From 5354505fdb6f53623dd01fd3f602469162c3bbec Mon Sep 17 00:00:00 2001
From: Volodymyr Zahorniak <7808206+zahorniak@users.noreply.github.com>
Date: Fri, 11 Sep 2020 18:44:39 +0300
Subject: [PATCH] feat: Add ability to create CodeDeploy endpoint to VPC (#501)

---
 README.md | 10 +++++++-
 examples/complete-vpc/main.tf | 13 +++++++---
 variables.tf | 48 +++++++++++++++++++++++++++++++++++
 vpc-endpoints.tf | 46 +++++++++++++++++++++++++++++++++
 4 files changed, 112 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 57d211a45..0b6f7fddb 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(No
 CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream, Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR), DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access Analyzer, Auto Scaling Plans,
-Application Auto Scaling, Workspaces, ACM PCA, RDS.
+Application Auto Scaling, Workspaces, ACM PCA, RDS, CodeDeploy, CodeDeploy Commands Secure
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
@@ -277,6 +277,12 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | `bool` | `false` | no |
 | codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | `list` | `[]` | no |
 | codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no |
+| codedeploy\_commands\_secure\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy Commands Secure endpoint | `bool` | `false` | no |
+| codedeploy\_commands\_secure\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodeDeploy Commands Secure endpoint | `list(string)` | `[]` | no |
+| codedeploy\_commands\_secure\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| codedeploy\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy endpoint | `bool` | `false` | no |
+| codedeploy\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodeDeploy endpoint | `list(string)` | `[]` | no |
+| codedeploy\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodeDeploy endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | codepipeline\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint | `bool` | `false` | no |
 | codepipeline\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CodePipeline endpoint | `list(string)` | `[]` | no |
 | codepipeline\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -400,6 +406,8 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | `bool` | `false` | no |
 | enable\_codebuild\_endpoint | Should be true if you want to provision an Codebuild endpoint to the VPC | `bool` | `false` | no |
 | enable\_codecommit\_endpoint | Should be true if you want to provision an Codecommit endpoint to the VPC | `bool` | `false` | no |
+| enable\_codedeploy\_commands\_secure\_endpoint | Should be true if you want to provision an CodeDeploy Commands Secure endpoint to the VPC | `bool` | `false` | no |
+| enable\_codedeploy\_endpoint | Should be true if you want to provision an CodeDeploy endpoint to the VPC | `bool` | `false` | no |
 | enable\_codepipeline\_endpoint | Should be true if you want to provision a CodePipeline endpoint to the VPC | `bool` | `false` | no |
 | enable\_config\_endpoint | Should be true if you want to provision an config endpoint to the VPC | `bool` | `false` | no |
 | enable\_datasync\_endpoint | Should be true if you want to provision an Data Sync endpoint to the VPC | `bool` | `false` | no |
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
index d2183ce7d..fbbbac1c5 100644
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -101,10 +101,15 @@ module "vpc" {
   ecs_telemetry_endpoint_private_dns_enabled = true
   ecs_telemetry_endpoint_security_group_ids = [data.aws_security_group.default.id]
 
-  # VPC endpoint for SQS
-  enable_sqs_endpoint = true
-  sqs_endpoint_private_dns_enabled = true
-  sqs_endpoint_security_group_ids = [data.aws_security_group.default.id]
+  # VPC endpoint for CodeDeploy
+  enable_codedeploy_endpoint = true
+  codedeploy_endpoint_private_dns_enabled = true
+  codedeploy_endpoint_security_group_ids = [data.aws_security_group.default.id]
+
+  # VPC endpoint for CodeDeploy Commands Secure
+  enable_codedeploy_commands_secure_endpoint = true
+  codedeploy_commands_secure_endpoint_private_dns_enabled = true
+  codedeploy_commands_secure_endpoint_security_group_ids = [data.aws_security_group.default.id]
 
   # Default security group - ingress/egress rules cleared to deny all
   manage_default_security_group = true
diff --git a/variables.tf b/variables.tf
index 5afa82c9f..c22a609fa 100644
--- a/variables.tf
+++ b/variables.tf
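Review bot: Removing the three `sqs_*` lines together with `enable_sqs_endpoint = true` drops the only place the complete example exercises the SQS endpoint; adding the two CodeDeploy blocks after the SQS block rather than in its place keeps both covered. Both new endpoints are also wired to `data.aws_security_group.default.id`, whose definition is outside the hunk, while the context two lines below states the VPC's default security group is managed with its rules cleared to deny all — if that data source resolves to the same group, the endpoint ENIs accept no traffic and the example endpoints are unreachable. The sibling endpoints above use the same group, so this may be deliberate for an example, but a comment such as `# placeholder SG for the example; use a group that allows 443 from your workloads` above the new blocks would stop it being copied as-is. The `module "vpc"` block starts and ends outside the hunk.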
@@ -1670,6 +1670,54 @@ variable "rds_endpoint_private_dns_enabled" {
   default = false
 }
 
+variable "enable_codedeploy_endpoint" {
+  description = "Should be true if you want to provision an CodeDeploy endpoint to the VPC"
+  type = bool
+  default = false
+}
+
+variable "codedeploy_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CodeDeploy endpoint"
+  type = list(string)
+  default = []
+}
+
+variable "codedeploy_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CodeDeploy endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type = list(string)
+  default = []
+}
+
+variable "codedeploy_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy endpoint"
+  type = bool
+  default = false
+}
+
+variable "enable_codedeploy_commands_secure_endpoint" {
+  description = "Should be true if you want to provision an CodeDeploy Commands Secure endpoint to the VPC"
+  type = bool
+  default = false
+}
+
+variable "codedeploy_commands_secure_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CodeDeploy Commands Secure endpoint"
+  type = list(string)
+  default = []
+}
+
+variable "codedeploy_commands_secure_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type = list(string)
+  default = []
+}
+
+variable "codedeploy_commands_secure_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy Commands Secure endpoint"
+  type = bool
+  default = false
+}
+
 variable "acm_pca_endpoint_security_group_ids" {
   description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint"
   default = []
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
index 2d5b39b16..5b8a79439 100644
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
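Review bot: The descriptions of `codedeploy_endpoint_security_group_ids` and `codedeploy_commands_secure_endpoint_security_group_ids` do not say what the `[]` default means: for an Interface endpoint the AWS provider associates the VPC's default security group when none is given, which in a hardened VPC is either deny-all (endpoint unreachable) or wider than intended. Suggest appending to both descriptions `If empty, the VPC default security group is associated with the endpoint.` so callers know to set it explicitly. Minor: `an CodeDeploy` in both `enable_*` descriptions should read `a CodeDeploy`.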
@@ -1371,3 +1371,49 @@ resource "aws_vpc_endpoint" "rds" {
 
   tags = local.vpce_tags
 }
+
+#############################
+# VPC Endpoint for CodeDeploy
+#############################
+data "aws_vpc_endpoint_service" "codedeploy" {
+  count = var.create_vpc && var.enable_codedeploy_endpoint ? 1 : 0
+
+  service = "codedeploy"
+}
+
+resource "aws_vpc_endpoint" "codedeploy" {
+  count = var.create_vpc && var.enable_codedeploy_endpoint ? 1 : 0
+
+  vpc_id = local.vpc_id
+  service_name = data.aws_vpc_endpoint_service.codedeploy[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids = var.codedeploy_endpoint_security_group_ids
+  subnet_ids = coalescelist(var.codedeploy_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.codedeploy_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#############################################
+# VPC Endpoint for CodeDeploy Commands Secure
+#############################################
+data "aws_vpc_endpoint_service" "codedeploy_commands_secure" {
+  count = var.create_vpc && var.enable_codedeploy_commands_secure_endpoint ? 1 : 0
+
+  service = "codedeploy-commands-secure"
+}
+
+resource "aws_vpc_endpoint" "codedeploy_commands_secure" {
+  count = var.create_vpc && var.enable_codedeploy_commands_secure_endpoint ? 1 : 0
+
+  vpc_id = local.vpc_id
+  service_name = data.aws_vpc_endpoint_service.codedeploy_commands_secure[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids = var.codedeploy_commands_secure_endpoint_security_group_ids
+  subnet_ids = coalescelist(var.codedeploy_commands_secure_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.codedeploy_commands_secure_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
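Review bot: `codedeploy-commands-secure` is the service the CodeDeploy agent on instances polls, and the agent resolves the public service hostname, so with `codedeploy_commands_secure_endpoint_private_dns_enabled` defaulting to `false` agent traffic still leaves the VPC unless the caller opts in; per the AWS CodeDeploy VPC endpoint documentation the agent also has to be configured for IAM-authorized requests (`:enable_auth_policy: true`) to use this endpoint — worth confirming and recording here. Suggest a comment above `resource "aws_vpc_endpoint" "codedeploy_commands_secure"`: `# Used by the CodeDeploy agent; set private_dns_enabled = true (and configure the agent` / `# for IAM auth per the AWS docs) or deployments will not route through this endpoint.` Neither resource sets `policy`, so both endpoints carry the default full-access endpoint policy — consistent with the sibling endpoints in this file, but worth a note for teams that restrict endpoint policies. `coalescelist(...)` fails at plan time with "all arguments are empty" when `*_subnet_ids` is unset and the module creates no private subnets, again matching the siblings rather than a new defect.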