/complete-vpc/main.tf | 4 + main.tf | 492 ------------------ outputs.tf | 165 ++++++ variables.tf | 385 ++++++++++++++ vpc-endpoint.tf | 928 ++++++++++++++++++++++++++++++++++ 6 files changed, 1592 insertions(+), 492 deletions(-) create mode 100644 vpc-endpoint.tf diff --git a/README.md b/README.md index 2c6636096..c161877f2 100644 --- a/README.md +++ b/README.md 
@@ -207,12 +207,30 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | string | `"false"` | no | | apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | list | `[]` | no | | apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| appmesh\_envoy\_management\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for APPMESH Envoy Management endpoint | string | `"false"` | no | +| appmesh\_envoy\_management\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for APPMESH Envoy Management endpoint | list | `[]` | no | +| appmesh\_envoy\_management\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for APPMESH Envoy Management endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | assign\_generated\_ipv6\_cidr\_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | string | `"false"` | no | | azs | A list of availability zones in the region | list | `[]` | no | | cidr | The CIDR block for the VPC. 
Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no | +| cloudformation\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudFormation endpoint | string | `"false"` | no | +| cloudformation\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudFormation endpoint | list | `[]` | no | +| cloudformation\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudFormation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | string | `"false"` | no | | cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list | `[]` | no | | cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeBuild endpoint | string | `"false"` | no | +| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodeBuild endpoint | list | `[]` | no | +| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodeBuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeCommit endpoint | string | `"false"` | no | +| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodeCommit endpoint | list | `[]` | no | +| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodeCommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| codepipeline\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint | string | `"false"` | no | +| codepipeline\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodePipeline endpoint | list | `[]` | no | +| codepipeline\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | string | `"false"` | no | +| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | list | `[]` | no | +| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no | | create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no | 
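Review bot: the new `*_endpoint_security_group_ids` rows (appmesh, cloudformation, codebuild, codecommit, codepipeline, config) document the default `[]` but not what that default means for an Interface endpoint: when no security group is given, AWS associates the VPC's default security group with the endpoint network interfaces, so the per-endpoint access control silently becomes whatever that default group allows. Extend the description along the lines of "If omitted, the VPC default security group is used; pass an explicit group that allows only HTTPS (443) from the consuming subnets" so readers know the empty list is a fallback, not a deny. A smaller style point in the same hunk: "APPMESH Envoy Management" is capitalised differently from the service-cased names around it ("CloudFormation", "CodeBuild"); "App Mesh Envoy Management" would match.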
@@ -279,7 +297,13 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list | `[]` | no | | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | string | `"false"` | no | +| enable\_appmesh\_envoy\_management\_endpoint | Should be true if you want to provision an APPMESH Envoy Management endpoint to the VPC | string | `"false"` | no | +| enable\_cloudformation\_endpoint | Should be true if you want to provision an CloudFormation endpoint to the VPC | string | `"false"` | no | | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | string | `"false"` | no | +| enable\_codebuild\_endpoint | Should be true if you want to provision an CodeBuild endpoint to the VPC | string | `"false"` | no | +| enable\_codecommit\_endpoint | Should be true if you want to provision an CodeCommit endpointto the VPC | string | `"false"` | no | +| enable\_codepipeline\_endpoint | Should be true if you want to provision an CodePipeline endpoint to the VPC | string | `"false"` | no | +| enable\_config\_endpoint | Should be true if you want to provision an Config endpoint to the VPC | string | `"false"` | no | | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no | | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no | | 
enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no | 
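Review bot: the article is wrong in five of the six added `enable_*` rows of this hunk and one row has a missing space. "an CloudFormation endpoint", "an CodeBuild endpoint", "an CodeCommit endpointto the VPC", "an CodePipeline endpoint" and "an Config endpoint" should read "a CloudFormation endpoint", "a CodeBuild endpoint", "a CodeCommit endpoint to the VPC", "a CodePipeline endpoint" and "a Config endpoint", matching the existing "a CloudTrail endpoint" row directly above them. Since these descriptions are generated from `variables.tf`, the fix belongs in the variable `description` strings there, not only in the README.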
@@ -293,21 +317,40 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | string | `"false"` | no | | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | string | `"false"` | no | | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | string | `"false"` | no | +| enable\_git\_codecommit\_endpoint | Should be true if you want to provision an Git CodeCommit endpoint to the VPC | string | `"false"` | no | +| enable\_glue\_endpoint | Should be true if you want to provision an Glue endpoint to the VPC | string | `"false"` | no | +| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision an Kinesis Firehose endpoint to the VPC | string | `"false"` | no | +| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision an Kinesis Streams endpoint to the VPC | string | `"false"` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no | | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | string | `"false"` | no | | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | string | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no | +| enable\_sagemaker\_api\_endpoint | Should be true if you want to provision an Sagemaker API endpoint to the VPC | string | 
`"false"` | no | +| enable\_sagemaker\_notebook\_endpoint | Should be true if you want to provision an SageMaker Notebook endpoint to the VPC | string | `"false"` | no | +| enable\_sagemaker\_runtime\_endpoint | Should be true if you want to provision an Sagemaker Runtime endpoint to the VPC | string | `"false"` | no | +| enable\_secretsmanager\_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC | string | `"false"` | no | +| enable\_servicecatalog\_endpoint | Should be true if you want to provision an Service Catalog endpoint to the VPC | string | `"false"` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | string | `"false"` | no | | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no | +| enable\_storagegateway\_endpoint | Should be true if you want to provision an Storage Gateway endpoint to the VPC | string | `"false"` | no | +| enable\_sts\_endpoint | Should be true if you want to provision an STS endpoint to the VPC | string | `"false"` | no | +| enable\_transfer\_endpoint | Should be true if you want to provision an Transfer endpoint to the VPC | string | `"false"` | no | +| enable\_transferserver\_endpoint | Should be true if you want to provision an Transfer Server endpoint to the VPC | string | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no | | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | string | `"false"` | no | | 
events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list | `[]` | no | | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | +| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git CodeCommit endpoint | string | `"false"` | no | +| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git CodeCommit endpoint | list | `[]` | no | +| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git CodeCommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| glue\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint | string | `"false"` | no | +| glue\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Glue endpoint | list | `[]` | no | +| glue\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_acl\_tags | Additional tags for the intra subnets network ACL | map | `{}` | no | 
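Review bot: `enable_transfer_endpoint` and `enable_transferserver_endpoint` in this hunk are described almost identically ("Transfer endpoint" / "Transfer Server endpoint"), and nothing tells a reader which AWS endpoint service each one provisions or when they would want one rather than the other. State the underlying service name in each description (the Transfer API service versus the Transfer SFTP server service) so the two flags are distinguishable. The same hunk repeats the article error from the earlier rows ("an Git CodeCommit", "an Glue", "an Kinesis Firehose", "an Kinesis Streams", "an Sagemaker API", "an Secrets Manager", "an Service Catalog", "an Storage Gateway", "an Transfer", "an Transfer Server" should all be "a ..."), and spells the service as both "Sagemaker" (API, Runtime) and "SageMaker" (Notebook); "SageMaker" is the product name.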
@@ -318,6 +361,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | +| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | string | `"false"` | no | +| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | list | `[]` | no | +| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | string | `"false"` | no | +| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | list | `[]` | no | +| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | string | `"false"` | no | | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list | `[]` | no | | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | 
@@ -362,7 +411,23 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no | | redshift\_subnets | A list of redshift subnets | list | `[]` | no | | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no | +| sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Sagemaker API endpoint | string | `"false"` | no | +| sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Sagemaker API endpoint | list | `[]` | no | +| sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Sagemaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| sagemaker\_notebook\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker Notebook endpoint | string | `"false"` | no | +| sagemaker\_notebook\_endpoint\_region | Region to use for Sagemaker Notebook endpoint | string | `""` | no | +| sagemaker\_notebook\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker Notebook endpoint | list | `[]` | no | +| sagemaker\_notebook\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| sagemaker\_runtime\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Runtime endpoint | string | `"false"` | no | +| sagemaker\_runtime\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Sagemaker Runtime endpoint | list | `[]` | no | +| sagemaker\_runtime\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Sagemaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no | +| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | string | `"false"` | no | +| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list | `[]` | no | +| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| servicecatalog\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint | string | `"false"` | no | +| servicecatalog\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Service Catalog endpoint | list | `[]` | no | +| servicecatalog\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. 
If omitted, private subnets will be used. | list | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no | | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | string | `"false"` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list | `[]` | no | 
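Review bot: `sagemaker_notebook_endpoint_region` (default `""`) is the only endpoint in this PR that takes a region, and the description "Region to use for Sagemaker Notebook endpoint" explains neither why it is needed nor what an empty value does. Say that the notebook endpoint's service name embeds the region (unlike the API and Runtime endpoints, which use the generic service lookup) and document the fallback when the variable is left empty, for example "defaults to the provider's current region" if that is what `vpc-endpoint.tf` does. Without that, a user who sets the other SageMaker flags has no way to tell whether leaving this blank is safe. The hunk also mixes "Sagemaker" and "SageMaker" within the three rows for the same service.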
@@ -376,7 +441,19 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| storagegateway\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint | string | `"false"` | no | +| storagegateway\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint | list | `[]` | no | +| storagegateway\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| sts\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for STS endpoint | string | `"false"` | no | +| sts\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for STS endpoint | list | `[]` | no | +| sts\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | | tags | A map of tags to add to all resources | map | `{}` | no | +| transfer\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint | string | `"false"` | no | +| transfer\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer endpoint | list | `[]` | no | +| transfer\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | list | `[]` | no | +| transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | string | `"false"` | no | +| transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list | `[]` | no | +| transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | vpc\_endpoint\_tags | Additional tags for the VPC Endpoints | map | `{}` | no | | vpc\_tags | Additional tags for the VPC | map | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | 
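Review bot: typo in the `transfer_endpoint_subnet_ids` row of this hunk: "Ifomitted, private subnets will be used." is missing a space ("If omitted"). Every other subnet row in the table uses the same sentence, so the variable description in `variables.tf` was presumably edited by hand here; fixing it at the source keeps the README regeneration clean. As in the variables block above, the `transfer_*` and `transferserver_*` triples carry near-identical descriptions ("Transfer endpoint" / "Transfer Server endpoint"); naming the AWS service each maps to would make the two sets distinguishable.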
@@ -448,6 +525,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. | | vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail | | vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. | +| vpc\_endpoint\_codebuild\_dns\_entry | The DNS entries for the VPC Endpoint for CodeBuild. | +| vpc\_endpoint\_codebuild\_id | The ID of VPC endpoint for CodeBuild | +| vpc\_endpoint\_codebuild\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CodeBuild. | +| vpc\_endpoint\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for CodeCommit. | +| vpc\_endpoint\_codecommit\_id | The ID of VPC endpoint for CodeCommit | +| vpc\_endpoint\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CodeCommit. | +| vpc\_endpoint\_config\_dns\_entry | The DNS entries for the VPC Endpoint for Config. | +| vpc\_endpoint\_config\_id | The ID of VPC endpoint for Config | +| vpc\_endpoint\_config\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Config. | | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB | | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. | | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. | 
@@ -477,6 +563,18 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. | | vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events | | vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. | +| vpc\_endpoint\_git\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for Git CodeCommit. | +| vpc\_endpoint\_git\_codecommit\_id | The ID of VPC endpoint for Git CodeCommit | +| vpc\_endpoint\_git\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Git CodeCommit. | +| vpc\_endpoint\_glue\_dns\_entry | The DNS entries for the VPC Endpoint for Glue. | +| vpc\_endpoint\_glue\_id | The ID of VPC endpoint for Glue | +| vpc\_endpoint\_glue\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Glue. | +| vpc\_endpoint\_kinesis\_firehose\_dns\_entry | The DNS entries for the VPC Endpoint for Kinesis Firehose. | +| vpc\_endpoint\_kinesis\_firehose\_id | The ID of VPC endpoint for Kinesis Firehose | +| vpc\_endpoint\_kinesis\_firehose\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Kinesis Firehose. | +| vpc\_endpoint\_kinesis\_streams\_dns\_entry | The DNS entries for the VPC Endpoint for Kinesis Streams. | +| vpc\_endpoint\_kinesis\_streams\_id | The ID of VPC endpoint for Kinesis Streams | +| vpc\_endpoint\_kinesis\_streams\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Kinesis Streams. | | vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. | | vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS | | vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. | 
@@ -488,6 +586,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. | | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 | | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. | +| vpc\_endpoint\_sagemaker\_notebook\_dns\_entry | The DNS entries for the VPC Endpoint for SageMaker Notebook. | +| vpc\_endpoint\_sagemaker\_notebook\_id | The ID of VPC endpoint for SageMaker Notebook | +| vpc\_endpoint\_sagemaker\_notebook\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SageMaker Notebook. | +| vpc\_endpoint\_secretsmanager\_dns\_entry | The DNS entries for the VPC Endpoint for Secrets Manager. | +| vpc\_endpoint\_secretsmanager\_id | The ID of VPC endpoint for Secrets Manager | +| vpc\_endpoint\_secretsmanager\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Secrets Manager. | | vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. | | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS | | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. | 
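Review bot: the outputs table in this hunk gains `vpc_endpoint_sagemaker_notebook_*` and `vpc_endpoint_secretsmanager_*` only, yet the variables table added earlier in this same patch introduces `enable_sagemaker_api_endpoint`, `enable_sagemaker_runtime_endpoint`, `enable_appmesh_envoy_management_endpoint`, `enable_cloudformation_endpoint`, `enable_codepipeline_endpoint`, `enable_servicecatalog_endpoint`, `enable_storagegateway_endpoint` and `enable_transfer_endpoint` with no matching `vpc_endpoint_<name>_id`, `_dns_entry` or `_network_interface_ids` rows anywhere in the README hunks. Either `outputs.tf` is missing those outputs (callers then cannot reference the endpoint IDs, for instance to attach a security group rule or an endpoint policy) or the README was not regenerated after they were added; please add the outputs for every new endpoint, or state in the PR why these are intentionally left out.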
@@ -500,6 +604,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. | | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES | | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. | +| vpc\_endpoint\_sts\_dns\_entry | The DNS entries for the VPC Endpoint for STS. | +| vpc\_endpoint\_sts\_id | The ID of VPC endpoint for STS | +| vpc\_endpoint\_sts\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for STS. | +| vpc\_endpoint\_transferserver\_dns\_entry | The DNS entries for the VPC Endpoint for Transfer Server. | +| vpc\_endpoint\_transferserver\_id | The ID of VPC endpoint for Transfer Server | +| vpc\_endpoint\_transferserver\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Transfer Server. | | vpc\_id | The ID of the VPC | | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 2d5d71183..b7a4933b4 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -97,4 +97,8 @@ module "vpc" { Environment = "staging" Name = "complete" } + + vpc_endpoint_tags = { + Endpoint = true + } } diff --git a/main.tf b/main.tf index 95cc5bdba..940004e77 100644 --- a/main.tf +++ b/main.tf 
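Review bot: in the `examples/complete-vpc/main.tf` hunk, `Endpoint = true` is an unquoted boolean inside a map that is ultimately applied as resource tags, and tag values are strings. In Terraform 0.11 a bare boolean is coerced to a string during interpolation and the resulting tag value is not guaranteed to read `true`; writing `Endpoint = "true"` (as the sibling `Environment = "staging"` and `Name = "complete"` entries do) gives a deterministic value that tag-based policies and cost reports can match on. The README rows for `vpc_endpoint_sts_*` and `vpc_endpoint_transferserver_*` in the same hunk look consistent with the existing SSM rows above them.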
@@ -589,498 +589,6 @@ resource "aws_route" "private_nat_gateway" { } } -###################### -# VPC Endpoint for S3 -###################### -data "aws_vpc_endpoint_service" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" - - service = "s3" -} - -resource "aws_vpc_endpoint" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" - - tags = "${local.vpce_tags}" -} - -resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" -} - -resource "aws_vpc_endpoint_route_table_association" "intra_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" -} - -resource "aws_vpc_endpoint_route_table_association" "public_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${aws_route_table.public.id}" -} - -############################ -# VPC Endpoint for DynamoDB -############################ -data "aws_vpc_endpoint_service" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" - - service = "dynamodb" -} - -resource "aws_vpc_endpoint" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" - - tags = "${local.vpce_tags}" -} - -resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 
local.nat_gateway_count : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" -} - -resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" -} - -resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${aws_route_table.public.id}" -} - -####################### -# VPC Endpoint for SQS -####################### -data "aws_vpc_endpoint_service" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - service = "sqs" -} - -resource "aws_vpc_endpoint" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.sqs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for SSM -####################### -data "aws_vpc_endpoint_service" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" - - service = "ssm" -} - -resource "aws_vpc_endpoint" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -############################### -# VPC Endpoint for SSMMESSAGES -############################### -data "aws_vpc_endpoint_service" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" - - service = "ssmmessages" -} - -resource "aws_vpc_endpoint" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for EC2 -####################### -data "aws_vpc_endpoint_service" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" - - service = "ec2" -} - -resource "aws_vpc_endpoint" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -############################### -# VPC Endpoint for EC2MESSAGES -############################### -data "aws_vpc_endpoint_service" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" - - service = "ec2messages" -} - -resource "aws_vpc_endpoint" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -########################### -# VPC Endpoint for ECR API -########################### -data "aws_vpc_endpoint_service" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" - - service = "ecr.api" -} - -resource "aws_vpc_endpoint" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -########################### -# VPC Endpoint for ECR DKR -########################### -data "aws_vpc_endpoint_service" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" - - service = "ecr.dkr" -} - -resource "aws_vpc_endpoint" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for API Gateway -####################### -data "aws_vpc_endpoint_service" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" - - service = "execute-api" -} - -resource "aws_vpc_endpoint" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for KMS -####################### -data "aws_vpc_endpoint_service" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" - - service = "kms" -} - -resource "aws_vpc_endpoint" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.kms_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS -####################### -data "aws_vpc_endpoint_service" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" - - service = "ecs" -} - -resource "aws_vpc_endpoint" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS Agent -####################### -data "aws_vpc_endpoint_service" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - service = "ecs-agent" -} - -resource "aws_vpc_endpoint" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS Telemetry -####################### -data "aws_vpc_endpoint_service" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" - - service = "ecs-telemetry" -} - -resource "aws_vpc_endpoint" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for Elasic Load Balancing -####################### -data "aws_vpc_endpoint_service" "elasticloadbalancing" { - count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" - - service = "elasticloadbalancing" -} - -resource "aws_vpc_endpoint" "elasticloadbalancing" { - count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.elasticloadbalancing.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.elasticloadbalancing_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.elasticloadbalancing_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for SNS -####################### -data "aws_vpc_endpoint_service" "sns" { - count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}" - - service = "sns" -} - -resource "aws_vpc_endpoint" "sns" { - count = "${var.create_vpc && var.enable_sns_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.sns.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.sns_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.sns_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for CloudWatch Logs -####################### -data "aws_vpc_endpoint_service" "logs" { - count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" - - service = "logs" -} - -resource "aws_vpc_endpoint" "logs" { - count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.logs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.logs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.logs_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for CloudTrail -####################### -data "aws_vpc_endpoint_service" "cloudtrail" { - count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}" - - service = "cloudtrail" -} - -resource "aws_vpc_endpoint" "cloudtrail" { - count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.cloudtrail.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.cloudtrail_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.cloudtrail_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for CloudWatch Monitoring -####################### -data "aws_vpc_endpoint_service" "monitoring" { - count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" - - service = "monitoring" -} - -resource "aws_vpc_endpoint" "monitoring" { - count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.monitoring.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.monitoring_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.monitoring_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for CloudWatch Events -####################### -data "aws_vpc_endpoint_service" "events" { - count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}" - - service = "events" -} - -resource "aws_vpc_endpoint" "events" { - count = "${var.create_vpc && var.enable_events_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.events.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.events_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.events_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - ########################## # Route table association ########################## diff --git a/outputs.tf b/outputs.tf index c582d05b5..d29b1429a 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -614,6 +614,171 @@ output "vpc_endpoint_events_dns_entry" { value = "${flatten(aws_vpc_endpoint.events.*.dns_entry)}" } +output "vpc_endpoint_codebuild_id" { + description = "The ID of VPC endpoint for CodeBuild" + value = "${element(concat(aws_vpc_endpoint.codebuild.*.id, list("")), 0)}" +} + +output "vpc_endpoint_codebuild_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for CodeBuild." + value = "${flatten(aws_vpc_endpoint.codebuild.*.network_interface_ids)}" +} + +output "vpc_endpoint_codebuild_dns_entry" { + description = "The DNS entries for the VPC Endpoint for CodeBuild." + value = "${flatten(aws_vpc_endpoint.codebuild.*.dns_entry)}" +} + +output "vpc_endpoint_codecommit_id" { + description = "The ID of VPC endpoint for CodeCommit" + value = "${element(concat(aws_vpc_endpoint.codecommit.*.id, list("")), 0)}" +} + +output "vpc_endpoint_codecommit_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for CodeCommit." + value = "${flatten(aws_vpc_endpoint.codecommit.*.network_interface_ids)}" +} + +output "vpc_endpoint_codecommit_dns_entry" { + description = "The DNS entries for the VPC Endpoint for CodeCommit." + value = "${flatten(aws_vpc_endpoint.codecommit.*.dns_entry)}" +} + +output "vpc_endpoint_git_codecommit_id" { + description = "The ID of VPC endpoint for Git CodeCommit" + value = "${element(concat(aws_vpc_endpoint.git_codecommit.*.id, list("")), 0)}" +} + +output "vpc_endpoint_git_codecommit_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Git CodeCommit." + value = "${flatten(aws_vpc_endpoint.git_codecommit.*.network_interface_ids)}" +} + +output "vpc_endpoint_git_codecommit_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Git CodeCommit." 
+ value = "${flatten(aws_vpc_endpoint.git_codecommit.*.dns_entry)}" +} + +output "vpc_endpoint_config_id" { + description = "The ID of VPC endpoint for Config" + value = "${element(concat(aws_vpc_endpoint.config.*.id, list("")), 0)}" +} + +output "vpc_endpoint_config_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Config." + value = "${flatten(aws_vpc_endpoint.config.*.network_interface_ids)}" +} + +output "vpc_endpoint_config_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Config." + value = "${flatten(aws_vpc_endpoint.config.*.dns_entry)}" +} + +output "vpc_endpoint_secretsmanager_id" { + description = "The ID of VPC endpoint for Secrets Manager" + value = "${element(concat(aws_vpc_endpoint.secretsmanager.*.id, list("")), 0)}" +} + +output "vpc_endpoint_secretsmanager_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Secrets Manager." + value = "${flatten(aws_vpc_endpoint.secretsmanager.*.network_interface_ids)}" +} + +output "vpc_endpoint_secretsmanager_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Secrets Manager." + value = "${flatten(aws_vpc_endpoint.secretsmanager.*.dns_entry)}" +} + +output "vpc_endpoint_transferserver_id" { + description = "The ID of VPC endpoint for Transfer Server" + value = "${element(concat(aws_vpc_endpoint.transferserver.*.id, list("")), 0)}" +} + +output "vpc_endpoint_transferserver_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Transfer Server." + value = "${flatten(aws_vpc_endpoint.transferserver.*.network_interface_ids)}" +} + +output "vpc_endpoint_transferserver_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Transfer Server." 
+ value = "${flatten(aws_vpc_endpoint.transferserver.*.dns_entry)}" +} + +output "vpc_endpoint_kinesis_streams_id" { + description = "The ID of VPC endpoint for Kinesis Streams" + value = "${element(concat(aws_vpc_endpoint.kinesis_streams.*.id, list("")), 0)}" +} + +output "vpc_endpoint_kinesis_streams_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Kinesis Streams." + value = "${flatten(aws_vpc_endpoint.kinesis_streams.*.network_interface_ids)}" +} + +output "vpc_endpoint_kinesis_streams_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Kinesis Streams." + value = "${flatten(aws_vpc_endpoint.kinesis_streams.*.dns_entry)}" +} + +output "vpc_endpoint_kinesis_firehose_id" { + description = "The ID of VPC endpoint for Kinesis Firehose" + value = "${element(concat(aws_vpc_endpoint.kinesis_firehose.*.id, list("")), 0)}" +} + +output "vpc_endpoint_kinesis_firehose_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Kinesis Firehose." + value = "${flatten(aws_vpc_endpoint.kinesis_firehose.*.network_interface_ids)}" +} + +output "vpc_endpoint_kinesis_firehose_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Kinesis Firehose." + value = "${flatten(aws_vpc_endpoint.kinesis_firehose.*.dns_entry)}" +} + +output "vpc_endpoint_glue_id" { + description = "The ID of VPC endpoint for Glue" + value = "${element(concat(aws_vpc_endpoint.glue.*.id, list("")), 0)}" +} + +output "vpc_endpoint_glue_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Glue." + value = "${flatten(aws_vpc_endpoint.glue.*.network_interface_ids)}" +} + +output "vpc_endpoint_glue_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Glue." 
+ value = "${flatten(aws_vpc_endpoint.glue.*.dns_entry)}" +} + +output "vpc_endpoint_sagemaker_notebook_id" { + description = "The ID of VPC endpoint for SageMaker Notebook" + value = "${element(concat(aws_vpc_endpoint.sagemaker_notebook.*.id, list("")), 0)}" +} + +output "vpc_endpoint_sagemaker_notebook_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SageMaker Notebook." + value = "${flatten(aws_vpc_endpoint.sagemaker_notebook.*.network_interface_ids)}" +} + +output "vpc_endpoint_sagemaker_notebook_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SageMaker Notebook." + value = "${flatten(aws_vpc_endpoint.sagemaker_notebook.*.dns_entry)}" +} + +output "vpc_endpoint_sts_id" { + description = "The ID of VPC endpoint for STS" + value = "${element(concat(aws_vpc_endpoint.sts.*.id, list("")), 0)}" +} + +output "vpc_endpoint_sts_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for STS." + value = "${flatten(aws_vpc_endpoint.sts.*.network_interface_ids)}" +} + +output "vpc_endpoint_sts_dns_entry" { + description = "The DNS entries for the VPC Endpoint for STS." + value = "${flatten(aws_vpc_endpoint.sts.*.dns_entry)}" +} + # Static values (arguments) output "azs" { description = "A list of availability zones specified as argument to this module" diff --git a/variables.tf b/variables.tf index 69779f93e..b7a44faaa 100644 --- a/variables.tf +++ b/variables.tf 
@@ -544,6 +544,391 @@ variable "monitoring_endpoint_private_dns_enabled" { default = false } +variable "enable_codebuild_endpoint" { + description = "Should be true if you want to provision an CodeBuild endpoint to the VPC" + default = false +} + +variable "codebuild_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for CodeBuild endpoint" + default = [] +} + +variable "codebuild_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for CodeBuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "codebuild_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for CodeBuild endpoint" + default = false +} + +variable "enable_codecommit_endpoint" { + description = "Should be true if you want to provision an CodeCommit endpointto the VPC" + default = false +} + +variable "codecommit_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for CodeCommit endpoint" + default = [] +} + +variable "codecommit_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for CodeCommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "codecommit_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for CodeCommit endpoint" + default = false +} + +variable "enable_git_codecommit_endpoint" { + description = "Should be true if you want to provision an Git CodeCommit endpoint to the VPC" + default = false +} + +variable "git_codecommit_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Git CodeCommit endpoint" + default = [] +} + +variable "git_codecommit_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Git CodeCommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "git_codecommit_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Git CodeCommit endpoint" + default = false +} + +variable "enable_config_endpoint" { + description = "Should be true if you want to provision an Config endpoint to the VPC" + default = false +} + +variable "config_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Config endpoint" + default = [] +} + +variable "config_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "config_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Config endpoint" + default = false +} + +variable "enable_secretsmanager_endpoint" { + description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC" + default = false +} + +variable "secretsmanager_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint" + default = [] +} + +variable "secretsmanager_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "secretsmanager_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint" + default = false +} + +variable "enable_transferserver_endpoint" { + description = "Should be true if you want to provision an Transfer Server endpoint to the VPC" + default = false +} + +variable "transferserver_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Transfer Server endpoint" + default = [] +} + +variable "transferserver_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "transferserver_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint" + default = false +} + +variable "enable_kinesis_streams_endpoint" { + description = "Should be true if you want to provision an Kinesis Streams endpoint to the VPC" + default = false +} + +variable "kinesis_streams_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint" + default = [] +} + +variable "kinesis_streams_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "kinesis_streams_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint" + default = false +} + +variable "enable_kinesis_firehose_endpoint" { + description = "Should be true if you want to provision an Kinesis Firehose endpoint to the VPC" + default = false +} + +variable "kinesis_firehose_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint" + default = [] +} + +variable "kinesis_firehose_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "kinesis_firehose_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint" + default = false +} + +variable "enable_glue_endpoint" { + description = "Should be true if you want to provision an Glue endpoint to the VPC" + default = false +} + +variable "glue_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Glue endpoint" + default = [] +} + +variable "glue_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "glue_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint" + default = false +} + +variable "enable_sagemaker_notebook_endpoint" { + description = "Should be true if you want to provision an SageMaker Notebook endpoint to the VPC" + default = false +} + +variable "sagemaker_notebook_endpoint_region" { + description = "Region to use for Sagemaker Notebook endpoint" + default = "" +} + +variable "sagemaker_notebook_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SageMaker Notebook endpoint" + default = [] +} + +variable "sagemaker_notebook_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SageMaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "sagemaker_notebook_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker Notebook endpoint" + default = false +} + +variable "enable_sts_endpoint" { + description = "Should be true if you want to provision an STS endpoint to the VPC" + default = false +} + +variable "sts_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for STS endpoint" + default = [] +} + +variable "sts_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "sts_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for STS endpoint" + default = false +} + +variable "enable_cloudformation_endpoint" { + description = "Should be true if you want to provision an CloudFormation endpoint to the VPC" + default = false +} + +variable "cloudformation_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for CloudFormation endpoint" + default = [] +} + +variable "cloudformation_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for CloudFormation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "cloudformation_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for CloudFormation endpoint" + default = false +} + +variable "enable_codepipeline_endpoint" { + description = "Should be true if you want to provision an CodePipeline endpoint to the VPC" + default = false +} + +variable "codepipeline_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for CodePipeline endpoint" + default = [] +} + +variable "codepipeline_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "codepipeline_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint" + default = false +} + +variable "enable_appmesh_envoy_management_endpoint" { + description = "Should be true if you want to provision an APPMESH Envoy Management endpoint to the VPC" + default = false +} + +variable "appmesh_envoy_management_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for APPMESH Envoy Management endpoint" + default = [] +} + +variable "appmesh_envoy_management_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for APPMESH Envoy Management endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "appmesh_envoy_management_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for APPMESH Envoy Management endpoint" + default = false +} + +variable "enable_servicecatalog_endpoint" { + description = "Should be true if you want to provision an Service Catalog endpoint to the VPC" + default = false +} + +variable "servicecatalog_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Service Catalog endpoint" + default = [] +} + +variable "servicecatalog_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "servicecatalog_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint" + default = false +} + +variable "enable_storagegateway_endpoint" { + description = "Should be true if you want to provision an Storage Gateway endpoint to the VPC" + default = false +} + +variable "storagegateway_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint" + default = [] +} + +variable "storagegateway_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "storagegateway_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint" + default = false +} + +variable "enable_transfer_endpoint" { + description = "Should be true if you want to provision an Transfer endpoint to the VPC" + default = false +} + +variable "transfer_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Transfer endpoint" + default = [] +} + +variable "transfer_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." + default = [] +} + +variable "transfer_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint" + default = false +} + +variable "enable_sagemaker_api_endpoint" { + description = "Should be true if you want to provision an Sagemaker API endpoint to the VPC" + default = false +} + +variable "sagemaker_api_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Sagemaker API endpoint" + default = [] +} + +variable "sagemaker_api_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Sagemaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "sagemaker_api_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Sagemaker API endpoint" + default = false +} + +variable "enable_sagemaker_runtime_endpoint" { + description = "Should be true if you want to provision an Sagemaker Runtime endpoint to the VPC" + default = false +} + +variable "sagemaker_runtime_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Sagemaker Runtime endpoint" + default = [] +} + +variable "sagemaker_runtime_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Sagemaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "sagemaker_runtime_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Runtime endpoint" + default = false +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" default = true diff --git a/vpc-endpoint.tf b/vpc-endpoint.tf new file mode 100644 index 000000000..7e507d176 --- /dev/null +++ b/vpc-endpoint.tf 
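Review bot: in the variables.tf hunk, the description of `transfer_endpoint_subnet_ids` has a typo ("Ifomitted" should read "If omitted"), and the new `enable_*_endpoint` descriptions use "an" before a consonant: "an CloudFormation endpoint", "an CodePipeline endpoint", "an APPMESH Envoy Management endpoint", "an Service Catalog endpoint", "an Storage Gateway endpoint", "an Transfer endpoint", "an Sagemaker API endpoint" and "an Sagemaker Runtime endpoint" should all be "a ..." (only "an STS endpoint" is right). These strings are copied verbatim into the README inputs table, so the mistakes land in the docs too. Since `enable_transfer_endpoint` now sits next to the existing `enable_transferserver_endpoint`, the description should say which AWS endpoint each one maps to (`transfer` for the Transfer API versus `transfer.server`), otherwise users will not know which flag they need. Finally, the `*_endpoint_security_group_ids` descriptions should state what the `default = []` means in practice: with no security group given, the interface endpoint's network interfaces get the VPC's default security group, so a caller who leaves it unset gets whatever that group allows rather than an endpoint-specific allow-list.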
@@ -0,0 +1,928 @@ +###################### +# VPC Endpoint for S3 +###################### +data "aws_vpc_endpoint_service" "s3" { + count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + + service = "s3" +} + +resource "aws_vpc_endpoint" "s3" { + count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" + + tags = "${local.vpce_tags}" +} + +resource "aws_vpc_endpoint_route_table_association" "private_s3" { + count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" + route_table_id = "${element(aws_route_table.private.*.id, count.index)}" +} + +resource "aws_vpc_endpoint_route_table_association" "intra_s3" { + count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" + route_table_id = "${element(aws_route_table.intra.*.id, 0)}" +} + +resource "aws_vpc_endpoint_route_table_association" "public_s3" { + count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" + route_table_id = "${aws_route_table.public.id}" +} + +############################ +# VPC Endpoint for DynamoDB +############################ +data "aws_vpc_endpoint_service" "dynamodb" { + count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + + service = "dynamodb" +} + +resource "aws_vpc_endpoint" "dynamodb" { + count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" + + tags = "${local.vpce_tags}" +} + +resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { + count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 
local.nat_gateway_count : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" + route_table_id = "${element(aws_route_table.private.*.id, count.index)}" +} + +resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { + count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" + route_table_id = "${element(aws_route_table.intra.*.id, 0)}" +} + +resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { + count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" + + vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" + route_table_id = "${aws_route_table.public.id}" +} + +####################### +# VPC Endpoint for CodeBuild +####################### +data "aws_vpc_endpoint_service" "codebuild" { + count = "${var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0}" + + service = "codebuild" +} + +resource "aws_vpc_endpoint" "codebuild" { + count = "${var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.codebuild.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.codebuild_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.codebuild_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CodeCommit +####################### +data "aws_vpc_endpoint_service" "codecommit" { + count = "${var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0}" + + service = "codecommit" +} + +resource "aws_vpc_endpoint" "codecommit" { + count = "${var.create_vpc && var.enable_codecommit_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.codecommit.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.codecommit_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.codecommit_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Giy CodeCommit +####################### +data "aws_vpc_endpoint_service" "git_codecommit" { + count = "${var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0}" + + service = "git-codecommit" +} + +resource "aws_vpc_endpoint" "git_codecommit" { + count = "${var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.git_codecommit.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.git_codecommit_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.git_codecommit_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Config +####################### +data "aws_vpc_endpoint_service" "config" { + count = "${var.create_vpc && var.enable_config_endpoint ? 1 : 0}" + + service = "config" +} + +resource "aws_vpc_endpoint" "config" { + count = "${var.create_vpc && var.enable_config_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.config.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.config_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.config_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for SQS +####################### +data "aws_vpc_endpoint_service" "sqs" { + count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" + + service = "sqs" +} + +resource "aws_vpc_endpoint" "sqs" { + count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sqs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Secrets Manager +####################### +data "aws_vpc_endpoint_service" "secretsmanager" { + count = "${var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0}" + + service = "secretsmanager" +} + +resource "aws_vpc_endpoint" "secretsmanager" { + count = "${var.create_vpc && var.enable_secretsmanager_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.secretsmanager.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.secretsmanager_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.secretsmanager_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for SSM +####################### +data "aws_vpc_endpoint_service" "ssm" { + count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + + service = "ssm" +} + +resource "aws_vpc_endpoint" "ssm" { + count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +############################### +# VPC Endpoint for SSMMESSAGES +############################### +data "aws_vpc_endpoint_service" "ssmmessages" { + count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" + + service = "ssmmessages" +} + +resource "aws_vpc_endpoint" "ssmmessages" { + count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for EC2 +####################### +data "aws_vpc_endpoint_service" "ec2" { + count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + + service = "ec2" +} + +resource "aws_vpc_endpoint" "ec2" { + count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +############################### +# VPC Endpoint for EC2MESSAGES +############################### +data "aws_vpc_endpoint_service" "ec2messages" { + count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" + + service = "ec2messages" +} + +resource "aws_vpc_endpoint" "ec2messages" { + count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Transfer Server +####################### +data "aws_vpc_endpoint_service" "transferserver" { + count = "${var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0}" + + service = "transfer.server" +} + +resource "aws_vpc_endpoint" "transferserver" { + count = "${var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.transferserver.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.transferserver_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.transferserver_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +########################### +# VPC Endpoint for ECR API +########################### +data "aws_vpc_endpoint_service" "ecr_api" { + count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" + + service = "ecr.api" +} + +resource "aws_vpc_endpoint" "ecr_api" { + count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +########################### +# VPC Endpoint for ECR DKR +########################### +data "aws_vpc_endpoint_service" "ecr_dkr" { + count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + + service = "ecr.dkr" +} + +resource "aws_vpc_endpoint" "ecr_dkr" { + count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for API Gateway +####################### +data "aws_vpc_endpoint_service" "apigw" { + count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" + + service = "execute-api" +} + +resource "aws_vpc_endpoint" "apigw" { + count = "${var.create_vpc && var.enable_apigw_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for KMS +####################### +data "aws_vpc_endpoint_service" "kms" { + count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + + service = "kms" +} + +resource "aws_vpc_endpoint" "kms" { + count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kms_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS +####################### +data "aws_vpc_endpoint_service" "ecs" { + count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" + + service = "ecs" +} + +resource "aws_vpc_endpoint" "ecs" { + count = "${var.create_vpc && var.enable_ecs_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS Agent +####################### +data "aws_vpc_endpoint_service" "ecs_agent" { + count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" + + service = "ecs-agent" +} + +resource "aws_vpc_endpoint" "ecs_agent" { + count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS Telemetry +####################### +data "aws_vpc_endpoint_service" "ecs_telemetry" { + count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" + + service = "ecs-telemetry" +} + +resource "aws_vpc_endpoint" "ecs_telemetry" { + count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Elasic Load Balancing +####################### +data "aws_vpc_endpoint_service" "elasticloadbalancing" { + count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" + + service = "elasticloadbalancing" +} + +resource "aws_vpc_endpoint" "elasticloadbalancing" { + count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.elasticloadbalancing.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.elasticloadbalancing_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.elasticloadbalancing_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for SNS +####################### +data "aws_vpc_endpoint_service" "sns" { + count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}" + + service = "sns" +} + +resource "aws_vpc_endpoint" "sns" { + count = "${var.create_vpc && var.enable_sns_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sns.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sns_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sns_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Logs +####################### +data "aws_vpc_endpoint_service" "logs" { + count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" + + service = "logs" +} + +resource "aws_vpc_endpoint" "logs" { + count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.logs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.logs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.logs_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudTrail +####################### +data "aws_vpc_endpoint_service" "cloudtrail" { + count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}" + + service = "cloudtrail" +} + +resource "aws_vpc_endpoint" "cloudtrail" { + count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.cloudtrail.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.cloudtrail_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.cloudtrail_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Monitoring +####################### +data "aws_vpc_endpoint_service" "monitoring" { + count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" + + service = "monitoring" +} + +resource "aws_vpc_endpoint" "monitoring" { + count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.monitoring.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.monitoring_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.monitoring_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Events +####################### +data "aws_vpc_endpoint_service" "events" { + count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}" + + service = "events" +} + +resource "aws_vpc_endpoint" "events" { + count = "${var.create_vpc && var.enable_events_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.events.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.events_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.events_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Kinesis Streams +####################### +data "aws_vpc_endpoint_service" "kinesis_streams" { + count = "${var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0}" + + service = "kinesis-streams" +} + +resource "aws_vpc_endpoint" "kinesis_streams" { + count = "${var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kinesis_streams.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kinesis_streams_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kinesis_streams_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Kinesis Firehose +####################### +data "aws_vpc_endpoint_service" "kinesis_firehose" { + count = "${var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0}" + + service = "kinesis-firehose" +} + +resource "aws_vpc_endpoint" "kinesis_firehose" { + count = "${var.create_vpc && var.enable_kinesis_firehose_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kinesis_firehose.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kinesis_firehose_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kinesis_firehose_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Glue +####################### +data "aws_vpc_endpoint_service" "glue" { + count = "${var.create_vpc && var.enable_glue_endpoint ? 1 : 0}" + + service = "glue" +} + +resource "aws_vpc_endpoint" "glue" { + count = "${var.create_vpc && var.enable_glue_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.glue.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.glue_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.glue_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.glue_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Sagemaker Notebook +####################### +data "aws_vpc_endpoint_service" "sagemaker_notebook" { + count = "${var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 1 : 0}" + + service = "aws.sagemaker.${var.sagemaker_notebook_endpoint_region}.notebook" +} + +resource "aws_vpc_endpoint" "sagemaker_notebook" { + count = "${var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sagemaker_notebook.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sagemaker_notebook_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sagemaker_notebook_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sagemaker_notebook_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for STS +####################### +data "aws_vpc_endpoint_service" "sts" { + count = "${var.create_vpc && var.enable_sts_endpoint ? 1 : 0}" + + service = "sts" +} + +resource "aws_vpc_endpoint" "sts" { + count = "${var.create_vpc && var.enable_sts_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sts.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sts_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sts_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sts_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudFormation +####################### +data "aws_vpc_endpoint_service" "cloudformation" { + count = "${var.create_vpc && var.enable_cloudformation_endpoint ? 1 : 0}" + + service = "cloudformation" +} + +resource "aws_vpc_endpoint" "cloudformation" { + count = "${var.create_vpc && var.enable_cloudformation_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.cloudformation.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.cloudformation_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.cloudformation_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.cloudformation_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CodePipeline +####################### +data "aws_vpc_endpoint_service" "codepipeline" { + count = "${var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0}" + + service = "codepipeline" +} + +resource "aws_vpc_endpoint" "codepipeline" { + count = "${var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.codepipeline.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.codepipeline_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.codepipeline_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.codepipeline_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for appmesh_envoy_management +####################### +data "aws_vpc_endpoint_service" "appmesh_envoy_management" { + count = "${var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 1: 0}" + + service = "appmesh_envoy_management" +} + +resource "aws_vpc_endpoint" "appmesh_envoy_management" { + count = "${var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 
1: 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.appmesh_envoy_management.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.appmesh_envoy_management_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.appmesh_envoy_management_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.appmesh_envoy_management_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Service Catalog +####################### +data "aws_vpc_endpoint_service" "servicecatalog" { + count = "${var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0}" + + service = "servicecatalog" +} + +resource "aws_vpc_endpoint" "servicecatalog" { + count = "${var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.servicecatalog.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.servicecatalog_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.servicecatalog_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.servicecatalog_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Storage Gateway +####################### +data "aws_vpc_endpoint_service" "storagegateway" { + count = "${var.create_vpc && var.enable_storagegateway_endpoint ? 1 : 0}" + + service = "storagegateway" +} + +resource "aws_vpc_endpoint" "storagegateway" { + count = "${var.create_vpc && var.enable_storagegateway_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.storagegateway.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.storagegateway_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.storagegateway_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.storagegateway_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Transfer +####################### +data "aws_vpc_endpoint_service" "transfer" { + count = "${var.create_vpc && var.enable_transfer_endpoint ? 1 : 0}" + + service = "transfer" +} + +resource "aws_vpc_endpoint" "transfer" { + count = "${var.create_vpc && var.enable_transfer_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.transfer.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.transfer_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.transfer_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.transfer_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Sagemaker API +####################### +data "aws_vpc_endpoint_service" "sagemaker_api" { + count = "${var.create_vpc && var.enable_sagemaker_api_endpoint ? 1 : 0}" + + service = "sagemaker_api" +} + +resource "aws_vpc_endpoint" "sagemaker_api" { + count = "${var.create_vpc && var.enable_sagemaker_api_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sagemaker_api.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sagemaker_api_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sagemaker_api_endpoint_subnet_ids,aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sagemaker_api_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for SAGEMAKER.RUNTIME +####################### +data "aws_vpc_endpoint_service" "sagemaker_runtime" { + count = "${var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0}" + + service = "sagemaker.runtime" +} + +resource "aws_vpc_endpoint" "sagemaker.runtime" { + count = "${var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sagemaker_runtime.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sagemaker_runtime_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sagemaker_runtime_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sagemaker_runtime_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} From 58aad070822b47ef4e9e3afae6a2503c7e9c6af0 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Tue, 3 Sep 2019 11:19:51 +0200 Subject: [PATCH 2/2] Updated CHANGELOG --- CHANGELOG.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3c444d216..b649675dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -3,9 +3,16 @@ + +## [v1.69.0] - 2019-09-03 + +- Added VPC endpoints from [#311](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/311) to Terraform 0.11 branch ([#319](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/319)) + + ## [v1.68.0] - 2019-09-02 +- Updated CHANGELOG - Add tags to VPC Endpoints ([#293](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/293)) - Updated CHANGELOG - Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS ([#274](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/274)) @@ -577,13 +584,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -661,7 +668,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.68.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.69.0...HEAD +[v1.69.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.68.0...v1.69.0 [v1.68.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.12.0...v1.68.0 [v2.12.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.11.0...v2.12.0 [v2.11.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.10.0...v2.11.0 
@@ -742,9 +750,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0
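Review bot: the `service` strings in two of the new `aws_vpc_endpoint_service` data sources in the vpc-endpoint.tf hunk do not look like AWS service names: `service = "appmesh_envoy_management"` and `service = "sagemaker_api"` use underscores, while the neighbouring block uses `service = "sagemaker.runtime"`. The data source matches this value verbatim against `com.amazonaws.<region>.<service>`, and AWS publishes those services as `appmesh-envoy-management` and `sagemaker.api`, so enabling either endpoint will fail at plan time with no matching endpoint service. Second, the resource label `resource "aws_vpc_endpoint" "sagemaker.runtime"` contains a dot: it differs from the data source label `sagemaker_runtime`, makes a reference like `aws_vpc_endpoint.sagemaker.runtime.id` ambiguous to the 0.11 interpolation parser, and is rejected outright by Terraform 0.12, so it should be `sagemaker_runtime` to match the other blocks. Style: `? 1: 0` in the appmesh count and `coalescelist(var.sagemaker_api_endpoint_subnet_ids,aws_subnet.private.*.id)` are the only places that diverge from the spacing used everywhere else in the file. Finally, every new block sets `security_group_ids = ["${var.<name>_endpoint_security_group_ids}"]`; when that list is left empty AWS attaches the VPC's default security group to the endpoint ENIs, which is worth stating in the README variable descriptions so users pass an explicit group that only allows 443 from the intended clients.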
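Review bot: the first CHANGELOG.md hunk adds a `- Updated CHANGELOG` bullet under the existing `## [v1.68.0] - 2019-09-02` section; that is release-tool noise rather than a change that shipped in 1.68.0 and should be dropped so the section stays as it was. The new `## [v1.69.0] - 2019-09-03` entry and its description are fine.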
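Review bot: the remaining CHANGELOG.md hunks (the `## [v1.5.1]` / `## [v1.5.0]` swap and the three rewritten compare links ending in `[v1.5.0]: .../compare/v1.4.0...v1.5.0`) are unrelated to the 1.69.0 release. The new ordering and ranges are internally consistent, v1.4.0 to v1.5.0 to v1.5.1 to v1.4.1, whereas the old links compared v1.5.1 to v1.5.0 backwards, so the change is an improvement, but it would be easier to audit as its own commit than folded into "Updated CHANGELOG".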