BATIAI-528 - Updating vpc module to add s3 endpoint (#27)

* updating vpc module to add s3 endpoint

* Update main.tf

Co-authored-by: Charles Bushong <charles.bushong@cms.hhs.gov>

* moving vpc resource back

* updating endpoint to use all non public route tables

* adding conditional statement for s3 vpc endpoint creating

---------

Co-authored-by: Shanawaze <shanawaze.shaik@revacomm.com>
Co-authored-by: Charles Bushong <charles.bushong@cms.hhs.gov>

Author: 3 people

main.tf

@@ -119,13 +119,19 @@ data "aws_ec2_managed_prefix_list" "cmscloud_public_pl" {
 data "aws_ec2_managed_prefix_list" "zscaler_pl" {
   count = var.zscaler_pl_exists ? 1 : 0
   name  = "zscaler"
+
 }
 
 data "aws_route_table" "shared" {
   for_each  = toset(try(data.aws_subnets.shared[0].ids, []))
   subnet_id = each.key
 }
 
+data "aws_route_table" "all_non_public_route_tables" {
+  for_each  = toset(local.all_non_public_subnet_ids)
+  subnet_id = each.key
+}
+
 
 locals {
   # shared subnet route table ids
@@ -163,6 +169,29 @@ locals {
     var.data_subnets_exist ? { "data" = data.aws_subnet.data } : {},
     var.transport_subnets_exist ? { "transport" = data.aws_subnet.transport } : {},
   )
+
+  all_non_public_subnets = merge({
+    "private"   = data.aws_subnet.private
+    "container" = data.aws_subnet.container
+    },
+    var.shared_subnets_exist ? { "shared" = data.aws_subnet.shared } : {},
+    var.data_subnets_exist ? { "data" = data.aws_subnet.data } : {},
+    var.transport_subnets_exist ? { "transport" = data.aws_subnet.transport } : {},
+  )
+
+  all_non_public_subnet_ids = flatten([for subnet_group in local.all_non_public_subnets : [for subnet in subnet_group : subnet.id]])
+}
+
+resource "aws_vpc_endpoint" "s3" {
+  count = var.create_s3_vpc_endpoint ? 1 : 0
+
+  vpc_id          = data.aws_vpc.batcave_vpc.id
+  service_name    = "com.amazonaws.${var.aws_region}.s3"
+  route_table_ids = [for route_table in data.aws_route_table.all_non_public_route_tables : route_table.id]
+
+  tags = {
+    Name = "${var.project}-${var.env}-s3-endpoint"
+  }
 }
 
 data "aws_eips" "nat_gateways" {

variables.tf

@@ -6,6 +6,10 @@ variable "project" {
   default = "batcave"
 }
 
+variable "aws_region" {
+  default = "us-east-1"
+}
+
 variable "transport_subnets_exist" {
   description = "Transport subnets are used to house the NLB in situations where a service is required to be exposed to VDI users"
   default     = false
@@ -53,3 +57,9 @@ variable "subnet_lookup_overrides" {
   default     = {}
   type        = map(string)
 }
+
+variable "create_s3_vpc_endpoint" {
+  type        = bool
+  description = "toggle on/off the creation of s3 vpc endpoint"
+  default     = true
+}