feat: adding the ability to configure some private endpoints

README.md

@@ -16,12 +16,15 @@
 
 | Name | Source | Version |
 |------|--------|---------|
+| <a name="module_private_links"></a> [private\_links](#module\_private\_links) | terraform-aws-modules/security-group/aws | 5.1.2 |
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | aws-ia/vpc/aws | = 4.4.2 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_vpc_endpoint.vpe_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_vpc_ipam_pool.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_ipam_pool) | data source |
 
 ## Inputs
@@ -31,6 +34,7 @@
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The number of availability zone the network should be deployed into | `number` | `2` | no |
 | <a name="input_enable_ipam"></a> [enable\_ipam](#input\_enable\_ipam) | Indicates the cidr block for the network should be assigned from IPAM | `bool` | `true` | no |
 | <a name="input_enable_nat_gateway"></a> [enable\_nat\_gateway](#input\_enable\_nat\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
+| <a name="input_enable_private_endpoints"></a> [enable\_private\_endpoints](#input\_enable\_private\_endpoints) | Indicates the network should provision private endpoints | `list(string)` | `[]` | no |
 | <a name="input_enable_transit_gateway"></a> [enable\_transit\_gateway](#input\_enable\_transit\_gateway) | Indicates the network should provison nat gateways | `bool` | `false` | no |
 | <a name="input_enable_transit_gateway_appliance_mode"></a> [enable\_transit\_gateway\_appliance\_mode](#input\_enable\_transit\_gateway\_appliance\_mode) | Indicates the network should be connected to a transit gateway in appliance mode | `bool` | `false` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | An optional pool id to use for IPAM pool to use | `string` | `""` | no |

main.tf

@@ -2,6 +2,9 @@
 ## Provisions a network within an account
 #
 
+# Get the current region 
+data "aws_region" "current" {}
+
 locals {
   # The id for the transit_gateway_id passed into the module
   transit_gateway_id = var.enable_transit_gateway ? var.transit_gateway_id : null
@@ -98,3 +101,28 @@ module "vpc" {
   transit_gateway_routes  = local.transit_routes
   subnets                 = local.subnets
 }
+
+module "private_links" {
+  source  = "terraform-aws-modules/security-group/aws"
+  version = "5.1.2"
+  count   = length(var.enable_private_endpoints) > 0 ? 1 : 0
+
+  description         = "Provides the security groups for the private links access"
+  ingress_rules       = ["https-443-tcp", "http-80-tcp"]
+  ingress_cidr_blocks = local.private_subnet_cidrs
+  name                = "private-links-${var.name}"
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+
+#
+## Provision any private endpoints
+resource "aws_vpc_endpoint" "vpe_endpoints" {
+  for_each = toset(var.enable_private_endpoints)
+
+  private_dns_enabled = true
+  security_group_ids  = [module.private_links[0].security_group_id]
+  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.value}"
+  vpc_endpoint_type   = "Interface"
+  vpc_id              = module.vpc.vpc_attributes.id
+}
+

variables.tf

@@ -34,6 +34,12 @@ variable "enable_transit_gateway_appliance_mode" {
   default     = false
 }
 
+variable "enable_private_endpoints" {
+  description = "Indicates the network should provision private endpoints"
+  type        = list(string)
+  default     = []
+}
+
 variable "name" {
   description = "Is the name of the network to provision"
   type        = string