This module builds VPC endpoints based on the inputs.
```hcl
module "vpc_endpoint" {
  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_endpoint?ref=v0.12.5"

  # List-driven configuration: the legacy S3/DynamoDB booleans are switched off
  # so those gateway endpoints are created only through gateway_endpoints.
  dynamo_db_endpoint_enable = false
  s3_endpoint_enable        = false

  enable_private_dns_list = ["codebuild", "ec2", "ec2messages", "elasticloadbalancing", "events", "kms", "logs", "monitoring", "sagemaker.runtime", "secretsmanager", "servicecatalog", "sns", "sqs", "ssm"]
  gateway_endpoints       = ["s3", "dynamodb"]
  interface_endpoints     = ["codebuild", "ec2", "ec2messages", "elasticloadbalancing", "events", "execute-api", "kinesis-streams", "kms", "logs", "monitoring", "sagemaker.runtime", "secretsmanager", "servicecatalog", "sns", "sqs", "ssm"]

  security_groups = [module.security_groups.vpc_endpoint_security_group_id]
  subnets         = module.base_network.private_subnets
  vpc_id          = module.base_network.vpc_id

  route_tables = concat(
    module.base_network.private_route_tables,
    module.base_network.public_route_tables,
  )
}
```
```hcl
module "vpc_endpoint" {
  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_endpoint?ref=v0.12.5"

  # Gateway endpoints only (S3 and DynamoDB), using the legacy boolean inputs.
  dynamo_db_endpoint_enable = true
  s3_endpoint_enable        = true
  vpc_id                    = module.base_network.vpc_id

  route_tables = concat(
    module.base_network.private_route_tables,
    module.base_network.public_route_tables,
  )
}
```
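As an added example (not taken from the module's README or its examples directory), the following call attaches a restrictive policy to the S3 gateway endpoint through the `endpoint_policies` input, keyed by the same service name used in `gateway_endpoints`. `module.base_network` is the network module from the examples above and `EXAMPLE-BUCKET-NAME` is a placeholder; the legacy booleans are set to false, as the `gateway_endpoints` description requires.

```hcl
data "aws_caller_identity" "current" {}

# Endpoint policy for the S3 gateway endpoint (constructed example):
# only principals from this account may use it, and only against the
# named bucket. Everything else is implicitly denied by the policy.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid     = "AllowOwnAccountToExampleBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::EXAMPLE-BUCKET-NAME", # placeholder bucket name
      "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

module "vpc_endpoint" {
  source = "git@github.com:rackspace-infrastructure-automation/aws-terraform-vpc_endpoint?ref=v0.12.5"

  vpc_id            = module.base_network.vpc_id
  route_tables      = module.base_network.private_route_tables
  gateway_endpoints = ["s3"]

  # The legacy booleans default to true; switch them off so the endpoint
  # set is driven only by gateway_endpoints (see the variable description).
  s3_endpoint_enable        = false
  dynamo_db_endpoint_enable = false

  # Keyed by service name, matching the entry in gateway_endpoints.
  endpoint_policies = {
    s3 = data.aws_iam_policy_document.s3_endpoint.json
  }
}
```

An endpoint policy applies to all S3 traffic routed through the endpoint, including AWS-managed content hosted in S3 such as the Amazon Linux package repositories, so verify package installs and other S3-backed services after applying one.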
Full working references are available in the examples directory.
Several changes were required while adding Terraform 0.12 compatibility. The following changes should be made when upgrading from a previous release to version 0.12.0 or higher.

The following module variables were renamed to better meet current Rackspace style guides:

- `route_tables_ids_list` -> `route_tables`
- `security_group_ids_list` -> `security_groups`
- `subnet_ids_list` -> `subnets`

From version 0.12.1, the following changes have occurred:

- All of the boolean "enable" variables, such as `events_endpoint_enable` and `events_private_dns_enable`, are marked for deprecation to accommodate a more compact and Terraform 0.12 friendly configuration. They will be removed in a future release. In lieu of these, please see the additions listed below.
- `gateway_endpoints` - introduced as a single variable to replace all "enable" Gateway booleans. It is a list of gateway service names.
- `interface_endpoints` - introduced as a single variable to replace all "enable" Interface booleans. It is a list of interface service names.
- `enable_private_dns_list` - introduced as a single variable to replace all of the "enable" Private DNS Interface booleans. It is a list of interface service names.
Requirements:

Name | Version |
---|---|
terraform | >= 0.12 |
aws | >= 2.7.0 |
Providers:

Name | Version |
---|---|
aws | >= 2.7.0 |
No Modules.
Resources:

Name |
---|
aws_region |
aws_vpc_endpoint |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
codebuild_endpoint_enable | Enable/Disable the codebuild VPC Endpoint. Allowed values: true, false | bool | false | no |
codebuild_fips_endpoint_enable | Enable/Disable the codebuild-fips VPC Endpoint. Allowed values: true, false | bool | false | no |
codebuild_fips_private_dns_enable | Enable/Disable private DNS on the codebuild-fips endpoint. Allowed values: true, false | bool | false | no |
codebuild_private_dns_enable | Enable/Disable private DNS on the codebuild endpoint. Allowed values: true, false | bool | false | no |
dynamo_db_endpoint_enable | Enable/Disable the DynamoDB VPC Endpoint. Allowed values: true, false | bool | true | no |
ec2_endpoint_enable | Enable/Disable the ec2 VPC Endpoint. Allowed values: true, false | bool | false | no |
ec2_private_dns_enable | Enable/Disable private DNS on the ec2 endpoint. Allowed values: true, false | bool | false | no |
ec2messages_endpoint_enable | Enable/Disable the ec2messages VPC Endpoint. Allowed values: true, false | bool | false | no |
ec2messages_private_dns_enable | Enable/Disable private DNS on the ec2messages endpoint. Allowed values: true, false | bool | false | no |
ecr_api_endpoint_enable | Enable/Disable the ecr.api VPC Endpoint. Allowed values: true, false | bool | false | no |
ecr_api_private_dns_enable | Enable/Disable private DNS on the ecr.api endpoint. Allowed values: true, false | bool | false | no |
ecr_dkr_endpoint_enable | Enable/Disable the ecr.dkr VPC Endpoint. Allowed values: true, false | bool | false | no |
ecr_dkr_private_dns_enable | Enable/Disable private DNS on the ecr.dkr endpoint. Allowed values: true, false | bool | false | no |
elasticloadbalancing_endpoint_enable | Enable/Disable the elasticloadbalancing VPC Endpoint. Allowed values: true, false | bool | false | no |
elasticloadbalancing_private_dns_enable | Enable/Disable private DNS on the elasticloadbalancing endpoint. Allowed values: true, false | bool | false | no |
enable_private_dns_list | List of Interface endpoints that should have private DNS enabled. This should be a subset of the list of interface endpoints to provision. | list(string) | [] | no |
endpoint_policies | A map of endpoint policies to apply to the associated VPC Endpoints. Each policy should be listed under a key matching its service (see gateway_endpoints and interface_endpoints). Each policy must be between 100 and 10,240 characters. Services not given an explicit policy will use the Terraform default for the service endpoint. | map | {} | no |
environment | Application environment for which this network is being created. One of: ('Development', 'Integration', 'PreProduction', 'Production', 'QA', 'Staging', 'Test') | string | "Development" | no |
events_endpoint_enable | Enable/Disable the events VPC Endpoint. Allowed values: true, false | bool | false | no |
events_private_dns_enable | Enable/Disable private DNS on the events endpoint. Allowed values: true, false | bool | false | no |
execute_api_endpoint_enable | Enable/Disable the execute-api VPC Endpoint. Allowed values: true, false | bool | false | no |
execute_api_private_dns_enable | Enable/Disable private DNS on the execute-api endpoint. Allowed values: true, false | bool | false | no |
gateway_endpoints | List of gateway endpoints to enable, e.g. ["dynamodb","s3"]. The complete list can be found here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html. To date only s3 and dynamodb exist. Also note that, for backward compatibility, s3_endpoint_enable and dynamo_db_endpoint_enable default to true, so if using this method those need to be explicitly set to false. | list(string) | [] | no |
interface_endpoints | List of interface endpoints to enable, e.g. ["codebuild","ec2"]. The complete list can be found here: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html. | list(string) | [] | no |
kinesis_streams_endpoint_enable | Enable/Disable the kinesis-streams VPC Endpoint. Allowed values: true, false | bool | false | no |
kinesis_streams_private_dns_enable | Enable/Disable private DNS on the kinesis-streams endpoint. Allowed values: true, false | bool | false | no |
kms_endpoint_enable | Enable/Disable the kms VPC Endpoint. Allowed values: true, false | bool | false | no |
kms_private_dns_enable | Enable/Disable private DNS on the kms endpoint. Allowed values: true, false | bool | false | no |
logs_endpoint_enable | Enable/Disable the logs VPC Endpoint. Allowed values: true, false | bool | false | no |
logs_private_dns_enable | Enable/Disable private DNS on the logs endpoint. Allowed values: true, false | bool | false | no |
monitoring_endpoint_enable | Enable/Disable the monitoring VPC Endpoint. Allowed values: true, false | bool | false | no |
monitoring_private_dns_enable | Enable/Disable private DNS on the monitoring endpoint. Allowed values: true, false | bool | false | no |
route_tables | List of Route Table IDs for each AZ | list(string) | [] | no |
s3_endpoint_enable | Enable/Disable the S3 VPC Endpoint. Allowed values: true, false | bool | true | no |
sagemaker_runtime_endpoint_enable | Enable/Disable the sagemaker.runtime VPC Endpoint. Allowed values: true, false | bool | false | no |
sagemaker_runtime_private_dns_enable | Enable/Disable private DNS on the sagemaker.runtime endpoint. Allowed values: true, false | bool | false | no |
secretsmanager_endpoint_enable | Enable/Disable the secretsmanager VPC Endpoint. Allowed values: true, false | bool | false | no |
secretsmanager_private_dns_enable | Enable/Disable private DNS on the secretsmanager endpoint. Allowed values: true, false | bool | false | no |
security_groups | List of Security Group IDs for the endpoints. | list(string) | [] | no |
servicecatalog_endpoint_enable | Enable/Disable the servicecatalog VPC Endpoint. Allowed values: true, false | bool | false | no |
servicecatalog_private_dns_enable | Enable/Disable private DNS on the servicecatalog endpoint. Allowed values: true, false | bool | false | no |
sns_endpoint_enable | Enable/Disable the sns VPC Endpoint. Allowed values: true, false | bool | false | no |
sns_private_dns_enable | Enable/Disable private DNS on the sns endpoint. Allowed values: true, false | bool | false | no |
sqs_endpoint_enable | Enable/Disable the sqs VPC Endpoint. Allowed values: true, false | bool | false | no |
sqs_private_dns_enable | Enable/Disable private DNS on the sqs endpoint. Allowed values: true, false | bool | false | no |
ssm_endpoint_enable | Enable/Disable the ssm VPC Endpoint. Allowed values: true, false | bool | false | no |
ssm_private_dns_enable | Enable/Disable private DNS on the ssm endpoint. Allowed values: true, false | bool | false | no |
subnets | List of Subnets to associate with Interface endpoints. | list(string) | [] | no |
tags | Custom tags to apply to all resources. | map(string) | {} | no |
vpc_id | Provide Virtual Private Cloud ID | string | n/a | yes |
Outputs:

Name | Description |
---|---|
codebuild_fips_vpc_endpoint_id | CodeBuild-fips VPC endpoint ID |
codebuild_vpc_endpoint_id | CodeBuild VPC endpoint ID |
dynamodb_vpc_endpoint_id | DynamoDB VPC endpoint ID |
ec2_vpc_endpoint_id | EC2 VPC endpoint ID |
ec2messages_vpc_endpoint_id | EC2messages VPC endpoint ID |
ecr_api_vpc_endpoint_id | ecr.api VPC endpoint ID |
ecr_dkr_vpc_endpoint_id | ecr.dkr VPC endpoint ID |
elasticloadbalancing_vpc_endpoint_id | Elasticloadbalancing VPC endpoint ID |
endpoint_ids | Combined list of Gateway and Interface endpoint IDs |
events_vpc_endpoint_id | Events VPC endpoint ID |
execute_api_vpc_endpoint_id | Execute-api VPC endpoint ID |
kinesis_streams_vpc_endpoint_id | Kinesis-streams VPC endpoint ID |
kms_vpc_endpoint_id | Kms VPC endpoint ID |
logs_vpc_endpoint_id | Logs VPC endpoint ID |
monitoring_vpc_endpoint_id | Monitoring VPC endpoint ID |
s3_vpc_endpoint_id | S3 VPC endpoint ID |
sagemaker_runtime_vpc_endpoint_id | Sagemaker.runtime VPC endpoint ID |
secretsmanager_vpc_endpoint_id | Secretsmanager VPC endpoint ID |
servicecatalog_vpc_endpoint_id | Servicecatalog VPC endpoint ID |
sns_vpc_endpoint_id | SNS VPC endpoint ID |
sqs_vpc_endpoint_id | SQS VPC endpoint ID |
ssm_vpc_endpoint_id | SSM VPC endpoint ID |