feat: add vpc endpoint policies to supported services (#601)

* feat: add vpc endpoint policies to supported services * chore: empty commit to re-run * chore: Run pre-commit terraform_docs hook Co-authored-by: Anton Babenko <anton@antonbabenko.com>

feat: add vpc endpoint policies to supported services (#601)
* feat: add vpc endpoint policies to supported services * chore: empty commit to re-run * chore: Run pre-commit terraform_docs hook Co-authored-by: Anton Babenko <anton@antonbabenko.com>
93a6f40d · Bryant Biggs · GitHub · bbfd33e4 · 93a6f40d · 93a6f40d
Commit 93a6f40d authored Feb 23, 2021 by Bryant Biggs Committed by GitHub Feb 23, 2021
7 changed files
--- a/README.md
+++ b/README.md
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -40,7 +40,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name |
 |------|
-| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/security_group) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) |
+| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) |

 ## Inputs


--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -59,6 +59,7 @@ module "vpc" {

  # VPC endpoint for DynamoDB
  enable_dynamodb_endpoint = true
+  dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json

  # VPC endpoint for SSM
  enable_ssm_endpoint              = true
@@ -77,6 +78,7 @@ module "vpc" {

  # VPC Endpoint for EC2
  enable_ec2_endpoint              = true
+  ec2_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
  ec2_endpoint_private_dns_enabled = true
  ec2_endpoint_security_group_ids  = [data.aws_security_group.default.id]

@@ -87,11 +89,13 @@ module "vpc" {

  # VPC Endpoint for ECR API
  enable_ecr_api_endpoint              = true
+  ecr_api_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
  ecr_api_endpoint_private_dns_enabled = true
  ecr_api_endpoint_security_group_ids  = [data.aws_security_group.default.id]

  # VPC Endpoint for ECR DKR
  enable_ecr_dkr_endpoint              = true
+  ecr_dkr_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
  ecr_dkr_endpoint_private_dns_enabled = true
  ecr_dkr_endpoint_security_group_ids  = [data.aws_security_group.default.id]

@@ -142,3 +146,49 @@ module "vpc" {
    Endpoint = "true"
  }
 }
+
+# Data source used to avoid race condition
+data "aws_vpc_endpoint" "dynamodb" {
+  vpc_id       = module.vpc.vpc_id
+  service_name = "com.amazonaws.eu-west-1.dynamodb"
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["dynamodb:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint.dynamodb.id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint.dynamodb.id]
+    }
+  }
+}
--- a/examples/ipv6/README.md
+++ b/examples/ipv6/README.md
@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name |
 |------|
-| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
+| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) |

 ## Inputs


--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -47,12 +47,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP

 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
-| [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
+| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) |

 ## Inputs


--- a/variables.tf
+++ b/variables.tf
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf