Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add logic for vpce url overrides and fips endpoints #113

Merged
merged 4 commits into from
Mar 22, 2024
Merged

feat: add logic for vpce url overrides and fips endpoints #113

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
86de9c4
feat: add logic for vpce url overrides and fips endpoints
zack-is-cool Mar 22, 2024
78b4ce5
default this to false
zack-is-cool Mar 22, 2024
dc5be13
Merge branch 'main' into feat/add-vpc-endpoint-url-overrides
zack-is-cool Mar 22, 2024
17bf474
naming
zack-is-cool Mar 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,8 @@ To view examples for how you can leverage this VPC Module, please see the [examp

| Name | Source | Version |
|------|--------|---------|
| <a name="module_vpc"></a> [vpc](#module\_vpc) | git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git | v5.6.0 |
| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints | v5.6.0 |
| <a name="module_vpc"></a> [vpc](#module\_vpc) | git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git | v5.7.0 |
| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints | v5.7.0 |

## Resources

Expand All @@ -37,6 +37,7 @@ To view examples for how you can leverage this VPC Module, please see the [examp
| [aws_security_group.vpc_smtp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
| [aws_iam_policy_document.ecr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |

## Inputs
Expand All @@ -47,6 +48,7 @@ To view examples for how you can leverage this VPC Module, please see the [examp
| <a name="input_create_database_subnet_group"></a> [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Create database subnet group | `bool` | `true` | no |
| <a name="input_create_default_vpc_endpoints"></a> [create\_default\_vpc\_endpoints](#input\_create\_default\_vpc\_endpoints) | Creates a default set of VPC endpoints. | `bool` | `true` | no |
| <a name="input_database_subnets"></a> [database\_subnets](#input\_database\_subnets) | List of database subnets inside the VPC | `list(string)` | `[]` | no |
| <a name="input_enable_fips_vpce"></a> [enable\_fips\_vpce](#input\_enable\_fips\_vpce) | Enable FIPS endpoints for VPC endpoints. | `bool` | `false` | no |
| <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Enable NAT gateway | `bool` | `false` | no |
| <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | Tenancy of instances launched into the VPC.<br>Valid values are "default" or "dedicated".<br>EKS does not support dedicated tenancy. | `string` | `"default"` | no |
| <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Tags to apply to intra subnets | `map(string)` | `{}` | no |
Expand Down
31 changes: 25 additions & 6 deletions main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
data "aws_region" "current" {}

data "aws_iam_policy_document" "ecr" {
# checkov:skip=CKV_AWS_283: This policy allows EKS to access the regional ecr via a private VPC endpoint.
# checkov:skip=CKV_AWS_111: Cannot constrain down resources without knowing specific ECR Repo information.
Expand Down Expand Up @@ -65,7 +67,7 @@ locals {

module "vpc" {
#checkov:skip=CKV_TF_1: using ref to a specific version
source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.6.0"
source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git?ref=v5.7.0"

name = var.name
cidr = var.vpc_cidr
Expand Down Expand Up @@ -134,114 +136,131 @@ resource "aws_ec2_subnet_cidr_reservation" "this" {
module "vpc_endpoints" {
#checkov:skip=CKV_TF_1: using ref to a specific version
count = var.create_default_vpc_endpoints ? 1 : 0
source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.6.0"
source = "git::https://github.com/terraform-aws-modules/terraform-aws-vpc.git//modules/vpc-endpoints?ref=v5.7.0"

vpc_id = module.vpc.vpc_id
security_group_ids = [data.aws_security_group.default.id]

endpoints = {
s3 = {
service = "s3"
service_type = "Gateway"
tags = { Name = "s3-vpc-endpoint" }
route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
service = "s3"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.s3"
service_type = "Gateway"
tags = { Name = "s3-vpc-endpoint" }
route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
},
dynamodb = {
service = "dynamodb"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
service_type = "Gateway"
route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
security_group_ids = [aws_security_group.vpc_tls[0].id]
tags = { Name = "dynamodb-vpc-endpoint" }
},
ssm = {
service = "ssm"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ssm"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
ssmmessages = {
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ssmmessages"
service = "ssmmessages"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
lambda = {
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.lambda"
service = "lambda"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
sts = {
service = "sts"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.sts"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
logs = {
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.logs"
service = "logs"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
ec2 = {
service = "ec2"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ec2"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
ec2messages = {
service = "ec2messages"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ec2messages"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
ecr_api = {
service = "ecr.api"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ecr.api"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
policy = data.aws_iam_policy_document.ecr.json
},
ecr_dkr = {
service = "ecr.dkr"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.ecr.dkr"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
policy = data.aws_iam_policy_document.ecr.json
},
kms = {
service = "kms"
service_endpoint = var.enable_fips_vpce ? "com.amazonaws.${data.aws_region.current.name}.kms-fips" : "com.amazonaws.${data.aws_region.current.name}.kms"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
autoscaling = {
service = "autoscaling"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.autoscaling"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
elasticloadbalancing = {
service = "elasticloadbalancing"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.elasticloadbalancing"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
efs = {
service = "elasticfilesystem"
service_endpoint = var.enable_fips_vpce ? "com.amazonaws.${data.aws_region.current.name}.elasticfilesystem-fips" : "com.amazonaws.${data.aws_region.current.name}.elasticfilesystem"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
},
secretsmanager = {
service = "secretsmanager"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.secretsmanager"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_tls[0].id]
},
email_smtp = {
service = "email-smtp"
service_endpoint = "com.amazonaws.${data.aws_region.current.name}.email-smtp"
private_dns_enabled = true
subnet_ids = module.vpc.private_subnets
security_group_ids = [aws_security_group.vpc_smtp[0].id]
Expand Down
6 changes: 6 additions & 0 deletions variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -116,3 +116,9 @@ variable "create_default_vpc_endpoints" {
type = bool
default = true
}

variable "enable_fips_vpce" {
description = "Enable FIPS endpoints for VPC endpoints."
type = bool
default = false
}
Loading