From 03e8c62a59bd24906fb8da30d1d15b4d9df18358 Mon Sep 17 00:00:00 2001
From: Ilia Lazebnik
Date: Fri, 24 May 2019 20:00:30 +0300
Subject: [PATCH] ECS endpoint (#261)

* add ecs vpc endpoints
* add ecs vpcendpoints outputs
* add ecs vpc endpoints to readme inputs/outputs table
* add ecs vpc endpoints to readme endpoint list
---
 README.md | 20 +++++++++++++++-
 main.tf | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 outputs.tf | 45 +++++++++++++++++++++++++++++++++++
 variables.tf | 60 +++++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 190 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 039c699cd..ce7b774a0 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ These types of resources are supported:
 * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
 * Gateway: S3, DynamoDB
- * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS
+ * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -333,6 +333,15 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no |
+| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no |
+| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no |
+| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no |
+| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no |
+| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no |
+| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | tags | A map of tags to add to all resources | map | `{}` | no |
 | vpc\_tags | Additional tags for the VPC | map | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
@@ -426,6 +435,15 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. |
+| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS |
+| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. |
+| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. |
+| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent |
+| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. |
+| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
+| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry |
+| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
diff --git a/main.tf b/main.tf
index 1b6f3fa42..9a2f89232 100644
--- a/main.tf
+++ b/main.tf
@@ -830,6 +830,72 @@ resource "aws_vpc_endpoint" "kms" {
 private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
 }
+
+#######################
+# VPC Endpoint for ECS
+#######################
+data "aws_vpc_endpoint_service" "ecs" {
+ count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+ service = "ecs"
+}
+
+resource "aws_vpc_endpoint" "ecs" {
+ count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Agent
+#######################
+data "aws_vpc_endpoint_service" "ecs_agent" {
+ count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+ service = "ecs-agent"
+}
+
+resource "aws_vpc_endpoint" "ecs_agent" {
+ count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Telemetry
+#######################
+data "aws_vpc_endpoint_service" "ecs_telemetry" {
+ count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+ service = "ecs-telemetry"
+}
+
+resource "aws_vpc_endpoint" "ecs_telemetry" {
+ count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index 425af581e..107d801b8 100644
--- a/outputs.tf
+++ b/outputs.tf
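Review bot: The `ecs_telemetry` endpoint resource reads the wrong data source: its `service_name` is `data.aws_vpc_endpoint_service.ecs.service_name`, while the `ecs` and `ecs_agent` resources each read their own data source, so it should be `service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}"`. As written, enabling only `enable_ecs_telemetry_endpoint` fails at plan time because `data.aws_vpc_endpoint_service.ecs` then has count 0, and enabling both creates a second endpoint for the ECS API service instead of one for `ecs-telemetry`, so telemetry traffic would presumably still leave the VPC via the path the endpoint was meant to replace, while the `vpc_endpoint_ecs_telemetry_*` outputs report an endpoint that exists. Separately, all three resources default `security_group_ids` to an empty list, which for an Interface endpoint means AWS attaches the VPC's default security group; that mirrors the existing kms block, but a comment such as `# empty list -> VPC default security group is attached; set var.*_endpoint_security_group_ids to restrict ingress` on each would make the exposure explicit to module users.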
@@ -464,6 +464,51 @@ output "vpc_endpoint_apigw_dns_entry" {
 value = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}"
 }
+output "vpc_endpoint_ecs_id" {
+ description = "The ID of VPC endpoint for ECS"
+ value = "${element(concat(aws_vpc_endpoint.ecs.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS."
+ value = "${flatten(aws_vpc_endpoint.ecs.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS."
+ value = "${flatten(aws_vpc_endpoint.ecs.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ecs_agent_id" {
+ description = "The ID of VPC endpoint for ECS Agent"
+ value = "${element(concat(aws_vpc_endpoint.ecs_agent.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_agent_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS Agent."
+ value = "${flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_agent_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS Agent."
+ value = "${flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_id" {
+ description = "The ID of VPC endpoint for ECS Telemetry"
+ value = "${element(concat(aws_vpc_endpoint.ecs_telemetry.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry."
+ value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for ECS Telemetry."
+ value = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
 description = "A list of availability zones specified as argument to this module"
diff --git a/variables.tf b/variables.tf
index 33b79d6c5..9c24a808f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -344,6 +344,66 @@ variable "kms_endpoint_private_dns_enabled" {
 default = false
 }
+variable "enable_ecs_endpoint" {
+ description = "Should be true if you want to provision a ECS endpoint to the VPC"
+ default = false
+}
+
+variable "ecs_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECS endpoint"
+ default = []
+}
+
+variable "ecs_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecs_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint"
+ default = false
+}
+
+variable "enable_ecs_agent_endpoint" {
+ description = "Should be true if you want to provision a ECS Agent endpoint to the VPC"
+ default = false
+}
+
+variable "ecs_agent_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint"
+ default = []
+}
+
+variable "ecs_agent_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecs_agent_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint"
+ default = false
+}
+
+variable "enable_ecs_telemetry_endpoint" {
+ description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC"
+ default = false
+}
+
+variable "ecs_telemetry_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint"
+ default = []
+}
+
+variable "ecs_telemetry_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "ecs_telemetry_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint"
+ default = false
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 default = true
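Review bot: The three new toggles `enable_ecs_endpoint`, `enable_ecs_agent_endpoint` and `enable_ecs_telemetry_endpoint` are not documented in the README inputs table: the README diffstat shows 19 additions, which the two table hunks account for exactly with the nine `ecs_*` rows plus the endpoint list line, so rows for the `enable_ecs_*` variables still need adding. Their descriptions also read "a ECS ..."; the article should be "an", e.g. `description = "Should be true if you want to provision an ECS endpoint to the VPC"`, and likewise for the Agent and Telemetry variants.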