diff --git a/examples/vpc-shared-endpoints-info/README.md b/examples/vpc-shared-endpoints-info/README.md
new file mode 100644
index 0000000..4728136
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/README.md
@@ -0,0 +1,77 @@
+# Getting VPC Endpoint IDs from the shared VPC endpoints
+
+Most uses of the shared VPC endpoints require no additional code.
+
+There are some things which do require the use of the VPC Endpoint ID. The API Gateway is one of them.
+To avoid hardcoding the ID, use the code in this directory to extract the appropriate VPC id.
+
+## Copy files into your working directory
+
+Copy these files into your working directory, where you are creating your resource(s) that need a VPC id.
+
+* provider.shared-vpce.tf
+* variables.shared-vpce.auto.tfvars
+* variables.shared-vpce.tf
+* variables.username.tf
+* vpc-endpoints.shared-vpce.tf
+
+## Plan and apply
+
+Note that this does not _create_ any resources, so it is safe to plan, apply, and then commit to git and do a PR.
+This sets up data resources, which are read only.
+
+```console
+% tf-plan
+Changes to Outputs:
+ + account_caller_arn = "arn:aws-us-gov:sts::331530919105:assumed-role/AWSReservedSSO_inf-terraform_4bbd54df73a53293/donald.e.badrak.ii@census.gov"
+ + account_caller_arn_partition = "aws-us-gov"
+ + caller_account_id = "331530919105"
+ + profile = "331530919105-erd-dcdl-dev-gov"
+ + region = "us-gov-east-1"
+ + vpc_endpoints_ids = {
+ + autoscaling = "vpce-01c6af9f27490ee9d"
+ + cloudformation = "vpce-096d4cbf21b3f8ccf"
+ + config = "vpce-0aadc646f78015f6d"
+ + dms = "vpce-09ac407ee750c5654"
+ + ebs = "vpce-063d9f043c8ef1d76"
+ + ec2 = "vpce-0cb3367e8693fb574"
+ + ec2messages = "vpce-0efce59dd7f0feaed"
+ + "ecr.api" = "vpce-0333be5f12b2a1823"
+ + "ecr.dkr" = "vpce-04c9026cde229b311"
+ + ecs = "vpce-0a4cdd2a132ab73d4"
+ + elasticfilesystem = "vpce-098adf721886da73e"
+ + elasticloadbalancing = "vpce-02792e4f78be19ad7"
+ + execute-api = "vpce-01e9ec76f02f979b4"
+ + kms = "vpce-023a85ad2620a0ded"
+ + lambda = "vpce-0378285401827b3c9"
+ + logs = "vpce-0256e7aa79fc594e7"
+ + rds = "vpce-03033056010baea20"
+ + s3 = "vpce-012898031dcb55506"
+ + secretsmanager = "vpce-075883b5f6245aa3c"
+ + sns = "vpce-0a22902ce3e578077"
+ + sqs = "vpce-0607ba5b0b39f06fc"
+ + ssm = "vpce-0cd20111535ba290e"
+ + ssmmessages = "vpce-0762a94dda725e466"
+ + states = "vpce-0087fcbd2b314a49d"
+ + storagegateway = "vpce-021048fc1bf109629"
+ + sts = "vpce-0ffeee74d1e9e8666"
+ + sync-states = "vpce-0e2bc1d1555ec640b"
+ }
+ + vpc_full_name = ""
+```
+
+and now apply:
+
+```console
+% tf-apply
+```
+
+## Using the results
+
+The `local` variable `vpc_endpoints` contains the vpc endpoint id:
+
+```console
+% tf-console
+> local.vpc_endpoints["execute-api"]
+"vpce-01e9ec76f02f979b4"
+```
diff --git a/examples/vpc-shared-endpoints-info/provider.shared-vpce.tf b/examples/vpc-shared-endpoints-info/provider.shared-vpce.tf
new file mode 100644
index 0000000..199f8b1
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/provider.shared-vpce.tf
@@ -0,0 +1,10 @@
+provider "aws" {
+ alias = "shared_endpoints"
+ region = var.region
+ profile = var.profile
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.shared_endpoints_account_id)
+ session_name = var.os_username
+ }
+}
+
diff --git a/examples/vpc-shared-endpoints-info/variables.shared-vpce.auto.tfvars b/examples/vpc-shared-endpoints-info/variables.shared-vpce.auto.tfvars
new file mode 100644
index 0000000..bf29495
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/variables.shared-vpce.auto.tfvars
@@ -0,0 +1,8 @@
+# 057405694017-ent-gov-network-prod
+shared_endpoints_account_id = "057405694017"
+
+# 273715889907-ent-gov-dmz-network-prod
+## shared_endpoints_account_id = "273715889907"
+
+# 269244441389-lab-gov-network-nonprod
+## shared_endpoints_account_id = "269244441389"
diff --git a/examples/vpc-shared-endpoints-info/variables.shared-vpce.tf b/examples/vpc-shared-endpoints-info/variables.shared-vpce.tf
new file mode 100644
index 0000000..031209f
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/variables.shared-vpce.tf
@@ -0,0 +1,4 @@
+variable "shared_endpoints_account_id" {
+ description = "AWS Account ID of the VPC shared endpoints"
+ type = string
+}
diff --git a/examples/vpc-shared-endpoints-info/variables.username.tf b/examples/vpc-shared-endpoints-info/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+ description = "OS username from environment variable, ideally as $USER"
+ type = string
+ default = null
+}
diff --git a/examples/vpc-shared-endpoints-info/vpc-endpoints.shared-vpce.tf b/examples/vpc-shared-endpoints-info/vpc-endpoints.shared-vpce.tf
new file mode 100644
index 0000000..7dfb478
--- /dev/null
+++ b/examples/vpc-shared-endpoints-info/vpc-endpoints.shared-vpce.tf
@@ -0,0 +1,15 @@
+data "aws_ssm_parameters_by_path" "shared_endpoints" {
+ provider = aws.shared_endpoints
+ path = format("/enterprise/%v/vpc-endpoints/%v", data.aws_arn.current.partition, var.region)
+ recursive = true
+}
+
+locals {
+ vpc_endpoints_ssm = { for k, v in zipmap(data.aws_ssm_parameters_by_path.shared_endpoints.names, data.aws_ssm_parameters_by_path.shared_endpoints.values) : k => jsondecode(v) }
+ vpc_endpoints = { for k, v in nonsensitive(local.vpc_endpoints_ssm) : v.name => v.id }
+}
+
+output "vpc_endpoints_ids" {
+ description = "VPC Endpoints with ID created by SSM parameter"
+ value = local.vpc_endpoints
+}
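Review bot: `shared_endpoints_account_id` is interpolated straight into the assume-role ARN in provider.shared-vpce.tf, but the variable accepts any string, so an empty or mistyped value only surfaces later as an STS AssumeRole failure. A `validation` block that pins it to a 12-digit account ID fails fast at `terraform validate` and documents the expected shape in the declaration itself; the `nonsensitive()` call in the vpc-endpoints hunk implies a Terraform version that supports `validation`.
```hcl
variable "shared_endpoints_account_id" {
  # … unchanged: description, type …

  validation {
    condition     = can(regex("^[0-9]{12}$", var.shared_endpoints_account_id))
    error_message = "shared_endpoints_account_id must be a 12-digit AWS account ID."
  }
}
```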
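Review bot: The description of `os_username` says the value comes from an environment variable, but nothing in these files reads one; Terraform only picks it up as `TF_VAR_os_username`, and with `default = null` the assume-role session in provider.shared-vpce.tf falls back to the provider's default session name, which is what the shared account's CloudTrail will record. Make the description state how to set it and why it matters: `description = "Caller's OS username, used as the assume-role session name (visible in the shared account's CloudTrail); export TF_VAR_os_username=$USER"`. If per-user attribution is a requirement rather than a nicety, drop the `default` so the variable must be supplied.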
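Review bot: `nonsensitive()` in the `vpc_endpoints` local unmasks every decoded object under the recursive SSM path, not just the `name` and `id` fields the expression uses; with `recursive = true`, any parameter later placed beneath the `/enterprise/<partition>/vpc-endpoints/<region>` prefix is declassified the same way and, via `vpc_endpoints_ssm`, ends up in state and plan output. If the provider marks `values` sensitive (which the existing call suggests), narrow the unmasking to the two fields: `vpc_endpoints = { for k, v in local.vpc_endpoints_ssm : nonsensitive(v.name) => nonsensitive(v.id) }`. The `jsondecode(v)` in `vpc_endpoints_ssm` also aborts the whole plan if any parameter under the path is not a JSON object with `name` and `id`, so a comment recording that contract, e.g. `# every parameter under this path must be a JSON object with "name" and "id"`, would help the next reader.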