fix: Correct `for_each` map on VPC endpoints to propagate endpoint maps correctly (#729)

19fcf0d6 · Bryant Biggs · GitHub · 5f5d8776 · 19fcf0d6 · 19fcf0d6
Commit 19fcf0d6 authored Jan 11, 2022 by Bryant Biggs Committed by GitHub Jan 11, 2022
Showing with 123 additions and 107 deletions

README.md examples/complete-vpc/README.md +1 -0

main.tf examples/complete-vpc/main.tf +19 -0

main.tf modules/vpc-endpoints/main.tf +2 -6

outputs.tf outputs.tf +101 -101

No files found.
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -42,6 +42,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name | Type |
 |------|------|
+| [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |

--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -102,6 +102,7 @@ module "vpc_endpoints" {
      service             = "ssm"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
    },
    ssmmessages = {
      service             = "ssmmessages"
@@ -127,6 +128,7 @@ module "vpc_endpoints" {
      service             = "ec2"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
    },
    ec2messages = {
      service             = "ec2messages"
@@ -149,6 +151,7 @@ module "vpc_endpoints" {
      service             = "kms"
      private_dns_enabled = true
      subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
    },
    codedeploy = {
      service             = "codedeploy"
@@ -232,3 +235,19 @@ data "aws_iam_policy_document" "generic_endpoint_policy" {
    }
  }
 }
+
+resource "aws_security_group" "vpc_tls" {
+  name_prefix = "${local.name}-vpc_tls"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  tags = local.tags
+}
--- a/modules/vpc-endpoints/main.tf
+++ b/modules/vpc-endpoints/main.tf
-locals {
-  endpoints = var.create ? var.endpoints : tomap({})
-}
-
 ################################################################################
 # Endpoint(s)
 ################################################################################

 data "aws_vpc_endpoint_service" "this" {
-  for_each = local.endpoints
+  for_each = { for k, v in var.endpoints : k => v if var.create }

  service      = lookup(each.value, "service", null)
  service_name = lookup(each.value, "service_name", null)
@@ -19,7 +15,7 @@ data "aws_vpc_endpoint_service" "this" {
 }

 resource "aws_vpc_endpoint" "this" {
-  for_each = local.endpoints
+  for_each = { for k, v in var.endpoints : k => v if var.create }

  vpc_id            = var.vpc_id
  service_name      = data.aws_vpc_endpoint_service.this[each.key].service_name

--- a/outputs.tf
+++ b/outputs.tf