Add support for KMS VPC endpoint creation (#243)

08c76596 · Nikos Loutas · Anton Babenko · 39f13386 · 08c76596 · 08c76596
Commit 08c76596 authored Apr 25, 2019 by Nikos Loutas Committed by Anton Babenko Apr 25, 2019
Show whitespace changes
Inline Side-by-side

Showing with 79 additions and 13 deletions

README.md README.md +8 -1

main.tf examples/complete-vpc/main.tf +7 -0

main.tf main.tf +21 -0

outputs.tf outputs.tf +15 -0

variables.tf variables.tf +28 -12

No files found.
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ These types of resources are supported:
 * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
  * Gateway: S3, DynamoDB
-  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway
+  * Interface: EC2, SSM, EC2 Messages, SSM Messages, ECR API, ECR DKR, API Gateway, KMS
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -269,6 +269,7 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | string | `"false"` | no |
 | enable\_ecr\_api\_endpoint | Should be true if you want to provision an ecr api endpoint to the VPC | string | `"false"` | no |
 | enable\_ecr\_dkr\_endpoint | Should be true if you want to provision an ecr dkr endpoint to the VPC | string | `"false"` | no |
+| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | string | `"false"` | no |
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | string | `"false"` | no |
 | enable\_public\_redshift | Controls if redshift should have public routing table | string | `"false"` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | string | `"false"` | no |
@@ -286,6 +287,9 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no |
 | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no |
 | intra\_subnets | A list of intra subnets | list | `[]` | no |
+| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | string | `"false"` | no |
+| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | list | `[]` | no |
+| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list | `[]` | no |
 | manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | string | `"false"` | no |
 | manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no |
 | map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no |
@@ -404,6 +408,9 @@ Terraform version 0.10.3 or newer is required for this module to work.
 | vpc\_endpoint\_ecr\_dkr\_dns\_entry | The DNS entries for the VPC Endpoint for ECR DKR. |
 | vpc\_endpoint\_ecr\_dkr\_id | The ID of VPC endpoint for ECR DKR |
 | vpc\_endpoint\_ecr\_dkr\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECR DKR. |
+| vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
+| vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
+| vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
 | vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |

--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -72,6 +72,13 @@ module "vpc" {
  ecr_dkr_endpoint_private_dns_enabled = true
  ecr_dkr_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  # VPC endpoint for KMS
+  enable_kms_endpoint              = true
+  kms_endpoint_private_dns_enabled = true
+  kms_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  # kms_endpoint_subnet_ids = ["..."]
  tags = {
    Owner       = "user"
    Environment = "staging"

--- a/main.tf
+++ b/main.tf
@@ -809,6 +809,27 @@ resource "aws_vpc_endpoint" "apigw" {
  private_dns_enabled = "${var.apigw_endpoint_private_dns_enabled}"
 }
+#######################
+# VPC Endpoint for KMS
+#######################
+data "aws_vpc_endpoint_service" "kms" {
+  count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}"
+  service = "kms"
+}
+resource "aws_vpc_endpoint" "kms" {
+  count = "${var.create_vpc && var.enable_kms_endpoint ? 1 : 0}"
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.kms.service_name}"
+  vpc_endpoint_type = "Interface"
+  security_group_ids  = ["${var.kms_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
+}
 ##########################
 # Route table association
 ##########################

--- a/outputs.tf
+++ b/outputs.tf
@@ -369,6 +369,21 @@ output "vpc_endpoint_ec2messages_dns_entry" {
  value       = "${flatten(aws_vpc_endpoint.ec2messages.*.dns_entry)}"
 }
+output "vpc_endpoint_kms_id" {
+  description = "The ID of VPC endpoint for KMS"
+  value       = "${element(concat(aws_vpc_endpoint.kms.*.id, list("")), 0)}"
+}
+output "vpc_endpoint_kms_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for KMS."
+  value       = "${flatten(aws_vpc_endpoint.kms.*.network_interface_ids)}"
+}
+output "vpc_endpoint_kms_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for KMS."
+  value       = "${flatten(aws_vpc_endpoint.kms.*.dns_entry)}"
+}
 output "vpc_endpoint_ecr_api_id" {
  description = "The ID of VPC endpoint for ECR API"
  value       = "${element(concat(aws_vpc_endpoint.ecr_api.*.id, list("")), 0)}"

--- a/variables.tf
+++ b/variables.tf
@@ -69,25 +69,21 @@ variable "private_subnets" {
 }
 variable "database_subnets" {
-  type        = "list"
  description = "A list of database subnets"
  default     = []
 }
 variable "redshift_subnets" {
-  type        = "list"
  description = "A list of redshift subnets"
  default     = []
 }
 variable "elasticache_subnets" {
-  type        = "list"
  description = "A list of elasticache subnets"
  default     = []
 }
 variable "intra_subnets" {
-  type        = "list"
  description = "A list of intra subnets"
  default     = []
 }
@@ -174,7 +170,7 @@ variable "reuse_nat_ips" {
 variable "external_nat_ip_ids" {
  description = "List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)"
-  type        = "list"
  default = []
 }
@@ -328,6 +324,26 @@ variable "ecr_dkr_endpoint_security_group_ids" {
  default     = []
 }
+variable "enable_kms_endpoint" {
+  description = "Should be true if you want to provision a KMS endpoint to the VPC"
+  default     = false
+}
+variable "kms_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for KMS endpoint"
+  default     = []
+}
+variable "kms_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+variable "kms_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint"
+  default     = false
+}
 variable "map_public_ip_on_launch" {
  description = "Should be false if you do not want to auto-assign public IP on launch"
  default     = true
@@ -505,19 +521,19 @@ variable "dhcp_options_domain_name" {
 variable "dhcp_options_domain_name_servers" {
  description = "Specify a list of DNS server addresses for DHCP options set, default to AWS provided"
-  type        = "list"
  default = ["AmazonProvidedDNS"]
 }
 variable "dhcp_options_ntp_servers" {
  description = "Specify a list of NTP servers for DHCP options set"
-  type        = "list"
  default = []
 }
 variable "dhcp_options_netbios_name_servers" {
  description = "Specify a list of netbios servers for DHCP options set"
-  type        = "list"
  default = []
 }