Merge pull request #25 from Cantara/master

Add vpc endpoints
telia-oss · Jul 15, 2020 · 9e0a501 · 9e0a501
2 parents bae982d + b0b914d
commit 9e0a501
Show file tree

Hide file tree

Showing 10 changed files with 111 additions and 2 deletions.
diff --git a/LICENSE b/LICENSE
@@ -1,6 +1,7 @@
 MIT License
 
 Copyright (c) 2018 Telia Company
+Copyright (c) 2019 Vygruppen AS
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -10,6 +10,7 @@ This is a module which simplifies setting up a new VPC and getting it into a use
 - Creates a NAT gateway for your private subnets if desired (requires public subnets).
 - Creates an egress only internet gateway for IPv6 traffic outbound from the private subnets.
 - Adds the tag `type` to each subnet with the value of either `public` or `private`.
+- Adds VPC Gateway Endpoints for s3 and dynamodb
 
 Note that, if `create_nat_gateways` is enabled, each private subnet has a route table which targets an individual NAT gateway when accessing
 the internet over IPv4, which means that all instances in a given private subnet will appear to have the same static IP from the outside.
diff --git a/examples/basic/main.tf b/examples/basic/main.tf
@@ -4,7 +4,7 @@ terraform {
 
 provider "aws" {
   version = ">= 2.17"
-  region  = "${var.region}"
+  region  = var.region
 }
 
 module "vpc" {

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -4,7 +4,7 @@ terraform {
 
 provider "aws" {
   version = ">= 2.17"
-  region  = "${var.region}"
+  region  = var.region
 }
 
 module "vpc" {

diff --git a/examples/interface-endpoint/README.md b/examples/interface-endpoint/README.md
@@ -0,0 +1,8 @@
+## examples/interface-endpoint
+
+Adding an interface endpoint to a VPC for an AWS service eliminates the data transfer costs to use that service but 
+instead incurs a cost for adding ENIs in each subnet.  For this reason interface endpoints are not enabled by default.
+
+This example shows how to extend the VPC module to add interface endpoints.  It adds the interface endpoints
+necessary for using AWS Systems Manager / Session Manager to access an instances in a private subnet. The instances must 
+have the default vpc security group associated for this to work.
diff --git a/examples/interface-endpoint/main.tf b/examples/interface-endpoint/main.tf
@@ -0,0 +1,69 @@
+provider "aws" {
+  version = ">= 2.17"
+  region  = var.region
+}
+
+data "aws_availability_zones" "main" {}
+
+locals {
+  vpc_cidr_block = "10.100.0.0/16"
+  public_cidr_blocks = [for k, v in data.aws_availability_zones.main.names :
+  cidrsubnet(local.vpc_cidr_block, 4, k)]
+  private_cidr_blocks = [for k, v in data.aws_availability_zones.main.zone_ids :
+  cidrsubnet(local.vpc_cidr_block, 4, k + length(data.aws_availability_zones.main.names))]
+  tags = {
+    terraform   = "true"
+    environmemt = "dev"
+  }
+}
+
+module "vpc" {
+  source               = "../../"
+  name_prefix          = var.name_prefix
+  cidr_block           = local.vpc_cidr_block
+  availability_zones   = data.aws_availability_zones.main.names
+  private_subnet_cidrs = local.private_cidr_blocks
+  create_nat_gateways  = false
+  enable_dns_hostnames = true
+  tags                 = local.tags
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+  service_name        = "com.amazonaws.${var.region}.ssm"
+  vpc_id              = module.vpc.vpc_id
+  subnet_ids          = compact(concat(module.vpc.private_subnet_ids, module.vpc.public_subnet_ids))
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc.default_security_group_id]
+  tags                = local.tags
+  private_dns_enabled = true
+}
+
+resource "aws_vpc_endpoint" "ssmmessages" {
+  service_name        = "com.amazonaws.${var.region}.ssmmessages"
+  vpc_id              = module.vpc.vpc_id
+  subnet_ids          = compact(concat(module.vpc.private_subnet_ids, module.vpc.public_subnet_ids))
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc.default_security_group_id]
+  tags                = local.tags
+  private_dns_enabled = true
+}
+
+resource "aws_vpc_endpoint" "ec2" {
+  service_name        = "com.amazonaws.${var.region}.ec2"
+  vpc_id              = module.vpc.vpc_id
+  subnet_ids          = compact(concat(module.vpc.private_subnet_ids, module.vpc.public_subnet_ids))
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc.default_security_group_id]
+  tags                = local.tags
+  private_dns_enabled = true
+}
+
+resource "aws_vpc_endpoint" "ec2messages" {
+  service_name        = "com.amazonaws.${var.region}.ec2messages"
+  vpc_id              = module.vpc.vpc_id
+  subnet_ids          = compact(concat(module.vpc.private_subnet_ids, module.vpc.public_subnet_ids))
+  vpc_endpoint_type   = "Interface"
+  security_group_ids  = [module.vpc.default_security_group_id]
+  tags                = local.tags
+  private_dns_enabled = true
+}
diff --git a/examples/interface-endpoint/outputs.tf b/examples/interface-endpoint/outputs.tf
@@ -0,0 +1,3 @@
+output "vpc_id" {
+  value = module.vpc.vpc_id
+}
diff --git a/examples/interface-endpoint/variables.tf b/examples/interface-endpoint/variables.tf
@@ -0,0 +1,9 @@
+variable "name_prefix" {
+  type    = string
+  default = "vpc-basic-example"
+}
+
+variable "region" {
+  type    = string
+  default = "eu-west-1"
+}
diff --git a/main.tf b/main.tf
@@ -3,6 +3,8 @@
 # ------------------------------------------------------------------------------
 data "aws_availability_zones" "main" {}
 
+data "aws_region" "current" {}
+
 locals {
   azs               = length(var.availability_zones) > 0 ? var.availability_zones : data.aws_availability_zones.main.names
   nat_gateway_count = var.create_nat_gateways ? min(length(local.azs), length(var.public_subnet_cidrs), length(var.private_subnet_cidrs)) : 0
@@ -188,3 +190,14 @@ resource "aws_route_table_association" "private" {
   route_table_id = aws_route_table.private[count.index].id
 }
 
+resource "aws_vpc_endpoint" "s3" {
+  service_name    = "com.amazonaws.${data.aws_region.current.name}.s3"
+  vpc_id          = aws_vpc.main.id
+  route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
+}
+
+resource "aws_vpc_endpoint" "dynamodb" {
+  service_name    = "com.amazonaws.${data.aws_region.current.name}.dynamodb"
+  vpc_id          = aws_vpc.main.id
+  route_table_ids = compact(concat(aws_route_table.private.*.id, aws_route_table.public.*.id))
+}
diff --git a/outputs.tf b/outputs.tf
@@ -40,3 +40,8 @@ output "nat_gateway_ids" {
   description = "The IDs of the NAT Gateways."
   value       = aws_nat_gateway.private[*].id
 }
+
+output "default_security_group_id" {
+  description = "The id of the VPC default security group"
+  value       = aws_vpc.main.default_security_group_id
+}