Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Missing VPC Endpoints #269

Merged
merged 21 commits into from
May 27, 2019
Merged
Show file tree
Hide file tree
Changes from 17 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 39 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,9 @@ These types of resources are supported:
* [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
* Gateway: S3, DynamoDB
* Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry
* Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing,
CloudTrail
* [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
* [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
* [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
Expand Down Expand Up @@ -263,6 +265,24 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no |
| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no |
| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | string | `"false"` | no |
| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list | `[]` | no |
| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | string | `"false"` | no |
| cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list | `[]` | no |
| cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | string | `"false"` | no |
| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | list | `[]` | no |
| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | string | `"false"` | no |
| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | list | `[]` | no |
| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | string | `"false"` | no |
| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list | `[]` | no |
| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | string | `"false"` | no |
| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | list | `[]` | no |
| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no |
| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no |
| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
Expand Down Expand Up @@ -456,6 +476,24 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
| vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
| vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
| vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
| vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
| vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
| vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
| vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
| vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
| vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
| vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
| vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
| vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
| vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
| vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
| vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |
| vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
| vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
| vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
| vpc\_id | The ID of the VPC |
| vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
| vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
Expand Down
136 changes: 135 additions & 1 deletion main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -898,12 +898,13 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
route_table_id = aws_route_table.public[0].id
}


#######################
# VPC Endpoint for SQS
#######################
data "aws_vpc_endpoint_service" "sqs" {
count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0

service = "sqs"
}

Expand Down Expand Up @@ -1152,6 +1153,139 @@ resource "aws_vpc_endpoint" "ecs_telemetry" {
private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for SNS
#######################
data "aws_vpc_endpoint_service" "sns" {
count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0

service = "sns"
}

resource "aws_vpc_endpoint" "sns" {
count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.sns[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.sns_endpoint_security_group_ids
subnet_ids = coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.sns_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for CloudWatch Monitoring
#######################
data "aws_vpc_endpoint_service" "monitoring" {
count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0

service = "monitoring"
}

resource "aws_vpc_endpoint" "monitoring" {
count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.monitoring[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.monitoring_endpoint_security_group_ids
subnet_ids = coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.monitoring_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for CloudWatch Logs
#######################
data "aws_vpc_endpoint_service" "logs" {
count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0

service = "logs"
}

resource "aws_vpc_endpoint" "logs" {
count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.logs[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.logs_endpoint_security_group_ids
subnet_ids = coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.logs_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for CloudWatch Events
#######################
data "aws_vpc_endpoint_service" "events" {
count = var.create_vpc && var.enable_events_endpoint ? 1 : 0

service = "events"
}

resource "aws_vpc_endpoint" "events" {
count = var.create_vpc && var.enable_events_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.events[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.events_endpoint_security_group_ids
subnet_ids = coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.events_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for Elastic Load Balancing
#######################
data "aws_vpc_endpoint_service" "elasticloadbalancing" {
count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0

service = "elasticloadbalancing"
}

resource "aws_vpc_endpoint" "elasticloadbalancing" {
count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.elasticloadbalancing[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.elasticloadbalancing_endpoint_security_group_ids
subnet_ids = coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.elasticloadbalancing_endpoint_private_dns_enabled
}


#######################
# VPC Endpoint for CloudTrail
#######################
data "aws_vpc_endpoint_service" "cloudtrail" {
count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0

service = "cloudtrail"
}

resource "aws_vpc_endpoint" "cloudtrail" {
count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.cloudtrail[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.cloudtrail_endpoint_security_group_ids
subnet_ids = coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.cloudtrail_endpoint_private_dns_enabled
}


##########################
# Route table association
##########################
Expand Down
90 changes: 90 additions & 0 deletions outputs.tf
Original file line number Diff line number Diff line change
Expand Up @@ -528,6 +528,96 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" {
value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
}

output "vpc_endpoint_sns_id" {
description = "The ID of VPC endpoint for SNS"
value = concat(aws_vpc_endpoint.sns.*.id, [""])[0]
}

output "vpc_endpoint_sns_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for SNS."
value = flatten(aws_vpc_endpoint.sns.*.network_interface_ids)
}

output "vpc_endpoint_sns_dns_entry" {
description = "The DNS entries for the VPC Endpoint for SNS."
value = flatten(aws_vpc_endpoint.sns.*.dns_entry)
}

output "vpc_endpoint_monitoring_id" {
description = "The ID of VPC endpoint for CloudWatch Monitoring"
value = concat(aws_vpc_endpoint.monitoring.*.id, [""])[0]
}

output "vpc_endpoint_monitoring_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring."
value = flatten(aws_vpc_endpoint.monitoring.*.network_interface_ids)
}

output "vpc_endpoint_monitoring_dns_entry" {
description = "The DNS entries for the VPC Endpoint for CloudWatch Monitoring."
value = flatten(aws_vpc_endpoint.monitoring.*.dns_entry)
}

output "vpc_endpoint_logs_id" {
description = "The ID of VPC endpoint for CloudWatch Logs"
value = concat(aws_vpc_endpoint.logs.*.id, [""])[0]
}

output "vpc_endpoint_logs_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for CloudWatch Logs."
value = flatten(aws_vpc_endpoint.logs.*.network_interface_ids)
}

output "vpc_endpoint_logs_dns_entry" {
description = "The DNS entries for the VPC Endpoint for CloudWatch Logs."
value = flatten(aws_vpc_endpoint.logs.*.dns_entry)
}

output "vpc_endpoint_events_id" {
description = "The ID of VPC endpoint for CloudWatch Events"
value = concat(aws_vpc_endpoint.events.*.id, [""])[0]
}

output "vpc_endpoint_events_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for CloudWatch Events."
value = flatten(aws_vpc_endpoint.events.*.network_interface_ids)
}

output "vpc_endpoint_events_dns_entry" {
description = "The DNS entries for the VPC Endpoint for CloudWatch Events."
value = flatten(aws_vpc_endpoint.events.*.dns_entry)
}

output "vpc_endpoint_elasticloadbalancing_id" {
description = "The ID of VPC endpoint for Elastic Load Balancing"
value = concat(aws_vpc_endpoint.elasticloadbalancing.*.id, [""])[0]
}

output "vpc_endpoint_elasticloadbalancing_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for Elastic Load Balancing."
value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.network_interface_ids)
}

output "vpc_endpoint_elasticloadbalancing_dns_entry" {
description = "The DNS entries for the VPC Endpoint for Elastic Load Balancing."
value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.dns_entry)
}

output "vpc_endpoint_cloudtrail_id" {
description = "The ID of VPC endpoint for CloudTrail"
value = concat(aws_vpc_endpoint.cloudtrail.*.id, [""])[0]
}

output "vpc_endpoint_cloudtrail_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for CloudTrail."
value = flatten(aws_vpc_endpoint.cloudtrail.*.network_interface_ids)
}

output "vpc_endpoint_cloudtrail_dns_entry" {
description = "The DNS entries for the VPC Endpoint for CloudTrail."
value = flatten(aws_vpc_endpoint.cloudtrail.*.dns_entry)
}

# Static values (arguments)
output "azs" {
description = "A list of availability zones specified as argument to this module"
Expand Down
Loading