feat: Add support for creating a security group for VPC endpoint(s)

[bryantbiggs]

Description

• Add support for creating a security group for VPC endpoint(s)

Motivation and Context

• VPC endpoints require a security group, and most of the interface endpoint services use https/443 - this change lets users makes these requirements easier for users when utilizing the VPC endpoint sub-module while also allowing them to extend its use

Breaking Changes

• No

How Has This Been Tested?

• I have updated at least one of the examples/* to demonstrate and validate my change(s)
• I have tested and validated these changes using one or more of the provided examples/* projects

• I have executed pre-commit run -a on my pull request

[bryantbiggs]

we don't need all of these - they just make the example take longer and cost more

[bryantbiggs]

default is false so we don't surprise users (like I did with the ALB module 🙃)

[antonbabenko]

This PR is included in version 5.1.0 🎉

[segoja7]

Hi @bryantbiggs

I think that the new feature to create security groups for vpc endpoints is not working.

module "vpc_endpoints" {
  source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version  = "5.1.0"
  vpc_id   = data.aws_vpc.vpc_datasource.id
  endpoints = {
    logs = {
      create              = true
      service             = "logs"
      private_dns_enabled = true
      create_security_group      = true
      security_group_description = "security group for cloudwatchlogs-vpc-endpoint"
      security_group_name_prefix = "cloudwatchlogs-vpc-endpoint-sg"
      security_group_rules  = {
      ingress = {
        from_port   = 443
        to_port     = 443
        protocol    = "tcp"
        description = "from 1.2.3.4/5:443"
        cidr_blocks = "0.0.0.0/0"
      }
      egress = {
        from_port   = -1
        to_port     = -1
        protocol    = "-1"
        description = "Allow all outgoing traffic"
        cidr_blocks = "0.0.0.0/0"
      }
    }
      subnet_ids = [for subnet_ids in data.aws_subnet.example : subnet_ids.id]
      tags       = { Name = "cloudwatchlogs-vpc-endpoint" }
    }
  }
}

This is my ouput in the console:

` # module.vpc_endpoints.aws_vpc_endpoint.this["logs"] will be created

• resource "aws_vpc_endpoint" "this" {

  • arn = (known after apply)

  • cidr_blocks = (known after apply)

  • dns_entry = (known after apply)

  • id = (known after apply)

  • ip_address_type = (known after apply)

  • network_interface_ids = (known after apply)

  • owner_id = (known after apply)

  • policy = (known after apply)

  • prefix_list_id = (known after apply)

  • private_dns_enabled = true

  • requester_managed = (known after apply)

  • route_table_ids = (known after apply)

  • security_group_ids = (known after apply)

  • service_name = "com.amazonaws.us-east-1.logs"

  • state = (known after apply)

  • subnet_ids = [

    • "subnet-123abc",
    • "subnet-456def",
      ]

  • tags = {

    • "Name" = "cloudwatchlogs-vpc-endpoint"
      }

  • tags_all = {

    • "Name" = "cloudwatchlogs-vpc-endpoint"
      }

  • vpc_endpoint_type = "Interface"

  • vpc_id = "vpc-123abc"

  • timeouts {

    • create = "10m"
    • delete = "10m"
    • update = "10m"
      }
      }

Plan: 1 to add, 0 to change, 0 to destroy.`

[bryantbiggs]

your code is incorrect

[segoja7]

Sorry for that, can you explain to me where is the error?

[bryantbiggs]

How have you tried checking/validating your code?

[segoja7]

My apologies, now is working.

module "vpc_endpoints" {
  source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version  = "5.1.0"
  vpc_id   = data.aws_vpc.vpc_datasource.id
  create_security_group = true
  create              = true
  security_group_description = "security group for logs-vpc-endpoint"
  security_group_name_prefix = "logs-vpc-endpoint-sg"
  security_group_rules  = {
      ingress = {
        from_port   = 443
        to_port     = 443
        protocol    = "tcp"
        description = "from 1.2.3.4/5:443"
        cidr_blocks = ["0.0.0.0/0"]
      }
      egress = {
        from_port   = -1
        to_port     = -1
        protocol    = "-1"
        description = "Allow all outgoing traffic"
        cidr_blocks = ["0.0.0.0/0"]
      }
    }
  endpoints = {
    logs = {
      service    = "logs"
      subnet_ids = [for subnet_ids in data.aws_subnet.example : subnet_ids.id]
      tags       = { Name = "logs-vpc-endpoint" }
    }
  }
}

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.