v1.4.0: add vpc-interface-endpoint module

CHANGELOG.md

@@ -62,3 +62,7 @@
 * v1.3.0 -- 20211020
   - peer
     - add peer_network_acl_filter
+
+* v1.4.0 -- 20211109
+  - vpc-interface-endpoint
+    - create new submodule for setting up an interface endpoint

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.3.0"
+  _module_version = "1.4.0"
 }

vpc-interface-endpoint/README.md

@@ -0,0 +1,78 @@
+# About aws-vpc-setup :: vpc-interface-endpoint
+
+This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`.
+No policy is set by default.
+
+Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably
+not needed.
+
+# Usage
+
+```hcl
+module "vpce_secretsmanager" {
+  source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+
+  service         = "secretsmanager"
+  subnet_ids      = [ "subnet-1234", "subnet-2345", "subnet-3456" ]
+
+  vpc_id          = "vpc-1234568"
+  vpc_full_name   = "vpc2-dice-dev"
+  vpc_environment = "dev"
+
+  ## optional
+  # private_dns_enabled = true
+  # policy              = data.aws_iam_policy_document.mypolicy.json
+
+  tags            = {}
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_vpc_endpoint_service.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | IAM policy to apply to the VPC endpoint | `string` | `null` | no |
+| <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | Flag to enble \| disable private DNS (default: true) | `bool` | `true` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | VPC Security Group ID List (required, use a group with tcp/443 inbound) | `list(string)` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_vpce_service_info"></a> [vpce\_service\_info](#output\_vpce\_service\_info) | VPC Interface Endpoint information for service |

vpc-interface-endpoint/data.tf

@@ -0,0 +1 @@
+../common/data.tf

vpc-interface-endpoint/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

vpc-interface-endpoint/main.tf

@@ -0,0 +1,66 @@
+/*
+* # About aws-vpc-setup :: vpc-interface-endpoint
+* 
+* This sets up a VPC endpoint of type Interface for the specified service. By default, it sets `private_dns_enabled=true`.
+* No policy is set by default.
+*
+* Possible future configurations may be to create a service-specific SG if a SG is not used, though that is probably
+* not needed.
+*
+* # Usage
+* 
+* ```hcl
+* module "vpce_secretsmanager" {
+*   source          = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint"
+*
+*   service         = "secretsmanager"
+*   subnet_ids      = [ "subnet-1234", "subnet-2345", "subnet-3456" ]
+*
+*   vpc_id          = "vpc-1234568"
+*   vpc_full_name   = "vpc2-dice-dev"
+*   vpc_environment = "dev"
+*
+*   ## optional
+*   # private_dns_enabled = true
+*   # policy              = data.aws_iam_policy_document.mypolicy.json
+*
+*   tags            = {}
+* }
+* ```
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+  region              = data.aws_region.current.name
+
+  service       = length(regexall("^com.amazonaws", var.service)) == 0 ? var.service : format("com.amazonaws.%v.%v", local.region, var.service)
+  _service      = split(".", local.service)
+  short_service = element(local._service, length(local._service))
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+}
+
+data "aws_vpc_endpoint_service" "interface_endpoint" {
+  service = local.service
+}
+
+resource "aws_vpc_endpoint" "interface_endpoint" {
+  vpc_id              = var.vpc_id
+  service_name        = data.aws_vpc_endpoint_service.interface_endpoint.service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = var.subnet_ids
+  security_group_ids  = var.security_group_ids
+  private_dns_enabled = var.private_dns_enabled
+  auto_accept         = true
+
+  tags = merge(
+    local.base_tags,
+    tomap({
+      Name = format("vpce-%v-%v", local.short_service, var.vpc_full_name)
+    })
+  )
+}

vpc-interface-endpoint/outputs.tf

@@ -0,0 +1,9 @@
+output "vpce_service_info" {
+  description = "VPC Interface Endpoint information for service"
+  value = {
+    "name" : local.short_service,
+    "service_name" = aws_vpc_endpoint.interface_endpoint.service_name,
+    "id" : aws_vpc_endpoint.interface_endpoint.id,
+    "dns_entry" : aws_vpc_endpoint.interface_endpoint.dns_entry,
+  }
+}

vpc-interface-endpoint/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

vpc-interface-endpoint/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

vpc-interface-endpoint/variables.common.vpc.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc.tf

vpc-interface-endpoint/variables.common.vpc_id.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf

vpc-interface-endpoint/variables.tf

@@ -0,0 +1,27 @@
+variable "service" {
+  description = "VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name}"
+  type        = string
+}
+
+variable "subnet_ids" {
+  description = "VPC Subnet ID List"
+  type        = list(string)
+  default     = []
+}
+
+variable "security_group_ids" {
+  description = "VPC Security Group ID List (required, use a group with tcp/443 inbound)"
+  type        = list(string)
+}
+
+variable "private_dns_enabled" {
+  description = "Flag to enble | disable private DNS (default: true)"
+  type        = bool
+  default     = true
+}
+
+variable "policy" {
+  description = "IAM policy to apply to the VPC endpoint"
+  type        = string
+  default     = null
+}

vpc-interface-endpoint/version.tf

@@ -0,0 +1 @@
+../common/version.tf