feat(internet-gateways): add better tagging for naming visibility (#157)

oycyc · gberenice · web-flow · commit 71b422fa81b8 · 2025-08-13T16:08:16.000+03:00
* feat(internet-gateways): add better tagging for naming visibility

* fix tests

* fix tests and tofu fmt

* fix tests and tofu fmt

* goddamn why is there multiple things not maintained in test

* goddamn why is there multiple things not maintained in test

* goddamn why is there multiple things not maintained in test

* these tests are sooooo PITA

* fix: add a dependency chain for security group associations

* fix: use native provider retry logic

* feat: add time_sleep to resolve race condition

* fix: serialize all operations

* feat: replace with aws_vpc_endpoint_security_group_association security_group_ids

* chore: try out default provider configuragion

* fix: support previously implemented logic with the default SG

---------

Co-authored-by: Veronika Gnilitska &lt;veronika.gnilitska@gmail.com&gt;
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -1,13 +1,16 @@
 output "public_subnet_cidrs" {
-  value = module.subnets.public_subnet_cidrs
+  value       = module.subnets.public_subnet_cidrs
+  description = "The CIDR blocks for the public subnets"
 }
 
 output "private_subnet_cidrs" {
-  value = module.subnets.private_subnet_cidrs
+  value       = module.subnets.private_subnet_cidrs
+  description = "The CIDR blocks for the private subnets"
 }
 
 output "vpc_cidr" {
-  value = module.vpc.vpc_cidr_block
+  value       = module.vpc.vpc_cidr_block
+  description = "The CIDR block for the VPC"
 }
 
 output "additional_cidr_blocks" {
diff --git a/examples/complete/variables.tf b/examples/complete/variables.tf
@@ -1,23 +1,29 @@
 variable "region" {
-  type = string
+  type        = string
+  description = "The region to use for the VPC"
 }
 
 variable "availability_zones" {
-  type = list(string)
+  type        = list(string)
+  description = "The availability zones to use for the VPC"
 }
 
 variable "default_security_group_deny_all" {
-  type = bool
+  type        = bool
+  description = "Whether to deny all ingress and egress traffic on the default security group"
 }
 
 variable "default_route_table_no_routes" {
-  type = bool
+  type        = bool
+  description = "Whether to remove all routes from the default route table"
 }
 
 variable "default_network_acl_deny_all" {
-  type = bool
+  type        = bool
+  description = "Whether to deny all ingress and egress traffic on the default network ACL"
 }
 
 variable "network_address_usage_metrics_enabled" {
-  type = bool
+  type        = bool
+  description = "Whether to enable network address usage metrics"
 }
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.9.0, < 6.0"
     }
   }
 }
diff --git a/examples/deprecated/outputs.tf b/examples/deprecated/outputs.tf
@@ -1,11 +1,14 @@
 output "public_subnet_cidrs" {
-  value = module.subnets.public_subnet_cidrs
+  description = "The CIDR blocks for the public subnets"
+  value       = module.subnets.public_subnet_cidrs
 }
 
 output "private_subnet_cidrs" {
-  value = module.subnets.private_subnet_cidrs
+  description = "The CIDR blocks for the private subnets"
+  value       = module.subnets.private_subnet_cidrs
 }
 
 output "vpc_cidr" {
-  value = module.vpc.vpc_cidr_block
+  description = "The CIDR block for the VPC"
+  value       = module.vpc.vpc_cidr_block
 }
diff --git a/examples/deprecated/variables.tf b/examples/deprecated/variables.tf
@@ -1,7 +1,9 @@
 variable "region" {
-  type = string
+  type        = string
+  description = "The region to use for the VPC"
 }
 
 variable "availability_zones" {
-  type = list(string)
+  type        = list(string)
+  description = "The availability zones to use for the VPC"
 }
diff --git a/examples/deprecated/versions.tf b/examples/deprecated/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.0"
+      version = ">= 3.0, < 6.0"
     }
   }
 }
diff --git a/examples/vpc-endpoints/versions.tf b/examples/vpc-endpoints/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.9.0, < 6.0"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/main.tf b/main.tf
@@ -27,6 +27,24 @@ module "label" {
   context = module.this.context
 }
 
+module "igw_label" {
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  enabled    = local.internet_gateway_enabled
+  attributes = ["igw"]
+  context    = module.this.context
+}
+
+module "eigw_label" {
+  source  = "cloudposse/label/null"
+  version = "0.25.0"
+
+  enabled    = local.ipv6_egress_only_internet_gateway_enabled
+  attributes = ["eigw"]
+  context    = module.this.context
+}
+
 resource "aws_vpc" "default" {
   count = local.enabled ? 1 : 0
 
@@ -77,14 +95,14 @@ resource "aws_internet_gateway" "default" {
   count = local.internet_gateway_enabled ? 1 : 0
 
   vpc_id = aws_vpc.default[0].id
-  tags   = module.label.tags
+  tags   = module.igw_label.tags
 }
 
 resource "aws_egress_only_internet_gateway" "default" {
   count = local.ipv6_egress_only_internet_gateway_enabled ? 1 : 0
 
   vpc_id = aws_vpc.default[0].id
-  tags   = module.label.tags
+  tags   = module.eigw_label.tags
 }
 
 resource "aws_vpc_ipv4_cidr_block_association" "default" {
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
@@ -32,10 +32,8 @@ Submodule for provisioning Gateway and/or Interface VPC Endpoints to the VPC cre
 | [aws_vpc_endpoint.gateway_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_vpc_endpoint.interface_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
 | [aws_vpc_endpoint_route_table_association.gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource |
-| [aws_vpc_endpoint_security_group_association.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_security_group_association) | resource |
 | [aws_vpc_endpoint_subnet_association.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_subnet_association) | resource |
 | [time_sleep.creation](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
-| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_vpc_endpoint.gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source |
 | [aws_vpc_endpoint.interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source |
 | [aws_vpc_endpoint_service.gateway_endpoint_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
@@ -23,34 +23,6 @@ locals {
 
   subnet_associations_map = { for v in local.subnet_associations_list : v.key => v }
 
-  # Because security group ID may not be known at plan time, we cannot use it as a key
-  security_group_associations_list = flatten([for k, v in var.interface_vpc_endpoints : [
-    for i, s in v.security_group_ids : {
-      key               = "${k}[${i}]"
-      index             = i
-      interface         = k
-      security_group_id = s
-    }
-  ]])
-
-  security_group_associations_map = { for v in local.security_group_associations_list : v.key => v }
-}
-
-# Unfortunately, the AWS provider makes us jump through hoops to deal with the
-# association of an endpoint interface with the default VPC security group.
-# See https://github.com/hashicorp/terraform-provider-aws/issues/27100
-data "aws_security_group" "default" {
-  count = local.enabled ? 1 : 0
-
-  filter {
-    name   = "group-name"
-    values = ["default"]
-  }
-
-  filter {
-    name   = "vpc-id"
-    values = [var.vpc_id]
-  }
 }
 
 data "aws_vpc_endpoint_service" "gateway_endpoint_service" {
@@ -110,6 +82,8 @@ resource "aws_vpc_endpoint" "interface_endpoint" {
   vpc_id              = var.vpc_id
   private_dns_enabled = var.interface_vpc_endpoints[each.key].private_dns_enabled
 
+  security_group_ids = length(var.interface_vpc_endpoints[each.key].security_group_ids) > 0 ? var.interface_vpc_endpoints[each.key].security_group_ids : null
+
   tags = module.interface_endpoint_label[each.key].tags
 }
 
@@ -119,16 +93,3 @@ resource "aws_vpc_endpoint_subnet_association" "interface" {
   subnet_id       = each.value.subnet_id
   vpc_endpoint_id = aws_vpc_endpoint.interface_endpoint[each.value.interface].id
 }
-
-resource "aws_vpc_endpoint_security_group_association" "interface" {
-  for_each = local.enabled ? local.security_group_associations_map : {}
-
-  # It is an error to replace the default association with the default security group
-  # See https://github.com/hashicorp/terraform-provider-aws/issues/27100
-  replace_default_association = each.value.index == 0 && each.value.security_group_id != data.aws_security_group.default[0].id
-
-  security_group_id = each.value.security_group_id
-  vpc_endpoint_id   = aws_vpc_endpoint.interface_endpoint[each.value.interface].id
-
-  depends_on = [aws_vpc_endpoint_subnet_association.interface]
-}
diff --git a/modules/vpc-endpoints/outputs.tf b/modules/vpc-endpoints/outputs.tf
@@ -14,7 +14,6 @@ resource "time_sleep" "creation" {
     aws_vpc_endpoint_route_table_association.gateway,
     aws_vpc_endpoint.interface_endpoint,
     aws_vpc_endpoint_subnet_association.interface,
-    aws_vpc_endpoint_security_group_association.interface,
   ]
 
   create_duration = var.post_creation_refresh_delay
diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
@@ -33,10 +33,10 @@ variable "interface_vpc_endpoints" {
     - `name`: Simple name of the service, like "ec2" or "redshift"
     - `policy`: A policy (as JSON string) to attach to the endpoint that controls access to the service. May be `null` for full access.
     - `private_dns_enabled`: Set `true` to associate a private hosted zone with the specified VPC
-    - `security_group_ids`: The ID of one or more security groups to associate with the network interface. The first
-      security group will replace the default association with the VPC's default security group. If you want
-      to maintain the association with the default security group, either leave `security_group_ids` empty or
-      include the default security group ID in the list.
+    - `security_group_ids`: The ID of one or more security groups to associate with the network interface.
+      If empty list `[]` is provided, the VPC's default security group will be used automatically.
+      If specific security group IDs are provided, they will replace the default security group association.
+      To use both custom and default security groups, include both in the list.
     - `subnet_ids`: List of subnet in which to install the endpoints.
    EOT
   default     = {}
diff --git a/modules/vpc-endpoints/versions.tf b/modules/vpc-endpoints/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9.0"
+      version = ">= 4.9.0, < 6.0"
     }
     time = {
       source  = "hashicorp/time"

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,16 @@`
`1`	`1`	`output "public_subnet_cidrs" {`
`2`		`- value = module.subnets.public_subnet_cidrs`
	`2`	`+ value = module.subnets.public_subnet_cidrs`
	`3`	`+ description = "The CIDR blocks for the public subnets"`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`output "private_subnet_cidrs" {`
`6`		`- value = module.subnets.private_subnet_cidrs`
	`7`	`+ value = module.subnets.private_subnet_cidrs`
	`8`	`+ description = "The CIDR blocks for the private subnets"`
`7`	`9`	`}`
`8`	`10`
`9`	`11`	`output "vpc_cidr" {`
`10`		`- value = module.vpc.vpc_cidr_block`
	`12`	`+ value = module.vpc.vpc_cidr_block`
	`13`	`+ description = "The CIDR block for the VPC"`
`11`	`14`	`}`
`12`	`15`
`13`	`16`	`output "additional_cidr_blocks" {`
Original file line number	Diff line number	Diff line change
`@@ -1,23 +1,29 @@`
`1`	`1`	`variable "region" {`
`2`		`- type = string`
	`2`	`+ type = string`
	`3`	`+ description = "The region to use for the VPC"`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`variable "availability_zones" {`
`6`		`- type = list(string)`
	`7`	`+ type = list(string)`
	`8`	`+ description = "The availability zones to use for the VPC"`
`7`	`9`	`}`
`8`	`10`
`9`	`11`	`variable "default_security_group_deny_all" {`
`10`		`- type = bool`
	`12`	`+ type = bool`
	`13`	`+ description = "Whether to deny all ingress and egress traffic on the default security group"`
`11`	`14`	`}`
`12`	`15`
`13`	`16`	`variable "default_route_table_no_routes" {`
`14`		`- type = bool`
	`17`	`+ type = bool`
	`18`	`+ description = "Whether to remove all routes from the default route table"`
`15`	`19`	`}`
`16`	`20`
`17`	`21`	`variable "default_network_acl_deny_all" {`
`18`		`- type = bool`
	`22`	`+ type = bool`
	`23`	`+ description = "Whether to deny all ingress and egress traffic on the default network ACL"`
`19`	`24`	`}`
`20`	`25`
`21`	`26`	`variable "network_address_usage_metrics_enabled" {`
`22`		`- type = bool`
	`27`	`+ type = bool`
	`28`	`+ description = "Whether to enable network address usage metrics"`
`23`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 4.9.0"`
	`7`	`+ version = ">= 4.9.0, < 6.0"`
`8`	`8`	`}`
`9`	`9`	`}`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,14 @@`
`1`	`1`	`output "public_subnet_cidrs" {`
`2`		`- value = module.subnets.public_subnet_cidrs`
	`2`	`+ description = "The CIDR blocks for the public subnets"`
	`3`	`+ value = module.subnets.public_subnet_cidrs`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`output "private_subnet_cidrs" {`
`6`		`- value = module.subnets.private_subnet_cidrs`
	`7`	`+ description = "The CIDR blocks for the private subnets"`
	`8`	`+ value = module.subnets.private_subnet_cidrs`
`7`	`9`	`}`
`8`	`10`
`9`	`11`	`output "vpc_cidr" {`
`10`		`- value = module.vpc.vpc_cidr_block`
	`12`	`+ description = "The CIDR block for the VPC"`
	`13`	`+ value = module.vpc.vpc_cidr_block`
`11`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,9 @@`
`1`	`1`	`variable "region" {`
`2`		`- type = string`
	`2`	`+ type = string`
	`3`	`+ description = "The region to use for the VPC"`
`3`	`4`	`}`
`4`	`5`
`5`	`6`	`variable "availability_zones" {`
`6`		`- type = list(string)`
	`7`	`+ type = list(string)`
	`8`	`+ description = "The availability zones to use for the VPC"`
`7`	`9`	`}`