diff --git a/.circleci/config.yml b/.circleci/config.yml index e8c4b96b0..d0b402ed8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,17 +8,22 @@ terraform: &terraform jobs: validate: <<: *terraform + environment: + AWS_DEFAULT_REGION: us-east-1 steps: - checkout + - run: + name: Install curl + command: apk add --update curl # - run: # name: Add github.com to ~/.ssh/known_hosts # command: mkdir ~/.ssh && ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts - run: name: terraform init - command: terraform init -input=false + command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (cd "$m" && terraform init -input=false -backend=false) || exit 1; done - run: name: Validate Terraform configurations - command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate -check-variables=false "$m" && echo "√ $m") || exit 1 ; done + command: find . -name ".terraform" -prune -o -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (cd "$m" && terraform validate && echo "√ $m") || exit 1 ; done - run: name: Check if Terraform configurations are properly formatted command: if [[ -n "$(terraform fmt -write=false)" ]]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d6a452afd..150a8c859 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.15.0 + rev: v1.17.0 hooks: - id: terraform_fmt - id: terraform_docs diff --git a/CHANGELOG.md b/CHANGELOG.md index 8578537b3..70e3a97d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
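Review bot: The new `Install curl` step runs `apk add --update curl`, yet nothing else in this job uses curl, so every run now pulls an unpinned package from the Alpine index for no visible purpose; if a step outside this hunk needs it, say so in the step name, otherwise drop the step. If it stays, `apk add --no-cache curl` fetches the index without persisting it in the container. The per-module `terraform init -input=false -backend=false` is the right shape for a validate job, since it never touches remote state and so needs no backend credentials, and that intent deserves a comment on the step: `# -backend=false: validation never reads state, so no backend credentials are needed here`. Note the init loop does not `-prune` `.terraform` the way the validate loop does; that is harmless only because `sort -u` drains `find` before any init runs.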
@@ -3,9 +3,31 @@ + +## [v2.9.0] - 2019-07-21 + +- Fixed README after merge +- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303)) + + + +## [v2.8.0] - 2019-07-21 + +- Updated CHANGELOG +- Fixed README after merge +- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302)) +- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301)) +- adding transfer server vpc end point support +- adding codebuild, codecommit and git-codecommit vpc end point support +- adding config vpc end point support +- adding secrets manager vpc end point support +- Updated version of pre-commit-terraform + + ## [v2.7.0] - 2019-06-17 +- Updated CHANGELOG - Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288)) @@ -525,13 +547,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default 
@@ -609,7 +631,9 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.9.0...HEAD +[v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.8.0...v2.9.0 +[v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0 [v1.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...v1.67.0 @@ -684,9 +708,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0 diff --git a/README.md b/README.md index b69e66985..77f3f8054 100644 --- a/README.md +++ b/README.md 
@@ -16,9 +16,8 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, - ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, - CloudTrail + * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, +ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -214,6 +213,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | bool | `"false"` | no | | cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list(string) | `[]` | no | | cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | `"false"` | no | +| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | `[]` | no | +| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | `"false"` | no | +| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | `[]` | no | +| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for config endpoint | string | `"false"` | no | +| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for config endpoint | list | `[]` | no | +| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | bool | `"false"` | no | | create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool | `"false"` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | bool | `"true"` | no | 
@@ -281,6 +289,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | `"false"` | no | | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | `"false"` | no | +| enable\_codebuild\_endpoint | Should be true if you want to provision an Codebuild endpoint to the VPC | string | `"false"` | no | +| enable\_codecommit\_endpoint | Should be true if you want to provision an Codecommit endpoint to the VPC | string | `"false"` | no | +| enable\_config\_endpoint | Should be true if you want to provision an config endpoint to the VPC | string | `"false"` | no | | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | `"false"` | no | | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | bool | `"false"` | no | | enable\_dns\_support | Should be true to enable DNS support in the VPC | bool | `"true"` | no | 
@@ -294,21 +305,29 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no | | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no | | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no | +| enable\_git\_codecommit\_endpoint | Should be true if you want to provision an Git Codecommit endpoint to the VPC | string | `"false"` | no | +| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | bool | `"false"` | no | +| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | bool | `"false"` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no | | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | `"false"` | no | | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | `"false"` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | bool | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | `"false"` | no | +| enable\_secretsmanager\_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC | bool | `"false"` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | bool | `"false"` | no | | 
enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | bool | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | bool | `"false"` | no | +| enable\_transferserver\_endpoint | Should be true if you want to provision a Transer Server endpoint to the VPC | bool | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | `"false"` | no | | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | `"false"` | no | | events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | `[]` | no | | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | `[]` | no | +| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no | +| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no | +| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. 
If omitted, private subnets will be used. | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map(string) | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_acl\_tags | Additional tags for the intra subnets network ACL | map(string) | `{}` | no | 
@@ -319,6 +338,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no | | intra\_subnets | A list of intra subnets | list(string) | `[]` | no | +| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | bool | `"false"` | no | +| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | list(string) | `[]` | no | +| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | bool | `"false"` | no | +| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | list(string) | `[]` | no | +| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | `"false"` | no | | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | `[]` | no | | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | 
@@ -364,6 +389,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no | | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | `[]` | no | +| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no | +| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no | +| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | `"false"` | no | | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no | 
@@ -378,6 +406,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | tags | A map of tags to add to all resources | map(string) | `{}` | no | +| transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | bool | `"false"` | no | +| transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list(string) | `[]` | no | +| transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | | vpn\_gateway\_tags | Additional tags for the VPN gateway | map(string) | `{}` | no | 
@@ -418,6 +449,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | intra\_subnet\_arns | List of ARNs of intra subnets | | intra\_subnets | List of IDs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | +| name | The name of the VPC specified as argument to this module | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw\_ids | List of NAT Gateway IDs | diff --git a/main.tf b/main.tf index 456a6bb0c..e6146968e 100644 --- a/main.tf +++ b/main.tf 
@@ -899,6 +899,90 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { }
+#############################
+# VPC Endpoint for Codebuild
+#############################
+data "aws_vpc_endpoint_service" "codebuild" {
+ count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0
+
+ service = "codebuild"
+}
+
+resource "aws_vpc_endpoint" "codebuild" {
+ count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.codebuild[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.codebuild_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.codebuild_endpoint_private_dns_enabled
+}
+
+###############################
+# VPC Endpoint for Code Commit
+###############################
+data "aws_vpc_endpoint_service" "codecommit" {
+ count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0
+
+ service = "codecommit"
+}
+
+resource "aws_vpc_endpoint" "codecommit" {
+ count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.codecommit[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.codecommit_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.codecommit_endpoint_private_dns_enabled
+}
+
+###################################
+# VPC Endpoint for Git Code Commit
+###################################
+data "aws_vpc_endpoint_service" "git_codecommit" {
+ count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0
+
+ service = "git-codecommit"
+}
+
+resource "aws_vpc_endpoint" "git_codecommit" {
+ count = var.create_vpc && var.enable_git_codecommit_endpoint ? 
1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.git_codecommit[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.git_codecommit_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.git_codecommit_endpoint_private_dns_enabled
+}
+
+##########################
+# VPC Endpoint for Config
+##########################
+data "aws_vpc_endpoint_service" "config" {
+ count = var.create_vpc && var.enable_config_endpoint ? 1 : 0
+
+ service = "config"
+}
+
+resource "aws_vpc_endpoint" "config" {
+ count = var.create_vpc && var.enable_config_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.config[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.config_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.config_endpoint_private_dns_enabled
+}
+
 #######################
 # VPC Endpoint for SQS
 #######################
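Review bot: Each new `aws_vpc_endpoint` here takes `security_group_ids` from a variable whose default is `[]`, and for an `Interface` endpoint AWS then associates the VPC's default security group with the endpoint network interfaces, a group this module neither creates nor manages, so with module defaults the CodeBuild, CodeCommit, git-codecommit and Config endpoints are reachable on whatever that default group happens to allow. This matches the existing endpoints in the module, but it is the kind of fallback a caller should be told about, so the `*_endpoint_security_group_ids` descriptions should end with `If omitted, the VPC's default security group is attached to the endpoint network interfaces.`. The `count` expressions also read `var.enable_*_endpoint` variables that, in this commit's variables.tf, carry no `type = bool`, so a non-boolean value fails only when the expression is evaluated rather than at variable validation.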
@@ -920,6 +1004,27 @@ resource "aws_vpc_endpoint" "sqs" { private_dns_enabled = var.sqs_endpoint_private_dns_enabled }
+###################################
+# VPC Endpoint for Secrets Manager
+###################################
+data "aws_vpc_endpoint_service" "secretsmanager" {
+ count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+
+ service = "secretsmanager"
+}
+
+resource "aws_vpc_endpoint" "secretsmanager" {
+ count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.secretsmanager[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.secretsmanager_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled
+}
+
 #######################
 # VPC Endpoint for SSM
 #######################
@@ -1004,6 +1109,27 @@ resource "aws_vpc_endpoint" "ec2messages" { private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled }
+###################################
+# VPC Endpoint for Transfer Server
+###################################
+data "aws_vpc_endpoint_service" "transferserver" {
+ count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0
+
+ service = "transfer.server"
+}
+
+resource "aws_vpc_endpoint" "transferserver" {
+ count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.transferserver[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.transferserver_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.transferserver_endpoint_private_dns_enabled
+}
+
 ###########################
 # VPC Endpoint for ECR API
 ###########################
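Review bot: The Secrets Manager endpoint is created without a `policy` argument, so as far as I can tell it receives AWS's default endpoint policy, which lets any principal call any Secrets Manager API on any secret through the endpoint; since this endpoint is the path workloads in the private subnets will use to fetch secrets, it is the one place an operator is most likely to want a scoped policy (for example, secrets in this account only) and the module gives them no way to set one. None of the endpoint variables visible in the README hunks expose a policy for the existing endpoints either, so this is a module-wide gap rather than a defect introduced here, but Secrets Manager is where it bites hardest. A `secretsmanager_endpoint_policy` variable with `type = string`, `default = null`, passed as `policy = var.secretsmanager_endpoint_policy`, would add the control without changing current behaviour.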
@@ -1286,6 +1412,50 @@ resource "aws_vpc_endpoint" "cloudtrail" { }
+#######################
+# VPC Endpoint for Kinesis Streams
+#######################
+data "aws_vpc_endpoint_service" "kinesis_streams" {
+ count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0
+
+ service = "kinesis-streams"
+}
+
+resource "aws_vpc_endpoint" "kinesis_streams" {
+ count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.kinesis_streams[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.kinesis_streams_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.kinesis_streams_endpoint_private_dns_enabled
+}
+
+
 #######################
+# VPC Endpoint for Kinesis Firehose
+#######################
+data "aws_vpc_endpoint_service" "kinesis_firehose" {
+ count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0
+
+ service = "kinesis-firehose"
+}
+
+resource "aws_vpc_endpoint" "kinesis_firehose" {
+ count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.kinesis_firehose[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.kinesis_firehose_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.kinesis_firehose_endpoint_private_dns_enabled
+}
+
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index 71164fcd6..1f43e8151 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -624,3 +624,7 @@ output "azs" { value = var.azs }
+output "name" {
+ description = "The name of the VPC specified as argument to this module"
+ value = var.name
+}
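Review bot: `subnet_ids = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)` (and the Firehose twin) silently falls back to the module's private subnets, and when that list is also empty `coalescelist` raises an error that names neither the endpoint nor the cause, so enabling either endpoint on a VPC built without private subnets fails at plan with an unhelpful message; this is the established pattern in the file, but the fallback deserves a comment at the call site: `# defaults to the module's private subnets; errors if none exist and no subnet_ids were given`. The two banner comments `#######################` are narrower than their titles, unlike every other section header in the file, and should be widened to the title length. The Firehose section's leading bar also appears without the `+` marker in this diff, which looks like a transcription artefact rather than a real context line.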
diff --git a/variables.tf b/variables.tf
index e063fe2cb..e83983643 100644
--- a/variables.tf
+++ b/variables.tf
@@ -218,6 +218,86 @@ variable "enable_s3_endpoint" { default = false }
+variable "enable_codebuild_endpoint" {
+ description = "Should be true if you want to provision an Codebuild endpoint to the VPC"
+ default = false
+}
+
+variable "codebuild_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Codebuild endpoint"
+ default = []
+}
+
+variable "codebuild_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "codebuild_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint"
+ default = false
+}
+
+variable "enable_codecommit_endpoint" {
+ description = "Should be true if you want to provision an Codecommit endpoint to the VPC"
+ default = false
+}
+
+variable "codecommit_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Codecommit endpoint"
+ default = []
+}
+
+variable "codecommit_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "codecommit_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint"
+ default = false
+}
+
+variable "enable_git_codecommit_endpoint" {
+ description = "Should be true if you want to provision an Git Codecommit endpoint to the VPC"
+ default = false
+}
+
+variable "git_codecommit_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint"
+ default = []
+}
+
+variable "git_codecommit_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "git_codecommit_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint"
+ default = false
+}
+
+variable "enable_config_endpoint" {
+ description = "Should be true if you want to provision an config endpoint to the VPC"
+ default = false
+}
+
+variable "config_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for config endpoint"
+ default = []
+}
+
+variable "config_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "config_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for config endpoint"
+ default = false
+}
+
 variable "enable_sqs_endpoint" { description = "Should be true if you want to provision an SQS endpoint to the VPC" default = false
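Review bot: The sixteen CodeBuild, CodeCommit, git-codecommit and Config variables in this hunk declare no `type`, while the Secrets Manager, Transfer Server and Kinesis variables added in the same commit all carry `type = bool` or `type = list(string)`; the omission is visible in the README table, where these render as `string` and `list` next to their `bool`/`list(string)` siblings, and it means a mistyped value like `"ture"` or a list of numbers is only rejected when the expression using it is evaluated, rather than at variable validation. Add `type = bool` to each `enable_*_endpoint` and `*_endpoint_private_dns_enabled` variable and `type = list(string)` to each `*_endpoint_security_group_ids` and `*_endpoint_subnet_ids` variable. The descriptions also carry copy typos that propagate into the README: `Codebuilt` should be `Codebuild`, and `an Codebuild`, `an Codecommit`, `an Git Codecommit` and `an config` should read `a CodeBuild`, `a CodeCommit`, `a Git CodeCommit` and `a Config`.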
@@ -262,8 +342,26 @@ variable "ssm_endpoint_private_dns_enabled" { default = false }
-variable "enable_ssmmessages_endpoint" {
- description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
+variable "enable_secretsmanager_endpoint" {
+ description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "secretsmanager_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "secretsmanager_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "secretsmanager_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint"
 type = bool default = false }
@@ -292,6 +390,12 @@ variable "apigw_endpoint_subnet_ids" { default = [] }
+variable "enable_ssmmessages_endpoint" {
+ description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
+ type = bool
+ default = false
+}
+
 variable "ssmmessages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" type = list(string)
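Review bot: The Secrets Manager block is spliced in on top of the old `enable_ssmmessages_endpoint` declaration, reusing its trailing `type = bool` / `default = false` lines, and the SSM Messages variable is re-added thirty lines lower in the next hunk; the result is correct but the diff reads as a rename of `enable_ssmmessages_endpoint`, which will confuse anyone bisecting later, and putting the new block after the existing one would have produced a pure addition. The description `an Secrets Manager endpoint` should read `a Secrets Manager endpoint`, since it is copied verbatim into the README.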
@@ -310,6 +414,31 @@ variable "ssmmessages_endpoint_private_dns_enabled" { default = false }
+variable "enable_transferserver_endpoint" {
+ description = "Should be true if you want to provision a Transer Server endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "transferserver_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Transfer Server endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "transferserver_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "transferserver_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint"
+ type = bool
+ default = false
+}
+
+
 variable "enable_ec2_endpoint" { description = "Should be true if you want to provision an EC2 endpoint to the VPC" type = bool
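Review bot: The description of `enable_transferserver_endpoint` misspells the service as `Transer Server`, and because terraform-docs copies descriptions into the README the typo already appears in the README hunk of this same commit; change it to `description = "Should be true if you want to provision a Transfer Server endpoint to the VPC"`. The block also ends with two blank lines before `variable "enable_ec2_endpoint"`, where the rest of the file uses one.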
@@ -646,6 +775,54 @@ variable "cloudtrail_endpoint_private_dns_enabled" { default = false }
+variable "enable_kinesis_streams_endpoint" {
+ description = "Should be true if you want to provision a Kinesis Streams endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "kinesis_streams_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_streams_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_streams_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_kinesis_firehose_endpoint" {
+ description = "Should be true if you want to provision a Kinesis Firehose endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "kinesis_firehose_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint"
+ type = bool
+ default = false
+}
+
 variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" type = bool