From 693c031acc10ac3264872449bf6f67f5b5df00e5 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 15 Oct 2025 08:19:16 -0400
Subject: [PATCH] * 2.13.0 -- 2025-10-15 - vpc-interface-endpoint - add use_route53_profiles option
---
 CHANGELOG.md | 4 ++++
 common/version.tf | 2 +-
 vpc-interface-endpoint/README.md | 1 +
 vpc-interface-endpoint/main.tf | 8 +++++---
 vpc-interface-endpoint/outputs.tf | 7 ++++---
 vpc-interface-endpoint/route53.tf | 3 +--
 vpc-interface-endpoint/variables.tf | 6 ++++++
 7 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4b96f79..88f557a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -488,3 +488,7 @@
 * 2.12.2 -- 2025-10-07
 - route53-zone-association/terraform-role
 - add route53profile permissions
+
+* 2.13.0 -- 2025-10-15
+ - vpc-interface-endpoint
+ - add use_route53_profiles option
diff --git a/common/version.tf b/common/version.tf
index 9f431dd..1438bfd 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.12.2"
+ _module_version = "2.13.0"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
index 5990d14..df4229a 100644
--- a/vpc-interface-endpoint/README.md
+++ b/vpc-interface-endpoint/README.md
@@ -245,6 +245,7 @@ These are not included in the module because they don't exist until the resource
 | [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
 | [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [use\_route53\_profiles](#input\_use\_route53\_profiles) | Flag to use a route53 profile for association instead of the PHZ zone sharing | `bool` | `false` | no |
 | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
 | [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
 | [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
index 84dc51c..6ad94e0 100644
--- a/vpc-interface-endpoint/main.tf
+++ b/vpc-interface-endpoint/main.tf
@@ -57,6 +57,8 @@ locals {
 account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
 region = data.aws_region.current.name
+ private_dns_unsupported = ["s3"]
+
 service_parts = split(".", var.service)
 service = length(local.service_parts) <= 2 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.service
 full_service_parts = split(".", local.service)
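Review bot: The new local `private_dns_unsupported = ["s3"]` carries no comment saying which form of service name it holds or why s3 is listed, and that matters because the later aws_vpc_endpoint hunk consumes it through `contains(local.private_dns_unsupported, var.service)`, where the input may be either the short `{name}` or the long `com.amazonaws.{region}.{name}` form. A comment such as `# short service names ({name} only) for which this module never sets private_dns_enabled; see aws_vpc_endpoint.interface_endpoint` would pin the contract, and the reason for listing s3 should be stated if it is known. The locals block continues outside the hunk.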
@@ -65,7 +67,7 @@ locals {
 # short_service = element(local.full_service_parts, length(local.full_service_parts) - 1)
 #short_service = join(".", slice(local.full_service_parts, index(local.full_service_parts, local.region) + 1, length(local.full_service_parts)))
 short_service = replace(replace(local.service, "com.amazonaws.", ""), format("%v.", local.region), "")
- is_short_service = ! (local.full_service_parts[0] != "com" || ! contains(local.full_service_parts, local.region))
+ is_short_service = !(local.full_service_parts[0] != "com" || !contains(local.full_service_parts, local.region))
 base_tags = {
 "boc:tf_module_version" = local._module_version
@@ -81,7 +83,7 @@ data "aws_vpc_endpoint_service" "interface_endpoint" {
 # service = local.full_service_parts[0] == "com" ? local.short_service : null
 # service_name = local.full_service_parts[0] != "com" ? local.service : null
 service = local.is_short_service ? local.short_service : null
- service_name = ! local.is_short_service ? local.service : null
+ service_name = !local.is_short_service ? local.service : null
 filter {
 name = "service-type"
 values = ["Interface"]
@@ -94,7 +96,7 @@ resource "aws_vpc_endpoint" "interface_endpoint" {
 vpc_endpoint_type = "Interface"
 subnet_ids = var.subnet_ids
 security_group_ids = var.security_group_ids
- private_dns_enabled = var.private_dns_enabled
+ private_dns_enabled = (var.private_dns_enabled || var.use_route53_profiles) && !contains(local.private_dns_unsupported, var.service)
 auto_accept = true
 ip_address_type = var.ip_address_type
diff --git a/vpc-interface-endpoint/outputs.tf b/vpc-interface-endpoint/outputs.tf
index 3482e55..f708e2f 100644
--- a/vpc-interface-endpoint/outputs.tf
+++ b/vpc-interface-endpoint/outputs.tf
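Review bot: In the aws_vpc_endpoint hunk, `!contains(local.private_dns_unsupported, var.service)` tests the raw input, but the README documents `service` as either the short `{name}` or the long `com.amazonaws.{region}.{name}` form, so a long-form s3 value is not matched by the list and private DNS is requested as if the service were supported. `local.short_service`, shown in the first hunk, already normalizes both forms to the short name, so the check should read `private_dns_enabled = (var.private_dns_enabled || var.use_route53_profiles) && !contains(local.private_dns_unsupported, local.short_service)`. The same line also forces private DNS on whenever `use_route53_profiles` is true regardless of `var.private_dns_enabled`; that coupling is not mentioned in the variable's description and deserves a one-line comment here, e.g. `# profile-based association relies on the endpoint's own private DNS, so it is enabled in that mode`. The `aws_vpc_endpoint` resource continues outside the hunk.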
@@ -6,18 +6,19 @@ output "vpce_service_info" {
 description = "VPC Interface Endpoint information for service"
 value = {
- "arn" = aws_vpc_endpoint.interface_endpoint.arn,
 "name" = local.short_service,
 "service_name" = aws_vpc_endpoint.interface_endpoint.service_name,
 "id" = aws_vpc_endpoint.interface_endpoint.id,
+ "arn" = aws_vpc_endpoint.interface_endpoint.arn,
 "dns_entry" = aws_vpc_endpoint.interface_endpoint.dns_entry,
 "subnet_ids" = aws_vpc_endpoint.interface_endpoint.subnet_ids,
 "network_interface_ids" = aws_vpc_endpoint.interface_endpoint.network_interface_ids,
 # "subnet_interface_id_map" = { for k, v in data.aws_network_interface.vpce_interfaces : v.subnet_id => k }
 "subnet_interface_id_map" = zipmap(tolist(aws_vpc_endpoint.interface_endpoint.subnet_ids), tolist(aws_vpc_endpoint.interface_endpoint.network_interface_ids)),
 # "subnet_interface_ip_map" = { for k, v in data.aws_network_interface.vpce_interfaces : v.subnet_id => v.private_ip }
- zone_name = local.r53_create ? aws_route53_zone.vpce[0].name : null
- zone_id = local.r53_create ? aws_route53_zone.vpce[0].id : null
+ private_dns_enabled = aws_vpc_endpoint.interface_endpoint.private_dns_enabled
+ zone_name = local.r53_create ? aws_route53_zone.vpce[0].name : null
+ zone_id = local.r53_create ? aws_route53_zone.vpce[0].id : null
 }
 }
diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
index 13d96eb..224f7c1 100644
--- a/vpc-interface-endpoint/route53.tf
+++ b/vpc-interface-endpoint/route53.tf
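Review bot: The added `private_dns_enabled = ...` key is written bare while its neighbours (`"arn"`, `"dns_entry"`, `"network_interface_ids"`) are quoted, so the output map now mixes both key styles within one literal; pick one, e.g. `"private_dns_enabled" = aws_vpc_endpoint.interface_endpoint.private_dns_enabled,`. Consumers also cannot distinguish "no zone because the account is not permitted" from "no zone because profile mode is on", since `zone_name` and `zone_id` are null in both cases; exposing `"use_route53_profiles" = var.use_route53_profiles,` alongside would make the mode visible to callers. The `output` block starts outside the hunk.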
@@ -16,8 +16,7 @@ locals {
 has_service = data.aws_vpc_endpoint_service.interface_endpoint.service != null
 has_domain_name = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name != null
 domain_name = local.is_wildcard ? join(".", slice(local.service_domain_parts, 1, length(local.service_domain_parts))) : data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
- # r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_service
- r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_domain_name
+ r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_domain_name && !var.use_route53_profiles
 }
 resource "aws_route53_zone" "vpce" {
diff --git a/vpc-interface-endpoint/variables.tf b/vpc-interface-endpoint/variables.tf
index 6c17f19..6670fdd 100644
--- a/vpc-interface-endpoint/variables.tf
+++ b/vpc-interface-endpoint/variables.tf
@@ -32,6 +32,12 @@ variable "create_central_vpc_endpoint" {
 default = false
 }
+variable "use_route53_profiles" {
+ description = "Flag to use a route53 profile for association instead of the PHZ zone sharing"
+ type = bool
+ default = false
+}
+
 # currently no use for dns_options.dns_record_ip_type to be service-defined
 variable "ip_address_type" {
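Review bot: `r53_create` now also requires `!var.use_route53_profiles`, yet nothing in this commit creates, shares or associates a Route 53 profile, so in profile mode the module silently creates no private hosted zone and presumably relies on a profile managed elsewhere together with the endpoint's own private DNS; that dependency is not written down anywhere in the diff. A comment directly above the line, such as `# profile mode: no PHZ is created or shared here; association is expected from a Route 53 profile managed outside this module`, would record the assumption for the next maintainer. The locals block starts outside the hunk.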