UPD: removing endpoint-5r module. It uses a single deployer role and does not require provider aliases

This commit is contained in:
xpk 2023-10-05 00:10:32 +08:00
parent 65232e3c8e
commit 395e4d729c
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
5 changed files with 19 additions and 440 deletions


@ -1,275 +0,0 @@
# vpc-endpoints module
This module deploys VPC endpoints.
Automatically, this module performs the following additional tasks
- Create and attach security group which allows access from the same VPC
- Associate endpoints with 1 subnet in each availability zone
# Inputs
| Variable | Type | Required | Description |
|-----------------------|--------------|----------|-------------------------------------------------|
| voc-id | string | yes | ID of VPC to deploy endpoints to |
| interface-ep-services | list(string) | yes | Interface endpoint names |
| gateway-ep-services | list(string) | no | Gateway endpoint names |
| resource-prefix | string | yes | Prefix that will be added to resource name tags |
# Types of endpoints
## Gateway endpoints
At time of writing, AWS provides 2 gateway endpoints at no charge.
* s3
* dynamodb
For gateway endpoints, all route tables in the VPC will be updated with routes to the private links.
Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
## Interface endpoints
Interface endpoints are placed in one subnet for every AZ. Security group is created automatically
and allow access from the VPC's cidr, plus all additional CIDRs if applicable.
At time of writing, AWS provides 200+ interface endpoints:
* access-analyzer
* account
* execute-api
* appmesh
* appmesh-envoy-management
* apprunner
* apprunner.requests
* application-autoscaling
* mgn
* appstream.api
* appstream.streaming
* appsync-api
* athena
* auditmanager
* rds
* autoscaling-plans
* backup
* backup-gateway
* batch
* billingconductor
* braket
* cleanrooms
* cloudcontrolapi
* cloudcontrolapi-fips
* clouddirectory
* cloudformation
* cloudhsmv2
* cloudtrail
* evidently
* evidently-dataplane
* monitoring
* rum
* rum-dataplane
* synthetics
* events
* logs
* codeartifact.api
* codeartifact.repositories
* codebuild
* codebuild-fips
* codecommit
* codecommit-fips
* git-codecommit
* git-codecommit-fips
* codedeploy
* codedeploy-commands-secure
* codeguru-profiler
* codeguru-reviewer
* codepipeline
* codestar-connections.api
* comprehend
* comprehendmedical
* config
* app-integrations
* cases
* connect-campaigns
* profile
* voiceid
* wisdom
* dataexchange
* dms
* dms-fips
* datasync
* devops-guru
* ds
* ebs
* ec2
* autoscaling
* imagebuilder
* ecr.api
* ecr.dkr
* ecs
* ecs-agent
* ecs-telemetry
* eks
* elasticbeanstalk
* elasticbeanstalk-health
* drs
* elasticfilesystem
* elasticfilesystem-fips
* elastic-inference.runtime
* elasticloadbalancing
* elasticache
* elasticache-fips
* elasticmapreduce
* emr-containers
* emr-serverless
* events
* fis
* finspace
* finspace-api
* forecast
* forecastquery
* forecast-fips
* forecastquery-fips
* frauddetector
* fsx
* fsx-fips
* glue
* databrew
* grafana
* grafana-workspace
* groundstation
* guardduty-data
* guardduty-data-fips
* healthlake
* identitystore
* rolesanywhere
* inspector2
* iot.data
* iot.fleethub.api
* deviceadvisor.iot
* iotwireless.api
* lorawan.cups
* lorawan.lns
* iotfleetwise
* greengrass
* iotroborunner
* iotsitewise.api
* iotsitewise.data
* iottwinmaker.api
* iottwinmaker.data
* kendra
* kendra-ranking
* kms
* kms-fips
* cassandra
* cassandra-fips
* kinesis-firehose
* kinesis-streams
* lakeformation
* lambda
* models-v2-lex
* runtime-v2-lex
* license-manager
* license-manager-fips
* lookoutequipment
* lookoutmetrics
* lookoutvision
* macie2
* m2
* aps
* aps-workspaces
* airflow.api
* airflow.env
* airflow.ops
* console
* signin
* memory-db
* memorydb-fips
* migrationhub-orchestrator
* refactor-spaces
* migrationhub-strategy
* nimble
* analytics-omics
* control-storage-omics
* storage-omics
* tags-omics
* workflows-omics
* service-managed
* panorama
* payment-cryptography.controlplane
* payment-cryptography.dataplane
* personalize
* personalize-events
* personalize-runtime
* pinpoint
* pinpoint-sms-voice-v2
* polly
* private-networks
* acm-pca
* proton
* qldb.session
* rds
* rds-data
* redshift
* redshift-fips
* redshift-data
* rekognition
* rekognition-fips
* streaming-rekognition
* streaming-rekognition-fips
* robomaker
* s3
* com.amazonaws.s3-global.accesspoint
* s3-outposts
* aws.sagemaker.region.notebook
* aws.sagemaker.region.studio
* sagemaker.api
* sagemaker.featurestore-runtime
* sagemaker.metrics
* sagemaker.runtime
* sagemaker.runtime-fips
* secretsmanager
* securityhub
* sts
* servicecatalog
* servicecatalog-appregistry
* email-smtp
* simspaceweaver
* snow-device-management
* sns
* sqs
* swf
* swf-fips
* states
* sync-states
* storagegateway
* ec2messages
* ssm
* ssm-contacts
* ssm-incidents
* ssmmessages
* tnb
* textract
* textract-fips
* transcribe
* transcribestreaming
* transcribe
* transcribestreaming
* transfer
* transfer.server
* translate
* verifiedpermissions
* vpc-lattice
* workspaces
* xray
Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
## Example
```hcl
module "vpc-ep" {
count = var.create-free-vpc-endpoints ? 1 : 0
source = "../vpc-endpoints"
gateway-ep-services = ["s3", "dynamodb"]
interface-ep-services = []
resource-prefix = var.resource-prefix
vpc-id = aws_vpc.vpc.id
}
```


@ -1,114 +0,0 @@
data "aws_region" "this" {
provider = aws.NetworkDeployer
}
data "aws_default_tags" "this" {
lifecycle {
postcondition {
condition = length(self.tags) >= 1
error_message = "Validation failed: Provider default_tags not set."
}
}
}
resource "aws_vpc_endpoint" "vpc-interface-ep" {
provider = aws.NetworkDeployer
for_each = toset(var.interface-ep-services)
vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
vpc_endpoint_type = "Interface"
security_group_ids = [
aws_security_group.vpc-ep-sg.id,
]
# deploy to all subnets
subnet_ids = local.one_subnet_in_each_az
private_dns_enabled = true
tags = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
lifecycle {
precondition {
condition = data.aws_vpc.this-vpc.enable_dns_support
error_message = "enableDnsSupport needs to be turned on."
}
}
}
resource "aws_vpc_endpoint" "vpc-gateway-ep" {
provider = aws.NetworkDeployer
for_each = toset(var.gateway-ep-services)
vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
vpc_endpoint_type = "Gateway"
route_table_ids = data.aws_route_tables.this.ids
tags = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
}
resource "random_id" "rid" {
byte_length = 2
}
resource "aws_security_group" "vpc-ep-sg" {
provider = aws.NetworkDeployer
name = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
vpc_id = data.aws_vpc.this-vpc.id
ingress {
description = "TLS from VPC"
from_port = 443
to_port = 443
protocol = "tcp"
# cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
cidr_blocks = data.aws_vpc.this-vpc.cidr_block_associations.*.cidr_block
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = { "Name" : "VpcEpAccess" }
}
data "aws_vpc" "this-vpc" {
provider = aws.NetworkDeployer
id = var.vpc-id
}
data "aws_availability_zones" "this" {
provider = aws.NetworkDeployer
state = "available"
}
# find all subnets for this vpc in all availability zones
data "aws_subnets" "subnets_and_az" {
provider = aws.NetworkDeployer
for_each = toset(data.aws_availability_zones.this.zone_ids)
filter {
name = "vpc-id"
values = [var.vpc-id]
}
filter {
name = "availability-zone-id"
values = [each.value]
}
}
data "aws_route_tables" "this" {
vpc_id = var.vpc-id
}
locals {
# pick first subnet in each AZ
one_subnet_in_each_az = compact([for k, v in data.aws_subnets.subnets_and_az : try(element(v.ids, length(v.ids) - 1), "")])
}


@ -1,12 +0,0 @@
# requires 1.3.0 for postcondition validation
# https://learn.hashicorp.com/tutorials/terraform/custom-conditions
terraform {
required_version = "~> 1.3.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.75.2"
configuration_aliases = [ aws.NetworkDeployer, aws.SecurityDeployer, aws.CommonDeployer ]
}
}
}


@ -1,18 +0,0 @@
variable vpc-id {}
variable interface-ep-services {
type = list(string)
description = "List of interface endpoint. E.g. dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"
}
variable gateway-ep-services {
type = list(string)
default = []
description = "s3 and dynamodb gateway endpoints are free."
}
variable resource-prefix {}
/*
variable secondary_cidrs {
type = list(string)
description = "Additional cidr blocks"
default = []
}
*/


@ -1,10 +1,10 @@
data "aws_caller_identity" "this" { data "aws_caller_identity" "this" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
} }
data "aws_availability_zones" "available-az" { data "aws_availability_zones" "available-az" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
state = "available" state = "available"
} }
data "aws_default_tags" "this" { data "aws_default_tags" "this" {
@ -22,7 +22,7 @@ locals {
} }
resource "aws_subnet" "private-subnets" { resource "aws_subnet" "private-subnets" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.private-subnet-cidrs) count = length(var.private-subnet-cidrs)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -34,7 +34,7 @@ resource "aws_subnet" "private-subnets" {
} }
resource "aws_subnet" "public-subnets" { resource "aws_subnet" "public-subnets" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.public-subnet-cidrs) count = length(var.public-subnet-cidrs)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -46,7 +46,7 @@ resource "aws_subnet" "public-subnets" {
} }
resource "aws_vpc" "vpc" { resource "aws_vpc" "vpc" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
cidr_block = var.vpc-cidr cidr_block = var.vpc-cidr
enable_dns_hostnames = true enable_dns_hostnames = true
@ -62,7 +62,7 @@ resource "aws_vpc" "vpc" {
} }
resource "aws_vpc_ipv4_cidr_block_association" "additional_cidr" { resource "aws_vpc_ipv4_cidr_block_association" "additional_cidr" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
for_each = toset(var.secondary_cidr_blocks) for_each = toset(var.secondary_cidr_blocks)
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -70,7 +70,7 @@ resource "aws_vpc_ipv4_cidr_block_association" "additional_cidr" {
} }
resource "aws_internet_gateway" "igw" { resource "aws_internet_gateway" "igw" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -81,7 +81,7 @@ resource "aws_internet_gateway" "igw" {
} }
resource "aws_eip" "ngw-eip" { resource "aws_eip" "ngw-eip" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = var.create-nat-gateway ? 1 : 0 count = var.create-nat-gateway ? 1 : 0
# deprecated # vpc = true # deprecated # vpc = true
@ -90,7 +90,7 @@ resource "aws_eip" "ngw-eip" {
} }
resource "aws_nat_gateway" "ngw" { resource "aws_nat_gateway" "ngw" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = var.create-nat-gateway ? 1 : 0 count = var.create-nat-gateway ? 1 : 0
allocation_id = aws_eip.ngw-eip[0].id allocation_id = aws_eip.ngw-eip[0].id
@ -103,7 +103,7 @@ resource "aws_nat_gateway" "ngw" {
} }
resource "aws_route_table" "public-route-table" { resource "aws_route_table" "public-route-table" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -113,7 +113,7 @@ resource "aws_route_table" "public-route-table" {
} }
resource "aws_route_table" "private-route-table" { resource "aws_route_table" "private-route-table" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.private-subnet-cidrs) > 0 ? 1 : 0 count = length(var.private-subnet-cidrs) > 0 ? 1 : 0
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
@ -123,7 +123,7 @@ resource "aws_route_table" "private-route-table" {
} }
resource "aws_route" "public-routes" { resource "aws_route" "public-routes" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.public-subnet-cidrs) > 0 ? 1 : 0 count = length(var.public-subnet-cidrs) > 0 ? 1 : 0
@ -133,7 +133,7 @@ resource "aws_route" "public-routes" {
} }
resource "aws_route" "private-routes" { resource "aws_route" "private-routes" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0 count = length(var.private-subnet-cidrs) > 0 && var.create-nat-gateway ? 1 : 0
@ -143,7 +143,7 @@ resource "aws_route" "private-routes" {
} }
resource "aws_route_table_association" "public_route_association" { resource "aws_route_table_association" "public_route_association" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(aws_subnet.public-subnets) count = length(aws_subnet.public-subnets)
route_table_id = aws_route_table.public-route-table[0].id route_table_id = aws_route_table.public-route-table[0].id
@ -151,7 +151,7 @@ resource "aws_route_table_association" "public_route_association" {
} }
resource "aws_route_table_association" "private_route_association" { resource "aws_route_table_association" "private_route_association" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
count = length(aws_subnet.private-subnets) count = length(aws_subnet.private-subnets)
route_table_id = aws_route_table.private-route-table[0].id route_table_id = aws_route_table.private-route-table[0].id
@ -164,7 +164,7 @@ this resource limits ingress and egress from and to itself
*/ */
resource "aws_default_security_group" "default-sg" { resource "aws_default_security_group" "default-sg" {
provider = aws.NetworkDeployer provider = aws.NetworkDeployer
vpc_id = aws_vpc.vpc.id vpc_id = aws_vpc.vpc.id
ingress { ingress {
@ -190,13 +190,11 @@ resource "aws_default_security_group" "default-sg" {
module "vpc-ep" { module "vpc-ep" {
providers = { providers = {
aws.NetworkDeployer = aws.NetworkDeployer aws = aws.NetworkDeployer
aws.CommonDeployer = aws.CommonDeployer
aws.SecurityDeployer = aws.SecurityDeployer
} }
count = var.create-free-vpc-endpoints ? 1 : 0 count = var.create-free-vpc-endpoints ? 1 : 0
source = "../vpc-endpoints-5r" source = "../vpc-endpoints"
gateway-ep-services = ["s3", "dynamodb"] gateway-ep-services = ["s3", "dynamodb"]
interface-ep-services = [] interface-ep-services = []