feat: adding s3 and dynamodb gateway endpoints by default

Author: gambol99

README.md

@@ -138,6 +138,8 @@ module "vpc" {
 }
 ```
 
+Note, by default `Gateway` endpoints are automatically created for S3 and DynamoDB, though these can be controlled by the `enable_s3_endpoint` and `enable_dynamodb_endpoint` variables.
+
 You can use `enable_ssm` as a shortcut to enable the SSM endpoints.
 
 ```hcl
@@ -338,8 +340,10 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_enable_default_route_table_association"></a> [enable\_default\_route\_table\_association](#input\_enable\_default\_route\_table\_association) | Indicates the transit gateway default route table should be associated with the subnets | `bool` | `true` | no |
 | <a name="input_enable_default_route_table_propagation"></a> [enable\_default\_route\_table\_propagation](#input\_enable\_default\_route\_table\_propagation) | Indicates the transit gateway default route table should be propagated to the subnets | `bool` | `true` | no |
 | <a name="input_enable_dns_request_logging"></a> [enable\_dns\_request\_logging](#input\_enable\_dns\_request\_logging) | Enable logging of DNS requests | `bool` | `false` | no |
+| <a name="input_enable_dynamodb_endpoint"></a> [enable\_dynamodb\_endpoint](#input\_enable\_dynamodb\_endpoint) | Enable DynamoDB VPC Gateway endpoint | `bool` | `false` | no |
 | <a name="input_enable_private_endpoints"></a> [enable\_private\_endpoints](#input\_enable\_private\_endpoints) | Indicates the network should provision private endpoints | `list(string)` | `[]` | no |
 | <a name="input_enable_route53_resolver_rules"></a> [enable\_route53\_resolver\_rules](#input\_enable\_route53\_resolver\_rules) | Automatically associates any shared route53 resolver rules with the VPC | `bool` | `true` | no |
+| <a name="input_enable_s3_endpoint"></a> [enable\_s3\_endpoint](#input\_enable\_s3\_endpoint) | Enable S3 VPC Gateway endpoint | `bool` | `false` | no |
 | <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Indicates we should provision SSM private endpoints | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_subnet_natgw"></a> [enable\_transit\_gateway\_subnet\_natgw](#input\_enable\_transit\_gateway\_subnet\_natgw) | Indicates if the transit gateway subnets should be connected to a nat gateway | `bool` | `false` | no |

dns.tf

@@ -0,0 +1,34 @@
+## Related to the DNS request logging and resolver rules
+
+## Enable DNS request logging if required
+resource "aws_cloudwatch_log_group" "dns_query_logs" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  name              = "/aws/route53/${var.name}/dns-query-logs"
+  retention_in_days = var.dns_query_log_retention
+  tags              = local.tags
+}
+
+## Create the DNS query log config
+resource "aws_route53_resolver_query_log_config" "dns_query_log_config" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  name            = "${var.name}-dns-query-logs"
+  destination_arn = aws_cloudwatch_log_group.dns_query_logs[0].arn
+}
+
+## Associate the DNS query log config with the VPC
+resource "aws_route53_resolver_query_log_config_association" "dns_query_log_association" {
+  count = var.enable_dns_request_logging ? 1 : 0
+
+  resolver_query_log_config_id = aws_route53_resolver_query_log_config.dns_query_log_config[0].id
+  resource_id                  = module.vpc.vpc_attributes.id
+}
+
+## Associate any resolver rules with the vpc if required
+resource "aws_route53_resolver_rule_association" "vpc_associations" {
+  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : []
+
+  resolver_rule_id = each.value
+  vpc_id           = module.vpc.vpc_attributes.id
+}

endpoints.tf

@@ -0,0 +1,49 @@
+
+## Provision the S3 endpoint
+resource "aws_vpc_endpoint" "s3" {
+  count = var.enable_s3_endpoint ? 1 : 0
+
+  route_table_ids   = local.public_route_table_ids
+  service_name      = "com.amazonaws.${local.region}.s3"
+  tags              = merge(local.tags, { Name = "vpce-s3-${var.name}" })
+  vpc_endpoint_type = "Gateway"
+  vpc_id            = module.vpc.vpc_attributes.id
+}
+
+## Provision the DynamoDB endpoint
+resource "aws_vpc_endpoint" "dynamodb" {
+  count = var.enable_dynamodb_endpoint ? 1 : 0
+
+  route_table_ids   = local.public_route_table_ids
+  service_name      = "com.amazonaws.${local.region}.dynamodb"
+  tags              = merge(local.tags, { Name = "vpce-dynamodb-${var.name}" })
+  vpc_endpoint_type = "Gateway"
+  vpc_id            = module.vpc.vpc_attributes.id
+}
+
+## Provision the security groups for the private links
+module "private_links" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.3.0"
+  count   = length(local.enabled_endpoints) > 0 ? 1 : 0
+
+  description         = "Provides the security groups for the private links access"
+  ingress_rules       = ["https-443-tcp"]
+  ingress_cidr_blocks = local.private_subnet_cidrs
+  name                = "vpce-${var.name}"
+  tags                = local.tags
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+## Provision any private endpoints
+resource "aws_vpc_endpoint" "vpe_endpoints" {
+  for_each = toset(local.enabled_endpoints)
+
+  private_dns_enabled = true
+  security_group_ids  = [module.private_links[0].security_group_id]
+  service_name        = "com.amazonaws.${local.region}.${each.value}"
+  subnet_ids          = local.private_subnet_ids
+  tags                = merge(local.tags, { Name = "vpce-${each.value}-${var.name}" })
+  vpc_endpoint_type   = "Interface"
+  vpc_id              = module.vpc.vpc_attributes.id
+}

locals.tf

@@ -42,6 +42,8 @@ locals {
     }
   } : null
 
+  ## A collection of all the tags for all the resources 
+  tags = merge(var.tags, {})
   # A map of all the subnets by name i.e. private/us-east-1a, public/us-east-1a, etc.
   all_subnets = merge(module.vpc.private_subnet_attributes_by_az, module.vpc.public_subnet_attributes_by_az)
   ## A list of all the names of the subnets

main.tf

@@ -7,7 +7,7 @@ module "vpc" {
   az_count                 = var.availability_zones
   cidr_block               = var.vpc_cidr
   subnets                  = local.subnets
-  tags                     = var.tags
+  tags                     = local.tags
   transit_gateway_id       = local.transit_gateway_id
   transit_gateway_routes   = local.transit_routes
   vpc_instance_tenancy     = var.vpc_instance_tenancy
@@ -27,69 +27,8 @@ module "nacls" {
   outbound_rules = var.nacl_rules[each.key].outbound_rules
   subnet_count   = var.availability_zones
   subnet_ids     = local.all_subnets_by_name[each.key].ids
-  tags           = var.tags
+  tags           = local.tags
   vpc_id         = module.vpc.vpc_attributes.id
 
   depends_on = [module.vpc]
 }
-
-## Enable DNS request logging if required
-resource "aws_cloudwatch_log_group" "dns_query_logs" {
-  count = var.enable_dns_request_logging ? 1 : 0
-
-  name              = "/aws/route53/${var.name}/dns-query-logs"
-  retention_in_days = var.dns_query_log_retention
-  tags              = var.tags
-}
-
-## Create the DNS query log config
-resource "aws_route53_resolver_query_log_config" "dns_query_log_config" {
-  count = var.enable_dns_request_logging ? 1 : 0
-
-  name            = "${var.name}-dns-query-logs"
-  destination_arn = aws_cloudwatch_log_group.dns_query_logs[0].arn
-}
-
-## Associate the DNS query log config with the VPC
-resource "aws_route53_resolver_query_log_config_association" "dns_query_log_association" {
-  count = var.enable_dns_request_logging ? 1 : 0
-
-  resolver_query_log_config_id = aws_route53_resolver_query_log_config.dns_query_log_config[0].id
-  resource_id                  = module.vpc.vpc_attributes.id
-}
-
-## Associate any resolver rules with the vpc if required
-resource "aws_route53_resolver_rule_association" "vpc_associations" {
-  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : []
-
-  resolver_rule_id = each.value
-  vpc_id           = module.vpc.vpc_attributes.id
-}
-
-## Provision the security groups for the private links
-module "private_links" {
-  source  = "terraform-aws-modules/security-group/aws"
-  version = "5.3.0"
-  count   = length(local.enabled_endpoints) > 0 ? 1 : 0
-
-  description         = "Provides the security groups for the private links access"
-  ingress_rules       = ["https-443-tcp"]
-  ingress_cidr_blocks = local.private_subnet_cidrs
-  name                = "private-links-${var.name}"
-  tags                = var.tags
-  vpc_id              = module.vpc.vpc_attributes.id
-}
-
-## Provision any private endpoints
-resource "aws_vpc_endpoint" "vpe_endpoints" {
-  for_each = toset(local.enabled_endpoints)
-
-  private_dns_enabled = true
-  security_group_ids  = [module.private_links[0].security_group_id]
-  service_name        = "com.amazonaws.${local.region}.${each.value}"
-  subnet_ids          = local.private_subnet_ids
-  tags                = merge(var.tags, { Name = "vpe-${each.value}-${var.name}" })
-  vpc_endpoint_type   = "Interface"
-  vpc_id              = module.vpc.vpc_attributes.id
-}
-

variables.tf

@@ -187,3 +187,15 @@ variable "nacl_rules" {
   }))
   default = {}
 }
+
+variable "enable_s3_endpoint" {
+  description = "Enable S3 VPC Gateway endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_dynamodb_endpoint" {
+  description = "Enable DynamoDB VPC Gateway endpoint"
+  type        = bool
+  default     = false
+}