aws-vpc: make VPC Endpoints Gateways for S3 & DynamoDB services optio…

…nal. (#6)

* associate network ACLs using aws_network_acl_association resource, so the network ACLs can be
associated further outside the module.

README.md

@@ -65,6 +65,7 @@
 | <a name="input_empty_network_acls"></a> [empty\_network\_acls](#input\_empty\_network\_acls) | Do not create default allow all traffic rule in network ACLs. | `bool` | `false` | no |
 | <a name="input_nat_gateway_setup"></a> [nat\_gateway\_setup](#input\_nat\_gateway\_setup) | NAT Gateway setup. Available options: one-az, failover, ha | `string` | `"ha"` | no |
 | <a name="input_force_internet_gateway"></a> [force\_internet\_gateway](#input\_force\_internet\_gateway) | Force creation of an Internet Gateway for a VPC with only private subnets. Required if an AWS Global Accelerator is pointing to a private resource in the VPC. | `bool` | `false` | no |
+| <a name="input_create_vpc_gateway_endpoints"></a> [create\_vpc\_gateway\_endpoints](#input\_create\_vpc\_gateway\_endpoints) | Create VPC Endpoints (Gateway) for S3 & DynamoDB services. | `bool` | `true` | no |
 | <a name="input_flow_logs_config"></a> [flow\_logs\_config](#input\_flow\_logs\_config) | Config block for VPC Flow Logs. It must be a map with the following optional keys: destination, retention, aggregation\_interval, kms\_key\_id.<br><br>Properties allowed values:<br>  destination          => "cloud-watch-logs" or "s3"<br>                          Default: "cloud-watch-logs"<br>  retention            => 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, 0 (indefinetely)<br>                          Default: 30 (days)<br>                          Valid only for CloudWatch destination<br>  aggregation\_interval => 60 or 600<br>                          Default: 600<br>  log\_format           => Check AWS documentation<br>  kms\_key\_id           => ARN of a CMK in AWS KMS<br>                          Default: AWS managed key<br>  s3\_tiering           => configuration for S3 Intelligent-Tiering<br>                          Default: Archive access after 90 days & Deep Archive Access after 180 days<br>                          Pass this as `null` or with both properties set to 0 to disable S3 Intelligent-Tiering<br>    archive\_access       => Days after which data is tiered to ARCHIVE\_ACCESS<br>                            Default: 90<br>                            Pass as 0 to disable ARCHIVE\_ACCESS tiering<br>    deep\_archive\_access  => Days after which data is tiered to DEEP\_ARCHIVE\_ACCESS<br>                            Default: 180<br>                            Pass as 0 to disable DEEP\_ARCHIVE\_ACCESS tiering<br><br>Pass the variable as null to disable flow logs. | `any` | `{}` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Common tags for all resources created by this module. Reserved tag keys: Name, net/type | `map(string)` | n/a | yes |
 

main.tf

@@ -24,7 +24,7 @@ locals {
     id  = rtb.id
   }]
 
-  service_gateway_endpoints = toset(["s3", "dynamodb"])
+  service_gateway_endpoints = toset(var.create_vpc_gateway_endpoints ? ["s3", "dynamodb"] : [])
 
   vpc_gateway_endpoints = [for svc, endpoint in aws_vpc_endpoint.gateway : {
     service = svc

module-test/main.tf

@@ -43,10 +43,11 @@ module "vpc_frankfurt" {
   main_cidr_block          = "10.0.2.0/24"
   availability_zones_count = 6
 
-  subnetting_algorithm = var.subnetting_algorithm
-  private_subnets_only = var.private_subnets_only
-  nat_gateway_setup    = var.nat_gateway_setup
-  flow_logs_config     = var.flow_logs_config
+  subnetting_algorithm         = var.subnetting_algorithm
+  private_subnets_only         = var.private_subnets_only
+  nat_gateway_setup            = var.nat_gateway_setup
+  create_vpc_gateway_endpoints = var.create_vpc_gateway_endpoints
+  flow_logs_config             = var.flow_logs_config
 
   subnets = {
     private = ["10.0.2.0/27", "10.0.2.32/27", "10.0.2.64/27"]

module-test/variables.tf

@@ -13,6 +13,11 @@ variable "nat_gateway_setup" {
   default = "ha"
 }
 
+variable "create_vpc_gateway_endpoints" {
+  type    = bool
+  default = true
+}
+
 variable "flow_logs_config" {
   type    = any
   default = {}

modules/public-infra/network_acl.tf

@@ -1,12 +1,18 @@
 resource "aws_network_acl" "public" {
   count = var.mode != "public" ? 0 : 1
 
-  vpc_id     = var.vpc.id
-  subnet_ids = [for subnet in aws_subnet.public : subnet.id]
+  vpc_id = var.vpc.id
 
   tags = merge(var.tags, { Name = "${var.vpc.name}-public" })
 }
 
+resource "aws_network_acl_association" "public" {
+  for_each = aws_subnet.public
+
+  subnet_id      = each.value.id
+  network_acl_id = aws_network_acl.public[0].id
+}
+
 resource "aws_network_acl_rule" "public" {
   for_each = toset(var.mode != "public" || var.empty_network_acl ? [] : ["ingress", "egress"])
 

network_acls.tf

@@ -1,10 +1,16 @@
 resource "aws_network_acl" "private" {
-  vpc_id     = local.vpc_id
-  subnet_ids = [for subnet in aws_subnet.private : subnet.id]
+  vpc_id = local.vpc_id
 
   tags = merge(var.tags, { Name = "${var.name}-private" })
 }
 
+resource "aws_network_acl_association" "private" {
+  for_each = aws_subnet.private
+
+  subnet_id      = each.value.id
+  network_acl_id = aws_network_acl.private.id
+}
+
 resource "aws_network_acl_rule" "private" {
   for_each = toset(var.empty_network_acls ? [] : ["ingress", "egress"])
 

variables.tf

@@ -126,6 +126,13 @@ variable "force_internet_gateway" {
   default     = false
 }
 
+# VPC Endpoints
+variable "create_vpc_gateway_endpoints" {
+  type        = bool
+  description = "Create VPC Endpoints (Gateway) for S3 & DynamoDB services."
+  default     = true
+}
+
 # VPC Flow Logs
 variable "flow_logs_config" {
   # type        = object({