Refactor vpc-gateway-endpoint (#19)

README.md

@@ -59,6 +59,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws-
 
 ## Examples
 
+### VPC
+
+- [vpc-gateway-endpoint-simple](./examples/vpc-gateway-endpoint-simple)
+
 ### VPC Lattice
 
 - [lattice-service-network-simple](./examples/lattice-service-network-simple)

examples/vpc-gateway-endpoint-simple/main.tf

@@ -0,0 +1,34 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_route_tables" "this" {
+  vpc_id = data.aws_vpc.default.id
+}
+
+
+###################################################
+# Gateway Endpoint
+###################################################
+
+module "endpoint" {
+  source = "../../modules/vpc-gateway-endpoint"
+  # source  = "tedilabs/vpc-connectivity/aws//modules/vpc-gateway-endpoint"
+  # version = "~> 0.2.0"
+
+  vpc_id = data.aws_vpc.default.id
+
+  name    = "aws-s3"
+  service = "S3"
+
+  route_tables = data.aws_route_tables.this.ids
+
+
+  tags = {
+    "project" = "terraform-aws-vpc-connectivity-examples"
+  }
+}

examples/vpc-gateway-endpoint-simple/outputs.tf

@@ -0,0 +1,4 @@
+output "endpoint" {
+  description = "The Gateway Endpoint."
+  value       = module.endpoint
+}

examples/vpc-gateway-endpoint-simple/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = "~> 1.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}

modules/vpc-gateway-endpoint/README.md

@@ -3,21 +3,22 @@
 This module creates following resources.
 
 - `aws_vpc_endpoint`
-- `aws_vpc_endpoint_connection_notification` (optional)
+- `aws_vpc_endpoint_policy`
+- `aws_vpc_endpoint_route_table_association` (optional)
 
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ## Requirements
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.45 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.20 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.22.0 |
 
 ## Modules
 
@@ -30,38 +31,38 @@ This module creates following resources.
 | Name | Type |
 |------|------|
 | [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
-| [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource |
+| [aws_vpc_endpoint_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_policy) | resource |
+| [aws_vpc_endpoint_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource |
+| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_name"></a> [name](#input\_name) | (Required) Desired name for the VPC Gateway Endpoint. | `string` | n/a | yes |
-| <a name="input_service_name"></a> [service\_name](#input\_service\_name) | (Required) The service name. For AWS services the service name is usually in the form `com.amazonaws.<region>.<service>`. | `string` | n/a | yes |
+| <a name="input_service"></a> [service](#input\_service) | (Required) The AWS service name. Valid values are `DYNAMODB`, `S3`. | `string` | n/a | yes |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC in which the endpoint will be used. | `string` | n/a | yes |
-| <a name="input_auto_accept"></a> [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). | `bool` | `true` | no |
 | <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
-| <a name="input_notification_configurations"></a> [notification\_configurations](#input\_notification\_configurations) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. | <pre>list(object({<br>    sns_arn = string<br>    events  = list(string)<br>  }))</pre> | `[]` | no |
-| <a name="input_policy"></a> [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway endpoints support policies. | `string` | `null` | no |
 | <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
+| <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | (Optional) A list of route table IDs to associate with the endpoint. | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
+| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | (Optional) How long to wait for the endpoint to be created/updated/deleted. | <pre>object({<br>    create = optional(string, "10m")<br>    update = optional(string, "10m")<br>    delete = optional(string, "10m")<br>  })</pre> | `{}` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
 | <a name="output_arn"></a> [arn](#output\_arn) | The Amazon Resource Name (ARN) of the VPC endpoint. |
-| <a name="output_cidr_blocks"></a> [cidr\_blocks](#output\_cidr\_blocks) | The list of CIDR blocks for the exposed AWS service. |
 | <a name="output_id"></a> [id](#output\_id) | The ID of the VPC endpoint. |
-| <a name="output_managed"></a> [managed](#output\_managed) | Whether or not the VPC Endpoint is being managed by its service. |
 | <a name="output_name"></a> [name](#output\_name) | The VPC Gateway Endpoint name. |
-| <a name="output_notification_configurations"></a> [notification\_configurations](#output\_notification\_configurations) | A list of Endpoint Connection Notifications for VPC Endpoint events. |
-| <a name="output_owner_id"></a> [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. |
-| <a name="output_policy"></a> [policy](#output\_policy) | The policy which is attached to the endpoint that controls access to the service. |
-| <a name="output_prefix_list_id"></a> [prefix\_list\_id](#output\_prefix\_list\_id) | The prefix list ID of the exposed AWS service. |
+| <a name="output_owner_id"></a> [owner\_id](#output\_owner\_id) | The owner ID of the VPC endpoint. |
+| <a name="output_prefix_list"></a> [prefix\_list](#output\_prefix\_list) | The information of the prefix list of the VPC endpoint.<br>    `id` - The prefix list ID of the exposed AWS service.<br>    `ipv4_cidrs` - The list of CIDR blocks for the exposed AWS service. |
+| <a name="output_route_tables"></a> [route\_tables](#output\_route\_tables) | The list of route table IDs which is associated with the VPC endpoint. |
 | <a name="output_service_name"></a> [service\_name](#output\_service\_name) | The service name of the VPC Gateway Endpoint. |
 | <a name="output_state"></a> [state](#output\_state) | The state of the VPC endpoint. |
+| <a name="output_type"></a> [type](#output\_type) | The type of the VPC endpoint. |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The VPC ID of the VPC endpoint. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/vpc-gateway-endpoint/main.tf

@@ -14,13 +14,38 @@ locals {
   } : {}
 }
 
+data "aws_vpc_endpoint_service" "this" {
+  service      = lower(var.service)
+  service_type = "Gateway"
+}
+
+
+###################################################
+# Gateway Endpoint
+###################################################
+
+# INFO: Not supported attributes
+# - `auto_accept`
+# - `dns_options`
+# - `ip_address_type`
+# - `private_dns_enabled`
+# - `security_group_ids`
+# - `subnet_ids`
+# INFO: Use a separate resource
+# - `policy`
+# - `route_table_ids`
 resource "aws_vpc_endpoint" "this" {
   vpc_endpoint_type = "Gateway"
-  service_name      = var.service_name
+  service_name      = data.aws_vpc_endpoint_service.this.service_name
   vpc_id            = var.vpc_id
 
-  auto_accept = var.auto_accept
-  policy      = var.policy
+  auto_accept = true
+
+  timeouts {
+    create = var.timeouts.create
+    update = var.timeouts.update
+    delete = var.timeouts.delete
+  }
 
   tags = merge(
     {
@@ -33,17 +58,22 @@ resource "aws_vpc_endpoint" "this" {
 
 
 ###################################################
-# Notification
+# Policy for Gateway Endpoint
 ###################################################
 
-resource "aws_vpc_endpoint_connection_notification" "this" {
-  for_each = {
-    for config in try(var.notification_configurations, []) :
-    config.sns_arn => config
-  }
-
+resource "aws_vpc_endpoint_policy" "this" {
   vpc_endpoint_id = aws_vpc_endpoint.this.id
+  policy          = var.policy
+}
+
+
+###################################################
+# Route Table Associations for Gateway Endpoint
+###################################################
 
-  connection_notification_arn = each.key
-  connection_events           = try(each.value.events, [])
+resource "aws_vpc_endpoint_route_table_association" "this" {
+  count = length(var.route_tables)
+
+  vpc_endpoint_id = aws_vpc_endpoint.this.id
+  route_table_id  = var.route_tables[count.index]
 }

modules/vpc-gateway-endpoint/outputs.tf

@@ -18,42 +18,41 @@ output "arn" {
   value       = aws_vpc_endpoint.this.arn
 }
 
-output "state" {
-  description = "The state of the VPC endpoint."
-  value       = aws_vpc_endpoint.this.state
-}
-
 output "owner_id" {
-  description = "The Owner ID of the VPC endpoint."
+  description = "The owner ID of the VPC endpoint."
   value       = aws_vpc_endpoint.this.owner_id
 }
 
-output "managed" {
-  description = "Whether or not the VPC Endpoint is being managed by its service."
-  value       = aws_vpc_endpoint.this.requester_managed
+output "type" {
+  description = "The type of the VPC endpoint."
+  value       = "GATEWAY"
+}
+
+output "state" {
+  description = "The state of the VPC endpoint."
+  value       = aws_vpc_endpoint.this.state
 }
 
 output "vpc_id" {
   description = "The VPC ID of the VPC endpoint."
   value       = aws_vpc_endpoint.this.vpc_id
 }
 
-output "cidr_blocks" {
-  description = "The list of CIDR blocks for the exposed AWS service."
-  value       = aws_vpc_endpoint.this.cidr_blocks
-}
-
-output "prefix_list_id" {
-  description = "The prefix list ID of the exposed AWS service."
-  value       = aws_vpc_endpoint.this.prefix_list_id
-}
-
-output "policy" {
-  description = "The policy which is attached to the endpoint that controls access to the service."
-  value       = aws_vpc_endpoint.this.policy
+output "prefix_list" {
+  description = <<EOF
+  The information of the prefix list of the VPC endpoint.
+    `id` - The prefix list ID of the exposed AWS service.
+    `ipv4_cidrs` - The list of CIDR blocks for the exposed AWS service.
+  EOF
+  value = {
+    id         = aws_vpc_endpoint.this.prefix_list_id
+    ipv4_cidrs = aws_vpc_endpoint.this.cidr_blocks
+  }
 }
 
-output "notification_configurations" {
-  description = "A list of Endpoint Connection Notifications for VPC Endpoint events."
-  value       = var.notification_configurations
+output "route_tables" {
+  description = <<EOF
+  The list of route table IDs which is associated with the VPC endpoint.
+  EOF
+  value       = aws_vpc_endpoint_route_table_association.this[*].route_table_id
 }

modules/vpc-gateway-endpoint/variables.tf

@@ -1,49 +1,65 @@
 variable "name" {
   description = "(Required) Desired name for the VPC Gateway Endpoint."
   type        = string
+  nullable    = false
 }
 
-variable "service_name" {
-  description = "(Required) The service name. For AWS services the service name is usually in the form `com.amazonaws.<region>.<service>`."
+variable "service" {
+  description = "(Required) The AWS service name. Valid values are `DYNAMODB`, `S3`."
   type        = string
+  nullable    = false
+
+  validation {
+    condition     = contains(["DYNAMODB", "S3"], var.service)
+    error_message = "Valid values are `DYNAMODB` and `S3`."
+  }
 }
 
 variable "vpc_id" {
   description = "(Required) The ID of the VPC in which the endpoint will be used."
   type        = string
-}
-
-variable "auto_accept" {
-  description = "(Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account)."
-  type        = bool
-  default     = true
+  nullable    = false
 }
 
 variable "policy" {
-  description = "(Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies."
+  description = "(Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway endpoints support policies."
   type        = string
   default     = null
+  nullable    = true
+}
+
+variable "route_tables" {
+  description = <<EOF
+  (Optional) A list of route table IDs to associate with the endpoint.
+  EOF
+  type        = list(string)
+  default     = []
+  nullable    = false
 }
 
-variable "notification_configurations" {
-  description = "(Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events."
-  type = list(object({
-    sns_arn = string
-    events  = list(string)
-  }))
-  default = []
+variable "timeouts" {
+  description = "(Optional) How long to wait for the endpoint to be created/updated/deleted."
+  type = object({
+    create = optional(string, "10m")
+    update = optional(string, "10m")
+    delete = optional(string, "10m")
+  })
+  default  = {}
+  nullable = false
 }
 
 variable "tags" {
   description = "(Optional) A map of tags to add to all resources."
   type        = map(string)
   default     = {}
+  nullable    = false
 }
 
 variable "module_tags_enabled" {
   description = "(Optional) Whether to create AWS Resource Tags for the module informations."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 
@@ -55,16 +71,19 @@ variable "resource_group_enabled" {
   description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
   type        = bool
   default     = true
+  nullable    = false
 }
 
 variable "resource_group_name" {
   description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
   type        = string
   default     = ""
+  nullable    = false
 }
 
 variable "resource_group_description" {
   description = "(Optional) The description of Resource Group."
   type        = string
   default     = "Managed by Terraform."
+  nullable    = false
 }

modules/vpc-gateway-endpoint/versions.tf

@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.5"
+  required_version = ">= 1.6"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.45"
+      version = ">= 5.20"
     }
   }
 }