initial commit

modules/networking/vpc-endpoints/README.md

@@ -0,0 +1,275 @@
+# vpc-endpoints module
+This module deploys VPC endpoints.
+
+Automatically, this module performs the following additional tasks
+- Create and attach security group which allows access from the same VPC
+- Associate endpoints with 1 subnet in each availability zone
+
+# Inputs
+| Variable              | Type         | Required | Description                                     | 
+|-----------------------|--------------|----------|-------------------------------------------------|
+| voc-id                | string       | yes      | ID of VPC to deploy endpoints to                |
+| interface-ep-services | list(string) | yes      | Interface endpoint names                        |
+| gateway-ep-services   | list(string) | no       | Gateway endpoint names                          |
+| resource-prefix       | string       | yes      | Prefix that will be added to resource name tags |
+
+
+# Types of endpoints
+## Gateway endpoints
+At time of writing, AWS provides 2 gateway endpoints at no charge. 
+* s3
+* dynamodb
+
+For gateway endpoints, all route tables in the VPC will be updated with routes to the private links.
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
+
+## Interface endpoints
+Interface endpoints are placed in one subnet for every AZ. Security group is created automatically
+and allow access from the VPC's cidr, plus all additional CIDRs if applicable.
+
+At time of writing, AWS provides 200+ interface endpoints:
+* access-analyzer
+* account
+* execute-api
+* appmesh
+* appmesh-envoy-management
+* apprunner
+* apprunner.requests
+* application-autoscaling
+* mgn
+* appstream.api
+* appstream.streaming
+* appsync-api
+* athena
+* auditmanager
+* rds
+* autoscaling-plans
+* backup
+* backup-gateway
+* batch
+* billingconductor
+* braket
+* cleanrooms
+* cloudcontrolapi
+* cloudcontrolapi-fips
+* clouddirectory
+* cloudformation
+* cloudhsmv2
+* cloudtrail
+* evidently
+* evidently-dataplane
+* monitoring
+* rum
+* rum-dataplane
+* synthetics
+* events
+* logs
+* codeartifact.api
+* codeartifact.repositories
+* codebuild
+* codebuild-fips
+* codecommit
+* codecommit-fips
+* git-codecommit
+* git-codecommit-fips
+* codedeploy
+* codedeploy-commands-secure
+* codeguru-profiler
+* codeguru-reviewer
+* codepipeline
+* codestar-connections.api
+* comprehend
+* comprehendmedical
+* config
+* app-integrations
+* cases
+* connect-campaigns
+* profile
+* voiceid
+* wisdom
+* dataexchange
+* dms
+* dms-fips
+* datasync
+* devops-guru
+* ds
+* ebs
+* ec2
+* autoscaling
+* imagebuilder
+* ecr.api
+* ecr.dkr
+* ecs
+* ecs-agent
+* ecs-telemetry
+* eks
+* elasticbeanstalk
+* elasticbeanstalk-health
+* drs
+* elasticfilesystem
+* elasticfilesystem-fips
+* elastic-inference.runtime
+* elasticloadbalancing
+* elasticache
+* elasticache-fips
+* elasticmapreduce
+* emr-containers
+* emr-serverless
+* events
+* fis
+* finspace
+* finspace-api
+* forecast
+* forecastquery
+* forecast-fips
+* forecastquery-fips
+* frauddetector
+* fsx
+* fsx-fips
+* glue
+* databrew
+* grafana
+* grafana-workspace
+* groundstation
+* guardduty-data
+* guardduty-data-fips
+* healthlake
+* identitystore
+* rolesanywhere
+* inspector2
+* iot.data
+* iot.fleethub.api
+* deviceadvisor.iot
+* iotwireless.api
+* lorawan.cups
+* lorawan.lns
+* iotfleetwise
+* greengrass
+* iotroborunner
+* iotsitewise.api
+* iotsitewise.data
+* iottwinmaker.api
+* iottwinmaker.data
+* kendra
+* kendra-ranking
+* kms
+* kms-fips
+* cassandra
+* cassandra-fips
+* kinesis-firehose
+* kinesis-streams
+* lakeformation
+* lambda
+* models-v2-lex
+* runtime-v2-lex
+* license-manager
+* license-manager-fips
+* lookoutequipment
+* lookoutmetrics
+* lookoutvision
+* macie2
+* m2
+* aps
+* aps-workspaces
+* airflow.api
+* airflow.env
+* airflow.ops
+* console
+* signin
+* memory-db
+* memorydb-fips
+* migrationhub-orchestrator
+* refactor-spaces
+* migrationhub-strategy
+* nimble
+* analytics-omics
+* control-storage-omics
+* storage-omics
+* tags-omics
+* workflows-omics
+* service-managed
+* panorama
+* payment-cryptography.controlplane
+* payment-cryptography.dataplane
+* personalize
+* personalize-events
+* personalize-runtime
+* pinpoint
+* pinpoint-sms-voice-v2
+* polly
+* private-networks
+* acm-pca
+* proton
+* qldb.session
+* rds
+* rds-data
+* redshift
+* redshift-fips
+* redshift-data
+* rekognition
+* rekognition-fips
+* streaming-rekognition
+* streaming-rekognition-fips
+* robomaker
+* s3
+* com.amazonaws.s3-global.accesspoint
+* s3-outposts
+* aws.sagemaker.region.notebook
+* aws.sagemaker.region.studio
+* sagemaker.api
+* sagemaker.featurestore-runtime
+* sagemaker.metrics
+* sagemaker.runtime
+* sagemaker.runtime-fips
+* secretsmanager
+* securityhub
+* sts
+* servicecatalog
+* servicecatalog-appregistry
+* email-smtp
+* simspaceweaver
+* snow-device-management
+* sns
+* sqs
+* swf
+* swf-fips
+* states
+* sync-states
+* storagegateway
+* ec2messages
+* ssm
+* ssm-contacts
+* ssm-incidents
+* ssmmessages
+* tnb
+* textract
+* textract-fips
+* transcribe
+* transcribestreaming
+* transcribe
+* transcribestreaming
+* transfer
+* transfer.server
+* translate
+* verifiedpermissions
+* vpc-lattice
+* workspaces
+* xray
+
+
+Full documentation: https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
+
+
+## Example
+```hcl
+module "vpc-ep" {
+  count  = var.create-free-vpc-endpoints ? 1 : 0
+  source = "../vpc-endpoints"
+
+  gateway-ep-services   = ["s3", "dynamodb"]
+  interface-ep-services = []
+  resource-prefix       = var.resource-prefix
+  vpc-id                = aws_vpc.vpc.id
+}
+```

modules/networking/vpc-endpoints/main.tf

@@ -0,0 +1,102 @@
+data "aws_region" "this" {}
+data "aws_default_tags" "this" {
+  lifecycle {
+    postcondition {
+      condition     = length(self.tags) >= 1
+      error_message = "Validation failed: Provider default_tags not set."
+    }
+  }
+}
+
+resource "aws_vpc_endpoint" "vpc-interface-ep" {
+  for_each          = toset(var.interface-ep-services)
+  vpc_id            = data.aws_vpc.this-vpc.id
+  service_name      = "com.amazonaws.${data.aws_region.this.id}.${each.value}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids = [
+    aws_security_group.vpc-ep-sg.id,
+  ]
+
+  # deploy to all subnets
+  subnet_ids = local.one_subnet_in_each_az
+
+  private_dns_enabled = true
+  tags                = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
+
+  lifecycle {
+    precondition {
+      condition     = data.aws_vpc.this-vpc.enable_dns_support
+      error_message = "enableDnsSupport needs to be turned on."
+    }
+  }
+}
+
+resource "aws_vpc_endpoint" "vpc-gateway-ep" {
+  for_each          = toset(var.gateway-ep-services)
+  vpc_id            = data.aws_vpc.this-vpc.id
+  service_name      = "com.amazonaws.${data.aws_region.this.id}.${each.value}"
+  vpc_endpoint_type = "Gateway"
+  route_table_ids   = data.aws_route_tables.this.ids
+  tags              = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
+}
+
+resource "random_id" "rid" {
+  byte_length = 2
+}
+
+resource "aws_security_group" "vpc-ep-sg" {
+  name        = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
+  description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
+  vpc_id      = data.aws_vpc.this-vpc.id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    # cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
+    cidr_blocks = data.aws_vpc.this-vpc.cidr_block_associations.*.cidr_block
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = { "Name" : "VpcEpAccess" }
+}
+
+data "aws_vpc" "this-vpc" {
+  id = var.vpc-id
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}
+
+# find all subnets for this vpc in all availability zones
+data "aws_subnets" "subnets_and_az" {
+  for_each = toset(data.aws_availability_zones.this.zone_ids)
+
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc-id]
+  }
+
+  filter {
+    name   = "availability-zone-id"
+    values = [each.value]
+  }
+}
+
+data "aws_route_tables" "this" {
+  vpc_id = var.vpc-id
+}
+
+locals {
+  # pick first subnet in each AZ
+  one_subnet_in_each_az = compact([for k, v in data.aws_subnets.subnets_and_az : try(element(v.ids, length(v.ids) - 1), "")])
+}

modules/networking/vpc-endpoints/provider.tf

@@ -0,0 +1,11 @@
+# requires 1.3.0 for postcondition validation
+# https://learn.hashicorp.com/tutorials/terraform/custom-conditions
+terraform {
+  required_version = ">= 1.3.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.75.2"
+    }
+  }
+}

modules/networking/vpc-endpoints/variables.tf

@@ -0,0 +1,18 @@
+variable vpc-id {}
+variable interface-ep-services {
+  type = list(string)
+  description = "List of interface endpoint. E.g. dkr,lambda,kms,elasticloadbalancing,execute-api,ec2,ssm,secretsmanager,monitoring,guardduty-data"
+}
+variable gateway-ep-services {
+  type = list(string)
+  default = []
+  description = "s3 and dynamodb gateway endpoints are free."
+}
+variable resource-prefix {}
+/*
+variable secondary_cidrs {
+  type = list(string)
+  description = "Additional cidr blocks"
+  default = []
+}
+*/