appvia · gambol99 · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024 · Aug 30, 2024
diff --git a/README.md b/README.md
@@ -165,7 +165,6 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_dns_security_group"></a> [dns\_security\_group](#module\_dns\_security\_group) | terraform-aws-modules/security-group/aws | 5.1.2 |
-| <a name="module_endpoints"></a> [endpoints](#module\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | 5.13.0 |
 | <a name="module_ram_share"></a> [ram\_share](#module\_ram\_share) | ./modules/ram_share | n/a |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | appvia/network/aws | 0.3.1 |
 
@@ -178,6 +177,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_endpoint) | resource |
 | [aws_route53_resolver_rule.endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
 | [aws_route53_resolver_rule.endpoints_single](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_rule) | resource |
+| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_security_group_egress_rule.allow_https_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.allow_https_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [aws_route53_resolver_endpoint.outbound](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_resolver_endpoint) | data source |
 
 ## Inputs
@@ -196,7 +199,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 
 | Name | Description |
 |------|-------------|
-| <a name="output_endpoints"></a> [endpoints](#output\_endpoints) | The attributes of the endpoints we created |
+| <a name="output_endpoints"></a> [endpoints](#output\_endpoints) | Array containing the full resource object and attributes for all endpoints created |
 | <a name="output_outbound_resolver_endpoint_id"></a> [outbound\_resolver\_endpoint\_id](#output\_outbound\_resolver\_endpoint\_id) | The id of the outbound resolver if we created one |
 | <a name="output_outbound_resolver_ip_addresses"></a> [outbound\_resolver\_ip\_addresses](#output\_outbound\_resolver\_ip\_addresses) | The ip addresses of the outbound resolver if we created one |
 | <a name="output_private_subnet_attributes_by_az"></a> [private\_subnet\_attributes\_by\_az](#output\_private\_subnet\_attributes\_by\_az) | The attributes of the private subnets |

diff --git a/locals.tf b/locals.tf
@@ -42,4 +42,7 @@ locals {
 
   ## A of the domains to endpoint configuration 
   endpoints_rules = { for x in var.endpoints : format("%s.%s.amazonaws.com", x.service, var.region) => x }
+
+  ## The security group ids to use for the endpoints 
+  security_group_ids = [aws_security_group.this.id]
 }
diff --git a/main.tf b/main.tf
@@ -19,33 +19,62 @@ module "vpc" {
   vpc_netmask                            = var.network.vpc_netmask
 }
 
-## Provision the VPC endpoints within the network 
-module "endpoints" {
-  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
-  version = "5.13.0"
-
-  create_security_group      = true
-  endpoints                  = local.endpoints
-  security_group_description = "Allow all https traffic to the private endpoints"
-  security_group_name_prefix = "${var.name}-default"
-  security_group_tags        = var.tags
-  subnet_ids                 = local.private_subnet_ids
-  tags                       = var.tags
-  vpc_id                     = local.vpc_id
-
-  security_group_rules = {
-    ingress_https = {
-      description = "Allow all https traffic to the private endpoints"
-      cidr_blocks = ["10.0.0.0/8"]
-    }
-    egress_all = {
-      description = "Allow all https traffic to the private endpoints"
-      cidr_blocks = ["10.0.0.0/8"]
-      from_port   = 443
-      to_port     = 443
-      type        = "egress"
+## Provision the private endpoint within the network
+resource "aws_vpc_endpoint" "this" {
+  for_each = local.endpoints
+
+  auto_accept         = try(each.value.auto_accept, null)
+  ip_address_type     = try(each.value.ip_address_type, null)
+  policy              = try(each.value.policy, null)
+  private_dns_enabled = try(each.value.service_type, "Interface") == "Interface" ? try(each.value.private_dns_enabled, null) : null
+  route_table_ids     = try(each.value.service_type, "Interface") == "Gateway" ? lookup(each.value, "route_table_ids", null) : null
+  security_group_ids  = try(each.value.service_type, "Interface") == "Interface" ? length(distinct(concat(local.security_group_ids, lookup(each.value, "security_group_ids", [])))) > 0 ? distinct(concat(local.security_group_ids, lookup(each.value, "security_group_ids", []))) : null : null
+  service_name        = try(each.value.service_endpoint, null)
+  subnet_ids          = try(each.value.service_type, "Interface") == "Interface" ? distinct(concat(local.private_subnet_ids, lookup(each.value, "subnet_ids", []))) : null
+  tags                = merge(var.tags, try(each.value.tags, {}))
+  vpc_endpoint_type   = try(each.value.service_type, "Interface")
+  vpc_id              = local.vpc_id
+
+  dynamic "dns_options" {
+    for_each = try([each.value.dns_options], [])
+
+    content {
+      dns_record_ip_type                             = try(dns_options.value.dns_options.dns_record_ip_type, null)
+      private_dns_only_for_inbound_resolver_endpoint = try(dns_options.value.private_dns_only_for_inbound_resolver_endpoint, null)
     }
   }
+}
+
+## Provision the security group for the private endpoints 
+resource "aws_security_group" "this" {
+  description = "Security group for the private endpoints for the ${var.name} environment"
+  name        = "${var.name}-default"
+  tags        = merge(var.tags, { "Name" = "${var.name}-default" })
+  vpc_id      = local.vpc_id
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+## Provision the security group rule to permit all internal traffic 
+resource "aws_vpc_security_group_ingress_rule" "allow_https_ingress" {
+  cidr_ipv4         = "10.0.0.0/8"
+  description       = "Allow all https traffic to the private endpoint for the ${var.name} environment"
+  from_port         = 443
+  ip_protocol       = "tcp"
+  security_group_id = aws_security_group.this.id
+  tags              = var.tags
+  to_port           = 443
+}
 
-  depends_on = [module.vpc]
+## Provision the security group rules to allow all https egress traffic 
+resource "aws_vpc_security_group_egress_rule" "allow_https_egress" {
+  cidr_ipv4         = "10.0.0.0/8"
+  description       = "Allow all https traffic from the private endpoints for the ${var.name} environment"
+  from_port         = 443
+  ip_protocol       = "tcp"
+  security_group_id = aws_security_group.this.id
+  tags              = var.tags
+  to_port           = 443
 }
diff --git a/outputs.tf b/outputs.tf
@@ -1,7 +1,7 @@
 
 output "endpoints" {
-  description = "The attributes of the endpoints we created"
-  value       = module.endpoints.endpoints
+  description = "Array containing the full resource object and attributes for all endpoints created"
+  value       = aws_vpc_endpoint.this
 }
 
 output "outbound_resolver_endpoint_id" {

diff --git a/resolvers.tf b/resolvers.tf
@@ -34,7 +34,6 @@ resource "aws_route53_resolver_endpoint" "outbound" {
   }
 
   depends_on = [
-    module.endpoints,
     module.vpc,
   ]
 }
diff --git a/rules.tf b/rules.tf
@@ -13,7 +13,7 @@ resource "aws_route53_resolver_rule" "endpoints" {
     ip = local.vpc_dns_resolver
   }
 
-  depends_on = [module.endpoints, module.vpc]
+  depends_on = [module.vpc]
 }
 
 ## Provision a single resolver rule for all endpoints 
@@ -30,5 +30,5 @@ resource "aws_route53_resolver_rule" "endpoints_single" {
     ip = local.vpc_dns_resolver
   }
 
-  depends_on = [module.endpoints, module.vpc]
+  depends_on = [module.vpc]
 }