Additional VPC Endpoints (terraform-aws-modules#302)

antonbabenko · web-flow · commit 34d17b3da1b8 · 2019-07-21T16:30:59.000+03:00
* adding secrets manager vpc end point support

* adding config vpc end point support

* adding codebuild, codecommit and git-codecommit vpc end point support

* adding transfer server vpc end point support
diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ These types of resources are supported:
   * Gateway: S3, DynamoDB
   * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
                ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing,
-               CloudTrail
+               CloudTrail, Secrets Manager, Config, Codebuild, Codecommit, Git-Codecommit, Transfer Server
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -376,15 +376,33 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | bool | `"false"` | no |
 | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list(string) | `[]` | no |
 | sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | string | `"false"` | no |
+| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | list | `[]` | no |
+| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuild endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | string | `"false"` | no |
+| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | list | `[]` | no |
+| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | string | `"false"` | no |
+| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | list | `[]` | no |
+| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Config endpoint | string | `"false"` | no |
+| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Config endpoint | list | `[]` | no |
+| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | string | `"false"` | no |
 | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | list | `[]` | no |
 | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no |
 | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no |
 | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no |
+| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no |
+| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | bool | `"false"` | no |
+| transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | list(string) | `[]` | no |
+| transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | tags | A map of tags to add to all resources | map(string) | `{}` | no |
 | vpc\_tags | Additional tags for the VPC | map(string) | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
diff --git a/main.tf b/main.tf
@@ -899,6 +899,90 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
 }
 
 
+#############################
+# VPC Endpoint for Codebuild
+#############################
+data "aws_vpc_endpoint_service" "codebuild" {
+  count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0
+
+  service = "codebuild"
+}
+
+resource "aws_vpc_endpoint" "codebuild" {
+  count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.codebuild[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.codebuild_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.codebuild_endpoint_private_dns_enabled
+}
+
+###############################
+# VPC Endpoint for Code Commit
+###############################
+data "aws_vpc_endpoint_service" "codecommit" {
+  count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0
+
+  service = "codecommit"
+}
+
+resource "aws_vpc_endpoint" "codecommit" {
+  count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.codecommit[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.codecommit_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.codecommit_endpoint_private_dns_enabled
+}
+
+###################################
+# VPC Endpoint for Git Code Commit
+###################################
+data "aws_vpc_endpoint_service" "git_codecommit" {
+  count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0
+
+  service = "git-codecommit"
+}
+
+resource "aws_vpc_endpoint" "git_codecommit" {
+  count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.git_codecommit[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.git_codecommit_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.git_codecommit_endpoint_private_dns_enabled
+}
+
+##########################
+# VPC Endpoint for Config
+##########################
+data "aws_vpc_endpoint_service" "config" {
+  count = var.create_vpc && var.enable_config_endpoint ? 1 : 0
+
+  service = "config"
+}
+
+resource "aws_vpc_endpoint" "config" {
+  count = var.create_vpc && var.enable_config_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.config[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.config_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.config_endpoint_private_dns_enabled
+}
+
 #######################
 # VPC Endpoint for SQS
 #######################
@@ -920,6 +1004,27 @@ resource "aws_vpc_endpoint" "sqs" {
   private_dns_enabled = var.sqs_endpoint_private_dns_enabled
 }
 
+###################################
+# VPC Endpoint for Secrets Manager
+###################################
+data "aws_vpc_endpoint_service" "secretsmanager" {
+  count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+
+  service = "secretsmanager"
+}
+
+resource "aws_vpc_endpoint" "secretsmanager" {
+  count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.secretsmanager[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.secretsmanager_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled
+}
+
 #######################
 # VPC Endpoint for SSM
 #######################
@@ -1004,6 +1109,27 @@ resource "aws_vpc_endpoint" "ec2messages" {
   private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled
 }
 
+###################################
+# VPC Endpoint for Transfer Server
+###################################
+data "aws_vpc_endpoint_service" "transferserver" {
+  count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0
+
+  service = "transfer.server"
+}
+
+resource "aws_vpc_endpoint" "transferserver" {
+  count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.transferserver[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.transferserver_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.transferserver_endpoint_private_dns_enabled
+}
+
 ###########################
 # VPC Endpoint for ECR API
 ###########################
diff --git a/variables.tf b/variables.tf
@@ -218,6 +218,86 @@ variable "enable_s3_endpoint" {
   default     = false
 }
 
+variable "enable_codebuild_endpoint" {
+  description = "Should be true if you want to provision an Codebuild endpoint to the VPC"
+  default     = false
+}
+
+variable "codebuild_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Codebuild endpoint"
+  default     = []
+}
+
+variable "codebuild_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "codebuild_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint"
+  default     = false
+}
+
+variable "enable_codecommit_endpoint" {
+  description = "Should be true if you want to provision an Codecommit endpoint to the VPC"
+  default     = false
+}
+
+variable "codecommit_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Codecommit endpoint"
+  default     = []
+}
+
+variable "codecommit_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "codecommit_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint"
+  default     = false
+}
+
+variable "enable_git_codecommit_endpoint" {
+  description = "Should be true if you want to provision an Git Codecommit endpoint to the VPC"
+  default     = false
+}
+
+variable "git_codecommit_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint"
+  default     = []
+}
+
+variable "git_codecommit_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "git_codecommit_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint"
+  default     = false
+}
+
+variable "enable_config_endpoint" {
+  description = "Should be true if you want to provision an config endpoint to the VPC"
+  default     = false
+}
+
+variable "config_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for config endpoint"
+  default     = []
+}
+
+variable "config_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "config_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for config endpoint"
+  default     = false
+}
+
 variable "enable_sqs_endpoint" {
   description = "Should be true if you want to provision an SQS endpoint to the VPC"
   default     = false
@@ -262,8 +342,26 @@ variable "ssm_endpoint_private_dns_enabled" {
   default     = false
 }
 
-variable "enable_ssmmessages_endpoint" {
-  description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
+variable "enable_secretsmanager_endpoint" {
+  description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "secretsmanager_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "secretsmanager_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "secretsmanager_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint"
   type        = bool
   default     = false
 }
@@ -292,6 +390,12 @@ variable "apigw_endpoint_subnet_ids" {
   default     = []
 }
 
+variable "enable_ssmmessages_endpoint" {
+  description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
 variable "ssmmessages_endpoint_security_group_ids" {
   description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint"
   type        = list(string)
@@ -310,6 +414,31 @@ variable "ssmmessages_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_transferserver_endpoint" {
+  description = "Should be true if you want to provision a Transer Server endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "transferserver_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Transfer Server endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "transferserver_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "transferserver_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint"
+  type        = bool
+  default     = false
+}
+
+
 variable "enable_ec2_endpoint" {
   description = "Should be true if you want to provision an EC2 endpoint to the VPC"
   type        = bool
