chime · bwhaley · Sep 5, 2024 · Sep 6, 2024 · Sep 6, 2024 · Sep 6, 2024
@@ -4,3 +4,4 @@
 **/terraform.tfstate*
 **/.terraform*
 **/.test-data
+.idea
@@ -77,7 +77,7 @@ When a NAT instance in any of the zonal ASGs is terminated, the lifecycle hook p
 
 The replace-route function also acts as a health check. Every minute, in the private subnet of each availability zone, the function checks that connectivity to the Internet works by requesting https://www.example.com and, if that fails, https://www.google.com. If the request succeeds, the function exits. If both requests fail, the NAT instance is presumably borked, and the function updates the route to point at the standby NAT gateway.
 
-In the event that a NAT instance is unavailable, the function would have no route to the AWS EC2 and Lambda APIs to perform the necessary steps to update the route table. This is mitigated by the use of [interface VPC endpoints](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) to EC2 and Lambda.
+In the event that a NAT instance is unavailable, the function would have no route to the AWS EC2 API to perform the necessary steps to update the route table. This is mitigated by the use of an [interface VPC endpoint](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/interface-vpc-endpoints.html) to EC2.
 
 ## Drawbacks
 

@@ -31,19 +31,6 @@ locals {
     }
     : {}
   )
-  lambda_endpoint = (
-    var.enable_lambda_endpoint
-    ? {
-      lambda = {
-        service             = "lambda"
-        private_dns_enabled = true
-        subnet_ids          = local.az_private_subnets
-        tags                = { Name = "lambda-vpc-endpoint" }
-      }
-    }
-    : {}
-  )
-  endpoints = merge(local.ec2_endpoint, local.lambda_endpoint)
 
   # Must provide exactly 1 EIP per AZ
   # var.nat_instance_eip_ids ignored if doesn't match AZ count
@@ -457,7 +444,7 @@ locals {
 }
 
 resource "aws_security_group" "vpc_endpoint" {
-  count = length(local.endpoints) > 0 ? 1 : 0
+  count = length(local.ec2_endpoint) > 0 ? 1 : 0
 
   name_prefix = "ec2-vpc-endpoints-"
   description = "Allow TLS from the VPC CIDR to the AWS API."
@@ -483,13 +470,13 @@ resource "aws_security_group" "vpc_endpoint" {
 }
 
 module "vpc_endpoints" {
-  count = length(local.endpoints) > 0 ? 1 : 0
+  count = length(local.ec2_endpoint) > 0 ? 1 : 0
 
   source             = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
   version            = "~> 3.14.0"
   vpc_id             = var.vpc_id
   security_group_ids = [aws_security_group.vpc_endpoint[0].id]
-  endpoints          = local.endpoints
+  endpoints          = local.ec2_endpoint
   tags               = var.tags
 }
 

@@ -61,12 +61,6 @@ variable "enable_ec2_endpoint" {
   default     = true
 }
 
-variable "enable_lambda_endpoint" {
-  description = "Whether to create a VPC endpoint to Lambda for Internet Connectivity testing."
-  type        = bool
-  default     = true
-}
-
 variable "enable_ssm" {
   description = "Whether to enable SSM on the Alternat instances."
   type        = bool