xpk/terraform.aws-baseline-infra
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

UPD: changes from upstream

Browse Source
This commit is contained in:
xpk 2023-07-06 12:02:34 +08:00
parent e1373f2f62
commit 5dd9a8a9b4
Signed by: xpk
GPG Key ID: CD4FF6793F09AB86
4 changed files with 316 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

258
modules/networking/vpc-endpoints/README.md Normal file
View File

@ -0,0 +1,258 @@
# vpc-endpoints module
This module deploys VPC endpoints.
Automatically, this module performs the following additional tasks
- Create and attach security group which allows access from the same VPC
- Associate endpoints with 1 subnet in each availability zone
# Inputs
| Variable | Type | Required | Description |
|-----------------------|--------------|----------|-------------------------------------------------|
| voc-id | string | yes | ID of VPC to deploy endpoints to |
| interface-ep-services | list(string) | yes | Interface endpoint names |
| gateway-ep-services | list(string) | no | Gateway endpoint names |
| default-tags | map | yes | Tags to add to resources |
| resource-prefix | string | yes | Prefix that will be added to resource name tags |
# Types of endpoints
## Gateway endpoints
At time of writing, AWS provides 2 gateway endpoints at no charge. These endpoints are deployed by default,
unless an empty list `[]` is provided as input.
* s3
* dynamodb
Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
## Interface endpoints
At time of writing, AWS provides 200+ interface endpoints:
* access-analyzer
* account
* execute-api
* appmesh
* appmesh-envoy-management
* apprunner
* apprunner.requests
* application-autoscaling
* mgn
* appstream.api
* appstream.streaming
* appsync-api
* athena
* auditmanager
* rds
* autoscaling-plans
* backup
* backup-gateway
* batch
* billingconductor
* braket
* cleanrooms
* cloudcontrolapi
* cloudcontrolapi-fips
* clouddirectory
* cloudformation
* cloudhsmv2
* cloudtrail
* evidently
* evidently-dataplane
* monitoring
* rum
* rum-dataplane
* synthetics
* events
* logs
* codeartifact.api
* codeartifact.repositories
* codebuild
* codebuild-fips
* codecommit
* codecommit-fips
* git-codecommit
* git-codecommit-fips
* codedeploy
* codedeploy-commands-secure
* codeguru-profiler
* codeguru-reviewer
* codepipeline
* codestar-connections.api
* comprehend
* comprehendmedical
* config
* app-integrations
* cases
* connect-campaigns
* profile
* voiceid
* wisdom
* dataexchange
* dms
* dms-fips
* datasync
* devops-guru
* ds
* ebs
* ec2
* autoscaling
* imagebuilder
* ecr.api
* ecr.dkr
* ecs
* ecs-agent
* ecs-telemetry
* eks
* elasticbeanstalk
* elasticbeanstalk-health
* drs
* elasticfilesystem
* elasticfilesystem-fips
* elastic-inference.runtime
* elasticloadbalancing
* elasticache
* elasticache-fips
* elasticmapreduce
* emr-containers
* emr-serverless
* events
* fis
* finspace
* finspace-api
* forecast
* forecastquery
* forecast-fips
* forecastquery-fips
* frauddetector
* fsx
* fsx-fips
* glue
* databrew
* grafana
* grafana-workspace
* groundstation
* guardduty-data
* guardduty-data-fips
* healthlake
* identitystore
* rolesanywhere
* inspector2
* iot.data
* iot.fleethub.api
* deviceadvisor.iot
* iotwireless.api
* lorawan.cups
* lorawan.lns
* iotfleetwise
* greengrass
* iotroborunner
* iotsitewise.api
* iotsitewise.data
* iottwinmaker.api
* iottwinmaker.data
* kendra
* kendra-ranking
* kms
* kms-fips
* cassandra
* cassandra-fips
* kinesis-firehose
* kinesis-streams
* lakeformation
* lambda
* models-v2-lex
* runtime-v2-lex
* license-manager
* license-manager-fips
* lookoutequipment
* lookoutmetrics
* lookoutvision
* macie2
* m2
* aps
* aps-workspaces
* airflow.api
* airflow.env
* airflow.ops
* console
* signin
* memory-db
* memorydb-fips
* migrationhub-orchestrator
* refactor-spaces
* migrationhub-strategy
* nimble
* analytics-omics
* control-storage-omics
* storage-omics
* tags-omics
* workflows-omics
* service-managed
* panorama
* payment-cryptography.controlplane
* payment-cryptography.dataplane
* personalize
* personalize-events
* personalize-runtime
* pinpoint
* pinpoint-sms-voice-v2
* polly
* private-networks
* acm-pca
* proton
* qldb.session
* rds
* rds-data
* redshift
* redshift-fips
* redshift-data
* rekognition
* rekognition-fips
* streaming-rekognition
* streaming-rekognition-fips
* robomaker
* s3
* com.amazonaws.s3-global.accesspoint
* s3-outposts
* aws.sagemaker.region.notebook
* aws.sagemaker.region.studio
* sagemaker.api
* sagemaker.featurestore-runtime
* sagemaker.metrics
* sagemaker.runtime
* sagemaker.runtime-fips
* secretsmanager
* securityhub
* sts
* servicecatalog
* servicecatalog-appregistry
* email-smtp
* simspaceweaver
* snow-device-management
* sns
* sqs
* swf
* swf-fips
* states
* sync-states
* storagegateway
* ec2messages
* ssm
* ssm-contacts
* ssm-incidents
* ssmmessages
* tnb
* textract
* textract-fips
* transcribe
* transcribestreaming
* transcribe
* transcribestreaming
* transfer
* transfer.server
* translate
* verifiedpermissions
* vpc-lattice
* workspaces
* xray
Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

69
modules/networking/vpc-endpoints/main.tf
View File

@ -1,23 +1,45 @@
data "aws_region" "this" {}
resource "aws_vpc_endpoint" "vpc-interface-ep" { resource "aws_vpc_endpoint" "vpc-interface-ep" {
for_each = toset(var.interface-ep-services) for_each = toset(var.interface-ep-services)
vpc_id = data.aws_vpc.this-vpc.id vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.${var.aws-region}.${each.value}" service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
vpc_endpoint_type = "Interface" vpc_endpoint_type = "Interface"
security_group_ids = [ security_group_ids = [
aws_security_group.generic-ep-sg.id, aws_security_group.vpc-ep-sg.id,
] ]
# deploy to all subnets # deploy to all subnets
subnet_ids = data.aws_subnets.this-subnets.ids subnet_ids = local.one_subnet_in_each_az
private_dns_enabled = true private_dns_enabled = true
tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags) tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
lifecycle {
precondition {
condition = data.aws_vpc.this-vpc.enable_dns_support
error_message = "enableDnsSupport needs to be turned on."
}
}
} }
resource "aws_security_group" "generic-ep-sg" { resource "aws_vpc_endpoint" "vpc-gateway-ep" {
name = "HttpsAccessToVpcEndpoints" for_each = toset(var.gateway-ep-services)
description = "HttpsAccessToVpcEndpoints" vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.${data.aws_region.this.name}.${each.value}"
vpc_endpoint_type = "Gateway"
tags = merge({ "Name" : "${var.resource-prefix}-vpcep-${each.value}" }, var.default-tags)
}
resource random_id rid {
byte_length = 2
}
resource "aws_security_group" "vpc-ep-sg" {
name = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
vpc_id = data.aws_vpc.this-vpc.id vpc_id = data.aws_vpc.this-vpc.id
ingress { ingress {
@ -38,28 +60,33 @@ resource "aws_security_group" "generic-ep-sg" {
tags = merge({ "Name" : "VpcEpAccess" }, var.default-tags) tags = merge({ "Name" : "VpcEpAccess" }, var.default-tags)
} }
resource "aws_vpc_endpoint" "vpc-gateway-ep" {
for_each = toset(var.gateway-ep-services)
vpc_id = data.aws_vpc.this-vpc.id
service_name = "com.amazonaws.${var.aws-region}.${each.value}"
vpc_endpoint_type = "Gateway"
tags = merge({"Name": "${var.resource-prefix}-vpcep-${each.value}"},var.default-tags)
}
data aws_vpc this-vpc { data "aws_vpc" "this-vpc" {
id = var.vpc-id id = var.vpc-id
lifecycle {
postcondition {
condition = self.enable_dns_support == true
error_message = "The selected VPC must have DNS support enabled."
}
}
} }
data aws_subnets this-subnets { data "aws_subnets" "this" {
filter { filter {
name = "vpc-id" name = "vpc-id"
values = [var.vpc-id] values = [var.vpc-id]
} }
} }
data "aws_subnet" "this" {
for_each = toset(data.aws_subnets.this.ids)
id = each.key
}
locals {
subnets_azs = {
for s in data.aws_subnet.this : s.availability_zone => s.id
}
one_subnet_in_each_az = compact([
for az in data.aws_availability_zones.this.names : lookup(local.subnets_azs, az, "")
])
}
data "aws_availability_zones" "this" {
state = "available"
}

2
modules/networking/vpc-endpoints/provider.tf
View File

@ -1,6 +1,6 @@
terraform {
# requires 1.3.0 for postcondition validation # requires 1.3.0 for postcondition validation
# https://learn.hashicorp.com/tutorials/terraform/custom-conditions # https://learn.hashicorp.com/tutorials/terraform/custom-conditions
terraform {
required_version = "~> 1.3.0" required_version = "~> 1.3.0"
required_providers { required_providers {
aws = { aws = {

6
modules/networking/vpc-endpoints/variables.tf
View File

@ -1,12 +1,12 @@
variable vpc-id {} variable vpc-id {}
variable interface-ep-services { variable interface-ep-services {
type = list type = list(string)
description = "List of interface endpoint. E.g. dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"
} }
variable gateway-ep-services { variable gateway-ep-services {
type = list type = list(string)
default = ["s3","dynamodb"] default = ["s3","dynamodb"]
description = "Gateway endpoints are free, so deploy for all supported services by default." description = "Gateway endpoints are free, so deploy for all supported services by default."
} }
variable default-tags {} variable default-tags {}
variable resource-prefix {} variable resource-prefix {}
variable aws-region {}