feat: add vpc endpoint policies to supported services (#601)

* feat: add vpc endpoint policies to supported services

* chore: empty commit to re-run

* chore: Run pre-commit terraform_docs hook

Co-authored-by: Anton Babenko <[email protected]>

Author: bryantbiggs

README.md

@@ -40,7 +40,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/security_group) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) |
+| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) |
 
 ## Inputs
 

examples/complete-vpc/README.md

@@ -59,6 +59,7 @@ module "vpc" {
 
   # VPC endpoint for DynamoDB
   enable_dynamodb_endpoint = true
+  dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
 
   # VPC endpoint for SSM
   enable_ssm_endpoint              = true
@@ -77,6 +78,7 @@ module "vpc" {
 
   # VPC Endpoint for EC2
   enable_ec2_endpoint              = true
+  ec2_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
   ec2_endpoint_private_dns_enabled = true
   ec2_endpoint_security_group_ids  = [data.aws_security_group.default.id]
 
@@ -87,11 +89,13 @@ module "vpc" {
 
   # VPC Endpoint for ECR API
   enable_ecr_api_endpoint              = true
+  ecr_api_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
   ecr_api_endpoint_private_dns_enabled = true
   ecr_api_endpoint_security_group_ids  = [data.aws_security_group.default.id]
 
   # VPC Endpoint for ECR DKR
   enable_ecr_dkr_endpoint              = true
+  ecr_dkr_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
   ecr_dkr_endpoint_private_dns_enabled = true
   ecr_dkr_endpoint_security_group_ids  = [data.aws_security_group.default.id]
 
@@ -142,3 +146,49 @@ module "vpc" {
     Endpoint = "true"
   }
 }
+
+# Data source used to avoid race condition
+data "aws_vpc_endpoint" "dynamodb" {
+  vpc_id       = module.vpc.vpc_id
+  service_name = "com.amazonaws.eu-west-1.dynamodb"
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["dynamodb:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint.dynamodb.id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [data.aws_vpc_endpoint.dynamodb.id]
+    }
+  }
+}

examples/complete-vpc/main.tf

@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
+| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) |
 
 ## Inputs
 

examples/ipv6/README.md

@@ -47,12 +47,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
-| [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
+| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) |
 
 ## Inputs