initial commit
@@ -0,0 +1,102 @@
|
||||
data "aws_region" "this" {}
|
||||
data "aws_default_tags" "this" {
|
||||
lifecycle {
|
||||
postcondition {
|
||||
condition = length(self.tags) >= 1
|
||||
error_message = "Validation failed: Provider default_tags not set."
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_vpc_endpoint" "vpc-interface-ep" {
|
||||
for_each = toset(var.interface-ep-services)
|
||||
vpc_id = data.aws_vpc.this-vpc.id
|
||||
service_name = "com.amazonaws.${data.aws_region.this.id}.${each.value}"
|
||||
vpc_endpoint_type = "Interface"
|
||||
|
||||
security_group_ids = [
|
||||
aws_security_group.vpc-ep-sg.id,
|
||||
]
|
||||
|
||||
# deploy to all subnets
|
||||
subnet_ids = local.one_subnet_in_each_az
|
||||
|
||||
private_dns_enabled = true
|
||||
tags = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
|
||||
|
||||
lifecycle {
|
||||
precondition {
|
||||
condition = data.aws_vpc.this-vpc.enable_dns_support
|
||||
error_message = "enableDnsSupport needs to be turned on."
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "aws_vpc_endpoint" "vpc-gateway-ep" {
|
||||
for_each = toset(var.gateway-ep-services)
|
||||
vpc_id = data.aws_vpc.this-vpc.id
|
||||
service_name = "com.amazonaws.${data.aws_region.this.id}.${each.value}"
|
||||
vpc_endpoint_type = "Gateway"
|
||||
route_table_ids = data.aws_route_tables.this.ids
|
||||
tags = { "Name" : "${var.resource-prefix}-vpcep-${each.value}" }
|
||||
}
|
||||
|
||||
resource "random_id" "rid" {
|
||||
byte_length = 2
|
||||
}
|
||||
|
||||
resource "aws_security_group" "vpc-ep-sg" {
|
||||
name = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
|
||||
description = "HttpsAccessToVpcEndpoints-${random_id.rid.dec}"
|
||||
vpc_id = data.aws_vpc.this-vpc.id
|
||||
|
||||
ingress {
|
||||
description = "TLS from VPC"
|
||||
from_port = 443
|
||||
to_port = 443
|
||||
protocol = "tcp"
|
||||
# cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
|
||||
cidr_blocks = data.aws_vpc.this-vpc.cidr_block_associations.*.cidr_block
|
||||
}
|
||||
|
||||
egress {
|
||||
from_port = 0
|
||||
to_port = 0
|
||||
protocol = "-1"
|
||||
cidr_blocks = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
tags = { "Name" : "VpcEpAccess" }
|
||||
}
|
||||
|
||||
data "aws_vpc" "this-vpc" {
|
||||
id = var.vpc-id
|
||||
}
|
||||
|
||||
data "aws_availability_zones" "this" {
|
||||
state = "available"
|
||||
}
|
||||
|
||||
# find all subnets for this vpc in all availability zones
|
||||
data "aws_subnets" "subnets_and_az" {
|
||||
for_each = toset(data.aws_availability_zones.this.zone_ids)
|
||||
|
||||
filter {
|
||||
name = "vpc-id"
|
||||
values = [var.vpc-id]
|
||||
}
|
||||
|
||||
filter {
|
||||
name = "availability-zone-id"
|
||||
values = [each.value]
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_route_tables" "this" {
|
||||
vpc_id = var.vpc-id
|
||||
}
|
||||
|
||||
locals {
|
||||
# pick first subnet in each AZ
|
||||
one_subnet_in_each_az = compact([for k, v in data.aws_subnets.subnets_and_az : try(element(v.ids, length(v.ids) - 1), "")])
|
||||
}
|
||||
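Review bot: The precondition on `aws_vpc_endpoint.vpc-interface-ep` only checks `enable_dns_support`, but `private_dns_enabled = true` also requires DNS hostnames to be enabled on the VPC, so a VPC with hostnames off passes the plan-time check and fails at apply; tighten it to `condition = data.aws_vpc.this-vpc.enable_dns_support && data.aws_vpc.this-vpc.enable_dns_hostnames` and widen the error message to "enableDnsSupport and enableDnsHostnames need to be turned on." The local `one_subnet_in_each_az` is commented as "pick first subnet in each AZ" but `element(v.ids, length(v.ids) - 1)` selects the last id, so either the comment or the index should change, and since `aws_subnets.ids` ordering is presumably not guaranteed stable this may also reshuffle endpoint subnets between plans. Neither endpoint resource sets `policy`, which leaves the AWS default full-access endpoint policy in place; a restrictive policy is worth documenting as a deliberate follow-up if it is intentionally omitted. The `egress` block on `vpc-ep-sg` opens all protocols to `0.0.0.0/0`, which an interface endpoint ENI does not need; a comment explaining why it is kept open, or narrowing it, would make the intent clear.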