Added VPC endpoints for SQS (closes #248)

8ab27d0e · Anton Babenko · 03e8c62a · 8ab27d0e · 8ab27d0e · 8ab27d0e
Commit 8ab27d0e authored May 24, 2019 by Anton Babenko
6 changed files
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.8.1
+  rev: v1.11.0
  hooks:
    - id: terraform_fmt
    - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v2.1.0
+  rev: v2.2.3
  hooks:
    - id: check-merge-conflict
--- a/README.md
+++ b/README.md
--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -45,7 +45,7 @@ module "vpc" {
  # VPC endpoint for SSM
  enable_ssm_endpoint              = true
  ssm_endpoint_private_dns_enabled = true
-  ssm_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"] # ssm_endpoint_subnet_ids = ["..."]
+  ssm_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
  # VPC endpoint for SSMMESSAGES
  enable_ssmmessages_endpoint              = true
@@ -77,7 +77,20 @@ module "vpc" {
  kms_endpoint_private_dns_enabled = true
  kms_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
-  # kms_endpoint_subnet_ids = ["..."]
+  # VPC endpoint for ECS
+  enable_ecs_endpoint              = true
+  ecs_endpoint_private_dns_enabled = true
+  ecs_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  # VPC endpoint for ECS telemetry
+  enable_ecs_telemetry_endpoint              = true
+  ecs_telemetry_endpoint_private_dns_enabled = true
+  ecs_telemetry_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+  # VPC endpoint for SQS
+  enable_sqs_endpoint              = true
+  sqs_endpoint_private_dns_enabled = true
+  sqs_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
  tags = {
    Owner       = "user"

--- a/main.tf
+++ b/main.tf
@@ -122,7 +122,7 @@ resource "aws_route_table" "database" {
 }
 resource "aws_route" "database_internet_gateway" {
-  count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0}"
+  count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && ! var.create_database_nat_gateway_route ? 1 : 0}"
  route_table_id         = "${aws_route_table.database.id}"
  destination_cidr_block = "0.0.0.0/0"
@@ -134,7 +134,7 @@ resource "aws_route" "database_internet_gateway" {
 }
 resource "aws_route" "database_nat_gateway" {
-  count                  = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}"
+  count                  = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && ! var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}"
  route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = "${element(aws_nat_gateway.this.*.id, count.index)}"
@@ -181,7 +181,7 @@ resource "aws_route_table" "intra" {
 # Public subnet
 ################
 resource "aws_subnet" "public" {
-  count = "${var.create_vpc && length(var.public_subnets) > 0 && (!var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}"
+  count = "${var.create_vpc && length(var.public_subnets) > 0 && (! var.one_nat_gateway_per_az || length(var.public_subnets) >= length(var.azs)) ? length(var.public_subnets) : 0}"
  vpc_id                  = "${local.vpc_id}"
  cidr_block              = "${element(concat(var.public_subnets, list("")), count.index)}"
@@ -558,7 +558,7 @@ locals {
 }
 resource "aws_eip" "nat" {
-  count = "${var.create_vpc && (var.enable_nat_gateway && !var.reuse_nat_ips) ? local.nat_gateway_count : 0}"
+  count = "${var.create_vpc && (var.enable_nat_gateway && ! var.reuse_nat_ips) ? local.nat_gateway_count : 0}"
  vpc = true
@@ -662,6 +662,27 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
  route_table_id  = "${aws_route_table.public.id}"
 }
+#######################
+# VPC Endpoint for SQS
+#######################
+data "aws_vpc_endpoint_service" "sqs" {
+  count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}"
+  service = "sqs"
+}
+resource "aws_vpc_endpoint" "sqs" {
+  count = "${var.create_vpc && var.enable_sqs_endpoint ? 1 : 0}"
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.sqs.service_name}"
+  vpc_endpoint_type = "Interface"
+  security_group_ids  = ["${var.sqs_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.sqs_endpoint_private_dns_enabled}"
+}
 #######################
 # VPC Endpoint for SSM
 #######################
@@ -888,7 +909,7 @@ resource "aws_vpc_endpoint" "ecs_telemetry" {
  count = "${var.create_vpc && var.enable_ecs_telemetry_endpoint ? 1 : 0}"
  vpc_id            = "${local.vpc_id}"
-  service_name      = "${data.aws_vpc_endpoint_service.ecs.service_name}"
+  service_name      = "${data.aws_vpc_endpoint_service.ecs_telemetry.service_name}"
  vpc_endpoint_type = "Interface"
  security_group_ids  = ["${var.ecs_telemetry_endpoint_security_group_ids}"]
@@ -914,7 +935,7 @@ resource "aws_route_table_association" "database" {
 }
 resource "aws_route_table_association" "redshift" {
-  count = "${var.create_vpc && length(var.redshift_subnets) > 0 && !var.enable_public_redshift ? length(var.redshift_subnets) : 0}"
+  count = "${var.create_vpc && length(var.redshift_subnets) > 0 && ! var.enable_public_redshift ? length(var.redshift_subnets) : 0}"
  subnet_id      = "${element(aws_subnet.redshift.*.id, count.index)}"
  route_table_id = "${element(coalescelist(aws_route_table.redshift.*.id, aws_route_table.private.*.id), (var.single_nat_gateway || var.create_redshift_subnet_route_table ? 0 : count.index))}"

--- a/outputs.tf
+++ b/outputs.tf
@@ -344,6 +344,21 @@ output "vpc_endpoint_dynamodb_pl_id" {
  value       = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}"
 }
+output "vpc_endpoint_sqs_id" {
+  description = "The ID of VPC endpoint for SQS"
+  value       = "${element(concat(aws_vpc_endpoint.sqs.*.id, list("")), 0)}"
+}
+output "vpc_endpoint_sqs_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SQS."
+  value       = "${flatten(aws_vpc_endpoint.sqs.*.network_interface_ids)}"
+}
+output "vpc_endpoint_sqs_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SQS."
+  value       = "${flatten(aws_vpc_endpoint.sqs.*.dns_entry)}"
+}
 output "vpc_endpoint_ssm_id" {
  description = "The ID of VPC endpoint for SSM"
  value       = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}"

--- a/variables.tf
+++ b/variables.tf
@@ -184,6 +184,26 @@ variable "enable_s3_endpoint" {
  default     = false
 }
+variable "enable_sqs_endpoint" {
+  description = "Should be true if you want to provision an SQS endpoint to the VPC"
+  default     = false
+}
+variable "sqs_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SQS endpoint"
+  default     = []
+}
+variable "sqs_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+variable "sqs_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint"
+  default     = false
+}
 variable "enable_ssm_endpoint" {
  description = "Should be true if you want to provision an SSM endpoint to the VPC"
  default     = false
@@ -687,7 +707,7 @@ variable "default_network_acl_ingress" {
    to_port    = 0
    protocol   = "-1"
    cidr_block = "0.0.0.0/0"
-  },
+    },
    {
      rule_no         = 101
      action          = "allow"
@@ -709,7 +729,7 @@ variable "default_network_acl_egress" {
    to_port    = 0
    protocol   = "-1"
    cidr_block = "0.0.0.0/0"
-  },
+    },
    {
      rule_no         = 101
      action          = "allow"