Description
When provisioning ROSA HCP clusters in private subnets using the Terraform RHCS provider, the required VPC Interface Endpoints (e.g., ec2, elasticloadbalancing, and elasticfilesystem) are not automatically created by the provider — this remains the client's responsibility.
I was able to successfully extend the VPC module by adding the following resource blocks for dynamic VPC interface endpoint creation.
After applying the changes, I tested the module and confirmed that the VPC and the corresponding interface endpoints (with the associated security group) were created as expected.
Here's the snippet I used:
# One VPC endpoint per entry of var.vpc_endpoints. The map key is the AWS
# service short name (ec2, s3, ...) and the value is the endpoint type that
# is passed straight through to vpc_endpoint_type.
resource "aws_vpc_endpoint" "dynamic_endpoints" {
  for_each = var.vpc_endpoints

  vpc_id            = aws_vpc.vpc.id
  service_name      = format("com.amazonaws.%s.%s", data.aws_region.current.name, each.key)
  vpc_endpoint_type = each.value

  # Interface endpoints get an ENI in every private subnet, the shared
  # endpoint security group and private DNS. For any other type these three
  # arguments are left unset.
  # NOTE(review): private_dns_enabled = true only works when aws_vpc.vpc has
  # enable_dns_support and enable_dns_hostnames turned on — confirm in the
  # VPC resource, which is not part of this snippet.
  subnet_ids          = each.value == "Interface" ? [for s in aws_subnet.private_subnet : s.id] : null
  security_group_ids  = each.value == "Interface" ? [aws_security_group.vpce.id] : null
  private_dns_enabled = each.value == "Interface" ? true : null

  # Gateway endpoints (s3 in the default map) are attached to the private
  # route tables instead of to subnets.
  route_table_ids = each.value == "Gateway" ? [for rt in aws_route_table.private_route_table : rt.id] : null

  # local.tags is merged last, so a Name key in local.tags would override
  # the generated one.
  tags = merge({ Name = format("%s-vpce-%s", var.name_prefix, each.key) }, local.tags)
}
# Security group attached to every Interface endpoint ENI. Inbound access is
# limited to callers inside the VPC CIDR.
# NOTE(review): the AWS service APIs behind the default endpoints (ec2,
# elasticloadbalancing, elasticfilesystem) are reached over HTTPS, so the
# port 80 rule is only needed if an added endpoint serves plain HTTP; the
# unrestricted egress rule could likewise be tightened, since endpoint ENIs
# only accept connections — confirm before changing either.
resource "aws_security_group" "vpce" {
  name        = "${var.name_prefix}-vpce-sg"
  description = "Security group for VPC interface endpoints"
  vpc_id      = aws_vpc.vpc.id

  # Same two TCP rules as before (443 and 80 from the VPC CIDR), expressed
  # once; ingress is a set, so the element order does not matter.
  dynamic "ingress" {
    for_each = toset([443, 80])
    content {
      from_port   = ingress.value
      to_port     = ingress.value
      protocol    = "tcp"
      cidr_blocks = [var.vpc_cidr]
    }
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # local.tags is merged last and therefore wins on key collisions.
  tags = merge({ Name = "${var.name_prefix}-vpce-sg" }, local.tags)
}
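# Endpoints to create, keyed by AWS service short name. The value selects the
# endpoint type: "Interface" endpoints get ENIs in the private subnets plus
# the vpce security group, "Gateway" endpoints are attached to the private
# route tables (see aws_vpc_endpoint.dynamic_endpoints).
variable "vpc_endpoints" {
  type        = map(string)
  description = "Map of service name to endpoint type (Interface or Gateway)"
  default = {
    ec2                  = "Interface"
    elasticloadbalancing = "Interface"
    elasticfilesystem    = "Interface"
    s3                   = "Gateway"
  }

  # Reject anything but the two supported types at plan time. Without this a
  # typo such as "interface" is only caught by the AWS API on apply, and the
  # exact-match conditions in aws_vpc_endpoint.dynamic_endpoints would also
  # silently leave subnets, security group and route tables unset for it.
  # validation blocks require Terraform >= 0.13.
  validation {
    condition     = length([for t in values(var.vpc_endpoints) : t if !contains(["Interface", "Gateway"], t)]) == 0
    error_message = "Each vpc_endpoints value must be Interface or Gateway."
  }
}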