From c3340dd023d817885eeb893d65d9af96e1dffb1b Mon Sep 17 00:00:00 2001 From: Hao Chen Date: Fri, 11 Sep 2020 10:26:32 +0800 Subject: [PATCH 1/6] Add ability to provision rds endpoint to vpc --- variables.tf | 6 ++++++ vpc-endpoints.tf | 31 +++++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/variables.tf b/variables.tf index 5881d501c..5c17d0aa5 100644 --- a/variables.tf +++ b/variables.tf @@ -1646,6 +1646,12 @@ variable "enable_acm_pca_endpoint" { default = false } +variable "enable_rds_endpoint" { + description = "Should be true if you want to provision an RDS endpoint to the VPC" + type = bool + default = false +} + variable "acm_pca_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint" default = [] diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf index d342bab72..cbbb049d2 100644 --- a/vpc-endpoints.tf +++ b/vpc-endpoints.tf 
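Review bot: The description of `enable_rds_endpoint` does not say which RDS service the endpoint reaches, and a reader may assume it carries database connections; the companion hunk uses `service = "rds"`, which is the RDS control-plane API, so database traffic does not traverse it. I would write `description = "Should be true if you want to provision an RDS API endpoint (com.amazonaws.<region>.rds) to the VPC; database connections do not use this endpoint"`. The new variable is also inserted between `enable_acm_pca_endpoint` and `acm_pca_endpoint_security_group_ids`, splitting the ACM PCA group; placing it after the ACM PCA variables would keep the per-service grouping the file otherwise follows.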
@@ -1348,3 +1348,34 @@ resource "aws_vpc_endpoint" "ses" { tags = local.vpce_tags } + +###################### +# VPC Endpoint for RDS +###################### +data "aws_vpc_endpoint_service" "rds" { + count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0 + + service = "rds" +} + +resource "aws_vpc_endpoint" "rds" { + count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0 + + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.rds[0].service_name + tags = local.vpce_tags +} + +resource "aws_vpc_endpoint_route_table_association" "private_rds" { + count = var.create_vpc && var.enable_rds_endpoint ? local.nat_gateway_count : 0 + + vpc_endpoint_id = aws_vpc_endpoint.rds[0].id + route_table_id = element(aws_route_table.private.*.id, count.index) +} + +resource "aws_vpc_endpoint_route_table_association" "intra_rds" { + count = var.create_vpc && var.enable_rds_endpoint && length(var.intra_subnets) > 0 ? 1 : 0 + + vpc_endpoint_id = aws_vpc_endpoint.rds[0].id + route_table_id = element(aws_route_table.intra.*.id, 0) +} From 2b5ecfec5d45e1c506f7c263fca1e34fe60cd5e9 Mon Sep 17 00:00:00 2001 From: Hao Chen Date: Fri, 11 Sep 2020 11:25:23 +0800 Subject: [PATCH 2/6] changed endpoint type to Interface --- variables.tf | 18 ++++++++++++++++++ vpc-endpoints.tf | 18 +++++------------- 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/variables.tf b/variables.tf index 5c17d0aa5..6bb17ef2a 100644 --- a/variables.tf +++ b/variables.tf 
@@ -1652,6 +1652,24 @@ variable "enable_rds_endpoint" { default = false } +variable "rds_endpoint_security_group_ids" { + description = "The ID of one or more security groups to associate with the network interface for RDS endpoint" + type = list(string) + default = [] +} + +variable "rds_endpoint_subnet_ids" { + description = "The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + type = list(string) + default = [] +} + +variable "rds_endpoint_private_dns_enabled" { + description = "Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint" + type = bool + default = false +} + variable "acm_pca_endpoint_security_group_ids" { description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint" default = [] diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf index cbbb049d2..625fbe3ca 100644 --- a/vpc-endpoints.tf +++ b/vpc-endpoints.tf 
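Review bot: `rds_endpoint_private_dns_enabled` defaults to `false`, and its description does not say what that means for callers: without private DNS the regional name `rds.<region>.amazonaws.com` keeps resolving to public addresses, so API calls only use the endpoint when clients are pointed at its endpoint-specific DNS names. I would extend the description to `Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint. When false, clients must be configured with the endpoint-specific DNS names to reach the RDS API through the endpoint.` The other two descriptions are copied from the SQS/SSM variables, which is consistent with the file.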
@@ -1363,19 +1363,11 @@ resource "aws_vpc_endpoint" "rds" { vpc_id = local.vpc_id service_name = data.aws_vpc_endpoint_service.rds[0].service_name - tags = local.vpce_tags -} - -resource "aws_vpc_endpoint_route_table_association" "private_rds" { - count = var.create_vpc && var.enable_rds_endpoint ? local.nat_gateway_count : 0 - - vpc_endpoint_id = aws_vpc_endpoint.rds[0].id - route_table_id = element(aws_route_table.private.*.id, count.index) -} + vpc_endpoint_type = "Interface" -resource "aws_vpc_endpoint_route_table_association" "intra_rds" { - count = var.create_vpc && var.enable_rds_endpoint && length(var.intra_subnets) > 0 ? 1 : 0 + security_group_ids = var.rds_endpoint_security_group_ids + subnet_ids = coalescelist(var.rds_endpoint_subnet_ids, aws_subnet.private.*.id) + private_dns_enabled = var.rds_endpoint_private_dns_enabled - vpc_endpoint_id = aws_vpc_endpoint.rds[0].id - route_table_id = element(aws_route_table.intra.*.id, 0) + tags = local.vpce_tags } From d58b650481ed26d034d1af665f4a1e1f23864955 Mon Sep 17 00:00:00 2001 From: Hao Chen Date: Fri, 11 Sep 2020 12:01:25 +0800 Subject: [PATCH 3/6] updated README.md --- README.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 0cb7eed89..d82fba907 100644 --- a/README.md +++ b/README.md 
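Review bot: `security_group_ids = var.rds_endpoint_security_group_ids` is passed through with a default of `[]`, so by default the endpoint's network interfaces get no module-chosen security group and AWS falls back to the VPC default security group (as I recall the API behaviour; worth confirming against the provider docs), which is usually permissive within the VPC. A comment on that line, `# empty list => AWS attaches the VPC default security group; pass an explicit SG to restrict who can reach the RDS API`, would make the default visible to module users. No `policy` argument is set either, so the endpoint carries AWS's default full-access endpoint policy; if the other interface endpoints in this file also omit it this is consistent, but the block header comment should say so. The `resource "aws_vpc_endpoint" "rds"` header and its `count` line are outside this hunk.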
@@ -26,7 +26,7 @@ Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(No CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream, Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR), DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access Analyzer, Auto Scaling Plans, -Application Auto Scaling, Workspaces, ACM PCA. +Application Auto Scaling, Workspaces, ACM PCA, RDS. * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html) * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html) @@ -446,6 +446,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | enable\_sms\_endpoint | Should be true if you want to provision an SMS endpoint to the VPC | `bool` | `false` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | `bool` | `false` | no | | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | `bool` | `false` | no | +| enable\_rds\_endpoint | Should be true if you want to provision an RDS endpoint to the VPC | `bool` | `false` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | `bool` | `false` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | `bool` | `false` | no | | enable\_states\_endpoint | Should be true if you want to provision a Step Function endpoint to the VPC | `bool` | `false` | no | 
@@ -581,6 +582,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | `bool` | `false` | no | | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | `list` | `[]` | no | | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | +| rds\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint | `bool` | `false` | no | +| rds\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for RDS endpoint | `list` | `[]` | no | +| rds\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | `bool` | `false` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | `list(string)` | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | 
@@ -853,8 +857,11 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS | | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. | | vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. | -| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS | +| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for RDS | | vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. | +| vpc\_endpoint\_rds\_dns\_entry | The DNS entries for the VPC Endpoint for RDS. | +| vpc\_endpoint\_rds\_id | The ID of VPC endpoint for RDS | +| vpc\_endpoint\_rds\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | From 774c6f8a36782b822a8830d2cfcaa9c043eb3441 Mon Sep 17 00:00:00 2001 From: Hao Chen Date: Fri, 11 Sep 2020 12:20:43 +0800 Subject: [PATCH 4/6] fixed typo --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index d82fba907..446987b06 100644 --- a/README.md +++ b/README.md 
@@ -857,8 +857,8 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS | | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. | | vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. | -| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for RDS | -| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. | +| vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS | +| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | | vpc\_endpoint\_rds\_dns\_entry | The DNS entries for the VPC Endpoint for RDS. | | vpc\_endpoint\_rds\_id | The ID of VPC endpoint for RDS | | vpc\_endpoint\_rds\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | From 944d4ffd5383074a58b483c8acd75c9c78d77746 Mon Sep 17 00:00:00 2001 From: Hao Chen Date: Fri, 11 Sep 2020 12:21:32 +0800 Subject: [PATCH 5/6] fixed typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 446987b06..f53925efb 100644 --- a/README.md +++ b/README.md 
@@ -858,7 +858,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. | | vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. | | vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS | -| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | +| vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. | | vpc\_endpoint\_rds\_dns\_entry | The DNS entries for the VPC Endpoint for RDS. | | vpc\_endpoint\_rds\_id | The ID of VPC endpoint for RDS | | vpc\_endpoint\_rds\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | From 74cd164c89dea94d03b3d4b7c962715fe9850d98 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 11 Sep 2020 13:25:36 +0200 Subject: [PATCH 6/6] fix: Fixed formatting --- README.md | 13 +++++-------- variables.tf | 2 +- vpc-endpoints.tf | 4 ++-- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index f53925efb..57d211a45 100644 --- a/README.md +++ b/README.md 
@@ -242,7 +242,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | access\_analyzer\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | | acm\_pca\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no | | acm\_pca\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list` | `[]` | no | -| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | +| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | | amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no | | apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no | | apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | `list(string)` | `[]` | no | 
@@ -435,6 +435,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no | | enable\_public\_redshift | Controls if redshift should have public routing table | `bool` | `false` | no | | enable\_qldb\_session\_endpoint | Should be true if you want to provision an QLDB Session endpoint to the VPC | `bool` | `false` | no | +| enable\_rds\_endpoint | Should be true if you want to provision an RDS endpoint to the VPC | `bool` | `false` | no | | enable\_rekognition\_endpoint | Should be true if you want to provision a Rekognition endpoint to the VPC | `bool` | `false` | no | | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | `bool` | `false` | no | | enable\_sagemaker\_api\_endpoint | Should be true if you want to provision a SageMaker API endpoint to the VPC | `bool` | `false` | no | @@ -446,7 +447,6 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | enable\_sms\_endpoint | Should be true if you want to provision an SMS endpoint to the VPC | `bool` | `false` | no | | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | `bool` | `false` | no | | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | `bool` | `false` | no | -| enable\_rds\_endpoint | Should be true if you want to provision an RDS endpoint to the VPC | `bool` | `false` | no | | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | `bool` | `false` | no | | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | `bool` | `false` | no | | enable\_states\_endpoint | Should be true if you want to provision a Step Function endpoint to the VPC | `bool` | `false` | no | 
@@ -537,6 +537,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | qldb\_session\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint | `bool` | `false` | no | | qldb\_session\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for QLDB Session endpoint | `list(string)` | `[]` | no | | qldb\_session\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no | +| rds\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint | `bool` | `false` | no | +| rds\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for RDS endpoint | `list(string)` | `[]` | no | +| rds\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | | redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no | | redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | `bool` | `false` | no | | redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | `list(map(string))` |
[
{
"cidr_block": "0.0.0.0/0",
"from_port": 0,
"protocol": "-1",
"rule_action": "allow",
"rule_number": 100,
"to_port": 0
}
]
| no | @@ -582,9 +585,6 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | `bool` | `false` | no | | sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | `list` | `[]` | no | | sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | -| rds\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for RDS endpoint | `bool` | `false` | no | -| rds\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for RDS endpoint | `list` | `[]` | no | -| rds\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for RDS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no | | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | `bool` | `false` | no | | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | `list(string)` | `[]` | no | | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no | 
@@ -859,9 +859,6 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway | vpc\_endpoint\_sqs\_dns\_entry | The DNS entries for the VPC Endpoint for SQS. | | vpc\_endpoint\_sqs\_id | The ID of VPC endpoint for SQS | | vpc\_endpoint\_sqs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SQS. | -| vpc\_endpoint\_rds\_dns\_entry | The DNS entries for the VPC Endpoint for RDS. | -| vpc\_endpoint\_rds\_id | The ID of VPC endpoint for RDS | -| vpc\_endpoint\_rds\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for RDS. | | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. | | vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM | | vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. | diff --git a/variables.tf b/variables.tf index 6bb17ef2a..5afa82c9f 100644 --- a/variables.tf +++ b/variables.tf @@ -1676,7 +1676,7 @@ variable "acm_pca_endpoint_security_group_ids" { } variable "acm_pca_endpoint_subnet_ids" { - description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." + description = "The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used." default = [] } diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf index 625fbe3ca..2d5b39b16 100644 --- a/vpc-endpoints.tf +++ b/vpc-endpoints.tf 
@@ -1361,8 +1361,8 @@ data "aws_vpc_endpoint_service" "rds" { resource "aws_vpc_endpoint" "rds" { count = var.create_vpc && var.enable_rds_endpoint ? 1 : 0 - vpc_id = local.vpc_id - service_name = data.aws_vpc_endpoint_service.rds[0].service_name + vpc_id = local.vpc_id + service_name = data.aws_vpc_endpoint_service.rds[0].service_name vpc_endpoint_type = "Interface" security_group_ids = var.rds_endpoint_security_group_ids