From 6b93437d746e3f5a838f2ffc42522de2ac929489 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaros=C5=82aw=20Wygoda?= Date: Mon, 25 May 2020 10:03:44 +0200 Subject: [PATCH] feat: Add VPC Endpoint for SES (#449) --- README.md | 9 ++++++++- outputs.tf | 16 ++++++++++++++++ variables.tf | 24 ++++++++++++++++++++++++ vpc-endpoints.tf | 23 +++++++++++++++++++++++ 4 files changed, 71 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 0da36822f..1ed5763ed 100644 --- a/README.md +++ b/README.md @@ -20,7 +20,7 @@ These types of resources are supported: * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): * Gateway: S3, DynamoDB * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, -ECS, ECS Agent, ECS Telemetry, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), +ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, CodeBuild, CodeCommit, Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream, 
@@ -397,6 +397,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | enable\_sagemaker\_runtime\_endpoint | Should be true if you want to provision a SageMaker Runtime endpoint to the VPC | `bool` | `false` | no | | enable\_secretsmanager\_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC | `bool` | `false` | no | | enable\_servicecatalog\_endpoint | Should be true if you want to provision a Service Catalog endpoint to the VPC | `bool` | `false` | no | +| enable\_ses\_endpoint | Should be true if you want to provision an SES endpoint to the VPC | `bool` | `false` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | `bool` | `false` | no | | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | `bool` | `false` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | `bool` | `false` | no | 
@@ -513,6 +514,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | servicecatalog\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint | `bool` | `false` | no | | servicecatalog\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Service Catalog endpoint | `list(string)` | `[]` | no | | servicecatalog\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | +| ses\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SES endpoint | `bool` | `false` | no | +| ses\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SES endpoint | `list(string)` | `[]` | no | +| ses\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | `bool` | `false` | no | | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | `list(string)` | `[]` | no | 
@@ -736,6 +740,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_servicecatalog\_dns\_entry | The DNS entries for the VPC Endpoint for Service Catalog. | | vpc\_endpoint\_servicecatalog\_id | The ID of VPC endpoint for Service Catalog | | vpc\_endpoint\_servicecatalog\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Service Catalog. | +| vpc\_endpoint\_ses\_dns\_entry | The DNS entries for the VPC Endpoint for SES. | +| vpc\_endpoint\_ses\_id | The ID of VPC endpoint for SES | +| vpc\_endpoint\_ses\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SES. | | vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. | | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS | | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. | diff --git a/outputs.tf b/outputs.tf index 4de43e4f8..ce2579682 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1087,6 +1087,22 @@ output "vpc_endpoint_cloud_directory_dns_entry" { value = flatten(aws_vpc_endpoint.cloud_directory.*.dns_entry) } +output "vpc_endpoint_ses_id" { + description = "The ID of VPC endpoint for SES" + value = concat(aws_vpc_endpoint.ses.*.id, [""])[0] +} + +output "vpc_endpoint_ses_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for SES." + value = flatten(aws_vpc_endpoint.ses.*.network_interface_ids) +} + +output "vpc_endpoint_ses_dns_entry" { + description = "The DNS entries for the VPC Endpoint for SES." + value = flatten(aws_vpc_endpoint.ses.*.dns_entry) +} + + # VPC flow log output "vpc_flow_log_id" { description = "The ID of the Flow Log resource" diff --git a/variables.tf b/variables.tf index 9381d8cef..38749e3d2 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1323,6 +1323,30 @@ variable "cloud_directory_endpoint_private_dns_enabled" { default = false } +variable "enable_ses_endpoint" { + description = "Should be true if you want to provision an SES endpoint to the VPC" + type = bool + default = false +} + +variable "ses_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for SES endpoint" + type = list(string) + default = [] +} + +variable "ses_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "ses_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for SES endpoint" + type = bool + default = false +} + variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf index 605140ba2..3365cfe26 100644 --- a/vpc-endpoints.tf +++ b/vpc-endpoints.tf @@ -1026,3 +1026,26 @@ resource "aws_vpc_endpoint" "cloud_directory" { tags = local.vpce_tags } + +####################### +# VPC Endpoint for SES +####################### +data "aws_vpc_endpoint_service" "ses" { + count = var.create_vpc && var.enable_ses_endpoint ? 1 : 0 + + service = "email-smtp" +} + +resource "aws_vpc_endpoint" "ses" { + count = var.create_vpc && var.enable_ses_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.ses[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.ses_endpoint_security_group_ids + subnet_ids = coalescelist(var.ses_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.ses_endpoint_private_dns_enabled + + tags = local.vpce_tags +}
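Review bot: The description of `ses_endpoint_security_group_ids` does not say what happens with the default `[]`, and for an interface endpoint the provider, as far as I know, attaches the VPC's default security group in that case, so a user reading only the variable cannot tell what inbound access the SES endpoint ENIs get out of the box. Suggest extending the description, e.g. `"The ID of one or more security groups to associate with the network interface for SES endpoint. If omitted, the VPC's default security group is attached, so review its rules."`. Unlike the other interface endpoints in this module, which are reached over HTTPS/443, the SES endpoint is an SMTP service, so a security group copied from another endpoint's 443-only rules will presumably not let mail through; a sentence noting that the SG must allow the SMTP ports the callers use would save a debugging round.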
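Review bot: `subnet_ids = coalescelist(var.ses_endpoint_subnet_ids, aws_subnet.private.*.id)` places the endpoint in every private subnet, but the `email-smtp` endpoint service is, as far as I recall, not offered in every Availability Zone, so on a VPC spanning all AZs of a region the apply can fail with an unsupported-AZ error that the other endpoints in this file do not hit. The `aws_vpc_endpoint_service` data source already queried here exposes `availability_zones`; filtering the fallback list against it would avoid that: `subnet_ids = coalescelist(var.ses_endpoint_subnet_ids, [for s in aws_subnet.private : s.id if contains(data.aws_vpc_endpoint_service.ses[0].availability_zones, s.availability_zone)])`. A comment above the resource, `# SES (email-smtp) is only offered in a subset of AZs; restrict the endpoint to subnets in those AZs`, would explain why this endpoint deviates from the pattern used by the others. Like the rest of the file the resource sets no `policy`, which presumably leaves the endpoint with AWS's default full-access policy; that is existing module behaviour rather than something this change needs to solve, but worth keeping in mind for least privilege.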