diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4f43672..73c71e7 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ ENHANCEMENTS:
 - terraform-zscc-route53-aws:
 - add variable outbound_endpoint_security_group_ids
 - remove default security group usage per AWS best practices
+ - terraform-zscc-gwlbendpoint-aws:
+ - add variable byo_endpoint_service_name supporting brownfield deployments using a pre-existing VPC Endpoint Service
 ## 1.3.3 (August 30, 2024)
 ENHANCEMENTS:
diff --git a/examples/cc_gwlb/README.md b/examples/cc_gwlb/README.md
index 701473d..e5ce27f 100644
--- a/examples/cc_gwlb/README.md
+++ b/examples/cc_gwlb/README.md
@@ -89,6 +89,7 @@ From cc_gwlb directory execute:
 | [ami\_id](#input\_ami\_id) | AMI ID(s) to be used for deploying Cloud Connector appliances. Ideally all VMs should be on the same AMI ID as templates always pull the latest from AWS Marketplace. This variable is provided if a customer desires to override/retain an old ami for existing deployments rather than upgrading and forcing a replacement. It is also inputted as a list to facilitate if a customer desired to manually upgrade select CCs deployed based on the cc\_count index | `list(string)` |
[
""
]
| no |
 | [aws\_region](#input\_aws\_region) | The AWS region. | `string` | `"us-west-2"` | no |
 | [az\_count](#input\_az\_count) | Default number of subnets to create based on availability zone | `number` | `2` | no |
+| [byo\_endpoint\_service\_name](#input\_byo\_endpoint\_service\_name) | Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: "com.amazonaws.vpce.." | `string` | `null` | no |
 | [byo\_iam](#input\_byo\_iam) | Bring your own IAM Instance Profile for Cloud Connector | `bool` | `false` | no |
 | [byo\_iam\_instance\_profile\_id](#input\_byo\_iam\_instance\_profile\_id) | IAM Instance Profile ID for Cloud Connector association | `list(string)` | `null` | no |
 | [byo\_igw](#input\_byo\_igw) | Bring your own AWS VPC for Cloud Connector | `bool` | `false` | no |
diff --git a/examples/cc_gwlb/main.tf b/examples/cc_gwlb/main.tf
index 146b2e4..afcb3fb 100755
--- a/examples/cc_gwlb/main.tf
+++ b/examples/cc_gwlb/main.tf
@@ -216,15 +216,16 @@ module "gwlb" {
 # per Cloud Connector subnet/availability zone.
 ################################################################################
 module "gwlb_endpoint" {
- source = "../../modules/terraform-zscc-gwlbendpoint-aws"
- name_prefix = var.name_prefix
- resource_tag = random_string.suffix.result
- global_tags = local.global_tags
- vpc_id = module.network.vpc_id
- subnet_ids = module.network.cc_subnet_ids
- gwlb_arn = module.gwlb.gwlb_arn
- acceptance_required = var.acceptance_required
- allowed_principals = var.allowed_principals
+ source = "../../modules/terraform-zscc-gwlbendpoint-aws"
+ name_prefix = var.name_prefix
+ resource_tag = random_string.suffix.result
+ global_tags = local.global_tags
+ vpc_id = module.network.vpc_id
+ subnet_ids = module.network.cc_subnet_ids
+ gwlb_arn = module.gwlb.gwlb_arn
+ acceptance_required = var.acceptance_required
+ allowed_principals = var.allowed_principals
+ byo_endpoint_service_name = var.byo_endpoint_service_name
 }
diff --git a/examples/cc_gwlb/terraform.tfvars b/examples/cc_gwlb/terraform.tfvars
index 8f693f9..d8573c5 100755
--- a/examples/cc_gwlb/terraform.tfvars
+++ b/examples/cc_gwlb/terraform.tfvars
@@ -328,3 +328,9 @@
 ## By uncommenting (setting to false) this assumes that you have an existing VPC/Subnets (byo_subnets = true)
 #cc_route_table_enabled = false
+
+## 42. By default, this script will create a new VPC Endpoint Service in all availability zones specifified.
+## Uncomment, and provide your existing GWLB Endpoint Service name to associate new GWLB Endpoints to
+## Example string format: "com.amazonaws.vpce.."
+
+#byo_endpoint_service_name = "endpoint service name"
diff --git a/examples/cc_gwlb/variables.tf b/examples/cc_gwlb/variables.tf
index cb6fda4..4d72c76 100755
--- a/examples/cc_gwlb/variables.tf
+++ b/examples/cc_gwlb/variables.tf
@@ -384,3 +384,9 @@ variable "cc_route_table_enabled" {
 description = "For brownfield environments where VPC subnets already exist, set to false to not create a new route table to associate to Cloud Connector subnet(s). Default is true which means module will try to create new route tables"
 default = true
 }
+
+variable "byo_endpoint_service_name" {
+ type = string
+ description = "Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: \"com.amazonaws.vpce..\""
+ default = null
+}
diff --git a/examples/zsec b/examples/zsec
index e95024d..8770a32 100755
--- a/examples/zsec
+++ b/examples/zsec
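Review bot: The new `## 42.` comment misspells "specified" and says the script creates a new VPC Endpoint Service "in all availability zones", whereas the module creates a single Endpoint Service and it is the GWLB Endpoints that are per availability zone. Suggested wording: `## 42. By default, this script will create a new VPC Endpoint Service and associate a GWLB Endpoint to it in each availability zone specified.` The placeholder `"endpoint service name"` also does not match the format the `zsec` prompt enforces; a placeholder such as `"com.amazonaws.vpce.<region>.vpce-svc-<id>"` would make the expected shape obvious to anyone uncommenting the line.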
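Review bot: The new `byo_endpoint_service_name` variable accepts any string, so a typo or a non-GWLB service name is only caught at apply time deep inside the module, and its description misspells "Existing" (the same text is repeated in `modules/terraform-zscc-gwlbendpoint-aws/variables.tf` and in both README rows, which appear to be generated from it). A `validation` block mirroring the prefix check the `zsec` prompt already performs would fail fast at plan time; if partitions whose service-name prefix differs from `com.amazonaws.vpce.` must be supported, relax the prefix accordingly. Note that `can(regex(...))` returns false rather than erroring when the variable is null, so the `== null ||` guard is safe either way.
```hcl
variable "byo_endpoint_service_name" {
  type        = string
  description = "Existing GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: \"com.amazonaws.vpce.<region>.vpce-svc-<id>\""
  default     = null

  validation {
    condition     = var.byo_endpoint_service_name == null || can(regex("^com\\.amazonaws\\.vpce\\.[a-z0-9-]+\\.vpce-svc-[a-z0-9]+$", var.byo_endpoint_service_name))
    error_message = "byo_endpoint_service_name must be null or look like com.amazonaws.vpce.<region>.vpce-svc-<id>."
  }
}
```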
@@ -1468,6 +1468,31 @@ first_run="yes"
 esac
 done
 fi
+ while true; do
+ read -r -p "${CYAN}Do you have an existing VPC Endpoint Service to use? (yes/no): ${RESET}" byo_endpoint_service_response
+ case $byo_endpoint_service_response in
+ yes|y )
+ echo "${GREEN}Terraform will try to associate GWLB Endpoints to an existing Endpoint Service...${RESET}"
+ while true; do
+ read -r -p "${CYAN}Enter the Endpoint Service Name (e.g. com.amazonaws.vpce.$aws_region.): ${RESET}" byo_endpoint_service_name_response
+ case $byo_endpoint_service_name_response in
+ "com.amazonaws.vpce.$aws_region."* )
+ echo "You entered ${GREEN}$byo_endpoint_service_name_response${RESET}"
+ echo "export TF_VAR_byo_endpoint_service_name='$byo_endpoint_service_name_response'" >> .zsecrc
+ break
+ ;;
+ * ) echo "${RED}Invalid Endpoint Service Name. Check formatting and try again...${RESET}";;
+ esac
+ done
+ break
+ ;;
+ no|n )
+ echo "${GREEN}Terraform will create a new Endpoint Service to associate new GWLB Endpoints... ${RESET}"
+ break
+ ;;
+ * ) echo "${RED}Invalid response. Please enter yes or no${RESET}";;
+ esac
+ done
 fi
 # ZPA/Route 53 configuration
@@ -1511,7 +1536,7 @@ first_run="yes"
 echo "export TF_VAR_domain_names=${domain_names_map}" >> .zsecrc
 fi
- # IAM Policy cration for Cloud Tagging Integration
+ # IAM Policy creation for Cloud Tagging Integration
 while true; do
 read -r -p "${CYAN}Enable IAM permissions for cloud workload tagging? (yes/no): ${RESET}" cloud_tags_response
 case $cloud_tags_response in
diff --git a/modules/terraform-zscc-gwlbendpoint-aws/README.md b/modules/terraform-zscc-gwlbendpoint-aws/README.md
index 9aab87e..ef29b8a 100644
--- a/modules/terraform-zscc-gwlbendpoint-aws/README.md
+++ b/modules/terraform-zscc-gwlbendpoint-aws/README.md
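Review bot: The accept arm `"com.amazonaws.vpce.$aws_region."* )` only checks the prefix, so everything after it — including a `'` character — is written verbatim into the single-quoted `export TF_VAR_byo_endpoint_service_name='...'` line appended to `.zsecrc`; if that file is later sourced (as the other `export` lines suggest), a stray quote ends the literal and the remainder of the input is interpreted by the shell rather than stored. Service names only consist of letters, digits, `.` and `-`, so rejecting anything else before the accept arm closes this cheaply: `*[!A-Za-z0-9.-]* ) echo "${RED}Invalid Endpoint Service Name. Only letters, digits, '.' and '-' are allowed...${RESET}";;` placed as the first pattern in that `case`, and the accept pattern tightened to `"com.amazonaws.vpce.$aws_region.vpce-svc-"* )`. The `if` block the new prompt sits in begins before this hunk.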
@@ -28,6 +28,7 @@ No modules.
 | [aws_vpc_endpoint_service.gwlb_vpce_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+| [aws_vpc_endpoint_service.gwlb_vpce_service_selected](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
 ## Inputs
@@ -35,6 +36,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [acceptance\_required](#input\_acceptance\_required) | Whether to require manual acceptance of any VPC Endpoint registration attempts to the Endpoint Service or not. Default is false | `bool` | `false` | no |
 | [allowed\_principals](#input\_allowed\_principals) | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. ["arn:aws:iam::1234567890:root"]`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests` | `list(string)` | `[]` | no |
+| [byo\_endpoint\_service\_name](#input\_byo\_endpoint\_service\_name) | Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: "com.amazonaws.vpce.." | `string` | `null` | no |
 | [global\_tags](#input\_global\_tags) | Populate any custom user defined tags from a map | `map(string)` | `{}` | no |
 | [gwlb\_arn](#input\_gwlb\_arn) | ARN of GWLB for Endpoint Service to be assigned | `string` | n/a | yes |
 | [name\_prefix](#input\_name\_prefix) | A prefix to associate to all the GWLB Endpoint module resources | `string` | `null` | no |
diff --git a/modules/terraform-zscc-gwlbendpoint-aws/main.tf b/modules/terraform-zscc-gwlbendpoint-aws/main.tf
index 7673573..b79ade2 100755
--- a/modules/terraform-zscc-gwlbendpoint-aws/main.tf
+++ b/modules/terraform-zscc-gwlbendpoint-aws/main.tf
@@ -16,6 +16,7 @@ data "aws_partition" "current" {}
 # if no explicit principals are configured in var.allowed_principals
 ################################################################################
 resource "aws_vpc_endpoint_service" "gwlb_vpce_service" {
+ count = var.byo_endpoint_service_name != null ? 0 : 1
 allowed_principals = coalescelist(var.allowed_principals, ["arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.id}:root"])
 acceptance_required = var.acceptance_required
 gateway_load_balancer_arns = [var.gwlb_arn]
@@ -25,15 +26,22 @@ resource "aws_vpc_endpoint_service" "gwlb_vpce_service" {
 )
 }
+# Or reference an existing Endpoint Service
+data "aws_vpc_endpoint_service" "gwlb_vpce_service_selected" {
+ count = var.byo_endpoint_service_name != null ? 1 : 0
+ service_name = var.byo_endpoint_service_name
+}
+
+
 ################################################################################
 # Create the GWLB Endpoint ENIs per list of subnet IDs specified
 ################################################################################
 resource "aws_vpc_endpoint" "gwlb_vpce" {
 count = length(var.subnet_ids)
- service_name = aws_vpc_endpoint_service.gwlb_vpce_service.service_name
+ service_name = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_name, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_name)
 subnet_ids = [element(var.subnet_ids, count.index)]
- vpc_endpoint_type = aws_vpc_endpoint_service.gwlb_vpce_service.service_type
+ vpc_endpoint_type = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_type, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_type)
 vpc_id = var.vpc_id
 tags = merge(var.global_tags,
diff --git a/modules/terraform-zscc-gwlbendpoint-aws/outputs.tf b/modules/terraform-zscc-gwlbendpoint-aws/outputs.tf
index 67de651..c4e2bce 100755
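Review bot: When `byo_endpoint_service_name` is set, nothing in `aws_vpc_endpoint.gwlb_vpce` checks that the looked-up service is actually a GatewayLoadBalancer service — `vpc_endpoint_type` is simply copied from whatever `service_type` the data source returns — and `allowed_principals` / `acceptance_required` are silently unused because the `gwlb_vpce_service` resource now has `count = 0`, so a caller who sets them expecting to constrain the pre-existing service gets no error and no effect. A `precondition` on the endpoint resource makes the first explicit and its `error_message` can document the second (custom conditions need Terraform >= 1.2; I cannot see the module's `required_version` from here). As a point of style, `try()` on a `[0]` index hides genuine errors and is harder to read than selecting on the variable; `var.byo_endpoint_service_name != null ? data....gwlb_vpce_service_selected[0].service_name : aws_vpc_endpoint_service.gwlb_vpce_service[0].service_name` (and likewise for `service_type`, and in `outputs.tf`) states the intent directly. The `aws_vpc_endpoint.gwlb_vpce` block continues past the end of this hunk.
```hcl
resource "aws_vpc_endpoint" "gwlb_vpce" {
  # … unchanged: count, service_name, subnet_ids, vpc_endpoint_type, vpc_id, tags …

  lifecycle {
    precondition {
      condition     = var.byo_endpoint_service_name == null || one(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[*].service_type) == "GatewayLoadBalancer"
      error_message = "byo_endpoint_service_name must name a GatewayLoadBalancer VPC Endpoint Service. Note that allowed_principals and acceptance_required are not applied to a pre-existing service."
    }
  }
```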
--- a/modules/terraform-zscc-gwlbendpoint-aws/outputs.tf
+++ b/modules/terraform-zscc-gwlbendpoint-aws/outputs.tf
@@ -5,15 +5,15 @@ output "gwlbe" {
 output "vpce_service_name" {
 description = "VPC Endpoint Service Name"
- value = aws_vpc_endpoint_service.gwlb_vpce_service.service_name
+ value = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_name, aws_vpc_endpoint_service.gwlb_vpce_service[0].service_name)
 }
 output "vpce_service_id" {
 description = "VPC Endpoint Service ID"
- value = aws_vpc_endpoint_service.gwlb_vpce_service.id
+ value = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].id, aws_vpc_endpoint_service.gwlb_vpce_service[0].id)
 }
 output "vpce_service_arn" {
 description = "VPC Endpoint Service ARN"
- value = aws_vpc_endpoint_service.gwlb_vpce_service.arn
+ value = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].arn, aws_vpc_endpoint_service.gwlb_vpce_service[0].arn)
 }
diff --git a/modules/terraform-zscc-gwlbendpoint-aws/variables.tf b/modules/terraform-zscc-gwlbendpoint-aws/variables.tf
index 580e24c..57748ee 100755
--- a/modules/terraform-zscc-gwlbendpoint-aws/variables.tf
+++ b/modules/terraform-zscc-gwlbendpoint-aws/variables.tf
@@ -42,3 +42,9 @@ variable "allowed_principals" {
 description = "List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. E.g. [\"arn:aws:iam::1234567890:root\"]`. See https://docs.aws.amazon.com/vpc/latest/privatelink/configure-endpoint-service.html#accept-reject-connection-requests"
 default = []
 }
+
+variable "byo_endpoint_service_name" {
+ type = string
+ description = "Exising GWLB Endpoint Service name to associate GWLB Endpoints to. Example string format: \"com.amazonaws.vpce..\""
+ default = null
+}
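Review bot: `vpce_service_id` falls back to `data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].id`, but unless I am mistaken the data source's `id` is an internal identifier derived from the service name rather than the `vpce-svc-…` ID that the resource's `id` carries, so in brownfield mode this output no longer means what its description says and anything consuming it (policies, cross-stack references) would receive the wrong value. The data source exposes the real ID as `service_id`; the line should read `value = try(data.aws_vpc_endpoint_service.gwlb_vpce_service_selected[0].service_id, aws_vpc_endpoint_service.gwlb_vpce_service[0].id)`. The other two outputs use `service_name` and `arn`, which are the same attributes on both sides, so they are fine as written.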