From f4c164503d42da03180d3bfa88203e0f745d1972 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 1 Nov 2023 09:02:06 -0400
Subject: [PATCH] * 2.9.12 -- 2023-11-01 - vpc-interface-endpoint - change vpce_kms_txt to vpce_heritage_txt
---
 .pre-commit-config.yaml | 11 ++-
 CHANGELOG.md | 4 +
 common/version.tf | 2 +-
 vpc-interface-endpoint/README.md | 132 +++++++++++++++++++++++++++++-
 vpc-interface-endpoint/route53.tf | 2 +-
 5 files changed, 146 insertions(+), 5 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 4ad8b85..2b7e68b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -4,14 +4,21 @@ repos:
 hooks:
 # - id: terraform_validate
 - id: terraform_fmt
- - id: terraform_docs_replace
- args: ['table']
+# - id: terraform_docs_replace
+# args: ['table']
+# exclude: common/*.tf
+# exclude: version.tf
+# exclude: examples
+ - id: terraform_docs
 exclude: common/*.tf
 exclude: version.tf
 exclude: examples
+ args: - --args=--config=.terraform-docs.yml
 # - id: terraform_tflint
 # args: [ "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"]
 # exclude: examples
+
 - repo: https://github.com/pre-commit/pre-commit-hooks
 rev: v4.5.0
 hooks:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 36928e8..6f7795a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -364,3 +364,7 @@
 * 2.9.11 -- 2023-10-25
 - vpc-interface-endpoint
 - add ent-gov-dmz-network-prod to allowed list of accounts for setup of central vpc endpoints
+
+* 2.9.12 -- 2023-11-01
+ - vpc-interface-endpoint
+ - change vpce_kms_txt to vpce_heritage_txt
diff --git a/common/version.tf b/common/version.tf
index 8f9b36d..c9003c2 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.9.11"
+ _module_version = "2.9.12"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
index 1a1b59c..e4e2966 100644
--- a/vpc-interface-endpoint/README.md
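Review bot: The three `exclude:` keys that the new `terraform_docs` hook takes over from the removed `terraform_docs_replace` entry are duplicate keys in a single YAML mapping, so the loader keeps only the last one and the hook is excluded from `examples` alone, while `common/*.tf` and `version.tf` are silently dropped (pre-commit's `exclude` is a Python regex, so the `*` would not act as a glob even if it survived). Collapse them into one anchored pattern such as `exclude: ^(common/.*\.tf|version\.tf|examples/)`. The same three keys are repeated verbatim in the commented-out block added just above, so whoever re-enables that block will inherit the same defect. Separately, the README hunk in this commit appears to append a second full copy of the module documentation (Requirements through Outputs now occur twice) instead of replacing it, which looks like a symptom of `terraform_docs` running without an inject/replace output mode configured in `.terraform-docs.yml`; worth confirming that file's output settings before merging.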
+++ b/vpc-interface-endpoint/README.md
@@ -81,8 +81,8 @@ These are not included in the module because they don't exist until the resource
 | Name | Type |
 |------|------|
 | [aws_route53_record.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_route53_record.vpce_heritage_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_info_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
-| [aws_route53_record.vpce_kms_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_ptr_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -125,3 +125,133 @@ These are not included in the module because they don't exist until the resource | Name | Description | |------|-------------| | [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service | + + +# About aws-vpc-setup :: vpc-interface-endpoint + +This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`. +No policy is set by default. + +Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably +not needed. + +# Usage + +```hcl +module "vpce_secretsmanager" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint" + + service = "secretsmanager" + subnet_ids = [ "subnet-1234", "subnet-2345", "subnet-3456" ] + + vpc_id = "vpc-1234568" + vpc_full_name = "vpc2-dice-dev" + vpc_environment = "dev" + + ## optional + # private_dns_enabled = true + # policy = data.aws_iam_policy_document.mypolicy.json + + tags = {} +} +``` +# Outputs +This outputs an object with the following elements: + +* name: name of the VPC endpoint +* service\_name: name of the VPC endpoint service +* id: VPC endpoint ID +* dns\_entry: DNS name for the VPC endpoint +* subnet\_ids: list of subnet IDs on which the VPC endpoint resides +* network\_interface\_ids: List of network interface IDs (ENIs), one per subnet + +To get the IPs or subnets, you'll need to get the ENIs in a `data` resource like this +```hcl +data "aws_network_interface" "interfaces" { + for_each = toset(module.vpce_secretsmanager.vpce_service_info.network_interface_ids) + id = each.key +} +locals { + subnet_interface_id_map = { for k, v in data.aws_network_interface.interfaces : v.subnet_id => k } + subnet_interface_ip_map = { for k, v in data.aws_network_interface.interfaces : v.subnet_id => v.private_ip } +} +``` + +These are not included in the module because they don't exist until the resource has been 
created. + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.13 | +| [aws](#requirement\_aws) | >= 3.66.0 | +| [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | +| [null](#requirement\_null) | >= 3.0 | +| [random](#requirement\_random) | >= 3.0 | +| [template](#requirement\_template) | >= 2.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.66.0 | +| [null](#provider\_null) | >= 3.0 | +| [time](#provider\_time) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [vpce\_ips](#module\_vpce\_ips) | git@github.e.it.census.gov:terraform-modules/dns-lookup.git | tf-upgrade | + +## Resources + +| Name | Type | +|------|------| +| [aws_route53_record.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.vpce_heritage_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.vpce_info_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.vpce_ptr_info](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_record.vpce_wildcard](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource | +| [aws_route53_zone.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone) | resource | +| [aws_ssm_parameter.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ssm_parameter) | resource | +| 
[aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [null_resource.vpce](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [time_static.vpce](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/static) | resource | +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | +| [aws_network_interface.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_interface) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_route53_zone.vpce_ptr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | +| [aws_vpc_endpoint_service.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | +| [create\_central\_vpc\_endpoint](#input\_create\_central\_vpc\_endpoint) | Flag to enable this endpoint to be handled as central, creating route53 zones and entries for the private zone, and creating an SSM parameter with the needed details 
for VPC association. | `bool` | `false` | no | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [policy](#input\_policy) | IAM policy to apply to the VPC endpoint | `string` | `null` | no | +| [private\_dns\_enabled](#input\_private\_dns\_enabled) | Flag to enble \| disable private DNS (default: true) | `bool` | `true` | no | +| [security\_group\_ids](#input\_security\_group\_ids) | VPC Security Group ID List (required, use a group with tcp/443 inbound) | `list(string)` | n/a | yes | +| [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes | +| [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service | + \ No newline at end of file 
diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
index d9cd399..1fd1857 100644
--- a/vpc-interface-endpoint/route53.tf
+++ b/vpc-interface-endpoint/route53.tf
@@ -109,7 +109,7 @@ resource "time_static" "vpce" {
 count = local.r53_create ? 1 : 0
 }
 
-resource "aws_route53_record" "vpce_kms_txt" {
+resource "aws_route53_record" "vpce_heritage_txt" {
 count = local.r53_create ? 1 : 0
 zone_id = try(aws_route53_zone.vpce[0].zone_id, null)
 name = try(aws_route53_zone.vpce[0].name, null)
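Review bot: Renaming the resource label from `vpce_kms_txt` to `vpce_heritage_txt` changes the resource address, so on the next apply Terraform will plan to destroy `aws_route53_record.vpce_kms_txt[0]` and create `aws_route53_record.vpce_heritage_txt[0]` instead of keeping the existing TXT record, and nothing in the commit carries the state entry across; because the record is gated by `count = local.r53_create ? 1 : 0`, this lands on the central-endpoint private zone rather than every caller. Add a `moved { from = aws_route53_record.vpce_kms_txt  to = aws_route53_record.vpce_heritage_txt }` block beside the resource so the rename is a no-op in the plan, or, failing that, have the 2.9.12 changelog entry tell consumers to run `terraform state mv` before applying. Note that `moved` blocks require Terraform 1.1 or later while the README still advertises `terraform >= 0.13`, so the version constraint would have to move with it. The body of the resource continues past the end of the hunk, so whether the record's `name` or `records` also changed cannot be seen here.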