Support dns_options for vpc-interface-endpoint
posquit0 committed Dec 13, 2023
1 parent e986af7 commit a76c093
Showing 5 changed files with 55 additions and 18 deletions.
8 changes: 6 additions & 2 deletions examples/vpc-interface-endpoint-full/main.tf
Expand Up @@ -49,7 +49,7 @@ module "endpoint" {

## Network
vpc_id = data.aws_vpc.default.id
ip_address_type = "IPV4"
ip_address_type = "IPv4"
network_mapping = {
"use1-az1" = {
subnet = data.aws_subnet.default["use1-az1"].id
Expand Down Expand Up @@ -77,7 +77,11 @@ module "endpoint" {


## DNS
private_dns_enabled = false
private_dns = {
enabled = true
record_ip_type = "IPv4"
only_for_inbound_resolver_endpoint = false
}


## Notifications
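Review bot: flipping the full example from `private_dns_enabled = false` to `enabled = true` changes name resolution for the whole VPC and deserves a comment in the example: per the `private_dns` description, the service's public hostname (e.g. `kinesis.us-east-1.amazonaws.com`) now resolves to this endpoint for every workload in `data.aws_vpc.default`. Unless the collapsed part of the example tightens `policy` and `default_security_group`, the README defaults for those are full access and an ingress of `0.0.0.0/0`, so a reader copying this into a shared or default VPC redirects all of that VPC's traffic for the service through an endpoint with no restrictions. A one-line note on the VPC-wide effect, or an explicit `policy` / `ingress_rules` in the example, would make it safer to copy.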
5 changes: 3 additions & 2 deletions modules/vpc-interface-endpoint/README.md
Expand Up @@ -50,11 +50,11 @@ This module creates following resources.
| <a name="input_auto_accept"></a> [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). | `bool` | `true` | no |
| <a name="input_connection_notifications"></a> [connection\_notifications](#input\_connection\_notifications) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. Each block of `connection_notifications` as defined below.<br> (Required) `name` - The name of the configuration for connection notification. This value is only used internally within Terraform code.<br> (Required) `sns_topic` - The Amazon Resource Name (ARN) of the SNS topic for the notifications.<br> (Required) `events` - One or more endpoint events for which to receive notifications. Valid values are `Accept`, `Reject`, `Connect` and `Delete`. | <pre>list(object({<br> name = string<br> sns_topic = string<br> events = set(string)<br> }))</pre> | `[]` | no |
| <a name="input_default_security_group"></a> [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the interface endpoint. `default_security_group` block as defined below.<br> (Optional) `enabled` - Whether to use the default security group. Defaults to `true`.<br> (Optional) `name` - The name of the default security group. If not provided, the endpoint name is used for the name of security group.<br> (Optional) `description` - The description of the default security group.<br> (Optional) `ingress_rules` - A list of ingress rules in a security group. You don't need to specify `protocol`, `from_port`, `to_port`. Just specify source information. Defaults to `[{ id = "default", ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `ingress_rules` as defined below.<br> (Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.<br> (Optional) `description` - The description of the rule.<br> (Optional) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined. Defaults to `tcp`.<br> (Optional) `from_port` - The start of port range for the TCP protocols. Defaults to `443`.<br> (Optional) `to_port` - The end of port range for the TCP protocols. Defaults to `443`.<br> (Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.<br> (Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.<br> (Optional) `prefix_lists` - The prefix list IDs to allow.<br> (Optional) `security_groups` - The source security group IDs to allow.<br> (Optional) `self` - Whether the security group itself will be added as a source to this ingress rule. 
| <pre>object({<br> enabled = optional(bool, true)<br> name = optional(string)<br> description = optional(string, "Managed by Terraform.")<br> ingress_rules = optional(<br> list(object({<br> id = string<br> description = optional(string, "Managed by Terraform.")<br> protocol = optional(string)<br> from_port = optional(number)<br> to_port = optional(number)<br> ipv4_cidrs = optional(list(string), [])<br> ipv6_cidrs = optional(list(string), [])<br> prefix_lists = optional(list(string), [])<br> security_groups = optional(list(string), [])<br> self = optional(bool, false)<br> })),<br> [{<br> id = "default"<br> ipv4_cidrs = ["0.0.0.0/0"]<br> }]<br> )<br> })</pre> | `{}` | no |
| <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPV4`, `IPV6` and `DUALSTACK`. Defaults to `IPV4` | `string` | `"IPV4"` | no |
| <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPv4`, `IPv6` and `DUALSTACK`. Defaults to `IPv4` | `string` | `"IPv4"` | no |
| <a name="input_module_tags_enabled"></a> [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
| <a name="input_network_mapping"></a> [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the interface endpoint how routes traffic to targets in which subnets, and in accordance with IP address settings. Choose one subnet for each zone. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the interface endpoint is deleted. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each block of `network_mapping` as defined below.<br> (Required) `subnet` - The id of the subnet of which to attach to the endpoint. You can specify only one subnet per Availability Zone. | <pre>map(object({<br> subnet = string<br> }))</pre> | `{}` | no |
| <a name="input_policy"></a> [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no |
| <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | (Optional) Whether or not to associate a private hosted zone with the specified VPC. | `bool` | `false` | no |
| <a name="input_private_dns"></a> [private\_dns](#input\_private\_dns) | (Optional) The configuration of the private DNS settings for the interface endpoint. `private_dns` block as defined below.<br> (Optional) `enabled` - Whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, `kinesis.us-east-1.amazonaws.com`), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service. Defaults to `false`.<br> (Optional) `record_ip_type` - The type of DNS records created for the endpoint. Valid values are `IPv4`, `IPv6`, `DUALSTACK`, `SERVICE_DEFINED`. Defaults to `IPv4`.<br> (Optional) `only_for_inbound_resolver_endpoint` - Whether to enable private DNS only for inbound endpoints. This option is available only for services that support both gateway and interface endpoints. It routes traffic that originates from the VPC to the gateway endpoint and traffic that originates from on-premises to the interface endpoint. | <pre>object({<br> enabled = optional(bool, false)<br> record_ip_type = optional(string, "IPv4")<br> only_for_inbound_resolver_endpoint = optional(bool, false)<br> })</pre> | `{}` | no |
| <a name="input_resource_group_description"></a> [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
| <a name="input_resource_group_enabled"></a> [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
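Review bot: the `private_dns` row does not say that `record_ip_type` and `only_for_inbound_resolver_endpoint` are only applied when `enabled = true`, which is how main.tf renders the `dns_options` block; a caller setting `record_ip_type = "IPv6"` with `enabled = false` gets no error and no effect, so document the dependency here. Style: the accepted values now mix casings (`IPv4`, `IPv6` alongside `DUALSTACK`, `SERVICE_DEFINED`); either is fine, but pick one convention for the table and the validation messages.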
Expand All @@ -76,6 +76,7 @@ This module creates following resources.
| <a name="output_network_interfaces"></a> [network\_interfaces](#output\_network\_interfaces) | One or more network interfaces for the VPC Endpoint. |
| <a name="output_network_mapping"></a> [network\_mapping](#output\_network\_mapping) | The configuration for the endpoint how routes traffic to targets in which subnets and IP address settings. |
| <a name="output_owner_id"></a> [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. |
| <a name="output_private_dns"></a> [private\_dns](#output\_private\_dns) | The configuration of the private DNS settings for the VPC Endpoint. |
| <a name="output_requester_managed"></a> [requester\_managed](#output\_requester\_managed) | Whether or not the VPC Endpoint is being managed by its service. |
| <a name="output_security_groups"></a> [security\_groups](#output\_security\_groups) | A set of security group IDs which is assigned to the VPC endpoint. |
| <a name="output_service_name"></a> [service\_name](#output\_service\_name) | The service name of the VPC Interface Endpoint. |
22 changes: 18 additions & 4 deletions modules/vpc-interface-endpoint/main.tf
Expand Up @@ -32,15 +32,20 @@ locals {
),
var.security_groups
)

ip_address_types = {
"IPv4" = "ipv4"
"IPv6" = "ipv6"
"DUALSTACK" = "dualstack"
"SERVICE_DEFINED" = "service-defined"
}
}


###################################################
# Interface Endpoint
###################################################

# TODO:
# - `dns_options`
# INFO: Not supported attributes
# - `route_table_ids`
# INFO: Use a separate resource
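Review bot: `local.ip_address_types` now serves two attributes with different valid sets, `ip_address_type` (validated to `IPv4`/`IPv6`/`DUALSTACK` in variables.tf) and `dns_record_ip_type` (which additionally accepts `SERVICE_DEFINED`). A short comment above the map saying it is the shared display-name to provider-value translation, or a name such as `ip_address_type_api_values`, would stop a later reader from assuming `SERVICE_DEFINED` is a valid `ip_address_type` because it appears in the lookup table.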
Expand All @@ -53,9 +58,18 @@ resource "aws_vpc_endpoint" "this" {
auto_accept = var.auto_accept

vpc_id = var.vpc_id
ip_address_type = lower(var.ip_address_type)
ip_address_type = local.ip_address_types[var.ip_address_type]

private_dns_enabled = var.private_dns.enabled

private_dns_enabled = var.private_dns_enabled
dynamic "dns_options" {
for_each = var.private_dns.enabled ? ["go"] : []

content {
dns_record_ip_type = local.ip_address_types[var.private_dns.record_ip_type]
private_dns_only_for_inbound_resolver_endpoint = var.private_dns.only_for_inbound_resolver_endpoint
}
}

timeouts {
create = var.timeouts.create
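Review bot: gating `dynamic "dns_options"` on `var.private_dns.enabled` means `record_ip_type` is silently dropped whenever private DNS is off, although the variable documents it as "the type of DNS records created for the endpoint", not only the private hosted zone records. An `IPv6` or `DUALSTACK` endpoint with `enabled = false` therefore keeps the provider default record type with no warning. Consider rendering the block whenever either setting is non-default, e.g. `for_each = (var.private_dns.enabled || var.private_dns.record_ip_type != "IPv4") ? ["go"] : []`, or alternatively reject a non-default `record_ip_type` when `enabled` is false with a `precondition` so the mismatch fails at plan time instead of vanishing.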
11 changes: 10 additions & 1 deletion modules/vpc-interface-endpoint/outputs.tf
Expand Up @@ -50,7 +50,7 @@ output "network_mapping" {

output "ip_address_type" {
description = "The type of IP addresses used by the VPC endpoint."
value = upper(aws_vpc_endpoint.this.ip_address_type)
value = var.ip_address_type
}

output "default_security_group" {
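Review bot: `value = var.ip_address_type` echoes the caller's input instead of the resource's state, so this output no longer reflects what AWS actually provisioned, which the previous `upper(aws_vpc_endpoint.this.ip_address_type)` did. Keep it derived from the resource by inverting the new lookup map: `value = { for k, v in local.ip_address_types : v => k }[aws_vpc_endpoint.this.ip_address_type]`.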
Expand All @@ -68,6 +68,15 @@ output "network_interfaces" {
value = aws_vpc_endpoint.this.network_interface_ids
}

output "private_dns" {
description = "The configuration of the private DNS settings for the VPC Endpoint."
value = {
enabled = aws_vpc_endpoint.this.private_dns_enabled
record_ip_type = var.private_dns.record_ip_type
only_for_inbound_resolver_endpoint = aws_vpc_endpoint.this.dns_options[0].private_dns_only_for_inbound_resolver_endpoint
}
}

output "dns_entries" {
description = "The DNS entries for the VPC Endpoint."
value = aws_vpc_endpoint.this.dns_entry
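Review bot: `aws_vpc_endpoint.this.dns_options[0].private_dns_only_for_inbound_resolver_endpoint` assumes the provider always populates `dns_options`, but main.tf only declares that block when `var.private_dns.enabled` is true; if the list is empty for an endpoint without private DNS, every plan fails with an invalid index on this output. Guard it, e.g. `try(aws_vpc_endpoint.this.dns_options[0].private_dns_only_for_inbound_resolver_endpoint, var.private_dns.only_for_inbound_resolver_endpoint)` or `one(aws_vpc_endpoint.this.dns_options)`. The `record_ip_type` field also echoes the input rather than reading the resource, which is inconsistent with `enabled` two lines above that reads `aws_vpc_endpoint.this.private_dns_enabled`.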
27 changes: 18 additions & 9 deletions modules/vpc-interface-endpoint/variables.tf
Expand Up @@ -36,22 +36,31 @@ variable "network_mapping" {
}

variable "ip_address_type" {
description = "(Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPV4`, `IPV6` and `DUALSTACK`. Defaults to `IPV4`"
description = "(Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPv4`, `IPv6` and `DUALSTACK`. Defaults to `IPv4`"
type = string
default = "IPV4"
default = "IPv4"
nullable = false

validation {
condition = contains(["IPV4", "IPV6", "DUALSTACK"], var.ip_address_type)
error_message = "The possible values are `IPV4`, `IPV6` and `DUALSTACK`."
condition = contains(["IPv4", "IPv6", "DUALSTACK"], var.ip_address_type)
error_message = "The possible values are `IPv4`, `IPv6` and `DUALSTACK`."
}
}

variable "private_dns_enabled" {
description = "(Optional) Whether or not to associate a private hosted zone with the specified VPC."
type = bool
default = false
nullable = false
variable "private_dns" {
description = <<EOF
(Optional) The configuration of the private DNS settings for the interface endpoint. `private_dns` block as defined below.
(Optional) `enabled` - Whether to associate a private hosted zone with the specified VPC. The private hosted zone contains a record set for the default public DNS name for the service for the Region (for example, `kinesis.us-east-1.amazonaws.com`), which resolves to the private IP addresses of the endpoint network interfaces in the VPC. This enables you to make requests to the default public DNS name for the service instead of the public DNS names that are automatically generated by the VPC endpoint service. Defaults to `false`.
(Optional) `record_ip_type` - The type of DNS records created for the endpoint. Valid values are `IPv4`, `IPv6`, `DUALSTACK`, `SERVICE_DEFINED`. Defaults to `IPv4`.
(Optional) `only_for_inbound_resolver_endpoint` - Whether to enable private DNS only for inbound endpoints. This option is available only for services that support both gateway and interface endpoints. It routes traffic that originates from the VPC to the gateway endpoint and traffic that originates from on-premises to the interface endpoint.
EOF
type = object({
enabled = optional(bool, false)
record_ip_type = optional(string, "IPv4")
only_for_inbound_resolver_endpoint = optional(bool, false)
})
default = {}
nullable = false
}

variable "default_security_group" {
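Review bot: two breaking changes land here without a migration path: `private_dns_enabled` is removed outright rather than kept as a deprecated alias folded into `private_dns`, and the accepted `ip_address_type` values change from `IPV4`/`IPV6` to `IPv4`/`IPv6`, so existing root modules fail the `validation` block on upgrade. Call both out in the commit/changelog, or accept both spellings for one release (`contains(["IPv4", "IPV4", ...])` or `lower()` before the lookup). Separately, `private_dns.record_ip_type` has no `validation` block, so a typo surfaces at plan time as an opaque invalid-index error from `local.ip_address_types[...]` in main.tf rather than a clear message; add `validation { condition = contains(["IPv4", "IPv6", "DUALSTACK", "SERVICE_DEFINED"], var.private_dns.record_ip_type) error_message = "..." }` to match the other inputs.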