[TEC-56][Added] - VPC endpoints

Author: aswin-vijayan

environments/dev/vpc/main.tf

@@ -2,28 +2,31 @@ terraform {
   backend "s3" {}
 }
 provider "aws" {
-  region = "us-west-2"
+  region = var.region
 }
 
 module "vpc" {
-  source                        = "../../../modules/vpc"
-  region                        = var.region
-  vpc_cidr_block                = var.vpc_cidr_block
-  instance_tenancy              = var.instance_tenancy
-  enable_dns_support            = var.enable_dns_support
-  enable_dns_hostnames          = var.enable_dns_hostnames
-  domain                        = var.domain
-  create_nat_gateway            = var.create_nat_gateway
-  destination_cidr_block        = var.destination_cidr_block
-  map_public_ip_on_launch       = var.map_public_ip_on_launch
-  public_subnet_cidr_blocks     = var.public_subnet_cidr_blocks
-  app_subnet_cidr_blocks        = var.app_subnet_cidr_blocks
-  db_subnet_cidr_blocks         = var.db_subnet_cidr_blocks
-  management_subnet_cidr_blocks = var.management_subnet_cidr_blocks
-  platform_subnet_cidr_blocks   = var.platform_subnet_cidr_blocks
-  availability_zones            = var.availability_zones
-  owner                         = var.owner
-  environment                   = var.environment
-  cost_center                   = var.cost_center
-  application                   = var.application
+  source                          = "../../../modules/vpc"
+  region                          = var.region
+  vpc_cidr_block                  = var.vpc_cidr_block
+  instance_tenancy                = var.instance_tenancy
+  enable_dns_support              = var.enable_dns_support
+  enable_dns_hostnames            = var.enable_dns_hostnames
+  domain                          = var.domain
+  create_nat_gateway              = var.create_nat_gateway
+  destination_cidr_block          = var.destination_cidr_block
+  map_public_ip_on_launch         = var.map_public_ip_on_launch
+  public_subnet_cidr_blocks       = var.public_subnet_cidr_blocks
+  app_subnet_cidr_blocks          = var.app_subnet_cidr_blocks
+  db_subnet_cidr_blocks           = var.db_subnet_cidr_blocks
+  management_subnet_cidr_blocks   = var.management_subnet_cidr_blocks
+  platform_subnet_cidr_blocks     = var.platform_subnet_cidr_blocks
+  availability_zones              = var.availability_zones
+  create_s3_endpoint              = var.create_s3_endpoint
+  create_secrets_manager_endpoint = var.create_secrets_manager_endpoint
+  create_cloudwatch_logs_endpoint = var.create_cloudwatch_logs_endpoint
+  owner                           = var.owner
+  environment                     = var.environment
+  cost_center                     = var.cost_center
+  application                     = var.application
 }

environments/dev/vpc/variables.tf

@@ -105,4 +105,18 @@ variable "map_public_ip_on_launch" {
   description = "whether to map public ip on launch or not"
 }
 
+variable "create_s3_endpoint" {
+  type        = bool
+  description = "whether to create s3 endpoint or not"
+}
+
+variable "create_secrets_manager_endpoint" {
+  type        = bool
+  description = "whether to create secrets-manager endpoint or not"
+}
+
+variable "create_cloudwatch_logs_endpoint" {
+  type        = bool
+  description = "whether to create cloudwatch logs endpoint or not"
+}
 

modules/vpc/endpoint.tf

@@ -1,9 +1,10 @@
 resource "aws_vpc_endpoint" "s3" {
-  vpc_id       = aws_vpc.main.id
-  service_name = "com.amazonaws.${var.region}.s3"
-  vpc_endpoint_type = "Interface"
+  count              = var.create_s3_endpoint ? 1 : 0
+  vpc_id             = aws_vpc.main.id
+  service_name       = "com.amazonaws.${var.region}.s3"
+  vpc_endpoint_type  = "Interface"
 
-  subnet_ids   = concat(
+  subnet_ids         = concat(
     aws_subnet.platform[*].id
   )
   tags = merge(
@@ -19,11 +20,12 @@ resource "aws_vpc_endpoint" "s3" {
 }
 
 resource "aws_vpc_endpoint" "secrets_manager" {
-  vpc_id       = aws_vpc.main.id
-  service_name = "com.amazonaws.${var.region}.secretsmanager"
-  vpc_endpoint_type = "Interface"
+  count              = var.create_secrets_manager_endpoint ? 1 : 0
+  vpc_id             = aws_vpc.main.id
+  service_name       = "com.amazonaws.${var.region}.secretsmanager"
+  vpc_endpoint_type  = "Interface"
 
-  subnet_ids   = concat(
+  subnet_ids         = concat(
     aws_subnet.platform[*].id
   )
   tags = merge(
@@ -39,11 +41,12 @@ resource "aws_vpc_endpoint" "secrets_manager" {
 }
 
 resource "aws_vpc_endpoint" "cloudwatch_logs" {
-  vpc_id       = aws_vpc.main.id
-  service_name = "com.amazonaws.${var.region}.logs"
-  vpc_endpoint_type = "Interface"
+  count              = var.create_cloudwatch_logs_endpoint ? 1 : 0
+  vpc_id             = aws_vpc.main.id
+  service_name       = "com.amazonaws.${var.region}.logs"
+  vpc_endpoint_type  = "Interface"
 
-  subnet_ids   = concat(
+  subnet_ids         = concat(
     aws_subnet.platform[*].id
   )
   tags = merge(
@@ -56,4 +59,4 @@ resource "aws_vpc_endpoint" "cloudwatch_logs" {
   },
   var.tags
   )
-}
+}

modules/vpc/variables.tf

@@ -103,4 +103,19 @@ variable "destination_cidr_block" {
 variable "map_public_ip_on_launch" {
   type        = bool
   description = "whether to map public ip on launch or not"
+}
+
+variable "create_s3_endpoint" {
+  type        = bool
+  description = "whether to create s3 endpoint or not"
+}
+
+variable "create_secrets_manager_endpoint" {
+  type        = bool
+  description = "whether to create secrets-manager endpoint or not"
+}
+
+variable "create_cloudwatch_logs_endpoint" {
+  type        = bool
+  description = "whether to create cloudwatch logs endpoint or not"
 }

vars/dev/vpc.tfvars

@@ -1,30 +1,35 @@
 #vpc
-region                        = "us-west-2"
-vpc_cidr_block                = "10.0.0.0/16"
-instance_tenancy              = "default"
-enable_dns_support            = true
-enable_dns_hostnames          = true
+region                          = "us-west-2"
+vpc_cidr_block                  = "10.0.0.0/16"
+instance_tenancy                = "default"
+enable_dns_support              = true
+enable_dns_hostnames            = true
 
 #elastic ip
-domain                        = "vpc"
+domain                          = "vpc"
 
 #nat-gateway
-create_nat_gateway            = false
+create_nat_gateway              = false
 
 #route-table
-destination_cidr_block        = "0.0.0.0/0"
+destination_cidr_block          = "0.0.0.0/0"
 
 #subnet
-map_public_ip_on_launch       = true
-public_subnet_cidr_blocks     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-app_subnet_cidr_blocks        = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
-db_subnet_cidr_blocks         = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
-management_subnet_cidr_blocks = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
-platform_subnet_cidr_blocks   = ["10.0.13.0/24", "10.0.14.0/24", "10.0.15.0/24"]
-availability_zones            = ["us-west-2a", "us-west-2b", "us-west-2c"]
+map_public_ip_on_launch         = true
+public_subnet_cidr_blocks       = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+app_subnet_cidr_blocks          = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+db_subnet_cidr_blocks           = ["10.0.7.0/24", "10.0.8.0/24", "10.0.9.0/24"]
+management_subnet_cidr_blocks   = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
+platform_subnet_cidr_blocks     = ["10.0.13.0/24", "10.0.14.0/24", "10.0.15.0/24"]
+availability_zones              = ["us-west-2a", "us-west-2b", "us-west-2c"]
+
+#endpoint
+create_s3_endpoint              = true
+create_secrets_manager_endpoint = true
+create_cloudwatch_logs_endpoint = true
 
 #tags
-owner                         = "techiescamp"
-environment                   = "dev"
-cost_center                   = "techiescamp-commerce"
-application                   = "vpc"
+owner                           = "techiescamp"
+environment                     = "dev"
+cost_center                     = "techiescamp-commerce"
+application                     = "vpc"