Browse Source

feat: Lambda VPC Endpoint (#534)

tags/v2.63.0
Larry Aiello GitHub 1 month ago
parent
commit
cacc2b01c5
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 90 additions and 1 deletions
  1. +7
    -0
      README.md
  2. +3
    -0
      examples/complete-vpc/README.md
  3. +5
    -1
      examples/complete-vpc/main.tf
  4. +15
    -0
      examples/complete-vpc/outputs.tf
  5. +15
    -0
      outputs.tf
  6. +24
    -0
      variables.tf
  7. +21
    -0
      vpc-endpoints.tf

+ 7
- 0
README.md View File

@@ -450,6 +450,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
| enable\_kinesis\_firehose\_endpoint | Should be true if you want to provision a Kinesis Firehose endpoint to the VPC | `bool` | `false` | no |
| enable\_kinesis\_streams\_endpoint | Should be true if you want to provision a Kinesis Streams endpoint to the VPC | `bool` | `false` | no |
| enable\_kms\_endpoint | Should be true if you want to provision a KMS endpoint to the VPC | `bool` | `false` | no |
| enable\_lambda\_endpoint | Should be true if you want to provision a Lambda endpoint to the VPC | `bool` | `false` | no |
| enable\_logs\_endpoint | Should be true if you want to provision a CloudWatch Logs endpoint to the VPC | `bool` | `false` | no |
| enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | `bool` | `false` | no |
| enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
@@ -519,6 +520,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | `bool` | `false` | no |
| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | `list(string)` | `[]` | no |
| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| lambda\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint | `bool` | `false` | no |
| lambda\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Lambda endpoint | `list(string)` | `[]` | no |
| lambda\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | `bool` | `false` | no |
| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | `list(string)` | `[]` | no |
| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -855,6 +859,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
| vpc\_endpoint\_kms\_dns\_entry | The DNS entries for the VPC Endpoint for KMS. |
| vpc\_endpoint\_kms\_id | The ID of VPC endpoint for KMS |
| vpc\_endpoint\_kms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for KMS. |
| vpc\_endpoint\_lambda\_dns\_entry | The DNS entries for the VPC Endpoint for Lambda. |
| vpc\_endpoint\_lambda\_id | The ID of VPC endpoint for Lambda |
| vpc\_endpoint\_lambda\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Lambda. |
| vpc\_endpoint\_logs\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Logs. |
| vpc\_endpoint\_logs\_id | The ID of VPC endpoint for CloudWatch Logs |
| vpc\_endpoint\_logs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Logs. |


+ 3
- 0
examples/complete-vpc/README.md View File

@@ -47,6 +47,9 @@ No input.
| public\_subnets | List of IDs of public subnets |
| redshift\_subnets | List of IDs of redshift subnets |
| this\_customer\_gateway | Map of Customer Gateway attributes |
| vpc\_endpoint\_lambda\_dns\_entry | The DNS entries for the VPC Endpoint for Lambda. |
| vpc\_endpoint\_lambda\_id | The ID of VPC endpoint for Lambda |
| vpc\_endpoint\_lambda\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Lambda. |
| vpc\_endpoint\_ssm\_dns\_entry | The DNS entries for the VPC Endpoint for SSM. |
| vpc\_endpoint\_ssm\_id | The ID of VPC endpoint for SSM |
| vpc\_endpoint\_ssm\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSM. |


+ 5
- 1
examples/complete-vpc/main.tf View File

@@ -61,6 +61,11 @@ module "vpc" {
ssm_endpoint_private_dns_enabled = true
ssm_endpoint_security_group_ids = [data.aws_security_group.default.id]

# VPC endpoint for Lambda
enable_lambda_endpoint = true
lambda_endpoint_private_dns_enabled = true
lambda_endpoint_security_group_ids = [data.aws_security_group.default.id]

# VPC endpoint for SSMMESSAGES
enable_ssmmessages_endpoint = true
ssmmessages_endpoint_private_dns_enabled = true
@@ -133,4 +138,3 @@ module "vpc" {
Endpoint = "true"
}
}


+ 15
- 0
examples/complete-vpc/outputs.tf View File

@@ -57,6 +57,21 @@ output "vpc_endpoint_ssm_dns_entry" {
value = module.vpc.vpc_endpoint_ssm_dns_entry
}

output "vpc_endpoint_lambda_id" {
description = "The ID of VPC endpoint for Lambda"
value = module.vpc.vpc_endpoint_lambda_id
}

output "vpc_endpoint_lambda_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for Lambda."
value = module.vpc.vpc_endpoint_lambda_network_interface_ids
}

output "vpc_endpoint_lambda_dns_entry" {
description = "The DNS entries for the VPC Endpoint for Lambda."
value = module.vpc.vpc_endpoint_lambda_dns_entry
}

# Customer Gateway
output "cgw_ids" {
description = "List of IDs of Customer Gateway"


+ 15
- 0
outputs.tf View File

@@ -513,6 +513,21 @@ output "vpc_endpoint_sqs_dns_entry" {
value = flatten(aws_vpc_endpoint.sqs.*.dns_entry)
}

output "vpc_endpoint_lambda_id" {
description = "The ID of VPC endpoint for Lambda"
value = concat(aws_vpc_endpoint.lambda.*.id, [""])[0]
}

output "vpc_endpoint_lambda_network_interface_ids" {
description = "One or more network interfaces for the VPC Endpoint for Lambda."
value = flatten(aws_vpc_endpoint.lambda.*.network_interface_ids)
}

output "vpc_endpoint_lambda_dns_entry" {
description = "The DNS entries for the VPC Endpoint for Lambda."
value = flatten(aws_vpc_endpoint.lambda.*.dns_entry)
}

output "vpc_endpoint_codebuild_id" {
description = "The ID of VPC endpoint for codebuild"
value = concat(aws_vpc_endpoint.codebuild.*.id, [""])[0]


+ 24
- 0
variables.tf View File

@@ -490,6 +490,30 @@ variable "sqs_endpoint_private_dns_enabled" {
default = false
}

variable "enable_lambda_endpoint" {
description = "Should be true if you want to provision a Lambda endpoint to the VPC"
type = bool
default = false
}

variable "lambda_endpoint_security_group_ids" {
description = "The ID of one or more security groups to associate with the network interface for Lambda endpoint"
type = list(string)
default = []
}

variable "lambda_endpoint_subnet_ids" {
description = "The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
type = list(string)
default = []
}

variable "lambda_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint"
type = bool
default = false
}

variable "enable_ssm_endpoint" {
description = "Should be true if you want to provision an SSM endpoint to the VPC"
type = bool


+ 21
- 0
vpc-endpoints.tf View File

@@ -185,6 +185,27 @@ resource "aws_vpc_endpoint" "sqs" {
tags = local.vpce_tags
}

#########################
# VPC Endpoint for Lambda
#########################
data "aws_vpc_endpoint_service" "lambda" {
count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0

service = "lambda"
}
resource "aws_vpc_endpoint" "lambda" {
count = var.create_vpc && var.enable_lambda_endpoint ? 1 : 0

vpc_id = local.vpc_id
service_name = data.aws_vpc_endpoint_service.lambda[0].service_name
vpc_endpoint_type = "Interface"

security_group_ids = var.lambda_endpoint_security_group_ids
subnet_ids = coalescelist(var.lambda_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.lambda_endpoint_private_dns_enabled
tags = local.vpce_tags
}

###################################
# VPC Endpoint for Secrets Manager
###################################


Loading…
Cancel
Save