Merge pull request #329 from mdr-engineering/feature/ftd_MSOCI-1974_FlagForOpenVPCEndpoints

Adds a flag to allow wider access to VPC endpoints

base/standard_vpc/security-groups.tf

@@ -3,6 +3,7 @@
 #
 
 locals {
+  endpoint_cidr_blocks = var.allow_any_to_endpoints ? [ "10.0.0.0/8" ] : [ module.vpc.vpc_cidr_block ]
 }
 
 module "aws_endpoints_sg" {
@@ -13,8 +14,8 @@ module "aws_endpoints_sg" {
   tags        = merge(var.standard_tags, var.tags)
   vpc_id      = module.vpc.vpc_id
 
-  ingress_cidr_blocks = [ "10.0.0.0/8" ]
-  egress_cidr_blocks = [ "10.0.0.0/8" ]
+  ingress_cidr_blocks = local.endpoint_cidr_blocks
+  egress_cidr_blocks = local.endpoint_cidr_blocks
   egress_ipv6_cidr_blocks = [ ]
 
   egress_rules = [ "all-all" ]

base/standard_vpc/vars.tf

@@ -1,3 +1,9 @@
+variable "allow_any_to_endpoints" {
+  description = "Whether to accept the transit gateway sharing invitation. Only done once per account."
+  type        = bool
+  default     = false
+}
+
 variable "accept_tgw_invitation" {
   description = "Whether to accept the transit gateway sharing invitation. Only done once per account."
   type        = bool