Merge pull request #22 from lorengordon/evan-master

Create security group per endpoint and add support for endpoint by name instead of URL
plus3it · Nov 4, 2019 · e595e67 · e595e67
2 parents 4001129 + b283b52
commit e595e67
Show file tree

Hide file tree

Showing 10 changed files with 105 additions and 31 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.2
+current_version = 2.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
 
+### 2.0.0
+
+**Released**: 2019.11.1
+
+**Commit Delta**: [Change from 1.0.2 release](https://github.com/plus3it/terraform-aws-tardigrade-vpc-endpoints/compare/1.0.2...2.0.0)
+
+**Summary**:
+
+*   Uses service names instead of interface names to identify vpc endpoints (backwards incompatible)
+*   Adds support for creating a security group per vpc endpoint
+
 ### 1.0.2
 
 **Released**: 2019.10.28

diff --git a/README.md b/README.md
@@ -6,8 +6,18 @@ Terraform module to create VPC Endpoints
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
+| create\_sg\_per\_endpoint | toggle to create a sg for each vpc endpoint. Defaults to using just one for all endpoints. | bool | `"false"` | no |
 | create\_vpc\_endpoints | toggle to create vpc endpoints | bool | `"true"` | no |
+| sg\_egress\_rules | Egress rules for the vpc endpoint sg(s). Set to empty list to disable default rules. | list | `"null"` | no |
+| sg\_ingress\_rules | Ingress rules for the vpc endpoint sg(s). Set to empty list to disable default rules. | list | `"null"` | no |
 | subnet\_ids | target subnet ids | list(string) | `<list>` | no |
 | tags | A map of tags to add to the VPC endpoint SG | map(string) | `<map>` | no |
-| vpc\_endpoint\_interfaces | List of aws api endpoints that are used to create VPC Interface endpoints. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. | list(string) | `<list>` | no |
+| vpc\_endpoint\_services | List of aws endpoint service names that are used to create VPC Interface endpoints. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. | list(string) | `<list>` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| vpc\_endpoint\_interface\_services |  |
+| vpc\_endpoint\_sgs |  |
 
diff --git a/main.tf b/main.tf
@@ -4,53 +4,83 @@ data "aws_subnet" "selected" {
   id = var.subnet_ids[0]
 }
 
+data "aws_vpc_endpoint_service" "this" {
+  count = var.create_vpc_endpoints ? length(var.vpc_endpoint_services) : 0
+
+  service = var.vpc_endpoint_services[count.index]
+}
+
 data "aws_vpc" "selected" {
   count = var.create_vpc_endpoints ? 1 : 0
 
   id = local.vpc_id
 }
 
 locals {
+  sg_egress_rules_default = list({
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  })
+  sg_ingress_rules_default = list({
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = [local.vpc_cidr]
+  })
   vpc_id   = join("", data.aws_subnet.selected.*.vpc_id)
   vpc_cidr = join("", data.aws_vpc.selected.*.cidr_block)
 }
 
 resource "aws_security_group" "this" {
-  count = var.create_vpc_endpoints ? 1 : 0
+  count = var.create_vpc_endpoints ? (var.create_sg_per_endpoint ? length(var.vpc_endpoint_services) : 1) : 0
 
-  description = "VPC Interface Endpoints - Allow inbound from ${local.vpc_id} and allow all outbound"
+  description = var.create_sg_per_endpoint ? "VPC Interface ${var.vpc_endpoint_services[count.index]} Endpoint" : "VPC Interface Endpoints - Allow inbound from ${local.vpc_id} and allow all outbound"
   vpc_id      = local.vpc_id
 
-  ingress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = [local.vpc_cidr]
+  dynamic "egress" {
+    for_each = var.sg_egress_rules != null ? var.sg_egress_rules : local.sg_egress_rules_default
+    content {
+      description      = lookup(egress.value, "description", null)
+      prefix_list_ids  = lookup(egress.value, "prefix_list_ids", null)
+      from_port        = lookup(egress.value, "from_port", null)
+      to_port          = lookup(egress.value, "to_port", null)
+      protocol         = lookup(egress.value, "protocol", null)
+      cidr_blocks      = lookup(egress.value, "cidr_blocks", null)
+      ipv6_cidr_blocks = lookup(egress.value, "ipv6_cidr_blocks", null)
+      security_groups  = lookup(egress.value, "security_groups", null)
+    }
   }
 
-  egress {
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
+  dynamic "ingress" {
+    for_each = var.sg_ingress_rules != null ? var.sg_ingress_rules : local.sg_ingress_rules_default
+    content {
+      description      = lookup(ingress.value, "description", null)
+      prefix_list_ids  = lookup(ingress.value, "prefix_list_ids", null)
+      from_port        = lookup(ingress.value, "from_port", null)
+      to_port          = lookup(ingress.value, "to_port", null)
+      protocol         = lookup(ingress.value, "protocol", null)
+      cidr_blocks      = lookup(ingress.value, "cidr_blocks", null)
+      ipv6_cidr_blocks = lookup(ingress.value, "ipv6_cidr_blocks", null)
+      security_groups  = lookup(ingress.value, "security_groups", null)
+    }
   }
 
   tags = var.tags
 }
 
 resource "aws_vpc_endpoint" "interface_services" {
-  count = var.create_vpc_endpoints ? length(var.vpc_endpoint_interfaces) : 0
+  count = var.create_vpc_endpoints ? length(var.vpc_endpoint_services) : 0
 
   vpc_id            = local.vpc_id
-  service_name      = var.vpc_endpoint_interfaces[count.index]
+  service_name      = data.aws_vpc_endpoint_service.this[count.index].service_name
   vpc_endpoint_type = "Interface"
   auto_accept       = true
 
   subnet_ids = var.subnet_ids
 
-  security_group_ids = [
-    aws_security_group.this[0].id,
-  ]
+  security_group_ids = var.create_sg_per_endpoint ? [aws_security_group.this[count.index].id] : [aws_security_group.this[0].id]
 
   private_dns_enabled = true # https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns
 }

diff --git a/outputs.tf b/outputs.tf
@@ -1 +1,7 @@
+output "vpc_endpoint_sgs" {
+  value = aws_security_group.this
+}
 
+output "vpc_endpoint_interface_services" {
+  value = aws_vpc_endpoint.interface_services
+}
diff --git a/tests/config_endpoint/main.tf b/tests/config_endpoint/main.tf
@@ -29,7 +29,7 @@ module "config_endpoint" {
     aws = aws
   }
 
-  create_vpc_endpoints    = true
-  vpc_endpoint_interfaces = ["com.amazonaws.us-east-1.config"]
-  subnet_ids              = module.vpc.private_subnets
+  create_vpc_endpoints  = true
+  vpc_endpoint_services = ["config"]
+  subnet_ids            = module.vpc.private_subnets
 }
diff --git a/tests/go.mod b/tests/go.mod
@@ -4,8 +4,6 @@ go 1.12
 
 require (
 	github.com/gruntwork-io/terratest v0.22.2
-	github.com/magiconair/properties v1.8.1 // indirect
-	github.com/stretchr/testify v1.4.0 // indirect
 	golang.org/x/crypto v0.0.0-20190829043050-9756ffdc2472 // indirect
 	golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297 // indirect
 )
diff --git a/tests/go.sum b/tests/go.sum
@@ -23,6 +23,7 @@ github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBW
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=

diff --git a/tests/multiple_endpoints/main.tf b/tests/multiple_endpoints/main.tf
@@ -30,11 +30,11 @@ module "config_endpoint" {
   }
 
   create_vpc_endpoints = true
-  vpc_endpoint_interfaces = [
-    "com.amazonaws.us-east-1.config",
-    "com.amazonaws.us-east-1.codepipeline",
-    "com.amazonaws.us-east-1.monitoring",
-    "com.amazonaws.us-east-1.ec2",
+  vpc_endpoint_services = [
+    "config",
+    "codepipeline",
+    "monitoring",
+    "ec2",
   ]
   subnet_ids = module.vpc.private_subnets
 }
diff --git a/variables.tf b/variables.tf
@@ -1,18 +1,36 @@
+variable "create_sg_per_endpoint" {
+  description = "toggle to create a sg for each vpc endpoint. Defaults to using just one for all endpoints."
+  type        = bool
+  default     = false
+}
+
 variable "create_vpc_endpoints" {
   description = "toggle to create vpc endpoints"
   type        = bool
   default     = true
 }
 
+variable "sg_egress_rules" {
+  description = "Egress rules for the vpc endpoint sg(s). Set to empty list to disable default rules."
+  type        = list
+  default     = null
+}
+
+variable "sg_ingress_rules" {
+  description = "Ingress rules for the vpc endpoint sg(s). Set to empty list to disable default rules."
+  type        = list
+  default     = null
+}
+
 variable "subnet_ids" {
   type        = list(string)
   description = "target subnet ids"
   default     = []
 }
 
-variable "vpc_endpoint_interfaces" {
+variable "vpc_endpoint_services" {
   type        = list(string)
-  description = "List of aws api endpoints that are used to create VPC Interface endpoints. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list."
+  description = "List of aws endpoint service names that are used to create VPC Interface endpoints. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list."
   default     = []
 }