fix: Add new VPC endpoints to satisfy Security Hub.

codeforamerica · Feb 6, 2025 · b2b8c4b · b2b8c4b
1 parent 5c87912
commit b2b8c4b
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 57 deletions.
diff --git a/README.md b/README.md
@@ -5,7 +5,7 @@
 This module sets up a standard VPC with public and private subnets, NAT
 gateway(s), service endpoints, and routing.
 
-Creates endpoints for the following services: EC2, GuardDuty, S3, SSM
+Creates endpoints for the following services: EC2, ECR, GuardDuty, S3, and SSM
 
 ## Usage
 

diff --git a/data.tf b/data.tf
@@ -1,3 +1,25 @@
 data "aws_availability_zones" "available" {
   state = "available"
 }
+
+# VPC endpoints don't have load balancers in every availability zone, so we need
+# to lookup the supported availability zones and use them to filter our subnets.
+data "aws_vpc_endpoint_service" "services" {
+  for_each = local.interface_endpoint_services
+
+  service = each.value
+}
+
+data "aws_subnets" "endpoints" {
+  for_each = data.aws_vpc_endpoint_service.services
+
+  filter {
+    name   = "subnet-id"
+    values = module.vpc.private_subnets
+  }
+
+  filter {
+    name   = "availability-zone"
+    values = each.value.availability_zones
+  }
+}
diff --git a/local.tf b/local.tf
@@ -2,6 +2,27 @@ locals {
   azs    = data.aws_availability_zones.available.names
   prefix = "${var.project}-${var.environment}"
 
+  # Define the set of services that require interface endpoints.
+  interface_endpoint_services = toset([
+    "ec2",
+    "ec2messages",
+    "ecr.api",
+    "ecr.dkr",
+    "guardduty-data",
+    "ssm",
+    "ssm-contacts",
+    "ssm-incidents",
+    "ssmmessages"
+  ])
+  interface_endpoints = {
+    for service in local.interface_endpoint_services : service => {
+      service = service
+      tags    = { Name = "${local.prefix}-${service}" }
+      subnet_ids = data.aws_subnets.endpoints[service].ids
+      private_dns_enabled = true
+    }
+  }
+
   # Define inbound and outbound ACL rules for any peering connections.
   peer_inbound_acls = [
     for peer in var.peers : {

diff --git a/main.tf b/main.tf
@@ -142,66 +142,12 @@ module "endpoints" {
   }
 
   vpc_id = module.vpc.vpc_id
-  endpoints = {
-    ec2 = {
-      service             = "ec2"
-      tags                = { Name = "${local.prefix}-ec2" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ec2messages = {
-      service             = "ec2messages"
-      tags                = { Name = "${local.prefix}-ec2messages" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ecrapi = {
-      service             = "ecr.api"
-      tags                = { Name = "${local.prefix}-ecrapi" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ecrdkr = {
-      service             = "ecr.dkr"
-      tags                = { Name = "${local.prefix}-ecrdrk" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    guardduty = {
-      service             = "guardduty-data"
-      tags                = { Name = "${local.prefix}-guardduty" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
+  endpoints = merge({
     s3 = {
       service = "s3"
       tags    = { Name = "${local.prefix}-s3" }
     }
-    ssm = {
-      service             = "ssm"
-      tags                = { Name = "${local.prefix}-ssm" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ssmcontacts = {
-      service             = "ssm-contacts"
-      tags                = { Name = "${local.prefix}-ssmcontacts" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ssmincidents = {
-      service             = "ssm-incidents"
-      tags                = { Name = "${local.prefix}-ssmincidents" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-    ssmmessages = {
-      service             = "ssmmessages"
-      tags                = { Name = "${local.prefix}-ssmmessages" }
-      subnet_ids          = module.vpc.private_subnets
-      private_dns_enabled = true
-    }
-  }
+  }, local.interface_endpoints)
 
   tags = var.tags
 }