diff --git a/README.md b/README.md
index 0cb7eed89..57d211a45 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(No
 CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream, Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR), DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access Analyzer, Auto Scaling Plans,
-Application Auto Scaling, Workspaces, ACM PCA.
+Application Auto Scaling, Workspaces, ACM PCA, RDS.
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
@@ -242,7 +242,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | access\_analyzer\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | acm\_pca\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no |
 | acm\_pca\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list` | `[]` | no |
-| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no |
+| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no |
 | amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
 | apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no |
 | apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | `list(string)` | `[]` | no |
@@ -435,6 +435,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
 | enable\_public\_redshift | Controls if redshift should have public routing table | `bool` | `false` | no |
 | enable\_qldb\_session\_endpoint | Should be true if you want to provision an QLDB Session endpoint to the VPC | `bool` | `false` | no |
+| enable\_rds\_endpoint | Should be true if you want to provision an RDS endpoint to the VPC | `bool` | `false` | no |
 | enable\_rekognition\_endpoint | Should be true if you want to provision a Rekognition endpoint to the VPC | `bool` | `false` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | `bool` | `false` | no |
 | enable\_sagemaker\_api\_endpoint | Should be true if you want to provision a SageMaker API endpoint to the VPC | `bool` | `false` | no |
@@ -536,6 +537,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | qldb\_session\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint | `bool` | `false` | no |
 | qldb\_session\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for QLDB Session endpoint | `list(string)` | `[]` | no |
 | qldb\_session\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
+| rds\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint | `bool` | `false` | no |
+| rds\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for RDS endpoint | `list(string)` | `[]` | no |
+| rds\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no |
 | redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | `bool` | `false` | no |
 | redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no |
diff --git a/variables.tf b/variables.tf
index 5881d501c..5afa82c9f 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1646,13 +1646,37 @@ variable "enable_acm_pca_endpoint" {
 default = false
 }
+variable "enable_rds_endpoint" {
+ description = "Should be true if you want to provision an RDS endpoint to the VPC"
+ type = bool
+ default = false
+}
+
+variable "rds_endpoint_security_group_ids" {
+ description = "The ID of one or more security groups to associate with the network interface for RDS endpoint"
+ type = list(string)
+ default = []
+}
+
+variable "rds_endpoint_subnet_ids" {
+ description = "The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ type = list(string)
+ default = []
+}
+
+variable "rds_endpoint_private_dns_enabled" {
+ description = "Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint"
+ type = bool
+ default = false
+}
+
 variable "acm_pca_endpoint_security_group_ids" {
 description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint"
 default = []
 }
 variable "acm_pca_endpoint_subnet_ids" {
- description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+ description = "The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
 default = []
 }
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
index d342bab72..2d5b39b16 100644
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
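Review bot: The description of the new `rds_endpoint_security_group_ids` variable does not say what an empty list means, even though `[]` is its default and the endpoint resource in vpc-endpoints.tf passes the list through unchanged. As far as I recall from the AWS provider docs, an Interface endpoint created with no security groups is attached to the VPC's default security group, so the default silently decides who can reach the endpoint ENI. I would state that in the description: `description = "The ID of one or more security groups to associate with the network interface for RDS endpoint. If omitted, the VPC default security group is associated with the endpoint."`. The adjacent ACM PCA variables in the context lines have the same gap and also lack a `type` constraint, but that is outside this change; the `type = list(string)` on the new variables is the better pattern.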
@@ -1348,3 +1348,26 @@ resource "aws_vpc_endpoint" "ses" {
 tags = local.vpce_tags
 }
+
+######################
+# VPC Endpoint for RDS
+######################
+data "aws_vpc_endpoint_service" "rds" {
+ count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0
+
+ service = "rds"
+}
+
+resource "aws_vpc_endpoint" "rds" {
+ count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0
+
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.rds[0].service_name
+ vpc_endpoint_type = "Interface"
+
+ security_group_ids = var.rds_endpoint_security_group_ids
+ subnet_ids = coalescelist(var.rds_endpoint_subnet_ids, aws_subnet.private.*.id)
+ private_dns_enabled = var.rds_endpoint_private_dns_enabled
+
+ tags = local.vpce_tags
+}
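Review bot: `security_group_ids = var.rds_endpoint_security_group_ids` hands the caller's list straight to the endpoint, and that variable defaults to `[]` in the variables.tf hunk, so with no input the endpoint ENIs end up on the VPC's default security group (the AWS provider behaviour for Interface endpoints, as I recall it) — a default group that was ever widened then exposes this ENI on TCP 443 to the whole VPC, with nothing in the resource to warn the operator. Since the surrounding file appears to follow the same pattern for every endpoint, I would at least add a comment above the resource: `# NOTE: an empty security_group_ids list makes AWS attach the VPC default security group to the endpoint ENIs; pass an explicit least-privilege group in production.`. Two further caveats worth a comment: the `coalescelist(...)` fallback to all private subnets will fail at apply time if the VPC has more than one private subnet per AZ (the variable description itself says only one subnet per AZ is supported), and with `private_dns_enabled` defaulting to false clients that resolve the regional `rds` hostname are not routed through this endpoint unless they use its endpoint-specific DNS name.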