terraform-aws-modules · polymorcodeus · Jun 4, 2020 · Jun 5, 2020 · Jun 5, 2020 · Jun 5, 2020
diff --git a/README.md b/README.md
@@ -473,6 +473,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | `bool` | `false` | no |
 | intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
+| intra\_route\_table\_id | Used when specifying vpc\_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with a intra route | `string` | `""` | no |
 | intra\_route\_table\_tags | Additional tags for the intra route tables | `map(string)` | `{}` | no |
 | intra\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on intra subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | intra\_subnet\_ipv6\_prefixes | Assigns IPv6 intra subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list` | `[]` | no |
@@ -505,6 +506,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | `bool` | `false` | no |
 | private\_inbound\_acl\_rules | Private subnets inbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | private\_outbound\_acl\_rules | Private subnets outbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
+| private\_route\_table\_ids | Used when specifying vpc\_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with one or more private routes | `list(string)` | `[]` | no |
 | private\_route\_table\_tags | Additional tags for the private route tables | `map(string)` | `{}` | no |
 | private\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on private subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | private\_subnet\_ipv6\_prefixes | Assigns IPv6 private subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list` | `[]` | no |
@@ -518,6 +520,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | `bool` | `false` | no |
 | public\_inbound\_acl\_rules | Public subnets inbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | public\_outbound\_acl\_rules | Public subnets outbound network ACLs | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
+| public\_route\_table\_id | Used when specifying vpc\_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with a public route | `string` | `""` | no |
 | public\_route\_table\_tags | Additional tags for the public route tables | `map(string)` | `{}` | no |
 | public\_subnet\_assign\_ipv6\_address\_on\_creation | Assign IPv6 address on public subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `null` | no |
 | public\_subnet\_ipv6\_prefixes | Assigns IPv6 public subnet id based on the Amazon provided /56 prefix base 10 integer (0-256). Must be of equal length to the corresponding IPv4 subnet list | `list` | `[]` | no |
@@ -594,8 +597,10 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | transferserver\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Transfer Server endpoint | `bool` | `false` | no |
 | transferserver\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Transfer Server endpoint | `list(string)` | `[]` | no |
 | transferserver\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Transfer Server endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| use\_existing\_vpc\_id\_for\_endpoints | Should be set to true if you want to create endpoints with passed varible vpc\_id. Variable create\_vpc must be set to false for this to take effect. | `bool` | `false` | no |
 | vpc\_endpoint\_tags | Additional tags for the VPC Endpoints | `map(string)` | `{}` | no |
 | vpc\_flow\_log\_tags | Additional tags for the VPC Flow Logs | `map(string)` | `{}` | no |
+| vpc\_id | The VPC id used to create endpoints when used in conjuction with use\_existing\_vpc\_id\_for\_endpoints and create\_vpc. | `string` | `""` | no |
 | vpc\_tags | Additional tags for the VPC | `map(string)` | `{}` | no |
 | vpn\_gateway\_az | The Availability Zone for the VPN Gateway | `string` | `null` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | `string` | `""` | no |

diff --git a/examples/endpoint-existing-vpc/README.md b/examples/endpoint-existing-vpc/README.md
@@ -0,0 +1,43 @@
+# Existing VPC and Security Group - create ONLY endpoint
+
+Configuration in this directory creates set of VPC resources which may be sufficient for creating endpoints inside an existing VPC.
+
+This configuration uses a VPC ID and Security Group ID for demonstration purposes.
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| aws | n/a |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| vpc_id | n/a | `string` | `""` | no |
+| sg_id | n/a | `string` | `""` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| vpc\_endpoint\_ec2\_id | The ID of VPC endpoint for EC2 |
+| vpc\_endpoint\_ec2\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/endpoint-existing-vpc/main.tf b/examples/endpoint-existing-vpc/main.tf
@@ -0,0 +1,32 @@
+provider "aws" {
+  region = "ap-southeast-2"
+}
+
+data "aws_vpc" "existing_vpc" {
+  id = "${var.vpc_id}"
+}
+
+data "aws_security_group" "endpoint_sg" {
+  id = "${var.securitygoup_id}"
+}
+
+data "aws_subnet_ids" "subnets" {
+  vpc_id = data.aws_vpc.existing_vpc.id
+}
+
+module "vpc_endpoints" {
+  source = "../../"
+
+  create_vpc                        = false
+  use_existing_vpc_id_for_endpoints = true 
+  vpc_id                            = data.aws_vpc.existing_vpc.id
+
+  enable_ec2_endpoint               = true
+  ec2_endpoint_security_group_ids   = [data.aws_security_group.endpoint_sg.id]
+  ec2_endpoint_subnet_ids           = data.aws_subnet_ids.subnets.ids
+
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+}
diff --git a/examples/endpoint-existing-vpc/outputs.tf b/examples/endpoint-existing-vpc/outputs.tf
@@ -0,0 +1,10 @@
+# Endpoints
+output "vpc_endpoint_ec2_id" {
+  description = "The ID of VPC endpoint for EC2"
+  value       = module.vpc_endpoints.vpc_endpoint_ec2_id
+}
+
+output "vpc_endpoint_ec2_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EC2"
+  value       = module.vpc_endpoints.vpc_endpoint_ec2_network_interface_ids
+}
diff --git a/examples/endpoint-existing-vpc/variables.tf b/examples/endpoint-existing-vpc/variables.tf
@@ -0,0 +1,7 @@
+variable "vpc_id" {
+  default = ""
+}
+
+variable "securitygoup_id" {
+  default = ""
+}
diff --git a/variables.tf b/variables.tf
@@ -10,6 +10,12 @@ variable "name" {
   default     = ""
 }
 
+variable "vpc_id" {
+  description = "The VPC id used to create endpoints when used in conjuction with use_existing_vpc_id_for_endpoints and create_vpc."
+  type        = string
+  default     = ""
+}
+
 variable "cidr" {
   description = "The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden"
   type        = string
@@ -298,6 +304,24 @@ variable "external_nat_ip_ids" {
   default     = []
 }
 
+variable "public_route_table_id" {
+  description = "Used when specifying vpc_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with a public route"
+  type        = string
+  default     = ""
+}
+
+variable "intra_route_table_id" {
+  description = "Used when specifying vpc_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with a intra route"
+  type        = string
+  default     = ""
+}
+
+variable "private_route_table_ids" {
+  description = "Used when specifying vpc_id as a variable to provision a DynamoDB or S3 endpoint to the VPC with one or more private routes"
+  type        = list(string)
+  default     = []
+}
+
 variable "enable_dynamodb_endpoint" {
   description = "Should be true if you want to provision a DynamoDB endpoint to the VPC"
   type        = bool
@@ -1655,6 +1679,12 @@ variable "acm_pca_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "use_existing_vpc_id_for_endpoints" {
+  description = "Should be set to true if you want to create endpoints with passed varible vpc_id. Variable create_vpc must be set to false for this to take effect."
+  default     = false
+}
+
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool