test

.pre-commit-config.yaml

@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.7.4
+  rev: v1.8.1
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v2.0.0
+  rev: v2.1.0
   hooks:
     - id: check-merge-conflict

examples/complete-vpc/README.md

@@ -28,6 +28,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | private\_subnets | List of IDs of private subnets |
 | public\_subnets | List of IDs of public subnets |
 | redshift\_subnets | List of IDs of redshift subnets |
+| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
+| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
+| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |
 | vpc\_id | The ID of the VPC |
 
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/complete-vpc/main.tf

@@ -2,6 +2,11 @@ provider "aws" {
   region = "eu-west-1"
 }
 
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = "${module.vpc.vpc_id}"
+}
+
 module "vpc" {
   source = "../../"
 
@@ -19,18 +24,35 @@ module "vpc" {
 
   create_database_subnet_group = false
 
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
   enable_nat_gateway = true
   single_nat_gateway = true
 
   enable_vpn_gateway = true
 
-  enable_s3_endpoint       = true
-  enable_dynamodb_endpoint = true
-
   enable_dhcp_options              = true
   dhcp_options_domain_name         = "service.consul"
   dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 
+  # VPC endpoint for S3
+  enable_s3_endpoint = true
+
+  # VPC endpoint for DynamoDB
+  enable_dynamodb_endpoint = true
+
+  # VPC endpoint for SSM
+  enable_ssm_endpoint              = true
+  ssm_endpoint_private_dns_enabled = true
+  ssm_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
+
+  //  ssm_endpoint_subnet_ids = ["..."]
+
+  # VPC Endpoint for EC2
+  enable_ec2_endpoint              = true
+  ec2_endpoint_private_dns_enabled = true
+  ec2_endpoint_security_group_ids  = ["${data.aws_security_group.default.id}"]
   tags = {
     Owner       = "user"
     Environment = "staging"

examples/complete-vpc/outputs.tf

@@ -40,3 +40,37 @@ output "nat_public_ips" {
   description = "List of public Elastic IPs created for AWS NAT Gateway"
   value       = ["${module.vpc.nat_public_ips}"]
 }
+
+# VPC endpoints
+output "vpc_endpoint_ssm_id" {
+  description = "The ID of VPC endpoint for SSM"
+  value       = "${module.vpc.vpc_endpoint_ssm_id}"
+}
+
+output "vpc_endpoint_ssm_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SSM."
+  value       = ["${module.vpc.vpc_endpoint_ssm_network_interface_ids}"]
+}
+
+output "vpc_endpoint_ssm_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SSM."
+  value       = ["${module.vpc.vpc_endpoint_ssm_dns_entry}"]
+}
+
+//
+//# VPC endpoints
+//output "vpc_endpoint_ec2_id" {
+//  description = "The ID of VPC endpoint for EC2"
+//  value       = "${module.vpc.vpc_endpoint_ec2_id}"
+//}
+//
+//output "vpc_endpoint_ec2_network_interface_ids" {
+//  description = "One or more network interfaces for the VPC Endpoint for EC2."
+//  value = ["${module.vpc.vpc_endpoint_ec2_network_interface_ids}"]
+//}
+//
+//output "vpc_endpoint_ec2_dns_entry" {
+//  description = "The DNS entries for the VPC Endpoint for EC2."
+//  value = ["${module.vpc.vpc_endpoint_ec2_dns_entry}"]
+//}
+

examples/simple-vpc/README.md

@@ -21,6 +21,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name | Description |
 |------|-------------|
+| azs | A list of availability zones spefified as argument to this module |
 | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
 | private\_subnets | List of IDs of private subnets |
 | public\_subnets | List of IDs of public subnets |

examples/simple-vpc/outputs.tf

@@ -31,3 +31,9 @@ output "nat_public_ips" {
   description = "List of public Elastic IPs created for AWS NAT Gateway"
   value       = ["${module.vpc.nat_public_ips}"]
 }
+
+# AZs
+output "azs" {
+  description = "A list of availability zones spefified as argument to this module"
+  value       = ["${module.vpc.azs}"]
+}

examples/test_fixture/README.md

@@ -25,7 +25,7 @@ This will destroy any existing test resources, create the resources afresh, run
 
 | Name | Description | Type | Default | Required |
 |------|-------------|:----:|:-----:|:-----:|
-| region | - | string | `eu-west-1` | no |
+| region |  | string | `"eu-west-1"` | no |
 
 ## Outputs
 

main.tf

@@ -122,7 +122,7 @@ resource "aws_route_table" "database" {
 }
 
 resource "aws_route" "database_internet_gateway" {
-  count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route ? 1 : 0}"
+  count = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && var.create_database_internet_gateway_route && !var.create_database_nat_gateway_route ? 1 : 0}"
 
   route_table_id         = "${aws_route_table.database.id}"
   destination_cidr_block = "0.0.0.0/0"
@@ -133,6 +133,17 @@ resource "aws_route" "database_internet_gateway" {
   }
 }
 
+resource "aws_route" "database_nat_gateway" {
+  count                  = "${var.create_vpc && var.create_database_subnet_route_table && length(var.database_subnets) > 0 && !var.create_database_internet_gateway_route && var.create_database_nat_gateway_route && var.enable_nat_gateway ? local.nat_gateway_count : 0}"
+  route_table_id         = "${element(aws_route_table.private.*.id, count.index)}"
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = "${element(aws_nat_gateway.this.*.id, count.index)}"
+
+  timeouts {
+    create = "5m"
+  }
+}
+
 #################
 # Redshift routes
 #################
@@ -230,7 +241,7 @@ resource "aws_subnet" "redshift" {
 }
 
 resource "aws_redshift_subnet_group" "redshift" {
-  count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? 1 : 0}"
+  count = "${var.create_vpc && length(var.redshift_subnets) > 0 && var.create_redshift_subnet_group ? 1 : 0}"
 
   name        = "${lower(var.name)}"
   description = "Redshift subnet group for ${var.name}"
@@ -253,7 +264,7 @@ resource "aws_subnet" "elasticache" {
 }
 
 resource "aws_elasticache_subnet_group" "elasticache" {
-  count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? 1 : 0}"
+  count = "${var.create_vpc && length(var.elasticache_subnets) > 0 && var.create_elasticache_subnet_group ? 1 : 0}"
 
   name        = "${var.name}"
   description = "ElastiCache subnet group for ${var.name}"
@@ -393,6 +404,48 @@ resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
   route_table_id  = "${aws_route_table.public.id}"
 }
 
+######################
+# VPC Endpoint for SSM
+######################
+data "aws_vpc_endpoint_service" "ssm" {
+  count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
+
+  service = "ssm"
+}
+
+resource "aws_vpc_endpoint" "ssm" {
+  count = "${var.create_vpc && var.enable_ssm_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ssm.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ssm_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ssm_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ssm_endpoint_private_dns_enabled}"
+}
+
+######################
+# VPC Endpoint for EC2
+######################
+data "aws_vpc_endpoint_service" "ec2" {
+  count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}"
+
+  service = "ec2"
+}
+
+resource "aws_vpc_endpoint" "ec2" {
+  count = "${var.create_vpc && var.enable_ec2_endpoint ? 1 : 0}"
+
+  vpc_id            = "${local.vpc_id}"
+  service_name      = "${data.aws_vpc_endpoint_service.ec2.service_name}"
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = ["${var.ec2_endpoint_security_group_ids}"]
+  subnet_ids          = ["${coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)}"]
+  private_dns_enabled = "${var.ec2_endpoint_private_dns_enabled}"
+}
+
 ##########################
 # Route table association
 ##########################

outputs.tf

@@ -193,31 +193,11 @@ output "igw_id" {
   value       = "${element(concat(aws_internet_gateway.this.*.id, list("")), 0)}"
 }
 
-output "vpc_endpoint_s3_id" {
-  description = "The ID of VPC endpoint for S3"
-  value       = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}"
-}
-
-output "vpc_endpoint_s3_pl_id" {
-  description = "The prefix list for the S3 VPC endpoint."
-  value       = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}"
-}
-
-output "vpc_endpoint_dynamodb_id" {
-  description = "The ID of VPC endpoint for DynamoDB"
-  value       = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}"
-}
-
 output "vgw_id" {
   description = "The ID of the VPN Gateway"
   value       = "${element(concat(aws_vpn_gateway.this.*.id, aws_vpn_gateway_attachment.this.*.vpn_gateway_id, list("")), 0)}"
 }
 
-output "vpc_endpoint_dynamodb_pl_id" {
-  description = "The prefix list for the DynamoDB VPC endpoint."
-  value       = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}"
-}
-
 output "default_vpc_id" {
   description = "The ID of the VPC"
   value       = "${element(concat(aws_default_vpc.this.*.id, list("")), 0)}"
@@ -278,3 +258,59 @@ output "default_vpc_main_route_table_id" {
 //  value       = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}"
 //}
 
+# VPC Endpoints
+output "vpc_endpoint_s3_id" {
+  description = "The ID of VPC endpoint for S3"
+  value       = "${element(concat(aws_vpc_endpoint.s3.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_s3_pl_id" {
+  description = "The prefix list for the S3 VPC endpoint."
+  value       = "${element(concat(aws_vpc_endpoint.s3.*.prefix_list_id, list("")), 0)}"
+}
+
+output "vpc_endpoint_dynamodb_id" {
+  description = "The ID of VPC endpoint for DynamoDB"
+  value       = "${element(concat(aws_vpc_endpoint.dynamodb.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_dynamodb_pl_id" {
+  description = "The prefix list for the DynamoDB VPC endpoint."
+  value       = "${element(concat(aws_vpc_endpoint.dynamodb.*.prefix_list_id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ssm_id" {
+  description = "The ID of VPC endpoint for SSM"
+  value       = "${element(concat(aws_vpc_endpoint.ssm.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ssm_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SSM."
+  value       = "${flatten(aws_vpc_endpoint.ssm.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ssm_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SSM."
+  value       = "${flatten(aws_vpc_endpoint.ssm.*.dns_entry)}"
+}
+
+output "vpc_endpoint_ec2_id" {
+  description = "The ID of VPC endpoint for EC2"
+  value       = "${element(concat(aws_vpc_endpoint.ec2.*.id, list("")), 0)}"
+}
+
+output "vpc_endpoint_ec2_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EC2"
+  value       = "${flatten(aws_vpc_endpoint.ec2.*.network_interface_ids)}"
+}
+
+output "vpc_endpoint_ec2_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for EC2."
+  value       = "${flatten(aws_vpc_endpoint.ec2.*.dns_entry)}"
+}
+
+# Static values (arguments)
+output "azs" {
+  description = "A list of availability zones specified as argument to this module"
+  value       = "${var.azs}"
+}