Merge pull request #131 from lorengordon/dilemma

plus3it · Feb 9, 2021 · 6078795 · 6078795
2 parents 745a87a + 9d2cb4d
commit 6078795
Show file tree

Hide file tree

Showing 16 changed files with 121 additions and 709 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 5.0.0
+current_version = 6.0.0
 commit = True
 message = Bumps version to {new_version}
 tag = False

diff --git a/.gitignore b/.gitignore
@@ -15,6 +15,8 @@
 .tardigrade-ci
 tardigrade-ci/
 
-# eclint
-.git/
+# terraform lock file
+.terraform.lock.hcl
 
+# terratest packaging
+tests/go.*
diff --git a/Makefile b/Makefile
@@ -1,4 +1,5 @@
 SHELL := /bin/bash
 
--include $(shell curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)
+export TIMEOUT = 40m
 
+-include $(shell curl -sSL -o .tardigrade-ci "https://raw.githubusercontent.com/plus3it/tardigrade-ci/master/bootstrap/Makefile.bootstrap"; echo .tardigrade-ci)
diff --git a/README.md b/README.md
@@ -37,24 +37,25 @@ Then commit the updated files.
 
 | Name | Version |
 |------|---------|
-| terraform | >= 0.12.9 |
+| terraform | >= 0.12.26 |
+| aws | >= 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | n/a |
+| aws | >= 3.0 |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| subnet\_ids | Target Subnet IDs for "Interface" services. Also used to resolve the `vpc_id` for "Gateway" services | `list(string)` | n/a | yes |
+| vpc\_endpoint\_services | List of AWS Endpoint service names and types. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. | <pre>list(object({<br>    name = string<br>    type = string<br>  }))</pre> | n/a | yes |
 | create\_sg\_per\_endpoint | Toggle to create a SecurityGroup for each VPC Endpoint. Defaults to using just one for all Interface Endpoints. Note that Gateway Endpoints don't support SecurityGroups. | `bool` | `false` | no |
 | sg\_egress\_rules | Egress rules for the VPC Endpoint SecurityGroup(s). Set to empty list to disable default rules. | <pre>list(object({<br>    description      = string<br>    prefix_list_ids  = list(string)<br>    from_port        = number<br>    to_port          = number<br>    protocol         = string<br>    cidr_blocks      = list(string)<br>    ipv6_cidr_blocks = list(string)<br>    security_groups  = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": null,<br>    "from_port": 0,<br>    "ipv6_cidr_blocks": null,<br>    "prefix_list_ids": null,<br>    "protocol": "-1",<br>    "security_groups": null,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | sg\_ingress\_rules | Ingress rules for the VPC Endpoint SecurityGroup(s). Set to empty list to disable default rules. | <pre>list(object({<br>    description      = string<br>    prefix_list_ids  = list(string)<br>    from_port        = number<br>    to_port          = number<br>    protocol         = string<br>    cidr_blocks      = list(string)<br>    ipv6_cidr_blocks = list(string)<br>    security_groups  = list(string)<br>  }))</pre> | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": null,<br>    "from_port": 0,<br>    "ipv6_cidr_blocks": null,<br>    "prefix_list_ids": null,<br>    "protocol": "-1",<br>    "security_groups": null,<br>    "to_port": 0<br>  }<br>]</pre> | no |
-| subnet\_ids | Target Subnet ids. | `list(string)` | `[]` | no |
 | tags | A map of tags to add to the VPC Endpoint and to the SecurityGroup(s). | `map(string)` | `{}` | no |
-| vpc\_endpoint\_services | List of AWS Endpoint service names that are used to create VPC Interface Endpoints. Both Gateway and Interface Endpoints are supported. See https://docs.aws.amazon.com/general/latest/gr/rande.html for full list. | `list(string)` | `[]` | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -1,38 +1,46 @@
 data "aws_subnet" "selected" {
-
   id = var.subnet_ids[0]
 }
 
 data "aws_region" "selected" {}
 
 data "aws_vpc_endpoint_service" "this" {
-  for_each = toset(var.vpc_endpoint_services)
+  for_each = { for service in var.vpc_endpoint_services : "${service.name}:${service.type}" => service }
 
   // If we get a "common name" (like "kms") we must generate a fully qualified name.
   // If the name contains the current region we trust the user to have provided a valid fully qualified name.
   // This handles all _current_ services.
   // * Simple ones like "s3" or "sns".
   // * Complex common names like "ecr.dkr" and "ecr.api".
   // * Non-standard services like sagemeaker where the fully qualified name is like "aws.sagemaker.us-east-1.notebook".
-  service_name = length(regexall(data.aws_region.selected.name, each.key)) == 1 ? each.key : "com.amazonaws.${data.aws_region.selected.name}.${each.key}"
+  service_name = length(regexall(data.aws_region.selected.name, each.value.name)) == 1 ? each.value.name : "com.amazonaws.${data.aws_region.selected.name}.${each.value.name}"
+  service_type = title(each.value.type)
 }
 
 locals {
-  vpc_id = join("", data.aws_subnet.selected.*.vpc_id)
+  vpc_id = data.aws_subnet.selected.vpc_id
 
   # Split Endpoints by their type
   gateway_endpoints   = toset([for e in data.aws_vpc_endpoint_service.this : e.service_name if e.service_type == "Gateway"])
   interface_endpoints = toset([for e in data.aws_vpc_endpoint_service.this : e.service_name if e.service_type == "Interface"])
 
   # Only Interface Endpoints support SGs
-  security_groups = toset(var.create_sg_per_endpoint ? local.interface_endpoints : ["shared"])
+  security_groups = toset(
+    length(local.interface_endpoints) > 0 ? (
+      var.create_sg_per_endpoint ? local.interface_endpoints : ["shared"]
+    ) : []
+  )
+
+  # Regex of Interface services that do not support Private DNS
+  no_private_dns = "s3"
 }
 
 resource "aws_security_group" "this" {
   for_each = local.security_groups
 
   description = var.create_sg_per_endpoint ? "VPC Interface ${each.key} Endpoint" : "VPC Interface Endpoints"
   vpc_id      = local.vpc_id
+  tags        = var.tags
 
   dynamic "egress" {
     for_each = var.sg_egress_rules
@@ -62,8 +70,6 @@ resource "aws_security_group" "this" {
     }
   }
 
-  tags = var.tags
-
   lifecycle {
     create_before_destroy = true
   }
@@ -72,27 +78,26 @@ resource "aws_security_group" "this" {
 resource "aws_vpc_endpoint" "interface_services" {
   for_each = local.interface_endpoints
 
-  vpc_id            = local.vpc_id
+  auto_accept       = true
   service_name      = each.key
+  tags              = var.tags
   vpc_endpoint_type = "Interface"
-  auto_accept       = true
+  vpc_id            = local.vpc_id
 
   subnet_ids = var.subnet_ids
 
   security_group_ids = var.create_sg_per_endpoint ? [aws_security_group.this[each.key].id] : [aws_security_group.this["shared"].id]
 
-  private_dns_enabled = true # https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns
-
-  tags = var.tags
+  # https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-private-dns
+  private_dns_enabled = length(regexall(local.no_private_dns, each.key)) == 0 ? true : false
 }
 
 resource "aws_vpc_endpoint" "gateway_services" {
   for_each = local.gateway_endpoints
 
-  vpc_id            = local.vpc_id
+  auto_accept       = true
   service_name      = each.key
+  tags              = var.tags
   vpc_endpoint_type = "Gateway"
-  auto_accept       = true
-
-  tags = var.tags
+  vpc_id            = local.vpc_id
 }
diff --git a/tests/config_endpoint/main.tf b/tests/config_endpoint/main.tf
@@ -10,10 +10,7 @@ resource "random_string" "this" {
 }
 
 module "vpc" {
-  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.15.0"
-  providers = {
-    aws = aws
-  }
+  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.70.0"
 
   name                 = "tardigrade-vpc-endpoints-${random_string.this.result}"
   cidr                 = "10.0.0.0/16"
@@ -25,10 +22,13 @@ module "vpc" {
 
 module "config_endpoint" {
   source = "../../"
-  providers = {
-    aws = aws
-  }
 
-  vpc_endpoint_services = ["config"]
-  subnet_ids            = module.vpc.private_subnets
+  vpc_endpoint_services = [
+    {
+      name = "config"
+      type = "Interface"
+    },
+  ]
+
+  subnet_ids = module.vpc.private_subnets
 }
diff --git a/tests/custom_sg_rules/main.tf b/tests/custom_sg_rules/main.tf
@@ -10,10 +10,7 @@ resource "random_string" "this" {
 }
 
 module "vpc" {
-  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.15.0"
-  providers = {
-    aws = aws
-  }
+  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.70.0"
 
   name                 = "tardigrade-vpc-endpoints-${random_string.this.result}"
   cidr                 = "10.0.0.0/16"
@@ -43,11 +40,14 @@ locals {
 
 module "custom_sg_rules" {
   source = "../../"
-  providers = {
-    aws = aws
-  }
 
-  vpc_endpoint_services = ["config"]
-  subnet_ids            = module.vpc.private_subnets
-  sg_ingress_rules      = local.sg_ingress_rules
+  vpc_endpoint_services = [
+    {
+      name = "config"
+      type = "Interface"
+    },
+  ]
+
+  subnet_ids       = module.vpc.private_subnets
+  sg_ingress_rules = local.sg_ingress_rules
 }
diff --git a/tests/fully_qualified_name_endpoint/main.tf b/tests/fully_qualified_name_endpoint/main.tf
@@ -10,7 +10,7 @@ resource "random_string" "this" {
 }
 
 module "vpc" {
-  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.15.0"
+  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.70.0"
   providers = {
     aws = aws
   }
@@ -29,6 +29,12 @@ module "fully_qualified_name_endpoint" {
     aws = aws
   }
 
-  vpc_endpoint_services = ["aws.sagemaker.us-east-1.notebook"]
-  subnet_ids            = module.vpc.private_subnets
+  vpc_endpoint_services = [
+    {
+      name = "aws.sagemaker.us-east-1.notebook"
+      type = "Interface"
+    },
+  ]
+
+  subnet_ids = module.vpc.private_subnets
 }
diff --git a/tests/gateway_type_endpoint/main.tf b/tests/gateway_type_endpoint/main.tf
@@ -10,10 +10,7 @@ resource "random_string" "this" {
 }
 
 module "vpc" {
-  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.15.0"
-  providers = {
-    aws = aws
-  }
+  source = "github.com/terraform-aws-modules/terraform-aws-vpc?ref=v2.70.0"
 
   name                 = "tardigrade-vpc-endpoints-${random_string.this.result}"
   cidr                 = "10.0.0.0/16"
@@ -25,10 +22,13 @@ module "vpc" {
 
 module "gateway_type_endpoint" {
   source = "../../"
-  providers = {
-    aws = aws
-  }
 
-  vpc_endpoint_services = ["s3"]
-  subnet_ids            = module.vpc.private_subnets
+  vpc_endpoint_services = [
+    {
+      name = "s3"
+      type = "Gateway"
+    },
+  ]
+
+  subnet_ids = module.vpc.private_subnets
 }
diff --git a/tests/go.mod b/tests/go.mod