# vpc-endpoints module

This module deploys VPC endpoints.

In addition, the module automatically performs the following tasks:

- Creates and attaches a security group that allows access from the same VPC
- Associates the endpoints with 1 subnet in each availability zone
## Inputs

| Variable | Type | Required | Description |
|---|---|---|---|
| vpc-id | string | yes | ID of the VPC to deploy endpoints to |
| interface-ep-services | list(string) | yes | Interface endpoint names |
| gateway-ep-services | list(string) | no | Gateway endpoint names |
| resource-prefix | string | yes | Prefix that will be added to resource name tags |
## Types of endpoints

### Gateway endpoints

At the time of writing, AWS provides 2 gateway endpoints at no charge:

- s3
- dynamodb

For gateway endpoints, every route table in the VPC is updated with a route to the endpoint, so traffic to these services stays on the private link instead of leaving through an internet or NAT gateway.

Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
### Interface endpoints

Interface endpoints are placed in one subnet per AZ. A security group is created automatically; it allows access from the VPC's CIDR, plus any additional CIDRs if applicable.
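The behaviour described above (gateway endpoints attached to every route table, interface endpoints in one subnet per AZ behind a security group scoped to the VPC's CIDRs), as an added illustrative Terraform implementation; this is not the module's own code. It assumes the README's input variables, an already-configured AWS provider, and the short service names used in the lists on this page; resource name tags are omitted.

```hcl
# Added illustrative implementation, not the module's own code. Assumes the README's
# inputs (vpc-id, interface-ep-services, gateway-ep-services) and short service names.
data "aws_region" "current" {}
data "aws_vpc" "this" { id = var.vpc-id }
data "aws_route_tables" "all" { vpc_id = var.vpc-id }
data "aws_subnets" "all" {
  filter {
    name   = "vpc-id"
    values = [var.vpc-id]
  }
}
data "aws_subnet" "each" {
  for_each = toset(data.aws_subnets.all.ids)
  id       = each.value
}
locals {
  # Interface endpoints accept at most one subnet per AZ, so pick the first (sorted) subnet in each.
  subnet_by_az = { for az in distinct([for s in data.aws_subnet.each : s.availability_zone]) : az => sort([for s in data.aws_subnet.each : s.id if s.availability_zone == az])[0] }
  # Primary plus any additional (secondary) VPC CIDRs: the only sources allowed to reach the endpoints.
  vpc_cidrs = distinct(concat([data.aws_vpc.this.cidr_block], data.aws_vpc.this.cidr_block_associations[*].cidr_block))
}
# HTTPS only, and only from inside the VPC; no egress rule is needed for endpoint ENIs.
resource "aws_security_group" "endpoints" {
  name   = "${var.resource-prefix}-vpc-endpoints"
  vpc_id = var.vpc-id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = local.vpc_cidrs
  }
}
# Gateway endpoints (s3, dynamodb) get a route in every route table of the VPC.
resource "aws_vpc_endpoint" "gateway" {
  for_each          = toset(var.gateway-ep-services)
  vpc_id            = var.vpc-id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = data.aws_route_tables.all.ids
}
# Interface endpoints: one ENI per AZ, reachable only through the security group above.
resource "aws_vpc_endpoint" "interface" {
  for_each            = toset(var.interface-ep-services)
  vpc_id              = var.vpc-id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = values(local.subnet_by_az)
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}
```

`private_dns_enabled` only takes effect when the VPC has DNS support and DNS hostnames enabled; without it, SDKs keep resolving the public service hostname and traffic bypasses the endpoint.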
At the time of writing, AWS provides 200+ interface endpoints:
- access-analyzer
- account
- execute-api
- appmesh
- appmesh-envoy-management
- apprunner
- apprunner.requests
- application-autoscaling
- mgn
- appstream.api
- appstream.streaming
- appsync-api
- athena
- auditmanager
- rds
- autoscaling-plans
- backup
- backup-gateway
- batch
- billingconductor
- braket
- cleanrooms
- cloudcontrolapi
- cloudcontrolapi-fips
- clouddirectory
- cloudformation
- cloudhsmv2
- cloudtrail
- evidently
- evidently-dataplane
- monitoring
- rum
- rum-dataplane
- synthetics
- events
- logs
- codeartifact.api
- codeartifact.repositories
- codebuild
- codebuild-fips
- codecommit
- codecommit-fips
- git-codecommit
- git-codecommit-fips
- codedeploy
- codedeploy-commands-secure
- codeguru-profiler
- codeguru-reviewer
- codepipeline
- codestar-connections.api
- comprehend
- comprehendmedical
- config
- app-integrations
- cases
- connect-campaigns
- profile
- voiceid
- wisdom
- dataexchange
- dms
- dms-fips
- datasync
- devops-guru
- ds
- ebs
- ec2
- autoscaling
- imagebuilder
- ecr.api
- ecr.dkr
- ecs
- ecs-agent
- ecs-telemetry
- eks
- elasticbeanstalk
- elasticbeanstalk-health
- drs
- elasticfilesystem
- elasticfilesystem-fips
- elastic-inference.runtime
- elasticloadbalancing
- elasticache
- elasticache-fips
- elasticmapreduce
- emr-containers
- emr-serverless
- events
- fis
- finspace
- finspace-api
- forecast
- forecastquery
- forecast-fips
- forecastquery-fips
- frauddetector
- fsx
- fsx-fips
- glue
- databrew
- grafana
- grafana-workspace
- groundstation
- guardduty-data
- guardduty-data-fips
- healthlake
- identitystore
- rolesanywhere
- inspector2
- iot.data
- iot.fleethub.api
- deviceadvisor.iot
- iotwireless.api
- lorawan.cups
- lorawan.lns
- iotfleetwise
- greengrass
- iotroborunner
- iotsitewise.api
- iotsitewise.data
- iottwinmaker.api
- iottwinmaker.data
- kendra
- kendra-ranking
- kms
- kms-fips
- cassandra
- cassandra-fips
- kinesis-firehose
- kinesis-streams
- lakeformation
- lambda
- models-v2-lex
- runtime-v2-lex
- license-manager
- license-manager-fips
- lookoutequipment
- lookoutmetrics
- lookoutvision
- macie2
- m2
- aps
- aps-workspaces
- airflow.api
- airflow.env
- airflow.ops
- console
- signin
- memory-db
- memorydb-fips
- migrationhub-orchestrator
- refactor-spaces
- migrationhub-strategy
- nimble
- analytics-omics
- control-storage-omics
- storage-omics
- tags-omics
- workflows-omics
- service-managed
- panorama
- payment-cryptography.controlplane
- payment-cryptography.dataplane
- personalize
- personalize-events
- personalize-runtime
- pinpoint
- pinpoint-sms-voice-v2
- polly
- private-networks
- acm-pca
- proton
- qldb.session
- rds
- rds-data
- redshift
- redshift-fips
- redshift-data
- rekognition
- rekognition-fips
- streaming-rekognition
- streaming-rekognition-fips
- robomaker
- s3
- com.amazonaws.s3-global.accesspoint
- s3-outposts
- aws.sagemaker.region.notebook
- aws.sagemaker.region.studio
- sagemaker.api
- sagemaker.featurestore-runtime
- sagemaker.metrics
- sagemaker.runtime
- sagemaker.runtime-fips
- secretsmanager
- securityhub
- sts
- servicecatalog
- servicecatalog-appregistry
- email-smtp
- simspaceweaver
- snow-device-management
- sns
- sqs
- swf
- swf-fips
- states
- sync-states
- storagegateway
- ec2messages
- ssm
- ssm-contacts
- ssm-incidents
- ssmmessages
- tnb
- textract
- textract-fips
- transcribe
- transcribestreaming
- transfer
- transfer.server
- translate
- verifiedpermissions
- vpc-lattice
- workspaces
- xray
Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
## Example

```hcl
module "vpc-ep" {
  count                 = var.create-free-vpc-endpoints ? 1 : 0
  source                = "../vpc-endpoints"
  gateway-ep-services   = ["s3", "dynamodb"]
  interface-ep-services = []
  resource-prefix       = var.resource-prefix
  vpc-id                = aws_vpc.vpc.id
}
```