/terraform-aws-unmanaged-endpoint

Primary LanguageHCL

terraform-aws-unmanaged-endpoint

Terraform resource module that creates a VPC interface endpoint with an optional alternative private FQDN and built-in security group.

The alternate private FQDN is accomplished by creating a private zone (or using an existing one), and establishing an alias record to this VPC endpoint. This is useful for communicating with services across a VPC endpoint via HTTPS when a given domain is protected by a certificate, or when a webserverx expects HTTP(s) headers to be of a particular initiating DNS name..

This module captures the usage patterns required to specify a working endpoint within a single invocation.

Features:

This module aims to enable inter-VPC communication using a VPC endpoint to an already established VPC endpoint service.

  • VPC interface endpoint creation.
  • VPC endpoint service attribute discovery.
  • Arbitrary private DNS FQDN creation, pointing to the created VPC endpoint.
  • Default security group open to private traffic. Default may be overridden.
  • Conditional resource creation.

Usage:

See the examples directory for complete example usage.

Dependencies

Binary Version
terraform >= 0.13.0
Provider Version
aws >= 2.41
Resource
aws_vpc
aws_subnet

Inputs:

Name Description Type Default Required
vpc_id AWS ID of the VPC in which resources will be created and associated with. string nil yes
name Name which will be applied to all created resources, where applicable. string "VPC Endpoint" no
vpc_endpoint_service_name AWS Registry name of the VPC endpoint service which this VPC endpoint will be associated with. Must be specified in the form of an FQDN. string nil yes
subnet_ids AWS Registry name of the VPC endpoint service which this VPC endpoint will be associated with. Must be specified in the form of an FQDN. list(string) nil yes
security_group_ids List of security groups that restrict access to this VPC endpoint. Overrides security_group_ingress_rules and security_group_cidr_blocks. list(string) nil yes
security_group_ingress_rules List of ingress rules that apply to the built-in security group. Overridden by security_group_ids. list(tuple([ number, number, string ])) [ [ 0, 0, "-1", ], ] no
security_group_cidr_blocks List of IPv4 CIDR blocks that apply to the built-in security group ingress rules. Overridden by security_group_ids list(string) [ "0.0.0.0/0", ] no
policy IAM policy for restricting access to this VPC endpoint. Defaults to full access. Expects an ARN. string nil no
alternate_private_dns Attributes which set a domain and alias record that points to a VPC endpoint. Useful when a VPC endpoint service requires traffic to be initated using a specific URL in order to route requests properly. object({name = string, domain = string, zone_id = ""}) {name = "", domain = "", zone_id = ""}) no
tags Map of AWS tags which apply to the VPC endpoint. map(string) nil no
create_resources Controls whether any resource in-module is created. bool true no

Outputs:

Name Description Type
endpoint_id AWS Id of the VPC interface endpoint. string
endpoint_network_interface_ids List of network interface (EIF) IDs for the VPC endpoint. list(string)
endpoint_dns_entry List of DNS attributes that describe the VPC endpoint interface(s) - accessible only within the VPC this VPC endpoint resides. Includes dns_name and hosted_zone_id. list(object({ dns_name = string, hosted_zone_id = string, }))
endpoint_alternate_dns_entry "Private DNS attributes associated with a VPC endpoint interface. This can be useful when dealing with VPC endpoint services which expect initiators to use a specific URL to route requests internally. object({dns_name = string, hosted_zone_id = string})

Resource Types

  • aws_vpc_endpoint
  • aws_route53_zone
  • aws_route53_record
  • aws_security_group

Contributing

Report issues/questions/feature requests on in the issues section.

Full contributing guidelines are covered here.

Change Log

The changelog captures all important release notes.

Authors

Created and maintained by David Hay - david.hay@nebulate.tech