fix: use filter for getting service type for S3 endpoint and update to allow...

fix: use filter for getting service type for S3 endpoint and update to allow s3 to use interface endpoint types (#597)

fix: use filter for getting service type for S3 endpoint and update to allow...
fix: use filter for getting service type for S3 endpoint and update to allow s3 to use interface endpoint types (#597)
5fcf6106 · Bryant Biggs · GitHub · 9f859de5 · 5fcf6106 · 5fcf6106
Commit 5fcf6106 authored Feb 22, 2021 by Bryant Biggs Committed by GitHub Feb 22, 2021
26 changed files
--- a/README.md
+++ b/README.md
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -51,7 +51,11 @@ module "vpc" {
  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
  # VPC endpoint for S3
-  enable_s3_endpoint = true
+  # Note - S3 Interface type support is only available on AWS provider 3.10 and later
+  enable_s3_endpoint              = true
+  s3_endpoint_type                = "Interface"
+  s3_endpoint_private_dns_enabled = false
+  s3_endpoint_security_group_ids  = [data.aws_security_group.default.id]
  # VPC endpoint for DynamoDB
  enable_dynamodb_endpoint = true

--- a/examples/ipv6/README.md
+++ b/examples/ipv6/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Modules
@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name |
 |------|
-| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/availability_zones) |
+| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
 ## Inputs

--- a/examples/ipv6/versions.tf
+++ b/examples/ipv6/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/issue-108-route-already-exists/README.md
+++ b/examples/issue-108-route-already-exists/README.md
@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/issue-108-route-already-exists/versions.tf
+++ b/examples/issue-108-route-already-exists/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/issue-44-asymmetric-private-subnets/README.md
+++ b/examples/issue-44-asymmetric-private-subnets/README.md
@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/issue-44-asymmetric-private-subnets/versions.tf
+++ b/examples/issue-44-asymmetric-private-subnets/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/issue-46-no-private-subnets/README.md
+++ b/examples/issue-46-no-private-subnets/README.md
@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/issue-46-no-private-subnets/versions.tf
+++ b/examples/issue-46-no-private-subnets/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/manage-default-vpc/README.md
+++ b/examples/manage-default-vpc/README.md
@@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/manage-default-vpc/versions.tf
+++ b/examples/manage-default-vpc/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/network-acls/README.md
+++ b/examples/network-acls/README.md
@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/network-acls/versions.tf
+++ b/examples/network-acls/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/secondary-cidr-blocks/README.md
+++ b/examples/secondary-cidr-blocks/README.md
@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/secondary-cidr-blocks/versions.tf
+++ b/examples/secondary-cidr-blocks/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/simple-vpc/README.md
+++ b/examples/simple-vpc/README.md
@@ -26,7 +26,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -18,8 +18,6 @@ module "vpc" {
  enable_nat_gateway = false
  single_nat_gateway = true
-  #  s3_endpoint_type = "Interface"
  enable_s3_endpoint       = true
  enable_dynamodb_endpoint = true

--- a/examples/simple-vpc/versions.tf
+++ b/examples/simple-vpc/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 ## Providers
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 ## Modules
@@ -47,11 +47,11 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/cloudwatch_log_group) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/iam_policy_document) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_policy) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role_policy_attachment) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
 | [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
 ## Inputs

--- a/examples/vpc-flow-logs/versions.tf
+++ b/examples/vpc-flow-logs/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
    random = {

--- a/examples/vpc-separate-private-route-tables/README.md
+++ b/examples/vpc-separate-private-route-tables/README.md
@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 2.68 |
+| aws | >= 2.70 |
 ## Providers

--- a/examples/vpc-separate-private-route-tables/versions.tf
+++ b/examples/vpc-separate-private-route-tables/versions.tf
@@ -2,6 +2,9 @@ terraform {
  required_version = ">= 0.12.21"
  required_providers {
-    aws = ">= 2.68"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.70"
+    }
  }
 }
--- a/variables.tf
+++ b/variables.tf
@@ -317,11 +317,29 @@ variable "enable_dynamodb_endpoint" {
 }
 variable "dynamodb_endpoint_type" {
-  description = "DynamoDB VPC endpoint type"
+  description = "DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available"
  type        = string
  default     = "Gateway"
 }
+variable "dynamodb_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint"
+  type        = list(string)
+  default     = []
+}
+variable "dynamodb_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+variable "dynamodb_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint"
+  type        = bool
+  default     = false
+}
 variable "enable_s3_endpoint" {
  description = "Should be true if you want to provision an S3 endpoint to the VPC"
  type        = bool
@@ -329,11 +347,29 @@ variable "enable_s3_endpoint" {
 }
 variable "s3_endpoint_type" {
-  description = "S3 VPC endpoint type"
+  description = "S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later"
  type        = string
  default     = "Gateway"
 }
+variable "s3_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for S3 interface endpoint"
+  type        = list(string)
+  default     = []
+}
+variable "s3_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+variable "s3_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint"
+  type        = bool
+  default     = false
+}
 variable "enable_codeartifact_api_endpoint" {
  description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
  type        = bool

--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
    }
  }
 }
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
@@ -4,8 +4,13 @@
 data "aws_vpc_endpoint_service" "s3" {
  count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
-  service_type = var.s3_endpoint_type
+  service = "s3"
-  service      = "s3"
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.s3_endpoint_type]
+  }
 }
 resource "aws_vpc_endpoint" "s3" {
@@ -15,25 +20,29 @@ resource "aws_vpc_endpoint" "s3" {
  service_name      = data.aws_vpc_endpoint_service.s3[0].service_name
  vpc_endpoint_type = var.s3_endpoint_type
+  security_group_ids  = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null
+  subnet_ids          = var.s3_endpoint_type == "Interface" ? coalescelist(var.s3_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_private_dns_enabled : null
  tags = local.vpce_tags
 }
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.s3_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 resource "aws_vpc_endpoint_route_table_association" "public_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
  route_table_id  = aws_route_table.public[0].id
@@ -45,36 +54,45 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 data "aws_vpc_endpoint_service" "dynamodb" {
  count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
-  service_type = var.dynamodb_endpoint_type
+  service = "dynamodb"
-  service      = "dynamodb"
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.dynamodb_endpoint_type]
+  }
 }
 resource "aws_vpc_endpoint" "dynamodb" {
  count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
  vpc_id            = local.vpc_id
-  vpc_endpoint_type = var.dynamodb_endpoint_type
  service_name      = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+  vpc_endpoint_type = var.dynamodb_endpoint_type
+  security_group_ids  = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_security_group_ids : null
+  subnet_ids          = var.dynamodb_endpoint_type == "Interface" ? coalescelist(var.dynamodb_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_private_dns_enabled : null
  tags = local.vpce_tags
 }
 resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && var.dynamodb_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
  vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
  route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
  vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
  route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
  vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
  route_table_id  = aws_route_table.public[0].id