terraform-aws-vpc-endpoints

This module provides a unified way to deploy VPC endpoints of both kinds (interface and gateway).

Refer to the examples directory for more details.

VPC Endpoint - type Interface

A complete list of the AWS services that support interface VPC endpoints is available here.

Each interface endpoint for a given AWS service has a unique service name. Check the Service name column in the following link.

That identifier (the short service name, such as s3 or kms in the examples below) is what the module expects in the id attribute of each endpoint object.

An interface VPC endpoint is implemented as one Elastic Network Interface (ENI) in each subnet the endpoint is associated with. Because the traffic terminates on an ENI, a security group can restrict which clients are allowed to reach it. You can let the module create that security group (set create_security_group to true; the generated rule is built from inbound_ports and allowed_cidr_blocks) or pass existing groups through security_group_ids. Whichever you choose, the group must allow inbound TCP 443, since every AWS API behind an interface endpoint is served over HTTPS. Note also the effect of private_dns_enabled: with false, as in the example below, the public service hostname keeps resolving to the public AWS endpoint and clients must be pointed at the endpoint-specific DNS name; with true, the regional service name resolves to the endpoint ENIs from inside the VPC, which requires DNS support and DNS hostnames to be enabled on the VPC.

locals {
    vpc_id                        = "vpc-0123456789"
    private_backend_subnets_ids   = ["subnet-0bd166bcc6917cc16", "subnet-01b413241f1f69186", "subnet-0159d8a30ce664786"]
    private_backend_subnets_cidrs = ["172.31.16.0/20", "172.31.0.0/20", "172.31.32.0/20"]
}

module "vpc-endpoints" {
  source  = "jparnaudeau/vpc-endpoints/aws"
  version = "1.0.0"

  # set the environment
  region         = var.region
  naming_pattern = "acme-dev-%s-%s"

  vpcendpoints_interfaces = [
    {
      id                    = "s3"
      vpc_id                = local.vpc_id
      subnet_ids            = local.private_backend_subnets_ids
      # let the module create the security group: HTTPS from the backend subnets only
      create_security_group = true
      security_group_ids    = []
      private_dns_enabled   = false
      allowed_cidr_blocks   = local.private_backend_subnets_cidrs
      inbound_ports         = ["443"]
      tags = {
        Component = "myapp"
      }
    },
    {
      id                    = "kms"
      vpc_id                = local.vpc_id
      subnet_ids            = local.private_backend_subnets_ids
      create_security_group = true
      security_group_ids    = []
      private_dns_enabled   = false
      allowed_cidr_blocks   = local.private_backend_subnets_cidrs
      inbound_ports         = ["443"]
      tags = {
        Component = "myapp"
      }
    },
  ]
}
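The security group is the only network-layer control on an interface endpoint, so in practice you usually want the tighter variant the text mentions: bring your own group and reference the callers' security group in its ingress rule instead of opening whole subnet CIDRs. The following is an added example and not code from the module's README. The security group name, the application security group id in local.app_sg_id, and the assumption that allowed_cidr_blocks is unused when create_security_group is false are mine.

```hcl
# Added example (not from the module's README): interface endpoints with a
# caller-managed security group. Values marked "hypothetical" are assumptions.

variable "region" {
  type    = string
  default = "eu-west-3"
}

locals {
  vpc_id                      = "vpc-0123456789"
  private_backend_subnets_ids = ["subnet-0bd166bcc6917cc16", "subnet-01b413241f1f69186", "subnet-0159d8a30ce664786"]
  app_sg_id                   = "sg-0123456789abcdef0" # hypothetical: SG on the instances/tasks that call KMS and SNS
}

# Security group attached to the endpoint ENIs. Ingress is HTTPS only and is
# granted to the application's security group rather than to subnet CIDRs, so an
# unrelated host that happens to sit in the same subnet has no path to the endpoint.
resource "aws_security_group" "vpce" {
  name        = "acme-dev-vpce-https" # hypothetical name
  description = "HTTPS to interface VPC endpoints from the app tier only"
  vpc_id      = local.vpc_id

  ingress {
    description     = "HTTPS from the application security group"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [local.app_sg_id]
  }

  # No egress block on purpose. The AWS provider removes the default allow-all
  # egress rule, and the endpoint ENI only ever answers inbound connections;
  # security groups are stateful, so the replies are allowed without a rule.

  tags = { Component = "myapp" }
}

module "vpc-endpoints" {
  source  = "jparnaudeau/vpc-endpoints/aws"
  version = "1.0.0"

  region         = var.region
  naming_pattern = "acme-dev-%s-%s"

  # One object per service, all sharing the caller-managed security group.
  vpcendpoints_interfaces = [
    for svc in ["kms", "sns"] : {
      id                    = svc
      vpc_id                = local.vpc_id
      subnet_ids            = local.private_backend_subnets_ids
      create_security_group = false
      security_group_ids    = [aws_security_group.vpce.id]
      # With private DNS on, kms.<region>.amazonaws.com resolves to the endpoint
      # ENIs from inside the VPC, so SDK clients need no custom endpoint URL.
      # The VPC must have enableDnsSupport and enableDnsHostnames set.
      private_dns_enabled   = true
      # Still required by the variable's object type; assumed to be unused by
      # the module when it does not create the security group itself.
      allowed_cidr_blocks   = []
      inbound_ports         = ["443"]
      tags                  = { Component = "myapp" }
    }
  ]
}
```

S3 is deliberately left out of this list: enabling private DNS on an S3 interface endpoint needs the extra dns_options handling that the module does not expose, so the README's approach (private_dns_enabled = false and endpoint-specific hostnames) is the one to keep for S3.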

VPC Endpoint - type Gateway

Gateway VPC endpoints are described in this link.

Gateway endpoints provide reliable connectivity to Amazon S3 and DynamoDB without requiring an internet gateway or a NAT device for your VPC. Gateway endpoints do not enable AWS PrivateLink.

A gateway endpoint has no ENI and therefore no security group. Instead, AWS publishes the service's IP ranges as a managed prefix list, and the endpoint installs a route for that prefix list, targeting the endpoint, in every route table you associate with it. Only subnets using those route tables reach the service through the endpoint, so access is governed by the route table associations (route_table_ids below) and by the endpoint policy, not by security group rules.

locals {
    vpc_id                         = "vpc-0123456789"
    private_backend_subnets_rt_ids = ["rtb-0e15c810631e634d6"]
}

module "vpc-endpoints" {
  source  = "jparnaudeau/vpc-endpoints/aws"
  version = "1.0.0"

  # set the environment
  region         = var.region
  naming_pattern = "acme-dev-%s-%s"

  # Gateway endpoints have no ENI, no security group and no private DNS setting,
  # so each object only carries the service id, the VPC and the route tables that
  # should receive the prefix-list route (matching the vpcendpoints_gateways type).
  vpcendpoints_gateways = [
    {
      id              = "s3"
      vpc_id          = local.vpc_id
      route_table_ids = local.private_backend_subnets_rt_ids
      tags = {
        Component = "myapp"
      }
    },
    {
      id              = "dynamodb"
      vpc_id          = local.vpc_id
      route_table_ids = local.private_backend_subnets_rt_ids
      tags = {
        Component = "myapp"
      }
    },
  ]
}
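Because nothing on a gateway endpoint filters traffic the way a security group does, the controls that remain are the route (the route_table_ids above), the endpoint policy and the bucket policy. The following added example, which is not code from the module's README, layers a restrictive endpoint policy onto the S3 gateway endpoint created by the README's module call and adds an output that shows the prefix-list route in each associated route table. The bucket name acme-dev-app-data and the data-source lookups are my assumptions; the module itself exposes no policy input.

```hcl
# Added example (not from the module's README): endpoint policy and route check
# for the S3 gateway endpoint. Values marked "hypothetical" are assumptions.

variable "region" {
  type    = string
  default = "eu-west-3"
}

locals {
  vpc_id                         = "vpc-0123456789"
  private_backend_subnets_rt_ids = ["rtb-0e15c810631e634d6"]
  allowed_buckets                = ["acme-dev-app-data"] # hypothetical bucket name
}

module "vpc-endpoints" {
  source  = "jparnaudeau/vpc-endpoints/aws"
  version = "1.0.0"

  region         = var.region
  naming_pattern = "acme-dev-%s-%s"

  vpcendpoints_gateways = [
    {
      id              = "s3"
      vpc_id          = local.vpc_id
      route_table_ids = local.private_backend_subnets_rt_ids
      tags            = { Component = "myapp" }
    },
  ]
}

# Look up the gateway endpoint the module created. The type filter matters when an
# S3 interface endpoint also exists in the VPC; depends_on defers the read until
# the module has applied.
data "aws_vpc_endpoint" "s3_gateway" {
  vpc_id       = local.vpc_id
  service_name = "com.amazonaws.${var.region}.s3"

  filter {
    name   = "vpc-endpoint-type"
    values = ["Gateway"]
  }

  depends_on = [module.vpc-endpoints]
}

# Endpoint policy: only the approved buckets are reachable through this endpoint.
# It applies on top of IAM and bucket policies and blocks exfiltration to
# arbitrary buckets from subnets that route S3 traffic through the endpoint.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid    = "AllowOnlyApprovedBuckets"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = ["s3:*"]
    resources = flatten([
      for b in local.allowed_buckets : ["arn:aws:s3:::${b}", "arn:aws:s3:::${b}/*"]
    ])
  }
}

resource "aws_vpc_endpoint_policy" "s3_gateway" {
  vpc_endpoint_id = data.aws_vpc_endpoint.s3_gateway.id
  policy          = data.aws_iam_policy_document.s3_endpoint.json
}

# Read back each associated route table and keep only the routes whose target is
# the gateway endpoint; their destination is the S3 managed prefix list.
data "aws_route_table" "backend" {
  for_each       = toset(local.private_backend_subnets_rt_ids)
  route_table_id = each.value
  depends_on     = [module.vpc-endpoints]
}

output "s3_gateway_routes" {
  description = "Route table id => prefix list ids routed to the S3 gateway endpoint"
  value = {
    for id, rt in data.aws_route_table.backend :
    id => [for r in rt.routes : r.destination_prefix_list_id if r.vpc_endpoint_id == data.aws_vpc_endpoint.s3_gateway.id]
  }
}
```

After apply, an empty list for a route table in s3_gateway_routes means that table never received the prefix-list route and its subnets still reach S3 over the internet path. Before attaching the policy, list every bucket the subnets legitimately use: hosts that install packages from Amazon Linux repositories or rely on other AWS features backed by S3 will fail once only acme-dev-app-data is allowed.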

Requirements

Name Version
terraform >= 1.0.4
aws >= 4.0

Providers

Name Version
aws >= 4.0

Modules

No modules.

Resources

Name Type
aws_security_group.sg resource
aws_vpc_endpoint.vpce resource
aws_vpc_endpoint.vpce_gtw resource
aws_vpc_endpoint_route_table_association.rt_assoc resource
aws_vpc_endpoint_service.vpce_service data source
aws_vpc_endpoint_service.vpce_service_gtw data source

Inputs

Name Description Type Default Required
naming_pattern The naming pattern applied to the names of the vpc_endpoint and security_group resources. Must contain two %s placeholders. string "project-environment-%s-%s" no
region The AWS region id string "eu-west-3" no
tags A map of strings containing the tags map(string) {} no
vpcendpoints_gateways A list of objects describing the gateway endpoints to create (s3, dynamodb, ...)
list(object({
  id              = string
  vpc_id          = string
  route_table_ids = list(string)
  tags            = map(string)
}))
[] no
vpcendpoints_interfaces A list of objects describing the interface endpoints to create (s3, kms, sns, ...)
list(object({
  id                    = string
  vpc_id                = string
  subnet_ids            = list(string)
  create_security_group = bool
  security_group_ids    = list(string)
  private_dns_enabled   = bool
  allowed_cidr_blocks   = list(string)
  inbound_ports         = list(string)
  tags                  = map(string)
}))
[] no

Outputs

Name Description
vpc_endpoints_gateway_infos Information about the VPC endpoints of type gateway
vpc_endpoints_interface_infos Information about the VPC endpoints of type interface

Contributors

jparnaudeau
