From 8581ad42c93cb0ef999f79c315d897544c616f49 Mon Sep 17 00:00:00 2001
From: Aleksei Lisikhin
Date: Thu, 29 Aug 2024 11:13:42 +0700
Subject: [PATCH] [#286] Create VPC endpoint properly
---
 templates/addons/aws/modules/vpc/locals.tf | 5 ++
 templates/addons/aws/modules/vpc/main.tf | 72 ++++++++++++++++++++--
 templates/addons/aws/providers.tf | 2 +-
 3 files changed, 72 insertions(+), 7 deletions(-)
 create mode 100644 templates/addons/aws/modules/vpc/locals.tf
diff --git a/templates/addons/aws/modules/vpc/locals.tf b/templates/addons/aws/modules/vpc/locals.tf
new file mode 100644
index 00000000..f7430413
--- /dev/null
+++ b/templates/addons/aws/modules/vpc/locals.tf
@@ -0,0 +1,5 @@
+locals {
+ cidr = "10.0.0.0/16"
+ private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+ public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+}
diff --git a/templates/addons/aws/modules/vpc/main.tf b/templates/addons/aws/modules/vpc/main.tf
index a4a20c02..4fa91099 100644
--- a/templates/addons/aws/modules/vpc/main.tf
+++ b/templates/addons/aws/modules/vpc/main.tf
@@ -3,13 +3,13 @@ data "aws_availability_zones" "available" {}
 # trivy:ignore:AVD-AWS-0178 trivy:ignore:AVD-AWS-0164
 module "vpc" {
 source = "terraform-aws-modules/vpc/aws"
-version = "3.0.0"
+version = "5.13.0"
 name = "${var.env_namespace}-vpc"
-cidr = "10.0.0.0/16"
+cidr = local.cidr
 azs = data.aws_availability_zones.available.names
-private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-public_subnets = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+private_subnets = local.private_subnets
+public_subnets = local.public_subnets
 enable_nat_gateway = true
 single_nat_gateway = true
 one_nat_gateway_per_az = false
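Review bot: The module block in this hunk does not set `enable_dns_support` or `enable_dns_hostnames`, and the `private_dns_enabled = true` interface endpoints added further down in this file only resolve privately when both are on for the VPC. As far as I recall, 5.x of terraform-aws-modules/vpc defaults both to true whereas 3.x defaulted hostnames to false, so the bump from 3.0.0 to 5.13.0 probably makes this work by accident; stating the dependency explicitly next to `enable_nat_gateway` avoids a silent regression on the next version change: `enable_dns_support = true` and `enable_dns_hostnames = true`. The jump also crosses two major versions of the module, so the plan should be checked for subnet or NAT gateway replacement before apply. The module block continues past the end of this hunk.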
@@ -25,12 +25,72 @@ data "aws_route_tables" "private_route_table" {
 }
 }
-resource "aws_vpc_endpoint" "logs" {
+resource "aws_security_group" "vpc_endpoints" {
+ name_prefix = "${var.env_namespace}-vpc-endpoints"
+ description = "Associated to ECR/s3 VPC Endpoints"
+ vpc_id = module.vpc.vpc_id
+
+ ingress {
+ description = "Allow Nodes to pull images from ECR via VPC endpoints"
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = local.private_subnets
+ }
+}
+
+# allow ECS to connect to S3 via VPC Endpoint instead of NAT Gateway
+resource "aws_vpc_endpoint" "s3" {
 vpc_id = module.vpc.vpc_id
- service_name = "com.amazonaws.${var.region}.logs"
+ service_name = "com.amazonaws.${var.region}.s3"
 route_table_ids = data.aws_route_tables.private_route_table.ids
+ tags = {
+ Name = "${var.env_namespace}-vpc-endpoint-s3"
+ }
+}
+
+# allow ECS to push logs to cloudwatch via VPC Endpoint instead of NAT Gateway
+resource "aws_vpc_endpoint" "logs" {
+ vpc_id = module.vpc.vpc_id
+ service_name = "com.amazonaws.${var.region}.logs"
+ vpc_endpoint_type = "Interface"
+ private_dns_enabled = true
+
+ security_group_ids = [aws_security_group.vpc_endpoints.id]
+ subnet_ids = module.vpc.private_subnets
+
 tags = {
 Name = "${var.env_namespace}-vpc-endpoint-logs"
 }
 }
+
+# allow ECS to pull/push images to ECR DKR via VPC Endpoint instead of NAT Gateway
+resource "aws_vpc_endpoint" "ecr_dkr" {
+ vpc_id = module.vpc.vpc_id
+ service_name = "com.amazonaws.${var.region}.ecr.dkr"
+ vpc_endpoint_type = "Interface"
+ private_dns_enabled = true
+
+ security_group_ids = [aws_security_group.vpc_endpoints.id]
+ subnet_ids = module.vpc.private_subnets
+
+ tags = {
+ Name = "${var.env_namespace}-vpc-endpoint-ecr-dkr"
+ }
+}
+
+# allow ECS to pull/push images to ECR API via VPC Endpoint instead of NAT Gateway
+resource "aws_vpc_endpoint" "ecr_api" {
+ vpc_id = module.vpc.vpc_id
+ service_name = "com.amazonaws.${var.region}.ecr.api"
+ vpc_endpoint_type = "Interface"
+ private_dns_enabled = true
+
+ security_group_ids = [aws_security_group.vpc_endpoints.id]
+ subnet_ids = module.vpc.private_subnets
+
+ tags = {
+ Name = "${var.env_namespace}-vpc-endpoint-ecr-api"
+ }
+}
diff --git a/templates/addons/aws/providers.tf b/templates/addons/aws/providers.tf
index 7b684241..4ea26c84 100644
--- a/templates/addons/aws/providers.tf
+++ b/templates/addons/aws/providers.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4.0"
+ version = "5.64.0"
 }
 }
 }
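Review bot: The `vpc_endpoints` security group's ingress rule is keyed to `local.private_subnets`, a hand-maintained copy of the subnet CIDRs, rather than to the subnets the endpoints are actually placed in; `cidr_blocks = module.vpc.private_subnets_cidr_blocks` keeps the rule in step with the VPC module if the ranges ever diverge from the locals. Both descriptions on that group misstate its role: the `s3` endpoint is a Gateway endpoint and takes no security group, while the group is attached to the `logs`, `ecr_dkr` and `ecr_api` interface endpoints, so something like `description = "HTTPS from private subnets to the logs/ECR interface endpoints"` would be accurate. None of the four endpoints sets `policy`, so each defaults to the AWS full-access policy; for the S3 gateway endpoint in particular, a policy limited to the buckets the workloads and ECR image layers need is the usual hardening, though this hunk does not show which buckets those are. The three interface endpoints differ only in service name and tag, so a `for_each` over the service keys would remove the triplicated block, at the cost of new resource addresses for the existing `logs` endpoint.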