Added VPC Endpoints for AppStream, Athena & Rekognition (#335)

README.md

@@ -20,7 +20,8 @@ These types of resources are supported:
 ECS, ECS Agent, ECS Telemetry, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), 
 Elastic Load Balancing, CloudTrail, Secrets Manager, Config, CodeBuild, CodeCommit, 
 Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), 
-CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog
+CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream,
+Athena, Rekognition
 
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
@@ -216,7 +217,13 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | appmesh\_envoy\_management\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint | bool | `"false"` | no |
 | appmesh\_envoy\_management\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for AppMesh endpoint | list(string) | `[]` | no |
 | appmesh\_envoy\_management\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| appstream\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for AppStream endpoint | bool | `"false"` | no |
+| appstream\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for AppStream endpoint | list(string) | `[]` | no |
+| appstream\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for AppStream endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | assign\_ipv6\_address\_on\_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map_public_ip_on_launch | bool | `"false"` | no |
+| athena\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | bool | `"false"` | no |
+| athena\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Athena endpoint | list(string) | `[]` | no |
+| athena\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | azs | A list of availability zones in the region | list(string) | `[]` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no |
 | cloudformation\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint | bool | `"false"` | no |
@@ -308,6 +315,8 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | bool | `"false"` | no |
 | enable\_appmesh\_envoy\_management\_endpoint | Should be true if you want to provision a AppMesh endpoint to the VPC | bool | `"false"` | no |
+| enable\_appstream\_endpoint | Should be true if you want to provision a AppStream endpoint to the VPC | bool | `"false"` | no |
+| enable\_athena\_endpoint | Should be true if you want to provision a Athena endpoint to the VPC | bool | `"false"` | no |
 | enable\_classiclink | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool | `"null"` | no |
 | enable\_classiclink\_dns\_support | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool | `"null"` | no |
 | enable\_cloudformation\_endpoint | Should be true if you want to provision a Cloudformation endpoint to the VPC | bool | `"false"` | no |
@@ -339,6 +348,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | bool | `"false"` | no |
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | `"false"` | no |
 | enable\_public\_redshift | Controls if redshift should have public routing table | bool | `"false"` | no |
+| enable\_rekognition\_endpoint | Should be true if you want to provision a Rekognition endpoint to the VPC | bool | `"false"` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | bool | `"false"` | no |
 | enable\_sagemaker\_api\_endpoint | Should be true if you want to provision a SageMaker API endpoint to the VPC | bool | `"false"` | no |
 | enable\_sagemaker\_notebook\_endpoint | Should be true if you want to provision a Sagemaker Notebook endpoint to the VPC | bool | `"false"` | no |
@@ -431,6 +441,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no |
 | redshift\_subnet\_tags | Additional tags for the redshift subnets | map(string) | `{}` | no |
 | redshift\_subnets | A list of redshift subnets | list(string) | `[]` | no |
+| rekognition\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint | bool | `"false"` | no |
+| rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | list(string) | `[]` | no |
+| rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | `"false"` | no |
 | sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | bool | `"false"` | no |
 | sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | list(string) | `[]` | no |
@@ -554,6 +567,12 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_appmesh\_envoy\_management\_dns\_entry | The DNS entries for the VPC Endpoint for AppMesh. |
 | vpc\_endpoint\_appmesh\_envoy\_management\_id | The ID of VPC endpoint for AppMesh |
 | vpc\_endpoint\_appmesh\_envoy\_management\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for AppMesh. |
+| vpc\_endpoint\_appstream\_dns\_entry | The DNS entries for the VPC Endpoint for AppStream. |
+| vpc\_endpoint\_appstream\_id | The ID of VPC endpoint for AppStream |
+| vpc\_endpoint\_appstream\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for AppStream. |
+| vpc\_endpoint\_athena\_dns\_entry | The DNS entries for the VPC Endpoint for Athena. |
+| vpc\_endpoint\_athena\_id | The ID of VPC endpoint for Athena |
+| vpc\_endpoint\_athena\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Athena. |
 | vpc\_endpoint\_cloudformation\_dns\_entry | The DNS entries for the VPC Endpoint for Cloudformation. |
 | vpc\_endpoint\_cloudformation\_id | The ID of VPC endpoint for Cloudformation |
 | vpc\_endpoint\_cloudformation\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Cloudformation. |
@@ -622,6 +641,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
 | vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
 | vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
+| vpc\_endpoint\_rekognition\_dns\_entry | The DNS entries for the VPC Endpoint for Rekognition. |
+| vpc\_endpoint\_rekognition\_id | The ID of VPC endpoint for Rekognition |
+| vpc\_endpoint\_rekognition\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Rekognition. |
 | vpc\_endpoint\_s3\_id | The ID of VPC endpoint for S3 |
 | vpc\_endpoint\_s3\_pl\_id | The prefix list for the S3 VPC endpoint. |
 | vpc\_endpoint\_sagemaker\_api\_dns\_entry | The DNS entries for the VPC Endpoint for SageMaker API. |

outputs.tf

@@ -901,6 +901,7 @@ output "vpc_endpoint_sagemaker_api_dns_entry" {
   description = "The DNS entries for the VPC Endpoint for SageMaker API."
   value       = flatten(aws_vpc_endpoint.sagemaker_api.*.dns_entry)
 }
+
 output "vpc_endpoint_sagemaker_runtime_id" {
   description = "The ID of VPC endpoint for SageMaker Runtime"
   value       = concat(aws_vpc_endpoint.sagemaker_runtime.*.id, [""])[0]
@@ -916,6 +917,51 @@ output "vpc_endpoint_sagemaker_runtime_dns_entry" {
   value       = flatten(aws_vpc_endpoint.sagemaker_runtime.*.dns_entry)
 }
 
+output "vpc_endpoint_appstream_id" {
+  description = "The ID of VPC endpoint for AppStream"
+  value       = concat(aws_vpc_endpoint.appstream.*.id, [""])[0]
+}
+
+output "vpc_endpoint_appstream_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for AppStream."
+  value       = flatten(aws_vpc_endpoint.appstream.*.network_interface_ids)
+}
+
+output "vpc_endpoint_appstream_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for AppStream."
+  value       = flatten(aws_vpc_endpoint.appstream.*.dns_entry)
+}
+
+output "vpc_endpoint_athena_id" {
+  description = "The ID of VPC endpoint for Athena"
+  value       = concat(aws_vpc_endpoint.athena.*.id, [""])[0]
+}
+
+output "vpc_endpoint_athena_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Athena."
+  value       = flatten(aws_vpc_endpoint.athena.*.network_interface_ids)
+}
+
+output "vpc_endpoint_athena_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Athena."
+  value       = flatten(aws_vpc_endpoint.athena.*.dns_entry)
+}
+
+output "vpc_endpoint_rekognition_id" {
+  description = "The ID of VPC endpoint for Rekognition"
+  value       = concat(aws_vpc_endpoint.rekognition.*.id, [""])[0]
+}
+
+output "vpc_endpoint_rekognition_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Rekognition."
+  value       = flatten(aws_vpc_endpoint.rekognition.*.network_interface_ids)
+}
+
+output "vpc_endpoint_rekognition_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Rekognition."
+  value       = flatten(aws_vpc_endpoint.rekognition.*.dns_entry)
+}
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"

variables.tf

@@ -1178,6 +1178,78 @@ variable "sagemaker_runtime_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_appstream_endpoint" {
+  description = "Should be true if you want to provision a AppStream endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "appstream_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for AppStream endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "appstream_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for AppStream endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "appstream_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for AppStream endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_athena_endpoint" {
+  description = "Should be true if you want to provision a Athena endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "athena_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Athena endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "athena_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "athena_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_rekognition_endpoint" {
+  description = "Should be true if you want to provision a Rekognition endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "rekognition_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Rekognition endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "rekognition_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "rekognition_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool

vpc-endpoints.tf

@@ -891,3 +891,69 @@ resource "aws_vpc_endpoint" "sagemaker_runtime" {
   private_dns_enabled = var.sagemaker_runtime_endpoint_private_dns_enabled
   tags                = local.vpce_tags
 }
+
+#############################
+# VPC Endpoint for AppStream
+#############################
+data "aws_vpc_endpoint_service" "appstream" {
+  count = var.create_vpc && var.enable_appstream_endpoint ? 1 : 0
+
+  service = "appstream"
+}
+
+resource "aws_vpc_endpoint" "appstream" {
+  count = var.create_vpc && var.enable_appstream_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.appstream[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.appstream_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.appstream_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.appstream_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for Athena
+#############################
+data "aws_vpc_endpoint_service" "athena" {
+  count = var.create_vpc && var.enable_athena_endpoint ? 1 : 0
+
+  service = "athena"
+}
+
+resource "aws_vpc_endpoint" "athena" {
+  count = var.create_vpc && var.enable_athena_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.athena[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.athena_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.athena_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.athena_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for Rekognition
+#############################
+data "aws_vpc_endpoint_service" "rekognition" {
+  count = var.create_vpc && var.enable_rekognition_endpoint ? 1 : 0
+
+  service = "rekognition"
+}
+
+resource "aws_vpc_endpoint" "rekognition" {
+  count = var.create_vpc && var.enable_rekognition_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.rekognition[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.rekognition_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.rekognition_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.rekognition_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}