terraform.aws-baseline-infra/modules/networking/vpc-endpoints
2023-07-12 23:31:48 +08:00
main.tf FIX: corrected vpcep SG, removing default gateway endpoints, updated readme 2023-07-12 23:30:57 +08:00
provider.tf UPD: changes from upstream 2023-07-06 12:02:34 +08:00
README.md DOC: updated readme 2023-07-12 23:31:48 +08:00
variables.tf DOC: updated readme 2023-07-12 23:31:48 +08:00

vpc-endpoints module

This module deploys VPC endpoints.

In addition, this module automatically performs the following tasks:

  • Creates and attaches a security group that allows access from the same VPC
  • Associates the endpoints with one subnet in each availability zone

Inputs

| Variable | Type | Required | Description |
|---|---|---|---|
| vpc-id | string | yes | ID of the VPC to deploy the endpoints into |
| interface-ep-services | list(string) | yes | Interface endpoint service names |
| gateway-ep-services | list(string) | no | Gateway endpoint service names |
| resource-prefix | string | yes | Prefix added to the resource Name tags |

Types of endpoints

Gateway endpoints

At the time of writing, AWS provides 2 gateway endpoints at no charge.

  • s3
  • dynamodb

For gateway endpoints, all route tables in the VPC are updated with routes to the endpoints.

Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html

Interface endpoints

Interface endpoints are placed in one subnet in every AZ. A security group is created automatically that allows access from the VPC's CIDR, plus any additional CIDRs if applicable.
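As an added illustration of the behaviour described in the two sections above (this is not the module's own main.tf), the following Terraform sketches how gateway endpoints get a route in every route table of the VPC and how interface endpoints land in one subnet per AZ behind an HTTPS-only security group. It assumes the README's inputs plus a hypothetical additional-cidrs list(string) variable, and the standard com.amazonaws.<region>.<service> naming, which a few irregular names in the list below (the s3-global and sagemaker ones, for example) do not follow.

```hcl
data "aws_vpc" "this" { id = var.vpc-id }
data "aws_region" "current" {}
data "aws_route_tables" "all" { vpc_id = var.vpc-id } # every route table in the VPC
data "aws_subnets" "all" { # every subnet in the VPC ...
  filter {
    name   = "vpc-id"
    values = [var.vpc-id]
  }
}
data "aws_subnet" "each" { # ... and each subnet's attributes, to learn its AZ
  for_each = toset(data.aws_subnets.all.ids)
  id       = each.value
}
locals {
  # One subnet per AZ: the lowest subnet ID in each AZ, so the choice is stable across plans
  subnet_per_az = {
    for az in distinct([for s in data.aws_subnet.each : s.availability_zone]) :
    az => sort([for s in data.aws_subnet.each : s.id if s.availability_zone == az])[0]
  }
}

# Endpoint SG: HTTPS only, from the VPC CIDR plus the assumed additional-cidrs input
resource "aws_security_group" "vpcep" {
  name   = "${var.resource-prefix}-vpcep"
  vpc_id = var.vpc-id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = concat([data.aws_vpc.this.cidr_block], var.additional-cidrs)
  }
}

# Gateway endpoints: a route to the endpoint is added to every route table in the VPC
resource "aws_vpc_endpoint" "gateway" {
  for_each          = toset(var.gateway-ep-services)
  vpc_id            = var.vpc-id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = data.aws_route_tables.all.ids
}

resource "aws_vpc_endpoint" "interface" { # one ENI per AZ, reachable only via the SG above
  for_each            = toset(var.interface-ep-services)
  vpc_id              = var.vpc-id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = values(local.subnet_per_az)
  security_group_ids  = [aws_security_group.vpcep.id]
  private_dns_enabled = true
}
```

Because the security group has no egress block, Terraform strips the default allow-all egress rule, which is fine here since an endpoint ENI only needs to accept inbound HTTPS.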

At the time of writing, AWS provides 200+ interface endpoints:

  • access-analyzer
  • account
  • execute-api
  • appmesh
  • appmesh-envoy-management
  • apprunner
  • apprunner.requests
  • application-autoscaling
  • mgn
  • appstream.api
  • appstream.streaming
  • appsync-api
  • athena
  • auditmanager
  • rds
  • autoscaling-plans
  • backup
  • backup-gateway
  • batch
  • billingconductor
  • braket
  • cleanrooms
  • cloudcontrolapi
  • cloudcontrolapi-fips
  • clouddirectory
  • cloudformation
  • cloudhsmv2
  • cloudtrail
  • evidently
  • evidently-dataplane
  • monitoring
  • rum
  • rum-dataplane
  • synthetics
  • events
  • logs
  • codeartifact.api
  • codeartifact.repositories
  • codebuild
  • codebuild-fips
  • codecommit
  • codecommit-fips
  • git-codecommit
  • git-codecommit-fips
  • codedeploy
  • codedeploy-commands-secure
  • codeguru-profiler
  • codeguru-reviewer
  • codepipeline
  • codestar-connections.api
  • comprehend
  • comprehendmedical
  • config
  • app-integrations
  • cases
  • connect-campaigns
  • profile
  • voiceid
  • wisdom
  • dataexchange
  • dms
  • dms-fips
  • datasync
  • devops-guru
  • ds
  • ebs
  • ec2
  • autoscaling
  • imagebuilder
  • ecr.api
  • ecr.dkr
  • ecs
  • ecs-agent
  • ecs-telemetry
  • eks
  • elasticbeanstalk
  • elasticbeanstalk-health
  • drs
  • elasticfilesystem
  • elasticfilesystem-fips
  • elastic-inference.runtime
  • elasticloadbalancing
  • elasticache
  • elasticache-fips
  • elasticmapreduce
  • emr-containers
  • emr-serverless
  • fis
  • finspace
  • finspace-api
  • forecast
  • forecastquery
  • forecast-fips
  • forecastquery-fips
  • frauddetector
  • fsx
  • fsx-fips
  • glue
  • databrew
  • grafana
  • grafana-workspace
  • groundstation
  • guardduty-data
  • guardduty-data-fips
  • healthlake
  • identitystore
  • rolesanywhere
  • inspector2
  • iot.data
  • iot.fleethub.api
  • deviceadvisor.iot
  • iotwireless.api
  • lorawan.cups
  • lorawan.lns
  • iotfleetwise
  • greengrass
  • iotroborunner
  • iotsitewise.api
  • iotsitewise.data
  • iottwinmaker.api
  • iottwinmaker.data
  • kendra
  • kendra-ranking
  • kms
  • kms-fips
  • cassandra
  • cassandra-fips
  • kinesis-firehose
  • kinesis-streams
  • lakeformation
  • lambda
  • models-v2-lex
  • runtime-v2-lex
  • license-manager
  • license-manager-fips
  • lookoutequipment
  • lookoutmetrics
  • lookoutvision
  • macie2
  • m2
  • aps
  • aps-workspaces
  • airflow.api
  • airflow.env
  • airflow.ops
  • console
  • signin
  • memory-db
  • memorydb-fips
  • migrationhub-orchestrator
  • refactor-spaces
  • migrationhub-strategy
  • nimble
  • analytics-omics
  • control-storage-omics
  • storage-omics
  • tags-omics
  • workflows-omics
  • service-managed
  • panorama
  • payment-cryptography.controlplane
  • payment-cryptography.dataplane
  • personalize
  • personalize-events
  • personalize-runtime
  • pinpoint
  • pinpoint-sms-voice-v2
  • polly
  • private-networks
  • acm-pca
  • proton
  • qldb.session
  • rds-data
  • redshift
  • redshift-fips
  • redshift-data
  • rekognition
  • rekognition-fips
  • streaming-rekognition
  • streaming-rekognition-fips
  • robomaker
  • s3
  • com.amazonaws.s3-global.accesspoint
  • s3-outposts
  • aws.sagemaker.region.notebook
  • aws.sagemaker.region.studio
  • sagemaker.api
  • sagemaker.featurestore-runtime
  • sagemaker.metrics
  • sagemaker.runtime
  • sagemaker.runtime-fips
  • secretsmanager
  • securityhub
  • sts
  • servicecatalog
  • servicecatalog-appregistry
  • email-smtp
  • simspaceweaver
  • snow-device-management
  • sns
  • sqs
  • swf
  • swf-fips
  • states
  • sync-states
  • storagegateway
  • ec2messages
  • ssm
  • ssm-contacts
  • ssm-incidents
  • ssmmessages
  • tnb
  • textract
  • textract-fips
  • transcribe
  • transcribestreaming
  • transfer
  • transfer.server
  • translate
  • verifiedpermissions
  • vpc-lattice
  • workspaces
  • xray

Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

Example

```hcl
module "vpc-ep" {
  # Deploy the module only when the calling root module opts in
  # (create-free-vpc-endpoints is a variable of the caller, not of this module)
  count  = var.create-free-vpc-endpoints ? 1 : 0
  source = "../vpc-endpoints"

  gateway-ep-services   = ["s3", "dynamodb"] # the two no-charge gateway endpoints
  interface-ep-services = []                 # no interface endpoints in this example
  resource-prefix       = var.resource-prefix
  vpc-id                = aws_vpc.vpc.id
}
```