- iam-general-policies

  - add ipr_vpc_endpoints to enable S3 interface endpoints

CHANGELOG.md

@@ -192,3 +192,7 @@
 * 1.16.5 -- 2022-11-02
   - config
     - fix region variables
+
+* 1.16.6 -- 2023-01-03
+  - iam-general-policies
+    - add ipr_vpc_endpoints to enable S3 interface endpoints

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.16.5"
+  _module_version = "1.16.6"
 }

iam-general-policies/README.md

@@ -123,6 +123,7 @@ No modules.
 | [aws_iam_policy_document.root_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.sts_assume](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_regions.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source |
 
 ## Inputs
 
@@ -135,6 +136,7 @@ No modules.
 | <a name="input_ipr_base_cidr_blocks"></a> [ipr\_base\_cidr\_blocks](#input\_ipr\_base\_cidr\_blocks) | Base CIDR blocks for IP based API restrictions (default: census public network) | `list(string)` | <pre>[<br>  "148.129.0.0/16",<br>  "2610:20:2000::0/38"<br>]</pre> | no |
 | <a name="input_ipr_nat_gateway_cidr_blocks"></a> [ipr\_nat\_gateway\_cidr\_blocks](#input\_ipr\_nat\_gateway\_cidr\_blocks) | NAT Gateway CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
 | <a name="input_ipr_vpc_cidr_blocks"></a> [ipr\_vpc\_cidr\_blocks](#input\_ipr\_vpc\_cidr\_blocks) | VPC CIDR blocks for IP based API restrictions (default: none) | `list(string)` | `[]` | no |
+| <a name="input_ipr_vpc_endpoints"></a> [ipr\_vpc\_endpoints](#input\_ipr\_vpc\_endpoints) | VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud) | `list(string)` | <pre>[<br>  "vpce-047c17aeb6c23cab8",<br>  "vpce-0bc724bf64e6aeb64"<br>]</pre> | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 

iam-general-policies/main.tf

@@ -98,19 +98,24 @@ locals {
   ipr_cidr_blocks = compact(concat(var.ipr_base_cidr_blocks, var.ipr_vpc_cidr_blocks, var.ipr_nat_gateway_cidr_blocks, var.ipr_additional_cidr_blocks))
   ipr_conditions_list = [
     {
-      test : "Bool"
-      variable : "aws:ViaAWSService"
-      values : ["false"]
+      test     = "Bool"
+      variable = "aws:ViaAWSService"
+      values   = ["false"]
     },
     {
-      test : "NotIpAddressIfExists"
-      variable : "aws:sourceIp"
-      values : local.ipr_cidr_blocks
+      test     = "NotIpAddressIfExists"
+      variable = "aws:sourceIp"
+      values   = local.ipr_cidr_blocks
     },
     {
-      test : "NotIpAddressIfExists"
-      variable : "aws:VpcSourceIp"
-      values : var.ipr_vpc_cidr_blocks
+      test     = "NotIpAddressIfExists"
+      variable = "aws:VpcSourceIp"
+      values   = var.ipr_vpc_cidr_blocks
+    },
+    {
+      test     = "StringNotEquals"
+      variable = "aws:SourceVpce"
+      values   = [var.ipr_vpc_endpoints]
     },
   ]
   ipr_conditions = [for x in local.ipr_conditions_list : x if length(x.values) > 0]

iam-general-policies/variables.tf

@@ -45,3 +45,9 @@ variable "ipr_additional_cidr_blocks" {
   type        = list(string)
   default     = []
 }
+
+variable "ipr_vpc_endpoints" {
+  description = "VPC Endpoints to permit for IP based API restrictions (default: S3 interface endpoints in do2-govloud)"
+  type        = list(string)
+  default     = ["vpce-047c17aeb6c23cab8", "vpce-0bc724bf64e6aeb64"]
+}