chore: update based on PR feedback

bryantbiggs · bryantbiggs · commit 5c6a2313e49d · 2021-04-19T15:41:53.000-04:00
diff --git a/UPGRADE-3.0.md b/UPGRADE-3.0.md
@@ -13,18 +13,18 @@ Previously, VPC endpoints were configured as standalone resources with their own
 1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured:
 
 ```
-tf state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
-tf state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]'
-tf state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]'
 ...
 ```
 
 2. Remove the gateway endpoint route table association separate resources. The route table associations are now managed in the VPC endpoint resource itself via the map of maps provided to the VPC endpoint sub-module. Perform the necessary removals for each route table association and for S3 and/or DynamoDB depending on your configuration:
 
 ```
-tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]'
-tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]'
-tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]'
 ...
 ```
 
@@ -43,14 +43,10 @@ tf state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb
 
 See the [VPC endpoint sub-module](modules/vpc-endpoints) for the more information on the variables to utilize for VPC endpoints
 
-   - None
-
 3. Removed outputs:
 
    - `vpc_endpoint_*`
 
 4. Renamed outputs:
 
-VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs.
-
-   - None
+VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
@@ -36,6 +36,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 |------|--------|---------|
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ |  |
 | <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | ../../modules/vpc-endpoints |  |
+| <a name="module_vpc_endpoints_nocreate"></a> [vpc\_endpoints\_nocreate](#module\_vpc\_endpoints\_nocreate) | ../../modules/vpc-endpoints |  |
 
 ## Resources
 
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
@@ -12,65 +12,6 @@ locals {
   }
 }
 
-################################################################################
-# Supporting Resources
-################################################################################
-
-data "aws_security_group" "default" {
-  name   = "default"
-  vpc_id = module.vpc.vpc_id
-}
-
-# Data source used to avoid race condition
-data "aws_vpc_endpoint_service" "dynamodb" {
-  service = "dynamodb"
-
-  filter {
-    name   = "service-type"
-    values = ["Gateway"]
-  }
-}
-
-data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
-  statement {
-    effect    = "Deny"
-    actions   = ["dynamodb:*"]
-    resources = ["*"]
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "aws:sourceVpce"
-
-      values = [data.aws_vpc_endpoint_service.dynamodb.id]
-    }
-  }
-}
-
-data "aws_iam_policy_document" "generic_endpoint_policy" {
-  statement {
-    effect    = "Deny"
-    actions   = ["*"]
-    resources = ["*"]
-
-    principals {
-      type        = "*"
-      identifiers = ["*"]
-    }
-
-    condition {
-      test     = "StringNotEquals"
-      variable = "aws:sourceVpce"
-
-      values = [data.aws_vpc_endpoint_service.dynamodb.id]
-    }
-  }
-}
-
 ################################################################################
 # VPC Module
 ################################################################################
@@ -225,3 +166,68 @@ module "vpc_endpoints" {
     Endpoint = "true"
   })
 }
+
+module "vpc_endpoints_nocreate" {
+  source = "../../modules/vpc-endpoints"
+
+  create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = module.vpc.vpc_id
+}
+
+# Data source used to avoid race condition
+data "aws_vpc_endpoint_service" "dynamodb" {
+  service = "dynamodb"
+
+  filter {
+    name   = "service-type"
+    values = ["Gateway"]
+  }
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["dynamodb:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint_service.dynamodb.id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint_service.dynamodb.id]
+    }
+  }
+}
diff --git a/examples/vpc-flow-logs/main.tf b/examples/vpc-flow-logs/main.tf
@@ -9,6 +9,69 @@ locals {
   cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
 }
 
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc_with_flow_logs_s3_bucket" {
+  source = "../../"
+
+  name = "vpc-flow-logs-s3-bucket"
+  cidr = "10.30.0.0/16"
+
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.30.101.0/24"]
+
+  enable_flow_log           = true
+  flow_log_destination_type = "s3"
+  flow_log_destination_arn  = module.s3_bucket.this_s3_bucket_arn
+
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-s3-bucket"
+  }
+}
+
+# CloudWatch Log Group and IAM role created automatically
+module "vpc_with_flow_logs_cloudwatch_logs_default" {
+  source = "../../"
+
+  name = "vpc-flow-logs-cloudwatch-logs-default"
+  cidr = "10.10.0.0/16"
+
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.10.101.0/24"]
+
+  # Cloudwatch log group and IAM role will be created
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-cloudwatch-logs-default"
+  }
+}
+
+# CloudWatch Log Group and IAM role created separately
+module "vpc_with_flow_logs_cloudwatch_logs" {
+  source = "../../"
+
+  name = "vpc-flow-logs-cloudwatch-logs"
+  cidr = "10.20.0.0/16"
+
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.20.101.0/24"]
+
+  enable_flow_log                  = true
+  flow_log_destination_type        = "cloud-watch-logs"
+  flow_log_destination_arn         = aws_cloudwatch_log_group.flow_log.arn
+  flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
+
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-cloudwatch-logs"
+  }
+}
+
 ################################################################################
 # Supporting Resources
 ################################################################################
@@ -105,66 +168,3 @@ data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
     resources = ["*"]
   }
 }
-
-################################################################################
-# VPC Module
-################################################################################
-
-module "vpc_with_flow_logs_s3_bucket" {
-  source = "../../"
-
-  name = "vpc-flow-logs-s3-bucket"
-  cidr = "10.30.0.0/16"
-
-  azs            = ["${local.region}a"]
-  public_subnets = ["10.30.101.0/24"]
-
-  enable_flow_log           = true
-  flow_log_destination_type = "s3"
-  flow_log_destination_arn  = module.s3_bucket.this_s3_bucket_arn
-
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-s3-bucket"
-  }
-}
-
-# CloudWatch Log Group and IAM role created automatically
-module "vpc_with_flow_logs_cloudwatch_logs_default" {
-  source = "../../"
-
-  name = "vpc-flow-logs-cloudwatch-logs-default"
-  cidr = "10.10.0.0/16"
-
-  azs            = ["${local.region}a"]
-  public_subnets = ["10.10.101.0/24"]
-
-  # Cloudwatch log group and IAM role will be created
-  enable_flow_log                      = true
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-cloudwatch-logs-default"
-  }
-}
-
-# CloudWatch Log Group and IAM role created separately
-module "vpc_with_flow_logs_cloudwatch_logs" {
-  source = "../../"
-
-  name = "vpc-flow-logs-cloudwatch-logs"
-  cidr = "10.20.0.0/16"
-
-  azs            = ["${local.region}a"]
-  public_subnets = ["10.20.101.0/24"]
-
-  enable_flow_log                  = true
-  flow_log_destination_type        = "cloud-watch-logs"
-  flow_log_destination_arn         = aws_cloudwatch_log_group.flow_log.arn
-  flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
-
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-cloudwatch-logs"
-  }
-}
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
@@ -2,36 +2,30 @@
 
 Terraform sub-module which creates VPC endpoint resources on AWS.
 
-The following resources are supported:
-
-- [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint)
-
 ## Usage
 
 See [`examples`](./examples) directory for working examples to reference:
 
 ```hcl
 module "endpoints" {
-  source = "terraform-aws-modules/vpc/aws//vpc-endpoints"
+  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
 
   vpc_id             = "vpc-12345678"
   security_group_ids = ["sg-12345678"]
 
-  gateway_endpoints = {
+  endpoints = {
     s3 = {
+      # interface endpoint
       service             = "s3"
       private_dns_enabled = true
-      route_table_ids     = ["rt-12322456", "rt-43433343", "rt-11223344"]
       tags                = { Name = "s3-vpc-endpoint" }
     },
     dynamodb = {
+      # gateway endpoint
       service         = "dynamodb"
       route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"]
       tags            = { Name = "dynamodb-vpc-endpoint" }
-    }
-  }
-
-  interface_endpoints = {
+    },
     sns = {
       service    = "sns"
       subnet_ids = ["subnet-12345678", "subnet-87654321"]
@@ -86,12 +80,13 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
 | <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Default subnets IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
 | <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | `map(string)` | `{}` | no |
-| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | `null` | no |
 
 ## Outputs
 
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
