terraform-training/NetworkContentDelivery/Exercise3/main.tf

data "aws_availability_zones" "available" {}

module "Vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "5.8.1"

  name = var.VpcName
  cidr = var.VpcCidr
  azs  = slice(data.aws_availability_zones.available.names, 0, 2)

  private_subnets          = var.PrivateSubnets
  private_subnet_names     = ["${var.VpcName}Private1", "${var.VpcName}Private2"]
  enable_dns_hostnames     = true
  enable_dns_support       = true
  enable_nat_gateway       = false
  enable_dhcp_options      = true
  dhcp_options_domain_name = "${var.VpcName}.aws"
}

module "VpcEndpoints" {
  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
  version = "5.8.1"

  vpc_id                = module.Vpc.vpc_id
  create_security_group = false
  endpoints = {
    s3 = {
      service      = "s3"
      service_type = "Gateway"
      route_table_ids = flatten([
        module.Vpc.intra_route_table_ids, module.Vpc.private_route_table_ids, module.Vpc.public_route_table_ids
      ])
      policy = data.aws_iam_policy_document.s3_endpoint_policy.json
      tags   = { Name = "S3VpcEp" }
    },
    dynamodb = {
      service      = "dynamodb"
      service_type = "Gateway"
      route_table_ids = flatten([
        module.Vpc.intra_route_table_ids, module.Vpc.private_route_table_ids, module.Vpc.public_route_table_ids
      ])
      policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
      tags   = { Name = "DynamodbVpcEp" }
    }
  }
}

data "aws_iam_policy_document" "s3_endpoint_policy" {
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpc"

      values = [module.Vpc.vpc_id]
    }
  }
}

data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
  statement {
    effect    = "Deny"
    actions   = ["dynamodb:*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "StringNotEquals"
      variable = "aws:sourceVpc"

      values = [module.Vpc.vpc_id]
    }
  }
}
NEW: Exercise 3 2024-05-30 17:09:10 +08:00			`data "aws_availability_zones" "available" {}`

			`module "Vpc" {`
			`source = "terraform-aws-modules/vpc/aws"`
			`version = "5.8.1"`

			`name = var.VpcName`
			`cidr = var.VpcCidr`
			`azs = slice(data.aws_availability_zones.available.names, 0, 2)`

			`private_subnets = var.PrivateSubnets`
			`private_subnet_names = ["${var.VpcName}Private1", "${var.VpcName}Private2"]`
			`enable_dns_hostnames = true`
			`enable_dns_support = true`
			`enable_nat_gateway = false`
			`enable_dhcp_options = true`
			`dhcp_options_domain_name = "${var.VpcName}.aws"`
			`}`

			`module "VpcEndpoints" {`
			`source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"`
			`version = "5.8.1"`

			`vpc_id = module.Vpc.vpc_id`
			`create_security_group = false`
			`endpoints = {`
			`s3 = {`
			`service = "s3"`
			`service_type = "Gateway"`
			`route_table_ids = flatten([`
			`module.Vpc.intra_route_table_ids, module.Vpc.private_route_table_ids, module.Vpc.public_route_table_ids`
			`])`
			`policy = data.aws_iam_policy_document.s3_endpoint_policy.json`
			`tags = { Name = "S3VpcEp" }`
			`},`
			`dynamodb = {`
			`service = "dynamodb"`
			`service_type = "Gateway"`
			`route_table_ids = flatten([`
			`module.Vpc.intra_route_table_ids, module.Vpc.private_route_table_ids, module.Vpc.public_route_table_ids`
			`])`
			`policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json`
			`tags = { Name = "DynamodbVpcEp" }`
			`}`
			`}`
			`}`

			`data "aws_iam_policy_document" "s3_endpoint_policy" {`
			`statement {`
			`effect = "Deny"`
			`actions = ["s3:*"]`
			`resources = ["*"]`

			`principals {`
			`type = "*"`
			`identifiers = ["*"]`
			`}`

			`condition {`
			`test = "StringNotEquals"`
			`variable = "aws:sourceVpc"`

			`values = [module.Vpc.vpc_id]`
			`}`
			`}`
			`}`

			`data "aws_iam_policy_document" "dynamodb_endpoint_policy" {`
			`statement {`
			`effect = "Deny"`
			`actions = ["dynamodb:*"]`
			`resources = ["*"]`

			`principals {`
			`type = "*"`
			`identifiers = ["*"]`
			`}`

			`condition {`
			`test = "StringNotEquals"`
			`variable = "aws:sourceVpc"`

			`values = [module.Vpc.vpc_id]`
			`}`
			`}`
			`}`