diff --git a/examples/vpc-interface-endpoint-full/main.tf b/examples/vpc-interface-endpoint-full/main.tf
index fc577d0..693119b 100644
--- a/examples/vpc-interface-endpoint-full/main.tf
+++ b/examples/vpc-interface-endpoint-full/main.tf
@@ -49,7 +49,7 @@ module "endpoint" {
## Network
vpc_id = data.aws_vpc.default.id
- ip_address_type = "IPV4"
+ ip_address_type = "IPv4"
network_mapping = {
"use1-az1" = {
subnet = data.aws_subnet.default["use1-az1"].id
@@ -77,7 +77,11 @@ module "endpoint" {
## DNS
- private_dns_enabled = false
+ private_dns = {
+ enabled = true
+ record_ip_type = "IPv4"
+ only_for_inbound_resolver_endpoint = false
+ }
## Notifications
diff --git a/modules/vpc-interface-endpoint/README.md b/modules/vpc-interface-endpoint/README.md
index 2b49e55..7c1b728 100644
--- a/modules/vpc-interface-endpoint/README.md
+++ b/modules/vpc-interface-endpoint/README.md
@@ -50,11 +50,11 @@ This module creates following resources.
| [auto\_accept](#input\_auto\_accept) | (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account). | `bool` | `true` | no |
| [connection\_notifications](#input\_connection\_notifications) | (Optional) A list of configurations of Endpoint Connection Notifications for VPC Endpoint events. Each block of `connection_notifications` as defined below.
(Required) `name` - The name of the configuration for connection notification. This value is only used internally within Terraform code.
(Required) `sns_topic` - The Amazon Resource Name (ARN) of the SNS topic for the notifications.
(Required) `events` - One or more endpoint events for which to receive notifications. Valid values are `Accept`, `Reject`, `Connect` and `Delete`. |
list(object({| `[]` | no |
 | [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the interface endpoint. `default_security_group` block as defined below.
name = string
sns_topic = string
events = set(string)
}))
object({| `{}` | no |
-| [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPV4`, `IPV6` and `DUALSTACK`. Defaults to `IPV4` | `string` | `"IPV4"` | no |
+| [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPv4`, `IPv6` and `DUALSTACK`. Defaults to `IPv4` | `string` | `"IPv4"` | no |
 | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no |
 | [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the interface endpoint how routes traffic to targets in which subnets, and in accordance with IP address settings. Choose one subnet for each zone. An endpoint network interface is assigned a private IP address from the IP address range of your subnet, and keeps this IP address until the interface endpoint is deleted. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each block of `network_mapping` as defined below.
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = optional(string)
from_port = optional(number)
to_port = optional(number)
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
})
map(object({| `{}` | no |
 | [policy](#input\_policy) | (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies. | `string` | `null` | no |
-| [private\_dns\_enabled](#input\_private\_dns\_enabled) | (Optional) Whether or not to associate a private hosted zone with the specified VPC. | `bool` | `false` | no |
+| [private\_dns](#input\_private\_dns) | (Optional) The configuration of the private DNS settings for the interface endpoint. `private_dns` block as defined below.
subnet = string
}))
object({| `{}` | no |
 | [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no |
 | [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no |
 | [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
@@ -76,6 +76,7 @@ This module creates following resources.
 | [network\_interfaces](#output\_network\_interfaces) | One or more network interfaces for the VPC Endpoint. |
 | [network\_mapping](#output\_network\_mapping) | The configuration for the endpoint how routes traffic to targets in which subnets and IP address settings. |
 | [owner\_id](#output\_owner\_id) | The Owner ID of the VPC endpoint. |
+| [private\_dns](#output\_private\_dns) | The configuration of the private DNS settings for the VPC Endpoint. |
 | [requester\_managed](#output\_requester\_managed) | Whether or not the VPC Endpoint is being managed by its service. |
 | [security\_groups](#output\_security\_groups) | A set of security group IDs which is assigned to the VPC endpoint. |
 | [service\_name](#output\_service\_name) | The service name of the VPC Interface Endpoint. |
diff --git a/modules/vpc-interface-endpoint/main.tf b/modules/vpc-interface-endpoint/main.tf
index 0181de5..71db059 100644
--- a/modules/vpc-interface-endpoint/main.tf
+++ b/modules/vpc-interface-endpoint/main.tf
@@ -32,6 +32,13 @@ locals {
 ),
 var.security_groups
 )
+
+ ip_address_types = {
+ "IPv4" = "ipv4"
+ "IPv6" = "ipv6"
+ "DUALSTACK" = "dualstack"
+ "SERVICE_DEFINED" = "service-defined"
+ }
 }
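Review bot: The new `ip_address_types` map in the locals block has no comment saying what it is for, and its key set is wider than what the module accepts for the endpoint itself: `SERVICE_DEFINED` has no counterpart in the `ip_address_type` validation in variables.tf (`IPv4`, `IPv6`, `DUALSTACK`), so a reader cannot tell whether it is a leftover or intended only for the DNS record type. Add `# Translates the module's value names to the provider's lower-case argument values; SERVICE_DEFINED applies only to dns_record_ip_type, not to ip_address_type.` above the map. Because the resource block in the following hunk indexes this map directly with `var.private_dns.record_ip_type`, any value outside these four keys surfaces as an "Invalid index" plan error instead of a variable validation message; the `variable "private_dns"` definition is cut off in this diff, so confirm it carries a `validation` block that restricts `record_ip_type` to exactly these keys. The enclosing `locals` block starts outside the hunk.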
@@ -39,8 +46,6 @@ locals {
 # Interface Endpoint
 ###################################################
-# TODO:
-# - `dns_options`
 # INFO: Not supported attributes
 # - `route_table_ids`
 # INFO: Use a separate resource
@@ -53,9 +58,18 @@ resource "aws_vpc_endpoint" "this" {
 auto_accept = var.auto_accept
 vpc_id = var.vpc_id
- ip_address_type = lower(var.ip_address_type)
+ ip_address_type = local.ip_address_types[var.ip_address_type]
+
+ private_dns_enabled = var.private_dns.enabled
- private_dns_enabled = var.private_dns_enabled
+ dynamic "dns_options" {
+ for_each = var.private_dns.enabled ? ["go"] : []
+
+ content {
+ dns_record_ip_type = local.ip_address_types[var.private_dns.record_ip_type]
+ private_dns_only_for_inbound_resolver_endpoint = var.private_dns.only_for_inbound_resolver_endpoint
+ }
+ }
 timeouts {
 create = var.timeouts.create
diff --git a/modules/vpc-interface-endpoint/outputs.tf b/modules/vpc-interface-endpoint/outputs.tf
index 381679a..61d8d22 100644
--- a/modules/vpc-interface-endpoint/outputs.tf
+++ b/modules/vpc-interface-endpoint/outputs.tf
@@ -50,7 +50,7 @@ output "network_mapping" {
 output "ip_address_type" {
 description = "The type of IP addresses used by the VPC endpoint."
- value = upper(aws_vpc_endpoint.this.ip_address_type)
+ value = var.ip_address_type
 }
 output "default_security_group" {
@@ -68,6 +68,15 @@ output "network_interfaces" {
 value = aws_vpc_endpoint.this.network_interface_ids
 }
+output "private_dns" {
+ description = "The configuration of the private DNS settings for the VPC Endpoint."
+ value = {
+ enabled = aws_vpc_endpoint.this.private_dns_enabled
+ record_ip_type = var.private_dns.record_ip_type
+ only_for_inbound_resolver_endpoint = aws_vpc_endpoint.this.dns_options[0].private_dns_only_for_inbound_resolver_endpoint
+ }
+}
+
 output "dns_entries" {
 description = "The DNS entries for the VPC Endpoint."
 value = aws_vpc_endpoint.this.dns_entry
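Review bot: `aws_vpc_endpoint.this.dns_options[0]` in the new `private_dns` output is a hard index into a block that main.tf only declares when `var.private_dns.enabled` is true; if the provider reports an empty `dns_options` list for an endpoint created without that block, every plan with private DNS disabled fails on this output with an "Invalid index" error. Guard the lookup so the disabled case degrades to the configured value, e.g. `only_for_inbound_resolver_endpoint = try(aws_vpc_endpoint.this.dns_options[0].private_dns_only_for_inbound_resolver_endpoint, var.private_dns.only_for_inbound_resolver_endpoint)`. Separately, the `ip_address_type` output in the earlier hunk now echoes `var.ip_address_type` rather than the resource attribute, so it no longer reflects what the endpoint actually has; if that is deliberate to keep the module's casing, a comment such as `# Echoes the input to preserve the module's value names; the resource reports the lower-case form.` would make that clear.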
diff --git a/modules/vpc-interface-endpoint/variables.tf b/modules/vpc-interface-endpoint/variables.tf
index c11aa8c..28bc041 100644
--- a/modules/vpc-interface-endpoint/variables.tf
+++ b/modules/vpc-interface-endpoint/variables.tf
@@ -36,22 +36,31 @@ variable "network_mapping" {
 }
 variable "ip_address_type" {
- description = "(Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPV4`, `IPV6` and `DUALSTACK`. Defaults to `IPV4`"
+ description = "(Optional) The type of IP addresses used by the subnets for the interface endpoint. The possible values are `IPv4`, `IPv6` and `DUALSTACK`. Defaults to `IPv4`"
 type = string
- default = "IPV4"
+ default = "IPv4"
 nullable = false
 validation {
- condition = contains(["IPV4", "IPV6", "DUALSTACK"], var.ip_address_type)
- error_message = "The possible values are `IPV4`, `IPV6` and `DUALSTACK`."
+ condition = contains(["IPv4", "IPv6", "DUALSTACK"], var.ip_address_type)
+ error_message = "The possible values are `IPv4`, `IPv6` and `DUALSTACK`."
 }
 }
-variable "private_dns_enabled" {
- description = "(Optional) Whether or not to associate a private hosted zone with the specified VPC."
- type = bool
- default = false
- nullable = false
+variable "private_dns" {
+ description = <
enabled = optional(bool, false)
record_ip_type = optional(string, "IPv4")
only_for_inbound_resolver_endpoint = optional(bool, false)
})