UPD: changes from upstream

2023-07-06 12:02:34 +08:00 · 2023-07-06 12:02:34 +08:00 · 5dd9a8a9b4
commit 5dd9a8a9b4
parent e1373f2f62
4 changed files with 316 additions and 31 deletions
--- a/modules/networking/vpc-endpoints/README.md
+++ b/modules/networking/vpc-endpoints/README.md
@ -0,0 +1,258 @@
+# vpc-endpoints module
+This module deploys VPC endpoints.
+
+Automatically, this module performs the following additional tasks
+- Create and attach security group which allows access from the same VPC
+- Associate endpoints with 1 subnet in each availability zone
+
+# Inputs
+| Variable              | Type         | Required | Description                                     | 
+|-----------------------|--------------|----------|-------------------------------------------------|
+| voc-id                | string       | yes      | ID of VPC to deploy endpoints to                |
+| interface-ep-services | list(string) | yes      | Interface endpoint names                        |
+| gateway-ep-services   | list(string) | no       | Gateway endpoint names                          |
+| default-tags          | map          | yes      | Tags to add to resources                        | 
+| resource-prefix       | string       | yes      | Prefix that will be added to resource name tags |
+
+
+# Types of endpoints
+## Gateway endpoints
+At time of writing, AWS provides 2 gateway endpoints at no charge. These endpoints are deployed by default,
+unless an empty list `[]` is provided as input.
+* s3
+* dynamodb
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
+
+## Interface endpoints
+At time of writing, AWS provides 200+ interface endpoints:
+* access-analyzer
+* account
+* execute-api
+* appmesh
+* appmesh-envoy-management
+* apprunner
+* apprunner.requests
+* application-autoscaling
+* mgn
+* appstream.api
+* appstream.streaming
+* appsync-api
+* athena
+* auditmanager
+* rds
+* autoscaling-plans
+* backup
+* backup-gateway
+* batch
+* billingconductor
+* braket
+* cleanrooms
+* cloudcontrolapi
+* cloudcontrolapi-fips
+* clouddirectory
+* cloudformation
+* cloudhsmv2
+* cloudtrail
+* evidently
+* evidently-dataplane
+* monitoring
+* rum
+* rum-dataplane
+* synthetics
+* events
+* logs
+* codeartifact.api
+* codeartifact.repositories
+* codebuild
+* codebuild-fips
+* codecommit
+* codecommit-fips
+* git-codecommit
+* git-codecommit-fips
+* codedeploy
+* codedeploy-commands-secure
+* codeguru-profiler
+* codeguru-reviewer
+* codepipeline
+* codestar-connections.api
+* comprehend
+* comprehendmedical
+* config
+* app-integrations
+* cases
+* connect-campaigns
+* profile
+* voiceid
+* wisdom
+* dataexchange
+* dms
+* dms-fips
+* datasync
+* devops-guru
+* ds
+* ebs
+* ec2
+* autoscaling
+* imagebuilder
+* ecr.api
+* ecr.dkr
+* ecs
+* ecs-agent
+* ecs-telemetry
+* eks
+* elasticbeanstalk
+* elasticbeanstalk-health
+* drs
+* elasticfilesystem
+* elasticfilesystem-fips
+* elastic-inference.runtime
+* elasticloadbalancing
+* elasticache
+* elasticache-fips
+* elasticmapreduce
+* emr-containers
+* emr-serverless
+* events
+* fis
+* finspace
+* finspace-api
+* forecast
+* forecastquery
+* forecast-fips
+* forecastquery-fips
+* frauddetector
+* fsx
+* fsx-fips
+* glue
+* databrew
+* grafana
+* grafana-workspace
+* groundstation
+* guardduty-data
+* guardduty-data-fips
+* healthlake
+* identitystore
+* rolesanywhere
+* inspector2
+* iot.data
+* iot.fleethub.api
+* deviceadvisor.iot
+* iotwireless.api
+* lorawan.cups
+* lorawan.lns
+* iotfleetwise
+* greengrass
+* iotroborunner
+* iotsitewise.api
+* iotsitewise.data
+* iottwinmaker.api
+* iottwinmaker.data
+* kendra
+* kendra-ranking
+* kms
+* kms-fips
+* cassandra
+* cassandra-fips
+* kinesis-firehose
+* kinesis-streams
+* lakeformation
+* lambda
+* models-v2-lex
+* runtime-v2-lex
+* license-manager
+* license-manager-fips
+* lookoutequipment
+* lookoutmetrics
+* lookoutvision
+* macie2
+* m2
+* aps
+* aps-workspaces
+* airflow.api
+* airflow.env
+* airflow.ops
+* console
+* signin
+* memory-db
+* memorydb-fips
+* migrationhub-orchestrator
+* refactor-spaces
+* migrationhub-strategy
+* nimble
+* analytics-omics
+* control-storage-omics
+* storage-omics
+* tags-omics
+* workflows-omics
+* service-managed
+* panorama
+* payment-cryptography.controlplane
+* payment-cryptography.dataplane
+* personalize
+* personalize-events
+* personalize-runtime
+* pinpoint
+* pinpoint-sms-voice-v2
+* polly
+* private-networks
+* acm-pca
+* proton
+* qldb.session
+* rds
+* rds-data
+* redshift
+* redshift-fips
+* redshift-data
+* rekognition
+* rekognition-fips
+* streaming-rekognition
+* streaming-rekognition-fips
+* robomaker
+* s3
+* com.amazonaws.s3-global.accesspoint
+* s3-outposts
+* aws.sagemaker.region.notebook
+* aws.sagemaker.region.studio
+* sagemaker.api
+* sagemaker.featurestore-runtime
+* sagemaker.metrics
+* sagemaker.runtime
+* sagemaker.runtime-fips
+* secretsmanager
+* securityhub
+* sts
+* servicecatalog
+* servicecatalog-appregistry
+* email-smtp
+* simspaceweaver
+* snow-device-management
+* sns
+* sqs
+* swf
+* swf-fips
+* states
+* sync-states
+* storagegateway
+* ec2messages
+* ssm
+* ssm-contacts
+* ssm-incidents
+* ssmmessages
+* tnb
+* textract
+* textract-fips
+* transcribe
+* transcribestreaming
+* transcribe
+* transcribestreaming
+* transfer
+* transfer.server
+* translate
+* verifiedpermissions
+* vpc-lattice
+* workspaces
+* xray
+
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
--- a/modules/networking/vpc-endpoints/main.tf
+++ b/modules/networking/vpc-endpoints/main.tf
@ -1,23 +1,45 @@
+data "aws_region" "this" {}
+
 resource "aws_vpc_endpoint" "vpc-interface-ep" {
-  for_each = toset(var.interface-ep-services)
+  for_each          = toset(var.interface-ep-services)
  vpc_id            = data.aws_vpc.this-vpc.id
-  service_name      = "com.amazonaws.${var.aws-region}.${each.value}"
+  service_name      = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
  vpc_endpoint_type = "Interface"

  security_group_ids = [
-    aws_security_group.generic-ep-sg.id,
+    aws_security_group.vpc-ep-sg.id,
  ]

  # deploy to all subnets
-  subnet_ids = data.aws_subnets.this-subnets.ids
+  subnet_ids = local.one_subnet_in_each_az

  private_dns_enabled = true
-  tags                =  merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
+  tags                = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
+
+  lifecycle {
+    precondition {
+      condition     = data.aws_vpc.this-vpc.enable_dns_support
+      error_message = "enableDnsSupport needs to be turned on."
+    }
+  }
 }

-resource "aws_security_group" "generic-ep-sg" {
-  name        = "HttpsAccessToVpcEndpoints"
-  description = "HttpsAccessToVpcEndpoints"
+resource "aws_vpc_endpoint" "vpc-gateway-ep" {
+  for_each          = toset(var.gateway-ep-services)
+  vpc_id            = data.aws_vpc.this-vpc.id
+  service_name      = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
+  vpc_endpoint_type = "Gateway"
+
+  tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
+}
+
+resource random_id rid {
+  byte_length = 2
+}
+
+resource "aws_security_group" "vpc-ep-sg" {
+  name        = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
+  description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
  vpc_id      = data.aws_vpc.this-vpc.id

  ingress {
@ -35,31 +57,36 @@ resource "aws_security_group" "generic-ep-sg" {
    cidr_blocks = ["0.0.0.0/0"]
  }

-  tags = merge({"Name": "VpcEpAccess"},var.default-tags)
+  tags = merge({ "Name" : "VpcEpAccess" }, var.default-tags)
 }

-resource "aws_vpc_endpoint" "vpc-gateway-ep" {
-  for_each = toset(var.gateway-ep-services)
-  vpc_id            = data.aws_vpc.this-vpc.id
-  service_name      = "com.amazonaws.${var.aws-region}.${each.value}"
-  vpc_endpoint_type = "Gateway"

-  tags                =  merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
-}

-data aws_vpc this-vpc {
+data "aws_vpc" "this-vpc" {
  id = var.vpc-id
-  lifecycle {
-    postcondition {
-      condition     = self.enable_dns_support == true
-      error_message = "The selected VPC must have DNS support enabled."
-    }
-  }
 }

-data aws_subnets this-subnets {
+data "aws_subnets" "this" {
  filter {
-    name = "vpc-id"
+    name   = "vpc-id"
    values = [var.vpc-id]
  }
+}
+
+data "aws_subnet" "this" {
+  for_each = toset(data.aws_subnets.this.ids)
+  id       = each.key
+}
+
+locals {
+  subnets_azs = {
+    for s in data.aws_subnet.this : s.availability_zone => s.id
+  }
+  one_subnet_in_each_az = compact([
+    for az in data.aws_availability_zones.this.names : lookup(local.subnets_azs, az, "")
+  ])
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
--- a/modules/networking/vpc-endpoints/provider.tf
+++ b/modules/networking/vpc-endpoints/provider.tf
@ -1,6 +1,6 @@
+# requires 1.3.0 for postcondition validation
+# https://learn.hashicorp.com/tutorials/terraform/custom-conditions
 terraform {
-  # requires 1.3.0 for postcondition validation
-  # https://learn.hashicorp.com/tutorials/terraform/custom-conditions
  required_version = "~> 1.3.0"
  required_providers {
    aws = {
--- a/modules/networking/vpc-endpoints/variables.tf
+++ b/modules/networking/vpc-endpoints/variables.tf
@ -1,12 +1,12 @@
 variable vpc-id {}
 variable interface-ep-services {
-  type = list
+  type = list(string)
+  description = "List of interface endpoint. E.g. dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"
 }
 variable gateway-ep-services {
-  type = list
+  type = list(string)
  default = ["s3","dynamodb"]
  description = "Gateway endpoints are free, so deploy for all supported services by default."
 }
 variable default-tags {}
-variable resource-prefix {}
-variable aws-region {}
+variable resource-prefix {}