move Gateway VPC Endpoints to separate vpc/endpoints.tf, refactor sli…

…ghtly, and add Interface VPC Endpoints (disabled by default)
techservicesillinois · Mar 7, 2018 · e7c0ac8 · e7c0ac8
1 parent 191b1da
commit e7c0ac8
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -73,7 +73,7 @@ You will need:
      - bucket (2 occurrences, same value)
      - cidr_block (multiple occurrences, all different values)
 
-You may wish to make other changes to `global/main.tf` and `vpc/main.tf` depending on your specific needs (e.g. to deploy more or fewer distinct subnets); some hints are included in the comments within those files.  Note in particular that quite a few components can be omitted if you don't need any campus-facing subnets.
+You may wish to make additional changes depending on your specific needs (e.g. to deploy more or fewer distinct subnets); read the comments for some hints.  Note in particular that quite a few other components can be omitted if you aren't deploying any campus-facing subnets.
 
 If you leave everything else unchanged, the result will be an Enterprise VPC in us-east-2 (Ohio) with six subnets (all three types duplicated across two Availability Zones) as shown in the Detailed Enterprise VPC Example diagram:
 ![Enterprise VPC Example diagram](https://answers.uillinois.edu/images/group180/71015/EnterpriseVPCExample.png)

diff --git a/vpc/endpoints.tf b/vpc/endpoints.tf
@@ -0,0 +1,92 @@
+# Example configuration for VPC Endpoints
+# https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html
+#
+# Copyright (c) 2018 Board of Trustees University of Illinois
+
+locals {
+  # Gateway VPC Endpoints, enabled by default
+  gateway_vpc_endpoint_service_names = [
+    "com.amazonaws.${var.region}.dynamodb",
+    "com.amazonaws.${var.region}.s3",
+  ]
+
+  # Interface VPC Endpoints, disabled by default because they create elastic
+  # network interfaces (thus consuming a private IP) on each subnet.  Uncomment
+  # the ones you want to use.
+  interface_vpc_endpoint_service_names = [
+    #"com.amazonaws.${var.region}.ec2",
+    #"com.amazonaws.${var.region}.ec2messages",
+    #"com.amazonaws.${var.region}.elasticloadbalancing",
+    #"com.amazonaws.${var.region}.kinesis-streams",
+    #"com.amazonaws.${var.region}.kms",
+    #"com.amazonaws.${var.region}.servicecatalog",
+    #"com.amazonaws.${var.region}.ssm",
+  ]
+
+  # which subnets from main.tf to use for Interface VPC Endpoints
+  interface_vpc_endpoint_subnet_ids = ["${module.private1-a-net.id}", "${module.private1-b-net.id}"]
+
+  # derived values used in main.tf
+  gateway_vpc_endpoint_count = "${length(local.gateway_vpc_endpoint_service_names)}"
+  gateway_vpc_endpoint_ids   = ["${aws_vpc_endpoint.gateway.*.id}"]
+}
+
+# create Gateway VPC Endpoints (if desired)
+
+resource "aws_vpc_endpoint" "gateway" {
+  count = "${length(local.gateway_vpc_endpoint_service_names)}"
+
+  vpc_id            = "${aws_vpc.vpc.id}"
+  vpc_endpoint_type = "Gateway"
+  service_name      = "${local.gateway_vpc_endpoint_service_names[count.index]}"
+}
+
+# create Interface VPC Endpoints (if desired)
+
+resource "aws_vpc_endpoint" "interface" {
+  count = "${length(local.interface_vpc_endpoint_service_names)}"
+
+  vpc_id              = "${aws_vpc.vpc.id}"
+  vpc_endpoint_type   = "Interface"
+  service_name        = "${local.interface_vpc_endpoint_service_names[count.index]}"
+  private_dns_enabled = true
+  security_group_ids  = ["${aws_security_group.endpoints.id}"]
+  subnet_ids          = ["${local.interface_vpc_endpoint_subnet_ids}"]
+}
+
+# Security Group for Interface VPC Endpoints (if any)
+
+resource "aws_security_group" "endpoints" {
+  count = "${length(local.interface_vpc_endpoint_service_names) > 0 ? 1 : 0}"
+
+  tags = {
+    Name = "${var.vpc_short_name}-vpc-endpoints"
+  }
+
+  name_prefix = "vpc-endpoints-"
+  vpc_id      = "${aws_vpc.vpc.id}"
+}
+
+# allow all outbound
+resource "aws_security_group_rule" "endpoint_egress" {
+  count = "${length(local.interface_vpc_endpoint_service_names) > 0 ? 1 : 0}"
+
+  security_group_id = "${aws_security_group.endpoints.id}"
+  type              = "egress"
+  protocol          = "-1"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+# allow inbound only from this VPC
+resource "aws_security_group_rule" "endpoint_ingress" {
+  count = "${length(local.interface_vpc_endpoint_service_names) > 0 ? 1 : 0}"
+
+  security_group_id = "${aws_security_group.endpoints.id}"
+  type              = "ingress"
+  protocol          = "-1"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["${aws_vpc.vpc.cidr_block}"]
+}
diff --git a/vpc/main.tf b/vpc/main.tf
@@ -8,7 +8,7 @@ terraform {
 
   ## future (https://github.com/hashicorp/terraform/issues/16835)
   #required_providers {
-  #  aws    = "~> 1.7"
+  #  aws    = "~> 1.9"
   #}
 
   backend "s3" {
@@ -92,7 +92,7 @@ provider "aws" {
   allowed_account_ids = ["${var.account_id}"]
 
   # until https://github.com/hashicorp/terraform/issues/16835
-  version = "~> 1.7"
+  version = "~> 1.9"
 }
 
 # explicit provider for us-east-2 (VPN connection monitoring)
@@ -165,27 +165,6 @@ module "nat-b" {
   public_subnet_id = "${module.public1-b-net.id}"
 }
 
-# create Gateway VPC Endpoints (if desired)
-
-resource "aws_vpc_endpoint" "private-s3" {
-  vpc_id       = "${aws_vpc.vpc.id}"
-  service_name = "com.amazonaws.${var.region}.s3"
-}
-
-resource "aws_vpc_endpoint" "private-dynamodb" {
-  vpc_id       = "${aws_vpc.vpc.id}"
-  service_name = "com.amazonaws.${var.region}.dynamodb"
-}
-
-locals {
-  gateway_vpc_endpoint_count = 2
-
-  gateway_vpc_endpoint_ids = [
-    "${aws_vpc_endpoint.private-s3.id}",
-    "${aws_vpc_endpoint.private-dynamodb.id}",
-  ]
-}
-
 # create a VPN Gateway with a VPN Connection to each of the Customer Gateways
 # defined in the global environment
 #