From cacc2b01c5125e3d298a9da35d3fc526d181a974 Mon Sep 17 00:00:00 2001 From: Larry Aiello Date: Mon, 26 Oct 2020 09:07:35 -0400 Subject: [PATCH] feat: Lambda VPC Endpoint (#534) --- README.md | 7 +++++++ examples/complete-vpc/README.md | 3 +++ examples/complete-vpc/main.tf | 6 +++++- examples/complete-vpc/outputs.tf | 15 +++++++++++++++ outputs.tf | 15 +++++++++++++++ variables.tf | 24 ++++++++++++++++++++++++ vpc-endpoints.tf | 21 +++++++++++++++++++++ 7 files changed, 90 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index fb1ce846a..35cce263b 100644 --- a/README.md +++ b/README.md @@ -450,6 +450,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | `bool` | `false` | no | | enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | `bool` | `false` | no | | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | `bool` | `false` | no | +| enable\_lambda\_endpoint | Should be true if you want to provision a Lambda endpoint to the VPC | `bool` | `false` | no | | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | `bool` | `false` | no | | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | `bool` | `false` | no | | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | @@ -519,6 +520,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | `bool` | `false` | no | | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | `list(string)` | `[]` | no | | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | +| lambda\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint | `bool` | `false` | no | +| lambda\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Lambda endpoint | `list(string)` | `[]` | no | +| lambda\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | `bool` | `false` | no | | logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | `list(string)` | `[]` | no | | logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | @@ -855,6 +859,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. | | vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS | | vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. | +| vpc\_endpoint\_lambda\_dns\_entry | The DNS entries for the VPC Endpoint for Lambda. | +| vpc\_endpoint\_lambda\_id | The ID of VPC endpoint for Lambda | +| vpc\_endpoint\_lambda\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Lambda. | | vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. | | vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs | | vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. | diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md index 385ec8d80..5a8620912 100644 --- a/examples/complete-vpc/README.md +++ b/examples/complete-vpc/README.md @@ -47,6 +47,9 @@ No input. | public\_subnets | List of IDs of public subnets | | redshift\_subnets | List of IDs of redshift subnets | | this\_customer\_gateway | Map of Customer Gateway attributes | +| vpc\_endpoint\_lambda\_dns\_entry | The DNS entries for the VPC Endpoint for Lambda. | +| vpc\_endpoint\_lambda\_id | The ID of VPC endpoint for Lambda | +| vpc\_endpoint\_lambda\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Lambda. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index fbbbac1c5..3c4935c68 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -61,6 +61,11 @@ module "vpc" { ssm_endpoint_private_dns_enabled = true ssm_endpoint_security_group_ids = [data.aws_security_group.default.id] + # VPC endpoint for Lambda + enable_lambda_endpoint = true + lambda_endpoint_private_dns_enabled = true + lambda_endpoint_security_group_ids = [data.aws_security_group.default.id] + # VPC endpoint for SSMMESSAGES enable_ssmmessages_endpoint = true ssmmessages_endpoint_private_dns_enabled = true @@ -133,4 +138,3 @@ module "vpc" { Endpoint = "true" } } - diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf index 9ad8c338a..0d24ff272 100644 --- a/examples/complete-vpc/outputs.tf +++ b/examples/complete-vpc/outputs.tf @@ -57,6 +57,21 @@ output "vpc_endpoint_ssm_dns_entry" { value = module.vpc.vpc_endpoint_ssm_dns_entry } +output "vpc_endpoint_lambda_id" { + description = "The ID of VPC endpoint for Lambda" + value = module.vpc.vpc_endpoint_lambda_id +} + +output "vpc_endpoint_lambda_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Lambda." + value = module.vpc.vpc_endpoint_lambda_network_interface_ids +} + +output "vpc_endpoint_lambda_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Lambda." + value = module.vpc.vpc_endpoint_lambda_dns_entry +} + # Customer Gateway output "cgw_ids" { description = "List of IDs of Customer Gateway" diff --git a/outputs.tf b/outputs.tf index 797a83f44..4be276615 100644 --- a/outputs.tf +++ b/outputs.tf @@ -513,6 +513,21 @@ output "vpc_endpoint_sqs_dns_entry" { value = flatten(aws_vpc_endpoint.sqs.*.dns_entry) } +output "vpc_endpoint_lambda_id" { + description = "The ID of VPC endpoint for Lambda" + value = concat(aws_vpc_endpoint.lambda.*.id, [""])[0] +} + +output "vpc_endpoint_lambda_network_interface_ids" { + description = "One or more network interfaces for the VPC Endpoint for Lambda." + value = flatten(aws_vpc_endpoint.lambda.*.network_interface_ids) +} + +output "vpc_endpoint_lambda_dns_entry" { + description = "The DNS entries for the VPC Endpoint for Lambda." + value = flatten(aws_vpc_endpoint.lambda.*.dns_entry) +} + output "vpc_endpoint_codebuild_id" { description = "The ID of VPC endpoint for codebuild" value = concat(aws_vpc_endpoint.codebuild.*.id, [""])[0] diff --git a/variables.tf b/variables.tf index a5336ef27..223697301 100644 --- a/variables.tf +++ b/variables.tf @@ -490,6 +490,30 @@ variable "sqs_endpoint_private_dns_enabled" { default = false } +variable "enable_lambda_endpoint" { + description = "Should be true if you want to provision a Lambda endpoint to the VPC" + type = bool + default = false +} + +variable "lambda_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for Lambda endpoint" + type = list(string) + default = [] +} + +variable "lambda_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "lambda_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint" + type = bool + default = false +} + variable "enable_ssm_endpoint" { description = "Should be true if you want to provision an SSM endpoint to the VPC" type = bool diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf index 60030810b..1a3deddc4 100644 --- a/vpc-endpoints.tf +++ b/vpc-endpoints.tf @@ -185,6 +185,27 @@ resource "aws_vpc_endpoint" "sqs" { tags = local.vpce_tags } +######################### +# VPC Endpoint for Lambda +######################### +data "aws_vpc_endpoint_service" "lambda" { + count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0 + + service = "lambda" +} +resource "aws_vpc_endpoint" "lambda" { + count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.lambda[0].service_name + vpc_endpoint_type = "Interface" + + security_group_ids = var.lambda_endpoint_security_group_ids + subnet_ids = coalescelist(var.lambda_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.lambda_endpoint_private_dns_enabled + tags = local.vpce_tags +} + ################################### # VPC Endpoint for Secrets Manager ###################################