Merge pull request #13 from taliesins/get_region_from_vpc
Get region from VPC
JamesWoolfenden authored Dec 14, 2021
2 parents c7ad501 + eb26267 commit 416c9a6
Showing 3 changed files with 36 additions and 24 deletions.
5 changes: 2 additions & 3 deletions iam.tf
Expand Up @@ -20,7 +20,7 @@ data "aws_iam_policy_document" "kms_access" {
sid = "CloudWatchLogsEncryption"
principals {
type = "Service"
identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
identifiers = ["logs.${local.region}.amazonaws.com"]
}
actions = [
"kms:Encrypt*",
Expand Down Expand Up @@ -125,11 +125,10 @@ data "aws_iam_policy_document" "ssm_s3_cwl_access" {

resources = [aws_kms_key.ssmkey.arn]
}

}

resource "aws_iam_policy" "ssm_s3_cwl_access" {
name_prefix = "ssm_s3_cwl_access-"
name = "ssm_s3_cwl_access-${local.region}"
path = "/"
policy = data.aws_iam_policy_document.ssm_s3_cwl_access.json
}
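Review bot: Replacing `name_prefix` with a fixed `name` on `aws_iam_policy.ssm_s3_cwl_access` (`name = "ssm_s3_cwl_access-${local.region}"`) removes the uniqueness guard: IAM policy names are unique per account rather than per region, so two instances of this module in the same account and region now collide on policy creation, and existing deployments get a forced replacement of a policy that is presumably attached to a role. If the goal is a deterministic, region-tagged name, the prefix form keeps both properties: `name_prefix = "ssm_s3_cwl_access-${local.region}-"`. The `kms_access` change further up (`logs.${local.region}.amazonaws.com`) matches the vpce.tf substitution and looks fine; that `ssm_s3_cwl_access` policy document starts outside the hunk.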
12 changes: 12 additions & 0 deletions variables.tf
Expand Up @@ -62,6 +62,18 @@ variable "vpc_id" {
default = null
}

variable "subnet_ids" {
description = "Subnet Ids to deploy endpoints into"
type = set(string)
default = []
}

variable "vpc_endpoint_private_dns_enabled" {
description = "Enable private dns for endpoints"
type = bool
default = true
}

variable "enable_log_to_s3" {
description = "Enable Session Manager to Log to S3"
type = bool
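Review bot: The `subnet_ids` description does not say what an empty set means, yet vpce.tf uses it to decide between the caller's subnets and every subnet of `var.vpc_id`, which is a placement decision the caller should be able to see from the variable alone. Suggest `description = "Subnet Ids to deploy endpoints into; when empty, all subnets of vpc_id are used"`. Likewise `vpc_endpoint_private_dns_enabled` would benefit from a sentence on the consequence of `false` — the endpoints still exist but clients are no longer transparently routed to them via the service hostnames, so whoever disables it has to point the SSM/KMS/logs clients at the endpoint-specific names themselves.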
43 changes: 22 additions & 21 deletions vpce.tf
@@ -1,67 +1,69 @@

locals {
region = var.vpc_endpoints_enabled && var.vpc_id != null ? split(":",data.aws_vpc.selected[0].arn)[3] : data.aws_region.current.name
subnets = var.vpc_endpoints_enabled ? var.subnet_ids != [] ? var.subnet_ids : data.aws_subnet_ids.selected[0].ids : []
}

data "aws_subnet_ids" "selected" {
count = var.vpc_endpoints_enabled ? 1 : 0
vpc_id = var.vpc_id
}

data "aws_route_table" "selected" {
count = var.vpc_endpoints_enabled ? length(data.aws_subnet_ids.selected[0].ids) : 0
subnet_id = sort(data.aws_subnet_ids.selected[0].ids)[count.index]
count = var.vpc_endpoints_enabled ? length(local.subnets) : 0
subnet_id = sort(local.subnets)[count.index]
}


# SSM, EC2Messages, and SSMMessages endpoints are required for Session Manager
resource "aws_vpc_endpoint" "ssm" {
count = var.vpc_endpoints_enabled ? 1 : 0
vpc_id = var.vpc_id
subnet_ids = data.aws_subnet_ids.selected[0].ids
service_name = "com.amazonaws.${data.aws_region.current.name}.ssm"
subnet_ids = local.subnets
service_name = "com.amazonaws.${local.region}.ssm"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.ssm_sg[0].id
]

private_dns_enabled = true
private_dns_enabled = var.vpc_endpoint_private_dns_enabled
tags = var.tags
}

resource "aws_vpc_endpoint" "ec2messages" {
count = var.vpc_endpoints_enabled ? 1 : 0
vpc_id = var.vpc_id
subnet_ids = data.aws_subnet_ids.selected[0].ids
service_name = "com.amazonaws.${data.aws_region.current.name}.ec2messages"
subnet_ids = local.subnets
service_name = "com.amazonaws.${local.region}.ec2messages"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.ssm_sg[0].id,
]

private_dns_enabled = true
private_dns_enabled = var.vpc_endpoint_private_dns_enabled
tags = var.tags
}

resource "aws_vpc_endpoint" "ssmmessages" {
count = var.vpc_endpoints_enabled ? 1 : 0
vpc_id = var.vpc_id
subnet_ids = data.aws_subnet_ids.selected[0].ids
service_name = "com.amazonaws.${data.aws_region.current.name}.ssmmessages"
subnet_ids = local.subnets
service_name = "com.amazonaws.${local.region}.ssmmessages"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.ssm_sg[0].id,
]

private_dns_enabled = true
private_dns_enabled = var.vpc_endpoint_private_dns_enabled
tags = var.tags
}

# To write session logs to S3, an S3 endpoint is needed:
resource "aws_vpc_endpoint" "s3" {
count = var.vpc_endpoints_enabled && var.enable_log_to_s3 ? 1 : 0
vpc_id = var.vpc_id
service_name = "com.amazonaws.${data.aws_region.current.name}.s3"
service_name = "com.amazonaws.${local.region}.s3"
tags = var.tags
}

Expand All @@ -78,35 +80,34 @@ resource "aws_vpc_endpoint_route_table_association" "private_s3_subnet_route" {
route_table_id = data.aws_route_table.selected[count.index].id
}


# To write session logs to CloudWatch, a CloudWatch endpoint is needed
resource "aws_vpc_endpoint" "logs" {
count = var.vpc_endpoints_enabled && var.enable_log_to_cloudwatch ? 1 : 0
vpc_id = var.vpc_id
subnet_ids = data.aws_subnet_ids.selected[0].ids
service_name = "com.amazonaws.${data.aws_region.current.name}.logs"
subnet_ids = local.subnets
service_name = "com.amazonaws.${local.region}.logs"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.ssm_sg[0].id
]

private_dns_enabled = true
private_dns_enabled = var.vpc_endpoint_private_dns_enabled
tags = var.tags
}

# To Encrypt/Decrypt, a KMS endpoint is needed
resource "aws_vpc_endpoint" "kms" {
count = var.vpc_endpoints_enabled ? 1 : 0
vpc_id = var.vpc_id
subnet_ids = data.aws_subnet_ids.selected[0].ids
service_name = "com.amazonaws.${data.aws_region.current.name}.kms"
subnet_ids = local.subnets
service_name = "com.amazonaws.${local.region}.kms"
vpc_endpoint_type = "Interface"

security_group_ids = [
aws_security_group.ssm_sg[0].id
]

private_dns_enabled = true
private_dns_enabled = var.vpc_endpoint_private_dns_enabled
tags = var.tags
}
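Review bot: The fallback in `local.subnets` most likely never fires: `var.subnet_ids` is typed `set(string)` while `[]` is an empty tuple, and Terraform's `!=` between values of different types evaluates true, so an unset `subnet_ids` yields an empty set and every interface endpoint (plus the `aws_route_table` lookup, whose count now depends on `local.subnets`) ends up with no subnets instead of the VPC's subnets. A length test avoids the type mismatch: `subnets = var.vpc_endpoints_enabled ? (length(var.subnet_ids) > 0 ? var.subnet_ids : data.aws_subnet_ids.selected[0].ids) : []`, and gating `data.aws_subnet_ids.selected` on the same condition would skip the lookup when subnets are supplied. `local.region` also reads `data.aws_vpc.selected[0].arn`, and none of the three files in this commit defines an `aws_vpc` data source, so it must already exist elsewhere in the module or the plan will fail — worth confirming. The second hunk applies the same `local.subnets`/`local.region` substitution to the `logs` and `kms` endpoints and inherits the same issue.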
