From 0f3d57ff23cfbfd6b02fe87c0f832b34d4c573d0 Mon Sep 17 00:00:00 2001 From: Christian Kemper Date: Mon, 15 Jul 2019 21:17:20 +0100 Subject: [PATCH 01/10] adding secrets manager vpc end point support --- CHANGELOG.md | 4 ++-- README.md | 5 ++++- main.tf | 21 +++++++++++++++++++++ variables.tf | 24 ++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8578537b3..a13e7eea7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## [Unreleased] - - +- Updated CHANGELOG +- Added VPC endpoint for Secrets Manager, ## [v2.7.0] - 2019-06-17 diff --git a/README.md b/README.md index b69e66985..319320709 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ These types of resources are supported: * Gateway: S3, DynamoDB * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, - CloudTrail + CloudTrail, Secrets Manager * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -374,6 +374,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no | +| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no | +| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | diff --git a/main.tf b/main.tf index 456a6bb0c..bfb657717 100644 --- a/main.tf +++ b/main.tf 
@@ -920,6 +920,27 @@ resource "aws_vpc_endpoint" "sqs" { private_dns_enabled = var.sqs_endpoint_private_dns_enabled } +################################### +# VPC Endpoint for Secrets Manager +################################### +data "aws_vpc_endpoint_service" "secretsmanager" { + count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0 + + service = "secretsmanager" +} + +resource "aws_vpc_endpoint" "secretsmanager" { + count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.secretsmanager[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.secretsmanager_endpoint_security_group_ids + subnet_ids = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled +} + ####################### # VPC Endpoint for SSM ####################### diff --git a/variables.tf b/variables.tf index e063fe2cb..64bc34167 100644 --- a/variables.tf +++ b/variables.tf 
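Review bot: The new `aws_vpc_endpoint.secretsmanager` resource sets no `policy`, so the endpoint gets the default endpoint policy AWS attaches when none is given, which allows full access through it; for Secrets Manager an endpoint policy is the usual control for scoping which principals and secrets are reachable via the endpoint, so exposing the argument (e.g. `policy = var.secretsmanager_endpoint_policy` backed by an optional, null-defaulted variable) would be worth adding. This matches the pre-existing endpoints in the file rather than regressing them, so it can be a follow-up. The same omission is in the Config, CodeBuild/CodeCommit/Git-CodeCommit, Transfer Server and Kinesis main.tf hunks later in the series.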
@@ -262,6 +262,30 @@ variable "ssm_endpoint_private_dns_enabled" { default = false } +variable "enable_secretsmanager_endpoint" { + description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC" + type = bool + default = false +} + +variable "secretsmanager_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint" + type = list(string) + default = [] +} + +variable "secretsmanager_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "secretsmanager_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint" + type = bool + default = false +} + variable "enable_ssmmessages_endpoint" { description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" type = bool From 7c4ddd64865f9092eb3269918451720650fb55ab Mon Sep 17 00:00:00 2001 From: Christian Kemper Date: Mon, 15 Jul 2019 21:33:02 +0100 Subject: [PATCH 02/10] adding config vpc end point support --- CHANGELOG.md | 2 +- README.md | 3 +++ main.tf | 21 +++++++++++++++++++++ variables.tf | 20 ++++++++++++++++++++ 4 files changed, 45 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a13e7eea7..4c8c8c9a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## [Unreleased] - Updated CHANGELOG -- Added VPC endpoint for Secrets Manager, +- Added VPC endpoint for Secrets Manager, Config ## [v2.7.0] - 2019-06-17 diff --git a/README.md b/README.md index 319320709..d8e8c4626 100644 --- a/README.md +++ b/README.md 
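Review bot: `secretsmanager_endpoint_security_group_ids` defaults to `[]`, but unlike `secretsmanager_endpoint_subnet_ids` its description does not say what happens when it is omitted; an interface endpoint created without security groups is associated with the VPC's default security group, which this module does not manage, so the operator should be told. Suggested description: `"The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint. If omitted, the VPC default security group is used."`. The description of `enable_secretsmanager_endpoint` also reads `an Secrets Manager` and should be `a Secrets Manager`. The same documentation gap applies to the security-group variables in the Config, CodeBuild/CodeCommit/Git-CodeCommit, Transfer Server and Kinesis variables.tf hunks that follow.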
@@ -368,6 +368,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no | | sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | string | `"false"` | no | +| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | list | `[]` | no | +| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no | | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no | | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | diff --git a/main.tf b/main.tf index bfb657717..d29db3b18 100644 --- a/main.tf +++ b/main.tf 
@@ -899,6 +899,27 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { } +########################## +# VPC Endpoint for Config +########################## +data "aws_vpc_endpoint_service" "config" { + count = var.create_vpc && var.enable_config_endpoint ? 1 : 0 + + service = "config" +} + +resource "aws_vpc_endpoint" "config" { + count = var.create_vpc && var.enable_config_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.config[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.config_endpoint_security_group_ids + subnet_ids = coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.config_endpoint_private_dns_enabled +} + ####################### # VPC Endpoint for SQS ####################### diff --git a/variables.tf b/variables.tf index 64bc34167..3913180a1 100644 --- a/variables.tf +++ b/variables.tf @@ -218,6 +218,26 @@ variable "enable_s3_endpoint" { default = false } +variable "enable_config_endpoint" { + description = "Should be true if you want to provision an config endpoint to the VPC" + default = false +} + +variable "config_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for config endpoint" + default = [] +} + +variable "config_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "config_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for config endpoint" + default = false +} + variable "enable_sqs_endpoint" { description = "Should be true if you want to provision an SQS endpoint to the VPC" default = false From 98bc929d6fd33e7d772ea643d60ce1005b5cb25d Mon Sep 17 00:00:00 2001 
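Review bot: The four `config_*` variables in the variables.tf hunk declare no `type`, whereas the Secrets Manager variables added in PATCH 01 declare `type = bool` and `type = list(string)`, so the same kind of setting is validated for one endpoint and not the other, and the README hunk consequently documents them as `string`/`list`. Add `type = bool` to `enable_config_endpoint` and `config_endpoint_private_dns_enabled`, and `type = list(string)` to `config_endpoint_security_group_ids` and `config_endpoint_subnet_ids`. The same applies to the CodeBuild, CodeCommit and Git-CodeCommit variables in PATCH 03. `an config endpoint` in the description should read `a Config endpoint`.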
From: Christian Kemper Date: Mon, 15 Jul 2019 22:02:40 +0100 Subject: [PATCH 03/10] adding codebuild, codecommit and git-codecommit vpc end point support --- CHANGELOG.md | 2 +- README.md | 9 ++++++++ main.tf | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 60 +++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 133 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4c8c8c9a5..7604946f3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## [Unreleased] - Updated CHANGELOG -- Added VPC endpoint for Secrets Manager, Config +- Added VPC endpoint for Secrets Manager, Config, git-codecommit ## [v2.7.0] - 2019-06-17 diff --git a/README.md b/README.md index d8e8c4626..e290847b4 100644 --- a/README.md +++ b/README.md 
@@ -368,6 +368,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no | | sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | `"false"` | no | +| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | `[]` | no | +| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | `"false"` | no | +| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | `[]` | no | +| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no | +| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no | +| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | string | `"false"` | no | | config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | list | `[]` | no | | config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | diff --git a/main.tf b/main.tf index d29db3b18..2f58bd78e 100644 --- a/main.tf +++ b/main.tf 
@@ -899,6 +899,69 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { } +############################# +# VPC Endpoint for Codebuild +############################# +data "aws_vpc_endpoint_service" "codebuild" { + count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0 + + service = "codebuild" +} + +resource "aws_vpc_endpoint" "codebuild" { + count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.codebuild[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.codebuild_endpoint_security_group_ids + subnet_ids = coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.codebuild_endpoint_private_dns_enabled +} + +############################### +# VPC Endpoint for Code Commit +############################### +data "aws_vpc_endpoint_service" "codecommit" { + count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0 + + service = "codecommit" +} + +resource "aws_vpc_endpoint" "codecommit" { + count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.codecommit[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.codecommit_endpoint_security_group_ids + subnet_ids = coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.codecommit_endpoint_private_dns_enabled +} + +################################### +# VPC Endpoint for Git Code Commit +################################### +data "aws_vpc_endpoint_service" "git_codecommit" { + count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0 + + service = "git-codecommit" +} + +resource "aws_vpc_endpoint" "git_codecommit" { + count = var.create_vpc && var.enable_git_codecommit_endpoint ? 
1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.git_codecommit[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.git_codecommit_endpoint_security_group_ids + subnet_ids = coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.git_codecommit_endpoint_private_dns_enabled +} + ########################## # VPC Endpoint for Config ########################## diff --git a/variables.tf b/variables.tf index 3913180a1..2d5962b15 100644 --- a/variables.tf +++ b/variables.tf 
@@ -218,6 +218,66 @@ variable "enable_s3_endpoint" { default = false } +variable "enable_codebuild_endpoint" { + description = "Should be true if you want to provision an Codebuild endpoint to the VPC" + default = false +} + +variable "codebuild_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Codebuild endpoint" + default = [] +} + +variable "codebuild_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "codebuild_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint" + default = false +} + +variable "enable_codecommit_endpoint" { + description = "Should be true if you want to provision an Codecommit endpoint to the VPC" + default = false +} + +variable "codecommit_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Codecommit endpoint" + default = [] +} + +variable "codecommit_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = [] +} + +variable "codecommit_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint" + default = false +} + +variable "enable_git_codecommit_endpoint" { + description = "Should be true if you want to provision an Git Codecommit endpoint to the VPC" + default = false +} + +variable "git_codecommit_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint" + default = [] +} + +variable "git_codecommit_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + default = [] +} + +variable "git_codecommit_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint" + default = false +} + variable "enable_config_endpoint" { description = "Should be true if you want to provision an config endpoint to the VPC" default = false From 4e31800241e91fef16e70dca36b574ef79a4bead Mon Sep 17 00:00:00 2001 From: Christian Kemper Date: Mon, 15 Jul 2019 22:23:46 +0100 Subject: [PATCH 04/10] adding transfer server vpc end point support --- CHANGELOG.md | 4 ++-- README.md | 5 ++++- main.tf | 21 +++++++++++++++++++++ variables.tf | 37 +++++++++++++++++++++++++++++++------ 4 files changed, 58 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7604946f3..8578537b3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ ## [Unreleased] -- Updated CHANGELOG -- Added VPC endpoint for Secrets Manager, Config, git-codecommit + + ## [v2.7.0] - 2019-06-17 diff --git a/README.md b/README.md index e290847b4..1b1e180e0 100644 --- a/README.md +++ b/README.md 
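Review bot: The description of `codebuild_endpoint_subnet_ids` misspells the service as `Codebuilt`; it should read `"The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."`. The `enable_*` descriptions in this hunk also use `an Codebuild`, `an Codecommit` and `an Git Codecommit`, which should be `a ...` since these strings are copied verbatim into the README table.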
@@ -18,7 +18,7 @@ These types of resources are supported: * Gateway: S3, DynamoDB * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, - CloudTrail, Secrets Manager + CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -392,6 +392,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | bool | `"false"` | no | +| transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list(string) | `[]` | no | +| transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | tags | A map of tags to add to all resources | map(string) | `{}` | no | | vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | diff --git a/main.tf b/main.tf index 2f58bd78e..8afca2622 100644 --- a/main.tf +++ b/main.tf 
@@ -1109,6 +1109,27 @@ resource "aws_vpc_endpoint" "ec2messages" { private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled } +################################### +# VPC Endpoint for Transfer Server +################################### +data "aws_vpc_endpoint_service" "transferserver" { + count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0 + + service = "transfer.server" +} + +resource "aws_vpc_endpoint" "transferserver" { + count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.transferserver[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.transferserver_endpoint_security_group_ids + subnet_ids = coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.transferserver_endpoint_private_dns_enabled +} + ########################### # VPC Endpoint for ECR API ########################### diff --git a/variables.tf b/variables.tf index 2d5962b15..01665c55f 100644 --- a/variables.tf +++ b/variables.tf @@ -366,12 +366,6 @@ variable "secretsmanager_endpoint_private_dns_enabled" { default = false } -variable "enable_ssmmessages_endpoint" { - description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" - type = bool - default = false -} - variable "enable_apigw_endpoint" { description = "Should be true if you want to provision an api gateway endpoint to the VPC" type = bool @@ -396,6 +390,12 @@ variable "apigw_endpoint_subnet_ids" { default = [] } +variable "enable_ssmmessages_endpoint" { + description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" + type = bool + default = false +} + variable "ssmmessages_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" type = list(string) 
@@ -414,6 +414,31 @@ variable "ssmmessages_endpoint_private_dns_enabled" { default = false } +variable "enable_transferserver_endpoint" { + description = "Should be true if you want to provision a Transer Server endpoint to the VPC" + type = bool + default = false +} + +variable "transferserver_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Transfer Server endpoint" + type = list(string) + default = [] +} + +variable "transferserver_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "transferserver_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint" + type = bool + default = false +} + + variable "enable_ec2_endpoint" { description = "Should be true if you want to provision an EC2 endpoint to the VPC" type = bool From 16d5f0e9182a47a547f0be3dab204a318133abe6 Mon Sep 17 00:00:00 2001 From: Edward Viaene Date: Sun, 21 Jul 2019 15:26:15 +0200 Subject: [PATCH 05/10] Added Kinesis streams and firehose VPC endpoints (#301) --- README.md | 8 ++++++++ main.tf | 44 ++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) diff --git a/README.md b/README.md index b69e66985..b9dd5d666 100644 --- a/README.md +++ b/README.md 
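Review bot: The description of `enable_transferserver_endpoint` misspells the service as `Transer Server`; it should read `"Should be true if you want to provision a Transfer Server endpoint to the VPC"`. The hunk also appears to leave two consecutive blank lines between `transferserver_endpoint_private_dns_enabled` and the existing `enable_ec2_endpoint` block, where the rest of the file uses one. Separately, this patch's CHANGELOG hunk removes the two Unreleased entries added by PATCH 01–03 instead of extending them, which looks like a merge accident rather than an intended change.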
@@ -294,6 +294,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no | | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no | | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no | +| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | bool | `"false"` | no | +| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | bool | `"false"` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no | | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | bool | `"false"` | no | | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no | 
@@ -319,6 +321,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map(string) | `{}` | no | | intra\_subnets | A list of intra subnets | list(string) | `[]` | no | +| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | bool | `"false"` | no | +| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | list(string) | `[]` | no | +| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | bool | `"false"` | no | +| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | list(string) | `[]` | no | +| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | bool | `"false"` | no | | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list(string) | `[]` | no | | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | diff --git a/main.tf b/main.tf index 456a6bb0c..50bf881ad 100644 --- a/main.tf +++ b/main.tf 
@@ -1286,6 +1286,50 @@ resource "aws_vpc_endpoint" "cloudtrail" { } +####################### +# VPC Endpoint for Kinesis Streams +####################### +data "aws_vpc_endpoint_service" "kinesis_streams" { + count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0 + + service = "kinesis-streams" +} + +resource "aws_vpc_endpoint" "kinesis_streams" { + count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.kinesis_streams[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.kinesis_streams_endpoint_security_group_ids + subnet_ids = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.kinesis_streams_endpoint_private_dns_enabled +} + + +####################### +# VPC Endpoint for Kinesis Firehose +####################### +data "aws_vpc_endpoint_service" "kinesis_firehose" { + count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0 + + service = "kinesis-firehose" +} + +resource "aws_vpc_endpoint" "kinesis_firehose" { + count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.kinesis_firehose[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.kinesis_firehose_endpoint_security_group_ids + subnet_ids = coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.kinesis_firehose_endpoint_private_dns_enabled +} + + ########################## # Route table association ########################## diff --git a/variables.tf b/variables.tf index e063fe2cb..b4a764166 100644 --- a/variables.tf +++ b/variables.tf 
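Review bot: The two banner comments in this hunk are 23 characters wide (`#######################`) while their titles `# VPC Endpoint for Kinesis Streams` and `# VPC Endpoint for Kinesis Firehose` are longer, breaking the convention the file's other banners follow of sizing the rule to the title (compare the Secrets Manager and Config sections added earlier in this series). The hunk also appears to insert two blank lines before each banner and before `# Route table association`, where the surrounding sections use one. Neither is corrected by `terraform fmt`, so they need a manual touch-up.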
@@ -646,6 +646,54 @@ variable "cloudtrail_endpoint_private_dns_enabled" {
 default = false
 }
+variable "enable_kinesis_streams_endpoint" {
+ description = "Should be true if you want to provision a Kinesis Streams endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "kinesis_streams_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_streams_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_streams_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint"
+ type = bool
+ default = false
+}
+
+variable "enable_kinesis_firehose_endpoint" {
+ description = "Should be true if you want to provision a Kinesis Firehose endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "kinesis_firehose_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint"
+ type = bool
+ default = false
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 type = bool
From f913987c5af744101b2467943bf0b362e7a30f47 Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Sun, 21 Jul 2019 16:33:12 +0300
Subject: [PATCH 06/10] Fixed README after merge
---
 .pre-commit-config.yaml | 2 +-
 README.md | 43 +++++++++++++++++++++++------------------
 2 files changed, 25 insertions(+), 20 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d6a452afd..150a8c859 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.15.0
+ rev: v1.17.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
diff --git a/README.md b/README.md
index eb6693715..7d395e236 100644
--- a/README.md
+++ b/README.md
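Review bot: The descriptions of `kinesis_streams_endpoint_security_group_ids` and `kinesis_firehose_endpoint_security_group_ids` do not say what the empty-list default means in practice: an interface endpoint created without security groups gets the VPC's default security group attached, which is seldom the intended exposure for a data-plane endpoint. Suggest extending each description along the lines of `"... for Kinesis Streams endpoint. If omitted, the VPC default security group is attached; a dedicated group allowing only TCP/443 from the consuming subnets is recommended."`. Likewise, the `_private_dns_enabled` descriptions could state that leaving it false means clients will not use the endpoint unless they override the service endpoint URL, since that is the difference between traffic staying inside the VPC and leaving via NAT. A companion `kinesis_streams_endpoint_policy` / `kinesis_firehose_endpoint_policy` variable of type `string` with default `null` would let callers supply a restrictive endpoint policy; without one the module always creates the endpoint with AWS's permissive default.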
@@ -16,9 +16,8 @@ These types of resources are supported: * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB - * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, - ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, - CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server + * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, +ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) 
@@ -214,6 +213,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | bool | `"false"` | no | | cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list(string) | `[]` | no | | cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | `"false"` | no | +| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | `[]` | no | +| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | +| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | `"false"` | no | +| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | `[]` | no | +| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | +| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for config endpoint | string | `"false"` | no | +| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for config endpoint | list | `[]` | no | +| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | bool | `"false"` | no | | create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | bool | `"false"` | no | | create\_database\_subnet\_group | Controls if database subnet group should be created | bool | `"true"` | no | 
@@ -281,6 +289,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | `"false"` | no | | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | `"false"` | no | +| enable\_codebuild\_endpoint | Should be true if you want to provision an Codebuild endpoint to the VPC | string | `"false"` | no | +| enable\_codecommit\_endpoint | Should be true if you want to provision an Codecommit endpoint to the VPC | string | `"false"` | no | +| enable\_config\_endpoint | Should be true if you want to provision an config endpoint to the VPC | string | `"false"` | no | | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | `"false"` | no | | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | bool | `"false"` | no | | enable\_dns\_support | Should be true to enable DNS support in the VPC | bool | `"true"` | no | 
@@ -294,6 +305,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no | | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no | | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no | +| enable\_git\_codecommit\_endpoint | Should be true if you want to provision an Git Codecommit endpoint to the VPC | string | `"false"` | no | | enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | bool | `"false"` | no | | enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | bool | `"false"` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | bool | `"false"` | no | 
@@ -302,15 +314,20 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | `"false"` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | bool | `"false"` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | `"false"` | no | +| enable\_secretsmanager\_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC | bool | `"false"` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | bool | `"false"` | no | | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | bool | `"false"` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | bool | `"false"` | no | +| enable\_transferserver\_endpoint | Should be true if you want to provision a Transer Server endpoint to the VPC | bool | `"false"` | no | | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | `"false"` | no | | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | bool | `"false"` | no | | events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list(string) | `[]` | no | | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | `[]` | no | +| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no | +| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no | +| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map(string) | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | | intra\_acl\_tags | Additional tags for the intra subnets network ACL | map(string) | `{}` | no | 
@@ -372,38 +389,26 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no | | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no | | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | `[]` | no | +| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no | +| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no | +| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | `"false"` | no | | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no | | sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | -| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | `"false"` | no | -| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | `[]` | no | -| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | `"false"` | no | -| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | `[]` | no | -| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | -| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no | -| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no | -| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list | `[]` | no | -| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | string | `"false"` | no | -| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | list | `[]` | no | -| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no | | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no | | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | -| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no | -| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no | -| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no | | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no | | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no | +| tags | A map of tags to add to all resources | map(string) | `{}` | no | | transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | bool | `"false"` | no | | transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list(string) | `[]` | no | | transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| list(string) | `[]` | no | -| tags | A map of tags to add to all resources | map(string) | `{}` | no | | vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no | | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no | | vpn\_gateway\_tags | Additional tags for the VPN gateway | map(string) | `{}` | no | From 979f591ddcc2a5a628c48238024d662b68f90618 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 21 Jul 2019 16:34:42 +0300 Subject: [PATCH 07/10] Updated CHANGELOG --- CHANGELOG.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8578537b3..cf2adfc51 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,23 @@ + +## [v2.8.0] - 2019-07-21 + +- Fixed README after merge +- Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302)) +- Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301)) +- adding transfer server vpc end point support +- adding codebuild, codecommit and git-codecommit vpc end point support +- adding config vpc end point support +- adding secrets manager vpc end point support +- Updated version of pre-commit-terraform + + ## [v2.7.0] - 2019-06-17 +- Updated CHANGELOG - Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 ([#288](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/288)) 
@@ -609,7 +623,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.8.0...HEAD +[v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0 [v1.67.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.5.0...v1.67.0 From 17db88d2552ecf1d5b0c7d2b93d9e0532720ad48 Mon Sep 17 00:00:00 2001 From: Ben Sykes Date: Sun, 21 Jul 2019 08:38:32 -0500 Subject: [PATCH 08/10] Output var.name (#303) --- .circleci/config.yml | 9 +++++++-- outputs.tf | 4 ++++ 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index e8c4b96b0..d0b402ed8 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -8,17 +8,22 @@ terraform: &terraform jobs: validate: <<: *terraform + environment: + AWS_DEFAULT_REGION: us-east-1 steps: - checkout + - run: + name: Install curl + command: apk add --update curl # - run: # name: Add github.com to ~/.ssh/known_hosts # command: mkdir ~/.ssh && ssh-keyscan -t rsa github.com >> ~/.ssh/known_hosts - run: name: terraform init - command: terraform init -input=false + command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (cd "$m" && terraform init -input=false -backend=false) || exit 1; done - run: name: Validate Terraform configurations - command: find . -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (terraform validate -check-variables=false "$m" && echo "√ $m") || exit 1 ; done + command: find . -name ".terraform" -prune -o -type f -name "*.tf" -exec dirname {} \;|sort -u | while read m; do (cd "$m" && terraform validate && echo "√ $m") || exit 1 ; done - run: name: Check if Terraform configurations are properly formatted command: if [[ -n "$(terraform fmt -write=false)" ]]; then echo "Some terraform files need be formatted, run 'terraform fmt' to fix"; exit 1; fi diff --git a/outputs.tf b/outputs.tf index 71164fcd6..34e3fa2f5 100644 --- a/outputs.tf +++ b/outputs.tf @@ -624,3 +624,7 @@ output "azs" { value = var.azs } +output "name" { + description = "The name of the VPC" + value = var.name +} From 7f4f9113a46769372db44e962faf24adae57097d Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 21 Jul 2019 16:40:08 +0300 Subject: [PATCH 09/10] Fixed README after merge --- README.md | 1 + outputs.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 7d395e236..77f3f8054 100644 --- a/README.md +++ b/README.md 
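Review bot: The new `terraform init` step's `find` does not prune `.terraform` the way the updated validate step does, so on any run where those directories already exist (restored cache, re-run on the same container) it will descend into downloaded module copies and run `init` there as well; use the same `find . -name ".terraform" -prune -o -type f -name "*.tf" -exec dirname {} \;` expression in both steps. Supply-chain wise, both `apk add --update curl` and `terraform init` now fetch unpinned artifacts from the network on every build, and Terraform 0.12 has no dependency lock file, so whatever provider version the registry serves that day is what gets validated; pinning `version` constraints in the examples' `provider` blocks (or using `-plugin-dir` with a vendored provider) would make the job reproducible. `AWS_DEFAULT_REGION: us-east-1` is presumably there only so the AWS provider can be configured during `validate` without credentials; a comment such as `# region is needed to configure the AWS provider during validate; no credentials are used` would stop the next reader from taking it as a live-account hint. The job definition continues outside this hunk.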
@@ -449,6 +449,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if | intra\_subnet\_arns | List of ARNs of intra subnets | | intra\_subnets | List of IDs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | +| name | The name of the VPC specified as argument to this module | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw\_ids | List of NAT Gateway IDs | diff --git a/outputs.tf b/outputs.tf index 34e3fa2f5..1f43e8151 100644 --- a/outputs.tf +++ b/outputs.tf @@ -625,6 +625,6 @@ output "azs" { } output "name" { - description = "The name of the VPC" + description = "The name of the VPC specified as argument to this module" value = var.name } From 40821bbe9469438a5c439c88109b4664e1a929bf Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sun, 21 Jul 2019 16:40:23 +0300 Subject: [PATCH 10/10] Updated CHANGELOG --- CHANGELOG.md | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index cf2adfc51..70e3a97d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,17 @@ + +## [v2.9.0] - 2019-07-21 + +- Fixed README after merge +- Output var.name ([#303](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/303)) + + ## [v2.8.0] - 2019-07-21 +- Updated CHANGELOG - Fixed README after merge - Additional VPC Endpoints ([#302](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/302)) - Added Kinesis streams and firehose VPC endpoints ([#301](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/301)) 
@@ -539,13 +547,13 @@ - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - -## [v1.5.1] - 2017-11-23 + +## [v1.5.0] - 2017-11-23 - -## [v1.5.0] - 2017-11-23 + +## [v1.5.1] - 2017-11-23 - Reverted bad merge, fixed [#33](https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/33) - Set enable_dns_support=true by default @@ -623,7 +631,8 @@ - Initial commit -[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.8.0...HEAD +[Unreleased]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.9.0...HEAD +[v2.9.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.8.0...v2.9.0 [v2.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.7.0...v2.8.0 [v2.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v2.6.0...v2.7.0 [v2.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.67.0...v2.6.0 
@@ -699,9 +708,9 @@ [v1.8.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.7.0...v1.8.0 [v1.7.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.6.0...v1.7.0 [v1.6.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.1...v1.6.0 -[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.4.1 -[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.5.1 -[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.0 +[v1.4.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.0...v1.4.1 +[v1.5.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.5.1...v1.5.0 +[v1.5.1]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.4.0...v1.5.1 [v1.4.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.3.0...v1.4.0 [v1.3.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.2.0...v1.3.0 [v1.2.0]: https://github.com/terraform-aws-modules/terraform-aws-vpc/compare/v1.1.0...v1.2.0