feat: adding the enable_ssm toggle to adding ssm endpoints

appvia · Mar 21, 2024 · 0e6121b · 0e6121b
1 parent 5f76258
commit 0e6121b
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@
 | <a name="input_enable_ipam"></a> [enable\_ipam](#input\_enable\_ipam) | Indicates the cidr block for the network should be assigned from IPAM | `bool` | `true` | no |
 | <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_private_endpoints"></a> [enable\_private\_endpoints](#input\_enable\_private\_endpoints) | Indicates the network should provision private endpoints | `list(string)` | `[]` | no |
+| <a name="input_enable_ssm"></a> [enable\_ssm](#input\_enable\_ssm) | Indicates we should provision SSM private endpoints | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | An optional pool id to use for IPAM pool to use | `string` | `""` | no |

diff --git a/main.tf b/main.tf
@@ -70,6 +70,11 @@ locals {
     local.public_subnet,
     local.transit_subnet,
   )
+
+  # A list of the private endpoints to enable ssm
+  ssm_endpoints = var.enable_ssm ? ["ssmmessages", "ssm", "ec2messages"] : []
+  # enabled_endpotints is a list of all the private endpoints to enable 
+  enabled_endpoints = concat(var.enable_private_endpoints, local.ssm_endpoints)
 }
 
 #
@@ -117,7 +122,7 @@ module "vpc" {
 module "private_links" {
   source  = "terraform-aws-modules/security-group/aws"
   version = "5.1.2"
-  count   = length(var.enable_private_endpoints) > 0 ? 1 : 0
+  count   = length(local.enabled_endpoints) > 0 ? 1 : 0
 
   description         = "Provides the security groups for the private links access"
   ingress_rules       = ["https-443-tcp", "http-80-tcp"]
@@ -129,7 +134,7 @@ module "private_links" {
 #
 ## Provision any private endpoints
 resource "aws_vpc_endpoint" "vpe_endpoints" {
-  for_each = toset(var.enable_private_endpoints)
+  for_each = toset(local.enabled_endpoints)
 
   private_dns_enabled = true
   security_group_ids  = [module.private_links[0].security_group_id]

diff --git a/variables.tf b/variables.tf
@@ -10,18 +10,6 @@ variable "enable_ipam" {
   default     = true
 }
 
-variable "ipam_pool_id" {
-  description = "An optional pool id to use for IPAM pool to use"
-  type        = string
-  default     = ""
-}
-
-variable "ipam_pool_name" {
-  description = "An optional pool name to use for IPAM pool to use"
-  type        = string
-  default     = ""
-}
-
 variable "enable_nat_gateway" {
   description = "Indicates the network should provison nat gateways"
   type        = bool
@@ -46,6 +34,24 @@ variable "enable_private_endpoints" {
   default     = []
 }
 
+variable "enable_ssm" {
+  description = "Indicates we should provision SSM private endpoints"
+  type        = bool
+  default     = false
+}
+
+variable "ipam_pool_name" {
+  description = "An optional pool name to use for IPAM pool to use"
+  type        = string
+  default     = ""
+}
+
+variable "ipam_pool_id" {
+  description = "An optional pool id to use for IPAM pool to use"
+  type        = string
+  default     = ""
+}
+
 variable "name" {
   description = "Is the name of the network to provision"
   type        = string