API gateway Endpoint issue 224

README.md

@@ -15,7 +15,7 @@ These types of resources are supported:
 * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
   * Gateway: S3, DynamoDB
-  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR
+  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -133,7 +133,7 @@ If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the mo
 By default, if NAT Gateways are enabled, private subnets will be configured with routes for Internet traffic that point at the NAT Gateways configured by use of the above options.
 
 If you need private subnets that should have no Internet routing (in the sense of [RFC1918 Category 1 subnets](https://tools.ietf.org/html/rfc1918)), `intra_subnets` should be specified. An example use case is configuration of AWS Lambda functions within a VPC, where AWS Lambda functions only need to pass traffic to internal resources or VPC endpoints for AWS services.
- 
+
 Since AWS Lambda functions allocate Elastic Network Interfaces in proportion to the traffic received ([read more](https://docs.aws.amazon.com/lambda/latest/dg/vpc.html)), it can be useful to allocate a large private subnet for such allocations, while keeping the traffic they generate entirely internal to the VPC.
 
 You can add additional tags with `intra_subnet_tags` as with other subnet types.
@@ -238,6 +238,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no |
 | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no |
 | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no |
+| enable\_apigw\_endpoint | Should be true if you want to provision a API Gateway endpoint to the VPC | string | `"false"` | no |
 | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no |
 | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no |
 | igw\_tags | Additional tags for the internet gateway | map | `{}` | no |
@@ -271,8 +272,10 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no |
 | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no |
 | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no |
+| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API Gateway endpoint | list | `[]` | no |
 | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
+| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API Gateway endpoint | string | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | tags | A map of tags to add to all resources | map | `{}` | no |
@@ -369,4 +372,3 @@ Module is maintained by [Anton Babenko](https://github.com/antonbabenko) with he
 ## License
 
 Apache 2 Licensed. See LICENSE for full details.
-

examples/issue-224-vpcendpoint-apigw/main.tf

@@ -0,0 +1,30 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = "${module.vpc.vpc_id}"
+}
+
+module "vpc" {
+  source = "../../"
+
+  name = "complete-example"
+
+  cidr = "10.15.0.0/16"
+
+  azs             = ["us-east-1a"]
+  private_subnets = ["10.15.1.0/24"]
+
+  # VPC endpoint for API gateway
+  enable_apigw_endpoint              = true
+  apigw_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  apigw_endpoint_private_dns_enabled = true
+
+  tags = {
+    Owner       = "user"
+    Environment = "test"
+    Name        = "test-224"
+  }
+}

main.tf

@@ -530,6 +530,28 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
   private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}"
 }
 
+#######################
+# VPC Endpoint for API Gateway
+#######################
+data "aws_vpc_endpoint_service" "apigw" {
+  count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}"
+
+  service = "execute-api"
+}
+
+resource "aws_vpc_endpoint" "apigw" {
+  count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.apigw.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.apigw_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}"
+}
+
+
 ##########################
 # Route table association
 ##########################

variables.tf

@@ -208,6 +208,26 @@ variable "enable_ssmmessages_endpoint" {
   default     = false
 }
 
+variable "enable_apigw_endpoint" {
+  description = "Should be true if you want to provision an api gateway endpoint to the VPC"
+  default     = false
+}
+
+variable "apigw_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for API GW  endpoint"
+  default     = []
+}
+
+variable "apigw_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint"
+  default     = false
+}
+
+variable "apigw_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
 variable "ssmmessages_endpoint_security_group_ids" {
   description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint"
   default     = []