Add Elastic File System & Cloud Directory VPC Endpoints (#355)

DrFaust92 · antonbabenko · commit ec49d4334dec · 2019-11-27T16:01:32.000+01:00
diff --git a/README.md b/README.md
@@ -21,7 +21,7 @@ ECS, ECS Agent, ECS Telemetry, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Even
 Elastic Load Balancing, CloudTrail, Secrets Manager, Config, CodeBuild, CodeCommit, 
 Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), 
 CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream,
-Athena, Rekognition
+Athena, Rekognition, Elastic File System (EFS), Cloud Directory
 
 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
@@ -226,6 +226,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | athena\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
 | azs | A list of availability zones in the region | list(string) | `[]` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | string | `"0.0.0.0/0"` | no |
+| cloud\_directory\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint | bool | `"false"` | no |
+| cloud\_directory\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint | list(string) | `[]` | no |
+| cloud\_directory\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | list(string) | `[]` | no |
 | cloudformation\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloudformation endpoint | bool | `"false"` | no |
 | cloudformation\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Cloudformation endpoint | list(string) | `[]` | no |
 | cloudformation\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Cloudformation endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
@@ -300,6 +303,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | bool | `"false"` | no |
 | ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | list(string) | `[]` | no |
 | ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | list(string) | `[]` | no |
+| efs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint | bool | `"false"` | no |
+| efs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EFS endpoint | list(string) | `[]` | no |
+| efs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | list(string) | `[]` | no |
 | elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map(string) | `{}` | no |
 | elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | bool | `"false"` | no |
 | elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list(map(string)) | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no |
@@ -319,6 +325,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | enable\_athena\_endpoint | Should be true if you want to provision a Athena endpoint to the VPC | bool | `"false"` | no |
 | enable\_classiclink | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool | `"null"` | no |
 | enable\_classiclink\_dns\_support | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | bool | `"null"` | no |
+| enable\_cloud\_directory\_endpoint | Should be true if you want to provision an Cloud Directory endpoint to the VPC | bool | `"false"` | no |
 | enable\_cloudformation\_endpoint | Should be true if you want to provision a Cloudformation endpoint to the VPC | bool | `"false"` | no |
 | enable\_cloudtrail\_endpoint | Should be true if you want to provision a CloudTrail endpoint to the VPC | bool | `"false"` | no |
 | enable\_codebuild\_endpoint | Should be true if you want to provision an Codebuild endpoint to the VPC | string | `"false"` | no |
@@ -336,6 +343,7 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | enable\_ecs\_agent\_endpoint | Should be true if you want to provision a ECS Agent endpoint to the VPC | bool | `"false"` | no |
 | enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | bool | `"false"` | no |
 | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | bool | `"false"` | no |
+| enable\_efs\_endpoint | Should be true if you want to provision an EFS endpoint to the VPC | bool | `"false"` | no |
 | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | bool | `"false"` | no |
 | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | bool | `"false"` | no |
 | enable\_git\_codecommit\_endpoint | Should be true if you want to provision an Git Codecommit endpoint to the VPC | string | `"false"` | no |
@@ -573,6 +581,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_athena\_dns\_entry | The DNS entries for the VPC Endpoint for Athena. |
 | vpc\_endpoint\_athena\_id | The ID of VPC endpoint for Athena |
 | vpc\_endpoint\_athena\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Athena. |
+| vpc\_endpoint\_cloud\_directory\_dns\_entry | The DNS entries for the VPC Endpoint for Cloud Directory. |
+| vpc\_endpoint\_cloud\_directory\_id | The ID of VPC endpoint for Cloud Directory |
+| vpc\_endpoint\_cloud\_directory\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Cloud Directory. |
 | vpc\_endpoint\_cloudformation\_dns\_entry | The DNS entries for the VPC Endpoint for Cloudformation. |
 | vpc\_endpoint\_cloudformation\_id | The ID of VPC endpoint for Cloudformation |
 | vpc\_endpoint\_cloudformation\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Cloudformation. |
@@ -614,6 +625,9 @@ Sometimes it is handy to have public access to Redshift clusters (for example if
 | vpc\_endpoint\_ecs\_telemetry\_dns\_entry | The DNS entries for the VPC Endpoint for ECS Telemetry. |
 | vpc\_endpoint\_ecs\_telemetry\_id | The ID of VPC endpoint for ECS Telemetry |
 | vpc\_endpoint\_ecs\_telemetry\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ECS Telemetry. |
+| vpc\_endpoint\_efs\_dns\_entry | The DNS entries for the VPC Endpoint for EFS. |
+| vpc\_endpoint\_efs\_id | The ID of VPC endpoint for EFS |
+| vpc\_endpoint\_efs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EFS. |
 | vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
 | vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
 | vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
diff --git a/outputs.tf b/outputs.tf
@@ -962,6 +962,37 @@ output "vpc_endpoint_rekognition_dns_entry" {
   value       = flatten(aws_vpc_endpoint.rekognition.*.dns_entry)
 }
 
+output "vpc_endpoint_efs_id" {
+  description = "The ID of VPC endpoint for EFS"
+  value       = concat(aws_vpc_endpoint.efs.*.id, [""])[0]
+}
+
+output "vpc_endpoint_efs_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EFS."
+  value       = flatten(aws_vpc_endpoint.efs.*.network_interface_ids)
+}
+
+output "vpc_endpoint_efs_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for EFS."
+  value       = flatten(aws_vpc_endpoint.efs.*.dns_entry)
+}
+
+output "vpc_endpoint_cloud_directory_id" {
+  description = "The ID of VPC endpoint for Cloud Directory"
+  value       = concat(aws_vpc_endpoint.cloud_directory.*.id, [""])[0]
+}
+
+output "vpc_endpoint_cloud_directory_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Cloud Directory."
+  value       = flatten(aws_vpc_endpoint.cloud_directory.*.network_interface_ids)
+}
+
+output "vpc_endpoint_cloud_directory_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Cloud Directory."
+  value       = flatten(aws_vpc_endpoint.cloud_directory.*.dns_entry)
+}
+
+
 # Static values (arguments)
 output "azs" {
   description = "A list of availability zones specified as argument to this module"
diff --git a/variables.tf b/variables.tf
@@ -1250,6 +1250,55 @@ variable "rekognition_endpoint_private_dns_enabled" {
   default     = false
 }
 
+variable "enable_efs_endpoint" {
+  description = "Should be true if you want to provision an EFS endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "efs_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for EFS endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "efs_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "efs_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_cloud_directory_endpoint" {
+  description = "Should be true if you want to provision an Cloud Directory endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "cloud_directory_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "cloud_directory_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "cloud_directory_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint"
+  type        = bool
+  default     = false
+}
+
+
 variable "map_public_ip_on_launch" {
   description = "Should be false if you do not want to auto-assign public IP on launch"
   type        = bool
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
@@ -957,3 +957,49 @@ resource "aws_vpc_endpoint" "rekognition" {
   private_dns_enabled = var.rekognition_endpoint_private_dns_enabled
   tags                = local.vpce_tags
 }
+
+#######################
+# VPC Endpoint for EFS
+#######################
+data "aws_vpc_endpoint_service" "efs" {
+  count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0
+
+  service = "elasticfilesystem"
+}
+
+resource "aws_vpc_endpoint" "efs" {
+  count = var.create_vpc && var.enable_efs_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.efs.service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.efs_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.efs_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.efs_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for Cloud Directory
+#######################
+data "aws_vpc_endpoint_service" "cloud_directory" {
+  count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0
+
+  service = "clouddirectory"
+}
+
+resource "aws_vpc_endpoint" "cloud_directory" {
+  count = var.create_vpc && var.enable_cloud_directory_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.cloud_directory.service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.cloud_directory_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.cloud_directory_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.cloud_directory_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
