adding secrets manager vpc end point support

0f3d57ff · Christian Kemper · 1d5f04ca · 0f3d57ff · 0f3d57ff · 0f3d57ff
Commit 0f3d57ff authored Jul 15, 2019 by Christian Kemper
Show whitespace changes
Inline Side-by-side

Showing with 51 additions and 3 deletions

CHANGELOG.md CHANGELOG.md +2 -2

README.md README.md +4 -1

main.tf main.tf +21 -0

variables.tf variables.tf +24 -0

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
 <a name="unreleased"></a>
 ## [Unreleased]
+- Updated CHANGELOG
+- Added VPC endpoint for Secrets Manager,
 <a name="v2.7.0"></a>
 ## [v2.7.0] - 2019-06-17

--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ These types of resources are supported:
  * Gateway: S3, DynamoDB
  * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
               ECS, ECS Agent, ECS Telemetry, SNS, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing,
-               CloudTrail
+               CloudTrail, Secrets Manager
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
 * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html)
@@ -374,6 +374,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | ssm\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSM endpoint | bool | `"false"` | no |
 | ssm\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSM endpoint | list(string) | `[]` | no |
 | ssm\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSM endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | bool | `"false"` | no |
+| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | list(string) | `[]` | no |
+| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | bool | `"false"` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | list(string) | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |

--- a/main.tf
+++ b/main.tf
@@ -920,6 +920,27 @@ resource "aws_vpc_endpoint" "sqs" {
  private_dns_enabled = var.sqs_endpoint_private_dns_enabled
 }
+###################################
+# VPC Endpoint for Secrets Manager
+###################################
+data "aws_vpc_endpoint_service" "secretsmanager" {
+  count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+  service = "secretsmanager"
+}
+resource "aws_vpc_endpoint" "secretsmanager" {
+  count = var.create_vpc && var.enable_secretsmanager_endpoint ? 1 : 0
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.secretsmanager[0].service_name
+  vpc_endpoint_type = "Interface"
+  security_group_ids  = var.secretsmanager_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled
+}
 #######################
 # VPC Endpoint for SSM
 #######################

--- a/variables.tf
+++ b/variables.tf
@@ -262,6 +262,30 @@ variable "ssm_endpoint_private_dns_enabled" {
  default     = false
 }
+variable "enable_secretsmanager_endpoint" {
+  description = "Should be true if you want to provision an Secrets Manager endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+variable "secretsmanager_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint"
+  type        = list(string)
+  default     = []
+}
+variable "secretsmanager_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+variable "secretsmanager_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint"
+  type        = bool
+  default     = false
+}
 variable "enable_ssmmessages_endpoint" {
  description = "Should be true if you want to provision a SSMMESSAGES endpoint to the VPC"
  type        = bool