From d040ce1753ee63f002112d0aaf63bb076680859f Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Sun, 30 Jan 2022 12:28:12 -0700
Subject: [PATCH 1/6] Associate Route Tables with Gateway Endpoints
Unfortunately I missed this in #50 and it never bit me until now! The Interface Endpoints are working great as they take the Subnet IDs as an argument. But the Gateway endpoints were _never being used_! They created fine, but they never activated unless Route Table entries were added outside of the module. This update activates Gateway Endpoints by default by looking up the associated Route Tables for each provide Subnet. It then instructs AWS to insert Routes into each Table.
---
 main.tf | 10 ++++++++--
 variables.tf | 2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index 3128011..aabfa25 100644
--- a/main.tf
+++ b/main.tf
@@ -17,6 +17,12 @@ data "aws_vpc_endpoint_service" "this" {
 service_type = title(each.value.type)
 }
+data aws_route_table "gateway_tables" {
+ for_each = toset(var.subnet_ids)
+
+ subnet_id = each.key
+}
+
 locals {
 vpc_id = data.aws_subnet.selected.vpc_id
@@ -83,8 +89,7 @@ resource "aws_vpc_endpoint" "interface_services" {
 tags = var.tags
 vpc_endpoint_type = "Interface"
 vpc_id = local.vpc_id
-
- subnet_ids = var.subnet_ids
+ subnet_ids = var.subnet_ids
 security_group_ids = var.create_sg_per_endpoint ? [aws_security_group.this[each.key].id] : [aws_security_group.this["shared"].id]
@@ -100,4 +105,5 @@ resource "aws_vpc_endpoint" "gateway_services" {
 tags = var.tags
 vpc_endpoint_type = "Gateway"
 vpc_id = local.vpc_id
+ route_table_ids = [for t in data.aws_route_table.gateway_tables : t.route_table_id]
 }
diff --git a/variables.tf b/variables.tf
index 3251221..bb8bcaf 100644
--- a/variables.tf
+++ b/variables.tf
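Review bot: The per-subnet lookup in `data aws_route_table "gateway_tables"` (`subnet_id = each.key`) covers only subnets that have an explicit route-table association; as far as I know this resolves through the `association.subnet-id` match, which does not return the VPC's main route table for subnets that rely on the implicit fallback, so for those subnets I believe the data source finds nothing and the plan errors instead of routing them through the Gateway endpoint. The filter-based rewrite in PATCH 3 keeps the same `association.subnet-id` match, and there an unmatched subnet is dropped silently from `.ids`, recreating the "endpoint exists but nothing routes through it" symptom this series sets out to fix. Either state the requirement next to the lookup, `# subnets must be explicitly associated with a route table; the main-table fallback is not detected here`, and in the `subnet_ids` description, or resolve unmatched subnets to the VPC's main route table. Whether the lookup errors or silently skips depends on provider behaviour I cannot confirm from the hunk alone.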
@@ -53,7 +53,7 @@ variable "sg_ingress_rules" {
 }
 variable "subnet_ids" {
- description = "Target Subnet IDs for \"Interface\" services. Also used to resolve the `vpc_id` for \"Gateway\" services"
+ description = "Target Subnet IDs for \"Interface\" services. Also used to resolve the `vpc_id` and route_table_ids for \"Gateway\" services"
 type = list(string)
 }
From f8e2a17e856ea5068afab617b234167d940fce6a Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Sun, 30 Jan 2022 15:24:23 -0700
Subject: [PATCH 2/6] Update readme, terraform fmt.
---
 README.md | 3 ++-
 main.tf | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 8d26899..fb0f0dc 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ make mockstack/clean
 | Name | Type |
 |------|------|
 | [aws_region.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route_table.gateway_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
@@ -75,7 +76,7 @@ make mockstack/clean
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [subnet\_ids](#input\_subnet\_ids) | Target Subnet IDs for "Interface" services. Also used to resolve the `vpc_id` for "Gateway" services | `list(string)` | n/a | yes |
+| [subnet\_ids](#input\_subnet\_ids) | Target Subnet IDs for "Interface" services. Also used to resolve the `vpc_id` and route\_table\_ids for "Gateway" services | `list(string)` | n/a | yes |
 | [vpc\_endpoint\_services](#input\_vpc\_endpoint\_services) | List of AWS Endpoint service names and types. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. |
list(object({
name = string
type = string
}))
| n/a | yes |
| [create\_sg\_per\_endpoint](#input\_create\_sg\_per\_endpoint) | Toggle to create a SecurityGroup for each VPC Endpoint. Defaults to using just one for all Interface Endpoints. Note that Gateway Endpoints don't support SecurityGroups. | `bool` | `false` | no |
| [sg\_egress\_rules](#input\_sg\_egress\_rules) | Egress rules for the VPC Endpoint SecurityGroup(s). Set to empty list to disable default rules. |
list(object({
description = string
prefix_list_ids = list(string)
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
security_groups = list(string)
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"to_port": 0
}
]
| no |
diff --git a/main.tf b/main.tf
index aabfa25..b1e1a6d 100644
--- a/main.tf
+++ b/main.tf
@@ -17,7 +17,7 @@ data "aws_vpc_endpoint_service" "this" {
 service_type = title(each.value.type)
 }
-data aws_route_table "gateway_tables" {
+data "aws_route_table" "gateway_tables" {
 for_each = toset(var.subnet_ids)
 subnet_id = each.key
From 1c730c7f2492710910bdd9d78e6a4da31a9818ee Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Sun, 30 Jan 2022 19:26:39 -0700
Subject: [PATCH 3/6] Swap to aws_route_tables with appropriate filters.
Enables single-phase, non-targetted plan/apply.
---
 main.tf | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/main.tf b/main.tf
index b1e1a6d..3de7175 100644
--- a/main.tf
+++ b/main.tf
@@ -17,10 +17,16 @@ data "aws_vpc_endpoint_service" "this" {
 service_type = title(each.value.type)
 }
-data "aws_route_table" "gateway_tables" {
- for_each = toset(var.subnet_ids)
+data "aws_route_tables" "gateway_tables" {
+ filter {
+ name = "association.subnet-id"
+ values = var.subnet_ids
+ }
- subnet_id = each.key
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
 }
 locals {
@@ -105,5 +111,5 @@ resource "aws_vpc_endpoint" "gateway_services" {
 tags = var.tags
 vpc_endpoint_type = "Gateway"
 vpc_id = local.vpc_id
- route_table_ids = [for t in data.aws_route_table.gateway_tables : t.route_table_id]
+ route_table_ids = [for t in data.aws_route_tables.gateway_tables.ids : t]
 }
From e38c61047a064c93ab8df0855e42554cc75b2734 Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Sun, 30 Jan 2022 19:32:47 -0700
Subject: [PATCH 4/6] update readme with plural data source
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fb0f0dc..67c4f40 100644
--- a/README.md
+++ b/README.md
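Review bot: `route_table_ids = [for t in data.aws_route_tables.gateway_tables.ids : t]` in the PATCH 3 hunk for `gateway_services` is an identity comprehension; `.ids` is already the list of route table IDs, so the comprehension only suggests a transformation that is not happening. `route_table_ids = data.aws_route_tables.gateway_tables.ids` reads the same and makes it obvious that an empty lookup result flows straight into the endpoint with no route tables. The `aws_vpc_endpoint.gateway_services` resource starts outside the hunk.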
@@ -68,7 +68,7 @@ make mockstack/clean
 | Name | Type |
 |------|------|
 | [aws_region.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_route_table.gateway_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_route_tables.gateway_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
From d6f240ae2b3395021b73220b89af4c652d157c96 Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Mon, 31 Jan 2022 09:20:55 -0700
Subject: [PATCH 5/6] Require route_table_ids as variable.
This is required so that there aren't race conditions between creating the subnet<->route table association and the route table lookup based on the subnets. Also, update tests.
---
 README.md | 4 ++--
 main.tf | 14 +-------------
 tests/gateway_type_endpoint/main.tf | 3 ++-
 tests/multiple_endpoints/main.tf | 7 ++++++-
 variables.tf | 8 +++++++-
 5 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 67c4f40..4475b95 100644
--- a/README.md
+++ b/README.md
@@ -68,7 +68,6 @@ make mockstack/clean
 | Name | Type |
 |------|------|
 | [aws_region.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
-| [aws_route_tables.gateway_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_subnet.selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet) | data source |
 | [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
@@ -76,9 +75,10 @@ make mockstack/clean
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| [subnet\_ids](#input\_subnet\_ids) | Target Subnet IDs for "Interface" services. Also used to resolve the `vpc_id` and route\_table\_ids for "Gateway" services | `list(string)` | n/a | yes |
+| [subnet\_ids](#input\_subnet\_ids) | Target Subnet IDs for "Interface" services. Also used to resolve the `vpc_id`. | `list(string)` | n/a | yes |
 | [vpc\_endpoint\_services](#input\_vpc\_endpoint\_services) | List of AWS Endpoint service names and types. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. |
list(object({
name = string
type = string
}))
| n/a | yes |
| [create\_sg\_per\_endpoint](#input\_create\_sg\_per\_endpoint) | Toggle to create a SecurityGroup for each VPC Endpoint. Defaults to using just one for all Interface Endpoints. Note that Gateway Endpoints don't support SecurityGroups. | `bool` | `false` | no |
+| [route\_table\_ids](#input\_route\_table\_ids) | Target Route Table IDs to register "Gateway" services with. "Gateway" Endpoints use Route Tables while "Interface" Endpoints use DNS. | `list(string)` | `[]` | no |
| [sg\_egress\_rules](#input\_sg\_egress\_rules) | Egress rules for the VPC Endpoint SecurityGroup(s). Set to empty list to disable default rules. |
list(object({
description = string
prefix_list_ids = list(string)
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
security_groups = list(string)
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"to_port": 0
}
]
| no |
| [sg\_ingress\_rules](#input\_sg\_ingress\_rules) | Ingress rules for the VPC Endpoint SecurityGroup(s). Set to empty list to disable default rules. |
list(object({
description = string
prefix_list_ids = list(string)
from_port = number
to_port = number
protocol = string
cidr_blocks = list(string)
ipv6_cidr_blocks = list(string)
security_groups = list(string)
}))
|
[
{
"cidr_blocks": [
"0.0.0.0/0"
],
"description": null,
"from_port": 0,
"ipv6_cidr_blocks": null,
"prefix_list_ids": null,
"protocol": "-1",
"security_groups": null,
"to_port": 0
}
]
| no |
| [tags](#input\_tags) | A map of tags to add to the VPC Endpoint and to the SecurityGroup(s). | `map(string)` | `{}` | no |
diff --git a/main.tf b/main.tf
index 3de7175..e574f7a 100644
--- a/main.tf
+++ b/main.tf
@@ -17,18 +17,6 @@ data "aws_vpc_endpoint_service" "this" {
 service_type = title(each.value.type)
 }
-data "aws_route_tables" "gateway_tables" {
- filter {
- name = "association.subnet-id"
- values = var.subnet_ids
- }
-
- filter {
- name = "vpc-id"
- values = [local.vpc_id]
- }
-}
-
 locals {
 vpc_id = data.aws_subnet.selected.vpc_id
@@ -111,5 +99,5 @@ resource "aws_vpc_endpoint" "gateway_services" {
 tags = var.tags
 vpc_endpoint_type = "Gateway"
 vpc_id = local.vpc_id
- route_table_ids = [for t in data.aws_route_tables.gateway_tables.ids : t]
+ route_table_ids = var.route_table_ids
 }
diff --git a/tests/gateway_type_endpoint/main.tf b/tests/gateway_type_endpoint/main.tf
index a1b24e4..ca11777 100644
--- a/tests/gateway_type_endpoint/main.tf
+++ b/tests/gateway_type_endpoint/main.tf
@@ -26,5 +26,6 @@ module "gateway_type_endpoint" {
 },
 ]
- subnet_ids = module.vpc.private_subnets
+ subnet_ids = module.vpc.private_subnets
+ route_table_ids = module.vpc.private_route_table_ids
 }
diff --git a/tests/multiple_endpoints/main.tf b/tests/multiple_endpoints/main.tf
index cc01d0e..15d228c 100644
--- a/tests/multiple_endpoints/main.tf
+++ b/tests/multiple_endpoints/main.tf
@@ -40,7 +40,12 @@ module "config_endpoint" {
 name = "s3"
 type = "Interface"
 },
+ {
+ name = "dynamodb"
+ type = "Gateway"
+ },
 ]
- subnet_ids = module.vpc.private_subnets
+ subnet_ids = module.vpc.private_subnets
+ route_table_ids = module.vpc.private_route_table_ids
 }
diff --git a/variables.tf b/variables.tf
index bb8bcaf..855e38b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -53,10 +53,16 @@ variable "sg_ingress_rules" {
 }
 variable "subnet_ids" {
- description = "Target Subnet IDs for \"Interface\" services. Also used to resolve the `vpc_id` and route_table_ids for \"Gateway\" services"
+ description = "Target Subnet IDs for \"Interface\" services. Also used to resolve the `vpc_id`."
 type = list(string)
 }
+variable "route_table_ids" {
+ description = "Target Route Table IDs to register \"Gateway\" services with. \"Gateway\" Endpoints use Route Tables while \"Interface\" Endpoints use DNS."
+ type = list(string)
+ default = []
+}
+
 variable "vpc_endpoint_services" {
 description = "List of AWS Endpoint service names and types. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list."
 type = list(object({
From 1da005d0299b5066495a0db08e8d6352eb14738a Mon Sep 17 00:00:00 2001
From: Matt Klich
Date: Mon, 7 Feb 2022 11:29:15 -0700
Subject: [PATCH 6/6] Apply release/version patch
---
 .bumpversion.cfg | 2 +-
 CHANGELOG.md | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
index b1d0534..13dcbf5 100644
--- a/.bumpversion.cfg
+++ b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 6.0.0
+current_version = 6.1.0
 commit = True
 message = Bumps version to {new_version}
 tag = False
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b6d05ff..d77202e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
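Review bot: `default = []` on the new `route_table_ids` variable makes the failure mode this series set out to fix the silent default again: with a `"Gateway"` entry in `vpc_endpoint_services` and no route tables supplied, the `gateway_services` resource in the same patch (`route_table_ids = var.route_table_ids`) is created with nothing attached, so no route is installed, traffic to the service keeps leaving through whatever default route the subnet has, and neither Terraform nor the provider reports an error. A `validation` block on this variable could not reference `var.vpc_endpoint_services` in the Terraform versions current when this was written, so the practical fix is documentation; extend the description with `Required for any \"Gateway\" entry in vpc_endpoint_services; an empty list creates the Gateway Endpoint without any route, so traffic continues to bypass it.` and mirror the sentence in the README row added in this patch. It is also worth stating that the tables are expected to belong to the VPC resolved from `subnet_ids`, since the module no longer checks that after the lookup was removed.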
@@ -4,6 +4,16 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
+### 6.1.0
+
+** Released**: 2021.02.05
+
+**Commit Delta**: [Change from 6.0.0 release](https://github.com/plus3it/terraform-aws-tardigrade-vpc-endpoints/compare/6.0.0...6.1.0)
+
+**Summary**:
+
+* Adds `route_table_ids` to create route entries for Gateway endpoint services
+
 ### 4.0.1
 ** Released**: 2020.04.10