From 86317bece6a7850e188e8bbf993f8be9e6152e1d Mon Sep 17 00:00:00 2001 From: "Byungjin Park (Claud)" Date: Mon, 6 Nov 2023 20:58:07 +0900 Subject: [PATCH] Refactor vpc-gateway-endpoint (#19) --- README.md | 4 ++ examples/vpc-gateway-endpoint-simple/main.tf | 34 ++++++++++++ .../vpc-gateway-endpoint-simple/outputs.tf | 4 ++ .../vpc-gateway-endpoint-simple/versions.tf | 10 ++++ modules/vpc-gateway-endpoint/README.md | 31 +++++------ modules/vpc-gateway-endpoint/main.tf | 54 ++++++++++++++----- modules/vpc-gateway-endpoint/outputs.tf | 49 +++++++++-------- modules/vpc-gateway-endpoint/variables.tf | 51 ++++++++++++------ modules/vpc-gateway-endpoint/versions.tf | 4 +- 9 files changed, 171 insertions(+), 70 deletions(-) create mode 100644 examples/vpc-gateway-endpoint-simple/main.tf create mode 100644 examples/vpc-gateway-endpoint-simple/outputs.tf create mode 100644 examples/vpc-gateway-endpoint-simple/versions.tf diff --git a/README.md b/README.md index ed2198a..ef04a71 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,10 @@ Terraform Modules from [this package](https://github.com/tedilabs/terraform-aws- ## Examples +### VPC + +- [vpc-gateway-endpoint-simple](./examples/vpc-gateway-endpoint-simple) + ### VPC Lattice - [lattice-service-network-simple](./examples/lattice-service-network-simple) diff --git a/examples/vpc-gateway-endpoint-simple/main.tf b/examples/vpc-gateway-endpoint-simple/main.tf new file mode 100644 index 0000000..55832fe --- /dev/null +++ b/examples/vpc-gateway-endpoint-simple/main.tf 
@@ -0,0 +1,34 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_route_tables" "this" {
+ vpc_id = data.aws_vpc.default.id
+}
+
+
+###################################################
+# Gateway Endpoint
+###################################################
+
+module "endpoint" {
+ source = "../../modules/vpc-gateway-endpoint"
+ # source = "tedilabs/vpc-connectivity/aws//modules/vpc-gateway-endpoint"
+ # version = "~> 0.2.0"
+
+ vpc_id = data.aws_vpc.default.id
+
+ name = "aws-s3"
+ service = "S3"
+
+ route_tables = data.aws_route_tables.this.ids
+
+
+ tags = {
+ "project" = "terraform-aws-vpc-connectivity-examples"
+ }
+}
diff --git a/examples/vpc-gateway-endpoint-simple/outputs.tf b/examples/vpc-gateway-endpoint-simple/outputs.tf
new file mode 100644
index 0000000..97ac8d3
--- /dev/null
+++ b/examples/vpc-gateway-endpoint-simple/outputs.tf
@@ -0,0 +1,4 @@
+output "endpoint" {
+ description = "The Gateway Endpoint."
+ value = module.endpoint
+}
diff --git a/examples/vpc-gateway-endpoint-simple/versions.tf b/examples/vpc-gateway-endpoint-simple/versions.tf
new file mode 100644
index 0000000..e5cd366
--- /dev/null
+++ b/examples/vpc-gateway-endpoint-simple/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = "~> 1.6"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
diff --git a/modules/vpc-gateway-endpoint/README.md b/modules/vpc-gateway-endpoint/README.md
index 1cf0ea3..f6775d8 100644
--- a/modules/vpc-gateway-endpoint/README.md
+++ b/modules/vpc-gateway-endpoint/README.md
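Review bot: The example attaches the endpoint to every route table in the default VPC (`route_tables = data.aws_route_tables.this.ids`) while leaving `policy` unset, so the module's documented default of full access applies and anything in that VPC can reach any S3 bucket through the endpoint, including buckets in other accounts. Since this is the reference example people copy, it should at least say so, e.g. add above the module block `# NOTE: no policy is set, so the endpoint allows full S3 access; restrict it in real deployments`, or better, pass a sample `policy` that scopes access to the caller's own account via a condition on `aws:ResourceAccount` (and `aws:PrincipalAccount`). Without that, the endpoint is a quiet data-exfiltration path that bypasses NAT/egress controls.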
@@ -3,21 +3,22 @@ This module creates following resources. - `aws_vpc_endpoint` -- `aws_vpc_endpoint_connection_notification` (optional) +- `aws_vpc_endpoint_policy` +- `aws_vpc_endpoint_route_table_association` (optional) ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.5 | -| [aws](#requirement\_aws) | >= 3.45 | +| [terraform](#requirement\_terraform) | >= 1.6 | +| [aws](#requirement\_aws) | >= 5.20 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 5.19.0 | +| [aws](#provider\_aws) | 5.22.0 | ## Modules 
@@ -30,38 +31,38 @@ This module creates following resources. | Name | Type | |------|------| | [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint_connection_notification.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_connection_notification) | resource | +| [aws_vpc_endpoint_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_policy) | resource | +| [aws_vpc_endpoint_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | +| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) Desired name for the VPC Gateway Endpoint. | `string` | n/a | yes | -| [service\_name](#input\_service\_name) | (Required) The service name. For AWS services the service name is usually in the form `com.amazonaws..`. | `string` | n/a | yes | +| [service](#input\_service) | (Required) The AWS service name. Valid values are `DYNAMODB`, `S3`. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC in which the endpoint will be used. | `string` | n/a | yes | -| [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). | `bool` | `true` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. 
| `bool` | `true` | no | -| [notification\_configurations](#input\_notification\_configurations) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. |
list(object({
sns_arn = string
events = list(string)
}))
| `[]` | no | -| [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no | +| [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway endpoints support policies. | `string` | `null` | no | | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [route\_tables](#input\_route\_tables) | (Optional) A list of route table IDs to associate with the endpoint. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the endpoint to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
| `{}` | no | ## Outputs | Name | Description | |------|-------------| | [arn](#output\_arn) | The Amazon Resource Name (ARN) of the VPC endpoint. | -| [cidr\_blocks](#output\_cidr\_blocks) | The list of CIDR blocks for the exposed AWS service. | | [id](#output\_id) | The ID of the VPC endpoint. | -| [managed](#output\_managed) | Whether or not the VPC Endpoint is being managed by its service. | | [name](#output\_name) | The VPC Gateway Endpoint name. | -| [notification\_configurations](#output\_notification\_configurations) | A list of Endpoint Connection Notifications for VPC Endpoint events. | -| [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. | -| [policy](#output\_policy) | The policy which is attached to the endpoint that controls access to the service. | -| [prefix\_list\_id](#output\_prefix\_list\_id) | The prefix list ID of the exposed AWS service. | +| [owner\_id](#output\_owner\_id) | The owner ID of the VPC endpoint. | +| [prefix\_list](#output\_prefix\_list) | The information of the prefix list of the VPC endpoint.
`id` - The prefix list ID of the exposed AWS service.
`ipv4_cidrs` - The list of CIDR blocks for the exposed AWS service. | +| [route\_tables](#output\_route\_tables) | The list of route table IDs which is associated with the VPC endpoint. | | [service\_name](#output\_service\_name) | The service name of the VPC Gateway Endpoint. | | [state](#output\_state) | The state of the VPC endpoint. | +| [type](#output\_type) | The type of the VPC endpoint. | | [vpc\_id](#output\_vpc\_id) | The VPC ID of the VPC endpoint. | diff --git a/modules/vpc-gateway-endpoint/main.tf b/modules/vpc-gateway-endpoint/main.tf index 40d838e..125a7f7 100644 --- a/modules/vpc-gateway-endpoint/main.tf +++ b/modules/vpc-gateway-endpoint/main.tf @@ -14,13 +14,38 @@ locals { } : {} } +data "aws_vpc_endpoint_service" "this" { + service = lower(var.service) + service_type = "Gateway" +} + + +################################################### +# Gateway Endpoint +################################################### + +# INFO: Not supported attributes +# - `auto_accept` +# - `dns_options` +# - `ip_address_type` +# - `private_dns_enabled` +# - `security_group_ids` +# - `subnet_ids` +# INFO: Use a separate resource +# - `policy` +# - `route_table_ids` resource "aws_vpc_endpoint" "this" { vpc_endpoint_type = "Gateway" - service_name = var.service_name + service_name = data.aws_vpc_endpoint_service.this.service_name vpc_id = var.vpc_id - auto_accept = var.auto_accept - policy = var.policy + auto_accept = true + + timeouts { + create = var.timeouts.create + update = var.timeouts.update + delete = var.timeouts.delete + } tags = merge( { 
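Review bot: The INFO comment lists `auto_accept` under "Not supported attributes", yet the resource body a few lines later still sets `auto_accept = true`; one of the two should go. The service name is resolved from `data.aws_vpc_endpoint_service` with `service_type = "Gateway"`, i.e. always an AWS-owned service, so there is presumably no acceptance step to automate and dropping the `auto_accept = true` line looks like the cleaner fix (otherwise remove `auto_accept` from the comment). The `lower(var.service)` lookup also means an unsupported value only fails inside the data source; if `variables.tf` (not in this hunk) has no `validation` block on `service`, consider adding one that names the documented `S3`/`DYNAMODB` values. The resource block's `tags = merge(` argument continues past the end of the hunk.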
@@ -33,17 +58,22 @@ resource "aws_vpc_endpoint" "this" { ################################################### -# Notification +# Policy for Gateway Endpoint ################################################### -resource "aws_vpc_endpoint_connection_notification" "this" { - for_each = { - for config in try(var.notification_configurations, []) : - config.sns_arn => config - } - +resource "aws_vpc_endpoint_policy" "this" { vpc_endpoint_id = aws_vpc_endpoint.this.id + policy = var.policy +} + + +################################################### +# Route Table Associations for Gateway Endpoint +################################################### - connection_notification_arn = each.key - connection_events = try(each.value.events, []) +resource "aws_vpc_endpoint_route_table_association" "this" { + count = length(var.route_tables) + + vpc_endpoint_id = aws_vpc_endpoint.this.id + route_table_id = var.route_tables[count.index] } diff --git a/modules/vpc-gateway-endpoint/outputs.tf b/modules/vpc-gateway-endpoint/outputs.tf index b7b083b..378e518 100644 --- a/modules/vpc-gateway-endpoint/outputs.tf +++ b/modules/vpc-gateway-endpoint/outputs.tf @@ -18,19 +18,19 @@ output "arn" { value = aws_vpc_endpoint.this.arn } -output "state" { - description = "The state of the VPC endpoint." - value = aws_vpc_endpoint.this.state -} - output "owner_id" { - description = "The Owner ID of the VPC endpoint." + description = "The owner ID of the VPC endpoint." value = aws_vpc_endpoint.this.owner_id } -output "managed" { - description = "Whether or not the VPC Endpoint is being managed by its service." - value = aws_vpc_endpoint.this.requester_managed +output "type" { + description = "The type of the VPC endpoint." + value = "GATEWAY" +} + +output "state" { + description = "The state of the VPC endpoint." + value = aws_vpc_endpoint.this.state } output "vpc_id" { 
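Review bot: `aws_vpc_endpoint_route_table_association.this` is indexed with `count` over `var.route_tables`, so removing or reordering one entry shifts the index of every later entry and Terraform destroys and recreates those associations; while an association is missing, the affected subnets lose the prefix-list route and traffic to the service either fails or, if the route table has a NAT/IGW default route, leaves the VPC and is no longer subject to the endpoint policy. Keying by route table ID avoids the churn: `for_each = toset(var.route_tables)` and `route_table_id = each.value`. That changes resource addresses, so existing state would need `moved` blocks or a one-time re-import. Separately, `aws_vpc_endpoint_policy.this` is created unconditionally with `policy = var.policy`, whose default is `null`; if relying on the provider to treat a null policy as "reset to the default full-access policy" is intentional, a one-line comment saying so would save the next reader from wondering whether the resource should be conditional.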
@@ -38,22 +38,21 @@ output "vpc_id" { value = aws_vpc_endpoint.this.vpc_id } -output "cidr_blocks" { - description = "The list of CIDR blocks for the exposed AWS service." - value = aws_vpc_endpoint.this.cidr_blocks -} - -output "prefix_list_id" { - description = "The prefix list ID of the exposed AWS service." - value = aws_vpc_endpoint.this.prefix_list_id -} - -output "policy" { - description = "The policy which is attached to the endpoint that controls access to the service." - value = aws_vpc_endpoint.this.policy +output "prefix_list" { + description = <