diff --git a/README.md b/README.md
index 2c6636096..fe1240063 100644
--- a/README.md
+++ b/README.md
@@ -213,6 +213,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | cloudtrail\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | string | `"false"` | no |
 | cloudtrail\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | list | `[]` | no |
 | cloudtrail\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CODEBUILD endpoint | string | `"false"` | no |
+| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CODEBUILD endpoint | list | `[]` | no |
+| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CODEBUILD endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CODECOMMIT endpoint | string | `"false"` | no |
+| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CODECOMMIT endpoint | list | `[]` | no |
+| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CODECOMMIT endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| config\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CONFIG endpoint | string | `"false"` | no |
+| config\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CONFIG endpoint | list | `[]` | no |
+| config\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CONFIG endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | create\_database\_internet\_gateway\_route | Controls if an internet gateway route for public database access should be created | string | `"false"` | no |
 | create\_database\_nat\_gateway\_route | Controls if a nat gateway route should be created to give internet access to the database subnets | string | `"false"` | no |
 | create\_database\_subnet\_group | Controls if database subnet group should be created | string | `"true"` | no |
@@ -280,6 +289,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | string | `"false"` | no |
 | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | string | `"false"` | no |
+| enable\_codebuild\_endpoint | Should be true if you want to provision an CODEBUILD endpoint to the VPC | string | `"false"` | no |
+| enable\_codecommit\_endpoint | Should be true if you want to provision an CODECOMMIT endpointto the VPC | string | `"false"` | no |
+| enable\_config\_endpoint | Should be true if you want to provision an CONFIG endpoint to the VPC | string | `"false"` | no |
 | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | string | `"false"` | no |
 | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | string | `"false"` | no |
 | enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no |
@@ -293,21 +305,35 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | string | `"false"` | no |
 | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | string | `"false"` | no |
 | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | string | `"false"` | no |
+| enable\_git\_codecommit\_endpoint | Should be true if you want to provision an GIT_CODECOMMIT endpoint to the VPC | string | `"false"` | no |
+| enable\_glue\_endpoint | Should be true if you want to provision an GLUE endpoint to the VPC | string | `"false"` | no |
+| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision an KINESIS_FIREHOSE endpoint to the VPC | string | `"false"` | no |
+| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision an KINESIS_STREAMS endpoint to the VPC | string | `"false"` | no |
 | enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no |
 | enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | string | `"false"` | no |
 | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | string | `"false"` | no |
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no |
 | enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no |
+| enable\_sagemaker\_notebook\_endpoint | Should be true if you want to provision an SAGEMAKER_NOTEBOOK endpoint to the VPC | string | `"false"` | no |
+| enable\_secretsmanager\_endpoint | Should be true if you want to provision an SECRETSMANAGER endpoint to the VPC | string | `"false"` | no |
 | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | string | `"false"` | no |
 | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | string | `"false"` | no |
 | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no |
 | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no |
+| enable\_sts\_endpoint | Should be true if you want to provision an STS endpoint to theVPC | string | `"false"` | no |
+| enable\_transferserver\_endpoint | Should be true if you want to provision an TRANSFERSERVER endpoint to the VPC | string | `"false"` | no |
 | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no |
 | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | string | `"false"` | no |
 | events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | list | `[]` | no |
 | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no |
+| git\_codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for GIT_CODECOMMIT endpoint | string | `"false"` | no |
+| git\_codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for GIT_CODECOMMIT endpoint | list | `[]` | no |
+| git\_codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for GIT_CODECOMMIT endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| glue\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for GLUE endpoint | string | `"false"` | no |
+| glue\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for GLUE endpoint | list | `[]` | no |
+| glue\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for GLUE endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | igw\_tags | Additional tags for the internet gateway | map | `{}` | no |
 | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no |
 | intra\_acl\_tags | Additional tags for the intra subnets network ACL | map | `{}` | no |
@@ -318,6 +344,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
 | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no |
 | intra\_subnets | A list of intra subnets | list | `[]` | no |
+| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KINESIS_FIREHOSE endpoint | string | `"false"` | no |
+| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KINESIS_FIREHOSE endpoint | list | `[]` | no |
+| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KINESIS_FIREHOSE endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KINESIS_STREAMS endpoint | string | `"false"` | no |
+| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KINESIS_STREAMS endpoint | list | `[]` | no |
+| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KINESIS_STREAMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | string | `"false"` | no |
 | kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list | `[]` | no |
 | kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
@@ -362,7 +394,13 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | redshift\_subnet\_tags | Additional tags for the redshift subnets | map | `{}` | no |
 | redshift\_subnets | A list of redshift subnets | list | `[]` | no |
 | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | string | `"false"` | no |
+| sagemaker\_notebook\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SAGEMAKER_NOTEBOOK endpoint | string | `"false"` | no |
+| sagemaker\_notebook\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SAGEMAKER_NOTEBOOK endpoint | list | `[]` | no |
+| sagemaker\_notebook\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SAGEMAKER_NOTEBOOK endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list | `[]` | no |
+| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SECRETSMANAGER endpoint | string | `"false"` | no |
+| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SECRETSMANAGER endpoint | list | `[]` | no |
+| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SECRETSMANAGER endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | string | `"false"` | no |
 | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | string | `"false"` | no |
 | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | list | `[]` | no |
@@ -376,7 +414,13 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| sts\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for STS endpoint | string | `"false"` | no |
+| sts\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for STS endpoint | list | `[]` | no |
+| sts\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | tags | A map of tags to add to all resources | map | `{}` | no |
+| transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for TRANSFERSERVER endpoint | string | `"false"` | no |
+| transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for TRANSFERSERVER endpoint | list | `[]` | no |
+| transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for TRANSFERSERVER endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | vpc\_endpoint\_tags | Additional tags for the VPC Endpoints | map | `{}` | no |
 | vpc\_tags | Additional tags for the VPC | map | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
@@ -448,6 +492,15 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_cloudtrail\_dns\_entry | The DNS entries for the VPC Endpoint for CloudTrail. |
 | vpc\_endpoint\_cloudtrail\_id | The ID of VPC endpoint for CloudTrail |
 | vpc\_endpoint\_cloudtrail\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudTrail. |
+| vpc\_endpoint\_codebuild\_dns\_entry | The DNS entries for the VPC Endpoint for CODEBUILD. |
+| vpc\_endpoint\_codebuild\_id | The ID of VPC endpoint for CODEBUILD |
+| vpc\_endpoint\_codebuild\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CODEBUILD. |
+| vpc\_endpoint\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for CODECOMMIT. |
+| vpc\_endpoint\_codecommit\_id | The ID of VPC endpoint for CODECOMMIT |
+| vpc\_endpoint\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CODECOMMIT. |
+| vpc\_endpoint\_config\_dns\_entry | The DNS entries for the VPC Endpoint for CONFIG. |
+| vpc\_endpoint\_config\_id | The ID of VPC endpoint for CONFIG |
+| vpc\_endpoint\_config\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CONFIG. |
 | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB |
 | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. |
 | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. |
@@ -477,6 +530,18 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
 | vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
 | vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
+| vpc\_endpoint\_git\_codecommit\_dns\_entry | The DNS entries for the VPC Endpoint for GIT_CODECOMMIT. |
+| vpc\_endpoint\_git\_codecommit\_id | The ID of VPC endpoint for GIT_CODECOMMIT |
+| vpc\_endpoint\_git\_codecommit\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for GIT_CODECOMMIT. |
+| vpc\_endpoint\_glue\_dns\_entry | The DNS entries for the VPC Endpoint for GLUE. |
+| vpc\_endpoint\_glue\_id | The ID of VPC endpoint for GLUE |
+| vpc\_endpoint\_glue\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for GLUE. |
+| vpc\_endpoint\_kinesis\_firehose\_dns\_entry | The DNS entries for the VPC Endpoint for KINESIS_FIREHOSE. |
+| vpc\_endpoint\_kinesis\_firehose\_id | The ID of VPC endpoint for KINESIS_FIREHOSE |
+| vpc\_endpoint\_kinesis\_firehose\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KINESIS_FIREHOSE. |
+| vpc\_endpoint\_kinesis\_streams\_dns\_entry | The DNS entries for the VPC Endpoint for KINESIS_STREAMS. |
+| vpc\_endpoint\_kinesis\_streams\_id | The ID of VPC endpoint for KINESIS_STREAMS |
+| vpc\_endpoint\_kinesis\_streams\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KINESIS_STREAMS. |
 | vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
 | vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
 | vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
@@ -488,6 +553,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
+| vpc\_endpoint\_sagemaker\_notebook\_dns\_entry | The DNS entries for the VPC Endpoint for SAGEMAKER_NOTEBOOK. |
+| vpc\_endpoint\_sagemaker\_notebook\_id | The ID of VPC endpoint for SAGEMAKER_NOTEBOOK |
+| vpc\_endpoint\_sagemaker\_notebook\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SAGEMAKER_NOTEBOOK. |
+| vpc\_endpoint\_secretsmanager\_dns\_entry | The DNS entries for the VPC Endpoint for SECRETSMANAGER. |
+| vpc\_endpoint\_secretsmanager\_id | The ID of VPC endpoint for SECRETSMANAGER |
+| vpc\_endpoint\_secretsmanager\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SECRETSMANAGER. |
 | vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
 | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
 | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
@@ -500,6 +571,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_sts\_dns\_entry | The DNS entries for the VPC Endpoint for STS. |
+| vpc\_endpoint\_sts\_id | The ID of VPC endpoint for STS |
+| vpc\_endpoint\_sts\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for STS. |
+| vpc\_endpoint\_transferserver\_dns\_entry | The DNS entries for the VPC Endpoint for TRANSFERSERVER. |
+| vpc\_endpoint\_transferserver\_id | The ID of VPC endpoint for TRANSFERSERVER |
+| vpc\_endpoint\_transferserver\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for TRANSFERSERVER. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |
diff --git a/main.tf b/main.tf
index 95cc5bdba..940004e77 100644
--- a/main.tf
+++ b/main.tf
@@ -589,498 +589,6 @@ resource "aws_route" "private_nat_gateway" { } } -###################### -# VPC Endpoint for S3 -###################### -data "aws_vpc_endpoint_service" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" - - service = "s3" -} - -resource "aws_vpc_endpoint" "s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.s3.service_name}" - - tags = "${local.vpce_tags}" -} - -resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" -} - -resource "aws_vpc_endpoint_route_table_association" "intra_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" -} - -resource "aws_vpc_endpoint_route_table_association" "public_s3" { - count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}" - route_table_id = "${aws_route_table.public.id}" -} - -############################ -# VPC Endpoint for DynamoDB -############################ -data "aws_vpc_endpoint_service" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" - - service = "dynamodb" -} - -resource "aws_vpc_endpoint" "dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}" - - tags = "${local.vpce_tags}" -} - -resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 
local.nat_gateway_count : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.private.*.id, count.index)}" -} - -resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${element(aws_route_table.intra.*.id, 0)}" -} - -resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { - count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}" - - vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}" - route_table_id = "${aws_route_table.public.id}" -} - -####################### -# VPC Endpoint for SQS -####################### -data "aws_vpc_endpoint_service" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - service = "sqs" -} - -resource "aws_vpc_endpoint" "sqs" { - count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.sqs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for SSM -####################### -data "aws_vpc_endpoint_service" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}" - - service = "ssm" -} - -resource "aws_vpc_endpoint" "ssm" { - count = "${var.create_vpc && var.enable_ssm_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ssm_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -############################### -# VPC Endpoint for SSMMESSAGES -############################### -data "aws_vpc_endpoint_service" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" - - service = "ssmmessages" -} - -resource "aws_vpc_endpoint" "ssmmessages" { - count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for EC2 -####################### -data "aws_vpc_endpoint_service" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}" - - service = "ec2" -} - -resource "aws_vpc_endpoint" "ec2" { - count = "${var.create_vpc && var.enable_ec2_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ec2_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -############################### -# VPC Endpoint for EC2MESSAGES -############################### -data "aws_vpc_endpoint_service" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" - - service = "ec2messages" -} - -resource "aws_vpc_endpoint" "ec2messages" { - count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -########################### -# VPC Endpoint for ECR API -########################### -data "aws_vpc_endpoint_service" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}" - - service = "ecr.api" -} - -resource "aws_vpc_endpoint" "ecr_api" { - count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -########################### -# VPC Endpoint for ECR DKR -########################### -data "aws_vpc_endpoint_service" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" - - service = "ecr.dkr" -} - -resource "aws_vpc_endpoint" "ecr_dkr" { - count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for API Gateway -####################### -data "aws_vpc_endpoint_service" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" - - service = "execute-api" -} - -resource "aws_vpc_endpoint" "apigw" { - count = "${var.create_vpc && var.enable_apigw_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for KMS -####################### -data "aws_vpc_endpoint_service" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" - - service = "kms" -} - -resource "aws_vpc_endpoint" "kms" { - count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.kms_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS -####################### -data "aws_vpc_endpoint_service" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" - - service = "ecs" -} - -resource "aws_vpc_endpoint" "ecs" { - count = "${var.create_vpc && var.enable_ecs_endpoint ? 
1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS Agent -####################### -data "aws_vpc_endpoint_service" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - service = "ecs-agent" -} - -resource "aws_vpc_endpoint" "ecs_agent" { - count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" - - vpc_id = "${local.vpc_id}" - service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}" - vpc_endpoint_type = "Interface" - - security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"] - subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"] - private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}" - - tags = "${local.vpce_tags}" -} - -####################### -# VPC Endpoint for ECS Telemetry -####################### -data "aws_vpc_endpoint_service" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" - - service = "ecs-telemetry" -} - -resource "aws_vpc_endpoint" "ecs_telemetry" { - count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for Elasic Load Balancing
-#######################
-data "aws_vpc_endpoint_service" "elasticloadbalancing" {
- count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}"
-
- service = "elasticloadbalancing"
-}
-
-resource "aws_vpc_endpoint" "elasticloadbalancing" {
- count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.elasticloadbalancing.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.elasticloadbalancing_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.elasticloadbalancing_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for SNS
-#######################
-data "aws_vpc_endpoint_service" "sns" {
- count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}"
-
- service = "sns"
-}
-
-resource "aws_vpc_endpoint" "sns" {
- count = "${var.create_vpc && var.enable_sns_endpoint ? 
1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.sns.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.sns_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.sns_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for CloudWatch Logs
-#######################
-data "aws_vpc_endpoint_service" "logs" {
- count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}"
-
- service = "logs"
-}
-
-resource "aws_vpc_endpoint" "logs" {
- count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.logs.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.logs_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.logs_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for CloudTrail
-#######################
-data "aws_vpc_endpoint_service" "cloudtrail" {
- count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}"
-
- service = "cloudtrail"
-}
-
-resource "aws_vpc_endpoint" "cloudtrail" {
- count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 
1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.cloudtrail.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.cloudtrail_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.cloudtrail_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for CloudWatch Monitoring
-#######################
-data "aws_vpc_endpoint_service" "monitoring" {
- count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}"
-
- service = "monitoring"
-}
-
-resource "aws_vpc_endpoint" "monitoring" {
- count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.monitoring.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.monitoring_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.monitoring_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
-#######################
-# VPC Endpoint for CloudWatch Events
-#######################
-data "aws_vpc_endpoint_service" "events" {
- count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}"
-
- service = "events"
-}
-
-resource "aws_vpc_endpoint" "events" {
- count = "${var.create_vpc && var.enable_events_endpoint ? 
1 : 0}"
-
- vpc_id = "${local.vpc_id}"
- service_name = "${data.aws_vpc_endpoint_service.events.service_name}"
- vpc_endpoint_type = "Interface"
-
- security_group_ids = ["${var.events_endpoint_security_group_ids}"]
- subnet_ids = ["${coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
- private_dns_enabled = "${var.events_endpoint_private_dns_enabled}"
-
- tags = "${local.vpce_tags}"
-}
-
 ##########################
 # Route table association
 ##########################
diff --git a/outputs.tf b/outputs.tf
index c582d05b5..33a4c290e 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -614,6 +614,171 @@ output "vpc_endpoint_events_dns_entry" {
 value = "${flatten(aws_vpc_endpoint.events.*.dns_entry)}"
 }
+output "vpc_endpoint_codebuild_id" {
+ description = "The ID of VPC endpoint for CODEBUILD"
+ value = "${element(concat(aws_vpc_endpoint.codebuild.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_codebuild_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CODEBUILD."
+ value = "${flatten(aws_vpc_endpoint.codebuild.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_codebuild_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CODEBUILD."
+ value = "${flatten(aws_vpc_endpoint.codebuild.*.dns_entry)}"
+}
+
+output "vpc_endpoint_codecommit_id" {
+ description = "The ID of VPC endpoint for CODECOMMIT"
+ value = "${element(concat(aws_vpc_endpoint.codecommit.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_codecommit_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CODECOMMIT."
+ value = "${flatten(aws_vpc_endpoint.codecommit.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_codecommit_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CODECOMMIT."
+ value = "${flatten(aws_vpc_endpoint.codecommit.*.dns_entry)}"
+}
+
+output "vpc_endpoint_git_codecommit_id" {
+ description = "The ID of VPC endpoint for GIT_CODECOMMIT"
+ value = "${element(concat(aws_vpc_endpoint.git_codecommit.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_git_codecommit_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for GIT_CODECOMMIT."
+ value = "${flatten(aws_vpc_endpoint.git_codecommit.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_git_codecommit_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for GIT_CODECOMMIT." 
+ value = "${flatten(aws_vpc_endpoint.git_codecommit.*.dns_entry)}"
+}
+
+output "vpc_endpoint_config_id" {
+ description = "The ID of VPC endpoint for CONFIG"
+ value = "${element(concat(aws_vpc_endpoint.config.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_config_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for CONFIG."
+ value = "${flatten(aws_vpc_endpoint.config.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_config_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for CONFIG."
+ value = "${flatten(aws_vpc_endpoint.config.*.dns_entry)}"
+}
+
+output "vpc_endpoint_secretsmanager_id" {
+ description = "The ID of VPC endpoint for SECRETSMANAGER"
+ value = "${element(concat(aws_vpc_endpoint.secretsmanager.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_secretsmanager_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for SECRETSMANAGER."
+ value = "${flatten(aws_vpc_endpoint.secretsmanager.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_secretsmanager_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for SECRETSMANAGER."
+ value = "${flatten(aws_vpc_endpoint.secretsmanager.*.dns_entry)}"
+}
+
+output "vpc_endpoint_transferserver_id" {
+ description = "The ID of VPC endpoint for TRANSFERSERVER"
+ value = "${element(concat(aws_vpc_endpoint.transferserver.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_transferserver_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for TRANSFERSERVER."
+ value = "${flatten(aws_vpc_endpoint.transferserver.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_transferserver_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for TRANSFERSERVER." 
+ value = "${flatten(aws_vpc_endpoint.transferserver.*.dns_entry)}"
+}
+
+output "vpc_endpoint_kinesis_streams_id" {
+ description = "The ID of VPC endpoint for KINESIS_STREAMS"
+ value = "${element(concat(aws_vpc_endpoint.kinesis_streams.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_kinesis_streams_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for KINESIS_STREAMS."
+ value = "${flatten(aws_vpc_endpoint.kinesis_streams.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_kinesis_streams_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for KINESIS_STREAMS."
+ value = "${flatten(aws_vpc_endpoint.kinesis_streams.*.dns_entry)}"
+}
+
+output "vpc_endpoint_kinesis_firehose_id" {
+ description = "The ID of VPC endpoint for KINESIS_FIREHOSE"
+ value = "${element(concat(aws_vpc_endpoint.kinesis_firehose.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_kinesis_firehose_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for KINESIS_FIREHOSE."
+ value = "${flatten(aws_vpc_endpoint.kinesis_firehose.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_kinesis_firehose_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for KINESIS_FIREHOSE."
+ value = "${flatten(aws_vpc_endpoint.kinesis_firehose.*.dns_entry)}"
+}
+
+output "vpc_endpoint_glue_id" {
+ description = "The ID of VPC endpoint for GLUE"
+ value = "${element(concat(aws_vpc_endpoint.glue.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_glue_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for GLUE."
+ value = "${flatten(aws_vpc_endpoint.glue.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_glue_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for GLUE." 
+ value = "${flatten(aws_vpc_endpoint.glue.*.dns_entry)}"
+}
+
+output "vpc_endpoint_sagemaker_notebook_id" {
+ description = "The ID of VPC endpoint for SAGEMAKER_NOTEBOOK"
+ value = "${element(concat(aws_vpc_endpoint.sagemaker_notebook.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_sagemaker_notebook_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for SAGEMAKER_NOTEBOOK."
+ value = "${flatten(aws_vpc_endpoint.sagemaker_notebook.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_sagemaker_notebook_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for SAGEMAKER_NOTEBOOK."
+ value = "${flatten(aws_vpc_endpoint.sagemaker_notebook.*.dns_entry)}"
+}
+
+output "vpc_endpoint_sts_id" {
+ description = "The ID of VPC endpoint for STS"
+ value = "${element(concat(aws_vpc_endpoint.sts.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_sts_network_interface_ids" {
+ description = "One or more network interfaces for the VPC Endpoint for STS."
+ value = "${flatten(aws_vpc_endpoint.sts.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_sts_dns_entry" {
+ description = "The DNS entries for the VPC Endpoint for STS."
+ value = "${flatten(aws_vpc_endpoint.sts.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
 description = "A list of availability zones specified as argument to this module"
diff --git a/variables.tf b/variables.tf
index 69779f93e..375558d17 100644
--- a/variables.tf
+++ b/variables.tf
@@ -544,6 +544,226 @@ variable "monitoring_endpoint_private_dns_enabled" {
 default = false
 }
+variable "enable_codebuild_endpoint" {
+ description = "Should be true if you want to provision an CODEBUILD endpoint to the VPC"
+ default = false
+}
+
+variable "codebuild_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CODEBUILD endpoint"
+ default = []
+}
+
+variable "codebuild_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CODEBUILD endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "codebuild_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CODEBUILD endpoint"
+ default = false
+}
+
+variable "enable_codecommit_endpoint" {
+ description = "Should be true if you want to provision an CODECOMMIT endpointto the VPC"
+ default = false
+}
+
+variable "codecommit_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CODECOMMIT endpoint"
+ default = []
+}
+
+variable "codecommit_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CODECOMMIT endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "codecommit_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CODECOMMIT endpoint"
+ default = false
+}
+
+variable "enable_git_codecommit_endpoint" {
+ description = "Should be true if you want to provision an GIT_CODECOMMIT endpoint to the VPC"
+ default = false
+}
+
+variable "git_codecommit_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for GIT_CODECOMMIT endpoint"
+ default = []
+}
+
+variable "git_codecommit_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for GIT_CODECOMMIT endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "git_codecommit_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for GIT_CODECOMMIT endpoint"
+ default = false
+}
+
+variable "enable_config_endpoint" {
+ description = "Should be true if you want to provision an CONFIG endpoint to the VPC"
+ default = false
+}
+
+variable "config_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for CONFIG endpoint"
+ default = []
+}
+
+variable "config_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for CONFIG endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "config_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for CONFIG endpoint"
+ default = false
+}
+
+variable "enable_secretsmanager_endpoint" {
+ description = "Should be true if you want to provision an SECRETSMANAGER endpoint to the VPC"
+ default = false
+}
+
+variable "secretsmanager_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for SECRETSMANAGER endpoint"
+ default = []
+}
+
+variable "secretsmanager_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for SECRETSMANAGER endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "secretsmanager_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for SECRETSMANAGER endpoint"
+ default = false
+}
+
+variable "enable_transferserver_endpoint" {
+ description = "Should be true if you want to provision an TRANSFERSERVER endpoint to the VPC"
+ default = false
+}
+
+variable "transferserver_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for TRANSFERSERVER endpoint"
+ default = []
+}
+
+variable "transferserver_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for TRANSFERSERVER endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "transferserver_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for TRANSFERSERVER endpoint"
+ default = false
+}
+
+variable "enable_kinesis_streams_endpoint" {
+ description = "Should be true if you want to provision an KINESIS_STREAMS endpoint to the VPC"
+ default = false
+}
+
+variable "kinesis_streams_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for KINESIS_STREAMS endpoint"
+ default = []
+}
+
+variable "kinesis_streams_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for KINESIS_STREAMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "kinesis_streams_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for KINESIS_STREAMS endpoint"
+ default = false
+}
+
+variable "enable_kinesis_firehose_endpoint" {
+ description = "Should be true if you want to provision an KINESIS_FIREHOSE endpoint to the VPC"
+ default = false
+}
+
+variable "kinesis_firehose_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for KINESIS_FIREHOSE endpoint"
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for KINESIS_FIREHOSE endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "kinesis_firehose_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for KINESIS_FIREHOSE endpoint"
+ default = false
+}
+
+variable "enable_glue_endpoint" {
+ description = "Should be true if you want to provision an GLUE endpoint to the VPC"
+ default = false
+}
+
+variable "glue_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for GLUE endpoint"
+ default = []
+}
+
+variable "glue_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for GLUE endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "glue_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for GLUE endpoint"
+ default = false
+}
+
+variable "enable_sagemaker_notebook_endpoint" {
+ description = "Should be true if you want to provision an SAGEMAKER_NOTEBOOK endpoint to the VPC"
+ default = false
+}
+
+variable "sagemaker_notebook_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for SAGEMAKER_NOTEBOOK endpoint"
+ default = []
+}
+
+variable "sagemaker_notebook_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for SAGEMAKER_NOTEBOOK endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
+ default = []
+}
+
+variable "sagemaker_notebook_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for SAGEMAKER_NOTEBOOK endpoint"
+ default = false
+}
+
+variable "enable_sts_endpoint" {
+ description = "Should be true if you want to provision an STS endpoint to theVPC"
+ default = false
+}
+
+variable "sts_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for STS endpoint"
+ default = []
+}
+
+variable "sts_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ default = []
+}
+
+variable "sts_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for STS endpoint"
+ default = false
+}
+
 variable "map_public_ip_on_launch" {
 description = "Should be false if you do not want to auto-assign public IP on launch"
 default = true
diff --git a/vpc-endpoint.tf b/vpc-endpoint.tf
new file mode 100644
index 000000000..01b94537a
--- /dev/null
+++ b/vpc-endpoint.tf
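Review bot: The descriptions of the new `*_endpoint_security_group_ids` variables (`codebuild_endpoint_security_group_ids` through `sts_endpoint_security_group_ids` in this hunk) never say what the default `[]` means, and as far as I recall AWS attaches the VPC's default security group to an interface endpoint created without one, so callers silently inherit whatever that group allows for endpoints that front Secrets Manager and STS. I would extend each of those descriptions with `If omitted, the VPC default security group is attached; pass a group that allows 443 only from the intended clients.` The matching `*_endpoint_private_dns_enabled` variables default to `false`, which presumably means SDK clients using the regional service hostname keep resolving the public endpoint and leave the VPC via NAT/IGW unless they are pointed at the endpoint-specific DNS name — worth a sentence in those descriptions too. Minor wording in the new descriptions: `an CODEBUILD endpoint` (and the other `an` + consonant cases), `endpointto` in `enable_codecommit_endpoint`, and `theVPC` in `enable_sts_endpoint`.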
@@ -0,0 +1,744 @@
+######################
+# VPC Endpoint for S3
+######################
+data "aws_vpc_endpoint_service" "s3" {
+ count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}"
+
+ service = "s3"
+}
+
+resource "aws_vpc_endpoint" "s3" {
+ count = "${var.create_vpc && var.enable_s3_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.s3.service_name}"
+
+ tags = "${local.vpce_tags}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "private_s3" {
+ count = "${var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}"
+ route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
+ count = "${var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}"
+ route_table_id = "${element(aws_route_table.intra.*.id, 0)}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "public_s3" {
+ count = "${var.create_vpc && var.enable_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.s3.id}"
+ route_table_id = "${aws_route_table.public.id}"
+}
+
+############################
+# VPC Endpoint for DynamoDB
+############################
+data "aws_vpc_endpoint_service" "dynamodb" {
+ count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}"
+
+ service = "dynamodb"
+}
+
+resource "aws_vpc_endpoint" "dynamodb" {
+ count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.dynamodb.service_name}"
+
+ tags = "${local.vpce_tags}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
+ count = "${var.create_vpc && var.enable_dynamodb_endpoint ? 
local.nat_gateway_count : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}"
+ route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
+ count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}"
+ route_table_id = "${element(aws_route_table.intra.*.id, 0)}"
+}
+
+resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
+ count = "${var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0}"
+
+ vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb.id}"
+ route_table_id = "${aws_route_table.public.id}"
+}
+
+#######################
+# VPC Endpoint for CODEBUILD
+#######################
+data "aws_vpc_endpoint_service" "codebuild" {
+ count = "${var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0}"
+
+ service = "codebuild"
+}
+
+resource "aws_vpc_endpoint" "codebuild" {
+ count = "${var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.codebuild.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.codebuild_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.codebuild_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for CODECOMMIT
+#######################
+data "aws_vpc_endpoint_service" "codecommit" {
+ count = "${var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0}"
+
+ service = "codecommit"
+}
+
+resource "aws_vpc_endpoint" "codecommit" {
+ count = "${var.create_vpc && var.enable_codecommit_endpoint ? 
1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.codecommit.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.codecommit_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.codecommit_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for GIT CODECOMMIT
+#######################
+data "aws_vpc_endpoint_service" "git_codecommit" {
+ count = "${var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0}"
+
+ service = "git_codecommit"
+}
+
+resource "aws_vpc_endpoint" "git_codecommit" {
+ count = "${var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.git_codecommit.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.git_codecommit_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.git_codecommit_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for CONFIG
+#######################
+data "aws_vpc_endpoint_service" "config" {
+ count = "${var.create_vpc && var.enable_config_endpoint ? 1 : 0}"
+
+ service = "config"
+}
+
+resource "aws_vpc_endpoint" "config" {
+ count = "${var.create_vpc && var.enable_config_endpoint ? 
1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.config.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.config_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.config_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for SQS
+#######################
+data "aws_vpc_endpoint_service" "sqs" {
+ count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}"
+
+ service = "sqs"
+}
+
+resource "aws_vpc_endpoint" "sqs" {
+ count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.sqs.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.sqs_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for Secrets Manager
+#######################
+data "aws_vpc_endpoint_service" "secretsmanager" {
+ count = "${var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0}"
+
+ service = "secretsmanager"
+}
+
+resource "aws_vpc_endpoint" "secretsmanager" {
+ count = "${var.create_vpc && var.enable_secretsmanager_endpoint ? 
1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.secretsmanager.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.secretsmanager_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.secretsmanager_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for SSM
+#######################
+data "aws_vpc_endpoint_service" "ssm" {
+ count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
+
+ service = "ssm"
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+ count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ssm.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ssm_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+###############################
+# VPC Endpoint for SSMMESSAGES
+###############################
+data "aws_vpc_endpoint_service" "ssmmessages" {
+ count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}"
+
+ service = "ssmmessages"
+}
+
+resource "aws_vpc_endpoint" "ssmmessages" {
+ count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 
1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ssmmessages_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for EC2
+#######################
+data "aws_vpc_endpoint_service" "ec2" {
+ count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}"
+
+ service = "ec2"
+}
+
+resource "aws_vpc_endpoint" "ec2" {
+ count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ec2.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ec2_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+###############################
+# VPC Endpoint for EC2MESSAGES
+###############################
+data "aws_vpc_endpoint_service" "ec2messages" {
+ count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}"
+
+ service = "ec2messages"
+}
+
+resource "aws_vpc_endpoint" "ec2messages" {
+ count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 
1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.ec2messages.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.ec2messages_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+#######################
+# VPC Endpoint for Transfer Server
+#######################
+data "aws_vpc_endpoint_service" "transferserver" {
+ count = "${var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0}"
+
+ service = "transferserver"
+}
+
+resource "aws_vpc_endpoint" "transferserver" {
+ count = "${var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0}"
+
+ vpc_id = "${local.vpc_id}"
+ service_name = "${data.aws_vpc_endpoint_service.transferserver.service_name}"
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = ["${var.transferserver_endpoint_security_group_ids}"]
+ subnet_ids = ["${coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+ private_dns_enabled = "${var.transferserver_endpoint_private_dns_enabled}"
+
+ tags = "${local.vpce_tags}"
+}
+
+###########################
+# VPC Endpoint for ECR API
+###########################
+data "aws_vpc_endpoint_service" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0}"
+
+ service = "ecr.api"
+}
+
+resource "aws_vpc_endpoint" "ecr_api" {
+ count = "${var.create_vpc && var.enable_ecr_api_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecr_api.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecr_api_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecr_api_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +########################### +# VPC Endpoint for ECR DKR +########################### +data "aws_vpc_endpoint_service" "ecr_dkr" { + count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + + service = "ecr.dkr" +} + +resource "aws_vpc_endpoint" "ecr_dkr" { + count = "${var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecr_dkr.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecr_dkr_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecr_dkr_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for API Gateway +####################### +data "aws_vpc_endpoint_service" "apigw" { + count = "${var.create_vpc && var.enable_apigw_endpoint ? 1 : 0}" + + service = "execute-api" +} + +resource "aws_vpc_endpoint" "apigw" { + count = "${var.create_vpc && var.enable_apigw_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.apigw.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.apigw_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for KMS +####################### +data "aws_vpc_endpoint_service" "kms" { + count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + + service = "kms" +} + +resource "aws_vpc_endpoint" "kms" { + count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kms.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kms_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS +####################### +data "aws_vpc_endpoint_service" "ecs" { + count = "${var.create_vpc && var.enable_ecs_endpoint ? 1 : 0}" + + service = "ecs" +} + +resource "aws_vpc_endpoint" "ecs" { + count = "${var.create_vpc && var.enable_ecs_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS Agent +####################### +data "aws_vpc_endpoint_service" "ecs_agent" { + count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" + + service = "ecs-agent" +} + +resource "aws_vpc_endpoint" "ecs_agent" { + count = "${var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs_agent.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_agent_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for ECS Telemetry +####################### +data "aws_vpc_endpoint_service" "ecs_telemetry" { + count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}" + + service = "ecs-telemetry" +} + +resource "aws_vpc_endpoint" "ecs_telemetry" { + count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.ecs_telemetry_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Elasic Load Balancing +####################### +data "aws_vpc_endpoint_service" "elasticloadbalancing" { + count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" + + service = "elasticloadbalancing" +} + +resource "aws_vpc_endpoint" "elasticloadbalancing" { + count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.elasticloadbalancing.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.elasticloadbalancing_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.elasticloadbalancing_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for SNS +####################### +data "aws_vpc_endpoint_service" "sns" { + count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}" + + service = "sns" +} + +resource "aws_vpc_endpoint" "sns" { + count = "${var.create_vpc && var.enable_sns_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sns.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sns_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sns_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Logs +####################### +data "aws_vpc_endpoint_service" "logs" { + count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" + + service = "logs" +} + +resource "aws_vpc_endpoint" "logs" { + count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.logs.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.logs_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.logs_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudTrail +####################### +data "aws_vpc_endpoint_service" "cloudtrail" { + count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}" + + service = "cloudtrail" +} + +resource "aws_vpc_endpoint" "cloudtrail" { + count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.cloudtrail.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.cloudtrail_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.cloudtrail_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Monitoring +####################### +data "aws_vpc_endpoint_service" "monitoring" { + count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" + + service = "monitoring" +} + +resource "aws_vpc_endpoint" "monitoring" { + count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.monitoring.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.monitoring_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.monitoring_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for CloudWatch Events +####################### +data "aws_vpc_endpoint_service" "events" { + count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}" + + service = "events" +} + +resource "aws_vpc_endpoint" "events" { + count = "${var.create_vpc && var.enable_events_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.events.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.events_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.events_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Kinesis Streams +####################### +data "aws_vpc_endpoint_service" "kinesis_streams" { + count = "${var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0}" + + service = "kinesis_streams" +} + +resource "aws_vpc_endpoint" "kinesis_streams" { + count = "${var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kinesis_streams.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kinesis_streams_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kinesis_streams_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Kinesis Firehose +####################### +data "aws_vpc_endpoint_service" "kinesis_firehose" { + count = "${var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0}" + + service = "kinesis_firehose" +} + +resource "aws_vpc_endpoint" "kinesis_firehose" { + count = "${var.create_vpc && var.enable_kinesis_firehose_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.kinesis_firehose.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.kinesis_firehose_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.kinesis_firehose_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Glue +####################### +data "aws_vpc_endpoint_service" "glue" { + count = "${var.create_vpc && var.enable_glue_endpoint ? 1 : 0}" + + service = "glue" +} + +resource "aws_vpc_endpoint" "glue" { + count = "${var.create_vpc && var.enable_glue_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.glue.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.glue_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.glue_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.glue_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for Sagemaker Notebook +####################### +data "aws_vpc_endpoint_service" "sagemaker_notebook" { + count = "${var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 1 : 0}" + + service = "sagemaker_notebook" +} + +resource "aws_vpc_endpoint" "sagemaker_notebook" { + count = "${var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 
1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sagemaker_notebook.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sagemaker_notebook_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sagemaker_notebook_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sagemaker_notebook_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +} + +####################### +# VPC Endpoint for STS +####################### +data "aws_vpc_endpoint_service" "sts" { + count = "${var.create_vpc && var.enable_sts_endpoint ? 1 : 0}" + + service = "sts" +} + +resource "aws_vpc_endpoint" "sts" { + count = "${var.create_vpc && var.enable_sts_endpoint ? 1 : 0}" + + vpc_id = "${local.vpc_id}" + service_name = "${data.aws_vpc_endpoint_service.sts.service_name}" + vpc_endpoint_type = "Interface" + + security_group_ids = ["${var.sts_endpoint_security_group_ids}"] + subnet_ids = ["${coalescelist(var.sts_endpoint_subnet_ids, aws_subnet.private.*.id)}"] + private_dns_enabled = "${var.sts_endpoint_private_dns_enabled}" + + tags = "${local.vpce_tags}" +}