feat: allow passing VPC and Subnet names

Author: gberenice

data.tf

@@ -1,6 +1,26 @@
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 
+# VPC lookup by name (when vpc_name is provided)
+data "aws_vpc" "selected" {
+  count = length(var.vpc_name) > 0 ? 1 : 0
+
+  filter {
+    name   = "tag:Name"
+    values = [var.vpc_name]
+  }
+}
+
+# Individual subnet lookup by name (when subnet_names are provided)
+data "aws_subnet" "selected" {
+  for_each = toset(var.subnet_names)
+
+  filter {
+    name   = "tag:Name"
+    values = [each.value]
+  }
+}
+
 # Most recent Amazon Linux 2023 AMI
 data "aws_ami" "amazon_linux_2023" {
   most_recent = true
@@ -33,7 +53,7 @@ data "aws_ami" "amazon_linux_2023" {
 # This rule was introduced in the following PR:
 # https://github.com/masterpointio/terraform-aws-ssm-agent/pull/43.
 #
-# trunk-ignore(trivy/AVD-AWS-0344)
+# trivy:ignore:AVD-AWS-0344
 data "aws_ami" "instance" {
   count = length(var.ami) > 0 ? 1 : 0
 
@@ -44,3 +64,67 @@ data "aws_ami" "instance" {
     values = [var.ami]
   }
 }
+
+# IAM policy document for EC2 instances to assume the SSM Agent role
+data "aws_iam_policy_document" "default" {
+
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+# S3 bucket for session logging (when using existing bucket)
+data "aws_s3_bucket" "logs_bucket" {
+  count  = var.session_logging_enabled ? 1 : 0
+  bucket = try(coalesce(var.session_logging_bucket_name, module.logs_bucket.bucket_id), "")
+}
+
+# https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging
+data "aws_iam_policy_document" "session_logging" {
+  count = var.session_logging_enabled ? 1 : 0
+
+  statement {
+    sid    = "SSMAgentSessionAllowS3Logging"
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = ["${join("", data.aws_s3_bucket.logs_bucket.*.arn)}/*"]
+  }
+
+  statement {
+    sid    = "SSMAgentSessionAllowCloudWatchLogging"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "SSMAgentSessionAllowGetEncryptionConfig"
+    effect = "Allow"
+    actions = [
+      "s3:GetEncryptionConfiguration"
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid    = "SSMAgentSessionAllowKMSDataKey"
+    effect = "Allow"
+    actions = [
+      "kms:GenerateDataKey"
+    ]
+    resources = ["*"]
+  }
+}

examples/with-names/main.tf

@@ -0,0 +1,75 @@
+provider "aws" {
+  region = var.region
+}
+
+# Create VPC and subnets with specific names for demonstration
+module "vpc" {
+  source  = "cloudposse/vpc/aws"
+  version = "2.1.0"
+
+  namespace = var.namespace
+  stage     = var.stage
+  name      = "example-vpc"
+
+  ipv4_primary_cidr_block          = "10.0.0.0/16"
+  assign_generated_ipv6_cidr_block = true
+}
+
+module "subnets" {
+  source    = "cloudposse/dynamic-subnets/aws"
+  version   = "2.3.0"
+  namespace = var.namespace
+  stage     = var.stage
+  name      = "example-subnets"
+
+  availability_zones = var.availability_zones
+  vpc_id             = module.vpc.vpc_id
+  igw_id             = [module.vpc.igw_id]
+  ipv4_cidr_block    = [module.vpc.vpc_cidr_block]
+  ipv6_enabled       = var.ipv6_enabled
+}
+
+# Example 1: Using VPC and subnet IDs (traditional approach)
+module "ssm_agent_with_ids" {
+  source    = "../../"
+  stage     = var.stage
+  namespace = var.namespace
+  name      = "ssm-with-ids"
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.subnets.private_subnet_ids
+}
+
+# Example 2: Using VPC and subnet names (new functionality)
+module "ssm_agent_with_names" {
+  source    = "../../"
+  stage     = var.stage
+  namespace = var.namespace
+  name      = "ssm-with-names"
+
+  vpc_name = module.vpc.vpc_id_tag_name # This would be the Name tag value
+  subnet_names = [
+    # These would be the actual Name tag values of the subnets
+    # In a real scenario, you'd know these names or get them from data sources
+    "example-private-subnet-1",
+    "example-private-subnet-2"
+  ]
+
+  depends_on = [module.subnets]
+}
+
+# Example 3: Mixed configuration (VPC by ID, subnets by name)
+module "ssm_agent_mixed" {
+  source    = "../../"
+  stage     = var.stage
+  namespace = var.namespace
+  name      = "ssm-mixed"
+
+  vpc_id = module.vpc.vpc_id
+  subnet_names = [
+    "example-private-subnet-1",
+    "example-private-subnet-2"
+  ]
+
+  depends_on = [module.subnets]
+}

examples/with-names/outputs.tf

@@ -0,0 +1,14 @@
+output "ssm_agent_with_ids_instance_profile_arn" {
+  description = "ARN of the IAM instance profile for SSM agent (using IDs)"
+  value       = module.ssm_agent_with_ids.iam_instance_profile_arn
+}
+
+output "ssm_agent_with_names_instance_profile_arn" {
+  description = "ARN of the IAM instance profile for SSM agent (using names)"
+  value       = module.ssm_agent_with_names.iam_instance_profile_arn
+}
+
+output "ssm_agent_mixed_instance_profile_arn" {
+  description = "ARN of the IAM instance profile for SSM agent (mixed approach)"
+  value       = module.ssm_agent_mixed.iam_instance_profile_arn
+}

examples/with-names/variables.tf

@@ -0,0 +1,29 @@
+variable "region" {
+  type        = string
+  description = "AWS region"
+  default     = "us-east-1"
+}
+
+variable "namespace" {
+  type        = string
+  description = "Namespace for resource naming"
+  default     = "mp"
+}
+
+variable "stage" {
+  type        = string
+  description = "Stage for resource naming"
+  default     = "test"
+}
+
+variable "availability_zones" {
+  type        = list(string)
+  description = "List of availability zones"
+  default     = ["us-east-1a", "us-east-1b"]
+}
+
+variable "ipv6_enabled" {
+  type        = bool
+  description = "Enable IPv6"
+  default     = false
+}

main.tf

@@ -14,6 +14,10 @@ locals {
     length(var.ami) > 0 ? element(data.aws_ami.instance, 0).root_device_name : "/dev/xvda"
   )
 
+  # VPC and Subnet ID resolution - names take precedence over IDs
+  vpc_id     = length(var.vpc_name) > 0 ? one(data.aws_vpc.selected[*].id) : var.vpc_id
+  subnet_ids = length(var.subnet_names) > 0 ? values(data.aws_subnet.selected)[*].id : var.subnet_ids
+
 }
 
 resource "null_resource" "validate_instance_type" {
@@ -27,6 +31,34 @@ resource "null_resource" "validate_instance_type" {
   }
 }
 
+# Validation using terraform_data to halt execution if requirements aren't met
+resource "terraform_data" "vpc_subnet_validation" {
+  lifecycle {
+    precondition {
+      condition     = length(var.vpc_name) > 0 || length(var.vpc_id) > 0
+      error_message = "Either vpc_name or vpc_id must be provided."
+    }
+
+    precondition {
+      condition     = length(var.subnet_names) > 0 || length(var.subnet_ids) > 0
+      error_message = "Either subnet_names or subnet_ids must be provided."
+    }
+  }
+}
+
+# Warning checks for VPC and subnet configuration (non-blocking)
+check "vpc_subnet_warnings" {
+  assert {
+    condition     = !(length(var.vpc_name) > 0 && length(var.vpc_id) > 0)
+    error_message = "Both vpc_name and vpc_id are provided. When vpc_name is specified, vpc_id will be ignored."
+  }
+
+  assert {
+    condition     = !(length(var.subnet_names) > 0 && length(var.subnet_ids) > 0)
+    error_message = "Both subnet_names and subnet_ids are provided. When subnet_names are specified, subnet_ids will be ignored."
+  }
+}
+
 module "role_label" {
   source  = "cloudposse/label/null"
   version = "0.25.0"
@@ -57,68 +89,6 @@ locals {
 ## SSM AGENT ROLE ##
 ###################
 
-data "aws_iam_policy_document" "default" {
-
-  statement {
-    effect  = "Allow"
-    actions = ["sts:AssumeRole"]
-
-    principals {
-      type        = "Service"
-      identifiers = ["ec2.amazonaws.com"]
-    }
-  }
-}
-
-data "aws_s3_bucket" "logs_bucket" {
-  count  = var.session_logging_enabled ? 1 : 0
-  bucket = try(coalesce(var.session_logging_bucket_name, module.logs_bucket.bucket_id), "")
-}
-
-# https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-logging
-data "aws_iam_policy_document" "session_logging" {
-  count = var.session_logging_enabled ? 1 : 0
-
-  statement {
-    sid    = "SSMAgentSessionAllowS3Logging"
-    effect = "Allow"
-    actions = [
-      "s3:PutObject"
-    ]
-    resources = ["${join("", data.aws_s3_bucket.logs_bucket.*.arn)}/*"]
-  }
-
-  statement {
-    sid    = "SSMAgentSessionAllowCloudWatchLogging"
-    effect = "Allow"
-    actions = [
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    sid    = "SSMAgentSessionAllowGetEncryptionConfig"
-    effect = "Allow"
-    actions = [
-      "s3:GetEncryptionConfiguration"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    sid    = "SSMAgentSessionAllowKMSDataKey"
-    effect = "Allow"
-    actions = [
-      "kms:GenerateDataKey"
-    ]
-    resources = ["*"]
-  }
-}
-
 resource "aws_iam_role" "default" {
   name                 = module.role_label.id
   assume_role_policy   = data.aws_iam_policy_document.default.json
@@ -157,19 +127,21 @@ resource "aws_iam_instance_profile" "default" {
 ###################
 
 resource "aws_security_group" "default" {
-  vpc_id      = var.vpc_id
+  vpc_id      = local.vpc_id
   name        = module.this.id
   description = "Allow ALL egress from SSM Agent."
   tags        = module.this.tags
 }
 
+# trivy:ignore:aws-vpc-no-public-egress-sgr SSM Agent requires broad egress to communicate with AWS services
 resource "aws_security_group_rule" "allow_all_egress" {
   type              = "egress"
   from_port         = 0
   to_port           = 0
   protocol          = "-1"
   cidr_blocks       = ["0.0.0.0/0"]
   ipv6_cidr_blocks  = ["::/0"]
+  description       = "Allow all outbound traffic for SSM Agent communication with AWS services"
   security_group_id = aws_security_group.default.id
 }
 
@@ -246,21 +218,15 @@ DOC
 
 module "logs_bucket" {
   source  = "cloudposse/s3-bucket/aws"
-  version = "3.1.2"
+  version = "4.10.0"
 
   enabled = local.logs_bucket_enabled
   context = module.logs_label.context
 
   # Encryption / Security
-  acl                          = "private"
-  sse_algorithm                = "aws:kms"
-  kms_master_key_arn           = local.session_logging_kms_key_arn
-  allow_encrypted_uploads_only = false
-  force_destroy                = true
-
-  # Feature enablement
-  user_enabled       = false
-  versioning_enabled = true
+  sse_algorithm      = "aws:kms"
+  kms_master_key_arn = local.session_logging_kms_key_arn
+  force_destroy      = true
 
   lifecycle_configuration_rules = [{
     enabled                                = true
@@ -385,7 +351,7 @@ resource "aws_autoscaling_group" "default" {
   # By default, we don't care to protect from scale in as we want to roll instances frequently
   protect_from_scale_in = var.protect_from_scale_in
 
-  vpc_zone_identifier = var.subnet_ids
+  vpc_zone_identifier = local.subnet_ids
 
   default_cooldown          = 180
   health_check_grace_period = 180