fix: Correct for_each map on VPC endpoints to propagate endpoint maps correctly (#729)

bryantbiggs · web-flow · commit 19fcf0d68027 · 2022-01-11T21:37:51.000+01:00
diff --git a/examples/complete-vpc/README.md b/examples/complete-vpc/README.md
@@ -42,6 +42,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name | Type |
 |------|------|
+| [aws_security_group.vpc_tls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
diff --git a/examples/complete-vpc/main.tf b/examples/complete-vpc/main.tf
@@ -102,6 +102,7 @@ module "vpc_endpoints" {
       service             = "ssm"
       private_dns_enabled = true
       subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
     },
     ssmmessages = {
       service             = "ssmmessages"
@@ -127,6 +128,7 @@ module "vpc_endpoints" {
       service             = "ec2"
       private_dns_enabled = true
       subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
     },
     ec2messages = {
       service             = "ec2messages"
@@ -149,6 +151,7 @@ module "vpc_endpoints" {
       service             = "kms"
       private_dns_enabled = true
       subnet_ids          = module.vpc.private_subnets
+      security_group_ids  = [aws_security_group.vpc_tls.id]
     },
     codedeploy = {
       service             = "codedeploy"
@@ -232,3 +235,19 @@ data "aws_iam_policy_document" "generic_endpoint_policy" {
     }
   }
 }
+
+resource "aws_security_group" "vpc_tls" {
+  name_prefix = "${local.name}-vpc_tls"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  tags = local.tags
+}
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
@@ -1,13 +1,9 @@
-locals {
-  endpoints = var.create ? var.endpoints : tomap({})
-}
-
 ################################################################################
 # Endpoint(s)
 ################################################################################
 
 data "aws_vpc_endpoint_service" "this" {
-  for_each = local.endpoints
+  for_each = { for k, v in var.endpoints : k => v if var.create }
 
   service      = lookup(each.value, "service", null)
   service_name = lookup(each.value, "service_name", null)
@@ -19,7 +15,7 @@ data "aws_vpc_endpoint_service" "this" {
 }
 
 resource "aws_vpc_endpoint" "this" {
-  for_each = local.endpoints
+  for_each = { for k, v in var.endpoints : k => v if var.create }
 
   vpc_id            = var.vpc_id
   service_name      = data.aws_vpc_endpoint_service.this[each.key].service_name
diff --git a/outputs.tf b/outputs.tf
