From 5dd9a8a9b4ee80cb4b7dc762e58b5269d8a36d9a Mon Sep 17 00:00:00 2001
From: xpk
Date: Thu, 6 Jul 2023 12:02:34 +0800
Subject: [PATCH] UPD: changes from upstream

---
 modules/networking/vpc-endpoints/README.md | 258 ++++++++++++++++++
 modules/networking/vpc-endpoints/main.tf | 77 ++++--
 modules/networking/vpc-endpoints/provider.tf | 4 +-
 modules/networking/vpc-endpoints/variables.tf | 8 +-
 4 files changed, 316 insertions(+), 31 deletions(-)
 create mode 100644 modules/networking/vpc-endpoints/README.md

diff --git a/modules/networking/vpc-endpoints/README.md b/modules/networking/vpc-endpoints/README.md
new file mode 100644
index 0000000..25ccca6
--- /dev/null
+++ b/modules/networking/vpc-endpoints/README.md
@@ -0,0 +1,258 @@
+# vpc-endpoints module
+This module deploys VPC endpoints.
+
+Automatically, this module performs the following additional tasks
+- Create and attach security group which allows access from the same VPC
+- Associate endpoints with 1 subnet in each availability zone
+
+# Inputs
+| Variable | Type | Required | Description |
+|-----------------------|--------------|----------|-------------------------------------------------|
+| voc-id | string | yes | ID of VPC to deploy endpoints to |
+| interface-ep-services | list(string) | yes | Interface endpoint names |
+| gateway-ep-services | list(string) | no | Gateway endpoint names |
+| default-tags | map | yes | Tags to add to resources |
+| resource-prefix | string | yes | Prefix that will be added to resource name tags |
+
+
+# Types of endpoints
+## Gateway endpoints
+At time of writing, AWS provides 2 gateway endpoints at no charge. These endpoints are deployed by default,
+unless an empty list `[]` is provided as input.
+* s3
+* dynamodb
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
+
+## Interface endpoints
+At time of writing, AWS provides 200+ interface endpoints:
+* access-analyzer
+* account
+* execute-api
+* appmesh
+* appmesh-envoy-management
+* apprunner
+* apprunner.requests
+* application-autoscaling
+* mgn
+* appstream.api
+* appstream.streaming
+* appsync-api
+* athena
+* auditmanager
+* rds
+* autoscaling-plans
+* backup
+* backup-gateway
+* batch
+* billingconductor
+* braket
+* cleanrooms
+* cloudcontrolapi
+* cloudcontrolapi-fips
+* clouddirectory
+* cloudformation
+* cloudhsmv2
+* cloudtrail
+* evidently
+* evidently-dataplane
+* monitoring
+* rum
+* rum-dataplane
+* synthetics
+* events
+* logs
+* codeartifact.api
+* codeartifact.repositories
+* codebuild
+* codebuild-fips
+* codecommit
+* codecommit-fips
+* git-codecommit
+* git-codecommit-fips
+* codedeploy
+* codedeploy-commands-secure
+* codeguru-profiler
+* codeguru-reviewer
+* codepipeline
+* codestar-connections.api
+* comprehend
+* comprehendmedical
+* config
+* app-integrations
+* cases
+* connect-campaigns
+* profile
+* voiceid
+* wisdom
+* dataexchange
+* dms
+* dms-fips
+* datasync
+* devops-guru
+* ds
+* ebs
+* ec2
+* autoscaling
+* imagebuilder
+* ecr.api
+* ecr.dkr
+* ecs
+* ecs-agent
+* ecs-telemetry
+* eks
+* elasticbeanstalk
+* elasticbeanstalk-health
+* drs
+* elasticfilesystem
+* elasticfilesystem-fips
+* elastic-inference.runtime
+* elasticloadbalancing
+* elasticache
+* elasticache-fips
+* elasticmapreduce
+* emr-containers
+* emr-serverless
+* events
+* fis
+* finspace
+* finspace-api
+* forecast
+* forecastquery
+* forecast-fips
+* forecastquery-fips
+* frauddetector
+* fsx
+* fsx-fips
+* glue
+* databrew
+* grafana
+* grafana-workspace
+* groundstation
+* guardduty-data
+* guardduty-data-fips
+* healthlake
+* identitystore
+* rolesanywhere
+* inspector2
+* iot.data
+* iot.fleethub.api
+* deviceadvisor.iot
+* iotwireless.api
+* lorawan.cups
+* lorawan.lns
+* iotfleetwise
+* greengrass
+* iotroborunner
+* iotsitewise.api
+* iotsitewise.data
+* iottwinmaker.api
+* iottwinmaker.data
+* kendra
+* kendra-ranking
+* kms
+* kms-fips
+* cassandra
+* cassandra-fips
+* kinesis-firehose
+* kinesis-streams
+* lakeformation
+* lambda
+* models-v2-lex
+* runtime-v2-lex
+* license-manager
+* license-manager-fips
+* lookoutequipment
+* lookoutmetrics
+* lookoutvision
+* macie2
+* m2
+* aps
+* aps-workspaces
+* airflow.api
+* airflow.env
+* airflow.ops
+* console
+* signin
+* memory-db
+* memorydb-fips
+* migrationhub-orchestrator
+* refactor-spaces
+* migrationhub-strategy
+* nimble
+* analytics-omics
+* control-storage-omics
+* storage-omics
+* tags-omics
+* workflows-omics
+* service-managed
+* panorama
+* payment-cryptography.controlplane
+* payment-cryptography.dataplane
+* personalize
+* personalize-events
+* personalize-runtime
+* pinpoint
+* pinpoint-sms-voice-v2
+* polly
+* private-networks
+* acm-pca
+* proton
+* qldb.session
+* rds
+* rds-data
+* redshift
+* redshift-fips
+* redshift-data
+* rekognition
+* rekognition-fips
+* streaming-rekognition
+* streaming-rekognition-fips
+* robomaker
+* s3
+* com.amazonaws.s3-global.accesspoint
+* s3-outposts
+* aws.sagemaker.region.notebook
+* aws.sagemaker.region.studio
+* sagemaker.api
+* sagemaker.featurestore-runtime
+* sagemaker.metrics
+* sagemaker.runtime
+* sagemaker.runtime-fips
+* secretsmanager
+* securityhub
+* sts
+* servicecatalog
+* servicecatalog-appregistry
+* email-smtp
+* simspaceweaver
+* snow-device-management
+* sns
+* sqs
+* swf
+* swf-fips
+* states
+* sync-states
+* storagegateway
+* ec2messages
+* ssm
+* ssm-contacts
+* ssm-incidents
+* ssmmessages
+* tnb
+* textract
+* textract-fips
+* transcribe
+* transcribestreaming
+* transcribe
+* transcribestreaming
+* transfer
+* transfer.server
+* translate
+* verifiedpermissions
+* vpc-lattice
+* workspaces
+* xray
+
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
diff --git a/modules/networking/vpc-endpoints/main.tf b/modules/networking/vpc-endpoints/main.tf
index 584c1b7..da98681 100644
--- a/modules/networking/vpc-endpoints/main.tf
+++ b/modules/networking/vpc-endpoints/main.tf
@@ -1,23 +1,45 @@
+data "aws_region" "this" {}
+
 resource "aws_vpc_endpoint" "vpc-interface-ep" {
-  for_each = toset(var.interface-ep-services)
+  for_each = toset(var.interface-ep-services)
   vpc_id = data.aws_vpc.this-vpc.id
-  service_name = "com.amazonaws.${var.aws-region}.${each.value}"
+  service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
   vpc_endpoint_type = "Interface"
   security_group_ids = [
-    aws_security_group.generic-ep-sg.id,
+    aws_security_group.vpc-ep-sg.id,
   ]
   # deploy to all subnets
-  subnet_ids = data.aws_subnets.this-subnets.ids
+  subnet_ids = local.one_subnet_in_each_az
   private_dns_enabled = true
-  tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
+  tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
+
+  lifecycle {
+    precondition {
+      condition = data.aws_vpc.this-vpc.enable_dns_support
+      error_message = "enableDnsSupport needs to be turned on."
+    }
+  }
 }
-resource "aws_security_group" "generic-ep-sg" {
-  name = "HttpsAccessToVpcEndpoints"
-  description = "HttpsAccessToVpcEndpoints"
+resource "aws_vpc_endpoint" "vpc-gateway-ep" {
+  for_each = toset(var.gateway-ep-services)
+  vpc_id = data.aws_vpc.this-vpc.id
+  service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
+  vpc_endpoint_type = "Gateway"
+
+  tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
+}
+
+resource random_id rid {
+  byte_length = 2
+}
+
+resource "aws_security_group" "vpc-ep-sg" {
+  name = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
+  description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
   vpc_id = data.aws_vpc.this-vpc.id
   ingress {
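Review bot: The new precondition on `aws_vpc_endpoint.vpc-interface-ep` checks only `enable_dns_support`, yet the same resource sets `private_dns_enabled = true`, and AWS private DNS for interface endpoints also requires the VPC's DNS hostnames setting, so a VPC with hostnames disabled passes the check and fails at apply time. Consider `condition = data.aws_vpc.this-vpc.enable_dns_support && data.aws_vpc.this-vpc.enable_dns_hostnames` with an error message that names both settings. The retained context comment `# deploy to all subnets` above `subnet_ids = local.one_subnet_in_each_az` is now stale; `# one subnet per availability zone, selected in locals` matches the new behaviour. `resource random_id rid` uses unquoted labels while this same patch quotes them everywhere else (`resource "random_id" "rid"`), and the `random` provider does not appear in the visible `required_providers` in provider.tf, so it is worth confirming it is declared there rather than resolved implicitly.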
@@ -35,31 +57,36 @@ resource "aws_security_group" "generic-ep-sg" {
     cidr_blocks = ["0.0.0.0/0"]
   }
-  tags = merge({"Name": "VpcEpAccess"},var.default-tags)
+  tags = merge({ "Name" : "VpcEpAccess" }, var.default-tags)
 }
-resource "aws_vpc_endpoint" "vpc-gateway-ep" {
-  for_each = toset(var.gateway-ep-services)
-  vpc_id = data.aws_vpc.this-vpc.id
-  service_name = "com.amazonaws.${var.aws-region}.${each.value}"
-  vpc_endpoint_type = "Gateway"
-  tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
-}
-data aws_vpc this-vpc {
+data "aws_vpc" "this-vpc" {
   id = var.vpc-id
-  lifecycle {
-    postcondition {
-      condition = self.enable_dns_support == true
-      error_message = "The selected VPC must have DNS support enabled."
-    }
-  }
 }
-data aws_subnets this-subnets {
+data "aws_subnets" "this" {
   filter {
-    name = "vpc-id"
+    name = "vpc-id"
     values = [var.vpc-id]
   }
+}
+
+data "aws_subnet" "this" {
+  for_each = toset(data.aws_subnets.this.ids)
+  id = each.key
+}
+
+locals {
+  subnets_azs = {
+    for s in data.aws_subnet.this : s.availability_zone => s.id
+  }
+  one_subnet_in_each_az = compact([
+    for az in data.aws_availability_zones.this.names : lookup(local.subnets_azs, az, "")
+  ])
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
\ No newline at end of file
diff --git a/modules/networking/vpc-endpoints/provider.tf b/modules/networking/vpc-endpoints/provider.tf
index e327cd6..08fffed 100644
--- a/modules/networking/vpc-endpoints/provider.tf
+++ b/modules/networking/vpc-endpoints/provider.tf
@@ -1,6 +1,6 @@
+# requires 1.3.0 for postcondition validation
+# https://learn.hashicorp.com/tutorials/terraform/custom-conditions
 terraform {
-  # requires 1.3.0 for postcondition validation
-  # https://learn.hashicorp.com/tutorials/terraform/custom-conditions
   required_version = "~> 1.3.0"
   required_providers {
     aws = {
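Review bot: `subnets_azs` in the new `locals` block maps `s.availability_zone => s.id` without grouping, so any VPC holding two subnets in the same AZ (a public plus a private subnet, the usual layout) makes Terraform reject the `for` expression with a duplicate-key error before a single endpoint is planned. Group with the ellipsis and take the first entry: `for s in data.aws_subnet.this : s.availability_zone => s.id...` and `for az in data.aws_availability_zones.this.names : try(local.subnets_azs[az][0], "")`. The subnet chosen per AZ is then the first by subnet-id order rather than by any tier, which is fine for endpoint ENIs but deserves a comment such as `# first subnet found per AZ; any subnet in the AZ serves the endpoint ENI`. `data "aws_availability_zones" "this"` is declared after the `locals` that reference it; Terraform does not mind, but placing it next to the other data sources reads better.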
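Review bot: The comment moved above the `terraform` block still reads `# requires 1.3.0 for postcondition validation`, but this patch removes the only `postcondition` (on `data.aws_vpc.this-vpc` in main.tf) and replaces it with a `precondition` on the endpoint resource, so the comment now documents a construct the module no longer uses. `# requires custom conditions (precondition on the VPC endpoint; see main.tf)` would keep the stated reason for the version pin accurate. If I recall correctly, custom conditions predate 1.3, so the `~> 1.3.0` pin (which also excludes every later minor) may be tighter than its stated justification; worth re-checking the changelog before loosening it. The `terraform` block continues outside the hunk.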
diff --git a/modules/networking/vpc-endpoints/variables.tf b/modules/networking/vpc-endpoints/variables.tf
index e74d5e5..a917bcf 100644
--- a/modules/networking/vpc-endpoints/variables.tf
+++ b/modules/networking/vpc-endpoints/variables.tf
@@ -1,12 +1,12 @@
 variable vpc-id {}
 variable interface-ep-services {
-  type = list
+  type = list(string)
+  description = "List of interface endpoint. E.g. dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"
 }
 variable gateway-ep-services {
-  type = list
+  type = list(string)
   default = ["s3","dynamodb"]
   description = "Gateway endpoints are free, so deploy for all supported services by default."
 }
 variable default-tags {}
-variable resource-prefix {}
-variable aws-region {}
\ No newline at end of file
+variable resource-prefix {}
\ No newline at end of file
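Review bot: The new description for `interface-ep-services` gives `dkr` as an example, but main.tf builds `service_name` as `com.amazonaws.<region>.<value>`, so `dkr` produces a service name that does not exist; the README added in this patch lists the ECR endpoint as `ecr.dkr`, and the example should use that, e.g. `description = "List of interface endpoint names. E.g. ecr.dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"`. `vpc-id`, `default-tags` and `resource-prefix` remain bare `{}` declarations while this hunk adds `type` and `description` to the other two; `type = string` (and `map(string)` for `default-tags`) plus a description would make the README's input table enforceable. Dropping `variable aws-region` is a breaking change for callers that still pass `aws-region` to the module, since Terraform rejects unsupported module arguments, and the commit message does not mention it. The README table spells the first input `voc-id` where the variable here is `vpc-id`.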