From 28150b09d65e847c996fa5103bb6e008c35ec5a6 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 08:09:33 -0500
Subject: [PATCH 1/8] v1.4.0: add vpc-interface-endpoint
---
 CHANGELOG.md | 4 +
 common/version.tf | 2 +-
 vpc-interface-endpoint/README.md | 78 +++++++++++++++++++
 vpc-interface-endpoint/data.tf | 1 +
 vpc-interface-endpoint/defaults.tf | 1 +
 vpc-interface-endpoint/main.tf | 66 ++++++++++++++++
 vpc-interface-endpoint/outputs.tf | 10 +++
 vpc-interface-endpoint/prefixes.tf | 1 +
 vpc-interface-endpoint/variables.common.tf | 1 +
 .../variables.common.vpc.tf | 1 +
 .../variables.common.vpc_id.tf | 1 +
 vpc-interface-endpoint/variables.tf | 27 +++++++
 vpc-interface-endpoint/version.tf | 1 +
 13 files changed, 193 insertions(+), 1 deletion(-)
 create mode 100644 vpc-interface-endpoint/README.md
 create mode 120000 vpc-interface-endpoint/data.tf
 create mode 120000 vpc-interface-endpoint/defaults.tf
 create mode 100644 vpc-interface-endpoint/main.tf
 create mode 100644 vpc-interface-endpoint/outputs.tf
 create mode 120000 vpc-interface-endpoint/prefixes.tf
 create mode 120000 vpc-interface-endpoint/variables.common.tf
 create mode 120000 vpc-interface-endpoint/variables.common.vpc.tf
 create mode 120000 vpc-interface-endpoint/variables.common.vpc_id.tf
 create mode 100644 vpc-interface-endpoint/variables.tf
 create mode 120000 vpc-interface-endpoint/version.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1a767ca..71d3d7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -62,3 +62,7 @@
 * v1.3.0 -- 20211020
 - peer
 - add peer_network_acl_filter
+
+* v1.4.0 -- 20211109
+ - vpc-interface-endpoint
+ - create new submodule for setting up an interface endpoint
diff --git a/common/version.tf b/common/version.tf
index 08f3f68..37ff20f 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.3.0"
+ _module_version = "1.4.0"
 }
diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
new file mode 100644
index 0000000..122970b
--- /dev/null
+++ b/vpc-interface-endpoint/README.md
@@ -0,0 +1,78 @@
+# About aws-vpc-setup :: vpc-interface-endpoint
+
+This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`.
+No policy is set by default.
+
+Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably
+not needed.
+
+# Usage
+
+```hcl
+module "vpn" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+ service = "secretsmanager"
+ subnet_ids = [ "subnet-1234", "subnet-2345", "subnet-3456" ]
+
+ vpc_id = "vpc-1234568"
+ vpc_full_name = "vpc2-dice-dev"
+ vpc_environment = "dev"
+
+ ## optional
+ # private_dns_enabled = true
+ # policy = data.aws_iam_policy_document.mypolicy.json
+
+ tags = {}
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc_endpoint_service.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [policy](#input\_policy) | IAM policy to apply to the VPC endpoint | `string` | `null` | no |
+| [private\_dns\_enabled](#input\_private\_dns\_enabled) | Flag to enble \| disable private DNS (default: true) | `bool` | `true` | no |
+| [security\_group\_ids](#input\_security\_group\_ids) | VPC Security Group ID List (required, use a group with tcp/443 inbound) | `list(string)` | n/a | yes |
+| [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
+| [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service |
diff --git a/vpc-interface-endpoint/data.tf b/vpc-interface-endpoint/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/vpc-interface-endpoint/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/defaults.tf b/vpc-interface-endpoint/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/vpc-interface-endpoint/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
new file mode 100644
index 0000000..6aef928
--- /dev/null
+++ b/vpc-interface-endpoint/main.tf
@@ -0,0 +1,66 @@
+/*
+* # About aws-vpc-setup :: vpc-interface-endpoint
+*
+* This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`.
+* No policy is set by default.
+*
+* Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably
+* not needed.
+*
+* # Usage
+*
+* ```hcl
+* module "vpn" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+*
+* service = "secretsmanager"
+* subnet_ids = [ "subnet-1234", "subnet-2345", "subnet-3456" ]
+*
+* vpc_id = "vpc-1234568"
+* vpc_full_name = "vpc2-dice-dev"
+* vpc_environment = "dev"
+*
+* ## optional
+* # private_dns_enabled = true
+* # policy = data.aws_iam_policy_document.mypolicy.json
+*
+* tags = {}
+* }
+* ```
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+ region = data.aws_region.current.name
+
+ service = length(regexall("^com.amazonaws", var.service)) > 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
+ _service = split(".", local.service)
+ short_service = element(local._service, length(local._service))
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+data "aws_vpc_endpoint_service" "interface_endpoint" {
+ service = local.service_name
+}
+
+resource "aws_vpc_endpoint" "interface_endpoint" {
+ vpc_id = var.vpc_id
+ service_name = data.aws_vpc_endpoint_service.interface_endpoint.service_name
+ vpc_endpoint_type = "Interface"
+ subnet_ids = var.subnet_ids
+ security_group_ids = var.security_group_ids
+ private_dns_enabled = var.private_dns_enabled
+ auto_accept = true
+
+ tags = merge(
+ local.base_tags,
+ tomap({
+ Name = format("vpce-%v-%v", local.short_service, var.vpc_full_name)
+ })
+ )
+}
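Review bot: The `policy` input declared in variables.tf and documented in the README is never passed to `aws_vpc_endpoint.interface_endpoint`, so a caller who supplies a restrictive endpoint policy silently gets AWS's default full-access endpoint policy instead. Add `policy = var.policy` next to `private_dns_enabled` in the resource block; a `null` value leaves the provider default in place, so the change is backward-compatible. Separately, `short_service = element(local._service, length(local._service))` does not pick the last element: `element` wraps its index modulo the list length, so index `length(...)` returns element 0 (`com`); the last element is `element(local._service, length(local._service) - 1)`. Later patches in this series rework `short_service`, but the `policy` gap is still present in the final state of the series.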
diff --git a/vpc-interface-endpoint/outputs.tf b/vpc-interface-endpoint/outputs.tf
new file mode 100644
index 0000000..2db008d
--- /dev/null
+++ b/vpc-interface-endpoint/outputs.tf
@@ -0,0 +1,10 @@
+output "vpce_service_info" {
+ description = "VPC Interface Endpoint information for service"
+ value = {
+ "name" : local.short_service,
+ "service_name" = aws_vpc_endpoint.interface_endpoint.service_name,
+ "id" : aws_vpc_endpoint.interface_endpoint.id,
+ "dns_entry" : aws_vpc_endpoint.interface_endpoint.dns_entry,
+ "hosted_zone_id" : aws_vpc_endpoint.interface_endpoint.hosted_zone_id,
+ }
+}
diff --git a/vpc-interface-endpoint/prefixes.tf b/vpc-interface-endpoint/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/vpc-interface-endpoint/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/variables.common.tf b/vpc-interface-endpoint/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/vpc-interface-endpoint/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/variables.common.vpc.tf b/vpc-interface-endpoint/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/vpc-interface-endpoint/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/variables.common.vpc_id.tf b/vpc-interface-endpoint/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/vpc-interface-endpoint/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/variables.tf b/vpc-interface-endpoint/variables.tf
new file mode 100644
index 0000000..1f2ab0d
--- /dev/null
+++ b/vpc-interface-endpoint/variables.tf
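Review bot: The object literal assigned to `value` mixes two key syntaxes: `"service_name" = …` uses `=` while every neighbouring key uses `:`. Both forms are valid HCL, but the odd one out reads like a typo and invites the next edit to copy whichever it happens to be next to; use `"service_name" : aws_vpc_endpoint.interface_endpoint.service_name,` to match the other entries (or `=` throughout).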
@@ -0,0 +1,27 @@
+variable "service" {
+ description = "VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name}"
+ type = string
+}
+
+variable "subnet_ids" {
+ description = "VPC Subnet ID List"
+ type = list(string)
+ default = []
+}
+
+variable "security_group_ids" {
+ description = "VPC Security Group ID List (required, use a group with tcp/443 inbound)"
+ type = list(string)
+}
+
+variable "private_dns_enabled" {
+ description = "Flag to enble | disable private DNS (default: true)"
+ type = bool
+ default = true
+}
+
+variable "policy" {
+ description = "IAM policy to apply to the VPC endpoint"
+ type = string
+ default = null
+}
diff --git a/vpc-interface-endpoint/version.tf b/vpc-interface-endpoint/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/vpc-interface-endpoint/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
From d1663de9e1b856a214ecad3a660a966f2c84ed18 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 08:11:14 -0500
Subject: [PATCH 2/8] update doc
---
 vpc-interface-endpoint/README.md | 2 +-
 vpc-interface-endpoint/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
index 122970b..4982c94 100644
--- a/vpc-interface-endpoint/README.md
+++ b/vpc-interface-endpoint/README.md
@@ -9,7 +9,7 @@ not needed.
 # Usage
 
 ```hcl
-module "vpn" {
+module "vpce_secretsmanager" {
 source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
 
 service = "secretsmanager"
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index 6aef928..37048d7 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
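Review bot: The `policy` variable's description does not say what a consumer gets when it is left at its `null` default: AWS attaches a default endpoint policy that allows full access to the service through the endpoint, so restriction is opt-in and the description is the only place a module user will learn that. Suggested wording: `description = "IAM policy document (JSON) to apply to the VPC endpoint; when null, AWS applies its default full-access endpoint policy"`. The `private_dns_enabled` description also carries a typo, `enble` should read `enable`.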
@@ -10,7 +10,7 @@
 * # Usage
 *
 * ```hcl
-* module "vpn" {
+* module "vpce_secretsmanager" {
 * source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
 *
 * service = "secretsmanager"
From dc30b50436cfe46e6e74bf6e57294908d37e11ef Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 08:17:39 -0500
Subject: [PATCH 3/8] fix
---
 vpc-interface-endpoint/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index 37048d7..6e12cc2 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
@@ -45,7 +45,7 @@ locals {
 }
 
 data "aws_vpc_endpoint_service" "interface_endpoint" {
- service = local.service_name
+ service = local.service
 }
 
 resource "aws_vpc_endpoint" "interface_endpoint" {
From 5ba66b80294dc5500b38b312ef894223bf214b10 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 08:19:32 -0500
Subject: [PATCH 4/8] fix
---
 vpc-interface-endpoint/outputs.tf | 1 -
 1 file changed, 1 deletion(-)
diff --git a/vpc-interface-endpoint/outputs.tf b/vpc-interface-endpoint/outputs.tf
index 2db008d..8136ad7 100644
--- a/vpc-interface-endpoint/outputs.tf
+++ b/vpc-interface-endpoint/outputs.tf
@@ -5,6 +5,5 @@ output "vpce_service_info" {
 "service_name" = aws_vpc_endpoint.interface_endpoint.service_name,
 "id" : aws_vpc_endpoint.interface_endpoint.id,
 "dns_entry" : aws_vpc_endpoint.interface_endpoint.dns_entry,
- "hosted_zone_id" : aws_vpc_endpoint.interface_endpoint.hosted_zone_id,
 }
 }
From acbcb616480ee7bf6f58ec65f48fea4fffb6ed3f Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 08:24:34 -0500
Subject: [PATCH 5/8] fix
---
 vpc-interface-endpoint/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index 6e12cc2..0887e83 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
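Review bot: In the PATCH 3 hunk, `service = local.service` feeds the fully qualified `com.amazonaws.{region}.{name}` string into the `aws_vpc_endpoint_service` data source's `service` argument, which takes the short common name (e.g. `secretsmanager`); the argument that accepts a fully qualified name is `service_name`. At this commit `local.service` is always the long form, so the lookup should read `service_name = local.service`, which would also make the later "fix" commits that flip the condition in `locals` unnecessary. The data source block is complete within the hunk; the `locals` block that defines `local.service` lies outside it.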
@@ -34,7 +34,7 @@ locals {
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 region = data.aws_region.current.name
 
- service = length(regexall("^com.amazonaws", var.service)) > 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
+ service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
 _service = split(".", local.service)
 short_service = element(local._service, length(local._service))
 
From ca7516ec5b71784927ba7f7ad4a07a658ccc9e29 Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 10:21:49 -0500
Subject: [PATCH 6/8] v1.4.1: vpc-interface-endpoint: minor change on tagging
---
 CHANGELOG.md | 5 +++++
 common/version.tf | 2 +-
 vpc-interface-endpoint/main.tf | 3 +--
 3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71d3d7a..0635714 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -66,3 +66,8 @@
 * v1.4.0 -- 20211109
 - vpc-interface-endpoint
 - create new submodule for setting up an interface endpoint
+
+* v1.4.1 -- 20211109
+ - vpc-interface-endpoint
+ - minor change to tagging on name
+
diff --git a/common/version.tf b/common/version.tf
index 37ff20f..a34718a 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.4.0"
+ _module_version = "1.4.1"
 }
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index 0887e83..d3eb081 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
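Review bot: Flipping the comparison to `== 0` inverts the documented contract of `var.service` (`{name}` or `com.amazonaws.{region}.{name}`): a short name is now kept as-is, while a fully qualified name gets the prefix prepended a second time and becomes `com.amazonaws.{region}.com.amazonaws.{region}.{name}`. If the intent was to hand the short name to the data source's `service` argument, keep `> 0` here so `local.service` stays the long form and change the data source to `service_name = local.service`; the short name needed for the `Name` tag can be derived on its own line. The `regexall` pattern `^com.amazonaws` also leaves its dots unescaped, so `"^com\\.amazonaws\\."` is the literal match that was intended. The enclosing `locals` block starts before this hunk.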
@@ -35,8 +35,7 @@ locals {
 region = data.aws_region.current.name
 
 service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
- _service = split(".", local.service)
- short_service = element(local._service, length(local._service))
+ short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local._service, format("com.amazonaws.%v.", local.region), "")
 
 base_tags = {
 "boc:tf_module_version" = local._module_version
From 2def1d1739bf54e62d1073ec92885e462126128b Mon Sep 17 00:00:00 2001
From: badra001
Date: Tue, 9 Nov 2021 10:25:49 -0500
Subject: [PATCH 7/8] fix
---
 vpc-interface-endpoint/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index d3eb081..c4b7b42 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
@@ -35,7 +35,7 @@ locals {
 region = data.aws_region.current.name
 
 service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
- short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local._service, format("com.amazonaws.%v.", local.region), "")
+ short_service = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : replace(local.service, format("com.amazonaws.%v.", local.region), "")
 
 base_tags = {
 "boc:tf_module_version" = local._module_version
From bf8243d3930868f01aca393a15479623a396f74c Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 10 Nov 2021 12:46:55 -0500
Subject: [PATCH 8/8] exclude examples
---
 .pre-commit-config.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 6f20ddd..4c1c0f3 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
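Review bot: In the PATCH 6 hunk the `^com.amazonaws` test is now evaluated twice in the `locals` block, once for `service` and again for `short_service`, and the new line also references `local._service`, which the same hunk deletes (PATCH 7 in this series already corrects that reference). Hoist the test into a single boolean such as `is_full_name = length(regexall("^com\\.amazonaws\\.", var.service)) > 0` and have both `service` and `short_service` branch on `local.is_full_name`, so the pattern lives in one place and the two ternaries read in the same direction. For a fully qualified input `short_service` also relies on `replace` stripping the prefix for the current region only; as far as this hunk shows, a name qualified for a different region would pass through unchanged into the `Name` tag. The `locals` block begins before this hunk.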
@@ -10,6 +10,7 @@ repos:
 exclude: version.tf
 - id: terraform_tflint
 args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
+ exclude: examples
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v3.4.0
 hooks:
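Review bot: `exclude: examples` is a regular expression that pre-commit matches against each file path, so as written it is unanchored and also skips any path that merely contains the substring `examples` (a `modules/examples-helper.tf`, say), not just the examples directory. Anchor it to the directory you mean: `exclude: ^examples/`. A one-line YAML comment above it stating why the examples are exempt from tflint would help too, since this config is the only record of that decision; the surrounding `repos` list starts before this hunk.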