Add VPC endpoints for CloudFormation, CodePipeline, Storage Gateway, AppMesh,...

Add VPC endpoints for CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog & SageMaker(Runtime & API) (#324)

* add new endpoints

* merge change from master

outputs.tf

@@ -803,6 +803,119 @@ output "vpc_endpoint_sts_dns_entry" {
   value       = flatten(aws_vpc_endpoint.sts.*.dns_entry)
 }
 
+output "vpc_endpoint_cloudformation_id" {
+  description = "The ID of VPC endpoint for Cloudformation"
+  value       = concat(aws_vpc_endpoint.cloudformation.*.id, [""])[0]
+}
+
+output "vpc_endpoint_cloudformation_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Cloudformation."
+  value       = flatten(aws_vpc_endpoint.cloudformation.*.network_interface_ids)
+}
+
+output "vpc_endpoint_cloudformation_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Cloudformation."
+  value       = flatten(aws_vpc_endpoint.cloudformation.*.dns_entry)
+}
+output "vpc_endpoint_codepipeline_id" {
+  description = "The ID of VPC endpoint for CodePipeline"
+  value       = concat(aws_vpc_endpoint.codepipeline.*.id, [""])[0]
+}
+
+output "vpc_endpoint_codepipeline_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for CodePipeline."
+  value       = flatten(aws_vpc_endpoint.codepipeline.*.network_interface_ids)
+}
+
+output "vpc_endpoint_codepipeline_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for CodePipeline."
+  value       = flatten(aws_vpc_endpoint.codepipeline.*.dns_entry)
+}
+output "vpc_endpoint_appmesh_envoy_management_id" {
+  description = "The ID of VPC endpoint for AppMesh"
+  value       = concat(aws_vpc_endpoint.appmesh_envoy_management.*.id, [""])[0]
+}
+
+output "vpc_endpoint_appmesh_envoy_management_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for AppMesh."
+  value       = flatten(aws_vpc_endpoint.appmesh_envoy_management.*.network_interface_ids)
+}
+
+output "vpc_endpoint_appmesh_envoy_management_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for AppMesh."
+  value       = flatten(aws_vpc_endpoint.appmesh_envoy_management.*.dns_entry)
+}
+output "vpc_endpoint_servicecatalog_id" {
+  description = "The ID of VPC endpoint for Service Catalog"
+  value       = concat(aws_vpc_endpoint.servicecatalog.*.id, [""])[0]
+}
+
+output "vpc_endpoint_servicecatalog_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Service Catalog."
+  value       = flatten(aws_vpc_endpoint.servicecatalog.*.network_interface_ids)
+}
+
+output "vpc_endpoint_servicecatalog_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Service Catalog."
+  value       = flatten(aws_vpc_endpoint.servicecatalog.*.dns_entry)
+}
+output "vpc_endpoint_storagegateway_id" {
+  description = "The ID of VPC endpoint for Storage Gateway"
+  value       = concat(aws_vpc_endpoint.storagegateway.*.id, [""])[0]
+}
+
+output "vpc_endpoint_storagegateway_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Storage Gateway."
+  value       = flatten(aws_vpc_endpoint.storagegateway.*.network_interface_ids)
+}
+
+output "vpc_endpoint_storagegateway_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Storage Gateway."
+  value       = flatten(aws_vpc_endpoint.storagegateway.*.dns_entry)
+}
+output "vpc_endpoint_transfer_id" {
+  description = "The ID of VPC endpoint for Transfer"
+  value       = concat(aws_vpc_endpoint.transfer.*.id, [""])[0]
+}
+
+output "vpc_endpoint_transfer_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Transfer."
+  value       = flatten(aws_vpc_endpoint.transfer.*.network_interface_ids)
+}
+
+output "vpc_endpoint_transfer_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Transfer."
+  value       = flatten(aws_vpc_endpoint.transfer.*.dns_entry)
+}
+output "vpc_endpoint_sagemaker_api_id" {
+  description = "The ID of VPC endpoint for SageMaker API"
+  value       = concat(aws_vpc_endpoint.sagemaker_api.*.id, [""])[0]
+}
+
+output "vpc_endpoint_sagemaker_api_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SageMaker API."
+  value       = flatten(aws_vpc_endpoint.sagemaker_api.*.network_interface_ids)
+}
+
+output "vpc_endpoint_sagemaker_api_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SageMaker API."
+  value       = flatten(aws_vpc_endpoint.sagemaker_api.*.dns_entry)
+}
+output "vpc_endpoint_sagemaker_runtime_id" {
+  description = "The ID of VPC endpoint for SageMaker Runtime"
+  value       = concat(aws_vpc_endpoint.sagemaker_runtime.*.id, [""])[0]
+}
+
+output "vpc_endpoint_sagemaker_runtime_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SageMaker Runtime."
+  value       = flatten(aws_vpc_endpoint.sagemaker_runtime.*.network_interface_ids)
+}
+
+output "vpc_endpoint_sagemaker_runtime_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SageMaker Runtime."
+  value       = flatten(aws_vpc_endpoint.sagemaker_runtime.*.dns_entry)
+}
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"

variables.tf

@@ -993,6 +993,191 @@ variable "sts_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_cloudformation_endpoint" {
+  description = "Should be true if you want to provision a Cloudformation endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "cloudformation_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Cloudformation endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "cloudformation_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Cloudformation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "cloudformation_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_codepipeline_endpoint" {
+  description = "Should be true if you want to provision a CodePipeline endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "codepipeline_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for CodePipeline endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "codepipeline_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for CodePipeline endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "codepipeline_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for CodePipeline endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_appmesh_envoy_management_endpoint" {
+  description = "Should be true if you want to provision a AppMesh endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "appmesh_envoy_management_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for AppMesh endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "appmesh_envoy_management_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for AppMesh endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "appmesh_envoy_management_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for AppMesh endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_servicecatalog_endpoint" {
+  description = "Should be true if you want to provision a Service Catalog endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "servicecatalog_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Service Catalog endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "servicecatalog_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Service Catalog endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "servicecatalog_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Service Catalog endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_storagegateway_endpoint" {
+  description = "Should be true if you want to provision a Storage Gateway endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "storagegateway_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "storagegateway_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "storagegateway_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_transfer_endpoint" {
+  description = "Should be true if you want to provision a Transfer endpoint tothe VPC"
+  type        = bool
+  default     = false
+}
+
+variable "transfer_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Transfer endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "transfer_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Transfer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "transfer_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Transfer endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_sagemaker_api_endpoint" {
+  description = "Should be true if you want to provision a SageMaker API endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "sagemaker_api_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SageMaker API endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "sagemaker_api_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "sagemaker_api_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint"
+  type        = bool
+  default     = false
+}
+variable "enable_sagemaker_runtime_endpoint" {
+  description = "Should be true if you want to provision a SageMaker Runtime endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "sagemaker_runtime_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "sagemaker_runtime_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "sagemaker_runtime_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool

vpc-endpoints.tf

@@ -722,3 +722,172 @@ resource "aws_vpc_endpoint" "sts" {
   private_dns_enabled = var.sts_endpoint_private_dns_enabled
   tags                = local.vpce_tags
 }
+
+#############################
+# VPC Endpoint for Cloudformation
+#############################
+data "aws_vpc_endpoint_service" "cloudformation" {
+  count = var.create_vpc && var.enable_cloudformation_endpoint ? 1 : 0
+
+  service = "cloudformation"
+}
+
+resource "aws_vpc_endpoint" "cloudformation" {
+  count = var.create_vpc && var.enable_cloudformation_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.cloudformation[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.cloudformation_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.cloudformation_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.cloudformation_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for CodePipeline
+#############################
+data "aws_vpc_endpoint_service" "codepipeline" {
+  count = var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0
+
+  service = "codepipeline"
+}
+
+resource "aws_vpc_endpoint" "codepipeline" {
+  count = var.create_vpc && var.enable_codepipeline_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.codepipeline[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.codepipeline_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.codepipeline_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.codepipeline_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for AppMesh
+#############################
+data "aws_vpc_endpoint_service" "appmesh_envoy_management" {
+  count = var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 1 : 0
+
+  service = "appmesh-envoy-management"
+}
+
+resource "aws_vpc_endpoint" "appmesh_envoy_management" {
+  count = var.create_vpc && var.enable_appmesh_envoy_management_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.appmesh_envoy_management[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.appmesh_envoy_management_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.appmesh_envoy_management_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.appmesh_envoy_management_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for Service Catalog
+#############################
+data "aws_vpc_endpoint_service" "servicecatalog" {
+  count = var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0
+
+  service = "servicecatalog"
+}
+
+resource "aws_vpc_endpoint" "servicecatalog" {
+  count = var.create_vpc && var.enable_servicecatalog_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.servicecatalog[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.servicecatalog_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.servicecatalog_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.servicecatalog_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for Storage Gateway
+#############################
+data "aws_vpc_endpoint_service" "storagegateway" {
+  count = var.create_vpc && var.enable_storagegateway_endpoint ? 1 : 0
+
+  service = "storagegateway"
+}
+
+resource "aws_vpc_endpoint" "storagegateway" {
+  count = var.create_vpc && var.enable_storagegateway_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.storagegateway[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.storagegateway_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.storagegateway_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.storagegateway_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for Transfer
+#############################
+data "aws_vpc_endpoint_service" "transfer" {
+  count = var.create_vpc && var.enable_transfer_endpoint ? 1 : 0
+
+  service = "transfer"
+}
+
+resource "aws_vpc_endpoint" "transfer" {
+  count = var.create_vpc && var.enable_transfer_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.transfer[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.transfer_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.transfer_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.transfer_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for SageMaker API
+#############################
+data "aws_vpc_endpoint_service" "sagemaker_api" {
+  count = var.create_vpc && var.enable_sagemaker_api_endpoint ? 1 : 0
+
+  service = "sagemaker.api"
+}
+
+resource "aws_vpc_endpoint" "sagemaker_api" {
+  count = var.create_vpc && var.enable_sagemaker_api_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.sagemaker_api[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.sagemaker_api_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.sagemaker_api_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.sagemaker_api_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}
+#############################
+# VPC Endpoint for SageMaker Runtime
+#############################
+data "aws_vpc_endpoint_service" "sagemaker_runtime" {
+  count = var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0
+
+  service = "sagemaker.runtime"
+}
+
+resource "aws_vpc_endpoint" "sagemaker_runtime" {
+  count = var.create_vpc && var.enable_sagemaker_runtime_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.sagemaker_runtime[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.sagemaker_runtime_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.sagemaker_runtime_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.sagemaker_runtime_endpoint_private_dns_enabled
+  tags                = local.vpce_tags
+}