plus3it/terraform-aws-tardigrade-vpc-endpoints

terraform-aws-tardigrade-vpc-endpoints

Terraform module to create VPC Endpoints

Default Security Group rules

Please be aware that the default Security Groups attached to Endpoints allow Ingress and Egress from anywhere (0.0.0.0/0). It is advised that users adjust these to fit their desired security posture. We recommend a minimum of restricting Ingress to the VPC cidr_block.

Terraform version requirements

Terraform >= 0.12.9 is required due to a bug fix related to empty sets with for_each. The fix was included in version 0.12.9 -- see the Changelog here. The original bug was reported as issue #22281.

Updating documentation

Portions of this module's README.md, and those in its tests directory, are generated automatically. To update the sections inside BEGIN TFDOCS and END TFDOCS run the following:

## This will run terraform-docs in the docker container, which of
## course requires that you have docker...
# The 'init' target is a one time task... it simply clones a "ci" repository to access shared make targets
make init
make docker/run target=docs/generate

## Or
## This will install terraform-docs to your local system, may not
## be desirable for you. And may not work if the make target does
## not account for your OS
make docs/generate

Then commit the updated files.

Testing

Manual testing:

# Replace "xxx" with an actual AWS profile, then execute the integration tests.
export AWS_PROFILE=xxx
make terraform/pytest PYTEST_ARGS="-v --nomock"

For automated testing, PYTEST_ARGS is optional and no profile is needed:

make mockstack/up
make terraform/pytest PYTEST_ARGS="-v"
make mockstack/clean

Requirements

Name        Version
terraform   >= 0.12.26
aws         >= 3.0

Providers

Name   Version
aws    >= 3.0

Resources

Name                             Type
aws_region.selected              data source
aws_subnet.selected              data source
aws_vpc_endpoint_service.this    data source

Inputs

Name: subnet_ids
  Description: Target Subnet IDs for "Interface" services. Also used to resolve the vpc_id.
  Type: list(string)
  Default: n/a
  Required: yes

Name: vpc_endpoint_services
  Description: List of AWS Endpoint service names and types. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for the full list.
  Type:
    list(object({
      name = string
      type = string
    }))
  Default: n/a
  Required: yes

Name: create_sg_per_endpoint
  Description: Toggle to create a SecurityGroup for each VPC Endpoint. Defaults to using just one for all Interface Endpoints. Note that Gateway Endpoints don't support SecurityGroups.
  Type: bool
  Default: false
  Required: no

Name: route_table_ids
  Description: Target Route Table IDs to register "Gateway" services with. "Gateway" Endpoints use Route Tables while "Interface" Endpoints use DNS.
  Type: list(string)
  Default: []
  Required: no

Name: sg_egress_rules
  Description: Egress rules for the VPC Endpoint SecurityGroup(s). Set to an empty list to disable the default rules.
  Type:
    list(object({
      description      = string
      prefix_list_ids  = list(string)
      from_port        = number
      to_port          = number
      protocol         = string
      cidr_blocks      = list(string)
      ipv6_cidr_blocks = list(string)
      security_groups  = list(string)
    }))
  Default:
    [
      {
        "cidr_blocks": ["0.0.0.0/0"],
        "description": null,
        "from_port": 0,
        "ipv6_cidr_blocks": null,
        "prefix_list_ids": null,
        "protocol": "-1",
        "security_groups": null,
        "to_port": 0
      }
    ]
  Required: no

Name: sg_ingress_rules
  Description: Ingress rules for the VPC Endpoint SecurityGroup(s). Set to an empty list to disable the default rules.
  Type:
    list(object({
      description      = string
      prefix_list_ids  = list(string)
      from_port        = number
      to_port          = number
      protocol         = string
      cidr_blocks      = list(string)
      ipv6_cidr_blocks = list(string)
      security_groups  = list(string)
    }))
  Default:
    [
      {
        "cidr_blocks": ["0.0.0.0/0"],
        "description": null,
        "from_port": 0,
        "ipv6_cidr_blocks": null,
        "prefix_list_ids": null,
        "protocol": "-1",
        "security_groups": null,
        "to_port": 0
      }
    ]
  Required: no

Name: tags
  Description: A map of tags to add to the VPC Endpoint and to the SecurityGroup(s).
  Type: map(string)
  Default: {}
  Required: no
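The following is an added example, not part of the module's README, showing how the "Default Security Group rules" advice maps onto the inputs above: the permissive default ingress rule (0.0.0.0/0, all protocols) is replaced with one that admits only HTTPS from the VPC's own cidr_block. The module source URL, the VPC, subnet and route table IDs, and the short service names ("s3", "ssm") are assumptions.

```hcl
# Added example (not the module's own code). IDs below are placeholders.
data "aws_vpc" "this" {
  id = "vpc-0123456789abcdef0" # assumed: the VPC that holds the subnets
}

module "vpc_endpoints" {
  # assumed source; pin a ref (?ref=<tag>) in real use
  source = "git::https://github.com/plus3it/terraform-aws-tardigrade-vpc-endpoints.git"

  # Interface endpoint ENIs land in these subnets; also used to resolve vpc_id
  subnet_ids = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]

  # Gateway endpoints need route tables; Interface endpoints use DNS
  route_table_ids = ["rtb-0ccccccccccccccccc"]

  vpc_endpoint_services = [
    { name = "s3", type = "Gateway" },   # assumed short service name
    { name = "ssm", type = "Interface" }, # assumed short service name
  ]

  # Override the 0.0.0.0/0 default: only HTTPS, and only from inside the VPC.
  # Every object attribute must be present; unused ones are set to null.
  sg_ingress_rules = [
    {
      description      = "HTTPS from the VPC cidr_block only"
      from_port        = 443
      to_port          = 443
      protocol         = "tcp"
      cidr_blocks      = [data.aws_vpc.this.cidr_block]
      ipv6_cidr_blocks = null
      prefix_list_ids  = null
      security_groups  = null
    },
  ]

  # Security groups are stateful, so replies to the ingress above still flow;
  # an empty list removes the default allow-all egress rule entirely.
  sg_egress_rules = []

  tags = {
    Environment = "example"
  }
}
```

A quick check after `terraform apply` is to confirm the resulting group has no `0.0.0.0/0` ingress entry, for instance with `aws ec2 describe-security-groups --group-ids <id>` using the IDs from the `vpc_endpoint_sgs` output.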

Outputs

Name                               Description
vpc_endpoint_gateway_services      n/a
vpc_endpoint_interface_services    n/a
vpc_endpoint_sgs                   n/a