* 2.9.12 -- 2023-11-01

  - vpc-interface-endpoint
    - change vpce_kms_txt to vpce_heritage_txt

.pre-commit-config.yaml

@@ -4,14 +4,21 @@ repos:
   hooks:
 #    - id: terraform_validate
     - id: terraform_fmt
-    - id: terraform_docs_replace
-      args: ['table']
+#    - id: terraform_docs_replace
+#      args: ['table']
+#      exclude: common/*.tf
+#      exclude: version.tf
+#      exclude: examples
+    - id: terraform_docs
       exclude: common/*.tf
       exclude: version.tf
       exclude: examples
+      args:
+        - --args=--config=.terraform-docs.yml
 #    - id: terraform_tflint 
 #      args:  [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
 #      exclude: examples
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
   rev: v4.5.0
   hooks:

CHANGELOG.md

@@ -364,3 +364,7 @@
 * 2.9.11 -- 2023-10-25
   - vpc-interface-endpoint
     - add ent-gov-dmz-network-prod to allowed list of accounts for setup of central vpc endpoints
+
+* 2.9.12 -- 2023-11-01
+  - vpc-interface-endpoint
+    - change vpce_kms_txt to vpce_heritage_txt

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.9.11"
+  _module_version = "2.9.12"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

vpc-interface-endpoint/README.md

@@ -81,8 +81,8 @@ These are not included in the module because they don't exist until the resource
 | Name | Type |
 |------|------|
 | [aws_route53_record.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_heritage_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_info_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.vpce_kms_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -125,3 +125,133 @@ These are not included in the module because they don't exist until the resource
 | Name | Description |
 |------|-------------|
 | <a name="output_vpce_service_info"></a> [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service |
+
+<!-- BEGIN_TF_DOCS -->
+# About aws-vpc-setup :: vpc-interface-endpoint
+
+This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`.
+No policy is set by default.
+
+Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably
+not needed.
+
+# Usage
+
+```hcl
+module "vpce_secretsmanager" {
+  source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+  service         = "secretsmanager"
+  subnet_ids      = [ "subnet-1234", "subnet-2345", "subnet-3456" ]
+
+  vpc_id          = "vpc-1234568"
+  vpc_full_name   = "vpc2-dice-dev"
+  vpc_environment = "dev"
+
+  ## optional
+  # private_dns_enabled = true
+  # policy              = data.aws_iam_policy_document.mypolicy.json
+
+  tags            = {}
+}
+```
+# Outputs
+This outputs an object with the following elements:
+
+* name: name of the VPC endpoint
+* service\_name: name of the VPC endpoint service
+* id: VPC endpoint ID
+* dns\_entry: DNS name for the VPC endpoint
+* subnet\_ids: list of subnet IDs on which the VPC endpoint resides
+* network\_interface\_ids: List of network interface IDs (ENIs), one per subnet
+
+To get the IPs or subnets, you'll need to get the ENIs in a `data` resource like this
+```hcl
+data "aws_network_interface" "interfaces" {
+  for_each = toset(module.vpce_secretsmanager.vpce_service_info.network_interface_ids)
+  id       = each.key
+}
+locals {
+  subnet_interface_id_map = { for k, v in data.aws_network_interface.interfaces : v.subnet_id => k }
+  subnet_interface_ip_map = { for k, v in data.aws_network_interface.interfaces : v.subnet_id => v.private_ip }
+}
+```
+
+These are not included in the module because they don't exist until the resource has been created.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
+| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
+| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
+| <a name="provider_time"></a> [time](#provider\_time) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpce_ips"></a> [vpce\_ips](#module\_vpce\_ips) | git@github.e.it.census.gov:terraform-modules/dns-lookup.git | tf-upgrade |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_route53_record.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_heritage_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_info_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_ptr_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_zone.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource |
+| [aws_ssm_parameter.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource |
+| [aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [null_resource.vpce](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
+| [time_static.vpce](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
+| [aws_network_interface.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_interface) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route53_zone.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
+| [aws_vpc_endpoint_service.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no |
+| <a name="input_create_central_vpc_endpoint"></a> [create\_central\_vpc\_endpoint](#input\_create\_central\_vpc\_endpoint) | Flag to enable this endpoint to be handled as central, creating route53 zones and entries for the private zone, and creating an SSM parameter with the needed details for VPC association. | `bool` | `false` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | IAM policy to apply to the VPC endpoint | `string` | `null` | no |
+| <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | Flag to enble \| disable private DNS (default: true) | `bool` | `true` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | VPC Security Group ID List (required, use a group with tcp/443 inbound) | `list(string)` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_vpce_service_info"></a> [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service |
+<!-- END_TF_DOCS -->

vpc-interface-endpoint/route53.tf

@@ -109,7 +109,7 @@ resource "time_static" "vpce" {
   count = local.r53_create ? 1 : 0
 }
 
-resource "aws_route53_record" "vpce_kms_txt" {
+resource "aws_route53_record" "vpce_heritage_txt" {
   count   = local.r53_create ? 1 : 0
   zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
   name    = try(aws_route53_zone.vpce[0].name, null)