Updated files for policy in ecr api endpoint.

README.md

@@ -1,8 +1,13 @@
 # AWS Network Terraform module
 
 ![squareops_avatar]
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://drive.google.com/file/d/1R078Xyx2QQjBHqn35K8TN9JkFzGGNRgj/view?usp=drive_link">
+  <source media="(prefers-color-scheme: light)" srcset="https://drive.google.com/file/d/1ZOCXWl6tt5OLaly6Ncd3Hcu3Yg8XOm5U/view?usp=drive_link">
+  <img alt="Shows an illustrated sun in light mode and a moon with stars in dark mode." src="https://github.com/rachit89/terraform-aws-vpc/blob/feature/logo/png%20white%20bg%20squareops.png">
+</picture>
 
-[squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png
+### [squareops_avatar]: https://squareops.com/wp-content/uploads/2022/12/squareops-logo.png
 
 ### [SquareOps Technologies](https://squareops.com/) Your DevOps Partner for Accelerating cloud journey.
 
@@ -15,6 +20,7 @@ Terraform module to create Networking resources with IPv4 or dual stack IP mode
 
 module "key_pair_vpn" {
   source             = "squareops/keypair/aws"
+  count              = local.vpn_server_enabled ? 1 : 0
   environment        = "production"
   key_name           = format("%s-%s-vpn", "production", "skaf")
   ssm_parameter_path = format("%s-%s-vpn", "production", "skaf")
@@ -24,21 +30,22 @@ module "key_pair_vpn" {
 module "vpc" {
   source = "squareops/vpc/aws"
   name                                            = "skaf"
+  aws_region                                      = "us-east-1"
   vpc_cidr                                        = "10.0.0.0/16"
   environment                                     = "production"
   ipv6_enabled                                    = true
   create_ipam_pool                                = false
   ipam_enabled                                    = false
   vpc_flow_log_enabled                            = true
-  vpn_server_key_pair_name                        = module.key_pair_vpn.key_pair_name
+  vpn_server_key_pair_name                        = local.vpn_server_enabled ? module.key_pair_vpn[0].key_pair_name : ""
   vpc_availability_zones                          = ["us-east-1a", "us-east-1b"]
+  auto_assign_public_ip                           = true
   vpn_server_enabled                              = false
   vpc_intra_subnet_enabled                        = true
-  auto_assign_public_ip                           = true
   vpc_public_subnet_enabled                       = true
-  vpc_private_subnet_enable                       = true
-  vpc_one_nat_gateway_per_az                      = true
+  vpc_private_subnet_enabled                      = true
   vpc_database_subnet_enabled                     = true
+  vpc_one_nat_gateway_per_az                      = true
   vpn_server_instance_type                        = "t3a.small"
   vpc_public_subnets_counts                       = 2
   vpc_private_subnets_counts                      = 2

examples/complete-vpc-with-vpn/main.tf

@@ -1,14 +1,14 @@
 locals {
-  vpc_name                                       = "vpc-test"
-  aws_region                                     = "ap-northeast-1"
-  aws_account_id                                 = "767398031518"
-  environment                                    = "prod"
+  vpc_name                                       = "vpc-rachit"
+  aws_region                                     = "ap-south-1"
+  aws_account_id                                 = "654654551614"
+  environment                                    = "stg"
   kms_user                                       = null
   vpc_cidr                                       = "10.10.0.0/16"
-  vpc_availability_zones                         = ["ap-northeast-1a", "ap-northeast-1c"]
+  vpc_availability_zones                         = ["ap-south-1a", "ap-south-1b"]
   kms_deletion_window_in_days                    = 7
   enable_key_rotation                            = false
-  is_enabled                                     = true
+  is_enabled                                     = false
   vpc_flow_log_enabled                           = false
   vpn_server_enabled                             = true
   vpc_intra_subnet_enabled                       = true
@@ -23,10 +23,6 @@ locals {
   vpc_flow_log_cloudwatch_log_group_skip_destroy = false
   current_identity                               = data.aws_caller_identity.current.arn
   multi_region                                   = false
-  vpc_public_subnets_counts                      = 2
-  vpc_private_subnets_counts                     = 2
-  vpc_database_subnets_counts                    = 2
-  vpc_intra_subnets_counts                       = 2
   additional_aws_tags = {
     Owner      = "Organization_Name"
     Expires    = "Never"
@@ -38,6 +34,7 @@ data "aws_caller_identity" "current" {}
 
 module "key_pair_vpn" {
   source             = "squareops/keypair/aws"
+  count              = local.vpn_server_enabled ? 1 : 0
   key_name           = format("%s-%s-vpn", local.environment, local.vpc_name)
   environment        = local.environment
   ssm_parameter_path = format("%s-%s-vpn", local.environment, local.vpc_name)
@@ -96,8 +93,10 @@ module "vpc" {
   aws_region                                          = local.aws_region
   vpc_cidr                                            = local.vpc_cidr
   environment                                         = local.environment
+  ipv6_enabled                                        = true
+  ipam_enabled                                        = false
   vpc_flow_log_enabled                                = local.vpc_flow_log_enabled
-  vpn_server_key_pair_name                            = module.key_pair_vpn.key_pair_name
+  vpn_server_key_pair_name                            = local.vpn_server_enabled ? module.key_pair_vpn[0].key_pair_name : ""
   vpc_availability_zones                              = local.vpc_availability_zones
   vpn_server_enabled                                  = local.vpn_server_enabled
   vpc_intra_subnet_enabled                            = local.vpc_intra_subnet_enabled
@@ -113,10 +112,10 @@ module "vpc" {
   vpc_flow_log_cloudwatch_log_group_skip_destroy      = local.vpc_flow_log_cloudwatch_log_group_skip_destroy
   vpc_flow_log_cloudwatch_log_group_retention_in_days = 90
   vpc_flow_log_cloudwatch_log_group_kms_key_arn       = module.kms.key_arn #Enter your kms key arn
-  vpc_public_subnets_counts                           = local.vpc_public_subnets_counts
-  vpc_private_subnets_counts                          = local.vpc_private_subnets_counts
-  vpc_database_subnets_counts                         = local.vpc_database_subnets_counts
-  vpc_intra_subnets_counts                            = local.vpc_intra_subnets_counts
+  vpc_public_subnets_counts                           = 2
+  vpc_private_subnets_counts                          = 2
+  vpc_database_subnets_counts                         = 2
+  vpc_intra_subnets_counts                            = 2
   vpc_endpoint_type_private_s3                        = "Gateway"
   vpc_endpoint_type_ecr_dkr                           = "Interface"
   vpc_endpoint_type_ecr_api                           = "Interface"

main.tf

@@ -1,6 +1,5 @@
 locals {
-  azs = length(var.vpc_availability_zones)
-  # public subnets cidr
+  azs                   = length(var.vpc_availability_zones)
   public_subnets_native = var.vpc_public_subnet_enabled ? length(var.vpc_public_subnet_cidrs) > 0 ? var.vpc_public_subnet_cidrs : [for netnum in range(0, var.vpc_public_subnets_counts) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
   secondary_public_subnets = var.vpc_public_subnet_enabled && var.secondry_cidr_enabled ? [
     for cidr_block in var.secondary_cidr_blocks : [
@@ -10,14 +9,15 @@ locals {
   vpc_public_subnets = concat(local.public_subnets_native, flatten(local.secondary_public_subnets))
 
   # intra subnets cidr
-  intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 4, netnum)] : []
+  intra_subnets_native = var.vpc_intra_subnet_enabled ? length(var.vpc_intra_subnet_cidrs) > 0 ? var.vpc_intra_subnet_cidrs : [for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
   secondary_intra_subnets = var.vpc_intra_subnet_enabled && var.secondry_cidr_enabled ? [
     for cidr_block in var.secondary_cidr_blocks : [
       for netnum in range(var.vpc_intra_subnets_counts * 3, var.vpc_intra_subnets_counts * 4) : cidrsubnet(cidr_block, 8, netnum)
     ]
   ] : []
   vpc_intra_subnets = concat(local.intra_subnets_native, flatten(local.secondary_intra_subnets))
 
+
   # private subnets cidr
   private_subnets_native = var.vpc_private_subnet_enabled ? length(var.vpc_private_subnet_cidrs) > 0 ? var.vpc_private_subnet_cidrs : [for netnum in range(var.vpc_private_subnets_counts * 4, var.vpc_private_subnets_counts * 5) : cidrsubnet(var.vpc_cidr, 8, netnum)] : []
   secondary_private_subnets = var.vpc_private_subnet_enabled && var.secondry_cidr_enabled ? [
@@ -107,7 +107,6 @@ module "vpc" {
   private_subnet_ipv6_native                      = local.ipv6_only
   database_subnet_ipv6_native                     = local.ipv6_only
   intra_subnet_ipv6_native                        = local.ipv6_only
-  #assign_ipv6_address_on_creation = local.assign_ipv6_address_on_creation
   public_subnet_assign_ipv6_address_on_creation   = local.public_subnet_assign_ipv6_address_on_creation
   private_subnet_assign_ipv6_address_on_creation  = local.private_subnet_assign_ipv6_address_on_creation
   database_subnet_assign_ipv6_address_on_creation = local.database_subnet_assign_ipv6_address_on_creation
@@ -188,8 +187,8 @@ module "vpn_server" {
   vpc_id                   = module.vpc.vpc_id
   vpc_cidr                 = var.vpc_cidr
   environment              = var.environment
-  vpn_key_pair             = var.vpn_server_key_pair_name
-  public_subnet            = module.vpc.public_subnets[0]
+  vpn_key_pair_name        = var.vpn_server_key_pair_name
+  public_subnet_ids        = module.vpc.public_subnets[0]
   vpn_server_instance_type = var.vpn_server_instance_type
 }
 
@@ -295,27 +294,33 @@ POLICY
 }
 
 # private links for ECR.api
-
 resource "aws_vpc_endpoint" "private_ecr_api" {
   count               = var.vpc_ecr_endpoint_enabled ? 1 : 0
   depends_on          = [data.aws_route_tables.aws_private_routes]
   vpc_id              = module.vpc.vpc_id
   subnet_ids          = [module.vpc.private_subnets[count.index]]
   service_name        = "com.amazonaws.${var.aws_region}.ecr.api"
-  vpc_endpoint_type   = var.vpc_endpoint_type_ecr_api
+  security_group_ids  = [aws_security_group.vpc_endpoints[0].id]
+  vpc_endpoint_type   = "Interface"
   private_dns_enabled = true
-  policy              = <<POLICY
-{
-    "Statement": [
-        {
-            "Action": "ecr.api",
-            "Effect": "Allow",
-            "Resource": "*",
-            "Principal": "*"
-        }
+
+  policy = jsonencode({
+    "Statement" : [
+      {
+        "Principal" : {
+          "AWS" : "*"
+        },
+        "Action" : [
+          "ecr:BatchGetImage",
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:GetAuthorizationToken"
+        ],
+        "Effect" : "Allow",
+        "Resource" : "*"
+      }
     ]
-}
-POLICY
+  })
+
   tags = {
     Name = "${var.environment}-${var.name}-ecr-api-endpoint"
   }