refactor: add byo endpoint service support

CHANGELOG.md

@@ -11,6 +11,8 @@ ENHANCEMENTS:
     - terraform-zscc-route53-aws:
         - add variable outbound_endpoint_security_group_ids
         - remove default security group usage per AWS best practices
+    - terraform-zscc-gwlbendpoint-aws:
+        - add variable byo_endpoint_service_name supporting brownfield deployments using a pre-existing VPC Endpoint Service
 
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:

examples/cc_gwlb/README.md

@@ -89,6 +89,7 @@ From cc_gwlb directory execute:
 | <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` | <pre>[<br>  ""<br>]</pre> | no |
 | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | <a name="input_az_count"></a> [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
+| <a name="input_byo_endpoint_service_name"></a> [byo\_endpoint\_service\_name](#input\_byo\_endpoint\_service\_name) | Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format:  "com.amazonaws.vpce.<region>.<service id>" | `string` | `null` | no |
 | <a name="input_byo_iam"></a> [byo\_iam](#input\_byo\_iam) | Bring your own IAM Instance Profile for Cloud Connector | `bool` | `false` | no |
 | <a name="input_byo_iam_instance_profile_id"></a> [byo\_iam\_instance\_profile\_id](#input\_byo\_iam\_instance\_profile\_id) | IAM Instance Profile ID for Cloud Connector association | `list(string)` | `null` | no |
 | <a name="input_byo_igw"></a> [byo\_igw](#input\_byo\_igw) | Bring your own AWS VPC for Cloud Connector | `bool` | `false` | no |

examples/cc_gwlb/main.tf

@@ -216,15 +216,16 @@ module "gwlb" {
 #    per Cloud Connector subnet/availability zone.
 ################################################################################
 module "gwlb_endpoint" {
-  source              = "../../modules/terraform-zscc-gwlbendpoint-aws"
-  name_prefix         = var.name_prefix
-  resource_tag        = random_string.suffix.result
-  global_tags         = local.global_tags
-  vpc_id              = module.network.vpc_id
-  subnet_ids          = module.network.cc_subnet_ids
-  gwlb_arn            = module.gwlb.gwlb_arn
-  acceptance_required = var.acceptance_required
-  allowed_principals  = var.allowed_principals
+  source                    = "../../modules/terraform-zscc-gwlbendpoint-aws"
+  name_prefix               = var.name_prefix
+  resource_tag              = random_string.suffix.result
+  global_tags               = local.global_tags
+  vpc_id                    = module.network.vpc_id
+  subnet_ids                = module.network.cc_subnet_ids
+  gwlb_arn                  = module.gwlb.gwlb_arn
+  acceptance_required       = var.acceptance_required
+  allowed_principals        = var.allowed_principals
+  byo_endpoint_service_name = var.byo_endpoint_service_name
 }
 
 

examples/cc_gwlb/terraform.tfvars

@@ -328,3 +328,9 @@
 ##     By uncommenting (setting to false) this assumes that you have an existing VPC/Subnets (byo_subnets = true)
 
 #cc_route_table_enabled                     = false
+
+## 42. By default, this script will create a new VPC Endpoint Service in all availability zones specifified.
+##     Uncomment, and provide your existing GWLB Endpoint Service name to associate new GWLB Endpoints to 
+##     Example string format: "com.amazonaws.vpce.<region>.<service id>"
+
+#byo_endpoint_service_name                  = "endpoint service name"

examples/cc_gwlb/variables.tf

@@ -384,3 +384,9 @@ variable "cc_route_table_enabled" {
   description = "For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to Cloud Connector subnet(s). Default is true which means module will try to create new route tables"
   default     = true
 }
+
+variable "byo_endpoint_service_name" {
+  type        = string
+  description = "Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format:  \"com.amazonaws.vpce.<region>.<service id>\""
+  default     = null
+}

examples/zsec

@@ -1468,6 +1468,31 @@ first_run="yes"
                     esac
                 done
             fi
+            while true; do
+                read -r -p "${CYAN}Do you have an existing VPC Endpoint Service to use? (yes/no): ${RESET}" byo_endpoint_service_response
+                case $byo_endpoint_service_response in 
+                yes|y ) 
+                    echo "${GREEN}Terraform will try to associate GWLB Endpoints to an existing Endpoint Service...${RESET}"
+                    while true; do
+                        read -r -p "${CYAN}Enter the Endpoint Service Name (e.g. com.amazonaws.vpce.$aws_region.<service id>): ${RESET}" byo_endpoint_service_name_response
+                        case $byo_endpoint_service_name_response in
+                        "com.amazonaws.vpce.$aws_region."* )
+                            echo "You entered ${GREEN}$byo_endpoint_service_name_response${RESET}"
+                            echo "export TF_VAR_byo_endpoint_service_name='$byo_endpoint_service_name_response'" >> .zsecrc
+                        break
+                        ;;
+                        * ) echo "${RED}Invalid Endpoint Service Name. Check formatting and try again...${RESET}";;
+                        esac
+                    done
+                break
+                ;;
+                no|n ) 
+                    echo "${GREEN}Terraform will create a new Endpoint Service to associate new GWLB Endpoints... ${RESET}"
+                break
+                ;;
+                * ) echo "${RED}Invalid response. Please enter yes or no${RESET}";;
+                esac
+            done
         fi
 
         # ZPA/Route 53 configuration
@@ -1511,7 +1536,7 @@ first_run="yes"
             echo "export TF_VAR_domain_names=${domain_names_map}" >> .zsecrc
         fi
 
-        # IAM Policy cration for Cloud Tagging Integration
+        # IAM Policy creation for Cloud Tagging Integration
         while true; do
             read -r -p "${CYAN}Enable IAM permissions for cloud workload tagging? (yes/no): ${RESET}" cloud_tags_response
             case $cloud_tags_response in 

modules/terraform-zscc-gwlbendpoint-aws/README.md

@@ -28,13 +28,15 @@ No modules.
 | [aws_vpc_endpoint_service.gwlb_vpce_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_vpc_endpoint_service.gwlb_vpce_service_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_acceptance_required"></a> [acceptance\_required](#input\_acceptance\_required) | Whether to require manual acceptance of any VPC Endpoint registration attempts to the Endpoint Service or not. Default is false | `bool` | `false` | no |
 | <a name="input_allowed_principals"></a> [allowed\_principals](#input\_allowed\_principals) | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. ["arn:aws:iam::1234567890:root"]`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests` | `list(string)` | `[]` | no |
+| <a name="input_byo_endpoint_service_name"></a> [byo\_endpoint\_service\_name](#input\_byo\_endpoint\_service\_name) | Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format:  "com.amazonaws.vpce.<region>.<service id>" | `string` | `null` | no |
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | <a name="input_gwlb_arn"></a> [gwlb\_arn](#input\_gwlb\_arn) | ARN of GWLB for Endpoint Service to be assigned | `string` | n/a | yes |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the GWLB Endpoint module resources | `string` | `null` | no |

modules/terraform-zscc-gwlbendpoint-aws/main.tf

@@ -16,6 +16,7 @@ data "aws_partition" "current" {}
 # if no explicit principals are configured in var.allowed_principals
 ################################################################################
 resource "aws_vpc_endpoint_service" "gwlb_vpce_service" {
+  count                      = var.byo_endpoint_service_name != null ? 0 : 1
   allowed_principals         = coalescelist(var.allowed_principals, ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.id}:root"])
   acceptance_required        = var.acceptance_required
   gateway_load_balancer_arns = [var.gwlb_arn]
@@ -25,15 +26,22 @@ resource "aws_vpc_endpoint_service" "gwlb_vpce_service" {
   )
 }
 
+# Or reference an existing Endpoint Service
+data "aws_vpc_endpoint_service" "gwlb_vpce_service_selected" {
+  count        = var.byo_endpoint_service_name != null ? 1 : 0
+  service_name = var.byo_endpoint_service_name
+}
+
+
 
 ################################################################################
 # Create the GWLB Endpoint ENIs per list of subnet IDs specified
 ################################################################################
 resource "aws_vpc_endpoint" "gwlb_vpce" {
   count             = length(var.subnet_ids)
-  service_name      = aws_vpc_endpoint_service.gwlb_vpce_service.service_name
+  service_name      = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_name, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_name)
   subnet_ids        = [element(var.subnet_ids, count.index)]
-  vpc_endpoint_type = aws_vpc_endpoint_service.gwlb_vpce_service.service_type
+  vpc_endpoint_type = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_type, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_type)
   vpc_id            = var.vpc_id
 
   tags = merge(var.global_tags,

modules/terraform-zscc-gwlbendpoint-aws/outputs.tf

@@ -5,15 +5,15 @@ output "gwlbe" {
 
 output "vpce_service_name" {
   description = "VPC Endpoint Service Name"
-  value       = aws_vpc_endpoint_service.gwlb_vpce_service.service_name
+  value       = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_name, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_name)
 }
 
 output "vpce_service_id" {
   description = "VPC Endpoint Service ID"
-  value       = aws_vpc_endpoint_service.gwlb_vpce_service.id
+  value       = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].id, aws_vpc_endpoint_service.gwlb_vpce_service[0].id)
 }
 
 output "vpce_service_arn" {
   description = "VPC Endpoint Service ARN"
-  value       = aws_vpc_endpoint_service.gwlb_vpce_service.arn
+  value       = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].arn, aws_vpc_endpoint_service.gwlb_vpce_service[0].arn)
 }

modules/terraform-zscc-gwlbendpoint-aws/variables.tf

@@ -42,3 +42,9 @@ variable "allowed_principals" {
   description = "List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. [\"arn:aws:iam::1234567890:root\"]`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"
   default     = []
 }
+
+variable "byo_endpoint_service_name" {
+  type        = string
+  description = "Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format:  \"com.amazonaws.vpce.<region>.<service id>\""
+  default     = null
+}