Extend endpoints for AWS Systems Manager use

README.md

@@ -211,6 +211,9 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | string | `"false"` | no |
 | ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | list | `[]` | no |
 | ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | string | `"false"` | no |
+| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | list | `[]` | no |
+| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no |
 | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no |
 | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no |
@@ -220,9 +223,11 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | enable\_dns\_support | Should be true to enable DNS support in the VPC | string | `"true"` | no |
 | enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | string | `"false"` | no |
 | enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | string | `"false"` | no |
+| enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no |
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no |
 | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | string | `"false"` | no |
+| enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | string | `"false"` | no |
 | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | string | `"false"` | no |
 | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no |
 | igw\_tags | Additional tags for the internet gateway | map | `{}` | no |
@@ -257,6 +262,9 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | string | `"false"` | no |
 | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list | `[]` | no |
 | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
+| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | string | `"false"` | no |
+| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list | `[]` | no |
+| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | tags | A map of tags to add to all resources | map | `{}` | no |
 | vpc\_tags | Additional tags for the VPC | map | `{}` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | string | `""` | no |
@@ -314,11 +322,17 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | vpc\_endpoint\_ec2\_dns\_entry | The DNS entries for the VPC Endpoint for EC2. |
 | vpc\_endpoint\_ec2\_id | The ID of VPC endpoint for EC2 |
 | vpc\_endpoint\_ec2\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 |
+| vpc\_endpoint\_ec2messages\_dns\_entry | The DNS entries for the VPC Endpoint for EC2MESSAGES. |
+| vpc\_endpoint\_ec2messages\_id | The ID of VPC endpoint for EC2MESSAGES |
+| vpc\_endpoint\_ec2messages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2MESSAGES |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
 | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
 | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |
+| vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
+| vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_id | The ID of the VPC |
 | vpc\_instance\_tenancy | Tenancy of instances spin up within VPC |
 | vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC |

examples/complete-vpc/main.tf

@@ -49,10 +49,18 @@ module "vpc" {
 
   //  ssm_endpoint_subnet_ids = ["..."]
 
+  # VPC endpoint for SSMMESSAGES
+  enable_ssmmessages_endpoint              = true
+  ssmmessages_endpoint_private_dns_enabled = true
+  ssmmessages_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
   # VPC Endpoint for EC2
   enable_ec2_endpoint              = true
   ec2_endpoint_private_dns_enabled = true
   ec2_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  # VPC Endpoint for EC2MESSAGES
+  enable_ec2messages_endpoint              = true
+  ec2messages_endpoint_private_dns_enabled = true
+  ec2messages_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
   tags = {
     Owner       = "user"
     Environment = "staging"

main.tf

@@ -404,9 +404,9 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
   route_table_id  = "${aws_route_table.public.id}"
 }
 
-######################
+#######################
 # VPC Endpoint for SSM
-######################
+#######################
 data "aws_vpc_endpoint_service" "ssm" {
   count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
 
@@ -425,9 +425,30 @@ resource "aws_vpc_endpoint" "ssm" {
   private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}"
 }
 
-######################
+###############################
+# VPC Endpoint for SSMMESSAGES
+###############################
+data "aws_vpc_endpoint_service" "ssmmessages" {
+  count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}"
+
+  service = "ssmmessages"
+}
+
+resource "aws_vpc_endpoint" "ssmmessages" {
+  count = "${var.create_vpc && var.enable_ssmmessages_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ssmmessages.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ssmmessages_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ssmmessages_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ssmmessages_endpoint_private_dns_enabled}"
+}
+
+#######################
 # VPC Endpoint for EC2
-######################
+#######################
 data "aws_vpc_endpoint_service" "ec2" {
   count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}"
 
@@ -446,6 +467,27 @@ resource "aws_vpc_endpoint" "ec2" {
   private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}"
 }
 
+###############################
+# VPC Endpoint for EC2MESSAGES
+###############################
+data "aws_vpc_endpoint_service" "ec2messages" {
+  count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}"
+
+  service = "ec2messages"
+}
+
+resource "aws_vpc_endpoint" "ec2messages" {
+  count = "${var.create_vpc && var.enable_ec2messages_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ec2messages.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ec2messages_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ec2messages_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ec2messages_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################

outputs.tf

@@ -294,6 +294,21 @@ output "vpc_endpoint_ssm_dns_entry" {
   value       = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}"
 }
 
+output "vpc_endpoint_ssmmessages_id" {
+  description = "The ID of VPC endpoint for SSMMESSAGES"
+  value       = "${element(concat(aws_vpc_endpoint.ssmmessages.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ssmmessages_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SSMMESSAGES."
+  value       = "${flatten(aws_vpc_endpoint.ssmmessages.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ssmmessages_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SSMMESSAGES."
+  value       = "${flatten(aws_vpc_endpoint.ssmmessages.*.dns_entry)}"
+}
+
 output "vpc_endpoint_ec2_id" {
   description = "The ID of VPC endpoint for EC2"
   value       = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}"
@@ -309,6 +324,21 @@ output "vpc_endpoint_ec2_dns_entry" {
   value       = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}"
 }
 
+output "vpc_endpoint_ec2messages_id" {
+  description = "The ID of VPC endpoint for EC2MESSAGES"
+  value       = "${element(concat(aws_vpc_endpoint.ec2messages.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ec2messages_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EC2MESSAGES"
+  value       = "${flatten(aws_vpc_endpoint.ec2messages.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ec2messages_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for EC2MESSAGES."
+  value       = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"

variables.tf

@@ -198,6 +198,26 @@ variable "ssm_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_ssmmessages_endpoint" {
+  description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
+  default     = false
+}
+
+variable "ssmmessages_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint"
+  default     = []
+}
+
+variable "ssmmessages_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "ssmmessages_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint"
+  default     = false
+}
+
 variable "enable_ec2_endpoint" {
   description = "Should be true if you want to provision an EC2 endpoint to the VPC"
   default     = false
@@ -218,6 +238,26 @@ variable "ec2_endpoint_subnet_ids" {
   default     = []
 }
 
+variable "enable_ec2messages_endpoint" {
+  description = "Should be true if you want to provision an EC2MESSAGES endpoint to the VPC"
+  default     = false
+}
+
+variable "ec2messages_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint"
+  default     = []
+}
+
+variable "ec2messages_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint"
+  default     = false
+}
+
+variable "ec2messages_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   default     = true