Commit

feat: add vpc endpoint policies to supported services (#601)
* feat: add vpc endpoint policies to supported services

* chore: empty commit to re-run

* chore: Run pre-commit terraform_docs hook

Co-authored-by: Anton Babenko <anton@antonbabenko.com>
bryantbiggs and antonbabenko authored Feb 23, 2021
1 parent bbfd33e commit 93a6f40
Showing 7 changed files with 394 additions and 93 deletions.
100 changes: 67 additions & 33 deletions README.md


4 changes: 3 additions & 1 deletion examples/complete-vpc/README.md
@@ -40,7 +40,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP

| Name |
|------|
| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/security_group) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) |
| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) |

## Inputs

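Review bot: the regenerated table is consistent with main.tf (aws_iam_policy_document and aws_vpc_endpoint are both used there now), but the links move from the pinned `3.10` docs to `latest`. If the example pins a provider version in its versions.tf, `latest` pages can describe arguments that version does not have; linking the pinned version, as the old row did, keeps the README honest.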
50 changes: 50 additions & 0 deletions examples/complete-vpc/main.tf
@@ -59,6 +59,7 @@ module "vpc" {

# VPC endpoint for DynamoDB
enable_dynamodb_endpoint = true
dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json

# VPC endpoint for SSM
enable_ssm_endpoint = true
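Review bot: `dynamodb_endpoint_policy` is derived from `data.aws_vpc_endpoint.dynamodb`, which looks up the same endpoint that `enable_dynamodb_endpoint = true` asks this module call to create. On a fresh apply the data source is read once `module.vpc.vpc_id` is known, i.e. after the VPC exists but before the endpoint does, so the lookup can fail with "no matching VPC Endpoint found"; the "chore: empty commit to re-run" in the commit message hints this was hit. Either build the policy without the endpoint's own ID or document that the example needs two applies.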
@@ -77,6 +78,7 @@ module "vpc" {

# VPC Endpoint for EC2
enable_ec2_endpoint = true
ec2_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ec2_endpoint_private_dns_enabled = true
ec2_endpoint_security_group_ids = [data.aws_security_group.default.id]

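Review bot: `ec2_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json` attaches a document whose `StringNotEquals aws:sourceVpce` condition compares against `data.aws_vpc_endpoint.dynamodb.id`. A call through the EC2 interface endpoint carries that endpoint's own ID in `aws:sourceVpce`, never the DynamoDB one, so the `Deny *` statement matches every request and the endpoint rejects all EC2 API traffic. Give each endpoint its own policy document, or drop the source-VPCE condition entirely, since an endpoint policy is only evaluated for traffic that already traverses that endpoint.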
@@ -87,11 +89,13 @@ module "vpc" {

# VPC Endpoint for ECR API
enable_ecr_api_endpoint = true
ecr_api_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ecr_api_endpoint_private_dns_enabled = true
ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id]

# VPC Endpoint for ECR DKR
enable_ecr_dkr_endpoint = true
ecr_dkr_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ecr_dkr_endpoint_private_dns_enabled = true
ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id]

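Review bot: both ECR endpoints get the same `generic_endpoint_policy` keyed to the DynamoDB endpoint ID, and `ecr_api_endpoint_private_dns_enabled` / `ecr_dkr_endpoint_private_dns_enabled` are `true`, so inside the VPC the ECR API and registry hostnames resolve only to these endpoints; a policy that denies every request through them leaves no path for `ecr:GetAuthorizationToken` or a layer pull. Test an image pull from an instance in the VPC before merging; for ECR a more useful endpoint policy restricts `ecr:*` to this account's repositories rather than gating on `aws:sourceVpce`.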
@@ -142,3 +146,49 @@ module "vpc" {
Endpoint = "true"
}
}

# Data source used to avoid race condition
data "aws_vpc_endpoint" "dynamodb" {
vpc_id = module.vpc.vpc_id
service_name = "com.amazonaws.eu-west-1.dynamodb"
}

data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
statement {
effect = "Deny"
actions = ["dynamodb:*"]
resources = ["*"]

principals {
type = "*"
identifiers = ["*"]
}

condition {
test = "StringNotEquals"
variable = "aws:sourceVpce"

values = [data.aws_vpc_endpoint.dynamodb.id]
}
}
}

data "aws_iam_policy_document" "generic_endpoint_policy" {
statement {
effect = "Deny"
actions = ["*"]
resources = ["*"]

principals {
type = "*"
identifiers = ["*"]
}

condition {
test = "StringNotEquals"
variable = "aws:sourceVpce"

values = [data.aws_vpc_endpoint.dynamodb.id]
}
}
}
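Review bot: inside an endpoint's own policy `aws:sourceVpce` can only ever equal that endpoint's ID, because the policy is evaluated solely for requests that traverse it, so `StringNotEquals` against `data.aws_vpc_endpoint.dynamodb.id` in `dynamodb_endpoint_policy` is never true and the `Deny` does nothing; in `generic_endpoint_policy` the same DynamoDB ID is compared from other endpoints and the `Deny` always fires (the `values = [data.aws_vpc_endpoint.dynamodb.id]` on the second document looks like a copy-paste). Neither document has an `Allow`, so whichever way the service treats a Deny-only policy, it is not the intended "only via this endpoint" control. That pattern belongs on the DynamoDB table's IAM/resource policy; an endpoint policy should state which principals and resources may be reached through the endpoint, e.g. `Allow` on `dynamodb:*` limited to `aws:PrincipalAccount` of this account. Two smaller points: `service_name` hardcodes `eu-west-1`, where `"com.amazonaws.${data.aws_region.current.name}.dynamodb"` with a `data "aws_region" "current" {}` block would follow the provider region, and the comment `# Data source used to avoid race condition` should say which race it avoids, since the lookup itself depends on the endpoint the module creates from this policy.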
2 changes: 1 addition & 1 deletion examples/ipv6/README.md
@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP

| Name |
|------|
| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) |

## Inputs

12 changes: 6 additions & 6 deletions examples/vpc-flow-logs/README.md
@@ -47,12 +47,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP

| Name |
|------|
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
| [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) |

## Inputs


0 comments on commit 93a6f40
