From bb60b18aa8f939871a492641293073fb01889bb7 Mon Sep 17 00:00:00 2001
From: Bryant Biggs
Date: Mon, 19 Apr 2021 09:17:01 -0400
Subject: [PATCH 1/4] refactor: remove existing vpc endpoint configurations from base module and move into sub-module

BREAKING: VPC endpoint resources are removed in favor of sub-module and `for_each` creation of any VPC endpoints
BREAKING: AWS provider has been updated from v2.70 to v3.15 for VPC endpoint changes and available attributes
---
 README.md                                     |  741 +------
 UPGRADE-3.0.md                                |   56 +
 examples/complete-vpc/README.md               |    9 +-
 examples/complete-vpc/main.tf                 |  282 +--
 examples/complete-vpc/outputs.tf              |   12 +-
 examples/complete-vpc/versions.tf             |    4 +-
 examples/ipv6/README.md                       |   12 +-
 examples/ipv6/main.tf                         |   11 +-
 examples/ipv6/versions.tf                     |    4 +-
 .../issue-108-route-already-exists/README.md  |   57 -
 .../issue-108-route-already-exists/main.tf    |   21 -
 .../issue-108-route-already-exists/outputs.tf |   33 -
 .../versions.tf                               |   10 -
 .../README.md                                 |   55 -
 .../main.tf                                   |   28 -
 .../outputs.tf                                |   33 -
 .../variables.tf                              |    0
 .../issue-46-no-private-subnets/README.md     |   55 -
 examples/issue-46-no-private-subnets/main.tf  |   26 -
 .../issue-46-no-private-subnets/outputs.tf    |   33 -
 .../issue-46-no-private-subnets/variables.tf  |    0
 examples/issues/README.md                     |   72 +
 examples/issues/main.tf                       |   80 +
 examples/issues/outputs.tf                    |  110 +
 .../variables.tf                              |    0
 .../versions.tf                               |    4 +-
 examples/manage-default-vpc/README.md         |    4 +-
 examples/manage-default-vpc/main.tf           |    8 +
 examples/manage-default-vpc/versions.tf       |    4 +-
 examples/network-acls/README.md               |    4 +-
 examples/network-acls/main.tf                 |   98 +-
 examples/network-acls/versions.tf             |    4 +-
 examples/outpost/README.md                    |    6 +-
 examples/outpost/main.tf                      |  103 +-
 examples/outpost/versions.tf                  |    7 +-
 examples/secondary-cidr-blocks/README.md      |    4 +-
 examples/secondary-cidr-blocks/main.tf        |   11 +-
 examples/secondary-cidr-blocks/versions.tf    |    4 +-
 examples/simple-vpc/README.md                 |    4 +-
 examples/simple-vpc/main.tf                   |   15 +-
 examples/simple-vpc/versions.tf               |    4 +-
 examples/vpc-flow-logs/README.md              |    4 +-
 examples/vpc-flow-logs/cloud-watch-logs.tf    |  103 -
 examples/vpc-flow-logs/main.tf                |  160 +-
 examples/vpc-flow-logs/s3.tf                  |   73 -
 examples/vpc-flow-logs/versions.tf            |    2 +-
 .../README.md                                 |    4 +-
 .../vpc-separate-private-route-tables/main.tf |   11 +-
 .../versions.tf                               |    4 +-
 main.tf                                       |  175 +-
 modules/vpc-endpoints/README.md               |  101 +
 modules/vpc-endpoints/main.tf                 |   38 +
 modules/vpc-endpoints/outputs.tf              |    4 +
 modules/vpc-endpoints/variables.tf            |   34 +
 .../vpc-endpoints}/versions.tf                |    4 +-
 outputs.tf                                    |  966 +--------
 variables.tf                                  | 1861 -----------------
 versions.tf                                   |    4 +-
 vpc-endpoints.tf                              | 1590 --------------
 vpc-flow-logs.tf                              |   13 +-
 60 files changed, 1145 insertions(+), 6034 deletions(-)
 create mode 100644 UPGRADE-3.0.md
 delete mode 100644 examples/issue-108-route-already-exists/README.md
 delete mode 100644 examples/issue-108-route-already-exists/main.tf
 delete mode 100644 examples/issue-108-route-already-exists/outputs.tf
 delete mode 100644 examples/issue-108-route-already-exists/versions.tf
 delete mode 100644 examples/issue-44-asymmetric-private-subnets/README.md
 delete mode 100644 examples/issue-44-asymmetric-private-subnets/main.tf
 delete mode 100644 examples/issue-44-asymmetric-private-subnets/outputs.tf
 delete mode 100644 examples/issue-44-asymmetric-private-subnets/variables.tf
 delete mode 100644 examples/issue-46-no-private-subnets/README.md
 delete mode 100644 examples/issue-46-no-private-subnets/main.tf
 delete mode 100644 examples/issue-46-no-private-subnets/outputs.tf
 delete mode 100644 examples/issue-46-no-private-subnets/variables.tf
 create mode 100644 examples/issues/README.md
 create mode 100644 examples/issues/main.tf
 create mode 100644 examples/issues/outputs.tf
 rename examples/{issue-108-route-already-exists => issues}/variables.tf (100%)
 rename examples/{issue-44-asymmetric-private-subnets => issues}/versions.tf (60%)
 delete mode 100644 examples/vpc-flow-logs/cloud-watch-logs.tf
 delete mode 100644 examples/vpc-flow-logs/s3.tf
 create mode 100644 modules/vpc-endpoints/README.md
 create mode 100644 modules/vpc-endpoints/main.tf
 create mode 100644 modules/vpc-endpoints/outputs.tf
 create mode 100644 modules/vpc-endpoints/variables.tf
 rename {examples/issue-46-no-private-subnets => modules/vpc-endpoints}/versions.tf (60%)
 delete mode 100644 vpc-endpoints.tf

diff --git a/README.md b/README.md index 2b16892c5..f86098ecd 100644 --- a/README.md +++ b/README.md
@@ -1,50 +1,11 @@ # AWS VPC Terraform module -[![Help Contribute to Open Source](https://www.codetriage.com/terraform-aws-modules/terraform-aws-vpc/badges/users.svg)](https://www.codetriage.com/terraform-aws-modules/terraform-aws-vpc) -![GitHub tag (latest by date)](https://img.shields.io/github/v/tag/terraform-aws-modules/terraform-aws-vpc) - - Terraform module which creates VPC resources on AWS. -These types of resources are supported: - -* [VPC](https://www.terraform.io/docs/providers/aws/r/vpc.html) -* [Subnet](https://www.terraform.io/docs/providers/aws/r/subnet.html) -* [Route](https://www.terraform.io/docs/providers/aws/r/route.html) -* [Route table](https://www.terraform.io/docs/providers/aws/r/route_table.html) -* [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html) -* [Network ACL](https://www.terraform.io/docs/providers/aws/r/network_acl.html) -* [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html) -* [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) -* [VPC Flow Log](https://www.terraform.io/docs/providers/aws/r/flow_log.html) -* [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): - * Gateway: S3, DynamoDB - * Interface: S3, EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS, -ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), -Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codeartifact(API, Repositories), CodeBuild, CodeCommit, -Git-Codecommit, Textract, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), -CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream API, AppStream Streaming, -Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR), -DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access 
Analyzer, Auto Scaling Plans, -Application Auto Scaling, Workspaces, ACM PCA, RDS, CodeDeploy, CodeDeploy Commands Secure, DMS - -* [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) -* [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) -* [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) -* [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html) -* [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html) -* [Default Network ACL](https://www.terraform.io/docs/providers/aws/r/default_network_acl.html) - Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://www.cloudcraft.co/?utm_source=terraform-aws-vpc) Cloudcraft - the best way to draw AWS diagrams -## Terraform versions - -Terraform 0.12 and newer. Pin module version to `~> v2.0`. Submit pull-requests to `master` branch. - -Terraform 0.11. Pin module version to `~> v1.0`. Submit pull-requests to `terraform011` branch. - ## Usage ```hcl @@ -77,6 +38,7 @@ To that end, it is possible to assign existing IPs to the NAT Gateways. This prevents the destruction of the VPC from releasing those IPs, while making it possible that a re-created VPC uses the same IPs. To achieve this, allocate the IPs outside the VPC module declaration. + ```hcl resource "aws_eip" "nat" { count = 3 @@ -86,6 +48,7 @@ resource "aws_eip" "nat" { ``` Then, pass the allocated IPs as a parameter to this module. + ```hcl module "vpc" { source = "terraform-aws-modules/vpc/aws" 
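Review bot: the deleted "Terraform versions" section was the only place the README told consumers to pin the module (`~> v2.0`), and the Usage snippet left in context (`source = "terraform-aws-modules/vpc/aws"`) carries no `version` constraint; because this patch is a breaking major bump that removes the endpoint resources from the root module, an unpinned consumer picks up the new major on the next `terraform init -upgrade` and sees every endpoint planned for destruction. Replace the section rather than drop it: state the new pin (`~> 3.0`, with `~> 2.0` for the previous line), link the UPGRADE-3.0.md this patch creates, and add a `version` line to the Usage block. The removed resource list was also the only README mention of which endpoints the module can create; point to modules/vpc-endpoints/README.md in its place so the feature does not vanish from the docs.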
@@ -107,24 +70,24 @@ Passing the IPs into the module is done by setting two variables `reuse_nat_ips This module supports three scenarios for creating NAT gateways. Each will be explained in further detail in the corresponding sections. -* One NAT Gateway per subnet (default behavior) - * `enable_nat_gateway = true` - * `single_nat_gateway = false` - * `one_nat_gateway_per_az = false` -* Single NAT Gateway - * `enable_nat_gateway = true` - * `single_nat_gateway = true` - * `one_nat_gateway_per_az = false` -* One NAT Gateway per availability zone - * `enable_nat_gateway = true` - * `single_nat_gateway = false` - * `one_nat_gateway_per_az = true` +- One NAT Gateway per subnet (default behavior) + - `enable_nat_gateway = true` + - `single_nat_gateway = false` + - `one_nat_gateway_per_az = false` +- Single NAT Gateway + - `enable_nat_gateway = true` + - `single_nat_gateway = true` + - `one_nat_gateway_per_az = false` +- One NAT Gateway per availability zone + - `enable_nat_gateway = true` + - `single_nat_gateway = false` + - `one_nat_gateway_per_az = true` If both `single_nat_gateway` and `one_nat_gateway_per_az` are set to `true`, then `single_nat_gateway` takes precedence. ### One NAT Gateway per subnet (default) -By default, the module will determine the number of NAT Gateways to create based on the the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). The module **does not** take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following: +By default, the module will determine the number of NAT Gateways to create based on the the `max()` of the private subnet lists (`database_subnets`, `elasticache_subnets`, `private_subnets`, and `redshift_subnets`). 
The module **does not** take into account the number of `intra_subnets`, since the latter are designed to have no Internet access via NAT Gateway. For example, if your configuration looks like the following: ```hcl database_subnets = ["10.0.21.0/24", "10.0.22.0/24"] @@ -144,8 +107,8 @@ If `single_nat_gateway = true`, then all private subnets will route their Intern If `one_nat_gateway_per_az = true` and `single_nat_gateway = false`, then the module will place one NAT gateway in each availability zone you specify in `var.azs`. There are some requirements around using this feature flag: -* The variable `var.azs` **must** be specified. -* The number of public subnet CIDR blocks specified in `public_subnets` **must** be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to. +- The variable `var.azs` **must** be specified. +- The number of public subnet CIDR blocks specified in `public_subnets` **must** be greater than or equal to the number of availability zones specified in `var.azs`. This is to ensure that each NAT Gateway has a dedicated public subnet to deploy to. ## "private" versus "intra" subnets 
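Review bot: the rewritten paragraph under "One NAT Gateway per subnet (default)" carries the duplicated word in "based on the the `max()`" from the `-` line into the `+` line; since the line is being touched anyway, drop the extra "the". The `*` to `-` bullet-marker change in both hunks is harmless on its own, but it adds a lot of formatting-only churn to a diff whose stated purpose is the endpoint refactor; splitting the cosmetic changes into their own commit would make the breaking part easier to review.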
@@ -214,29 +177,29 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway ## Examples -* [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) -* [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks) -* [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) -* [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6) -* [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) -* [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs) -* [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost) -* [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) -* Few tests and edge cases examples: [#46](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-46-no-private-subnets), [#44](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-44-asymmetric-private-subnets), [#108](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-108-route-already-exists) +- [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) +- [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks) +- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) +- [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6) +- [Network 
ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) +- [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs) +- [VPC with Outpost](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/outpost) +- [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) +- [Few tests and edge case examples](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issues) ## Requirements | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.70 | +| [aws](#provider\_aws) | >= 3.15 | ## Modules 
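Review bot: the Requirements and Providers rows raise terraform from `>= 0.12.21` to `>= 0.12.26` as well as aws from `>= 2.70` to `>= 3.15`, but the commit message's BREAKING lines only mention the provider bump; call out the Terraform floor change (and the reason for it) in the commit message or UPGRADE-3.0.md, since consumers on 0.12.21 through 0.12.25 will fail `init` with nothing in the changelog explaining why. The consolidated `examples/issues` link is fine, but the old bullet named the three regression cases by issue number (#46, #44, #108) and the new link text loses them; keep the numbers in the link text so the examples stay discoverable from the issue tracker.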
@@ -315,80 +278,6 @@ No modules. | [aws_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) | resource | | [aws_vpc_dhcp_options.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) | resource | | [aws_vpc_dhcp_options_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) | resource | -| [aws_vpc_endpoint.access_analyzer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.acm_pca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.apigw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.appmesh_envoy_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.appstream_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.appstream_streaming](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.athena](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.auto_scaling_plans](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.cloud_directory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.cloudformation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| 
[aws_vpc_endpoint.codeartifact_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codeartifact_repositories](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codedeploy_commands_secure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.datasync](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.dms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ec2_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| 
[aws_vpc_endpoint.ec2messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ecr_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ecr_dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ecs_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ecs_telemetry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.elastic_inference_runtime](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.elasticbeanstalk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.elasticbeanstalk_health](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.elasticloadbalancing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.emr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.git_codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| 
[aws_vpc_endpoint.glue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.kinesis_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.kinesis_streams](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.qldb_session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.rekognition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sagemaker_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sagemaker_notebook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sagemaker_runtime](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| 
[aws_vpc_endpoint.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ses](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.ssmmessages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.storagegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.textract](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.transfer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.transferserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | -| [aws_vpc_endpoint.workspaces](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | 
resource | -| [aws_vpc_endpoint_route_table_association.intra_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | -| [aws_vpc_endpoint_route_table_association.intra_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | -| [aws_vpc_endpoint_route_table_association.private_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | -| [aws_vpc_endpoint_route_table_association.private_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | -| [aws_vpc_endpoint_route_table_association.public_dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | -| [aws_vpc_endpoint_route_table_association.public_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource | | [aws_vpc_ipv4_cidr_block_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) | resource | | [aws_vpn_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway) | resource | | [aws_vpn_gateway_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_attachment) | resource | 
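Review bot: removing the `aws_vpc_endpoint.*` resources and the six `aws_vpc_endpoint_route_table_association.{intra,private,public}_{s3,dynamodb}` resources from the root module means that any consumer who had endpoints enabled will, on the first v3 apply, see those endpoints and associations planned for destruction and then recreated under the sub-module's addresses; UPGRADE-3.0.md should give the `terraform state mv` steps from the old root addresses to the new ones so the migration is a no-op at the API level. The route-table associations deserve a specific call-out: the root module wired the S3 and DynamoDB gateway endpoints into its own private, intra and public route tables implicitly, whereas a separate sub-module cannot see those tables and has to be handed the route table IDs. A consumer who reinstates the gateway endpoints but does not pass the route tables ends up with endpoints that exist but sit on no path, so S3/DynamoDB traffic quietly leaves via the NAT gateway or IGW instead, and the endpoint policy no longer governs it.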
@@ -397,148 +286,15 @@ No modules. | [aws_vpn_gateway_route_propagation.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) | resource | | [aws_iam_policy_document.flow_log_cloudwatch_assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.vpc_flow_log_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_vpc_endpoint_service.access_analyzer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.acm_pca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.apigw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.appmesh_envoy_management](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.appstream_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.appstream_streaming](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.athena](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.auto_scaling_plans](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.cloud_directory](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | 
-| [aws_vpc_endpoint_service.cloudformation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codeartifact_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codeartifact_repositories](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codebuild](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codedeploy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codedeploy_commands_secure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.codepipeline](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.datasync](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.dms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| 
[aws_vpc_endpoint_service.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ebs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ec2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ec2_autoscaling](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ec2messages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ecr_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ecr_dkr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ecs_agent](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ecs_telemetry](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.efs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.elastic_inference_runtime](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| 
[aws_vpc_endpoint_service.elasticbeanstalk](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.elasticbeanstalk_health](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.elasticloadbalancing](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.emr](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.events](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.git_codecommit](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.glue](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.kinesis_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.kinesis_streams](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| 
[aws_vpc_endpoint_service.monitoring](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.qldb_session](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.rds](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.rekognition](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sagemaker_api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sagemaker_notebook](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sagemaker_runtime](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.secretsmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.servicecatalog](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ses](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| 
[aws_vpc_endpoint_service.sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sqs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ssm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.ssmmessages](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.states](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.storagegateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.sts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.textract](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.transfer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.transferserver](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | -| [aws_vpc_endpoint_service.workspaces](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [access\_analyzer\_endpoint\_policy](#input\_access\_analyzer\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [access\_analyzer\_endpoint\_private\_dns\_enabled](#input\_access\_analyzer\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint | `bool` | `false` | no | -| [access\_analyzer\_endpoint\_security\_group\_ids](#input\_access\_analyzer\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint | `list(string)` | `[]` | no | -| [access\_analyzer\_endpoint\_subnet\_ids](#input\_access\_analyzer\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [acm\_pca\_endpoint\_policy](#input\_acm\_pca\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [acm\_pca\_endpoint\_private\_dns\_enabled](#input\_acm\_pca\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no | -| [acm\_pca\_endpoint\_security\_group\_ids](#input\_acm\_pca\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list(string)` | `[]` | no | -| [acm\_pca\_endpoint\_subnet\_ids](#input\_acm\_pca\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [amazon\_side\_asn](#input\_amazon\_side\_asn) | The Autonomous System Number (ASN) for the Amazon side of the gateway. 
By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no | -| [apigw\_endpoint\_policy](#input\_apigw\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [apigw\_endpoint\_private\_dns\_enabled](#input\_apigw\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no | -| [apigw\_endpoint\_security\_group\_ids](#input\_apigw\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for API GW endpoint | `list(string)` | `[]` | no | -| [apigw\_endpoint\_subnet\_ids](#input\_apigw\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [appmesh\_envoy\_management\_endpoint\_private\_dns\_enabled](#input\_appmesh\_envoy\_management\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint | `bool` | `false` | no | -| [appmesh\_envoy\_management\_endpoint\_security\_group\_ids](#input\_appmesh\_envoy\_management\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for AppMesh endpoint | `list(string)` | `[]` | no | -| [appmesh\_envoy\_management\_endpoint\_subnet\_ids](#input\_appmesh\_envoy\_management\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [appstream\_api\_endpoint\_private\_dns\_enabled](#input\_appstream\_api\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for AppStream API endpoint | `bool` | `false` | no | -| [appstream\_api\_endpoint\_security\_group\_ids](#input\_appstream\_api\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for AppStream API endpoint | `list(string)` | `[]` | no | -| [appstream\_api\_endpoint\_subnet\_ids](#input\_appstream\_api\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for AppStream API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [appstream\_streaming\_endpoint\_private\_dns\_enabled](#input\_appstream\_streaming\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for AppStream Streaming endpoint | `bool` | `false` | no | -| [appstream\_streaming\_endpoint\_security\_group\_ids](#input\_appstream\_streaming\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for AppStream Streaming endpoint | `list(string)` | `[]` | no | -| [appstream\_streaming\_endpoint\_subnet\_ids](#input\_appstream\_streaming\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for AppStream Streaming endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [assign\_ipv6\_address\_on\_creation](#input\_assign\_ipv6\_address\_on\_creation) | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. 
This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no | -| [athena\_endpoint\_policy](#input\_athena\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [athena\_endpoint\_private\_dns\_enabled](#input\_athena\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | `bool` | `false` | no | -| [athena\_endpoint\_security\_group\_ids](#input\_athena\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Athena endpoint | `list(string)` | `[]` | no | -| [athena\_endpoint\_subnet\_ids](#input\_athena\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [auto\_scaling\_plans\_endpoint\_policy](#input\_auto\_scaling\_plans\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [auto\_scaling\_plans\_endpoint\_private\_dns\_enabled](#input\_auto\_scaling\_plans\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint | `bool` | `false` | no | -| [auto\_scaling\_plans\_endpoint\_security\_group\_ids](#input\_auto\_scaling\_plans\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint | `list(string)` | `[]` | no | -| [auto\_scaling\_plans\_endpoint\_subnet\_ids](#input\_auto\_scaling\_plans\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. 
Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | | [azs](#input\_azs) | A list of availability zones names or ids in the region | `list(string)` | `[]` | no | | [cidr](#input\_cidr) | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no | -| [cloud\_directory\_endpoint\_policy](#input\_cloud\_directory\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [cloud\_directory\_endpoint\_private\_dns\_enabled](#input\_cloud\_directory\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint | `bool` | `false` | no | -| [cloud\_directory\_endpoint\_security\_group\_ids](#input\_cloud\_directory\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint | `list(string)` | `[]` | no | -| [cloud\_directory\_endpoint\_subnet\_ids](#input\_cloud\_directory\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [cloudformation\_endpoint\_private\_dns\_enabled](#input\_cloudformation\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint | `bool` | `false` | no | -| [cloudformation\_endpoint\_security\_group\_ids](#input\_cloudformation\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Cloudformation endpoint | `list(string)` | `[]` | no | -| [cloudformation\_endpoint\_subnet\_ids](#input\_cloudformation\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Cloudformation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [cloudtrail\_endpoint\_private\_dns\_enabled](#input\_cloudtrail\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint | `bool` | `false` | no | -| [cloudtrail\_endpoint\_security\_group\_ids](#input\_cloudtrail\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CloudTrail endpoint | `list(string)` | `[]` | no | -| [cloudtrail\_endpoint\_subnet\_ids](#input\_cloudtrail\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [codeartifact\_api\_endpoint\_private\_dns\_enabled](#input\_codeartifact\_api\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Codeartifact API endpoint | `bool` | `false` | no | -| [codeartifact\_api\_endpoint\_security\_group\_ids](#input\_codeartifact\_api\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Codeartifact API endpoint | `list(string)` | `[]` | no | -| [codeartifact\_api\_endpoint\_subnet\_ids](#input\_codeartifact\_api\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Codeartifact API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [codeartifact\_repositories\_endpoint\_private\_dns\_enabled](#input\_codeartifact\_repositories\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Codeartifact repositories endpoint | `bool` | `false` | no | -| [codeartifact\_repositories\_endpoint\_security\_group\_ids](#input\_codeartifact\_repositories\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Codeartifact repositories endpoint | `list(string)` | `[]` | no | -| [codeartifact\_repositories\_endpoint\_subnet\_ids](#input\_codeartifact\_repositories\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Codeartifact repositories endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [codebuild\_endpoint\_policy](#input\_codebuild\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [codebuild\_endpoint\_private\_dns\_enabled](#input\_codebuild\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | `bool` | `false` | no | -| [codebuild\_endpoint\_security\_group\_ids](#input\_codebuild\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | `list(string)` | `[]` | no | -| [codebuild\_endpoint\_subnet\_ids](#input\_codebuild\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [codecommit\_endpoint\_policy](#input\_codecommit\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [codecommit\_endpoint\_private\_dns\_enabled](#input\_codecommit\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | `bool` | `false` | no | -| [codecommit\_endpoint\_security\_group\_ids](#input\_codecommit\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | `list(string)` | `[]` | no | -| [codecommit\_endpoint\_subnet\_ids](#input\_codecommit\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [codedeploy\_commands\_secure\_endpoint\_private\_dns\_enabled](#input\_codedeploy\_commands\_secure\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy Commands Secure endpoint | `bool` | `false` | no | -| [codedeploy\_commands\_secure\_endpoint\_security\_group\_ids](#input\_codedeploy\_commands\_secure\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CodeDeploy Commands Secure endpoint | `list(string)` | `[]` | no | -| [codedeploy\_commands\_secure\_endpoint\_subnet\_ids](#input\_codedeploy\_commands\_secure\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [codedeploy\_endpoint\_private\_dns\_enabled](#input\_codedeploy\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy endpoint | `bool` | `false` | no | -| [codedeploy\_endpoint\_security\_group\_ids](#input\_codedeploy\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CodeDeploy endpoint | `list(string)` | `[]` | no | -| [codedeploy\_endpoint\_subnet\_ids](#input\_codedeploy\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CodeDeploy endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [codepipeline\_endpoint\_private\_dns\_enabled](#input\_codepipeline\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint | `bool` | `false` | no | -| [codepipeline\_endpoint\_security\_group\_ids](#input\_codepipeline\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CodePipeline endpoint | `list(string)` | `[]` | no | -| [codepipeline\_endpoint\_subnet\_ids](#input\_codepipeline\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [config\_endpoint\_private\_dns\_enabled](#input\_config\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for config endpoint | `bool` | `false` | no | -| [config\_endpoint\_security\_group\_ids](#input\_config\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for config endpoint | `list(string)` | `[]` | no | -| [config\_endpoint\_subnet\_ids](#input\_config\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [create\_database\_internet\_gateway\_route](#input\_create\_database\_internet\_gateway\_route) | Controls if an internet gateway route for public database access should be created | `bool` | `false` | no | | [create\_database\_nat\_gateway\_route](#input\_create\_database\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the database subnets | `bool` | `false` | no | | [create\_database\_subnet\_group](#input\_create\_database\_subnet\_group) | Controls if database subnet group should be created (n.b. database\_subnets must also be set) | `bool` | `true` | no | @@ -565,9 +321,6 @@ No modules. | [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no | | [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no | | [database\_subnets](#input\_database\_subnets) | A list of database subnets | `list(string)` | `[]` | no | -| [datasync\_endpoint\_private\_dns\_enabled](#input\_datasync\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Data Sync endpoint | `bool` | `false` | no | -| [datasync\_endpoint\_security\_group\_ids](#input\_datasync\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Data Sync endpoint | `list(string)` | `[]` | no | -| [datasync\_endpoint\_subnet\_ids](#input\_datasync\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Data Sync endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | | [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | | [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` |
[
{
"action": "allow",
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_no": 100,
"to_port": 0
},
{
"action": "allow",
"from_port": 0,
"ipv6_cidr_block": "::/0",
"protocol": "-1",
"rule_no": 101,
"to_port": 0
}
]
| no | | [default\_network\_acl\_name](#input\_default\_network\_acl\_name) | Name to be used on the Default Network ACL | `string` | `""` | no | 
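Review bot: the inputs deleted across the hunks above (every `*_endpoint_policy`, `*_endpoint_private_dns_enabled`, `*_endpoint_security_group_ids` and `*_endpoint_subnet_ids` variable, the `datasync_endpoint_*` trio in this hunk, plus the `aws_vpc_endpoint_service` data sources) vanish from the README with no replacement text telling a reader where they went; this README should gain a short pointer to the new VPC endpoints sub-module and to UPGRADE-3.0.md, and that pointer should single out the `*_endpoint_policy` inputs, because each of them is documented as `Defaults to full access` when left at `null`, so anyone who had been passing a restrictive endpoint policy and re-creates the endpoint through the sub-module without re-supplying it silently drops back to the full-access default. The same applies to the `*_endpoint_security_group_ids` inputs: the migration note should state what the sub-module does for an interface endpoint when no security group is given, since that behaviour is not visible in this diff.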
@@ -590,52 +343,6 @@ No modules. | [dhcp\_options\_netbios\_node\_type](#input\_dhcp\_options\_netbios\_node\_type) | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no | | [dhcp\_options\_ntp\_servers](#input\_dhcp\_options\_ntp\_servers) | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no | | [dhcp\_options\_tags](#input\_dhcp\_options\_tags) | Additional tags for the DHCP option set (requires enable\_dhcp\_options set to true) | `map(string)` | `{}` | no | -| [dms\_endpoint\_private\_dns\_enabled](#input\_dms\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint | `bool` | `false` | no | -| [dms\_endpoint\_security\_group\_ids](#input\_dms\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for DMS endpoint | `list(string)` | `[]` | no | -| [dms\_endpoint\_subnet\_ids](#input\_dms\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [dynamodb\_endpoint\_policy](#input\_dynamodb\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [dynamodb\_endpoint\_private\_dns\_enabled](#input\_dynamodb\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint | `bool` | `false` | no | -| [dynamodb\_endpoint\_security\_group\_ids](#input\_dynamodb\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint | `list(string)` | `[]` | no | -| [dynamodb\_endpoint\_subnet\_ids](#input\_dynamodb\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [dynamodb\_endpoint\_type](#input\_dynamodb\_endpoint\_type) | DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available | `string` | `"Gateway"` | no | -| [ebs\_endpoint\_private\_dns\_enabled](#input\_ebs\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no | -| [ebs\_endpoint\_security\_group\_ids](#input\_ebs\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no | -| [ebs\_endpoint\_subnet\_ids](#input\_ebs\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ec2\_autoscaling\_endpoint\_policy](#input\_ec2\_autoscaling\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [ec2\_autoscaling\_endpoint\_private\_dns\_enabled](#input\_ec2\_autoscaling\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint | `bool` | `false` | no | -| [ec2\_autoscaling\_endpoint\_security\_group\_ids](#input\_ec2\_autoscaling\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EC2 Autoscaling endpoint | `list(string)` | `[]` | no | -| [ec2\_autoscaling\_endpoint\_subnet\_ids](#input\_ec2\_autoscaling\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EC2 Autoscaling endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ec2\_endpoint\_policy](#input\_ec2\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [ec2\_endpoint\_private\_dns\_enabled](#input\_ec2\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | `bool` | `false` | no | -| [ec2\_endpoint\_security\_group\_ids](#input\_ec2\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EC2 endpoint | `list(string)` | `[]` | no | -| [ec2\_endpoint\_subnet\_ids](#input\_ec2\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [ec2messages\_endpoint\_private\_dns\_enabled](#input\_ec2messages\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | `bool` | `false` | no | -| [ec2messages\_endpoint\_security\_group\_ids](#input\_ec2messages\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | `list(string)` | `[]` | no | -| [ec2messages\_endpoint\_subnet\_ids](#input\_ec2messages\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ecr\_api\_endpoint\_policy](#input\_ecr\_api\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [ecr\_api\_endpoint\_private\_dns\_enabled](#input\_ecr\_api\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | `bool` | `false` | no | -| [ecr\_api\_endpoint\_security\_group\_ids](#input\_ecr\_api\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ECR API endpoint | `list(string)` | `[]` | no | -| [ecr\_api\_endpoint\_subnet\_ids](#input\_ecr\_api\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ecr\_dkr\_endpoint\_policy](#input\_ecr\_dkr\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [ecr\_dkr\_endpoint\_private\_dns\_enabled](#input\_ecr\_dkr\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | `bool` | `false` | no | -| [ecr\_dkr\_endpoint\_security\_group\_ids](#input\_ecr\_dkr\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | `list(string)` | `[]` | no | -| [ecr\_dkr\_endpoint\_subnet\_ids](#input\_ecr\_dkr\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ecs\_agent\_endpoint\_private\_dns\_enabled](#input\_ecs\_agent\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint | `bool` | `false` | no | -| [ecs\_agent\_endpoint\_security\_group\_ids](#input\_ecs\_agent\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ECS Agent endpoint | `list(string)` | `[]` | no | -| [ecs\_agent\_endpoint\_subnet\_ids](#input\_ecs\_agent\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [ecs\_endpoint\_private\_dns\_enabled](#input\_ecs\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint | `bool` | `false` | no | -| [ecs\_endpoint\_security\_group\_ids](#input\_ecs\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ECS endpoint | `list(string)` | `[]` | no | -| [ecs\_endpoint\_subnet\_ids](#input\_ecs\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ECS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ecs\_telemetry\_endpoint\_private\_dns\_enabled](#input\_ecs\_telemetry\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | `bool` | `false` | no | -| [ecs\_telemetry\_endpoint\_security\_group\_ids](#input\_ecs\_telemetry\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | `list(string)` | `[]` | no | -| [ecs\_telemetry\_endpoint\_subnet\_ids](#input\_ecs\_telemetry\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [efs\_endpoint\_policy](#input\_efs\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [efs\_endpoint\_private\_dns\_enabled](#input\_efs\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint | `bool` | `false` | no | -| [efs\_endpoint\_security\_group\_ids](#input\_efs\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EFS endpoint | `list(string)` | `[]` | no | -| [efs\_endpoint\_subnet\_ids](#input\_efs\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [elastic\_inference\_runtime\_endpoint\_private\_dns\_enabled](#input\_elastic\_inference\_runtime\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Elastic Inference Runtime endpoint | `bool` | `false` | no | -| [elastic\_inference\_runtime\_endpoint\_security\_group\_ids](#input\_elastic\_inference\_runtime\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Elastic Inference Runtime endpoint | `list(string)` | `[]` | no | -| [elastic\_inference\_runtime\_endpoint\_subnet\_ids](#input\_elastic\_inference\_runtime\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [elasticache\_acl\_tags](#input\_elasticache\_acl\_tags) | Additional tags for the elasticache subnets network ACL | `map(string)` | `{}` | no | | [elasticache\_dedicated\_network\_acl](#input\_elasticache\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | `bool` | `false` | no | | [elasticache\_inbound\_acl\_rules](#input\_elasticache\_inbound\_acl\_rules) | Elasticache subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | 
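Review bot: the `*_endpoint_policy` rows removed in this hunk (`ecr_api_endpoint_policy`, `ecr_dkr_endpoint_policy`, `efs_endpoint_policy`) document `null` as "Defaults to full access", so a user who had narrowed an endpoint policy through one of these inputs loses that restriction silently on upgrade unless the upgrade documentation says where the policy now belongs; add a line to the upgrade notes listing the removed `*_endpoint_policy` inputs and their replacement. While this README is being regenerated, note that the unchanged `elasticache_inbound_acl_rules` default at the end of the hunk is still the permissive `"cidr_block": "0.0.0.0/0"`, `"protocol": "-1"` allow rule; that is pre-existing rather than introduced here, but it is worth a follow-up.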
@@ -646,104 +353,16 @@ No modules. | [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no | | [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no | | [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets | `list(string)` | `[]` | no | -| [elasticbeanstalk\_endpoint\_policy](#input\_elasticbeanstalk\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [elasticbeanstalk\_endpoint\_private\_dns\_enabled](#input\_elasticbeanstalk\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint | `bool` | `false` | no | -| [elasticbeanstalk\_endpoint\_security\_group\_ids](#input\_elasticbeanstalk\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint | `list(string)` | `[]` | no | -| [elasticbeanstalk\_endpoint\_subnet\_ids](#input\_elasticbeanstalk\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [elasticbeanstalk\_health\_endpoint\_private\_dns\_enabled](#input\_elasticbeanstalk\_health\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint | `bool` | `false` | no | -| [elasticbeanstalk\_health\_endpoint\_security\_group\_ids](#input\_elasticbeanstalk\_health\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint | `list(string)` | `[]` | no | -| [elasticbeanstalk\_health\_endpoint\_subnet\_ids](#input\_elasticbeanstalk\_health\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [elasticloadbalancing\_endpoint\_policy](#input\_elasticloadbalancing\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [elasticloadbalancing\_endpoint\_private\_dns\_enabled](#input\_elasticloadbalancing\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | `bool` | `false` | no | -| [elasticloadbalancing\_endpoint\_security\_group\_ids](#input\_elasticloadbalancing\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | `list(string)` | `[]` | no | -| [elasticloadbalancing\_endpoint\_subnet\_ids](#input\_elasticloadbalancing\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [emr\_endpoint\_policy](#input\_emr\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [emr\_endpoint\_private\_dns\_enabled](#input\_emr\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint | `bool` | `false` | no | -| [emr\_endpoint\_security\_group\_ids](#input\_emr\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for EMR endpoint | `list(string)` | `[]` | no | -| [emr\_endpoint\_subnet\_ids](#input\_emr\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [enable\_access\_analyzer\_endpoint](#input\_enable\_access\_analyzer\_endpoint) | Should be true if you want to provision an Access Analyzer endpoint to the VPC | `bool` | `false` | no | -| [enable\_acm\_pca\_endpoint](#input\_enable\_acm\_pca\_endpoint) | Should be true if you want to provision an ACM PCA endpoint to the VPC | `bool` | `false` | no | -| [enable\_apigw\_endpoint](#input\_enable\_apigw\_endpoint) | Should be true if you want to provision an api gateway endpoint to the VPC | `bool` | `false` | no | -| [enable\_appmesh\_envoy\_management\_endpoint](#input\_enable\_appmesh\_envoy\_management\_endpoint) | Should be true if you want to provision a AppMesh endpoint to the VPC | `bool` | `false` | no | -| [enable\_appstream\_api\_endpoint](#input\_enable\_appstream\_api\_endpoint) | Should be true if you want to provision a AppStream API endpoint to the VPC | `bool` | `false` | no | -| [enable\_appstream\_streaming\_endpoint](#input\_enable\_appstream\_streaming\_endpoint) | Should be true if you want to provision a AppStream Streaming endpoint to the VPC | 
`bool` | `false` | no | -| [enable\_athena\_endpoint](#input\_enable\_athena\_endpoint) | Should be true if you want to provision a Athena endpoint to the VPC | `bool` | `false` | no | -| [enable\_auto\_scaling\_plans\_endpoint](#input\_enable\_auto\_scaling\_plans\_endpoint) | Should be true if you want to provision an Auto Scaling Plans endpoint to the VPC | `bool` | `false` | no | | [enable\_classiclink](#input\_enable\_classiclink) | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no | | [enable\_classiclink\_dns\_support](#input\_enable\_classiclink\_dns\_support) | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no | -| [enable\_cloud\_directory\_endpoint](#input\_enable\_cloud\_directory\_endpoint) | Should be true if you want to provision an Cloud Directory endpoint to the VPC | `bool` | `false` | no | -| [enable\_cloudformation\_endpoint](#input\_enable\_cloudformation\_endpoint) | Should be true if you want to provision a Cloudformation endpoint to the VPC | `bool` | `false` | no | -| [enable\_cloudtrail\_endpoint](#input\_enable\_cloudtrail\_endpoint) | Should be true if you want to provision a CloudTrail endpoint to the VPC | `bool` | `false` | no | -| [enable\_codeartifact\_api\_endpoint](#input\_enable\_codeartifact\_api\_endpoint) | Should be true if you want to provision an Codeartifact API endpoint to the VPC | `bool` | `false` | no | -| [enable\_codeartifact\_repositories\_endpoint](#input\_enable\_codeartifact\_repositories\_endpoint) | Should be true if you want to provision an Codeartifact repositories endpoint to the VPC | `bool` | `false` | no | -| [enable\_codebuild\_endpoint](#input\_enable\_codebuild\_endpoint) | Should be true if you want to provision an Codebuild endpoint to the VPC | `bool` | `false` | no | -| 
[enable\_codecommit\_endpoint](#input\_enable\_codecommit\_endpoint) | Should be true if you want to provision an Codecommit endpoint to the VPC | `bool` | `false` | no | -| [enable\_codedeploy\_commands\_secure\_endpoint](#input\_enable\_codedeploy\_commands\_secure\_endpoint) | Should be true if you want to provision an CodeDeploy Commands Secure endpoint to the VPC | `bool` | `false` | no | -| [enable\_codedeploy\_endpoint](#input\_enable\_codedeploy\_endpoint) | Should be true if you want to provision an CodeDeploy endpoint to the VPC | `bool` | `false` | no | -| [enable\_codepipeline\_endpoint](#input\_enable\_codepipeline\_endpoint) | Should be true if you want to provision a CodePipeline endpoint to the VPC | `bool` | `false` | no | -| [enable\_config\_endpoint](#input\_enable\_config\_endpoint) | Should be true if you want to provision an config endpoint to the VPC | `bool` | `false` | no | -| [enable\_datasync\_endpoint](#input\_enable\_datasync\_endpoint) | Should be true if you want to provision an Data Sync endpoint to the VPC | `bool` | `false` | no | | [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no | -| [enable\_dms\_endpoint](#input\_enable\_dms\_endpoint) | Should be true if you want to provision a DMS endpoint to the VPC | `bool` | `false` | no | | [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `false` | no | | [enable\_dns\_support](#input\_enable\_dns\_support) | Should be true to enable DNS support in the VPC | `bool` | `true` | no | -| [enable\_dynamodb\_endpoint](#input\_enable\_dynamodb\_endpoint) | Should be true if you want to provision a DynamoDB endpoint to the VPC | `bool` | `false` | no | -| [enable\_ebs\_endpoint](#input\_enable\_ebs\_endpoint) | Should be true if you want to 
provision an EBS endpoint to the VPC | `bool` | `false` | no | -| [enable\_ec2\_autoscaling\_endpoint](#input\_enable\_ec2\_autoscaling\_endpoint) | Should be true if you want to provision an EC2 Autoscaling endpoint to the VPC | `bool` | `false` | no | -| [enable\_ec2\_endpoint](#input\_enable\_ec2\_endpoint) | Should be true if you want to provision an EC2 endpoint to the VPC | `bool` | `false` | no | -| [enable\_ec2messages\_endpoint](#input\_enable\_ec2messages\_endpoint) | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | `bool` | `false` | no | -| [enable\_ecr\_api\_endpoint](#input\_enable\_ecr\_api\_endpoint) | Should be true if you want to provision an ecr api endpoint to the VPC | `bool` | `false` | no | -| [enable\_ecr\_dkr\_endpoint](#input\_enable\_ecr\_dkr\_endpoint) | Should be true if you want to provision an ecr dkr endpoint to the VPC | `bool` | `false` | no | -| [enable\_ecs\_agent\_endpoint](#input\_enable\_ecs\_agent\_endpoint) | Should be true if you want to provision a ECS Agent endpoint to the VPC | `bool` | `false` | no | -| [enable\_ecs\_endpoint](#input\_enable\_ecs\_endpoint) | Should be true if you want to provision a ECS endpoint to the VPC | `bool` | `false` | no | -| [enable\_ecs\_telemetry\_endpoint](#input\_enable\_ecs\_telemetry\_endpoint) | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | `bool` | `false` | no | -| [enable\_efs\_endpoint](#input\_enable\_efs\_endpoint) | Should be true if you want to provision an EFS endpoint to the VPC | `bool` | `false` | no | -| [enable\_elastic\_inference\_runtime\_endpoint](#input\_enable\_elastic\_inference\_runtime\_endpoint) | Should be true if you want to provision an Elastic Inference Runtime endpoint to the VPC | `bool` | `false` | no | -| [enable\_elasticbeanstalk\_endpoint](#input\_enable\_elasticbeanstalk\_endpoint) | Should be true if you want to provision a Elastic Beanstalk endpoint to the VPC | `bool` | `false` | no | -| 
[enable\_elasticbeanstalk\_health\_endpoint](#input\_enable\_elasticbeanstalk\_health\_endpoint) | Should be true if you want to provision a Elastic Beanstalk Health endpoint to the VPC | `bool` | `false` | no | -| [enable\_elasticloadbalancing\_endpoint](#input\_enable\_elasticloadbalancing\_endpoint) | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | `bool` | `false` | no | -| [enable\_emr\_endpoint](#input\_enable\_emr\_endpoint) | Should be true if you want to provision an EMR endpoint to the VPC | `bool` | `false` | no | -| [enable\_events\_endpoint](#input\_enable\_events\_endpoint) | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | `bool` | `false` | no | | [enable\_flow\_log](#input\_enable\_flow\_log) | Whether or not to enable VPC Flow Logs | `bool` | `false` | no | -| [enable\_git\_codecommit\_endpoint](#input\_enable\_git\_codecommit\_endpoint) | Should be true if you want to provision an Git Codecommit endpoint to the VPC | `bool` | `false` | no | -| [enable\_glue\_endpoint](#input\_enable\_glue\_endpoint) | Should be true if you want to provision a Glue endpoint to the VPC | `bool` | `false` | no | | [enable\_ipv6](#input\_enable\_ipv6) | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. 
| `bool` | `false` | no | -| [enable\_kinesis\_firehose\_endpoint](#input\_enable\_kinesis\_firehose\_endpoint) | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | `bool` | `false` | no | -| [enable\_kinesis\_streams\_endpoint](#input\_enable\_kinesis\_streams\_endpoint) | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | `bool` | `false` | no | -| [enable\_kms\_endpoint](#input\_enable\_kms\_endpoint) | Should be true if you want to provision a KMS endpoint to the VPC | `bool` | `false` | no | -| [enable\_lambda\_endpoint](#input\_enable\_lambda\_endpoint) | Should be true if you want to provision a Lambda endpoint to the VPC | `bool` | `false` | no | -| [enable\_logs\_endpoint](#input\_enable\_logs\_endpoint) | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | `bool` | `false` | no | -| [enable\_monitoring\_endpoint](#input\_enable\_monitoring\_endpoint) | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | `bool` | `false` | no | | [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | | [enable\_public\_redshift](#input\_enable\_public\_redshift) | Controls if redshift should have public routing table | `bool` | `false` | no | -| [enable\_public\_s3\_endpoint](#input\_enable\_public\_s3\_endpoint) | Whether to enable S3 VPC Endpoint for public subnets | `bool` | `true` | no | -| [enable\_qldb\_session\_endpoint](#input\_enable\_qldb\_session\_endpoint) | Should be true if you want to provision an QLDB Session endpoint to the VPC | `bool` | `false` | no | -| [enable\_rds\_endpoint](#input\_enable\_rds\_endpoint) | Should be true if you want to provision an RDS endpoint to the VPC | `bool` | `false` | no | -| [enable\_rekognition\_endpoint](#input\_enable\_rekognition\_endpoint) | Should be true if you want to provision a 
Rekognition endpoint to the VPC | `bool` | `false` | no | -| [enable\_s3\_endpoint](#input\_enable\_s3\_endpoint) | Should be true if you want to provision an S3 endpoint to the VPC | `bool` | `false` | no | -| [enable\_sagemaker\_api\_endpoint](#input\_enable\_sagemaker\_api\_endpoint) | Should be true if you want to provision a SageMaker API endpoint to the VPC | `bool` | `false` | no | -| [enable\_sagemaker\_notebook\_endpoint](#input\_enable\_sagemaker\_notebook\_endpoint) | Should be true if you want to provision a Sagemaker Notebook endpoint to the VPC | `bool` | `false` | no | -| [enable\_sagemaker\_runtime\_endpoint](#input\_enable\_sagemaker\_runtime\_endpoint) | Should be true if you want to provision a SageMaker Runtime endpoint to the VPC | `bool` | `false` | no | -| [enable\_secretsmanager\_endpoint](#input\_enable\_secretsmanager\_endpoint) | Should be true if you want to provision an Secrets Manager endpoint to the VPC | `bool` | `false` | no | -| [enable\_servicecatalog\_endpoint](#input\_enable\_servicecatalog\_endpoint) | Should be true if you want to provision a Service Catalog endpoint to the VPC | `bool` | `false` | no | -| [enable\_ses\_endpoint](#input\_enable\_ses\_endpoint) | Should be true if you want to provision an SES endpoint to the VPC | `bool` | `false` | no | -| [enable\_sms\_endpoint](#input\_enable\_sms\_endpoint) | Should be true if you want to provision an SMS endpoint to the VPC | `bool` | `false` | no | -| [enable\_sns\_endpoint](#input\_enable\_sns\_endpoint) | Should be true if you want to provision a SNS endpoint to the VPC | `bool` | `false` | no | -| [enable\_sqs\_endpoint](#input\_enable\_sqs\_endpoint) | Should be true if you want to provision an SQS endpoint to the VPC | `bool` | `false` | no | -| [enable\_ssm\_endpoint](#input\_enable\_ssm\_endpoint) | Should be true if you want to provision an SSM endpoint to the VPC | `bool` | `false` | no | -| [enable\_ssmmessages\_endpoint](#input\_enable\_ssmmessages\_endpoint) | 
Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | `bool` | `false` | no | -| [enable\_states\_endpoint](#input\_enable\_states\_endpoint) | Should be true if you want to provision a Step Function endpoint to the VPC | `bool` | `false` | no | -| [enable\_storagegateway\_endpoint](#input\_enable\_storagegateway\_endpoint) | Should be true if you want to provision a Storage Gateway endpoint to the VPC | `bool` | `false` | no | -| [enable\_sts\_endpoint](#input\_enable\_sts\_endpoint) | Should be true if you want to provision a STS endpoint to the VPC | `bool` | `false` | no | -| [enable\_textract\_endpoint](#input\_enable\_textract\_endpoint) | Should be true if you want to provision an Textract endpoint to the VPC | `bool` | `false` | no | -| [enable\_transfer\_endpoint](#input\_enable\_transfer\_endpoint) | Should be true if you want to provision a Transfer endpoint to the VPC | `bool` | `false` | no | -| [enable\_transferserver\_endpoint](#input\_enable\_transferserver\_endpoint) | Should be true if you want to provision a Transfer Server endpoint to the VPC | `bool` | `false` | no | | [enable\_vpn\_gateway](#input\_enable\_vpn\_gateway) | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no | -| [enable\_workspaces\_endpoint](#input\_enable\_workspaces\_endpoint) | Should be true if you want to provision an Workspaces endpoint to the VPC | `bool` | `false` | no | -| [events\_endpoint\_policy](#input\_events\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [events\_endpoint\_private\_dns\_enabled](#input\_events\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | `bool` | `false` | no | -| [events\_endpoint\_security\_group\_ids](#input\_events\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | `list(string)` | `[]` | no | -| [events\_endpoint\_subnet\_ids](#input\_events\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [external\_nat\_ip\_ids](#input\_external\_nat\_ip\_ids) | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse\_nat\_ips) | `list(string)` | `[]` | no | | [external\_nat\_ips](#input\_external\_nat\_ips) | List of EIPs to be used for `nat_public_ips` output (used in combination with reuse\_nat\_ips and external\_nat\_ip\_ids) | `list(string)` | `[]` | no | | [flow\_log\_cloudwatch\_iam\_role\_arn](#input\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group. When flow\_log\_destination\_arn is set to ARN of Cloudwatch Logs, this argument needs to be provided. | `string` | `""` | no | 
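Review bot: `enable_public_s3_endpoint` ("Whether to enable S3 VPC Endpoint for public subnets", default `true`) is removed in this hunk together with the `enable_*_endpoint` flags, but it is the only one whose default was on, so existing users who never set it will get a plan that drops the S3 endpoint association from their public route tables unless they reproduce it in the new location. The upgrade notes should call this flag out by name and show the equivalent configuration rather than leaving the routing change to be discovered from the plan output.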
@@ -755,12 +374,6 @@ No modules. | [flow\_log\_log\_format](#input\_flow\_log\_log\_format) | The fields to include in the flow log record, in the order in which they should appear. | `string` | `null` | no | | [flow\_log\_max\_aggregation\_interval](#input\_flow\_log\_max\_aggregation\_interval) | The maximum interval of time during which a flow of packets is captured and aggregated into a flow log record. Valid Values: `60` seconds or `600` seconds. | `number` | `600` | no | | [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL. | `string` | `"ALL"` | no | -| [git\_codecommit\_endpoint\_private\_dns\_enabled](#input\_git\_codecommit\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint | `bool` | `false` | no | -| [git\_codecommit\_endpoint\_security\_group\_ids](#input\_git\_codecommit\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint | `list(string)` | `[]` | no | -| [git\_codecommit\_endpoint\_subnet\_ids](#input\_git\_codecommit\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [glue\_endpoint\_private\_dns\_enabled](#input\_glue\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint | `bool` | `false` | no | -| [glue\_endpoint\_security\_group\_ids](#input\_glue\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Glue endpoint | `list(string)` | `[]` | no | -| [glue\_endpoint\_subnet\_ids](#input\_glue\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no | | [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no | | [intra\_acl\_tags](#input\_intra\_acl\_tags) | Additional tags for the intra subnets network ACL | `map(string)` | `{}` | no | 
@@ -773,34 +386,11 @@ No modules. | [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no | | [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no | | [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets | `list(string)` | `[]` | no | -| [kinesis\_firehose\_endpoint\_policy](#input\_kinesis\_firehose\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [kinesis\_firehose\_endpoint\_private\_dns\_enabled](#input\_kinesis\_firehose\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | `bool` | `false` | no | -| [kinesis\_firehose\_endpoint\_security\_group\_ids](#input\_kinesis\_firehose\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | `list(string)` | `[]` | no | -| [kinesis\_firehose\_endpoint\_subnet\_ids](#input\_kinesis\_firehose\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [kinesis\_streams\_endpoint\_policy](#input\_kinesis\_streams\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [kinesis\_streams\_endpoint\_private\_dns\_enabled](#input\_kinesis\_streams\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | `bool` | `false` | no | -| [kinesis\_streams\_endpoint\_security\_group\_ids](#input\_kinesis\_streams\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | `list(string)` | `[]` | no | -| [kinesis\_streams\_endpoint\_subnet\_ids](#input\_kinesis\_streams\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [kms\_endpoint\_policy](#input\_kms\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [kms\_endpoint\_private\_dns\_enabled](#input\_kms\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | `bool` | `false` | no | -| [kms\_endpoint\_security\_group\_ids](#input\_kms\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for KMS endpoint | `list(string)` | `[]` | no | -| [kms\_endpoint\_subnet\_ids](#input\_kms\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [lambda\_endpoint\_private\_dns\_enabled](#input\_lambda\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint | `bool` | `false` | no | -| [lambda\_endpoint\_security\_group\_ids](#input\_lambda\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Lambda endpoint | `list(string)` | `[]` | no | -| [lambda\_endpoint\_subnet\_ids](#input\_lambda\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [logs\_endpoint\_policy](#input\_logs\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [logs\_endpoint\_private\_dns\_enabled](#input\_logs\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | `bool` | `false` | no | -| [logs\_endpoint\_security\_group\_ids](#input\_logs\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | `list(string)` | `[]` | no | -| [logs\_endpoint\_subnet\_ids](#input\_logs\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [manage\_default\_network\_acl](#input\_manage\_default\_network\_acl) | Should be true to adopt and manage Default Network ACL | `bool` | `false` | no | | [manage\_default\_route\_table](#input\_manage\_default\_route\_table) | Should be true to manage default route table | `bool` | `false` | no | | [manage\_default\_security\_group](#input\_manage\_default\_security\_group) | Should be true to adopt and manage default security group | `bool` | `false` | no | | [manage\_default\_vpc](#input\_manage\_default\_vpc) | Should be true to adopt and manage Default VPC | `bool` | `false` | no | | [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no | -| [monitoring\_endpoint\_policy](#input\_monitoring\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [monitoring\_endpoint\_private\_dns\_enabled](#input\_monitoring\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | `bool` | `false` | no | -| [monitoring\_endpoint\_security\_group\_ids](#input\_monitoring\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | `list(string)` | `[]` | no | -| [monitoring\_endpoint\_subnet\_ids](#input\_monitoring\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [name](#input\_name) | Name to be used on all the resources as identifier | `string` | `""` | no | | [nat\_eip\_tags](#input\_nat\_eip\_tags) | Additional tags for the NAT EIP | `map(string)` | `{}` | no | | [nat\_gateway\_tags](#input\_nat\_gateway\_tags) | Additional tags for the NAT gateways | `map(string)` | `{}` | no | 
@@ -839,12 +429,6 @@ No modules. | [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no | | [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no | | [public\_subnets](#input\_public\_subnets) | A list of public subnets inside the VPC | `list(string)` | `[]` | no | -| [qldb\_session\_endpoint\_private\_dns\_enabled](#input\_qldb\_session\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint | `bool` | `false` | no | -| [qldb\_session\_endpoint\_security\_group\_ids](#input\_qldb\_session\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for QLDB Session endpoint | `list(string)` | `[]` | no | -| [qldb\_session\_endpoint\_subnet\_ids](#input\_qldb\_session\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [rds\_endpoint\_private\_dns\_enabled](#input\_rds\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint | `bool` | `false` | no | -| [rds\_endpoint\_security\_group\_ids](#input\_rds\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for RDS endpoint | `list(string)` | `[]` | no | -| [rds\_endpoint\_subnet\_ids](#input\_rds\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [redshift\_acl\_tags](#input\_redshift\_acl\_tags) | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no | | [redshift\_dedicated\_network\_acl](#input\_redshift\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | `bool` | `false` | no | | [redshift\_inbound\_acl\_rules](#input\_redshift\_inbound\_acl\_rules) | Redshift subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | 
@@ -856,90 +440,16 @@ No modules. | [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no | | [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no | | [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets | `list(string)` | `[]` | no | -| [rekognition\_endpoint\_policy](#input\_rekognition\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [rekognition\_endpoint\_private\_dns\_enabled](#input\_rekognition\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint | `bool` | `false` | no | -| [rekognition\_endpoint\_security\_group\_ids](#input\_rekognition\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | `list(string)` | `[]` | no | -| [rekognition\_endpoint\_subnet\_ids](#input\_rekognition\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no | -| [s3\_endpoint\_policy](#input\_s3\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [s3\_endpoint\_private\_dns\_enabled](#input\_s3\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint | `bool` | `false` | no | -| [s3\_endpoint\_security\_group\_ids](#input\_s3\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for S3 interface endpoint | `list(string)` | `[]` | no | -| [s3\_endpoint\_subnet\_ids](#input\_s3\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [s3\_endpoint\_type](#input\_s3\_endpoint\_type) | S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later | `string` | `"Gateway"` | no | -| [sagemaker\_api\_endpoint\_policy](#input\_sagemaker\_api\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [sagemaker\_api\_endpoint\_private\_dns\_enabled](#input\_sagemaker\_api\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | `bool` | `false` | no | -| [sagemaker\_api\_endpoint\_security\_group\_ids](#input\_sagemaker\_api\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | `list(string)` | `[]` | no | -| [sagemaker\_api\_endpoint\_subnet\_ids](#input\_sagemaker\_api\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [sagemaker\_notebook\_endpoint\_policy](#input\_sagemaker\_notebook\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [sagemaker\_notebook\_endpoint\_private\_dns\_enabled](#input\_sagemaker\_notebook\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint | `bool` | `false` | no | -| [sagemaker\_notebook\_endpoint\_region](#input\_sagemaker\_notebook\_endpoint\_region) | Region to use for Sagemaker Notebook endpoint | `string` | `""` | no | -| [sagemaker\_notebook\_endpoint\_security\_group\_ids](#input\_sagemaker\_notebook\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Sagemaker Notebook endpoint | `list(string)` | `[]` | no | -| [sagemaker\_notebook\_endpoint\_subnet\_ids](#input\_sagemaker\_notebook\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Sagemaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [sagemaker\_runtime\_endpoint\_policy](#input\_sagemaker\_runtime\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [sagemaker\_runtime\_endpoint\_private\_dns\_enabled](#input\_sagemaker\_runtime\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint | `bool` | `false` | no | -| [sagemaker\_runtime\_endpoint\_security\_group\_ids](#input\_sagemaker\_runtime\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint | `list(string)` | `[]` | no | -| [sagemaker\_runtime\_endpoint\_subnet\_ids](#input\_sagemaker\_runtime\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no | -| [secretsmanager\_endpoint\_policy](#input\_secretsmanager\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [secretsmanager\_endpoint\_private\_dns\_enabled](#input\_secretsmanager\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | `bool` | `false` | no | -| [secretsmanager\_endpoint\_security\_group\_ids](#input\_secretsmanager\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | `list(string)` | `[]` | no | -| [secretsmanager\_endpoint\_subnet\_ids](#input\_secretsmanager\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. 
If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [servicecatalog\_endpoint\_private\_dns\_enabled](#input\_servicecatalog\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint | `bool` | `false` | no | -| [servicecatalog\_endpoint\_security\_group\_ids](#input\_servicecatalog\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Service Catalog endpoint | `list(string)` | `[]` | no | -| [servicecatalog\_endpoint\_subnet\_ids](#input\_servicecatalog\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ses\_endpoint\_private\_dns\_enabled](#input\_ses\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SES endpoint | `bool` | `false` | no | -| [ses\_endpoint\_security\_group\_ids](#input\_ses\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SES endpoint | `list(string)` | `[]` | no | -| [ses\_endpoint\_subnet\_ids](#input\_ses\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no | -| [sms\_endpoint\_private\_dns\_enabled](#input\_sms\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint | `bool` | `false` | no | -| [sms\_endpoint\_security\_group\_ids](#input\_sms\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SMS endpoint | `list(string)` | `[]` | no | -| [sms\_endpoint\_subnet\_ids](#input\_sms\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | -| [sns\_endpoint\_policy](#input\_sns\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [sns\_endpoint\_private\_dns\_enabled](#input\_sns\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | `bool` | `false` | no | -| [sns\_endpoint\_security\_group\_ids](#input\_sns\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SNS endpoint | `list(string)` | `[]` | no | -| [sns\_endpoint\_subnet\_ids](#input\_sns\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [sqs\_endpoint\_policy](#input\_sqs\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [sqs\_endpoint\_private\_dns\_enabled](#input\_sqs\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | `bool` | `false` | no | -| [sqs\_endpoint\_security\_group\_ids](#input\_sqs\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SQS endpoint | `list(string)` | `[]` | no | -| [sqs\_endpoint\_subnet\_ids](#input\_sqs\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [ssm\_endpoint\_private\_dns\_enabled](#input\_ssm\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | `bool` | `false` | no | -| [ssm\_endpoint\_security\_group\_ids](#input\_ssm\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SSM endpoint | `list(string)` | `[]` | no | -| [ssm\_endpoint\_subnet\_ids](#input\_ssm\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [ssmmessages\_endpoint\_private\_dns\_enabled](#input\_ssmmessages\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | `bool` | `false` | no | -| [ssmmessages\_endpoint\_security\_group\_ids](#input\_ssmmessages\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | `list(string)` | `[]` | no | -| [ssmmessages\_endpoint\_subnet\_ids](#input\_ssmmessages\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [states\_endpoint\_policy](#input\_states\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [states\_endpoint\_private\_dns\_enabled](#input\_states\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint | `bool` | `false` | no | -| [states\_endpoint\_security\_group\_ids](#input\_states\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Step Function endpoint | `list(string)` | `[]` | no | -| [states\_endpoint\_subnet\_ids](#input\_states\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [storagegateway\_endpoint\_private\_dns\_enabled](#input\_storagegateway\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint | `bool` | `false` | no | -| [storagegateway\_endpoint\_security\_group\_ids](#input\_storagegateway\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint | `list(string)` | `[]` | no | -| [storagegateway\_endpoint\_subnet\_ids](#input\_storagegateway\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [sts\_endpoint\_policy](#input\_sts\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no | -| [sts\_endpoint\_private\_dns\_enabled](#input\_sts\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for STS endpoint | `bool` | `false` | no | -| [sts\_endpoint\_security\_group\_ids](#input\_sts\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for STS endpoint | `list(string)` | `[]` | no | -| [sts\_endpoint\_subnet\_ids](#input\_sts\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | -| [textract\_endpoint\_private\_dns\_enabled](#input\_textract\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Textract endpoint | `bool` | `false` | no | -| [textract\_endpoint\_security\_group\_ids](#input\_textract\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Textract endpoint | `list(string)` | `[]` | no | -| [textract\_endpoint\_subnet\_ids](#input\_textract\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Textract endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [transfer\_endpoint\_private\_dns\_enabled](#input\_transfer\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint | `bool` | `false` | no | -| [transfer\_endpoint\_security\_group\_ids](#input\_transfer\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Transfer endpoint | `list(string)` | `[]` | no | -| [transfer\_endpoint\_subnet\_ids](#input\_transfer\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. 
| `list(string)` | `[]` | no | -| [transferserver\_endpoint\_private\_dns\_enabled](#input\_transferserver\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | `bool` | `false` | no | -| [transferserver\_endpoint\_security\_group\_ids](#input\_transferserver\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | `list(string)` | `[]` | no | -| [transferserver\_endpoint\_subnet\_ids](#input\_transferserver\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | -| [vpc\_endpoint\_tags](#input\_vpc\_endpoint\_tags) | Additional tags for the VPC Endpoints | `map(string)` | `{}` | no | | [vpc\_flow\_log\_permissions\_boundary](#input\_vpc\_flow\_log\_permissions\_boundary) | The ARN of the Permissions Boundary for the VPC Flow Log IAM Role | `string` | `null` | no | | [vpc\_flow\_log\_tags](#input\_vpc\_flow\_log\_tags) | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no | | [vpc\_tags](#input\_vpc\_tags) | Additional tags for the VPC | `map(string)` | `{}` | no | | [vpn\_gateway\_az](#input\_vpn\_gateway\_az) | The Availability Zone for the VPN Gateway | `string` | `null` | no | | [vpn\_gateway\_id](#input\_vpn\_gateway\_id) | ID of VPN Gateway to attach to the VPC | `string` | `""` | no | | [vpn\_gateway\_tags](#input\_vpn\_gateway\_tags) | Additional tags for the VPN gateway | `map(string)` | `{}` | no | -| [workspaces\_endpoint\_policy](#input\_workspaces\_endpoint\_policy) | A policy to attach to the endpoint that controls access to the service. 
Defaults to full access | `string` | `null` | no | -| [workspaces\_endpoint\_private\_dns\_enabled](#input\_workspaces\_endpoint\_private\_dns\_enabled) | Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint | `bool` | `false` | no | -| [workspaces\_endpoint\_security\_group\_ids](#input\_workspaces\_endpoint\_security\_group\_ids) | The ID of one or more security groups to associate with the network interface for Workspaces endpoint | `list(string)` | `[]` | no | -| [workspaces\_endpoint\_subnet\_ids](#input\_workspaces\_endpoint\_subnet\_ids) | The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | ## Outputs 
@@ -1042,199 +552,6 @@ No modules. | [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC | | [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support | | [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support | -| [vpc\_endpoint\_access\_analyzer\_dns\_entry](#output\_vpc\_endpoint\_access\_analyzer\_dns\_entry) | The DNS entries for the VPC Endpoint for Access Analyzer. | -| [vpc\_endpoint\_access\_analyzer\_id](#output\_vpc\_endpoint\_access\_analyzer\_id) | The ID of VPC endpoint for Access Analyzer | -| [vpc\_endpoint\_access\_analyzer\_network\_interface\_ids](#output\_vpc\_endpoint\_access\_analyzer\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Access Analyzer. | -| [vpc\_endpoint\_acm\_pca\_dns\_entry](#output\_vpc\_endpoint\_acm\_pca\_dns\_entry) | The DNS entries for the VPC Endpoint for ACM PCA. | -| [vpc\_endpoint\_acm\_pca\_id](#output\_vpc\_endpoint\_acm\_pca\_id) | The ID of VPC endpoint for ACM PCA | -| [vpc\_endpoint\_acm\_pca\_network\_interface\_ids](#output\_vpc\_endpoint\_acm\_pca\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ACM PCA. | -| [vpc\_endpoint\_apigw\_dns\_entry](#output\_vpc\_endpoint\_apigw\_dns\_entry) | The DNS entries for the VPC Endpoint for APIGW. | -| [vpc\_endpoint\_apigw\_id](#output\_vpc\_endpoint\_apigw\_id) | The ID of VPC endpoint for APIGW | -| [vpc\_endpoint\_apigw\_network\_interface\_ids](#output\_vpc\_endpoint\_apigw\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for APIGW. | -| [vpc\_endpoint\_appmesh\_envoy\_management\_dns\_entry](#output\_vpc\_endpoint\_appmesh\_envoy\_management\_dns\_entry) | The DNS entries for the VPC Endpoint for AppMesh. 
| -| [vpc\_endpoint\_appmesh\_envoy\_management\_id](#output\_vpc\_endpoint\_appmesh\_envoy\_management\_id) | The ID of VPC endpoint for AppMesh | -| [vpc\_endpoint\_appmesh\_envoy\_management\_network\_interface\_ids](#output\_vpc\_endpoint\_appmesh\_envoy\_management\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for AppMesh. | -| [vpc\_endpoint\_appstream\_api\_dns\_entry](#output\_vpc\_endpoint\_appstream\_api\_dns\_entry) | The DNS entries for the VPC Endpoint for AppStream API. | -| [vpc\_endpoint\_appstream\_api\_id](#output\_vpc\_endpoint\_appstream\_api\_id) | The ID of VPC endpoint for AppStream API | -| [vpc\_endpoint\_appstream\_api\_network\_interface\_ids](#output\_vpc\_endpoint\_appstream\_api\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for AppStream API. | -| [vpc\_endpoint\_appstream\_streaming\_dns\_entry](#output\_vpc\_endpoint\_appstream\_streaming\_dns\_entry) | The DNS entries for the VPC Endpoint for AppStream Streaming. | -| [vpc\_endpoint\_appstream\_streaming\_id](#output\_vpc\_endpoint\_appstream\_streaming\_id) | The ID of VPC endpoint for AppStream Streaming | -| [vpc\_endpoint\_appstream\_streaming\_network\_interface\_ids](#output\_vpc\_endpoint\_appstream\_streaming\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for AppStream Streaming. | -| [vpc\_endpoint\_athena\_dns\_entry](#output\_vpc\_endpoint\_athena\_dns\_entry) | The DNS entries for the VPC Endpoint for Athena. | -| [vpc\_endpoint\_athena\_id](#output\_vpc\_endpoint\_athena\_id) | The ID of VPC endpoint for Athena | -| [vpc\_endpoint\_athena\_network\_interface\_ids](#output\_vpc\_endpoint\_athena\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Athena. | -| [vpc\_endpoint\_auto\_scaling\_plans\_dns\_entry](#output\_vpc\_endpoint\_auto\_scaling\_plans\_dns\_entry) | The DNS entries for the VPC Endpoint for Auto Scaling Plans. 
| -| [vpc\_endpoint\_auto\_scaling\_plans\_id](#output\_vpc\_endpoint\_auto\_scaling\_plans\_id) | The ID of VPC endpoint for Auto Scaling Plans | -| [vpc\_endpoint\_auto\_scaling\_plans\_network\_interface\_ids](#output\_vpc\_endpoint\_auto\_scaling\_plans\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Auto Scaling Plans. | -| [vpc\_endpoint\_cloud\_directory\_dns\_entry](#output\_vpc\_endpoint\_cloud\_directory\_dns\_entry) | The DNS entries for the VPC Endpoint for Cloud Directory. | -| [vpc\_endpoint\_cloud\_directory\_id](#output\_vpc\_endpoint\_cloud\_directory\_id) | The ID of VPC endpoint for Cloud Directory | -| [vpc\_endpoint\_cloud\_directory\_network\_interface\_ids](#output\_vpc\_endpoint\_cloud\_directory\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Cloud Directory. | -| [vpc\_endpoint\_cloudformation\_dns\_entry](#output\_vpc\_endpoint\_cloudformation\_dns\_entry) | The DNS entries for the VPC Endpoint for Cloudformation. | -| [vpc\_endpoint\_cloudformation\_id](#output\_vpc\_endpoint\_cloudformation\_id) | The ID of VPC endpoint for Cloudformation | -| [vpc\_endpoint\_cloudformation\_network\_interface\_ids](#output\_vpc\_endpoint\_cloudformation\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Cloudformation. | -| [vpc\_endpoint\_cloudtrail\_dns\_entry](#output\_vpc\_endpoint\_cloudtrail\_dns\_entry) | The DNS entries for the VPC Endpoint for CloudTrail. | -| [vpc\_endpoint\_cloudtrail\_id](#output\_vpc\_endpoint\_cloudtrail\_id) | The ID of VPC endpoint for CloudTrail | -| [vpc\_endpoint\_cloudtrail\_network\_interface\_ids](#output\_vpc\_endpoint\_cloudtrail\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for CloudTrail. | -| [vpc\_endpoint\_codeartifact\_api\_dns\_entry](#output\_vpc\_endpoint\_codeartifact\_api\_dns\_entry) | The DNS entries for the VPC Endpoint for Codeartifact API. 
| -| [vpc\_endpoint\_codeartifact\_api\_id](#output\_vpc\_endpoint\_codeartifact\_api\_id) | The ID of VPC endpoint for Codeartifact API | -| [vpc\_endpoint\_codeartifact\_api\_network\_interface\_ids](#output\_vpc\_endpoint\_codeartifact\_api\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Codeartifact API. | -| [vpc\_endpoint\_codeartifact\_repositories\_dns\_entry](#output\_vpc\_endpoint\_codeartifact\_repositories\_dns\_entry) | The DNS entries for the VPC Endpoint for Codeartifact repositories. | -| [vpc\_endpoint\_codeartifact\_repositories\_id](#output\_vpc\_endpoint\_codeartifact\_repositories\_id) | The ID of VPC endpoint for Codeartifact repositories | -| [vpc\_endpoint\_codeartifact\_repositories\_network\_interface\_ids](#output\_vpc\_endpoint\_codeartifact\_repositories\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Codeartifact repositories. | -| [vpc\_endpoint\_codebuild\_dns\_entry](#output\_vpc\_endpoint\_codebuild\_dns\_entry) | The DNS entries for the VPC Endpoint for codebuild. | -| [vpc\_endpoint\_codebuild\_id](#output\_vpc\_endpoint\_codebuild\_id) | The ID of VPC endpoint for codebuild | -| [vpc\_endpoint\_codebuild\_network\_interface\_ids](#output\_vpc\_endpoint\_codebuild\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for codebuild. | -| [vpc\_endpoint\_codecommit\_dns\_entry](#output\_vpc\_endpoint\_codecommit\_dns\_entry) | The DNS entries for the VPC Endpoint for codecommit. | -| [vpc\_endpoint\_codecommit\_id](#output\_vpc\_endpoint\_codecommit\_id) | The ID of VPC endpoint for codecommit | -| [vpc\_endpoint\_codecommit\_network\_interface\_ids](#output\_vpc\_endpoint\_codecommit\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for codecommit. | -| [vpc\_endpoint\_codepipeline\_dns\_entry](#output\_vpc\_endpoint\_codepipeline\_dns\_entry) | The DNS entries for the VPC Endpoint for CodePipeline. 
| -| [vpc\_endpoint\_codepipeline\_id](#output\_vpc\_endpoint\_codepipeline\_id) | The ID of VPC endpoint for CodePipeline | -| [vpc\_endpoint\_codepipeline\_network\_interface\_ids](#output\_vpc\_endpoint\_codepipeline\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for CodePipeline. | -| [vpc\_endpoint\_config\_dns\_entry](#output\_vpc\_endpoint\_config\_dns\_entry) | The DNS entries for the VPC Endpoint for config. | -| [vpc\_endpoint\_config\_id](#output\_vpc\_endpoint\_config\_id) | The ID of VPC endpoint for config | -| [vpc\_endpoint\_config\_network\_interface\_ids](#output\_vpc\_endpoint\_config\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for config. | -| [vpc\_endpoint\_datasync\_dns\_entry](#output\_vpc\_endpoint\_datasync\_dns\_entry) | The DNS entries for the VPC Endpoint for DataSync. | -| [vpc\_endpoint\_datasync\_id](#output\_vpc\_endpoint\_datasync\_id) | The ID of VPC endpoint for DataSync | -| [vpc\_endpoint\_datasync\_network\_interface\_ids](#output\_vpc\_endpoint\_datasync\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for DataSync. | -| [vpc\_endpoint\_dms\_dns\_entry](#output\_vpc\_endpoint\_dms\_dns\_entry) | The DNS entries for the VPC Endpoint for DMS. | -| [vpc\_endpoint\_dms\_id](#output\_vpc\_endpoint\_dms\_id) | The ID of VPC endpoint for DMS | -| [vpc\_endpoint\_dms\_network\_interface\_ids](#output\_vpc\_endpoint\_dms\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for DMS. | -| [vpc\_endpoint\_dynamodb\_id](#output\_vpc\_endpoint\_dynamodb\_id) | The ID of VPC endpoint for DynamoDB | -| [vpc\_endpoint\_dynamodb\_pl\_id](#output\_vpc\_endpoint\_dynamodb\_pl\_id) | The prefix list for the DynamoDB VPC endpoint. | -| [vpc\_endpoint\_ebs\_dns\_entry](#output\_vpc\_endpoint\_ebs\_dns\_entry) | The DNS entries for the VPC Endpoint for EBS. 
| -| [vpc\_endpoint\_ebs\_id](#output\_vpc\_endpoint\_ebs\_id) | The ID of VPC endpoint for EBS | -| [vpc\_endpoint\_ebs\_network\_interface\_ids](#output\_vpc\_endpoint\_ebs\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EBS. | -| [vpc\_endpoint\_ec2\_autoscaling\_dns\_entry](#output\_vpc\_endpoint\_ec2\_autoscaling\_dns\_entry) | The DNS entries for the VPC Endpoint for EC2 Autoscaling. | -| [vpc\_endpoint\_ec2\_autoscaling\_id](#output\_vpc\_endpoint\_ec2\_autoscaling\_id) | The ID of VPC endpoint for EC2 Autoscaling | -| [vpc\_endpoint\_ec2\_autoscaling\_network\_interface\_ids](#output\_vpc\_endpoint\_ec2\_autoscaling\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EC2 Autoscaling | -| [vpc\_endpoint\_ec2\_dns\_entry](#output\_vpc\_endpoint\_ec2\_dns\_entry) | The DNS entries for the VPC Endpoint for EC2. | -| [vpc\_endpoint\_ec2\_id](#output\_vpc\_endpoint\_ec2\_id) | The ID of VPC endpoint for EC2 | -| [vpc\_endpoint\_ec2\_network\_interface\_ids](#output\_vpc\_endpoint\_ec2\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EC2 | -| [vpc\_endpoint\_ec2messages\_dns\_entry](#output\_vpc\_endpoint\_ec2messages\_dns\_entry) | The DNS entries for the VPC Endpoint for EC2MESSAGES. | -| [vpc\_endpoint\_ec2messages\_id](#output\_vpc\_endpoint\_ec2messages\_id) | The ID of VPC endpoint for EC2MESSAGES | -| [vpc\_endpoint\_ec2messages\_network\_interface\_ids](#output\_vpc\_endpoint\_ec2messages\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EC2MESSAGES | -| [vpc\_endpoint\_ecr\_api\_dns\_entry](#output\_vpc\_endpoint\_ecr\_api\_dns\_entry) | The DNS entries for the VPC Endpoint for ECR API. 
| -| [vpc\_endpoint\_ecr\_api\_id](#output\_vpc\_endpoint\_ecr\_api\_id) | The ID of VPC endpoint for ECR API | -| [vpc\_endpoint\_ecr\_api\_network\_interface\_ids](#output\_vpc\_endpoint\_ecr\_api\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ECR API. | -| [vpc\_endpoint\_ecr\_dkr\_dns\_entry](#output\_vpc\_endpoint\_ecr\_dkr\_dns\_entry) | The DNS entries for the VPC Endpoint for ECR DKR. | -| [vpc\_endpoint\_ecr\_dkr\_id](#output\_vpc\_endpoint\_ecr\_dkr\_id) | The ID of VPC endpoint for ECR DKR | -| [vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids](#output\_vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ECR DKR. | -| [vpc\_endpoint\_ecs\_agent\_dns\_entry](#output\_vpc\_endpoint\_ecs\_agent\_dns\_entry) | The DNS entries for the VPC Endpoint for ECS Agent. | -| [vpc\_endpoint\_ecs\_agent\_id](#output\_vpc\_endpoint\_ecs\_agent\_id) | The ID of VPC endpoint for ECS Agent | -| [vpc\_endpoint\_ecs\_agent\_network\_interface\_ids](#output\_vpc\_endpoint\_ecs\_agent\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ECS Agent. | -| [vpc\_endpoint\_ecs\_dns\_entry](#output\_vpc\_endpoint\_ecs\_dns\_entry) | The DNS entries for the VPC Endpoint for ECS. | -| [vpc\_endpoint\_ecs\_id](#output\_vpc\_endpoint\_ecs\_id) | The ID of VPC endpoint for ECS | -| [vpc\_endpoint\_ecs\_network\_interface\_ids](#output\_vpc\_endpoint\_ecs\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ECS. | -| [vpc\_endpoint\_ecs\_telemetry\_dns\_entry](#output\_vpc\_endpoint\_ecs\_telemetry\_dns\_entry) | The DNS entries for the VPC Endpoint for ECS Telemetry. 
| -| [vpc\_endpoint\_ecs\_telemetry\_id](#output\_vpc\_endpoint\_ecs\_telemetry\_id) | The ID of VPC endpoint for ECS Telemetry | -| [vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids](#output\_vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for ECS Telemetry. | -| [vpc\_endpoint\_efs\_dns\_entry](#output\_vpc\_endpoint\_efs\_dns\_entry) | The DNS entries for the VPC Endpoint for EFS. | -| [vpc\_endpoint\_efs\_id](#output\_vpc\_endpoint\_efs\_id) | The ID of VPC endpoint for EFS | -| [vpc\_endpoint\_efs\_network\_interface\_ids](#output\_vpc\_endpoint\_efs\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EFS. | -| [vpc\_endpoint\_elastic\_inference\_runtime\_dns\_entry](#output\_vpc\_endpoint\_elastic\_inference\_runtime\_dns\_entry) | The DNS entries for the VPC Endpoint for Elastic Inference Runtime. | -| [vpc\_endpoint\_elastic\_inference\_runtime\_id](#output\_vpc\_endpoint\_elastic\_inference\_runtime\_id) | The ID of VPC endpoint for Elastic Inference Runtime | -| [vpc\_endpoint\_elastic\_inference\_runtime\_network\_interface\_ids](#output\_vpc\_endpoint\_elastic\_inference\_runtime\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Elastic Inference Runtime. | -| [vpc\_endpoint\_elasticbeanstalk\_dns\_entry](#output\_vpc\_endpoint\_elasticbeanstalk\_dns\_entry) | The DNS entries for the VPC Endpoint for Elastic Beanstalk. | -| [vpc\_endpoint\_elasticbeanstalk\_health\_dns\_entry](#output\_vpc\_endpoint\_elasticbeanstalk\_health\_dns\_entry) | The DNS entries for the VPC Endpoint for Elastic Beanstalk Health. 
| -| [vpc\_endpoint\_elasticbeanstalk\_health\_id](#output\_vpc\_endpoint\_elasticbeanstalk\_health\_id) | The ID of VPC endpoint for Elastic Beanstalk Health | -| [vpc\_endpoint\_elasticbeanstalk\_health\_network\_interface\_ids](#output\_vpc\_endpoint\_elasticbeanstalk\_health\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk Health. | -| [vpc\_endpoint\_elasticbeanstalk\_id](#output\_vpc\_endpoint\_elasticbeanstalk\_id) | The ID of VPC endpoint for Elastic Beanstalk | -| [vpc\_endpoint\_elasticbeanstalk\_network\_interface\_ids](#output\_vpc\_endpoint\_elasticbeanstalk\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk. | -| [vpc\_endpoint\_elasticloadbalancing\_dns\_entry](#output\_vpc\_endpoint\_elasticloadbalancing\_dns\_entry) | The DNS entries for the VPC Endpoint for Elastic Load Balancing. | -| [vpc\_endpoint\_elasticloadbalancing\_id](#output\_vpc\_endpoint\_elasticloadbalancing\_id) | The ID of VPC endpoint for Elastic Load Balancing | -| [vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids](#output\_vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. | -| [vpc\_endpoint\_elasticmapreduce\_dns\_entry](#output\_vpc\_endpoint\_elasticmapreduce\_dns\_entry) | The DNS entries for the VPC Endpoint for EMR. | -| [vpc\_endpoint\_elasticmapreduce\_id](#output\_vpc\_endpoint\_elasticmapreduce\_id) | The ID of VPC endpoint for EMR | -| [vpc\_endpoint\_elasticmapreduce\_network\_interface\_ids](#output\_vpc\_endpoint\_elasticmapreduce\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for EMR. | -| [vpc\_endpoint\_events\_dns\_entry](#output\_vpc\_endpoint\_events\_dns\_entry) | The DNS entries for the VPC Endpoint for CloudWatch Events. 
| -| [vpc\_endpoint\_events\_id](#output\_vpc\_endpoint\_events\_id) | The ID of VPC endpoint for CloudWatch Events | -| [vpc\_endpoint\_events\_network\_interface\_ids](#output\_vpc\_endpoint\_events\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for CloudWatch Events. | -| [vpc\_endpoint\_git\_codecommit\_dns\_entry](#output\_vpc\_endpoint\_git\_codecommit\_dns\_entry) | The DNS entries for the VPC Endpoint for git\_codecommit. | -| [vpc\_endpoint\_git\_codecommit\_id](#output\_vpc\_endpoint\_git\_codecommit\_id) | The ID of VPC endpoint for git\_codecommit | -| [vpc\_endpoint\_git\_codecommit\_network\_interface\_ids](#output\_vpc\_endpoint\_git\_codecommit\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for git\_codecommit. | -| [vpc\_endpoint\_glue\_dns\_entry](#output\_vpc\_endpoint\_glue\_dns\_entry) | The DNS entries for the VPC Endpoint for Glue. | -| [vpc\_endpoint\_glue\_id](#output\_vpc\_endpoint\_glue\_id) | The ID of VPC endpoint for Glue | -| [vpc\_endpoint\_glue\_network\_interface\_ids](#output\_vpc\_endpoint\_glue\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Glue. | -| [vpc\_endpoint\_kinesis\_firehose\_dns\_entry](#output\_vpc\_endpoint\_kinesis\_firehose\_dns\_entry) | The DNS entries for the VPC Endpoint for Kinesis Firehose. | -| [vpc\_endpoint\_kinesis\_firehose\_id](#output\_vpc\_endpoint\_kinesis\_firehose\_id) | The ID of VPC endpoint for Kinesis Firehose | -| [vpc\_endpoint\_kinesis\_firehose\_network\_interface\_ids](#output\_vpc\_endpoint\_kinesis\_firehose\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Kinesis Firehose. | -| [vpc\_endpoint\_kinesis\_streams\_dns\_entry](#output\_vpc\_endpoint\_kinesis\_streams\_dns\_entry) | The DNS entries for the VPC Endpoint for Kinesis Streams. 
| -| [vpc\_endpoint\_kinesis\_streams\_id](#output\_vpc\_endpoint\_kinesis\_streams\_id) | The ID of VPC endpoint for Kinesis Streams | -| [vpc\_endpoint\_kinesis\_streams\_network\_interface\_ids](#output\_vpc\_endpoint\_kinesis\_streams\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Kinesis Streams. | -| [vpc\_endpoint\_kms\_dns\_entry](#output\_vpc\_endpoint\_kms\_dns\_entry) | The DNS entries for the VPC Endpoint for KMS. | -| [vpc\_endpoint\_kms\_id](#output\_vpc\_endpoint\_kms\_id) | The ID of VPC endpoint for KMS | -| [vpc\_endpoint\_kms\_network\_interface\_ids](#output\_vpc\_endpoint\_kms\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for KMS. | -| [vpc\_endpoint\_lambda\_dns\_entry](#output\_vpc\_endpoint\_lambda\_dns\_entry) | The DNS entries for the VPC Endpoint for Lambda. | -| [vpc\_endpoint\_lambda\_id](#output\_vpc\_endpoint\_lambda\_id) | The ID of VPC endpoint for Lambda | -| [vpc\_endpoint\_lambda\_network\_interface\_ids](#output\_vpc\_endpoint\_lambda\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Lambda. | -| [vpc\_endpoint\_logs\_dns\_entry](#output\_vpc\_endpoint\_logs\_dns\_entry) | The DNS entries for the VPC Endpoint for CloudWatch Logs. | -| [vpc\_endpoint\_logs\_id](#output\_vpc\_endpoint\_logs\_id) | The ID of VPC endpoint for CloudWatch Logs | -| [vpc\_endpoint\_logs\_network\_interface\_ids](#output\_vpc\_endpoint\_logs\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. | -| [vpc\_endpoint\_monitoring\_dns\_entry](#output\_vpc\_endpoint\_monitoring\_dns\_entry) | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. 
| -| [vpc\_endpoint\_monitoring\_id](#output\_vpc\_endpoint\_monitoring\_id) | The ID of VPC endpoint for CloudWatch Monitoring | -| [vpc\_endpoint\_monitoring\_network\_interface\_ids](#output\_vpc\_endpoint\_monitoring\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. | -| [vpc\_endpoint\_qldb\_session\_dns\_entry](#output\_vpc\_endpoint\_qldb\_session\_dns\_entry) | The DNS entries for the VPC Endpoint for QLDB Session. | -| [vpc\_endpoint\_qldb\_session\_id](#output\_vpc\_endpoint\_qldb\_session\_id) | The ID of VPC endpoint for QLDB Session | -| [vpc\_endpoint\_qldb\_session\_network\_interface\_ids](#output\_vpc\_endpoint\_qldb\_session\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for QLDB Session. | -| [vpc\_endpoint\_rds\_dns\_entry](#output\_vpc\_endpoint\_rds\_dns\_entry) | The DNS entries for the VPC Endpoint for RDS. | -| [vpc\_endpoint\_rds\_id](#output\_vpc\_endpoint\_rds\_id) | The ID of VPC endpoint for RDS | -| [vpc\_endpoint\_rds\_network\_interface\_ids](#output\_vpc\_endpoint\_rds\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for RDS. | -| [vpc\_endpoint\_rekognition\_dns\_entry](#output\_vpc\_endpoint\_rekognition\_dns\_entry) | The DNS entries for the VPC Endpoint for Rekognition. | -| [vpc\_endpoint\_rekognition\_id](#output\_vpc\_endpoint\_rekognition\_id) | The ID of VPC endpoint for Rekognition | -| [vpc\_endpoint\_rekognition\_network\_interface\_ids](#output\_vpc\_endpoint\_rekognition\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Rekognition. | -| [vpc\_endpoint\_s3\_id](#output\_vpc\_endpoint\_s3\_id) | The ID of VPC endpoint for S3 | -| [vpc\_endpoint\_s3\_pl\_id](#output\_vpc\_endpoint\_s3\_pl\_id) | The prefix list for the S3 VPC endpoint. 
| -| [vpc\_endpoint\_sagemaker\_api\_dns\_entry](#output\_vpc\_endpoint\_sagemaker\_api\_dns\_entry) | The DNS entries for the VPC Endpoint for SageMaker API. | -| [vpc\_endpoint\_sagemaker\_api\_id](#output\_vpc\_endpoint\_sagemaker\_api\_id) | The ID of VPC endpoint for SageMaker API | -| [vpc\_endpoint\_sagemaker\_api\_network\_interface\_ids](#output\_vpc\_endpoint\_sagemaker\_api\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SageMaker API. | -| [vpc\_endpoint\_sagemaker\_runtime\_dns\_entry](#output\_vpc\_endpoint\_sagemaker\_runtime\_dns\_entry) | The DNS entries for the VPC Endpoint for SageMaker Runtime. | -| [vpc\_endpoint\_sagemaker\_runtime\_id](#output\_vpc\_endpoint\_sagemaker\_runtime\_id) | The ID of VPC endpoint for SageMaker Runtime | -| [vpc\_endpoint\_sagemaker\_runtime\_network\_interface\_ids](#output\_vpc\_endpoint\_sagemaker\_runtime\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SageMaker Runtime. | -| [vpc\_endpoint\_secretsmanager\_dns\_entry](#output\_vpc\_endpoint\_secretsmanager\_dns\_entry) | The DNS entries for the VPC Endpoint for secretsmanager. | -| [vpc\_endpoint\_secretsmanager\_id](#output\_vpc\_endpoint\_secretsmanager\_id) | The ID of VPC endpoint for secretsmanager | -| [vpc\_endpoint\_secretsmanager\_network\_interface\_ids](#output\_vpc\_endpoint\_secretsmanager\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for secretsmanager. | -| [vpc\_endpoint\_servicecatalog\_dns\_entry](#output\_vpc\_endpoint\_servicecatalog\_dns\_entry) | The DNS entries for the VPC Endpoint for Service Catalog. | -| [vpc\_endpoint\_servicecatalog\_id](#output\_vpc\_endpoint\_servicecatalog\_id) | The ID of VPC endpoint for Service Catalog | -| [vpc\_endpoint\_servicecatalog\_network\_interface\_ids](#output\_vpc\_endpoint\_servicecatalog\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Service Catalog. 
| -| [vpc\_endpoint\_ses\_dns\_entry](#output\_vpc\_endpoint\_ses\_dns\_entry) | The DNS entries for the VPC Endpoint for SES. | -| [vpc\_endpoint\_ses\_id](#output\_vpc\_endpoint\_ses\_id) | The ID of VPC endpoint for SES | -| [vpc\_endpoint\_ses\_network\_interface\_ids](#output\_vpc\_endpoint\_ses\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SES. | -| [vpc\_endpoint\_sms\_dns\_entry](#output\_vpc\_endpoint\_sms\_dns\_entry) | The DNS entries for the VPC Endpoint for SMS. | -| [vpc\_endpoint\_sms\_id](#output\_vpc\_endpoint\_sms\_id) | The ID of VPC endpoint for SMS | -| [vpc\_endpoint\_sms\_network\_interface\_ids](#output\_vpc\_endpoint\_sms\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SMS. | -| [vpc\_endpoint\_sns\_dns\_entry](#output\_vpc\_endpoint\_sns\_dns\_entry) | The DNS entries for the VPC Endpoint for SNS. | -| [vpc\_endpoint\_sns\_id](#output\_vpc\_endpoint\_sns\_id) | The ID of VPC endpoint for SNS | -| [vpc\_endpoint\_sns\_network\_interface\_ids](#output\_vpc\_endpoint\_sns\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SNS. | -| [vpc\_endpoint\_sqs\_dns\_entry](#output\_vpc\_endpoint\_sqs\_dns\_entry) | The DNS entries for the VPC Endpoint for SQS. | -| [vpc\_endpoint\_sqs\_id](#output\_vpc\_endpoint\_sqs\_id) | The ID of VPC endpoint for SQS | -| [vpc\_endpoint\_sqs\_network\_interface\_ids](#output\_vpc\_endpoint\_sqs\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SQS. | -| [vpc\_endpoint\_ssm\_dns\_entry](#output\_vpc\_endpoint\_ssm\_dns\_entry) | The DNS entries for the VPC Endpoint for SSM. | -| [vpc\_endpoint\_ssm\_id](#output\_vpc\_endpoint\_ssm\_id) | The ID of VPC endpoint for SSM | -| [vpc\_endpoint\_ssm\_network\_interface\_ids](#output\_vpc\_endpoint\_ssm\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SSM. 
| -| [vpc\_endpoint\_ssmmessages\_dns\_entry](#output\_vpc\_endpoint\_ssmmessages\_dns\_entry) | The DNS entries for the VPC Endpoint for SSMMESSAGES. | -| [vpc\_endpoint\_ssmmessages\_id](#output\_vpc\_endpoint\_ssmmessages\_id) | The ID of VPC endpoint for SSMMESSAGES | -| [vpc\_endpoint\_ssmmessages\_network\_interface\_ids](#output\_vpc\_endpoint\_ssmmessages\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. | -| [vpc\_endpoint\_states\_dns\_entry](#output\_vpc\_endpoint\_states\_dns\_entry) | The DNS entries for the VPC Endpoint for Step Function. | -| [vpc\_endpoint\_states\_id](#output\_vpc\_endpoint\_states\_id) | The ID of VPC endpoint for Step Function | -| [vpc\_endpoint\_states\_network\_interface\_ids](#output\_vpc\_endpoint\_states\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Step Function. | -| [vpc\_endpoint\_storagegateway\_dns\_entry](#output\_vpc\_endpoint\_storagegateway\_dns\_entry) | The DNS entries for the VPC Endpoint for Storage Gateway. | -| [vpc\_endpoint\_storagegateway\_id](#output\_vpc\_endpoint\_storagegateway\_id) | The ID of VPC endpoint for Storage Gateway | -| [vpc\_endpoint\_storagegateway\_network\_interface\_ids](#output\_vpc\_endpoint\_storagegateway\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Storage Gateway. | -| [vpc\_endpoint\_sts\_dns\_entry](#output\_vpc\_endpoint\_sts\_dns\_entry) | The DNS entries for the VPC Endpoint for STS. | -| [vpc\_endpoint\_sts\_id](#output\_vpc\_endpoint\_sts\_id) | The ID of VPC endpoint for STS | -| [vpc\_endpoint\_sts\_network\_interface\_ids](#output\_vpc\_endpoint\_sts\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for STS. | -| [vpc\_endpoint\_textract\_dns\_entry](#output\_vpc\_endpoint\_textract\_dns\_entry) | The DNS entries for the VPC Endpoint for Textract. 
| -| [vpc\_endpoint\_textract\_id](#output\_vpc\_endpoint\_textract\_id) | The ID of VPC endpoint for Textract | -| [vpc\_endpoint\_textract\_network\_interface\_ids](#output\_vpc\_endpoint\_textract\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Textract. | -| [vpc\_endpoint\_transfer\_dns\_entry](#output\_vpc\_endpoint\_transfer\_dns\_entry) | The DNS entries for the VPC Endpoint for Transfer. | -| [vpc\_endpoint\_transfer\_id](#output\_vpc\_endpoint\_transfer\_id) | The ID of VPC endpoint for Transfer | -| [vpc\_endpoint\_transfer\_network\_interface\_ids](#output\_vpc\_endpoint\_transfer\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Transfer. | -| [vpc\_endpoint\_transferserver\_dns\_entry](#output\_vpc\_endpoint\_transferserver\_dns\_entry) | The DNS entries for the VPC Endpoint for transferserver. | -| [vpc\_endpoint\_transferserver\_id](#output\_vpc\_endpoint\_transferserver\_id) | The ID of VPC endpoint for transferserver | -| [vpc\_endpoint\_transferserver\_network\_interface\_ids](#output\_vpc\_endpoint\_transferserver\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for transferserver | -| [vpc\_endpoint\_workspaces\_dns\_entry](#output\_vpc\_endpoint\_workspaces\_dns\_entry) | The DNS entries for the VPC Endpoint for Workspaces. | -| [vpc\_endpoint\_workspaces\_id](#output\_vpc\_endpoint\_workspaces\_id) | The ID of VPC endpoint for Workspaces | -| [vpc\_endpoint\_workspaces\_network\_interface\_ids](#output\_vpc\_endpoint\_workspaces\_network\_interface\_ids) | One or more network interfaces for the VPC Endpoint for Workspaces. 
| | [vpc\_flow\_log\_cloudwatch\_iam\_role\_arn](#output\_vpc\_flow\_log\_cloudwatch\_iam\_role\_arn) | The ARN of the IAM role used when pushing logs to Cloudwatch log group | | [vpc\_flow\_log\_destination\_arn](#output\_vpc\_flow\_log\_destination\_arn) | The ARN of the destination for VPC Flow Logs | | [vpc\_flow\_log\_destination\_type](#output\_vpc\_flow\_log\_destination\_type) | The type of the destination for VPC Flow Logs | diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md new file mode 100644 index 000000000..10339a095 --- /dev/null +++ b/UPGRADE-3.0.md 
@@ -0,0 +1,56 @@ +# Upgrade from v2.x to v3.x + +If you have any questions regarding this upgrade process, please consult the `examples` directory: + +- [Complete-VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) + +If you find a bug, please open an issue with supporting configuration to reproduce. + +## List of backwards incompatible changes + +Previously, VPC endpoints were configured as standalone resources with their own set of variables and attributes. Now, this functionality is provided via a module which loops over a map of maps using `for_each` to generate the desired VPC endpoints. Therefore, to maintain the existing set of functionality while upgrading, you will need to perform the following changes: + +1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured: + +``` +tf state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]' +tf state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]' +tf state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]' +... +``` + +2. Remove the gateway endpoint route table association separate resources. The route table associations are now managed in the VPC endpoint resource itself via the map of maps provided to the VPC endpoint sub-module. 
Perform the necessary removals for each route table association and for S3 and/or DynamoDB depending on your configuration: + +``` +tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]' +tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]' +tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]' +... +``` + +### Variable and output changes + +1. Removed variables: + + - `enable_*_endpoint` + - `*_endpoint_type` + - `*_endpoint_security_group_ids` + - `*_endpoint_subnet_ids` + - `*_endpoint_private_dns_enabled` + - `*_endpoint_policy` + +2. Renamed variables: + +See the [VPC endpoint sub-module](modules/vpc-endpoints) for the more information on the variables to utilize for VPC endpoints + + - None + +3. Removed outputs: + + - `vpc_endpoint_*` + +4. Renamed outputs: + +VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs. + + - None diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md index 908b9d456..ab83431aa 100644 --- a/examples/complete-vpc/README.md +++ b/examples/complete-vpc/README.md 
@@ -21,20 +21,21 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 3.10 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.10 | +| [aws](#provider\_aws) | >= 3.15 | ## Modules | Name | Source | Version | |------|--------|---------| | [vpc](#module\_vpc) | ../../ | | +| [vpc\_endpoints](#module\_vpc\_endpoints) | ../../modules/vpc-endpoints | | ## Resources @@ -43,7 +44,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source | -| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source | +| [aws_vpc_endpoint_service.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | ## Inputs diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index 258152886..fe2002a70 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf 
@@ -1,20 +1,87 @@ provider "aws" { + region = local.region +} + +locals { + name = "complete-example" region = "eu-west-1" + tags = { + Owner = "user" + Environment = "staging" + Name = "complete" + } } +################################################################################ +# Supporting Resources +################################################################################ + data "aws_security_group" "default" { name = "default" vpc_id = module.vpc.vpc_id } +# Data source used to avoid race condition +data "aws_vpc_endpoint_service" "dynamodb" { + service = "dynamodb" + + filter { + name = "service-type" + values = ["Gateway"] + } +} + +data "aws_iam_policy_document" "dynamodb_endpoint_policy" { + statement { + effect = "Deny" + actions = ["dynamodb:*"] + resources = ["*"] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "StringNotEquals" + variable = "aws:sourceVpce" + + values = [data.aws_vpc_endpoint_service.dynamodb.id] + } + } +} + +data "aws_iam_policy_document" "generic_endpoint_policy" { + statement { + effect = "Deny" + actions = ["*"] + resources = ["*"] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "StringNotEquals" + variable = "aws:sourceVpce" + + values = [data.aws_vpc_endpoint_service.dynamodb.id] + } + } +} + +################################################################################ +# VPC Module +################################################################################ + module "vpc" { source = "../../" - name = "complete-example" - + name = local.name cidr = "20.10.0.0/16" # 10.0.0.0/8 is reserved for EC2-Classic - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] private_subnets = ["20.10.1.0/24", "20.10.2.0/24", "20.10.3.0/24"] public_subnets = ["20.10.11.0/24", "20.10.12.0/24", "20.10.13.0/24"] database_subnets = ["20.10.21.0/24", "20.10.22.0/24", "20.10.23.0/24"] 
@@ -53,80 +120,6 @@ module "vpc" { dhcp_options_domain_name = "service.consul" dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"] - # VPC endpoint for S3 - # Note - S3 Interface type support is only available on AWS provider 3.10 and later - enable_s3_endpoint = true - s3_endpoint_type = "Interface" - s3_endpoint_private_dns_enabled = false - s3_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for DynamoDB - enable_dynamodb_endpoint = true - dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json - - # VPC endpoint for SSM - enable_ssm_endpoint = true - ssm_endpoint_private_dns_enabled = true - ssm_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for Lambda - enable_lambda_endpoint = true - lambda_endpoint_private_dns_enabled = true - lambda_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for SSMMESSAGES - enable_ssmmessages_endpoint = true - ssmmessages_endpoint_private_dns_enabled = true - ssmmessages_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC Endpoint for EC2 - enable_ec2_endpoint = true - ec2_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json - ec2_endpoint_private_dns_enabled = true - ec2_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC Endpoint for EC2MESSAGES - enable_ec2messages_endpoint = true - ec2messages_endpoint_private_dns_enabled = true - ec2messages_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC Endpoint for ECR API - enable_ecr_api_endpoint = true - ecr_api_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json - ecr_api_endpoint_private_dns_enabled = true - ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC Endpoint for ECR DKR - enable_ecr_dkr_endpoint = true - ecr_dkr_endpoint_policy = 
data.aws_iam_policy_document.generic_endpoint_policy.json - ecr_dkr_endpoint_private_dns_enabled = true - ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for KMS - enable_kms_endpoint = true - kms_endpoint_private_dns_enabled = true - kms_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for ECS - enable_ecs_endpoint = true - ecs_endpoint_private_dns_enabled = true - ecs_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for ECS telemetry - enable_ecs_telemetry_endpoint = true - ecs_telemetry_endpoint_private_dns_enabled = true - ecs_telemetry_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for CodeDeploy - enable_codedeploy_endpoint = true - codedeploy_endpoint_private_dns_enabled = true - codedeploy_endpoint_security_group_ids = [data.aws_security_group.default.id] - - # VPC endpoint for CodeDeploy Commands Secure - enable_codedeploy_commands_secure_endpoint = true - codedeploy_commands_secure_endpoint_private_dns_enabled = true - codedeploy_commands_secure_endpoint_security_group_ids = [data.aws_security_group.default.id] - # Default security group - ingress/egress rules cleared to deny all manage_default_security_group = true default_security_group_ingress = [] 
@@ -138,60 +131,97 @@ module "vpc" { create_flow_log_cloudwatch_iam_role = true flow_log_max_aggregation_interval = 60 - tags = { - Owner = "user" - Environment = "staging" - Name = "complete" - } - - vpc_endpoint_tags = { - Project = "Secret" - Endpoint = "true" - } -} - -# Data source used to avoid race condition -data "aws_vpc_endpoint" "dynamodb" { - vpc_id = module.vpc.vpc_id - service_name = "com.amazonaws.eu-west-1.dynamodb" + tags = local.tags } -data "aws_iam_policy_document" "dynamodb_endpoint_policy" { - statement { - effect = "Deny" - actions = ["dynamodb:*"] - resources = ["*"] +################################################################################ +# VPC Endpoints Module +################################################################################ - principals { - type = "*" - identifiers = ["*"] - } +module "vpc_endpoints" { + source = "../../modules/vpc-endpoints" - condition { - test = "StringNotEquals" - variable = "aws:sourceVpce" + vpc_id = module.vpc.vpc_id + security_group_ids = [data.aws_security_group.default.id] - values = [data.aws_vpc_endpoint.dynamodb.id] - } + endpoints = { + s3 = { + service = "s3" + tags = { Name = "s3-vpc-endpoint" } + }, + dynamodb = { + service = "dynamodb" + service_type = "Gateway" + route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids]) + policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json + tags = { Name = "dynamodb-vpc-endpoint" } + }, + ssm = { + service = "ssm" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ssmmessages = { + service = "ssmmessages" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + lambda = { + service = "lambda" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ecs = { + service = "ecs" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ecs_telemetry = { + service = 
"ecs-telemetry" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ec2 = { + service = "ec2" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ec2messages = { + service = "ec2messages" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + ecr_api = { + service = "ecr.api" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + policy = data.aws_iam_policy_document.generic_endpoint_policy.json + }, + ecr_dkr = { + service = "ecr.dkr" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + policy = data.aws_iam_policy_document.generic_endpoint_policy.json + }, + kms = { + service = "kms" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + codedeploy = { + service = "codedeploy" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, + codedeploy_commands_secure = { + service = "codedeploy-commands-secure" + private_dns_enabled = true + subnet_ids = module.vpc.private_subnets + }, } -} - -data "aws_iam_policy_document" "generic_endpoint_policy" { - statement { - effect = "Deny" - actions = ["*"] - resources = ["*"] - - principals { - type = "*" - identifiers = ["*"] - } - - condition { - test = "StringNotEquals" - variable = "aws:sourceVpce" - values = [data.aws_vpc_endpoint.dynamodb.id] - } - } + tags = merge(local.tags, { + Project = "Secret" + Endpoint = "true" + }) } diff --git a/examples/complete-vpc/outputs.tf b/examples/complete-vpc/outputs.tf index 0d24ff272..7dd0b6ddf 100644 --- a/examples/complete-vpc/outputs.tf +++ b/examples/complete-vpc/outputs.tf 
@@ -44,32 +44,32 @@ output "nat_public_ips" { # VPC endpoints output "vpc_endpoint_ssm_id" { description = "The ID of VPC endpoint for SSM" - value = module.vpc.vpc_endpoint_ssm_id + value = module.vpc_endpoints.endpoints["ssm"].id } output "vpc_endpoint_ssm_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for SSM." - value = module.vpc.vpc_endpoint_ssm_network_interface_ids + value = module.vpc_endpoints.endpoints["ssm"].network_interface_ids } output "vpc_endpoint_ssm_dns_entry" { description = "The DNS entries for the VPC Endpoint for SSM." - value = module.vpc.vpc_endpoint_ssm_dns_entry + value = module.vpc_endpoints.endpoints["ssm"].dns_entry } output "vpc_endpoint_lambda_id" { description = "The ID of VPC endpoint for Lambda" - value = module.vpc.vpc_endpoint_lambda_id + value = module.vpc_endpoints.endpoints["lambda"].id } output "vpc_endpoint_lambda_network_interface_ids" { description = "One or more network interfaces for the VPC Endpoint for Lambda." - value = module.vpc.vpc_endpoint_lambda_network_interface_ids + value = module.vpc_endpoints.endpoints["lambda"].network_interface_ids } output "vpc_endpoint_lambda_dns_entry" { description = "The DNS entries for the VPC Endpoint for Lambda." - value = module.vpc.vpc_endpoint_lambda_dns_entry + value = module.vpc_endpoints.endpoints["lambda"].dns_entry } # Customer Gateway diff --git a/examples/complete-vpc/versions.tf b/examples/complete-vpc/versions.tf index 3a618a90d..dc46f697a 100644 --- a/examples/complete-vpc/versions.tf +++ b/examples/complete-vpc/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.10" + version = ">= 3.15" } } } diff --git a/examples/ipv6/README.md b/examples/ipv6/README.md index 25775aed9..a1ec4ac73 100644 --- a/examples/ipv6/README.md +++ b/examples/ipv6/README.md 
@@ -19,14 +19,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers -| Name | Version | -|------|---------| -| [aws](#provider\_aws) | >= 2.70 | +No providers. ## Modules @@ -36,9 +34,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP ## Resources -| Name | Type | -|------|------| -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | +No resources. ## Inputs diff --git a/examples/ipv6/main.tf b/examples/ipv6/main.tf index 8bb2782d4..ce6709921 100644 --- a/examples/ipv6/main.tf +++ b/examples/ipv6/main.tf @@ -1,17 +1,22 @@ provider "aws" { + region = local.region +} + +locals { region = "eu-west-1" } -data "aws_availability_zones" "available" {} +################################################################################ +# VPC Module +################################################################################ module "vpc" { source = "../.." name = "ipv6" - cidr = "10.0.0.0/16" - azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] + azs = ["${local.region}a", "${local.region}b"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] database_subnets = ["10.0.103.0/24", "10.0.104.0/24"] diff --git a/examples/ipv6/versions.tf b/examples/ipv6/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/ipv6/versions.tf +++ b/examples/ipv6/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } 
diff --git a/examples/issue-108-route-already-exists/README.md b/examples/issue-108-route-already-exists/README.md deleted file mode 100644 index 78cc0d3cc..000000000 --- a/examples/issue-108-route-already-exists/README.md +++ /dev/null @@ -1,57 +0,0 @@ -# Issue 108 - VPC - -Configuration in this directory creates set of VPC resources to cover issues reported on GitHub: - -* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108#issue-308084655 -* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102#issuecomment-374877706 -* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44#issuecomment-378679404 - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | - -## Providers - -No providers. - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [vpc](#module\_vpc) | ../../ | | - -## Resources - -No resources. - -## Inputs - -No inputs. - -## Outputs - -| Name | Description | -|------|-------------| -| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets | -| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | - 
diff --git a/examples/issue-108-route-already-exists/main.tf b/examples/issue-108-route-already-exists/main.tf deleted file mode 100644 index 199b47a9f..000000000 --- a/examples/issue-108-route-already-exists/main.tf +++ /dev/null @@ -1,21 +0,0 @@ -provider "aws" { - region = "us-east-1" -} - -module "vpc" { - source = "../../" - - name = "route-already-exists" - - cidr = "10.0.0.0/16" - - azs = ["us-east-1a", "us-east-1b", "us-east-1c"] - private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"] - public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"] - - single_nat_gateway = true - enable_nat_gateway = true - - enable_s3_endpoint = true - enable_dynamodb_endpoint = true -} diff --git a/examples/issue-108-route-already-exists/outputs.tf b/examples/issue-108-route-already-exists/outputs.tf deleted file mode 100644 index 51b4e83b7..000000000 --- a/examples/issue-108-route-already-exists/outputs.tf +++ /dev/null @@ -1,33 +0,0 @@ -# VPC -output "vpc_id" { - description = "The ID of the VPC" - value = module.vpc.vpc_id -} - -# Subnets -output "private_subnets" { - description = "List of IDs of private subnets" - value = module.vpc.private_subnets -} - -output "public_subnets" { - description = "List of IDs of public subnets" - value = module.vpc.public_subnets -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = module.vpc.database_subnets -} - -output "elasticache_subnets" { - description = "List of IDs of elasticache subnets" - value = module.vpc.elasticache_subnets -} - -# NAT gateways -output "nat_public_ips" { - description = "List of public Elastic IPs created for AWS NAT Gateway" - value = module.vpc.nat_public_ips -} - diff --git a/examples/issue-108-route-already-exists/versions.tf b/examples/issue-108-route-already-exists/versions.tf deleted file mode 100644 index 238ed698b..000000000 --- a/examples/issue-108-route-already-exists/versions.tf +++ /dev/null 
@@ -1,10 +0,0 @@ -terraform { - required_version = ">= 0.12.21" - - required_providers { - aws = { - source = "hashicorp/aws" - version = ">= 2.70" - } - } -} diff --git a/examples/issue-44-asymmetric-private-subnets/README.md b/examples/issue-44-asymmetric-private-subnets/README.md deleted file mode 100644 index b07362008..000000000 --- a/examples/issue-44-asymmetric-private-subnets/README.md +++ /dev/null @@ -1,55 +0,0 @@ -# Issue 44 - VPC - -Configuration in this directory creates set of VPC resources to cover issues reported on GitHub: - -* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44 - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | - -## Providers - -No providers. - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [vpc](#module\_vpc) | ../../ | | - -## Resources - -No resources. - -## Inputs - -No inputs. - -## Outputs - -| Name | Description | -|------|-------------| -| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets | -| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | - 
diff --git a/examples/issue-44-asymmetric-private-subnets/main.tf b/examples/issue-44-asymmetric-private-subnets/main.tf deleted file mode 100644 index 07f3f0fe7..000000000 --- a/examples/issue-44-asymmetric-private-subnets/main.tf +++ /dev/null @@ -1,28 +0,0 @@ -# List of AZs and private subnets are not of equal length -# -# This example creates resources which are not present in all AZs. -# This should be seldomly needed from architectural point of view, -# and it can also lead this module to some edge cases. -# -# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44 -module "vpc" { - source = "../../" - - name = "asymmetrical" - - cidr = "10.0.0.0/16" - - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] - private_subnets = ["10.0.1.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] - database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"] - - create_database_subnet_group = true - enable_nat_gateway = true - - tags = { - Issue = "44" - Name = "asymmetrical" - } -} - diff --git a/examples/issue-44-asymmetric-private-subnets/outputs.tf b/examples/issue-44-asymmetric-private-subnets/outputs.tf deleted file mode 100644 index 51b4e83b7..000000000 --- a/examples/issue-44-asymmetric-private-subnets/outputs.tf +++ /dev/null 
@@ -1,33 +0,0 @@ -# VPC -output "vpc_id" { - description = "The ID of the VPC" - value = module.vpc.vpc_id -} - -# Subnets -output "private_subnets" { - description = "List of IDs of private subnets" - value = module.vpc.private_subnets -} - -output "public_subnets" { - description = "List of IDs of public subnets" - value = module.vpc.public_subnets -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = module.vpc.database_subnets -} - -output "elasticache_subnets" { - description = "List of IDs of elasticache subnets" - value = module.vpc.elasticache_subnets -} - -# NAT gateways -output "nat_public_ips" { - description = "List of public Elastic IPs created for AWS NAT Gateway" - value = module.vpc.nat_public_ips -} - diff --git a/examples/issue-44-asymmetric-private-subnets/variables.tf b/examples/issue-44-asymmetric-private-subnets/variables.tf deleted file mode 100644 index e69de29bb..000000000 diff --git a/examples/issue-46-no-private-subnets/README.md b/examples/issue-46-no-private-subnets/README.md deleted file mode 100644 index 0fa6c2556..000000000 --- a/examples/issue-46-no-private-subnets/README.md +++ /dev/null 
@@ -1,55 +0,0 @@ -# Issue 46 - VPC - -Configuration in this directory creates set of VPC resources to cover issues reported on GitHub: - -* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46 - -## Usage - -To run this example you need to execute: - -```bash -$ terraform init -$ terraform plan -$ terraform apply -``` - -Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - - -## Requirements - -| Name | Version | -|------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | - -## Providers - -No providers. - -## Modules - -| Name | Source | Version | -|------|--------|---------| -| [vpc](#module\_vpc) | ../../ | | - -## Resources - -No resources. - -## Inputs - -No inputs. - -## Outputs - -| Name | Description | -|------|-------------| -| [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets | -| [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets | -| [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | -| [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets | -| [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets | -| [vpc\_id](#output\_vpc\_id) | The ID of the VPC | - diff --git a/examples/issue-46-no-private-subnets/main.tf b/examples/issue-46-no-private-subnets/main.tf deleted file mode 100644 index e9e5ec517..000000000 --- a/examples/issue-46-no-private-subnets/main.tf +++ /dev/null 
@@ -1,26 +0,0 @@ -# There are no private subnets in this VPC setup. -# -# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46 -module "vpc" { - source = "../../" - - name = "no-private-subnets" - - cidr = "10.0.0.0/16" - - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] - public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] - private_subnets = [] - database_subnets = ["10.0.128.0/24", "10.0.129.0/24"] - elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"] - - enable_dns_support = true - enable_dns_hostnames = true - enable_nat_gateway = false - - tags = { - Issue = "46" - Name = "no-private-subnets" - } -} - diff --git a/examples/issue-46-no-private-subnets/outputs.tf b/examples/issue-46-no-private-subnets/outputs.tf deleted file mode 100644 index 51b4e83b7..000000000 --- a/examples/issue-46-no-private-subnets/outputs.tf +++ /dev/null @@ -1,33 +0,0 @@ -# VPC -output "vpc_id" { - description = "The ID of the VPC" - value = module.vpc.vpc_id -} - -# Subnets -output "private_subnets" { - description = "List of IDs of private subnets" - value = module.vpc.private_subnets -} - -output "public_subnets" { - description = "List of IDs of public subnets" - value = module.vpc.public_subnets -} - -output "database_subnets" { - description = "List of IDs of database subnets" - value = module.vpc.database_subnets -} - -output "elasticache_subnets" { - description = "List of IDs of elasticache subnets" - value = module.vpc.elasticache_subnets -} - -# NAT gateways -output "nat_public_ips" { - description = "List of public Elastic IPs created for AWS NAT Gateway" - value = module.vpc.nat_public_ips -} - diff --git a/examples/issue-46-no-private-subnets/variables.tf b/examples/issue-46-no-private-subnets/variables.tf deleted file mode 100644 index e69de29bb..000000000 diff --git a/examples/issues/README.md b/examples/issues/README.md new file mode 100644 index 000000000..228c70537 --- /dev/null 
+++ b/examples/issues/README.md 
@@ -0,0 +1,72 @@ +# Issues + +Configuration in this directory creates set of VPC resources to cover issues reported on GitHub: + +- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44 +- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46 +- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102 +- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108 + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [vpc\_issue\_108](#module\_vpc\_issue\_108) | ../../ | | +| [vpc\_issue\_44](#module\_vpc\_issue\_44) | ../../ | | +| [vpc\_issue\_46](#module\_vpc\_issue\_46) | ../../ | | + +## Resources + +No resources. + +## Inputs + +No inputs. 
+ +## Outputs + +| Name | Description | +|------|-------------| +| [issue\_108\_database\_subnets](#output\_issue\_108\_database\_subnets) | List of IDs of database subnets | +| [issue\_108\_elasticache\_subnets](#output\_issue\_108\_elasticache\_subnets) | List of IDs of elasticache subnets | +| [issue\_108\_nat\_public\_ips](#output\_issue\_108\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | +| [issue\_108\_private\_subnets](#output\_issue\_108\_private\_subnets) | List of IDs of private subnets | +| [issue\_108\_public\_subnets](#output\_issue\_108\_public\_subnets) | List of IDs of public subnets | +| [issue\_108\_vpc\_id](#output\_issue\_108\_vpc\_id) | The ID of the VPC | +| [issue\_44\_database\_subnets](#output\_issue\_44\_database\_subnets) | List of IDs of database subnets | +| [issue\_44\_elasticache\_subnets](#output\_issue\_44\_elasticache\_subnets) | List of IDs of elasticache subnets | +| [issue\_44\_nat\_public\_ips](#output\_issue\_44\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | +| [issue\_44\_private\_subnets](#output\_issue\_44\_private\_subnets) | List of IDs of private subnets | +| [issue\_44\_public\_subnets](#output\_issue\_44\_public\_subnets) | List of IDs of public subnets | +| [issue\_44\_vpc\_id](#output\_issue\_44\_vpc\_id) | The ID of the VPC | +| [issue\_46\_database\_subnets](#output\_issue\_46\_database\_subnets) | List of IDs of database subnets | +| [issue\_46\_elasticache\_subnets](#output\_issue\_46\_elasticache\_subnets) | List of IDs of elasticache subnets | +| [issue\_46\_nat\_public\_ips](#output\_issue\_46\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway | +| [issue\_46\_private\_subnets](#output\_issue\_46\_private\_subnets) | List of IDs of private subnets | +| [issue\_46\_public\_subnets](#output\_issue\_46\_public\_subnets) | List of IDs of public subnets | +| [issue\_46\_vpc\_id](#output\_issue\_46\_vpc\_id) | The ID of the VPC | 
+ diff --git a/examples/issues/main.tf b/examples/issues/main.tf new file mode 100644 index 000000000..a838239d3 --- /dev/null +++ b/examples/issues/main.tf 
@@ -0,0 +1,80 @@ +provider "aws" { + region = local.region +} + +locals { + region = "eu-west-1" +} + +################################################################################ +# Issue 44 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44 +################################################################################ + +module "vpc_issue_44" { + source = "../../" + + name = "asymmetrical" + cidr = "10.0.0.0/16" + + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + private_subnets = ["10.0.1.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24"] + database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"] + + create_database_subnet_group = true + enable_nat_gateway = true + + tags = { + Issue = "44" + Name = "asymmetrical" + } +} + +################################################################################ +# Issue 46 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46 +################################################################################ + +module "vpc_issue_46" { + source = "../../" + + name = "no-private-subnets" + cidr = "10.0.0.0/16" + + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + public_subnets = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"] + private_subnets = [] + database_subnets = ["10.0.128.0/24", "10.0.129.0/24"] + elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"] + + enable_dns_support = true + enable_dns_hostnames = true + enable_nat_gateway = false + + tags = { + Issue = "46" + Name = "no-private-subnets" + } +} + +################################################################################ +# Issue 108 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108 +################################################################################ + +module "vpc_issue_108" { + source = "../../" + + name = "route-already-exists" + cidr = "10.0.0.0/16" + + azs = ["${local.region}a", 
"${local.region}b", "${local.region}c"] + private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"] + public_subnets = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"] + + single_nat_gateway = true + enable_nat_gateway = true + + tags = { + Issue = "108" + Name = "route-already-exists" + } +} diff --git a/examples/issues/outputs.tf b/examples/issues/outputs.tf new file mode 100644 index 000000000..adcd57608 --- /dev/null +++ b/examples/issues/outputs.tf 
@@ -0,0 +1,110 @@ +################################################################################ +# Issue 44 +################################################################################ + +# VPC +output "issue_44_vpc_id" { + description = "The ID of the VPC" + value = module.vpc_issue_44.vpc_id +} + +# Subnets +output "issue_44_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc_issue_44.private_subnets +} + +output "issue_44_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc_issue_44.public_subnets +} + +output "issue_44_database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc_issue_44.database_subnets +} + +output "issue_44_elasticache_subnets" { + description = "List of IDs of elasticache subnets" + value = module.vpc_issue_44.elasticache_subnets +} + +# NAT gateways +output "issue_44_nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = module.vpc_issue_44.nat_public_ips +} + +################################################################################ +# Issue 46 +################################################################################ + +# VPC +output "issue_46_vpc_id" { + description = "The ID of the VPC" + value = module.vpc_issue_46.vpc_id +} + +# Subnets +output "issue_46_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc_issue_46.private_subnets +} + +output "issue_46_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc_issue_46.public_subnets +} + +output "issue_46_database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc_issue_46.database_subnets +} + +output "issue_46_elasticache_subnets" { + description = "List of IDs of elasticache subnets" + value = module.vpc_issue_46.elasticache_subnets +} + +# NAT gateways +output "issue_46_nat_public_ips" { + description = "List of 
public Elastic IPs created for AWS NAT Gateway" + value = module.vpc_issue_46.nat_public_ips +} + +################################################################################ +# Issue 108 +################################################################################ + +# VPC +output "issue_108_vpc_id" { + description = "The ID of the VPC" + value = module.vpc_issue_108.vpc_id +} + +# Subnets +output "issue_108_private_subnets" { + description = "List of IDs of private subnets" + value = module.vpc_issue_108.private_subnets +} + +output "issue_108_public_subnets" { + description = "List of IDs of public subnets" + value = module.vpc_issue_108.public_subnets +} + +output "issue_108_database_subnets" { + description = "List of IDs of database subnets" + value = module.vpc_issue_108.database_subnets +} + +output "issue_108_elasticache_subnets" { + description = "List of IDs of elasticache subnets" + value = module.vpc_issue_108.elasticache_subnets +} + +# NAT gateways +output "issue_108_nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = module.vpc_issue_108.nat_public_ips +} diff --git a/examples/issue-108-route-already-exists/variables.tf b/examples/issues/variables.tf similarity index 100% rename from examples/issue-108-route-already-exists/variables.tf rename to examples/issues/variables.tf diff --git a/examples/issue-44-asymmetric-private-subnets/versions.tf b/examples/issues/versions.tf similarity index 60% rename from examples/issue-44-asymmetric-private-subnets/versions.tf rename to examples/issues/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/issue-44-asymmetric-private-subnets/versions.tf +++ b/examples/issues/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } 
diff --git a/examples/manage-default-vpc/README.md b/examples/manage-default-vpc/README.md index d2694a380..6bacea116 100644 --- a/examples/manage-default-vpc/README.md +++ b/examples/manage-default-vpc/README.md @@ -21,8 +21,8 @@ Run `terraform destroy` when you don't need these resources. | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers diff --git a/examples/manage-default-vpc/main.tf b/examples/manage-default-vpc/main.tf index 5f645dd8e..8e3797432 100644 --- a/examples/manage-default-vpc/main.tf +++ b/examples/manage-default-vpc/main.tf @@ -1,7 +1,15 @@ provider "aws" { + region = local.region +} + +locals { region = "eu-west-1" } +################################################################################ +# VPC Module +################################################################################ + module "vpc" { source = "../../" diff --git a/examples/manage-default-vpc/versions.tf b/examples/manage-default-vpc/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/manage-default-vpc/versions.tf +++ b/examples/manage-default-vpc/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index 04a6f1f90..55beb7631 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -23,8 +23,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers 
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 8677bf2b6..0d820aac8 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -1,58 +1,10 @@ provider "aws" { - region = "eu-west-1" -} - -module "vpc" { - source = "../../" - - name = "network-acls-example" - - cidr = "10.0.0.0/16" - - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] - - public_dedicated_network_acl = true - public_inbound_acl_rules = concat( - local.network_acls["default_inbound"], - local.network_acls["public_inbound"], - ) - public_outbound_acl_rules = concat( - local.network_acls["default_outbound"], - local.network_acls["public_outbound"], - ) - elasticache_outbound_acl_rules = concat( - local.network_acls["default_outbound"], - local.network_acls["elasticache_outbound"], - ) - - private_dedicated_network_acl = false - elasticache_dedicated_network_acl = true - - manage_default_network_acl = true - - enable_ipv6 = true - - enable_nat_gateway = false - single_nat_gateway = true - - public_subnet_tags = { - Name = "overridden-name-public" - } - - tags = { - Owner = "user" - Environment = "dev" - } - - vpc_tags = { - Name = "vpc-name" - } + region = local.region } locals { + region = "eu-west-1" + network_acls = { default_inbound = [ { 
@@ -202,3 +154,47 @@ locals { ] } } + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../../" + + name = "network-acls-example" + cidr = "10.0.0.0/16" + + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] + + public_dedicated_network_acl = true + public_inbound_acl_rules = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"]) + public_outbound_acl_rules = concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"]) + elasticache_outbound_acl_rules = concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"]) + + private_dedicated_network_acl = false + elasticache_dedicated_network_acl = true + + manage_default_network_acl = true + + enable_ipv6 = true + + enable_nat_gateway = false + single_nat_gateway = true + + public_subnet_tags = { + Name = "overridden-name-public" + } + + tags = { + Owner = "user" + Environment = "dev" + } + + vpc_tags = { + Name = "vpc-name" + } +} diff --git a/examples/network-acls/versions.tf b/examples/network-acls/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/network-acls/versions.tf +++ b/examples/network-acls/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } diff --git a/examples/outpost/README.md b/examples/outpost/README.md index 2c6200d90..16b9a35da 100644 --- a/examples/outpost/README.md +++ b/examples/outpost/README.md 
@@ -23,14 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 3.5.0 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.5.0 | +| [aws](#provider\_aws) | >= 3.15 | ## Modules diff --git a/examples/outpost/main.tf b/examples/outpost/main.tf index 49bb96735..d923e083d 100644 --- a/examples/outpost/main.tf +++ b/examples/outpost/main.tf 
@@ -1,58 +1,14 @@ provider "aws" { - region = "us-west-2" + region = local.region assume_role { role_arn = "arn:aws:iam::562806027032:role/outpost-shared-anton" } } -data "aws_outposts_outpost" "shared" { - name = "SEA19.07" -} - -data "aws_availability_zones" "available" {} - -module "vpc" { - source = "../../" - - name = "outpost-example" - - cidr = "10.0.0.0/16" - - azs = [ - data.aws_availability_zones.available.names[0], - data.aws_availability_zones.available.names[1], - data.aws_availability_zones.available.names[2], - ] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - - # Outpost is using single AZ specified in `outpost_az` - outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"] - outpost_arn = data.aws_outposts_outpost.shared.arn - outpost_az = data.aws_outposts_outpost.shared.availability_zone - - # IPv6 - enable_ipv6 = true - outpost_subnet_assign_ipv6_address_on_creation = true - outpost_subnet_ipv6_prefixes = [2, 3, 4] - - # NAT Gateway - enable_nat_gateway = true - single_nat_gateway = true - - # Network ACLs - outpost_dedicated_network_acl = true - outpost_inbound_acl_rules = local.network_acls["outpost_inbound"] - outpost_outbound_acl_rules = local.network_acls["outpost_outbound"] - - tags = { - Owner = "user" - Environment = "dev" - } -} - locals { + region = "eu-west-1" + network_acls = { outpost_inbound = [ { 
@@ -148,3 +104,56 @@ locals { ] } } + +################################################################################ +# Supporting Resources +################################################################################ + +data "aws_outposts_outpost" "shared" { + name = "SEA19.07" +} + +data "aws_availability_zones" "available" {} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc" { + source = "../../" + + name = "outpost-example" + cidr = "10.0.0.0/16" + + azs = [ + data.aws_availability_zones.available.names[0], + data.aws_availability_zones.available.names[1], + data.aws_availability_zones.available.names[2], + ] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + # Outpost is using single AZ specified in `outpost_az` + outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"] + outpost_arn = data.aws_outposts_outpost.shared.arn + outpost_az = data.aws_outposts_outpost.shared.availability_zone + + # IPv6 + enable_ipv6 = true + outpost_subnet_assign_ipv6_address_on_creation = true + outpost_subnet_ipv6_prefixes = [2, 3, 4] + + # NAT Gateway + enable_nat_gateway = true + single_nat_gateway = true + + # Network ACLs + outpost_dedicated_network_acl = true + outpost_inbound_acl_rules = local.network_acls["outpost_inbound"] + outpost_outbound_acl_rules = local.network_acls["outpost_outbound"] + + tags = { + Owner = "user" + Environment = "dev" + } +} diff --git a/examples/outpost/versions.tf b/examples/outpost/versions.tf index cf5a417d4..dc46f697a 100644 --- a/examples/outpost/versions.tf +++ b/examples/outpost/versions.tf @@ -1,7 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { - aws = ">= 3.5.0" + aws = { + source = "hashicorp/aws" + version = ">= 3.15" + } } } 
diff --git a/examples/secondary-cidr-blocks/README.md b/examples/secondary-cidr-blocks/README.md index 78fe53623..f8b0c4f24 100644 --- a/examples/secondary-cidr-blocks/README.md +++ b/examples/secondary-cidr-blocks/README.md @@ -21,8 +21,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers diff --git a/examples/secondary-cidr-blocks/main.tf b/examples/secondary-cidr-blocks/main.tf index 6c621913e..76cb4c551 100644 --- a/examples/secondary-cidr-blocks/main.tf +++ b/examples/secondary-cidr-blocks/main.tf @@ -1,7 +1,15 @@ provider "aws" { + region = local.region +} + +locals { region = "eu-west-1" } +################################################################################ +# VPC Module +################################################################################ + module "vpc" { source = "../../" @@ -10,7 +18,7 @@ module "vpc" { cidr = "10.0.0.0/16" secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"] - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"] public_subnets = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"] @@ -32,4 +40,3 @@ module "vpc" { Name = "vpc-name" } } - diff --git a/examples/secondary-cidr-blocks/versions.tf b/examples/secondary-cidr-blocks/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/secondary-cidr-blocks/versions.tf +++ b/examples/secondary-cidr-blocks/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } 
diff --git a/examples/simple-vpc/README.md b/examples/simple-vpc/README.md index f205fb6a8..fd7b88200 100644 --- a/examples/simple-vpc/README.md +++ b/examples/simple-vpc/README.md @@ -25,8 +25,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf index ab315deaf..63de4446e 100644 --- a/examples/simple-vpc/main.tf +++ b/examples/simple-vpc/main.tf @@ -1,15 +1,22 @@ provider "aws" { + region = local.region +} + +locals { region = "eu-west-1" } +################################################################################ +# VPC Module +################################################################################ + module "vpc" { source = "../../" name = "simple-example" - cidr = "10.0.0.0/16" - azs = ["eu-west-1a", "eu-west-1b", "euw1-az3"] + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] @@ -18,9 +25,6 @@ module "vpc" { enable_nat_gateway = false single_nat_gateway = true - enable_s3_endpoint = true - enable_dynamodb_endpoint = true - public_subnet_tags = { Name = "overridden-name-public" } @@ -34,4 +38,3 @@ module "vpc" { Name = "vpc-name" } } - diff --git a/examples/simple-vpc/versions.tf b/examples/simple-vpc/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/simple-vpc/versions.tf +++ b/examples/simple-vpc/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } 
diff --git a/examples/vpc-flow-logs/README.md b/examples/vpc-flow-logs/README.md index e75fa7134..d728bd5ba 100644 --- a/examples/vpc-flow-logs/README.md +++ b/examples/vpc-flow-logs/README.md @@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.12.26 | -| [aws](#requirement\_aws) | >= 2.70 | +| [aws](#requirement\_aws) | >= 3.15 | | [random](#requirement\_random) | >= 2 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 2.70 | +| [aws](#provider\_aws) | >= 3.15 | | [random](#provider\_random) | >= 2 | ## Modules diff --git a/examples/vpc-flow-logs/cloud-watch-logs.tf b/examples/vpc-flow-logs/cloud-watch-logs.tf deleted file mode 100644 index 3ceed5b83..000000000 --- a/examples/vpc-flow-logs/cloud-watch-logs.tf +++ /dev/null 
@@ -1,103 +0,0 @@ -########################################################### -# VPC flow logs => Cloudwatch logs (created automatically) -########################################################### -module "vpc_with_flow_logs_cloudwatch_logs_default" { - source = "../../" - - name = "vpc-flow-logs-cloudwatch-logs-default" - - cidr = "10.10.0.0/16" - - azs = ["eu-west-1a"] - public_subnets = ["10.10.101.0/24"] - - # Cloudwatch log group and IAM role will be created - enable_flow_log = true - create_flow_log_cloudwatch_log_group = true - create_flow_log_cloudwatch_iam_role = true - flow_log_max_aggregation_interval = 60 - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-cloudwatch-logs-default" - } -} - -######################################################## -# VPC flow logs => Cloudwatch logs (CloudWatch Log Group and IAM role created separately) -######################################################## -module "vpc_with_flow_logs_cloudwatch_logs" { - source = "../../" - - name = "vpc-flow-logs-cloudwatch-logs" - - cidr = "10.20.0.0/16" - - azs = ["eu-west-1a"] - public_subnets = ["10.20.101.0/24"] - - enable_flow_log = true - flow_log_destination_type = "cloud-watch-logs" - flow_log_destination_arn = aws_cloudwatch_log_group.flow_log.arn - flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-cloudwatch-logs" - } -} - -####################### -# CloudWatch Log group -####################### -resource "aws_cloudwatch_log_group" "flow_log" { - name = local.cloudwatch_log_group_name -} - -########### -# IAM Role -########### -resource "aws_iam_role" "vpc_flow_log_cloudwatch" { - name_prefix = "vpc-flow-log-role-" - assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json -} - -data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" { - statement { - principals { - type = "Service" - identifiers = ["vpc-flow-logs.amazonaws.com"] - } - - effect = "Allow" - - 
actions = ["sts:AssumeRole"] - } -} - -resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" { - role = aws_iam_role.vpc_flow_log_cloudwatch.name - policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch.arn -} - -resource "aws_iam_policy" "vpc_flow_log_cloudwatch" { - name_prefix = "vpc-flow-log-cloudwatch-" - policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch.json -} - -data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" { - statement { - sid = "AWSVPCFlowLogsPushToCloudWatch" - - effect = "Allow" - - actions = [ - "logs:CreateLogGroup", - "logs:CreateLogStream", - "logs:PutLogEvents", - "logs:DescribeLogGroups", - "logs:DescribeLogStreams", - ] - - resources = ["*"] - } -} - diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index 0e915d463..608396f45 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf 
@@ -1,12 +1,170 @@ provider "aws" { - region = "eu-west-1" + region = local.region } locals { + region = "eu-west-1" + s3_bucket_name = "vpc-flow-logs-to-s3-${random_pet.this.id}" cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}" } +################################################################################ +# Supporting Resources +################################################################################ + resource "random_pet" "this" { length = 2 } + +# S3 Bucket +module "s3_bucket" { + source = "terraform-aws-modules/s3-bucket/aws" + version = "~> 1.0" + + bucket = local.s3_bucket_name + policy = data.aws_iam_policy_document.flow_log_s3.json + force_destroy = true + + tags = { + Name = "vpc-flow-logs-s3-bucket" + } +} + +data "aws_iam_policy_document" "flow_log_s3" { + statement { + sid = "AWSLogDeliveryWrite" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = ["s3:PutObject"] + + resources = ["arn:aws:s3:::${local.s3_bucket_name}/AWSLogs/*"] + } + + statement { + sid = "AWSLogDeliveryAclCheck" + + principals { + type = "Service" + identifiers = ["delivery.logs.amazonaws.com"] + } + + actions = ["s3:GetBucketAcl"] + + resources = ["arn:aws:s3:::${local.s3_bucket_name}"] + } +} + +# Cloudwatch logs +resource "aws_cloudwatch_log_group" "flow_log" { + name = local.cloudwatch_log_group_name +} + +resource "aws_iam_role" "vpc_flow_log_cloudwatch" { + name_prefix = "vpc-flow-log-role-" + assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json +} + +data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" { + statement { + principals { + type = "Service" + identifiers = ["vpc-flow-logs.amazonaws.com"] + } + + actions = ["sts:AssumeRole"] + } +} + +resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" { + role = aws_iam_role.vpc_flow_log_cloudwatch.name + policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch.arn +} + +resource 
"aws_iam_policy" "vpc_flow_log_cloudwatch" { + name_prefix = "vpc-flow-log-cloudwatch-" + policy = data.aws_iam_policy_document.vpc_flow_log_cloudwatch.json +} + +data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" { + statement { + sid = "AWSVPCFlowLogsPushToCloudWatch" + + actions = [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogGroups", + "logs:DescribeLogStreams", + ] + + resources = ["*"] + } +} + +################################################################################ +# VPC Module +################################################################################ + +module "vpc_with_flow_logs_s3_bucket" { + source = "../../" + + name = "vpc-flow-logs-s3-bucket" + cidr = "10.30.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.30.101.0/24"] + + enable_flow_log = true + flow_log_destination_type = "s3" + flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-s3-bucket" + } +} + +# CloudWatch Log Group and IAM role created automatically +module "vpc_with_flow_logs_cloudwatch_logs_default" { + source = "../../" + + name = "vpc-flow-logs-cloudwatch-logs-default" + cidr = "10.10.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.10.101.0/24"] + + # Cloudwatch log group and IAM role will be created + enable_flow_log = true + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-cloudwatch-logs-default" + } +} + +# CloudWatch Log Group and IAM role created separately +module "vpc_with_flow_logs_cloudwatch_logs" { + source = "../../" + + name = "vpc-flow-logs-cloudwatch-logs" + cidr = "10.20.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.20.101.0/24"] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + flow_log_destination_arn = 
aws_cloudwatch_log_group.flow_log.arn + flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-cloudwatch-logs" + } +} diff --git a/examples/vpc-flow-logs/s3.tf b/examples/vpc-flow-logs/s3.tf deleted file mode 100644 index fead03f51..000000000 --- a/examples/vpc-flow-logs/s3.tf +++ /dev/null @@ -1,73 +0,0 @@ -############################# -# VPC flow logs => S3 bucket -############################# -module "vpc_with_flow_logs_s3_bucket" { - source = "../../" - - name = "vpc-flow-logs-s3-bucket" - - cidr = "10.30.0.0/16" - - azs = ["eu-west-1a"] - public_subnets = ["10.30.101.0/24"] - - enable_flow_log = true - flow_log_destination_type = "s3" - flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-s3-bucket" - } -} - -############ -# S3 bucket -############ -module "s3_bucket" { - source = "terraform-aws-modules/s3-bucket/aws" - version = "~> 1.0" - - bucket = local.s3_bucket_name - policy = data.aws_iam_policy_document.flow_log_s3.json - force_destroy = true - - tags = { - Name = "vpc-flow-logs-s3-bucket" - } -} - -data "aws_iam_policy_document" "flow_log_s3" { - statement { - sid = "AWSLogDeliveryWrite" - - principals { - type = "Service" - identifiers = ["delivery.logs.amazonaws.com"] - } - - effect = "Allow" - - actions = [ - "s3:PutObject", - ] - - resources = ["arn:aws:s3:::${local.s3_bucket_name}/AWSLogs/*"] - } - - statement { - sid = "AWSLogDeliveryAclCheck" - - principals { - type = "Service" - identifiers = ["delivery.logs.amazonaws.com"] - } - - effect = "Allow" - - actions = [ - "s3:GetBucketAcl", - ] - - resources = ["arn:aws:s3:::${local.s3_bucket_name}"] - } -} diff --git a/examples/vpc-flow-logs/versions.tf b/examples/vpc-flow-logs/versions.tf index 225586b9f..5ea674e1d 100644 --- a/examples/vpc-flow-logs/versions.tf +++ b/examples/vpc-flow-logs/versions.tf 
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } random = { diff --git a/examples/vpc-separate-private-route-tables/README.md b/examples/vpc-separate-private-route-tables/README.md index 898990738..d3578c4d9 100644 --- a/examples/vpc-separate-private-route-tables/README.md +++ b/examples/vpc-separate-private-route-tables/README.md @@ -21,8 +21,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.12.21 | -| [aws](#requirement\_aws) | >= 2.70 | +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | ## Providers diff --git a/examples/vpc-separate-private-route-tables/main.tf b/examples/vpc-separate-private-route-tables/main.tf index 99d996840..b9536fdd2 100644 --- a/examples/vpc-separate-private-route-tables/main.tf +++ b/examples/vpc-separate-private-route-tables/main.tf @@ -1,7 +1,15 @@ provider "aws" { + region = local.region +} + +locals { region = "eu-west-1" } +################################################################################ +# VPC Module +################################################################################ + module "vpc" { source = "../../" @@ -9,7 +17,7 @@ module "vpc" { cidr = "10.10.0.0/16" - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + azs = ["${local.region}a", "${local.region}b", "${local.region}c"] private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"] public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"] database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"] @@ -29,4 +37,3 @@ module "vpc" { Name = "separate-private-route-tables" } } - diff --git a/examples/vpc-separate-private-route-tables/versions.tf b/examples/vpc-separate-private-route-tables/versions.tf index 238ed698b..dc46f697a 100644 
--- a/examples/vpc-separate-private-route-tables/versions.tf +++ b/examples/vpc-separate-private-route-tables/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } diff --git a/main.tf b/main.tf index 6388d4c14..a6d75a83f 100644 --- a/main.tf +++ b/main.tf @@ -16,16 +16,12 @@ locals { ), 0, ) - - vpce_tags = merge( - var.tags, - var.vpc_endpoint_tags, - ) } -###### +################################################################################ # VPC -###### +################################################################################ + resource "aws_vpc" "this" { count = var.create_vpc ? 1 : 0 @@ -98,9 +94,10 @@ resource "aws_default_security_group" "this" { ) } -################### +################################################################################ # DHCP Options Set -################### +################################################################################ + resource "aws_vpc_dhcp_options" "this" { count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 @@ -119,9 +116,6 @@ resource "aws_vpc_dhcp_options" "this" { ) } -############################### -# DHCP Options Set Association -############################### resource "aws_vpc_dhcp_options_association" "this" { count = var.create_vpc && var.enable_dhcp_options ? 1 : 0 @@ -129,9 +123,10 @@ resource "aws_vpc_dhcp_options_association" "this" { dhcp_options_id = aws_vpc_dhcp_options.this[0].id } -################### +################################################################################ # Internet Gateway -################### +################################################################################ + resource "aws_internet_gateway" "this" { count = var.create_vpc && var.create_igw && length(var.public_subnets) > 0 ? 1 : 0 
@@ -160,9 +155,9 @@ resource "aws_egress_only_internet_gateway" "this" { ) } -############### +################################################################################ # Default route -############### +################################################################################ resource "aws_default_route_table" "default" { count = var.create_vpc && var.manage_default_route_table ? 1 : 0 @@ -178,14 +173,13 @@ resource "aws_default_route_table" "default" { ipv6_cidr_block = lookup(route.value, "ipv6_cidr_block", null) # One of the following targets must be provided - egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null) - gateway_id = lookup(route.value, "gateway_id", null) - instance_id = lookup(route.value, "instance_id", null) - nat_gateway_id = lookup(route.value, "nat_gateway_id", null) - network_interface_id = lookup(route.value, "network_interface_id", null) - transit_gateway_id = lookup(route.value, "transit_gateway_id", null) - # `vpc_endpoint_id` was recently added in v3.15.0 - # vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null) + egress_only_gateway_id = lookup(route.value, "egress_only_gateway_id", null) + gateway_id = lookup(route.value, "gateway_id", null) + instance_id = lookup(route.value, "instance_id", null) + nat_gateway_id = lookup(route.value, "nat_gateway_id", null) + network_interface_id = lookup(route.value, "network_interface_id", null) + transit_gateway_id = lookup(route.value, "transit_gateway_id", null) + vpc_endpoint_id = lookup(route.value, "vpc_endpoint_id", null) vpc_peering_connection_id = lookup(route.value, "vpc_peering_connection_id", null) } } 
@@ -197,9 +191,10 @@ resource "aws_default_route_table" "default" { ) } -################ +################################################################################ # Publiс routes -################ +################################################################################ + resource "aws_route_table" "public" { count = var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0 @@ -234,10 +229,11 @@ resource "aws_route" "public_internet_gateway_ipv6" { gateway_id = aws_internet_gateway.this[0].id } -################# +################################################################################ # Private routes # There are as many routing tables as the number of NAT gateways -################# +################################################################################ + resource "aws_route_table" "private" { count = var.create_vpc && local.max_subnet_length > 0 ? local.nat_gateway_count : 0 @@ -256,9 +252,10 @@ resource "aws_route_table" "private" { ) } -################# +################################################################################ # Database routes -################# +################################################################################ + resource "aws_route_table" "database" { count = var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 ? var.single_nat_gateway || var.create_database_internet_gateway_route ? 1 : length(var.database_subnets) : 0 @@ -313,9 +310,10 @@ resource "aws_route" "database_ipv6_egress" { } } -################# +################################################################################ # Redshift routes -################# +################################################################################ + resource "aws_route_table" "redshift" { count = var.create_vpc && var.create_redshift_subnet_route_table && length(var.redshift_subnets) > 0 ? 1 : 0 
@@ -330,9 +328,10 @@ resource "aws_route_table" "redshift" { ) } -################# +################################################################################ # Elasticache routes -################# +################################################################################ + resource "aws_route_table" "elasticache" { count = var.create_vpc && var.create_elasticache_subnet_route_table && length(var.elasticache_subnets) > 0 ? 1 : 0 @@ -347,9 +346,10 @@ resource "aws_route_table" "elasticache" { ) } -################# +################################################################################ # Intra routes -################# +################################################################################ + resource "aws_route_table" "intra" { count = var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0 @@ -364,9 +364,10 @@ resource "aws_route_table" "intra" { ) } -################ +################################################################################ # Public subnet -################ +################################################################################ + resource "aws_subnet" "public" { count = var.create_vpc && length(var.public_subnets) > 0 && (false == var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0 @@ -392,9 +393,10 @@ resource "aws_subnet" "public" { ) } -################# +################################################################################ # Private subnet -################# +################################################################################ + resource "aws_subnet" "private" { count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 
@@ -419,9 +421,10 @@ resource "aws_subnet" "private" { ) } -################# +################################################################################ # Outpost subnet -################# +################################################################################ + resource "aws_subnet" "outpost" { count = var.create_vpc && length(var.outpost_subnets) > 0 ? length(var.outpost_subnets) : 0 @@ -447,9 +450,10 @@ resource "aws_subnet" "outpost" { ) } -################## +################################################################################ # Database subnet -################## +################################################################################ + resource "aws_subnet" "database" { count = var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_subnets) : 0 @@ -490,9 +494,10 @@ resource "aws_db_subnet_group" "database" { ) } -################## +################################################################################ # Redshift subnet -################## +################################################################################ + resource "aws_subnet" "redshift" { count = var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_subnets) : 0 @@ -533,9 +538,10 @@ resource "aws_redshift_subnet_group" "redshift" { ) } -##################### +################################################################################ # ElastiCache subnet -##################### +################################################################################ + resource "aws_subnet" "elasticache" { count = var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_subnets) : 0 
@@ -568,9 +574,10 @@ resource "aws_elasticache_subnet_group" "elasticache" { subnet_ids = aws_subnet.elasticache.*.id } -##################################################### -# intra subnets - private subnet without NAT gateway -##################################################### +################################################################################ +# Intra subnets - private subnet without NAT gateway +################################################################################ + resource "aws_subnet" "intra" { count = var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_subnets) : 0 @@ -595,9 +602,10 @@ resource "aws_subnet" "intra" { ) } -####################### +################################################################################ # Default Network ACLs -####################### +################################################################################ + resource "aws_default_network_acl" "this" { count = var.create_vpc && var.manage_default_network_acl ? 1 : 0 @@ -664,9 +672,10 @@ resource "aws_default_network_acl" "this" { ) } -######################## +################################################################################ # Public Network ACLs -######################## +################################################################################ + resource "aws_network_acl" "public" { count = var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0 
@@ -716,9 +725,10 @@ resource "aws_network_acl_rule" "public_outbound" { ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -####################### +################################################################################ # Private Network ACLs -####################### +################################################################################ + resource "aws_network_acl" "private" { count = var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0 @@ -768,9 +778,10 @@ resource "aws_network_acl_rule" "private_outbound" { ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -####################### +################################################################################ # Outpost Network ACLs -####################### +################################################################################ + resource "aws_network_acl" "outpost" { count = var.create_vpc && var.outpost_dedicated_network_acl && length(var.outpost_subnets) > 0 ? 1 : 0 @@ -820,9 +831,10 @@ resource "aws_network_acl_rule" "outpost_outbound" { ipv6_cidr_block = lookup(var.outpost_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -######################## +################################################################################ # Intra Network ACLs -######################## +################################################################################ + resource "aws_network_acl" "intra" { count = var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0 
@@ -872,9 +884,10 @@ resource "aws_network_acl_rule" "intra_outbound" { ipv6_cidr_block = lookup(var.intra_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -######################## +################################################################################ # Database Network ACLs -######################## +################################################################################ + resource "aws_network_acl" "database" { count = var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0 @@ -924,9 +937,10 @@ resource "aws_network_acl_rule" "database_outbound" { ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -######################## +################################################################################ # Redshift Network ACLs -######################## +################################################################################ + resource "aws_network_acl" "redshift" { count = var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0 @@ -976,9 +990,10 @@ resource "aws_network_acl_rule" "redshift_outbound" { ipv6_cidr_block = lookup(var.redshift_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -########################### +################################################################################ # Elasticache Network ACLs -########################### +################################################################################ + resource "aws_network_acl" "elasticache" { count = var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0 
@@ -1028,9 +1043,10 @@ resource "aws_network_acl_rule" "elasticache_outbound" { ipv6_cidr_block = lookup(var.elasticache_outbound_acl_rules[count.index], "ipv6_cidr_block", null) } -############## +################################################################################ # NAT Gateway -############## +################################################################################ + # Workaround for interpolation not being able to "short-circuit" the evaluation of the conditional branch that doesn't end up being used # Source: https://github.com/hashicorp/terraform/issues/11566#issuecomment-289417805 # @@ -1111,9 +1127,10 @@ resource "aws_route" "private_ipv6_egress" { egress_only_gateway_id = element(aws_egress_only_internet_gateway.this.*.id, 0) } -########################## +################################################################################ # Route table association -########################## +################################################################################ + resource "aws_route_table_association" "private" { count = var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_subnets) : 0 @@ -1191,9 +1208,10 @@ resource "aws_route_table_association" "public" { route_table_id = aws_route_table.public[0].id } -#################### +################################################################################ # Customer Gateways -#################### +################################################################################ + resource "aws_customer_gateway" "this" { for_each = var.customer_gateways @@ -1210,9 +1228,10 @@ resource "aws_customer_gateway" "this" { ) } -############## +################################################################################ # VPN Gateway -############## +################################################################################ + resource "aws_vpn_gateway" "this" { count = var.create_vpc && var.enable_vpn_gateway ? 1 : 0 
@@ -1275,9 +1294,10 @@ resource "aws_vpn_gateway_route_propagation" "intra" { ) } -########### +################################################################################ # Defaults -########### +################################################################################ + resource "aws_default_vpc" "this" { count = var.manage_default_vpc ? 1 : 0 @@ -1293,4 +1313,3 @@ resource "aws_default_vpc" "this" { var.default_vpc_tags, ) } - diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md new file mode 100644 index 000000000..95d101463 --- /dev/null +++ b/modules/vpc-endpoints/README.md 
@@ -0,0 +1,101 @@ +# AWS VPC Endpoints Terraform sub-module + +Terraform sub-module which creates VPC endpoint resources on AWS. + +The following resources are supported: + +- [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) + +## Usage + +See [`examples`](./examples) directory for working examples to reference: + +```hcl +module "endpoints" { + source = "terraform-aws-modules/vpc/aws//vpc-endpoints" + + vpc_id = "vpc-12345678" + security_group_ids = ["sg-12345678"] + + gateway_endpoints = { + s3 = { + service = "s3" + private_dns_enabled = true + route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"] + tags = { Name = "s3-vpc-endpoint" } + }, + dynamodb = { + service = "dynamodb" + route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"] + tags = { Name = "dynamodb-vpc-endpoint" } + } + } + + interface_endpoints = { + sns = { + service = "sns" + subnet_ids = ["subnet-12345678", "subnet-87654321"] + tags = { Name = "sns-vpc-endpoint" } + }, + sqs = { + service = "sqs" + private_dns_enabled = true + security_group_ids = ["sg-987654321"] + subnet_ids = ["subnet-12345678", "subnet-87654321"] + tags = { Name = "sqs-vpc-endpoint" } + }, + } + + tags = { + Owner = "user" + Environment = "dev" + } +} +``` + +## Examples + +- [Complete-VPC](../../examples/complete-vpc) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 0.12.26 | +| [aws](#requirement\_aws) | >= 3.15 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | >= 3.15 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource | +| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no | +| [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no | +| [subnet\_ids](#input\_subnet\_ids) | Default subnets IDs to associate with the VPC endpoints | `list(string)` | `[]` | no | +| [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no | +| [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | `map(string)` | `{}` | no | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [endpoints](#output\_endpoints) | Array containing the full resource object and attributes for all endpoints created | + diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf new file mode 100644 index 000000000..7434687e0 --- /dev/null +++ b/modules/vpc-endpoints/main.tf 
@@ -0,0 +1,38 @@ +################################################################################ +# Endpoint(s) +################################################################################ + +data "aws_vpc_endpoint_service" "this" { + for_each = var.endpoints + + service = lookup(each.value, "service", null) + service_name = lookup(each.value, "service_name", null) + + filter { + name = "service-type" + values = [lookup(each.value, "service_type", "Interface")] + } +} + +resource "aws_vpc_endpoint" "this" { + for_each = var.endpoints + + vpc_id = var.vpc_id + service_name = data.aws_vpc_endpoint_service.this[each.key].service_name + vpc_endpoint_type = lookup(each.value, "service_type", "Interface") + auto_accept = lookup(each.value, "auto_accept", null) + + security_group_ids = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.security_group_ids, lookup(each.value, "security_group_ids", []))) : null + subnet_ids = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.subnet_ids, lookup(each.value, "subnet_ids", []))) : null + route_table_ids = lookup(each.value, "service_type", "Interface") == "Gateway" ? lookup(each.value, "route_table_ids", null) : null + policy = lookup(each.value, "policy", null) + private_dns_enabled = lookup(each.value, "service_type", "Interface") == "Interface" ? lookup(each.value, "private_dns_enabled", null) : null + + tags = merge(var.tags, lookup(each.value, "tags", {})) + + timeouts { + create = lookup(var.timeouts, "create", "10m") + update = lookup(var.timeouts, "update", "10m") + delete = lookup(var.timeouts, "delete", "10m") + } +} diff --git a/modules/vpc-endpoints/outputs.tf b/modules/vpc-endpoints/outputs.tf new file mode 100644 index 000000000..88aa989fa --- /dev/null +++ b/modules/vpc-endpoints/outputs.tf 
@@ -0,0 +1,4 @@ +output "endpoints" { + description = "Array containing the full resource object and attributes for all endpoints created" + value = aws_vpc_endpoint.this +} diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf new file mode 100644 index 000000000..a0dd9cb65 --- /dev/null +++ b/modules/vpc-endpoints/variables.tf @@ -0,0 +1,34 @@ +variable "vpc_id" { + description = "The ID of the VPC in which the endpoint will be used" + type = string +} + +variable "endpoints" { + description = "A map of interface and/or gateway endpoints containing their properties and configurations" + type = any + default = {} +} + +variable "security_group_ids" { + description = "Default security group IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "subnet_ids" { + description = "Default subnets IDs to associate with the VPC endpoints" + type = list(string) + default = [] +} + +variable "tags" { + description = "A map of tags to use on all resources" + type = map(string) + default = {} +} + +variable "timeouts" { + description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources" + type = map(string) + default = {} +} diff --git a/examples/issue-46-no-private-subnets/versions.tf b/modules/vpc-endpoints/versions.tf similarity index 60% rename from examples/issue-46-no-private-subnets/versions.tf rename to modules/vpc-endpoints/versions.tf index 238ed698b..dc46f697a 100644 --- a/examples/issue-46-no-private-subnets/versions.tf +++ b/modules/vpc-endpoints/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } diff --git a/outputs.tf b/outputs.tf index a6e3a68dc..aa9866039 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -380,11 +380,7 @@ output "this_customer_gateway" { output "vgw_id" { description = "The ID of the VPN Gateway" - value = concat( - aws_vpn_gateway.this.*.id, - aws_vpn_gateway_attachment.this.*.vpn_gateway_id, - [""], - )[0] + value = concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, [""])[0] } output "vgw_arn" { 
@@ -512,966 +508,6 @@ output "elasticache_network_acl_arn" { value = concat(aws_network_acl.elasticache.*.arn, [""])[0] } -# VPC Endpoints -output "vpc_endpoint_s3_id" { - description = "The ID of VPC endpoint for S3" - value = concat(aws_vpc_endpoint.s3.*.id, [""])[0] -} - -output "vpc_endpoint_s3_pl_id" { - description = "The prefix list for the S3 VPC endpoint." - value = concat(aws_vpc_endpoint.s3.*.prefix_list_id, [""])[0] -} - -output "vpc_endpoint_dynamodb_id" { - description = "The ID of VPC endpoint for DynamoDB" - value = concat(aws_vpc_endpoint.dynamodb.*.id, [""])[0] -} - -output "vpc_endpoint_dynamodb_pl_id" { - description = "The prefix list for the DynamoDB VPC endpoint." - value = concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, [""])[0] -} - -output "vpc_endpoint_sqs_id" { - description = "The ID of VPC endpoint for SQS" - value = concat(aws_vpc_endpoint.sqs.*.id, [""])[0] -} - -output "vpc_endpoint_sqs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SQS." - value = flatten(aws_vpc_endpoint.sqs.*.network_interface_ids) -} - -output "vpc_endpoint_sqs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SQS." - value = flatten(aws_vpc_endpoint.sqs.*.dns_entry) -} - -output "vpc_endpoint_lambda_id" { - description = "The ID of VPC endpoint for Lambda" - value = concat(aws_vpc_endpoint.lambda.*.id, [""])[0] -} - -output "vpc_endpoint_lambda_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Lambda." - value = flatten(aws_vpc_endpoint.lambda.*.network_interface_ids) -} - -output "vpc_endpoint_lambda_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Lambda." 
- value = flatten(aws_vpc_endpoint.lambda.*.dns_entry) -} - -output "vpc_endpoint_codebuild_id" { - description = "The ID of VPC endpoint for codebuild" - value = concat(aws_vpc_endpoint.codebuild.*.id, [""])[0] -} - -output "vpc_endpoint_codebuild_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for codebuild." - value = flatten(aws_vpc_endpoint.codebuild.*.network_interface_ids) -} - -output "vpc_endpoint_codebuild_dns_entry" { - description = "The DNS entries for the VPC Endpoint for codebuild." - value = flatten(aws_vpc_endpoint.codebuild.*.dns_entry) -} - -output "vpc_endpoint_codecommit_id" { - description = "The ID of VPC endpoint for codecommit" - value = concat(aws_vpc_endpoint.codecommit.*.id, [""])[0] -} - -output "vpc_endpoint_codecommit_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for codecommit." - value = flatten(aws_vpc_endpoint.codecommit.*.network_interface_ids) -} - -output "vpc_endpoint_codecommit_dns_entry" { - description = "The DNS entries for the VPC Endpoint for codecommit." - value = flatten(aws_vpc_endpoint.codecommit.*.dns_entry) -} - -output "vpc_endpoint_git_codecommit_id" { - description = "The ID of VPC endpoint for git_codecommit" - value = concat(aws_vpc_endpoint.git_codecommit.*.id, [""])[0] -} - -output "vpc_endpoint_git_codecommit_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for git_codecommit." - value = flatten(aws_vpc_endpoint.git_codecommit.*.network_interface_ids) -} - -output "vpc_endpoint_git_codecommit_dns_entry" { - description = "The DNS entries for the VPC Endpoint for git_codecommit." 
- value = flatten(aws_vpc_endpoint.git_codecommit.*.dns_entry) -} - -output "vpc_endpoint_config_id" { - description = "The ID of VPC endpoint for config" - value = concat(aws_vpc_endpoint.config.*.id, [""])[0] -} - -output "vpc_endpoint_config_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for config." - value = flatten(aws_vpc_endpoint.config.*.network_interface_ids) -} - -output "vpc_endpoint_config_dns_entry" { - description = "The DNS entries for the VPC Endpoint for config." - value = flatten(aws_vpc_endpoint.config.*.dns_entry) -} - -output "vpc_endpoint_secretsmanager_id" { - description = "The ID of VPC endpoint for secretsmanager" - value = concat(aws_vpc_endpoint.secretsmanager.*.id, [""])[0] -} - -output "vpc_endpoint_secretsmanager_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for secretsmanager." - value = flatten(aws_vpc_endpoint.secretsmanager.*.network_interface_ids) -} - -output "vpc_endpoint_secretsmanager_dns_entry" { - description = "The DNS entries for the VPC Endpoint for secretsmanager." - value = flatten(aws_vpc_endpoint.secretsmanager.*.dns_entry) -} - -output "vpc_endpoint_ssm_id" { - description = "The ID of VPC endpoint for SSM" - value = concat(aws_vpc_endpoint.ssm.*.id, [""])[0] -} - -output "vpc_endpoint_ssm_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SSM." - value = flatten(aws_vpc_endpoint.ssm.*.network_interface_ids) -} - -output "vpc_endpoint_ssm_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SSM." - value = flatten(aws_vpc_endpoint.ssm.*.dns_entry) -} - -output "vpc_endpoint_ssmmessages_id" { - description = "The ID of VPC endpoint for SSMMESSAGES" - value = concat(aws_vpc_endpoint.ssmmessages.*.id, [""])[0] -} - -output "vpc_endpoint_ssmmessages_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES." 
- value = flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids) -} - -output "vpc_endpoint_ssmmessages_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SSMMESSAGES." - value = flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry) -} - -output "vpc_endpoint_ec2_id" { - description = "The ID of VPC endpoint for EC2" - value = concat(aws_vpc_endpoint.ec2.*.id, [""])[0] -} - -output "vpc_endpoint_ec2_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EC2" - value = flatten(aws_vpc_endpoint.ec2.*.network_interface_ids) -} - -output "vpc_endpoint_ec2_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EC2." - value = flatten(aws_vpc_endpoint.ec2.*.dns_entry) -} - -output "vpc_endpoint_ec2messages_id" { - description = "The ID of VPC endpoint for EC2MESSAGES" - value = concat(aws_vpc_endpoint.ec2messages.*.id, [""])[0] -} - -output "vpc_endpoint_ec2messages_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES" - value = flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids) -} - -output "vpc_endpoint_ec2messages_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EC2MESSAGES." - value = flatten(aws_vpc_endpoint.ec2messages.*.dns_entry) -} - -output "vpc_endpoint_ec2_autoscaling_id" { - description = "The ID of VPC endpoint for EC2 Autoscaling" - value = concat(aws_vpc_endpoint.ec2_autoscaling.*.id, [""])[0] -} - -output "vpc_endpoint_ec2_autoscaling_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EC2 Autoscaling" - value = flatten(aws_vpc_endpoint.ec2_autoscaling.*.network_interface_ids) -} - -output "vpc_endpoint_ec2_autoscaling_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EC2 Autoscaling." 
- value = flatten(aws_vpc_endpoint.ec2_autoscaling.*.dns_entry) -} - -output "vpc_endpoint_transferserver_id" { - description = "The ID of VPC endpoint for transferserver" - value = concat(aws_vpc_endpoint.transferserver.*.id, [""])[0] -} - -output "vpc_endpoint_transferserver_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for transferserver" - value = flatten(aws_vpc_endpoint.transferserver.*.network_interface_ids) -} - -output "vpc_endpoint_transferserver_dns_entry" { - description = "The DNS entries for the VPC Endpoint for transferserver." - value = flatten(aws_vpc_endpoint.transferserver.*.dns_entry) -} - -output "vpc_endpoint_glue_id" { - description = "The ID of VPC endpoint for Glue" - value = concat(aws_vpc_endpoint.glue.*.id, [""])[0] -} - -output "vpc_endpoint_glue_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Glue." - value = flatten(aws_vpc_endpoint.glue.*.network_interface_ids) -} - -output "vpc_endpoint_glue_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Glue." - value = flatten(aws_vpc_endpoint.glue.*.dns_entry) -} - -output "vpc_endpoint_kms_id" { - description = "The ID of VPC endpoint for KMS" - value = concat(aws_vpc_endpoint.kms.*.id, [""])[0] -} - -output "vpc_endpoint_kms_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for KMS." - value = flatten(aws_vpc_endpoint.kms.*.network_interface_ids) -} - -output "vpc_endpoint_kms_dns_entry" { - description = "The DNS entries for the VPC Endpoint for KMS." 
- value = flatten(aws_vpc_endpoint.kms.*.dns_entry) -} - -output "vpc_endpoint_kinesis_firehose_id" { - description = "The ID of VPC endpoint for Kinesis Firehose" - value = concat(aws_vpc_endpoint.kinesis_firehose.*.id, [""])[0] -} - -output "vpc_endpoint_kinesis_firehose_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Kinesis Firehose." - value = flatten(aws_vpc_endpoint.kinesis_firehose.*.network_interface_ids) -} - -output "vpc_endpoint_kinesis_firehose_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Kinesis Firehose." - value = flatten(aws_vpc_endpoint.kinesis_firehose.*.dns_entry) -} - -output "vpc_endpoint_kinesis_streams_id" { - description = "The ID of VPC endpoint for Kinesis Streams" - value = concat(aws_vpc_endpoint.kinesis_streams.*.id, [""])[0] -} - -output "vpc_endpoint_kinesis_streams_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Kinesis Streams." - value = flatten(aws_vpc_endpoint.kinesis_streams.*.network_interface_ids) -} - -output "vpc_endpoint_kinesis_streams_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Kinesis Streams." - value = flatten(aws_vpc_endpoint.kinesis_streams.*.dns_entry) -} - -output "vpc_endpoint_ecr_api_id" { - description = "The ID of VPC endpoint for ECR API" - value = concat(aws_vpc_endpoint.ecr_api.*.id, [""])[0] -} - -output "vpc_endpoint_ecr_api_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECR API." - value = flatten(aws_vpc_endpoint.ecr_api.*.network_interface_ids) -} - -output "vpc_endpoint_ecr_api_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECR API." 
- value = flatten(aws_vpc_endpoint.ecr_api.*.dns_entry) -} - -output "vpc_endpoint_ecr_dkr_id" { - description = "The ID of VPC endpoint for ECR DKR" - value = concat(aws_vpc_endpoint.ecr_dkr.*.id, [""])[0] -} - -output "vpc_endpoint_ecr_dkr_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECR DKR." - value = flatten(aws_vpc_endpoint.ecr_dkr.*.network_interface_ids) -} - -output "vpc_endpoint_ecr_dkr_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECR DKR." - value = flatten(aws_vpc_endpoint.ecr_dkr.*.dns_entry) -} - -output "vpc_endpoint_apigw_id" { - description = "The ID of VPC endpoint for APIGW" - value = concat(aws_vpc_endpoint.apigw.*.id, [""])[0] -} - -output "vpc_endpoint_apigw_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for APIGW." - value = flatten(aws_vpc_endpoint.apigw.*.network_interface_ids) -} - -output "vpc_endpoint_apigw_dns_entry" { - description = "The DNS entries for the VPC Endpoint for APIGW." - value = flatten(aws_vpc_endpoint.apigw.*.dns_entry) -} - -output "vpc_endpoint_ecs_id" { - description = "The ID of VPC endpoint for ECS" - value = concat(aws_vpc_endpoint.ecs.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS." - value = flatten(aws_vpc_endpoint.ecs.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS." - value = flatten(aws_vpc_endpoint.ecs.*.dns_entry) -} - -output "vpc_endpoint_ecs_agent_id" { - description = "The ID of VPC endpoint for ECS Agent" - value = concat(aws_vpc_endpoint.ecs_agent.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_agent_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS Agent." 
- value = flatten(aws_vpc_endpoint.ecs_agent.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_agent_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS Agent." - value = flatten(aws_vpc_endpoint.ecs_agent.*.dns_entry) -} - -output "vpc_endpoint_ecs_telemetry_id" { - description = "The ID of VPC endpoint for ECS Telemetry" - value = concat(aws_vpc_endpoint.ecs_telemetry.*.id, [""])[0] -} - -output "vpc_endpoint_ecs_telemetry_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ECS Telemetry." - value = flatten(aws_vpc_endpoint.ecs_telemetry.*.network_interface_ids) -} - -output "vpc_endpoint_ecs_telemetry_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ECS Telemetry." - value = flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry) -} - -output "vpc_endpoint_sns_id" { - description = "The ID of VPC endpoint for SNS" - value = concat(aws_vpc_endpoint.sns.*.id, [""])[0] -} - -output "vpc_endpoint_sns_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SNS." - value = flatten(aws_vpc_endpoint.sns.*.network_interface_ids) -} - -output "vpc_endpoint_sns_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SNS." - value = flatten(aws_vpc_endpoint.sns.*.dns_entry) -} - -output "vpc_endpoint_monitoring_id" { - description = "The ID of VPC endpoint for CloudWatch Monitoring" - value = concat(aws_vpc_endpoint.monitoring.*.id, [""])[0] -} - -output "vpc_endpoint_monitoring_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring." - value = flatten(aws_vpc_endpoint.monitoring.*.network_interface_ids) -} - -output "vpc_endpoint_monitoring_dns_entry" { - description = "The DNS entries for the VPC Endpoint for CloudWatch Monitoring." 
- value = flatten(aws_vpc_endpoint.monitoring.*.dns_entry) -} - -output "vpc_endpoint_logs_id" { - description = "The ID of VPC endpoint for CloudWatch Logs" - value = concat(aws_vpc_endpoint.logs.*.id, [""])[0] -} - -output "vpc_endpoint_logs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for CloudWatch Logs." - value = flatten(aws_vpc_endpoint.logs.*.network_interface_ids) -} - -output "vpc_endpoint_logs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for CloudWatch Logs." - value = flatten(aws_vpc_endpoint.logs.*.dns_entry) -} - -output "vpc_endpoint_events_id" { - description = "The ID of VPC endpoint for CloudWatch Events" - value = concat(aws_vpc_endpoint.events.*.id, [""])[0] -} - -output "vpc_endpoint_events_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for CloudWatch Events." - value = flatten(aws_vpc_endpoint.events.*.network_interface_ids) -} - -output "vpc_endpoint_events_dns_entry" { - description = "The DNS entries for the VPC Endpoint for CloudWatch Events." - value = flatten(aws_vpc_endpoint.events.*.dns_entry) -} - -output "vpc_endpoint_elasticloadbalancing_id" { - description = "The ID of VPC endpoint for Elastic Load Balancing" - value = concat(aws_vpc_endpoint.elasticloadbalancing.*.id, [""])[0] -} - -output "vpc_endpoint_elasticloadbalancing_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Elastic Load Balancing." - value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.network_interface_ids) -} - -output "vpc_endpoint_elasticloadbalancing_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Elastic Load Balancing." 
- value = flatten(aws_vpc_endpoint.elasticloadbalancing.*.dns_entry) -} - -output "vpc_endpoint_cloudtrail_id" { - description = "The ID of VPC endpoint for CloudTrail" - value = concat(aws_vpc_endpoint.cloudtrail.*.id, [""])[0] -} - -output "vpc_endpoint_cloudtrail_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for CloudTrail." - value = flatten(aws_vpc_endpoint.cloudtrail.*.network_interface_ids) -} - -output "vpc_endpoint_cloudtrail_dns_entry" { - description = "The DNS entries for the VPC Endpoint for CloudTrail." - value = flatten(aws_vpc_endpoint.cloudtrail.*.dns_entry) -} - -output "vpc_endpoint_sts_id" { - description = "The ID of VPC endpoint for STS" - value = concat(aws_vpc_endpoint.sts.*.id, [""])[0] -} - -output "vpc_endpoint_sts_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for STS." - value = flatten(aws_vpc_endpoint.sts.*.network_interface_ids) -} - -output "vpc_endpoint_sts_dns_entry" { - description = "The DNS entries for the VPC Endpoint for STS." - value = flatten(aws_vpc_endpoint.sts.*.dns_entry) -} - -output "vpc_endpoint_cloudformation_id" { - description = "The ID of VPC endpoint for Cloudformation" - value = concat(aws_vpc_endpoint.cloudformation.*.id, [""])[0] -} - -output "vpc_endpoint_cloudformation_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Cloudformation." - value = flatten(aws_vpc_endpoint.cloudformation.*.network_interface_ids) -} - -output "vpc_endpoint_cloudformation_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Cloudformation." 
- value = flatten(aws_vpc_endpoint.cloudformation.*.dns_entry) -} -output "vpc_endpoint_codepipeline_id" { - description = "The ID of VPC endpoint for CodePipeline" - value = concat(aws_vpc_endpoint.codepipeline.*.id, [""])[0] -} - -output "vpc_endpoint_codepipeline_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for CodePipeline." - value = flatten(aws_vpc_endpoint.codepipeline.*.network_interface_ids) -} - -output "vpc_endpoint_codepipeline_dns_entry" { - description = "The DNS entries for the VPC Endpoint for CodePipeline." - value = flatten(aws_vpc_endpoint.codepipeline.*.dns_entry) -} -output "vpc_endpoint_appmesh_envoy_management_id" { - description = "The ID of VPC endpoint for AppMesh" - value = concat(aws_vpc_endpoint.appmesh_envoy_management.*.id, [""])[0] -} - -output "vpc_endpoint_appmesh_envoy_management_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for AppMesh." - value = flatten(aws_vpc_endpoint.appmesh_envoy_management.*.network_interface_ids) -} - -output "vpc_endpoint_appmesh_envoy_management_dns_entry" { - description = "The DNS entries for the VPC Endpoint for AppMesh." - value = flatten(aws_vpc_endpoint.appmesh_envoy_management.*.dns_entry) -} -output "vpc_endpoint_servicecatalog_id" { - description = "The ID of VPC endpoint for Service Catalog" - value = concat(aws_vpc_endpoint.servicecatalog.*.id, [""])[0] -} - -output "vpc_endpoint_servicecatalog_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Service Catalog." - value = flatten(aws_vpc_endpoint.servicecatalog.*.network_interface_ids) -} - -output "vpc_endpoint_servicecatalog_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Service Catalog." 
- value = flatten(aws_vpc_endpoint.servicecatalog.*.dns_entry) -} -output "vpc_endpoint_storagegateway_id" { - description = "The ID of VPC endpoint for Storage Gateway" - value = concat(aws_vpc_endpoint.storagegateway.*.id, [""])[0] -} - -output "vpc_endpoint_storagegateway_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Storage Gateway." - value = flatten(aws_vpc_endpoint.storagegateway.*.network_interface_ids) -} - -output "vpc_endpoint_storagegateway_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Storage Gateway." - value = flatten(aws_vpc_endpoint.storagegateway.*.dns_entry) -} -output "vpc_endpoint_transfer_id" { - description = "The ID of VPC endpoint for Transfer" - value = concat(aws_vpc_endpoint.transfer.*.id, [""])[0] -} - -output "vpc_endpoint_transfer_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Transfer." - value = flatten(aws_vpc_endpoint.transfer.*.network_interface_ids) -} - -output "vpc_endpoint_transfer_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Transfer." - value = flatten(aws_vpc_endpoint.transfer.*.dns_entry) -} -output "vpc_endpoint_sagemaker_api_id" { - description = "The ID of VPC endpoint for SageMaker API" - value = concat(aws_vpc_endpoint.sagemaker_api.*.id, [""])[0] -} - -output "vpc_endpoint_sagemaker_api_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SageMaker API." - value = flatten(aws_vpc_endpoint.sagemaker_api.*.network_interface_ids) -} - -output "vpc_endpoint_sagemaker_api_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SageMaker API." 
- value = flatten(aws_vpc_endpoint.sagemaker_api.*.dns_entry) -} - -output "vpc_endpoint_sagemaker_runtime_id" { - description = "The ID of VPC endpoint for SageMaker Runtime" - value = concat(aws_vpc_endpoint.sagemaker_runtime.*.id, [""])[0] -} - -output "vpc_endpoint_sagemaker_runtime_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SageMaker Runtime." - value = flatten(aws_vpc_endpoint.sagemaker_runtime.*.network_interface_ids) -} - -output "vpc_endpoint_sagemaker_runtime_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SageMaker Runtime." - value = flatten(aws_vpc_endpoint.sagemaker_runtime.*.dns_entry) -} - -output "vpc_endpoint_appstream_api_id" { - description = "The ID of VPC endpoint for AppStream API" - value = concat(aws_vpc_endpoint.appstream_api.*.id, [""])[0] -} - -output "vpc_endpoint_appstream_api_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for AppStream API." - value = flatten(aws_vpc_endpoint.appstream_api.*.network_interface_ids) -} - -output "vpc_endpoint_appstream_api_dns_entry" { - description = "The DNS entries for the VPC Endpoint for AppStream API." - value = flatten(aws_vpc_endpoint.appstream_api.*.dns_entry) -} - -output "vpc_endpoint_appstream_streaming_id" { - description = "The ID of VPC endpoint for AppStream Streaming" - value = concat(aws_vpc_endpoint.appstream_streaming.*.id, [""])[0] -} - -output "vpc_endpoint_appstream_streaming_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for AppStream Streaming." - value = flatten(aws_vpc_endpoint.appstream_streaming.*.network_interface_ids) -} - -output "vpc_endpoint_appstream_streaming_dns_entry" { - description = "The DNS entries for the VPC Endpoint for AppStream Streaming." 
- value = flatten(aws_vpc_endpoint.appstream_streaming.*.dns_entry) -} - -output "vpc_endpoint_athena_id" { - description = "The ID of VPC endpoint for Athena" - value = concat(aws_vpc_endpoint.athena.*.id, [""])[0] -} - -output "vpc_endpoint_athena_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Athena." - value = flatten(aws_vpc_endpoint.athena.*.network_interface_ids) -} - -output "vpc_endpoint_athena_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Athena." - value = flatten(aws_vpc_endpoint.athena.*.dns_entry) -} - -output "vpc_endpoint_rekognition_id" { - description = "The ID of VPC endpoint for Rekognition" - value = concat(aws_vpc_endpoint.rekognition.*.id, [""])[0] -} - -output "vpc_endpoint_rekognition_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Rekognition." - value = flatten(aws_vpc_endpoint.rekognition.*.network_interface_ids) -} - -output "vpc_endpoint_rekognition_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Rekognition." - value = flatten(aws_vpc_endpoint.rekognition.*.dns_entry) -} - -output "vpc_endpoint_efs_id" { - description = "The ID of VPC endpoint for EFS" - value = concat(aws_vpc_endpoint.efs.*.id, [""])[0] -} - -output "vpc_endpoint_efs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EFS." - value = flatten(aws_vpc_endpoint.efs.*.network_interface_ids) -} - -output "vpc_endpoint_efs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EFS." - value = flatten(aws_vpc_endpoint.efs.*.dns_entry) -} - -output "vpc_endpoint_cloud_directory_id" { - description = "The ID of VPC endpoint for Cloud Directory" - value = concat(aws_vpc_endpoint.cloud_directory.*.id, [""])[0] -} - -output "vpc_endpoint_cloud_directory_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Cloud Directory." 
- value = flatten(aws_vpc_endpoint.cloud_directory.*.network_interface_ids) -} - -output "vpc_endpoint_cloud_directory_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Cloud Directory." - value = flatten(aws_vpc_endpoint.cloud_directory.*.dns_entry) -} - -output "vpc_endpoint_elasticmapreduce_id" { - description = "The ID of VPC endpoint for EMR" - value = concat(aws_vpc_endpoint.emr.*.id, [""])[0] -} - -output "vpc_endpoint_elasticmapreduce_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EMR." - value = flatten(aws_vpc_endpoint.emr.*.network_interface_ids) -} - -output "vpc_endpoint_elasticmapreduce_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EMR." - value = flatten(aws_vpc_endpoint.emr.*.dns_entry) -} - -output "vpc_endpoint_sms_id" { - description = "The ID of VPC endpoint for SMS" - value = concat(aws_vpc_endpoint.sms.*.id, [""])[0] -} - -output "vpc_endpoint_sms_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SMS." - value = flatten(aws_vpc_endpoint.sms.*.network_interface_ids) -} - -output "vpc_endpoint_sms_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SMS." - value = flatten(aws_vpc_endpoint.sms.*.dns_entry) -} - -output "vpc_endpoint_states_id" { - description = "The ID of VPC endpoint for Step Function" - value = concat(aws_vpc_endpoint.states.*.id, [""])[0] -} - -output "vpc_endpoint_states_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Step Function." - value = flatten(aws_vpc_endpoint.states.*.network_interface_ids) -} - -output "vpc_endpoint_states_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Step Function." 
- value = flatten(aws_vpc_endpoint.states.*.dns_entry) -} - -output "vpc_endpoint_elastic_inference_runtime_id" { - description = "The ID of VPC endpoint for Elastic Inference Runtime" - value = concat(aws_vpc_endpoint.elastic_inference_runtime.*.id, [""])[0] -} - -output "vpc_endpoint_elastic_inference_runtime_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Elastic Inference Runtime." - value = flatten(aws_vpc_endpoint.elastic_inference_runtime.*.network_interface_ids) -} - -output "vpc_endpoint_elastic_inference_runtime_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Elastic Inference Runtime." - value = flatten(aws_vpc_endpoint.elastic_inference_runtime.*.dns_entry) -} - -output "vpc_endpoint_elasticbeanstalk_id" { - description = "The ID of VPC endpoint for Elastic Beanstalk" - value = concat(aws_vpc_endpoint.elasticbeanstalk.*.id, [""])[0] -} - -output "vpc_endpoint_elasticbeanstalk_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Elastic Beanstalk." - value = flatten(aws_vpc_endpoint.elasticbeanstalk.*.network_interface_ids) -} - -output "vpc_endpoint_elasticbeanstalk_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Elastic Beanstalk." - value = flatten(aws_vpc_endpoint.elasticbeanstalk.*.dns_entry) -} - -output "vpc_endpoint_elasticbeanstalk_health_id" { - description = "The ID of VPC endpoint for Elastic Beanstalk Health" - value = concat(aws_vpc_endpoint.elasticbeanstalk_health.*.id, [""])[0] -} - -output "vpc_endpoint_elasticbeanstalk_health_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Elastic Beanstalk Health." - value = flatten(aws_vpc_endpoint.elasticbeanstalk_health.*.network_interface_ids) -} - -output "vpc_endpoint_elasticbeanstalk_health_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Elastic Beanstalk Health." 
- value = flatten(aws_vpc_endpoint.elasticbeanstalk_health.*.dns_entry) -} - -output "vpc_endpoint_workspaces_id" { - description = "The ID of VPC endpoint for Workspaces" - value = concat(aws_vpc_endpoint.workspaces.*.id, [""])[0] -} - -output "vpc_endpoint_workspaces_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Workspaces." - value = flatten(aws_vpc_endpoint.workspaces.*.network_interface_ids) -} - -output "vpc_endpoint_workspaces_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Workspaces." - value = flatten(aws_vpc_endpoint.workspaces.*.dns_entry) -} - -output "vpc_endpoint_auto_scaling_plans_id" { - description = "The ID of VPC endpoint for Auto Scaling Plans" - value = concat(aws_vpc_endpoint.auto_scaling_plans.*.id, [""])[0] -} - -output "vpc_endpoint_auto_scaling_plans_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Auto Scaling Plans." - value = flatten(aws_vpc_endpoint.auto_scaling_plans.*.network_interface_ids) -} - -output "vpc_endpoint_auto_scaling_plans_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Auto Scaling Plans." - value = flatten(aws_vpc_endpoint.auto_scaling_plans.*.dns_entry) -} - -output "vpc_endpoint_ebs_id" { - description = "The ID of VPC endpoint for EBS" - value = concat(aws_vpc_endpoint.ebs.*.id, [""])[0] -} - -output "vpc_endpoint_ebs_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for EBS." - value = flatten(aws_vpc_endpoint.ebs.*.network_interface_ids) -} - -output "vpc_endpoint_ebs_dns_entry" { - description = "The DNS entries for the VPC Endpoint for EBS." 
- value = flatten(aws_vpc_endpoint.ebs.*.dns_entry) -} - -output "vpc_endpoint_qldb_session_id" { - description = "The ID of VPC endpoint for QLDB Session" - value = concat(aws_vpc_endpoint.qldb_session.*.id, [""])[0] -} - -output "vpc_endpoint_qldb_session_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for QLDB Session." - value = flatten(aws_vpc_endpoint.qldb_session.*.network_interface_ids) -} - -output "vpc_endpoint_qldb_session_dns_entry" { - description = "The DNS entries for the VPC Endpoint for QLDB Session." - value = flatten(aws_vpc_endpoint.qldb_session.*.dns_entry) -} - -output "vpc_endpoint_datasync_id" { - description = "The ID of VPC endpoint for DataSync" - value = concat(aws_vpc_endpoint.datasync.*.id, [""])[0] -} - -output "vpc_endpoint_datasync_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for DataSync." - value = flatten(aws_vpc_endpoint.datasync.*.network_interface_ids) -} - -output "vpc_endpoint_datasync_dns_entry" { - description = "The DNS entries for the VPC Endpoint for DataSync." - value = flatten(aws_vpc_endpoint.datasync.*.dns_entry) -} - -output "vpc_endpoint_access_analyzer_id" { - description = "The ID of VPC endpoint for Access Analyzer" - value = concat(aws_vpc_endpoint.access_analyzer.*.id, [""])[0] -} - -output "vpc_endpoint_access_analyzer_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Access Analyzer." - value = flatten(aws_vpc_endpoint.access_analyzer.*.network_interface_ids) -} - -output "vpc_endpoint_access_analyzer_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Access Analyzer." 
- value = flatten(aws_vpc_endpoint.access_analyzer.*.dns_entry) -} - -output "vpc_endpoint_acm_pca_id" { - description = "The ID of VPC endpoint for ACM PCA" - value = concat(aws_vpc_endpoint.acm_pca.*.id, [""])[0] -} - -output "vpc_endpoint_acm_pca_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for ACM PCA." - value = flatten(aws_vpc_endpoint.acm_pca.*.network_interface_ids) -} - -output "vpc_endpoint_acm_pca_dns_entry" { - description = "The DNS entries for the VPC Endpoint for ACM PCA." - value = flatten(aws_vpc_endpoint.acm_pca.*.dns_entry) -} - -output "vpc_endpoint_ses_id" { - description = "The ID of VPC endpoint for SES" - value = concat(aws_vpc_endpoint.ses.*.id, [""])[0] -} - -output "vpc_endpoint_ses_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for SES." - value = flatten(aws_vpc_endpoint.ses.*.network_interface_ids) -} - -output "vpc_endpoint_ses_dns_entry" { - description = "The DNS entries for the VPC Endpoint for SES." - value = flatten(aws_vpc_endpoint.ses.*.dns_entry) -} - -output "vpc_endpoint_textract_id" { - description = "The ID of VPC endpoint for Textract" - value = concat(aws_vpc_endpoint.textract.*.id, [""])[0] -} - -output "vpc_endpoint_textract_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Textract." - value = flatten(aws_vpc_endpoint.textract.*.network_interface_ids) -} - -output "vpc_endpoint_textract_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Textract." - value = flatten(aws_vpc_endpoint.textract.*.dns_entry) -} - -output "vpc_endpoint_codeartifact_api_id" { - description = "The ID of VPC endpoint for Codeartifact API" - value = concat(aws_vpc_endpoint.codeartifact_api.*.id, [""])[0] -} - -output "vpc_endpoint_codeartifact_api_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Codeartifact API." 
- value = flatten(aws_vpc_endpoint.codeartifact_api.*.network_interface_ids) -} - -output "vpc_endpoint_codeartifact_api_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Codeartifact API." - value = flatten(aws_vpc_endpoint.codeartifact_api.*.dns_entry) -} - -output "vpc_endpoint_codeartifact_repositories_id" { - description = "The ID of VPC endpoint for Codeartifact repositories" - value = concat(aws_vpc_endpoint.codeartifact_repositories.*.id, [""])[0] -} - -output "vpc_endpoint_codeartifact_repositories_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for Codeartifact repositories." - value = flatten(aws_vpc_endpoint.codeartifact_repositories.*.network_interface_ids) -} - -output "vpc_endpoint_codeartifact_repositories_dns_entry" { - description = "The DNS entries for the VPC Endpoint for Codeartifact repositories." - value = flatten(aws_vpc_endpoint.codeartifact_repositories.*.dns_entry) -} - -output "vpc_endpoint_dms_id" { - description = "The ID of VPC endpoint for DMS" - value = concat(aws_vpc_endpoint.sns.*.id, [""])[0] -} - -output "vpc_endpoint_dms_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for DMS." - value = flatten(aws_vpc_endpoint.sns.*.network_interface_ids) -} - -output "vpc_endpoint_dms_dns_entry" { - description = "The DNS entries for the VPC Endpoint for DMS." - value = flatten(aws_vpc_endpoint.sns.*.dns_entry) -} - -output "vpc_endpoint_rds_id" { - description = "The ID of VPC endpoint for RDS" - value = concat(aws_vpc_endpoint.rds.*.id, [""])[0] -} - -output "vpc_endpoint_rds_network_interface_ids" { - description = "One or more network interfaces for the VPC Endpoint for RDS." - value = flatten(aws_vpc_endpoint.rds.*.network_interface_ids) -} - -output "vpc_endpoint_rds_dns_entry" { - description = "The DNS entries for the VPC Endpoint for RDS." 
- value = flatten(aws_vpc_endpoint.rds.*.dns_entry) -} - # VPC flow log output "vpc_flow_log_id" { description = "The ID of the Flow Log resource" diff --git a/variables.tf b/variables.tf index f23e60790..9754193ca 100644 --- a/variables.tf +++ b/variables.tf 
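Review bot: the removed `vpc_endpoint_dms_id`, `vpc_endpoint_dms_network_interface_ids` and `vpc_endpoint_dms_dns_entry` outputs read `aws_vpc_endpoint.sns.*.id`, `aws_vpc_endpoint.sns.*.network_interface_ids` and `aws_vpc_endpoint.sns.*.dns_entry` rather than a `dms` resource, so anyone who wired those outputs into security group rules, route tables or private DNS records was referencing the SNS endpoint, not DMS. Since this refactor deletes them rather than fixing them, the upgrade notes should mention the mis-wiring explicitly so users re-check what their `dms` references actually pointed at, and the replacement sub-module's `for_each`-keyed outputs deserve a test asserting that each key's `id`, `network_interface_ids` and `dns_entry` come from the resource instance of the same key, so this class of copy-paste drift cannot recur across dozens of near-identical blocks.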
@@ -328,1861 +328,6 @@ variable "external_nat_ips" { default = [] } -variable "enable_public_s3_endpoint" { - description = "Whether to enable S3 VPC Endpoint for public subnets" - default = true - type = bool -} - -variable "enable_dynamodb_endpoint" { - description = "Should be true if you want to provision a DynamoDB endpoint to the VPC" - type = bool - default = false -} - -variable "dynamodb_endpoint_type" { - description = "DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available" - type = string - default = "Gateway" -} - -variable "dynamodb_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint" - type = list(string) - default = [] -} - -variable "dynamodb_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "dynamodb_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint" - type = bool - default = false -} - -variable "dynamodb_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "enable_s3_endpoint" { - description = "Should be true if you want to provision an S3 endpoint to the VPC" - type = bool - default = false -} - -variable "s3_endpoint_type" { - description = "S3 VPC endpoint type. 
Note - S3 Interface type support is only available on AWS provider 3.10 and later" - type = string - default = "Gateway" -} - -variable "s3_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for S3 interface endpoint" - type = list(string) - default = [] -} - -variable "s3_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "s3_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint" - type = bool - default = false -} - -variable "s3_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "enable_codeartifact_api_endpoint" { - description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC" - type = bool - default = false -} - -variable "codeartifact_api_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Codeartifact API endpoint" - type = list(string) - default = [] -} - -variable "codeartifact_api_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Codeartifact API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "codeartifact_api_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Codeartifact API endpoint" - type = bool - default = false -} - -variable "enable_codeartifact_repositories_endpoint" { - description = "Should be true if you want to provision an Codeartifact repositories endpoint to the VPC" - type = bool - default = false -} - -variable "codeartifact_repositories_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Codeartifact repositories endpoint" - type = list(string) - default = [] -} - -variable "codeartifact_repositories_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Codeartifact repositories endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "codeartifact_repositories_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Codeartifact repositories endpoint" - type = bool - default = false -} - -variable "enable_codebuild_endpoint" { - description = "Should be true if you want to provision an Codebuild endpoint to the VPC" - type = bool - default = false -} - -variable "codebuild_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Codebuild endpoint" - type = list(string) - default = [] -} - -variable "codebuild_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "codebuild_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "codebuild_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint" - type = bool - default = false -} - -variable "enable_codecommit_endpoint" { - description = "Should be true if you want to provision an Codecommit endpoint to the VPC" - type = bool - default = false -} - -variable "codecommit_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Codecommit endpoint" - type = list(string) - default = [] -} - -variable "codecommit_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "codecommit_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "codecommit_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint" - type = bool - default = false -} - -variable "enable_git_codecommit_endpoint" { - description = "Should be true if you want to provision an Git Codecommit endpoint to the VPC" - type = bool - default = false -} - -variable "git_codecommit_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Git Codecommit endpoint" - type = list(string) - default = [] -} - -variable "git_codecommit_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Git Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "git_codecommit_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Git Codecommit endpoint" - type = bool - default = false -} - -variable "enable_config_endpoint" { - description = "Should be true if you want to provision an config endpoint to the VPC" - type = bool - default = false -} - -variable "config_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for config endpoint" - type = list(string) - default = [] -} - -variable "config_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for config endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "config_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for config endpoint" - type = bool - default = false -} - -variable "enable_sqs_endpoint" { - description = "Should be true if you want to provision an SQS endpoint to the VPC" - type = bool - default = false -} - -variable "sqs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SQS endpoint" - type = list(string) - default = [] -} - -variable "sqs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sqs_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "sqs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint" - type = bool - default = false -} - -variable "enable_lambda_endpoint" { - description = "Should be true if you want to provision a Lambda endpoint to the VPC" - type = bool - default = false -} - -variable "lambda_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Lambda endpoint" - type = list(string) - default = [] -} - -variable "lambda_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "lambda_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint" - type = bool - default = false -} - -variable "enable_ssm_endpoint" { - description = "Should be true if you want to provision an SSM endpoint to the VPC" - type = bool - default = false -} - -variable "ssm_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SSM endpoint" - type = list(string) - default = [] -} - -variable "ssm_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "ssm_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint" - type = bool - default = false -} - -variable "enable_secretsmanager_endpoint" { - description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC" - type = bool - default = false -} - -variable "secretsmanager_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint" - type = list(string) - default = [] -} - -variable "secretsmanager_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "secretsmanager_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "secretsmanager_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint" - type = bool - default = false -} - -variable "enable_apigw_endpoint" { - description = "Should be true if you want to provision an api gateway endpoint to the VPC" - type = bool - default = false -} - -variable "apigw_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for API GW endpoint" - type = list(string) - default = [] -} - -variable "apigw_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "apigw_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint" - type = bool - default = false -} - -variable "apigw_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "enable_ssmmessages_endpoint" { - description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC" - type = bool - default = false -} - -variable "ssmmessages_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint" - type = list(string) - default = [] -} - -variable "ssmmessages_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "ssmmessages_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint" - type = bool - default = false -} - -variable "enable_textract_endpoint" { - description = "Should be true if you want to provision an Textract endpoint to the VPC" - type = bool - default = false -} - -variable "textract_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Textract endpoint" - type = list(string) - default = [] -} - -variable "textract_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Textract endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "textract_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Textract endpoint" - type = bool - default = false -} - -variable "enable_transferserver_endpoint" { - description = "Should be true if you want to provision a Transfer Server endpoint to the VPC" - type = bool - default = false -} - -variable "transferserver_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Transfer Server endpoint" - type = list(string) - default = [] -} - -variable "transferserver_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "transferserver_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint" - type = bool - default = false -} - - -variable "enable_ec2_endpoint" { - description = "Should be true if you want to provision an EC2 endpoint to the VPC" - type = bool - default = false -} - -variable "ec2_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EC2 endpoint" - type = list(string) - default = [] -} - -variable "ec2_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "ec2_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint" - type = bool - default = false -} - -variable "ec2_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "enable_ec2messages_endpoint" { - description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC" - type = bool - default = false -} - -variable "ec2messages_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint" - type = list(string) - default = [] -} - -variable "ec2messages_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint" - type = bool - default = false -} - -variable "ec2messages_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - - -variable "enable_ec2_autoscaling_endpoint" { - description = "Should be true if you want to provision an EC2 Autoscaling endpoint to the VPC" - type = bool - default = false -} - -variable "ec2_autoscaling_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EC2 Autoscaling endpoint" - type = list(string) - default = [] -} - -variable "ec2_autoscaling_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "ec2_autoscaling_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint" - type = bool - default = false -} - -variable "ec2_autoscaling_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EC2 Autoscaling endpoint. Only a single subnet within an AZ is supported. 
If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "enable_ecr_api_endpoint" { - description = "Should be true if you want to provision an ecr api endpoint to the VPC" - type = bool - default = false -} - -variable "ecr_api_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "ecr_api_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "ecr_api_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint" - type = bool - default = false -} - -variable "ecr_api_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECR API endpoint" - type = list(string) - default = [] -} - -variable "enable_ecr_dkr_endpoint" { - description = "Should be true if you want to provision an ecr dkr endpoint to the VPC" - type = bool - default = false -} - -variable "ecr_dkr_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "ecr_dkr_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "ecr_dkr_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint" - type = bool - default = false -} - -variable "ecr_dkr_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECR DKR endpoint" - type = list(string) - default = [] -} - -variable "enable_kms_endpoint" { - description = "Should be true if you want to provision a KMS endpoint to the VPC" - type = bool - default = false -} - -variable "kms_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for KMS endpoint" - type = list(string) - default = [] -} - -variable "kms_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "kms_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "kms_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint" - type = bool - default = false -} - -variable "enable_ecs_endpoint" { - description = "Should be true if you want to provision a ECS endpoint to the VPC" - type = bool - default = false -} - -variable "ecs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS endpoint" - type = list(string) - default = [] -} - -variable "ecs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS endpoint. 
Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "ecs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS endpoint" - type = bool - default = false -} - -variable "enable_ecs_agent_endpoint" { - description = "Should be true if you want to provision a ECS Agent endpoint to the VPC" - type = bool - default = false -} - -variable "ecs_agent_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS Agent endpoint" - type = list(string) - default = [] -} - -variable "ecs_agent_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "ecs_agent_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Agent endpoint" - type = bool - default = false -} - -variable "enable_ecs_telemetry_endpoint" { - description = "Should be true if you want to provision a ECS Telemetry endpoint to the VPC" - type = bool - default = false -} - -variable "ecs_telemetry_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint" - type = list(string) - default = [] -} - -variable "ecs_telemetry_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "ecs_telemetry_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint" - type = bool - default = false -} - -variable "enable_sns_endpoint" { - description = "Should be true if you want to provision a SNS endpoint to the VPC" - type = bool - default = false -} - -variable "sns_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SNS endpoint" - type = list(string) - default = [] -} - -variable "sns_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sns_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "sns_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint" - type = bool - default = false -} - -variable "enable_monitoring_endpoint" { - description = "Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC" - type = bool - default = false -} - -variable "monitoring_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint" - type = list(string) - default = [] -} - -variable "monitoring_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "monitoring_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "monitoring_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint" - type = bool - default = false -} - -variable "enable_elasticloadbalancing_endpoint" { - description = "Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC" - type = bool - default = false -} - -variable "elasticloadbalancing_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint" - type = list(string) - default = [] -} - -variable "elasticloadbalancing_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "elasticloadbalancing_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "elasticloadbalancing_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint" - type = bool - default = false -} - -variable "enable_events_endpoint" { - description = "Should be true if you want to provision a CloudWatch Events endpoint to the VPC" - type = bool - default = false -} - -variable "events_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint" - type = list(string) - default = [] -} - -variable "events_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "events_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "events_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint" - type = bool - default = false -} - -variable "enable_logs_endpoint" { - description = "Should be true if you want to provision a CloudWatch Logs endpoint to the VPC" - type = bool - default = false -} - -variable "logs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint" - type = list(string) - default = [] -} - -variable "logs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "logs_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "logs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint" - type = bool - default = false -} - -variable "enable_cloudtrail_endpoint" { - description = "Should be true if you want to provision a CloudTrail endpoint to the VPC" - type = bool - default = false -} - -variable "cloudtrail_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CloudTrail endpoint" - type = list(string) - default = [] -} - -variable "cloudtrail_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "cloudtrail_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint" - type = bool - default = false -} - -variable "enable_kinesis_streams_endpoint" { - description = "Should be true if you want to provision a Kinesis Streams endpoint to the VPC" - type = bool - default = false -} - -variable "kinesis_streams_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint" - type = list(string) - default = [] -} - -variable "kinesis_streams_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "kinesis_streams_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "kinesis_streams_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint" - type = bool - default = false -} - -variable "enable_kinesis_firehose_endpoint" { - description = "Should be true if you want to provision a Kinesis Firehose endpoint to the VPC" - type = bool - default = false -} - -variable "kinesis_firehose_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint" - type = list(string) - default = [] -} - -variable "kinesis_firehose_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "kinesis_firehose_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "kinesis_firehose_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint" - type = bool - default = false -} - -variable "enable_glue_endpoint" { - description = "Should be true if you want to provision a Glue endpoint to the VPC" - type = bool - default = false -} - -variable "glue_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Glue endpoint" - type = list(string) - default = [] -} - -variable "glue_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Glue endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "glue_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Glue endpoint" - type = bool - default = false -} - -variable "enable_sagemaker_notebook_endpoint" { - description = "Should be true if you want to provision a Sagemaker Notebook endpoint to the VPC" - type = bool - default = false -} - -variable "sagemaker_notebook_endpoint_region" { - description = "Region to use for Sagemaker Notebook endpoint" - type = string - default = "" -} - -variable "sagemaker_notebook_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Sagemaker Notebook endpoint" - type = list(string) - default = [] -} - -variable "sagemaker_notebook_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Sagemaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "sagemaker_notebook_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "sagemaker_notebook_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint" - type = bool - default = false -} - -variable "enable_sts_endpoint" { - description = "Should be true if you want to provision a STS endpoint to the VPC" - type = bool - default = false -} - -variable "sts_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for STS endpoint" - type = list(string) - default = [] -} - -variable "sts_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sts_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "sts_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for STS endpoint" - type = bool - default = false -} - -variable "enable_cloudformation_endpoint" { - description = "Should be true if you want to provision a Cloudformation endpoint to the VPC" - type = bool - default = false -} - -variable "cloudformation_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Cloudformation endpoint" - type = list(string) - default = [] -} - -variable "cloudformation_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Cloudformation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "cloudformation_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint" - type = bool - default = false -} -variable "enable_codepipeline_endpoint" { - description = "Should be true if you want to provision a CodePipeline endpoint to the VPC" - type = bool - default = false -} - -variable "codepipeline_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CodePipeline endpoint" - type = list(string) - default = [] -} - -variable "codepipeline_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "codepipeline_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint" - type = bool - default = false -} -variable "enable_appmesh_envoy_management_endpoint" { - description = "Should be true if you want to provision a AppMesh endpoint to the VPC" - type = bool - default = false -} - -variable "appmesh_envoy_management_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for AppMesh endpoint" - type = list(string) - default = [] -} - -variable "appmesh_envoy_management_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "appmesh_envoy_management_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint" - type = bool - default = false -} -variable "enable_servicecatalog_endpoint" { - description = "Should be true if you want to provision a Service Catalog endpoint to the VPC" - type = bool - default = false -} - -variable "servicecatalog_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Service Catalog endpoint" - type = list(string) - default = [] -} - -variable "servicecatalog_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "servicecatalog_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint" - type = bool - default = false -} -variable "enable_storagegateway_endpoint" { - description = "Should be true if you want to provision a Storage Gateway endpoint to the VPC" - type = bool - default = false -} - -variable "storagegateway_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint" - type = list(string) - default = [] -} - -variable "storagegateway_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "storagegateway_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint" - type = bool - default = false -} -variable "enable_transfer_endpoint" { - description = "Should be true if you want to provision a Transfer endpoint to the VPC" - type = bool - default = false -} - -variable "transfer_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Transfer endpoint" - type = list(string) - default = [] -} - -variable "transfer_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "transfer_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint" - type = bool - default = false -} -variable "enable_sagemaker_api_endpoint" { - description = "Should be true if you want to provision a SageMaker API endpoint to the VPC" - type = bool - default = false -} - -variable "sagemaker_api_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SageMaker API endpoint" - type = list(string) - default = [] -} - -variable "sagemaker_api_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sagemaker_api_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "sagemaker_api_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint" - type = bool - default = false -} -variable "enable_sagemaker_runtime_endpoint" { - description = "Should be true if you want to provision a SageMaker Runtime endpoint to the VPC" - type = bool - default = false -} - -variable "sagemaker_runtime_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint" - type = list(string) - default = [] -} - -variable "sagemaker_runtime_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. 
If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sagemaker_runtime_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "sagemaker_runtime_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint" - type = bool - default = false -} - -variable "enable_appstream_api_endpoint" { - description = "Should be true if you want to provision a AppStream API endpoint to the VPC" - type = bool - default = false -} - -variable "appstream_api_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for AppStream API endpoint" - type = list(string) - default = [] -} - -variable "appstream_api_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for AppStream API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "appstream_api_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for AppStream API endpoint" - type = bool - default = false -} - -variable "enable_appstream_streaming_endpoint" { - description = "Should be true if you want to provision a AppStream Streaming endpoint to the VPC" - type = bool - default = false -} - -variable "appstream_streaming_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for AppStream Streaming endpoint" - type = list(string) - default = [] -} - -variable "appstream_streaming_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for AppStream Streaming endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "appstream_streaming_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for AppStream Streaming endpoint" - type = bool - default = false -} - -variable "enable_athena_endpoint" { - description = "Should be true if you want to provision a Athena endpoint to the VPC" - type = bool - default = false -} - -variable "athena_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Athena endpoint" - type = list(string) - default = [] -} - -variable "athena_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "athena_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "athena_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint" - type = bool - default = false -} - -variable "enable_rekognition_endpoint" { - description = "Should be true if you want to provision a Rekognition endpoint to the VPC" - type = bool - default = false -} - -variable "rekognition_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Rekognition endpoint" - type = list(string) - default = [] -} - -variable "rekognition_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "rekognition_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "rekognition_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint" - type = bool - default = false -} - -variable "enable_efs_endpoint" { - description = "Should be true if you want to provision an EFS endpoint to the VPC" - type = bool - default = false -} - -variable "efs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EFS endpoint" - type = list(string) - default = [] -} - -variable "efs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "efs_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "efs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint" - type = bool - default = false -} - -variable "enable_cloud_directory_endpoint" { - description = "Should be true if you want to provision an Cloud Directory endpoint to the VPC" - type = bool - default = false -} - -variable "cloud_directory_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint" - type = list(string) - default = [] -} - -variable "cloud_directory_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "cloud_directory_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "cloud_directory_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint" - type = bool - default = false -} - -variable "enable_ses_endpoint" { - description = "Should be true if you want to provision an SES endpoint to the VPC" - type = bool - default = false -} - -variable "ses_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SES endpoint" - type = list(string) - default = [] -} - -variable "ses_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "enable_auto_scaling_plans_endpoint" { - description = "Should be true if you want to provision an Auto Scaling Plans endpoint to the VPC" - type = bool - default = false -} - -variable "auto_scaling_plans_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint" - type = list(string) - default = [] -} - -variable "auto_scaling_plans_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "auto_scaling_plans_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "auto_scaling_plans_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint" - type = bool - default = false -} - -variable "ses_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SES endpoint" - type = bool - default = false -} - -variable "enable_workspaces_endpoint" { - description = "Should be true if you want to provision an Workspaces endpoint to the VPC" - type = bool - default = false -} - -variable "workspaces_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Workspaces endpoint" - type = list(string) - default = [] -} - -variable "workspaces_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "workspaces_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "workspaces_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint" - type = bool - default = false -} - -variable "enable_access_analyzer_endpoint" { - description = "Should be true if you want to provision an Access Analyzer endpoint to the VPC" - type = bool - default = false -} - -variable "access_analyzer_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint" - type = list(string) - default = [] -} - -variable "access_analyzer_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "access_analyzer_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "access_analyzer_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint" - type = bool - default = false -} - -variable "enable_ebs_endpoint" { - description = "Should be true if you want to provision an EBS endpoint to the VPC" - type = bool - default = false -} - -variable "ebs_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EBS endpoint" - type = list(string) - default = [] -} - -variable "ebs_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "ebs_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint" - type = bool - default = false -} - -variable "enable_datasync_endpoint" { - description = "Should be true if you want to provision an Data Sync endpoint to the VPC" - type = bool - default = false -} - -variable "datasync_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Data Sync endpoint" - type = list(string) - default = [] -} - -variable "datasync_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Data Sync endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "datasync_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Data Sync endpoint" - type = bool - default = false -} - -variable "enable_elastic_inference_runtime_endpoint" { - description = "Should be true if you want to provision an Elastic Inference Runtime endpoint to the VPC" - type = bool - default = false -} - -variable "elastic_inference_runtime_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Elastic Inference Runtime endpoint" - type = list(string) - default = [] -} - -variable "elastic_inference_runtime_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "elastic_inference_runtime_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Inference Runtime endpoint" - type = bool - default = false -} - -variable "enable_sms_endpoint" { - description = "Should be true if you want to provision an SMS endpoint to the VPC" - type = bool - default = false -} - -variable "sms_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for SMS endpoint" - type = list(string) - default = [] -} - -variable "sms_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "sms_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint" - type = bool - default = false -} - -variable "enable_emr_endpoint" { - description = "Should be true if you want to provision an EMR endpoint to the VPC" - type = bool - default = false -} - -variable "emr_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for EMR endpoint" - type = list(string) - default = [] -} - -variable "emr_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "emr_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "emr_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint" - type = bool - default = false -} - -variable "enable_qldb_session_endpoint" { - description = "Should be true if you want to provision an QLDB Session endpoint to the VPC" - type = bool - default = false -} - -variable "qldb_session_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for QLDB Session endpoint" - type = list(string) - default = [] -} - -variable "qldb_session_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "qldb_session_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint" - type = bool - default = false -} - -variable "enable_elasticbeanstalk_endpoint" { - description = "Should be true if you want to provision a Elastic Beanstalk endpoint to the VPC" - type = bool - default = false -} - -variable "elasticbeanstalk_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint" - type = list(string) - default = [] -} - -variable "elasticbeanstalk_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "elasticbeanstalk_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. 
Defaults to full access" - type = string - default = null -} - -variable "elasticbeanstalk_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint" - type = bool - default = false -} - -variable "enable_elasticbeanstalk_health_endpoint" { - description = "Should be true if you want to provision a Elastic Beanstalk Health endpoint to the VPC" - type = bool - default = false -} - -variable "elasticbeanstalk_health_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint" - type = list(string) - default = [] -} - -variable "elasticbeanstalk_health_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "elasticbeanstalk_health_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint" - type = bool - default = false -} - -variable "enable_states_endpoint" { - description = "Should be true if you want to provision a Step Function endpoint to the VPC" - type = bool - default = false -} - -variable "states_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for Step Function endpoint" - type = list(string) - default = [] -} - -variable "states_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "states_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "states_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint" - type = bool - default = false -} - -variable "enable_rds_endpoint" { - description = "Should be true if you want to provision an RDS endpoint to the VPC" - type = bool - default = false -} - -variable "rds_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for RDS endpoint" - type = list(string) - default = [] -} - -variable "rds_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "rds_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint" - type = bool - default = false -} - -variable "enable_codedeploy_endpoint" { - description = "Should be true if you want to provision an CodeDeploy endpoint to the VPC" - type = bool - default = false -} - -variable "codedeploy_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CodeDeploy endpoint" - type = list(string) - default = [] -} - -variable "codedeploy_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CodeDeploy endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "codedeploy_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy endpoint" - type = bool - default = false -} - -variable "enable_codedeploy_commands_secure_endpoint" { - description = "Should be true if you want to provision an CodeDeploy Commands Secure endpoint to the VPC" - type = bool - default = false -} - -variable "codedeploy_commands_secure_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for CodeDeploy Commands Secure endpoint" - type = list(string) - default = [] -} - -variable "codedeploy_commands_secure_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "codedeploy_commands_secure_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for CodeDeploy Commands Secure endpoint" - type = bool - default = false -} - -variable "enable_acm_pca_endpoint" { - description = "Should be true if you want to provision an ACM PCA endpoint to the VPC" - type = bool - default = false -} - -variable "acm_pca_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint" - type = list(string) - default = [] -} - -variable "acm_pca_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." 
- type = list(string) - default = [] -} - -variable "acm_pca_endpoint_policy" { - description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access" - type = string - default = null -} - -variable "acm_pca_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint" - type = bool - default = false -} - -variable "enable_dms_endpoint" { - description = "Should be true if you want to provision a DMS endpoint to the VPC" - type = bool - default = false -} - -variable "dms_endpoint_security_group_ids" { - description = "The ID of one or more security groups to associate with the network interface for DMS endpoint" - type = list(string) - default = [] -} - -variable "dms_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." - type = list(string) - default = [] -} - -variable "dms_endpoint_private_dns_enabled" { - description = "Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint" - type = bool - default = false -} - variable "map_public_ip_on_launch" { description = "Should be false if you do not want to auto-assign public IP on launch" type = bool @@ -2441,12 +586,6 @@ variable "vpn_gateway_tags" { default = {} } -variable "vpc_endpoint_tags" { - description = "Additional tags for the VPC Endpoints" - type = map(string) - default = {} -} - variable "vpc_flow_log_tags" { description = "Additional tags for the VPC Flow Logs" type = map(string) diff --git a/versions.tf b/versions.tf index 238ed698b..dc46f697a 100644 --- a/versions.tf +++ b/versions.tf 
@@ -1,10 +1,10 @@ terraform { - required_version = ">= 0.12.21" + required_version = ">= 0.12.26" required_providers { aws = { source = "hashicorp/aws" - version = ">= 2.70" + version = ">= 3.15" } } } diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf deleted file mode 100644 index 94fefe0ef..000000000 --- a/vpc-endpoints.tf +++ /dev/null 
@@ -1,1590 +0,0 @@ -###################### -# VPC Endpoint for S3 -###################### -data "aws_vpc_endpoint_service" "s3" { - count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 - - service = "s3" - - # Used for backwards compatability where `service_type` is not yet available in the provider used - filter { - name = "service-type" - values = [var.s3_endpoint_type] - } -} - -resource "aws_vpc_endpoint" "s3" { - count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.s3[0].service_name - vpc_endpoint_type = var.s3_endpoint_type - - security_group_ids = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null - subnet_ids = var.s3_endpoint_type == "Interface" ? coalescelist(var.s3_endpoint_subnet_ids, aws_subnet.private.*.id) : null - policy = var.s3_endpoint_policy - private_dns_enabled = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_private_dns_enabled : null - - tags = local.vpce_tags -} - -resource "aws_vpc_endpoint_route_table_association" "private_s3" { - count = var.create_vpc && var.enable_s3_endpoint && var.s3_endpoint_type == "Gateway" ? local.nat_gateway_count : 0 - - vpc_endpoint_id = aws_vpc_endpoint.s3[0].id - route_table_id = element(aws_route_table.private.*.id, count.index) -} - -resource "aws_vpc_endpoint_route_table_association" "intra_s3" { - count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0 - - vpc_endpoint_id = aws_vpc_endpoint.s3[0].id - route_table_id = element(aws_route_table.intra.*.id, 0) -} - -resource "aws_vpc_endpoint_route_table_association" "public_s3" { - count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 
1 : 0 - - vpc_endpoint_id = aws_vpc_endpoint.s3[0].id - route_table_id = aws_route_table.public[0].id -} - -############################ -# VPC Endpoint for DynamoDB -############################ -data "aws_vpc_endpoint_service" "dynamodb" { - count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 - - service = "dynamodb" - - # Used for backwards compatability where `service_type` is not yet available in the provider used - filter { - name = "service-type" - values = [var.dynamodb_endpoint_type] - } -} - -resource "aws_vpc_endpoint" "dynamodb" { - count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name - vpc_endpoint_type = var.dynamodb_endpoint_type - - security_group_ids = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_security_group_ids : null - subnet_ids = var.dynamodb_endpoint_type == "Interface" ? coalescelist(var.dynamodb_endpoint_subnet_ids, aws_subnet.private.*.id) : null - policy = var.dynamodb_endpoint_policy - private_dns_enabled = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_private_dns_enabled : null - - tags = local.vpce_tags -} - -resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" { - count = var.create_vpc && var.enable_dynamodb_endpoint && var.dynamodb_endpoint_type == "Gateway" ? local.nat_gateway_count : 0 - - vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id - route_table_id = element(aws_route_table.private.*.id, count.index) -} - -resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" { - count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 
1 : 0 - - vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id - route_table_id = element(aws_route_table.intra.*.id, 0) -} - -resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" { - count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0 - - vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id - route_table_id = aws_route_table.public[0].id -} - - -############################# -# VPC Endpoint for Codebuild -############################# -data "aws_vpc_endpoint_service" "codebuild" { - count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0 - - service = "codebuild" -} - -resource "aws_vpc_endpoint" "codebuild" { - count = var.create_vpc && var.enable_codebuild_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codebuild[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codebuild_endpoint_security_group_ids - subnet_ids = coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.codebuild_endpoint_policy - private_dns_enabled = var.codebuild_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################### -# VPC Endpoint for Code Commit -############################### -data "aws_vpc_endpoint_service" "codecommit" { - count = var.create_vpc && var.enable_codecommit_endpoint ? 1 : 0 - - service = "codecommit" -} - -resource "aws_vpc_endpoint" "codecommit" { - count = var.create_vpc && var.enable_codecommit_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codecommit[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codecommit_endpoint_security_group_ids - subnet_ids = coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.codecommit_endpoint_policy - private_dns_enabled = var.codecommit_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -################################### -# VPC Endpoint for Git Code Commit -################################### -data "aws_vpc_endpoint_service" "git_codecommit" { - count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0 - - service = "git-codecommit" -} - -resource "aws_vpc_endpoint" "git_codecommit" { - count = var.create_vpc && var.enable_git_codecommit_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.git_codecommit[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.git_codecommit_endpoint_security_group_ids - subnet_ids = coalescelist(var.git_codecommit_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.git_codecommit_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -########################## -# VPC Endpoint for Config -########################## -data "aws_vpc_endpoint_service" "config" { - count = var.create_vpc && var.enable_config_endpoint ? 1 : 0 - - service = "config" -} - -resource "aws_vpc_endpoint" "config" { - count = var.create_vpc && var.enable_config_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.config[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.config_endpoint_security_group_ids - subnet_ids = coalescelist(var.config_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.config_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for SQS -####################### -data "aws_vpc_endpoint_service" "sqs" { - count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 - - service = "sqs" -} - -resource "aws_vpc_endpoint" "sqs" { - count = var.create_vpc && var.enable_sqs_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sqs[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sqs_endpoint_security_group_ids - subnet_ids = coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sqs_endpoint_policy - private_dns_enabled = var.sqs_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -######################### -# VPC Endpoint for Lambda -######################### -data "aws_vpc_endpoint_service" "lambda" { - count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0 - - service = "lambda" -} -resource "aws_vpc_endpoint" "lambda" { - count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.lambda[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.lambda_endpoint_security_group_ids - subnet_ids = coalescelist(var.lambda_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.lambda_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -################################### -# VPC Endpoint for Secrets Manager -################################### -data "aws_vpc_endpoint_service" "secretsmanager" { - count = var.create_vpc && var.enable_secretsmanager_endpoint ? 
1 : 0 - - service = "secretsmanager" -} - -resource "aws_vpc_endpoint" "secretsmanager" { - count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.secretsmanager[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.secretsmanager_endpoint_security_group_ids - subnet_ids = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.secretsmanager_endpoint_policy - private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for SSM -####################### -data "aws_vpc_endpoint_service" "ssm" { - count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 - - service = "ssm" -} - -resource "aws_vpc_endpoint" "ssm" { - count = var.create_vpc && var.enable_ssm_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ssm[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ssm_endpoint_security_group_ids - subnet_ids = coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ssm_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################### -# VPC Endpoint for SSMMESSAGES -############################### -data "aws_vpc_endpoint_service" "ssmmessages" { - count = var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0 - - service = "ssmmessages" -} - -resource "aws_vpc_endpoint" "ssmmessages" { - count = var.create_vpc && var.enable_ssmmessages_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ssmmessages[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ssmmessages_endpoint_security_group_ids - subnet_ids = coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ssmmessages_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for EC2 -####################### -data "aws_vpc_endpoint_service" "ec2" { - count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 - - service = "ec2" -} - -resource "aws_vpc_endpoint" "ec2" { - count = var.create_vpc && var.enable_ec2_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ec2[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ec2_endpoint_security_group_ids - subnet_ids = coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.ec2_endpoint_policy - private_dns_enabled = var.ec2_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################### -# VPC Endpoint for EC2MESSAGES -############################### -data "aws_vpc_endpoint_service" "ec2messages" { - count = var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0 - - service = "ec2messages" -} - -resource "aws_vpc_endpoint" "ec2messages" { - count = var.create_vpc && var.enable_ec2messages_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ec2messages[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ec2messages_endpoint_security_group_ids - subnet_ids = coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ec2messages_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################### -# VPC Endpoint for EC2 Autoscaling -############################### -data "aws_vpc_endpoint_service" "ec2_autoscaling" { - count = var.create_vpc && var.enable_ec2_autoscaling_endpoint ? 1 : 0 - - service = "autoscaling" -} - -resource "aws_vpc_endpoint" "ec2_autoscaling" { - count = var.create_vpc && var.enable_ec2_autoscaling_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ec2_autoscaling[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ec2_autoscaling_endpoint_security_group_ids - subnet_ids = coalescelist(var.ec2_autoscaling_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.ec2_autoscaling_endpoint_policy - private_dns_enabled = var.ec2_autoscaling_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -################################### -# VPC Endpoint for Transfer Server -################################### -data "aws_vpc_endpoint_service" "transferserver" { - count = var.create_vpc && var.enable_transferserver_endpoint ? 1 : 0 - - service = "transfer.server" -} - -resource "aws_vpc_endpoint" "transferserver" { - count = var.create_vpc && var.enable_transferserver_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.transferserver[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.transferserver_endpoint_security_group_ids - subnet_ids = coalescelist(var.transferserver_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.transferserver_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -########################### -# VPC Endpoint for ECR API -########################### -data "aws_vpc_endpoint_service" "ecr_api" { - count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0 - - service = "ecr.api" -} - -resource "aws_vpc_endpoint" "ecr_api" { - count = var.create_vpc && var.enable_ecr_api_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ecr_api[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ecr_api_endpoint_security_group_ids - subnet_ids = coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.ecr_api_endpoint_policy - private_dns_enabled = var.ecr_api_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -########################### -# VPC Endpoint for ECR DKR -########################### -data "aws_vpc_endpoint_service" "ecr_dkr" { - count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 1 : 0 - - service = "ecr.dkr" -} - -resource "aws_vpc_endpoint" "ecr_dkr" { - count = var.create_vpc && var.enable_ecr_dkr_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ecr_dkr[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ecr_dkr_endpoint_security_group_ids - subnet_ids = coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.ecr_dkr_endpoint_policy - private_dns_enabled = var.ecr_dkr_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for API Gateway -####################### -data "aws_vpc_endpoint_service" "apigw" { - count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 - - service = "execute-api" -} - -resource "aws_vpc_endpoint" "apigw" { - count = var.create_vpc && var.enable_apigw_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.apigw[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.apigw_endpoint_security_group_ids - subnet_ids = coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.apigw_endpoint_policy - private_dns_enabled = var.apigw_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for KMS -####################### -data "aws_vpc_endpoint_service" "kms" { - count = var.create_vpc && var.enable_kms_endpoint ? 1 : 0 - - service = "kms" -} - -resource "aws_vpc_endpoint" "kms" { - count = var.create_vpc && var.enable_kms_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.kms[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.kms_endpoint_security_group_ids - subnet_ids = coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.kms_endpoint_policy - private_dns_enabled = var.kms_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for ECS -####################### -data "aws_vpc_endpoint_service" "ecs" { - count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0 - - service = "ecs" -} - -resource "aws_vpc_endpoint" "ecs" { - count = var.create_vpc && var.enable_ecs_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ecs[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ecs_endpoint_security_group_ids - subnet_ids = coalescelist(var.ecs_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ecs_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for ECS Agent -####################### -data "aws_vpc_endpoint_service" "ecs_agent" { - count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 - - service = "ecs-agent" -} - -resource "aws_vpc_endpoint" "ecs_agent" { - count = var.create_vpc && var.enable_ecs_agent_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ecs_agent[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ecs_agent_endpoint_security_group_ids - subnet_ids = coalescelist(var.ecs_agent_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ecs_agent_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for ECS Telemetry -####################### -data "aws_vpc_endpoint_service" "ecs_telemetry" { - count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 
1 : 0 - - service = "ecs-telemetry" -} - -resource "aws_vpc_endpoint" "ecs_telemetry" { - count = var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ecs_telemetry[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ecs_telemetry_endpoint_security_group_ids - subnet_ids = coalescelist(var.ecs_telemetry_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ecs_telemetry_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for SNS -####################### -data "aws_vpc_endpoint_service" "sns" { - count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0 - - service = "sns" -} - -resource "aws_vpc_endpoint" "sns" { - count = var.create_vpc && var.enable_sns_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sns[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sns_endpoint_security_group_ids - subnet_ids = coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sns_endpoint_policy - private_dns_enabled = var.sns_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for CloudWatch Monitoring -####################### -data "aws_vpc_endpoint_service" "monitoring" { - count = var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0 - - service = "monitoring" -} - -resource "aws_vpc_endpoint" "monitoring" { - count = var.create_vpc && var.enable_monitoring_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.monitoring[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.monitoring_endpoint_security_group_ids - subnet_ids = coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.monitoring_endpoint_policy - private_dns_enabled = var.monitoring_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for CloudWatch Logs -####################### -data "aws_vpc_endpoint_service" "logs" { - count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0 - - service = "logs" -} - -resource "aws_vpc_endpoint" "logs" { - count = var.create_vpc && var.enable_logs_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.logs[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.logs_endpoint_security_group_ids - subnet_ids = coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.logs_endpoint_policy - private_dns_enabled = var.logs_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for CloudWatch Events -####################### -data "aws_vpc_endpoint_service" "events" { - count = var.create_vpc && var.enable_events_endpoint ? 1 : 0 - - service = "events" -} - -resource "aws_vpc_endpoint" "events" { - count = var.create_vpc && var.enable_events_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.events[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.events_endpoint_security_group_ids - subnet_ids = coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.events_endpoint_policy - private_dns_enabled = var.events_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for Elastic Load Balancing -####################### -data "aws_vpc_endpoint_service" "elasticloadbalancing" { - count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0 - - service = "elasticloadbalancing" -} - -resource "aws_vpc_endpoint" "elasticloadbalancing" { - count = var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.elasticloadbalancing[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.elasticloadbalancing_endpoint_security_group_ids - subnet_ids = coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.elasticloadbalancing_endpoint_policy - private_dns_enabled = var.elasticloadbalancing_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for CloudTrail -####################### -data "aws_vpc_endpoint_service" "cloudtrail" { - count = var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0 - - service = "cloudtrail" -} - -resource "aws_vpc_endpoint" "cloudtrail" { - count = var.create_vpc && var.enable_cloudtrail_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.cloudtrail[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.cloudtrail_endpoint_security_group_ids - subnet_ids = coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.cloudtrail_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for Kinesis Streams -####################### -data "aws_vpc_endpoint_service" "kinesis_streams" { - count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0 - - service = "kinesis-streams" -} - -resource "aws_vpc_endpoint" "kinesis_streams" { - count = var.create_vpc && var.enable_kinesis_streams_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.kinesis_streams[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.kinesis_streams_endpoint_security_group_ids - subnet_ids = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.kinesis_streams_endpoint_policy - private_dns_enabled = var.kinesis_streams_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -####################### -# VPC Endpoint for Kinesis Firehose -####################### -data "aws_vpc_endpoint_service" "kinesis_firehose" { - count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 1 : 0 - - service = "kinesis-firehose" -} - -resource "aws_vpc_endpoint" "kinesis_firehose" { - count = var.create_vpc && var.enable_kinesis_firehose_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.kinesis_firehose[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.kinesis_firehose_endpoint_security_group_ids - subnet_ids = coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.kinesis_firehose_endpoint_policy - private_dns_enabled = var.kinesis_firehose_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Glue -####################### -data "aws_vpc_endpoint_service" "glue" { - count = var.create_vpc && var.enable_glue_endpoint ? 1 : 0 - - service = "glue" -} - -resource "aws_vpc_endpoint" "glue" { - count = var.create_vpc && var.enable_glue_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.glue[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.glue_endpoint_security_group_ids - subnet_ids = coalescelist(var.glue_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.glue_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -###################################### -# VPC Endpoint for Sagemaker Notebooks -###################################### -data "aws_vpc_endpoint_service" "sagemaker_notebook" { - count = var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 1 : 0 - - service_name = "aws.sagemaker.${var.sagemaker_notebook_endpoint_region}.notebook" -} - -resource "aws_vpc_endpoint" "sagemaker_notebook" { - count = var.create_vpc && var.enable_sagemaker_notebook_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sagemaker_notebook[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sagemaker_notebook_endpoint_security_group_ids - subnet_ids = coalescelist(var.sagemaker_notebook_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sagemaker_notebook_endpoint_policy - private_dns_enabled = var.sagemaker_notebook_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for STS -####################### -data "aws_vpc_endpoint_service" "sts" { - count = var.create_vpc && var.enable_sts_endpoint ? 1 : 0 - - service = "sts" -} - -resource "aws_vpc_endpoint" "sts" { - count = var.create_vpc && var.enable_sts_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sts[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sts_endpoint_security_group_ids - subnet_ids = coalescelist(var.sts_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sts_endpoint_policy - private_dns_enabled = var.sts_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Cloudformation -############################# -data "aws_vpc_endpoint_service" "cloudformation" { - count = var.create_vpc && var.enable_cloudformation_endpoint ? 1 : 0 - - service = "cloudformation" -} - -resource "aws_vpc_endpoint" "cloudformation" { - count = var.create_vpc && var.enable_cloudformation_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.cloudformation[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.cloudformation_endpoint_security_group_ids - subnet_ids = coalescelist(var.cloudformation_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.cloudformation_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for CodePipeline -############################# -data "aws_vpc_endpoint_service" "codepipeline" { - count = var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0 - - service = "codepipeline" -} - -resource "aws_vpc_endpoint" "codepipeline" { - count = var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codepipeline[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codepipeline_endpoint_security_group_ids - subnet_ids = coalescelist(var.codepipeline_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.codepipeline_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for AppMesh -############################# -data "aws_vpc_endpoint_service" "appmesh_envoy_management" { - count = var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 1 : 0 - - service = "appmesh-envoy-management" -} - -resource "aws_vpc_endpoint" "appmesh_envoy_management" { - count = var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.appmesh_envoy_management[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.appmesh_envoy_management_endpoint_security_group_ids - subnet_ids = coalescelist(var.appmesh_envoy_management_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.appmesh_envoy_management_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for Service Catalog -############################# -data "aws_vpc_endpoint_service" "servicecatalog" { - count = var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0 - - service = "servicecatalog" -} - -resource "aws_vpc_endpoint" "servicecatalog" { - count = var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.servicecatalog[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.servicecatalog_endpoint_security_group_ids - subnet_ids = coalescelist(var.servicecatalog_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.servicecatalog_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for Storage Gateway -############################# -data "aws_vpc_endpoint_service" "storagegateway" { - count = var.create_vpc && var.enable_storagegateway_endpoint ? 1 : 0 - - service = "storagegateway" -} - -resource "aws_vpc_endpoint" "storagegateway" { - count = var.create_vpc && var.enable_storagegateway_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.storagegateway[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.storagegateway_endpoint_security_group_ids - subnet_ids = coalescelist(var.storagegateway_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.storagegateway_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for Transfer -############################# -data "aws_vpc_endpoint_service" "transfer" { - count = var.create_vpc && var.enable_transfer_endpoint ? 1 : 0 - - service = "transfer" -} - -resource "aws_vpc_endpoint" "transfer" { - count = var.create_vpc && var.enable_transfer_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.transfer[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.transfer_endpoint_security_group_ids - subnet_ids = coalescelist(var.transfer_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.transfer_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for SageMaker API -############################# -data "aws_vpc_endpoint_service" "sagemaker_api" { - count = var.create_vpc && var.enable_sagemaker_api_endpoint ? 1 : 0 - - service = "sagemaker.api" -} - -resource "aws_vpc_endpoint" "sagemaker_api" { - count = var.create_vpc && var.enable_sagemaker_api_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sagemaker_api[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sagemaker_api_endpoint_security_group_ids - subnet_ids = coalescelist(var.sagemaker_api_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sagemaker_api_endpoint_policy - private_dns_enabled = var.sagemaker_api_endpoint_private_dns_enabled - tags = local.vpce_tags -} -############################# -# VPC Endpoint for SageMaker Runtime -############################# -data "aws_vpc_endpoint_service" "sagemaker_runtime" { - count = var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0 - - service = "sagemaker.runtime" -} - -resource "aws_vpc_endpoint" "sagemaker_runtime" { - count = var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sagemaker_runtime[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sagemaker_runtime_endpoint_security_group_ids - subnet_ids = coalescelist(var.sagemaker_runtime_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.sagemaker_runtime_endpoint_policy - private_dns_enabled = var.sagemaker_runtime_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for AppStream API -############################# -data "aws_vpc_endpoint_service" "appstream_api" { - count = var.create_vpc && var.enable_appstream_streaming_endpoint ? 1 : 0 - - service = "appstream.api" -} - -resource "aws_vpc_endpoint" "appstream_api" { - count = var.create_vpc && var.enable_appstream_api_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.appstream_api[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.appstream_api_endpoint_security_group_ids - subnet_ids = coalescelist(var.appstream_api_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.appstream_api_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for AppStream STREAMING -############################# -data "aws_vpc_endpoint_service" "appstream_streaming" { - count = var.create_vpc && var.enable_appstream_streaming_endpoint ? 1 : 0 - - service = "appstream.streaming" -} - -resource "aws_vpc_endpoint" "appstream_streaming" { - count = var.create_vpc && var.enable_appstream_streaming_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.appstream_streaming[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.appstream_streaming_endpoint_security_group_ids - subnet_ids = coalescelist(var.appstream_streaming_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.appstream_streaming_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Athena -############################# -data "aws_vpc_endpoint_service" "athena" { - count = var.create_vpc && var.enable_athena_endpoint ? 1 : 0 - - service = "athena" -} - -resource "aws_vpc_endpoint" "athena" { - count = var.create_vpc && var.enable_athena_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.athena[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.athena_endpoint_security_group_ids - subnet_ids = coalescelist(var.athena_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.athena_endpoint_policy - private_dns_enabled = var.athena_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Rekognition -############################# -data "aws_vpc_endpoint_service" "rekognition" { - count = var.create_vpc && var.enable_rekognition_endpoint ? 1 : 0 - - service = "rekognition" -} - -resource "aws_vpc_endpoint" "rekognition" { - count = var.create_vpc && var.enable_rekognition_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.rekognition[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.rekognition_endpoint_security_group_ids - subnet_ids = coalescelist(var.rekognition_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.rekognition_endpoint_policy - private_dns_enabled = var.rekognition_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for EFS -####################### -data "aws_vpc_endpoint_service" "efs" { - count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0 - - service = "elasticfilesystem" -} - -resource "aws_vpc_endpoint" "efs" { - count = var.create_vpc && var.enable_efs_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.efs[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.efs_endpoint_security_group_ids - subnet_ids = coalescelist(var.efs_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.efs_endpoint_policy - private_dns_enabled = var.efs_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Cloud Directory -####################### -data "aws_vpc_endpoint_service" "cloud_directory" { - count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0 - - service = "clouddirectory" -} - -resource "aws_vpc_endpoint" "cloud_directory" { - count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.cloud_directory[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.cloud_directory_endpoint_security_group_ids - subnet_ids = coalescelist(var.cloud_directory_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.cloud_directory_endpoint_policy - private_dns_enabled = var.cloud_directory_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Auto Scaling Plans -####################### -data "aws_vpc_endpoint_service" "auto_scaling_plans" { - count = var.create_vpc && var.enable_auto_scaling_plans_endpoint ? 1 : 0 - - service = "autoscaling-plans" -} - -resource "aws_vpc_endpoint" "auto_scaling_plans" { - count = var.create_vpc && var.enable_auto_scaling_plans_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.auto_scaling_plans[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.auto_scaling_plans_endpoint_security_group_ids - subnet_ids = coalescelist(var.auto_scaling_plans_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.auto_scaling_plans_endpoint_policy - private_dns_enabled = var.auto_scaling_plans_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Workspaces -####################### -data "aws_vpc_endpoint_service" "workspaces" { - count = var.create_vpc && var.enable_workspaces_endpoint ? 1 : 0 - - service = "workspaces" -} - -resource "aws_vpc_endpoint" "workspaces" { - count = var.create_vpc && var.enable_workspaces_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.workspaces[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.workspaces_endpoint_security_group_ids - subnet_ids = coalescelist(var.workspaces_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.workspaces_endpoint_policy - private_dns_enabled = var.workspaces_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Access Analyzer -####################### -data "aws_vpc_endpoint_service" "access_analyzer" { - count = var.create_vpc && var.enable_access_analyzer_endpoint ? 1 : 0 - - service = "access-analyzer" -} - -resource "aws_vpc_endpoint" "access_analyzer" { - count = var.create_vpc && var.enable_access_analyzer_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.access_analyzer[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.access_analyzer_endpoint_security_group_ids - subnet_ids = coalescelist(var.access_analyzer_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.access_analyzer_endpoint_policy - private_dns_enabled = var.access_analyzer_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for EBS -####################### -data "aws_vpc_endpoint_service" "ebs" { - count = var.create_vpc && var.enable_ebs_endpoint ? 1 : 0 - - service = "ebs" -} - -resource "aws_vpc_endpoint" "ebs" { - count = var.create_vpc && var.enable_ebs_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ebs[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ebs_endpoint_security_group_ids - subnet_ids = coalescelist(var.ebs_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ebs_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Data Sync -####################### -data "aws_vpc_endpoint_service" "datasync" { - count = var.create_vpc && var.enable_datasync_endpoint ? 1 : 0 - - service = "datasync" -} - -resource "aws_vpc_endpoint" "datasync" { - count = var.create_vpc && var.enable_datasync_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.datasync[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.datasync_endpoint_security_group_ids - subnet_ids = coalescelist(var.datasync_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.datasync_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for Elastic Inference Runtime -####################### -data "aws_vpc_endpoint_service" "elastic_inference_runtime" { - count = var.create_vpc && var.enable_elastic_inference_runtime_endpoint ? 1 : 0 - - service = "elastic-inference.runtime" -} - -resource "aws_vpc_endpoint" "elastic_inference_runtime" { - count = var.create_vpc && var.enable_elastic_inference_runtime_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.elastic_inference_runtime[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.elastic_inference_runtime_endpoint_security_group_ids - subnet_ids = coalescelist(var.elastic_inference_runtime_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.elastic_inference_runtime_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for SMS -####################### -data "aws_vpc_endpoint_service" "sms" { - count = var.create_vpc && var.enable_sms_endpoint ? 1 : 0 - - service = "sms" -} - -resource "aws_vpc_endpoint" "sms" { - count = var.create_vpc && var.enable_sms_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.sms[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.sms_endpoint_security_group_ids - subnet_ids = coalescelist(var.sms_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.sms_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for EMR -####################### -data "aws_vpc_endpoint_service" "emr" { - count = var.create_vpc && var.enable_emr_endpoint ? 1 : 0 - - service = "elasticmapreduce" -} - -resource "aws_vpc_endpoint" "emr" { - count = var.create_vpc && var.enable_emr_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.emr[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.emr_endpoint_security_group_ids - subnet_ids = coalescelist(var.emr_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.emr_endpoint_policy - private_dns_enabled = var.emr_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for QLDB Session -####################### -data "aws_vpc_endpoint_service" "qldb_session" { - count = var.create_vpc && var.enable_qldb_session_endpoint ? 1 : 0 - - service = "qldb.session" -} - -resource "aws_vpc_endpoint" "qldb_session" { - count = var.create_vpc && var.enable_qldb_session_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.qldb_session[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.qldb_session_endpoint_security_group_ids - subnet_ids = coalescelist(var.qldb_session_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.qldb_session_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Step Function -############################# -data "aws_vpc_endpoint_service" "states" { - count = var.create_vpc && var.enable_states_endpoint ? 1 : 0 - - service = "states" -} - -resource "aws_vpc_endpoint" "states" { - count = var.create_vpc && var.enable_states_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.states[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.states_endpoint_security_group_ids - subnet_ids = coalescelist(var.states_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.states_endpoint_policy - private_dns_enabled = var.states_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Elastic Beanstalk -############################# -data "aws_vpc_endpoint_service" "elasticbeanstalk" { - count = var.create_vpc && var.enable_elasticbeanstalk_endpoint ? 1 : 0 - - service = "elasticbeanstalk" -} - -resource "aws_vpc_endpoint" "elasticbeanstalk" { - count = var.create_vpc && var.enable_elasticbeanstalk_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.elasticbeanstalk[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.elasticbeanstalk_endpoint_security_group_ids - subnet_ids = coalescelist(var.elasticbeanstalk_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.elasticbeanstalk_endpoint_policy - private_dns_enabled = var.elasticbeanstalk_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for Elastic Beanstalk Health -############################# -data "aws_vpc_endpoint_service" "elasticbeanstalk_health" { - count = var.create_vpc && var.enable_elasticbeanstalk_health_endpoint ? 1 : 0 - - service = "elasticbeanstalk-health" -} - -resource "aws_vpc_endpoint" "elasticbeanstalk_health" { - count = var.create_vpc && var.enable_elasticbeanstalk_health_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.elasticbeanstalk_health[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.elasticbeanstalk_health_endpoint_security_group_ids - subnet_ids = coalescelist(var.elasticbeanstalk_health_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.elasticbeanstalk_health_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for ACM PCA -############################# -data "aws_vpc_endpoint_service" "acm_pca" { - count = var.create_vpc && var.enable_acm_pca_endpoint ? 1 : 0 - - service = "acm-pca" -} - -resource "aws_vpc_endpoint" "acm_pca" { - count = var.create_vpc && var.enable_acm_pca_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.acm_pca[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.acm_pca_endpoint_security_group_ids - subnet_ids = coalescelist(var.acm_pca_endpoint_subnet_ids, aws_subnet.private.*.id) - policy = var.acm_pca_endpoint_policy - private_dns_enabled = var.acm_pca_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -####################### -# VPC Endpoint for SES -####################### -data "aws_vpc_endpoint_service" "ses" { - count = var.create_vpc && var.enable_ses_endpoint ? 1 : 0 - - service = "email-smtp" -} - -resource "aws_vpc_endpoint" "ses" { - count = var.create_vpc && var.enable_ses_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.ses[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.ses_endpoint_security_group_ids - subnet_ids = coalescelist(var.ses_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.ses_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -###################### -# VPC Endpoint for RDS -###################### -data "aws_vpc_endpoint_service" "rds" { - count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0 - - service = "rds" -} - -resource "aws_vpc_endpoint" "rds" { - count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.rds[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.rds_endpoint_security_group_ids - subnet_ids = coalescelist(var.rds_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.rds_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################# -# VPC Endpoint for CodeDeploy -############################# -data "aws_vpc_endpoint_service" "codedeploy" { - count = var.create_vpc && var.enable_codedeploy_endpoint ? 
1 : 0 - - service = "codedeploy" -} - -resource "aws_vpc_endpoint" "codedeploy" { - count = var.create_vpc && var.enable_codedeploy_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codedeploy[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codedeploy_endpoint_security_group_ids - subnet_ids = coalescelist(var.codedeploy_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.codedeploy_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################################# -# VPC Endpoint for CodeDeploy Commands Secure -############################################# -data "aws_vpc_endpoint_service" "codedeploy_commands_secure" { - count = var.create_vpc && var.enable_codedeploy_commands_secure_endpoint ? 1 : 0 - - service = "codedeploy-commands-secure" -} - -resource "aws_vpc_endpoint" "codedeploy_commands_secure" { - count = var.create_vpc && var.enable_codedeploy_commands_secure_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codedeploy_commands_secure[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codedeploy_commands_secure_endpoint_security_group_ids - subnet_ids = coalescelist(var.codedeploy_commands_secure_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.codedeploy_commands_secure_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################################# -# VPC Endpoint for Textract -############################################# -data "aws_vpc_endpoint_service" "textract" { - count = var.create_vpc && var.enable_textract_endpoint ? 1 : 0 - - service = "textract" -} - -resource "aws_vpc_endpoint" "textract" { - count = var.create_vpc && var.enable_textract_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.textract[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.textract_endpoint_security_group_ids - subnet_ids = coalescelist(var.textract_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.textract_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################################# -# VPC Endpoint for Codeartifact API -############################################# -data "aws_vpc_endpoint_service" "codeartifact_api" { - count = var.create_vpc && var.enable_codeartifact_api_endpoint ? 1 : 0 - - service = "codeartifact.api" -} - -resource "aws_vpc_endpoint" "codeartifact_api" { - count = var.create_vpc && var.enable_codeartifact_api_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codeartifact_api[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codeartifact_api_endpoint_security_group_ids - subnet_ids = coalescelist(var.codeartifact_api_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.codeartifact_api_endpoint_private_dns_enabled - tags = local.vpce_tags -} - -############################################# -# VPC Endpoint for Codeartifact repositories -############################################# -data "aws_vpc_endpoint_service" "codeartifact_repositories" { - count = var.create_vpc && var.enable_codeartifact_repositories_endpoint ? 1 : 0 - - service = "codeartifact.repositories" -} - -resource "aws_vpc_endpoint" "codeartifact_repositories" { - count = var.create_vpc && var.enable_codeartifact_repositories_endpoint ? 
1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.codeartifact_repositories[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.codeartifact_repositories_endpoint_security_group_ids - subnet_ids = coalescelist(var.codeartifact_repositories_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.codeartifact_repositories_endpoint_private_dns_enabled - tags = local.vpce_tags -} - - -############################################# -# VPC Endpoint for Database Migration Service -############################################# -data "aws_vpc_endpoint_service" "dms" { - count = var.create_vpc && var.enable_dms_endpoint ? 1 : 0 - - service = "dms" -} - -resource "aws_vpc_endpoint" "dms" { - count = var.create_vpc && var.enable_dms_endpoint ? 1 : 0 - - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.dms[0].service_name - vpc_endpoint_type = "Interface" - - security_group_ids = var.dms_endpoint_security_group_ids - subnet_ids = coalescelist(var.dms_endpoint_subnet_ids, aws_subnet.private.*.id) - private_dns_enabled = var.dms_endpoint_private_dns_enabled - tags = local.vpce_tags -} diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf index f35480649..c478748b4 100644 --- a/vpc-flow-logs.tf +++ b/vpc-flow-logs.tf @@ -9,9 +9,10 @@ locals { flow_log_iam_role_arn = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_cloudwatch_iam_role_arn } -################### +################################################################################ # Flow Log -################### +################################################################################ + resource "aws_flow_log" "this" { count = local.enable_flow_log ? 1 : 0 
@@ -26,9 +27,10 @@ resource "aws_flow_log" "this" { tags = merge(var.tags, var.vpc_flow_log_tags) } -##################### +################################################################################ # Flow Log CloudWatch -##################### +################################################################################ + resource "aws_cloudwatch_log_group" "flow_log" { count = local.create_flow_log_cloudwatch_log_group ? 1 : 0 @@ -39,9 +41,6 @@ resource "aws_cloudwatch_log_group" "flow_log" { tags = merge(var.tags, var.vpc_flow_log_tags) } -######################### -# Flow Log CloudWatch IAM -######################### resource "aws_iam_role" "vpc_flow_log_cloudwatch" { count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0 From 5c6a2313e49d8f537b8d0e4f45f827c62d742541 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 19 Apr 2021 15:41:53 -0400 Subject: [PATCH 2/4] chore: update based on PR feedback --- UPGRADE-3.0.md | 18 ++--- examples/complete-vpc/README.md | 1 + examples/complete-vpc/main.tf | 124 ++++++++++++++-------------- examples/vpc-flow-logs/main.tf | 126 ++++++++++++++--------------- modules/vpc-endpoints/README.md | 19 ++--- modules/vpc-endpoints/main.tf | 8 +- modules/vpc-endpoints/variables.tf | 7 ++ 7 files changed, 156 insertions(+), 147 deletions(-) diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md index 10339a095..f1e5d24fa 100644 --- a/UPGRADE-3.0.md +++ b/UPGRADE-3.0.md 
@@ -13,18 +13,18 @@ Previously, VPC endpoints were configured as standalone resources with their own 1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured: ``` -tf state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]' -tf state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]' -tf state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]' +terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]' +terraform state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]' +terraform state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]' ... ``` 2. Remove the gateway endpoint route table association separate resources. The route table associations are now managed in the VPC endpoint resource itself via the map of maps provided to the VPC endpoint sub-module. 
Perform the necessary removals for each route table association and for S3 and/or DynamoDB depending on your configuration: ``` -tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]' -tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]' -tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]' +terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]' +terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]' +terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]' ... ``` @@ -43,14 +43,10 @@ tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb See the [VPC endpoint sub-module](modules/vpc-endpoints) for the more information on the variables to utilize for VPC endpoints - - None - 3. Removed outputs: - `vpc_endpoint_*` 4. Renamed outputs: -VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs. - - - None +VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md index ab83431aa..7a109cbe1 100644 --- a/examples/complete-vpc/README.md +++ b/examples/complete-vpc/README.md 
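Review bot: the state-move instructions in the first hunk stop short of the verification step. After each `terraform state mv`, and after the `terraform state rm` of the `aws_vpc_endpoint_route_table_association` resources in the next step, the reader should run `terraform plan` and expect no changes. `state rm` only forgets the association; the gateway endpoint keeps its route tables in AWS and the moved `aws_vpc_endpoint.this["dynamodb"]` reads them back through `route_table_ids` on refresh, so a non-empty plan at that point means the `route_table_ids` passed to the sub-module differ from what was associated before, and applying would drop the extra associations and send S3/DynamoDB traffic from those subnets back out through NAT or the IGW. Also, the sentence above the block says only `ssmmessages` should be substituted, while the example substitutes `ssm`, `ssmmessages` and `ec2`; say "each endpoint name" instead.

Review bot: in the second hunk, section 4 "Renamed outputs" now holds only the sentence about outputs being provided by the sub-module. That describes a removal, already listed under 3 as `vpc_endpoint_*`, not a rename, so the sentence belongs under section 3 and section 4 should keep the `None` entry that this hunk deletes, matching the other empty sections. The rewritten sentence also lost its trailing period.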
@@ -36,6 +36,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP |------|--------|---------| | [vpc](#module\_vpc) | ../../ | | | [vpc\_endpoints](#module\_vpc\_endpoints) | ../../modules/vpc-endpoints | | +| [vpc\_endpoints\_nocreate](#module\_vpc\_endpoints\_nocreate) | ../../modules/vpc-endpoints | | ## Resources diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index fe2002a70..bff0c1661 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -12,65 +12,6 @@ locals { } } -################################################################################ -# Supporting Resources -################################################################################ - -data "aws_security_group" "default" { - name = "default" - vpc_id = module.vpc.vpc_id -} - -# Data source used to avoid race condition -data "aws_vpc_endpoint_service" "dynamodb" { - service = "dynamodb" - - filter { - name = "service-type" - values = ["Gateway"] - } -} - -data "aws_iam_policy_document" "dynamodb_endpoint_policy" { - statement { - effect = "Deny" - actions = ["dynamodb:*"] - resources = ["*"] - - principals { - type = "*" - identifiers = ["*"] - } - - condition { - test = "StringNotEquals" - variable = "aws:sourceVpce" - - values = [data.aws_vpc_endpoint_service.dynamodb.id] - } - } -} - -data "aws_iam_policy_document" "generic_endpoint_policy" { - statement { - effect = "Deny" - actions = ["*"] - resources = ["*"] - - principals { - type = "*" - identifiers = ["*"] - } - - condition { - test = "StringNotEquals" - variable = "aws:sourceVpce" - - values = [data.aws_vpc_endpoint_service.dynamodb.id] - } - } -} - ################################################################################ # VPC Module ################################################################################ 
@@ -225,3 +166,68 @@ module "vpc_endpoints" { Endpoint = "true" }) } + +module "vpc_endpoints_nocreate" { + source = "../../modules/vpc-endpoints" + + create = false +} + +################################################################################ +# Supporting Resources +################################################################################ + +data "aws_security_group" "default" { + name = "default" + vpc_id = module.vpc.vpc_id +} + +# Data source used to avoid race condition +data "aws_vpc_endpoint_service" "dynamodb" { + service = "dynamodb" + + filter { + name = "service-type" + values = ["Gateway"] + } +} + +data "aws_iam_policy_document" "dynamodb_endpoint_policy" { + statement { + effect = "Deny" + actions = ["dynamodb:*"] + resources = ["*"] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "StringNotEquals" + variable = "aws:sourceVpce" + + values = [data.aws_vpc_endpoint_service.dynamodb.id] + } + } +} + +data "aws_iam_policy_document" "generic_endpoint_policy" { + statement { + effect = "Deny" + actions = ["*"] + resources = ["*"] + + principals { + type = "*" + identifiers = ["*"] + } + + condition { + test = "StringNotEquals" + variable = "aws:sourceVpce" + + values = [data.aws_vpc_endpoint_service.dynamodb.id] + } + } +} diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf index 608396f45..4dd51d3b2 100644 --- a/examples/vpc-flow-logs/main.tf +++ b/examples/vpc-flow-logs/main.tf 
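Review bot: the two IAM policy documents moved in this hunk condition on `aws:sourceVpce` with `values = [data.aws_vpc_endpoint_service.dynamodb.id]`. `aws:sourceVpce` carries the ID of the VPC endpoint the request arrived through (a `vpce-` ID); the `id` of the `aws_vpc_endpoint_service` data source identifies the service lookup, not an endpoint, so `StringNotEquals` holds for every request and the `Deny` on `dynamodb:*` / `*` applies to all traffic through the endpoint. Referencing the endpoint's own ID from its policy is circular (which is presumably what the "avoid race condition" comment refers to), so the example should either use a condition that does not depend on the endpoint, for instance `aws:SourceVpc` with `module.vpc.vpc_id`, or attach the policy in a second apply. Until then, the complete-vpc README should say that these policy documents illustrate the mechanism and are not a working allow-list.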
@@ -9,6 +9,69 @@ locals { cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}" } +################################################################################ +# VPC Module +################################################################################ + +module "vpc_with_flow_logs_s3_bucket" { + source = "../../" + + name = "vpc-flow-logs-s3-bucket" + cidr = "10.30.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.30.101.0/24"] + + enable_flow_log = true + flow_log_destination_type = "s3" + flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-s3-bucket" + } +} + +# CloudWatch Log Group and IAM role created automatically +module "vpc_with_flow_logs_cloudwatch_logs_default" { + source = "../../" + + name = "vpc-flow-logs-cloudwatch-logs-default" + cidr = "10.10.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.10.101.0/24"] + + # Cloudwatch log group and IAM role will be created + enable_flow_log = true + create_flow_log_cloudwatch_log_group = true + create_flow_log_cloudwatch_iam_role = true + flow_log_max_aggregation_interval = 60 + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-cloudwatch-logs-default" + } +} + +# CloudWatch Log Group and IAM role created separately +module "vpc_with_flow_logs_cloudwatch_logs" { + source = "../../" + + name = "vpc-flow-logs-cloudwatch-logs" + cidr = "10.20.0.0/16" + + azs = ["${local.region}a"] + public_subnets = ["10.20.101.0/24"] + + enable_flow_log = true + flow_log_destination_type = "cloud-watch-logs" + flow_log_destination_arn = aws_cloudwatch_log_group.flow_log.arn + flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn + + vpc_flow_log_tags = { + Name = "vpc-flow-logs-cloudwatch-logs" + } +} + ################################################################################ # Supporting Resources ################################################################################ 
@@ -105,66 +168,3 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" { resources = ["*"] } } - -################################################################################ -# VPC Module -################################################################################ - -module "vpc_with_flow_logs_s3_bucket" { - source = "../../" - - name = "vpc-flow-logs-s3-bucket" - cidr = "10.30.0.0/16" - - azs = ["${local.region}a"] - public_subnets = ["10.30.101.0/24"] - - enable_flow_log = true - flow_log_destination_type = "s3" - flow_log_destination_arn = module.s3_bucket.this_s3_bucket_arn - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-s3-bucket" - } -} - -# CloudWatch Log Group and IAM role created automatically -module "vpc_with_flow_logs_cloudwatch_logs_default" { - source = "../../" - - name = "vpc-flow-logs-cloudwatch-logs-default" - cidr = "10.10.0.0/16" - - azs = ["${local.region}a"] - public_subnets = ["10.10.101.0/24"] - - # Cloudwatch log group and IAM role will be created - enable_flow_log = true - create_flow_log_cloudwatch_log_group = true - create_flow_log_cloudwatch_iam_role = true - flow_log_max_aggregation_interval = 60 - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-cloudwatch-logs-default" - } -} - -# CloudWatch Log Group and IAM role created separately -module "vpc_with_flow_logs_cloudwatch_logs" { - source = "../../" - - name = "vpc-flow-logs-cloudwatch-logs" - cidr = "10.20.0.0/16" - - azs = ["${local.region}a"] - public_subnets = ["10.20.101.0/24"] - - enable_flow_log = true - flow_log_destination_type = "cloud-watch-logs" - flow_log_destination_arn = aws_cloudwatch_log_group.flow_log.arn - flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn - - vpc_flow_log_tags = { - Name = "vpc-flow-logs-cloudwatch-logs" - } -} diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index 95d101463..158c32c51 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md 
@@ -2,36 +2,30 @@ Terraform sub-module which creates VPC endpoint resources on AWS. -The following resources are supported: - -- [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) - ## Usage See [`examples`](./examples) directory for working examples to reference: ```hcl module "endpoints" { - source = "terraform-aws-modules/vpc/aws//vpc-endpoints" + source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" vpc_id = "vpc-12345678" security_group_ids = ["sg-12345678"] - gateway_endpoints = { + endpoints = { s3 = { + # interface endpoint service = "s3" private_dns_enabled = true - route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"] tags = { Name = "s3-vpc-endpoint" } }, dynamodb = { + # gateway endpoint service = "dynamodb" route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"] tags = { Name = "dynamodb-vpc-endpoint" } - } - } - - interface_endpoints = { + }, sns = { service = "sns" subnet_ids = ["subnet-12345678", "subnet-87654321"] 
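Review bot: in the README usage block, the `s3` entry is now commented `# interface endpoint` but nothing in it selects a type, and `dynamodb` is commented `# gateway endpoint` only by virtue of its `route_table_ids`. S3 exposes both a Gateway and an Interface endpoint service, so a lookup on `service = "s3"` alone is ambiguous. If the sub-module accepts a per-endpoint type key that it feeds into the `aws_vpc_endpoint_service` data source's `service_type` argument, the `s3` entry should set it; if it does not, it needs one for exactly this case. Separately, `private_dns_enabled = true` on the S3 Interface entry should be checked against the target region before it ships as the canonical example: if the service does not advertise a private DNS name there, the apply is rejected.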
@@ -86,12 +80,13 @@ No modules. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| +| [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no | | [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no | | [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no | | [subnet\_ids](#input\_subnet\_ids) | Default subnets IDs to associate with the VPC endpoints | `list(string)` | `[]` | no | | [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no | | [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | `map(string)` | `{}` | no | -| [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | n/a | yes | +| [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | `null` | no | ## Outputs diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf index 7434687e0..394d471f0 100644 --- a/modules/vpc-endpoints/main.tf +++ b/modules/vpc-endpoints/main.tf @@ -1,9 +1,13 @@ +locals { + endpoints = var.create ? var.endpoints : {} +} + ################################################################################ # Endpoint(s) ################################################################################ data "aws_vpc_endpoint_service" "this" { - for_each = var.endpoints + for_each = local.endpoints service = lookup(each.value, "service", null) service_name = lookup(each.value, "service_name", null) 
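Review bot: `vpc_id` in variables.tf now defaults to `null` so that `create = false` works without one, but `aws_vpc_endpoint.this` still requires it; with `create = true` and no `vpc_id` the user gets the provider's generic missing-argument error from inside the module rather than a message about the input. A `validation` block cannot help here because it can only reference `var.vpc_id` itself, not `var.create`, so document it instead: the README row for `vpc_id` and the variable description should both say "required when `create` is true".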
@@ -15,7 +19,7 @@ data "aws_vpc_endpoint_service" "this" { } resource "aws_vpc_endpoint" "this" { - for_each = var.endpoints + for_each = local.endpoints vpc_id = var.vpc_id service_name = data.aws_vpc_endpoint_service.this[each.key].service_name diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf index a0dd9cb65..afcebc3d0 100644 --- a/modules/vpc-endpoints/variables.tf +++ b/modules/vpc-endpoints/variables.tf @@ -1,6 +1,13 @@ +variable "create" { + description = "Determines whether resources will be created" + type = bool + default = true +} + variable "vpc_id" { description = "The ID of the VPC in which the endpoint will be used" type = string + default = null } variable "endpoints" { From 0416cec959b9e8064df1d476420d033ea031bf38 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 19 Apr 2021 16:14:27 -0400 Subject: [PATCH 3/4] chore: fix conditional create of vpc endpoint submodule --- modules/vpc-endpoints/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf index 394d471f0..58b3270ee 100644 --- a/modules/vpc-endpoints/main.tf +++ b/modules/vpc-endpoints/main.tf @@ -1,5 +1,5 @@ locals { - endpoints = var.create ? var.endpoints : {} + endpoints = var.create ? var.endpoints : tomap({}) } ################################################################################ From 9cb332e984ffb05da84b367da1f9a3864a30557e Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Mon, 26 Apr 2021 09:47:03 +0200 Subject: [PATCH 4/4] Minor fixes --- .pre-commit-config.yaml | 2 +- README.md | 2 +- examples/complete-vpc/main.tf | 2 +- modules/vpc-endpoints/README.md | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 8814cf617..6dda89313 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
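Review bot: `endpoints = var.create ? var.endpoints : tomap({})` in the patch-3 hunk deserves a comment in the code. `var.endpoints` is typed `any`, and a conditional must unify both branches; with the plain `{}` from patch 2 the false branch is an empty object while the true branch is an object with one attribute per endpoint, which Terraform rejects as inconsistent conditional result types (the failure patch 3 fixes). `tomap({})` works because it gives the false branch a map type with an unconstrained element type that the object on the other side converts to. Without a comment the next contributor will "simplify" it back to `{}` and reintroduce the error.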
@@ -1,6 +1,6 @@ repos: - repo: git://github.com/antonbabenko/pre-commit-terraform - rev: v1.48.0 + rev: v1.50.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/README.md b/README.md index f86098ecd..110dce943 100644 --- a/README.md +++ b/README.md @@ -179,7 +179,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway - [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) - [Simple VPC with secondary CIDR blocks](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/secondary-cidr-blocks) -- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) +- [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) with VPC Endpoints. - [VPC with IPv6 enabled](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/ipv6) - [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) - [VPC Flow Logs](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/vpc-flow-logs) diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf index bff0c1661..042c83a7f 100644 --- a/examples/complete-vpc/main.tf +++ b/examples/complete-vpc/main.tf @@ -1,5 +1,5 @@ provider "aws" { - region = local.region + region = "eu-west-1" } locals { diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md index 158c32c51..f0c45fd8f 100644 --- a/modules/vpc-endpoints/README.md +++ b/modules/vpc-endpoints/README.md @@ -4,7 +4,7 @@ Terraform sub-module which creates VPC endpoint resources on AWS. ## Usage -See [`examples`](./examples) directory for working examples to reference: +See [`examples`](../../examples) directory for working examples to reference: ```hcl module "endpoints" { 
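Review bot: the pre-commit hook source in the first hunk is still fetched over `git://`, which is unauthenticated and unencrypted, so whatever is served at that address at hook-install time runs in every contributor's checkout; switch the `repo` URL to `https://github.com/antonbabenko/pre-commit-terraform`. Pinning `rev` to a tag (`v1.50.0`) is a mutable reference as well; pre-commit accepts a full commit SHA in `rev`, which is the stronger pin for a hook that runs `terraform_validate` on every commit.

Review bot: replacing `region = local.region` with the literal `"eu-west-1"` in the complete-vpc provider block leaves any `region` local in the `locals` block below unused, and diverges from the vpc-flow-logs example in this same series, which still builds AZ names from `local.region`. If the intent is to keep the provider block free of local references, keep the local for `azs` and state the literal in one place only.

Review bot: the new text "with VPC Endpoints." added to the list item in the README hunk, and the matching line in the sub-module README hunk, ends with a period while the neighbouring items do not; keep the list consistent.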
@@ -49,7 +49,7 @@ module "endpoints" { ## Examples -- [Complete-VPC](../../examples/complete-vpc) +- [Complete-VPC](../../examples/complete-vpc) with VPC Endpoints. ## Requirements