ECS endpoint (terraform-aws-modules#261)

* add ecs vpc endpoints

* add ecs vpcendpoints outputs

* add ecs vpc endpoints to readme inputs/outputs table

* add ecs vpc endpoints to readme endpoint list

Author: DrFaust92

README.md

@@ -16,7 +16,7 @@ These types of resources are supported:
 * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
   * Gateway: S3, DynamoDB
-  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS
+  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS, ECS, ECS Agent, ECS Telemetry
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -333,6 +333,15 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | string | `"false"` | no |
+| ecs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS endpoint | list | `[]` | no |
+| ecs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_agent\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | string | `"false"` | no |
+| ecs\_agent\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | list | `[]` | no |
+| ecs\_agent\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | string | `"false"` | no |
+| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list | `[]` | no |
+| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | tags | A map of tags to add to all resources | map | `{}` | no |
 | vpc\_tags | Additional tags for the VPC | map | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
@@ -426,6 +435,15 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_ecs\_dns\_entry | The DNS entries for the VPC Endpoint for ECS. |
+| vpc\_endpoint\_ecs\_id | The ID of VPC endpoint for ECS |
+| vpc\_endpoint\_ecs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS. |
+| vpc\_endpoint\_ecs\_agent\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Agent. |
+| vpc\_endpoint\_ecs\_agent\_id | The ID of VPC endpoint for ECS Agent |
+| vpc\_endpoint\_ecs\_agent\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Agent. |
+| vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
+| vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry |
+| vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |

main.tf

@@ -830,6 +830,72 @@ resource "aws_vpc_endpoint" "kms" {
   private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
 }
 
+
+#######################
+# VPC Endpoint for ECS
+#######################
+data "aws_vpc_endpoint_service" "ecs" {
+  count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+  service = "ecs"
+}
+
+resource "aws_vpc_endpoint" "ecs" {
+  count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ecs_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Agent
+#######################
+data "aws_vpc_endpoint_service" "ecs_agent" {
+  count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+  service = "ecs-agent"
+}
+
+resource "aws_vpc_endpoint" "ecs_agent" {
+  count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ecs_agent_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}"
+}
+
+
+#######################
+# VPC Endpoint for ECS Telemetry
+#######################
+data "aws_vpc_endpoint_service" "ecs_telemetry" {
+  count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+  service = "ecs-telemetry"
+}
+
+resource "aws_vpc_endpoint" "ecs_telemetry" {
+  count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ecs_telemetry_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################

outputs.tf

@@ -464,6 +464,51 @@ output "vpc_endpoint_apigw_dns_entry" {
   value       = "${flatten(aws_vpc_endpoint.apigw.*.dns_entry)}"
 }
 
+output "vpc_endpoint_ecs_id" {
+  description = "The ID of VPC endpoint for ECS"
+  value       = "${element(concat(aws_vpc_endpoint.ecs.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for ECS."
+  value       = "${flatten(aws_vpc_endpoint.ecs.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for ECS."
+  value       = "${flatten(aws_vpc_endpoint.ecs.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ecs_agent_id" {
+  description = "The ID of VPC endpoint for ECS Agent"
+  value       = "${element(concat(aws_vpc_endpoint.ecs_agent.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_agent_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for ECS Agent."
+  value       = "${flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_agent_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for ECS Agent."
+  value       = "${flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_id" {
+  description = "The ID of VPC endpoint for ECS Telemetry"
+  value       = "${element(concat(aws_vpc_endpoint.ecs_telemetry.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry."
+  value       = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ecs_telemetry_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for ECS Telemetry."
+  value       = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"

variables.tf

@@ -344,6 +344,66 @@ variable "kms_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_ecs_endpoint" {
+  description = "Should be true if you want to provision a ECS endpoint to the VPC"
+  default     = false
+}
+
+variable "ecs_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for ECS endpoint"
+  default     = []
+}
+
+variable "ecs_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "ecs_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint"
+  default     = false
+}
+
+variable "enable_ecs_agent_endpoint" {
+  description = "Should be true if you want to provision a ECS Agent endpoint to the VPC"
+  default     = false
+}
+
+variable "ecs_agent_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint"
+  default     = []
+}
+
+variable "ecs_agent_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "ecs_agent_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint"
+  default     = false
+}
+
+variable "enable_ecs_telemetry_endpoint" {
+  description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC"
+  default     = false
+}
+
+variable "ecs_telemetry_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint"
+  default     = []
+}
+
+variable "ecs_telemetry_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "ecs_telemetry_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint"
+  default     = false
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   default     = true