Add VPC endpoints for ELB, CloudTrail, CloudWatch and SNS (#274)

main.tf

@@ -851,7 +851,6 @@ resource "aws_vpc_endpoint" "kms" {
   private_dns_enabled = "${var.kms_endpoint_private_dns_enabled}"
 }
 
-
 #######################
 # VPC Endpoint for ECS
 #######################
@@ -873,7 +872,6 @@ resource "aws_vpc_endpoint" "ecs" {
   private_dns_enabled = "${var.ecs_endpoint_private_dns_enabled}"
 }
 
-
 #######################
 # VPC Endpoint for ECS Agent
 #######################
@@ -895,7 +893,6 @@ resource "aws_vpc_endpoint" "ecs_agent" {
   private_dns_enabled = "${var.ecs_agent_endpoint_private_dns_enabled}"
 }
 
-
 #######################
 # VPC Endpoint for ECS Telemetry
 #######################
@@ -917,6 +914,132 @@ resource "aws_vpc_endpoint" "ecs_telemetry" {
   private_dns_enabled = "${var.ecs_telemetry_endpoint_private_dns_enabled}"
 }
 
+#######################
+# VPC Endpoint for Elasic Load Balancing
+#######################
+data "aws_vpc_endpoint_service" "elasticloadbalancing" {
+  count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}"
+
+  service = "elasticloadbalancing"
+}
+
+resource "aws_vpc_endpoint" "elasticloadbalancing" {
+  count = "${var.create_vpc && var.enable_elasticloadbalancing_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.elasticloadbalancing.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.elasticloadbalancing_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.elasticloadbalancing_endpoint_private_dns_enabled}"
+}
+
+#######################
+# VPC Endpoint for SNS
+#######################
+data "aws_vpc_endpoint_service" "sns" {
+  count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}"
+
+  service = "sns"
+}
+
+resource "aws_vpc_endpoint" "sns" {
+  count = "${var.create_vpc && var.enable_sns_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.sns.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.sns_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.sns_endpoint_private_dns_enabled}"
+}
+
+#######################
+# VPC Endpoint for CloudWatch Logs
+#######################
+data "aws_vpc_endpoint_service" "logs" {
+  count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}"
+
+  service = "logs"
+}
+
+resource "aws_vpc_endpoint" "logs" {
+  count = "${var.create_vpc && var.enable_logs_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.logs.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.logs_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.logs_endpoint_private_dns_enabled}"
+}
+
+#######################
+# VPC Endpoint for CloudTrail
+#######################
+data "aws_vpc_endpoint_service" "cloudtrail" {
+  count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}"
+
+  service = "cloudtrail"
+}
+
+resource "aws_vpc_endpoint" "cloudtrail" {
+  count = "${var.create_vpc && var.enable_cloudtrail_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.cloudtrail.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.cloudtrail_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.cloudtrail_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.cloudtrail_endpoint_private_dns_enabled}"
+}
+
+#######################
+# VPC Endpoint for CloudWatch Monitoring
+#######################
+data "aws_vpc_endpoint_service" "monitoring" {
+  count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}"
+
+  service = "monitoring"
+}
+
+resource "aws_vpc_endpoint" "monitoring" {
+  count = "${var.create_vpc && var.enable_monitoring_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.monitoring.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.monitoring_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.monitoring_endpoint_private_dns_enabled}"
+}
+
+#######################
+# VPC Endpoint for CloudWatch Events
+#######################
+data "aws_vpc_endpoint_service" "events" {
+  count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}"
+
+  service = "events"
+}
+
+resource "aws_vpc_endpoint" "events" {
+  count = "${var.create_vpc && var.enable_events_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.events.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.events_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.events_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################

outputs.tf

@@ -524,6 +524,96 @@ output "vpc_endpoint_ecs_telemetry_dns_entry" {
   value       = "${flatten(aws_vpc_endpoint.ecs_telemetry.*.dns_entry)}"
 }
 
+output "vpc_endpoint_sns_id" {
+  description = "The ID of VPC endpoint for SNS"
+  value       = "${element(concat(aws_vpc_endpoint.sns.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_sns_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SNS."
+  value       = "${flatten(aws_vpc_endpoint.sns.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_sns_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SNS."
+  value       = "${flatten(aws_vpc_endpoint.sns.*.dns_entry)}"
+}
+
+output "vpc_endpoint_monitoring_id" {
+  description = "The ID of VPC endpoint for CloudWatch Monitoring"
+  value       = "${element(concat(aws_vpc_endpoint.monitoring.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_monitoring_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring."
+  value       = "${flatten(aws_vpc_endpoint.monitoring.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_monitoring_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for CloudWatch Monitoring."
+  value       = "${flatten(aws_vpc_endpoint.monitoring.*.dns_entry)}"
+}
+
+output "vpc_endpoint_elasticloadbalancing_id" {
+  description = "The ID of VPC endpoint for Elastic Load Balancing"
+  value       = "${element(concat(aws_vpc_endpoint.elasticloadbalancing.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_elasticloadbalancing_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Elastic Load Balancing."
+  value       = "${flatten(aws_vpc_endpoint.elasticloadbalancing.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_elasticloadbalancing_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Elastic Load Balancing."
+  value       = "${flatten(aws_vpc_endpoint.elasticloadbalancing.*.dns_entry)}"
+}
+
+output "vpc_endpoint_cloudtrail_id" {
+  description = "The ID of VPC endpoint for CloudTrail"
+  value       = "${element(concat(aws_vpc_endpoint.cloudtrail.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_cloudtrail_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for CloudTrail."
+  value       = "${flatten(aws_vpc_endpoint.cloudtrail.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_cloudtrail_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for CloudTrail."
+  value       = "${flatten(aws_vpc_endpoint.cloudtrail.*.dns_entry)}"
+}
+
+output "vpc_endpoint_logs_id" {
+  description = "The ID of VPC endpoint for CloudWatch Logs"
+  value       = "${element(concat(aws_vpc_endpoint.logs.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_logs_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for CloudWatch Logs."
+  value       = "${flatten(aws_vpc_endpoint.logs.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_logs_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for CloudWatch Logs."
+  value       = "${flatten(aws_vpc_endpoint.logs.*.dns_entry)}"
+}
+
+output "vpc_endpoint_events_id" {
+  description = "The ID of VPC endpoint for CloudWatch Events"
+  value       = "${element(concat(aws_vpc_endpoint.events.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_events_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for CloudWatch Events."
+  value       = "${flatten(aws_vpc_endpoint.events.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_events_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for CloudWatch Events."
+  value       = "${flatten(aws_vpc_endpoint.events.*.dns_entry)}"
+}
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"

variables.tf

@@ -424,6 +424,126 @@ variable "ecs_telemetry_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_logs_endpoint" {
+  description = "Should be true if you want to provision a CloudWatch Logs endpoint to the VPC"
+  default     = false
+}
+
+variable "logs_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint"
+  default     = []
+}
+
+variable "logs_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "logs_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint"
+  default     = false
+}
+
+variable "enable_cloudtrail_endpoint" {
+  description = "Should be true if you want to provision a CloudTrail endpoint to the VPC"
+  default     = false
+}
+
+variable "cloudtrail_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CloudTrail endpoint"
+  default     = []
+}
+
+variable "cloudtrail_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "cloudtrail_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CloudTrail endpoint"
+  default     = false
+}
+
+variable "enable_elasticloadbalancing_endpoint" {
+  description = "Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC"
+  default     = false
+}
+
+variable "elasticloadbalancing_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint"
+  default     = []
+}
+
+variable "elasticloadbalancing_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "elasticloadbalancing_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint"
+  default     = false
+}
+
+variable "enable_sns_endpoint" {
+  description = "Should be true if you want to provision a SNS endpoint to the VPC"
+  default     = false
+}
+
+variable "sns_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SNS endpoint"
+  default     = []
+}
+
+variable "sns_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "sns_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint"
+  default     = false
+}
+
+variable "enable_events_endpoint" {
+  description = "Should be true if you want to provision a CloudWatch Events endpoint to the VPC"
+  default     = false
+}
+
+variable "events_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint"
+  default     = []
+}
+
+variable "events_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "events_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint"
+  default     = false
+}
+
+variable "enable_monitoring_endpoint" {
+  description = "Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC"
+  default     = false
+}
+
+variable "monitoring_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint"
+  default     = []
+}
+
+variable "monitoring_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "monitoring_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint"
+  default     = false
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   default     = true