
Adds access to AWS endpoints to the typical host SG

Also updates some old Terraform 0.11 interpolation syntax (`"${var.x}"` → `var.x`).
Fred Damstra 4 lat temu
rodzic
commit
88ea6cfa1c

+ 18 - 18
base/standard_vpc/main.tf

@@ -9,15 +9,15 @@ data "aws_availability_zones" "available" {
 module "vpc" {
   source = "terraform-aws-modules/vpc/aws"
   version = "~> v2.0"
-  name = "${local.vpc_name}"
-  cidr = "${var.vpc_info["cidr"]}"
+  name = local.vpc_name
+  cidr = var.vpc_info["cidr"]
 
   azs = slice(data.aws_availability_zones.available.names,0,3)
 
   private_subnets = [
-      "${cidrsubnet(var.vpc_info["cidr"],3,0)}",
-      "${cidrsubnet(var.vpc_info["cidr"],3,1)}",
-      "${cidrsubnet(var.vpc_info["cidr"],3,2)}",
+      cidrsubnet(var.vpc_info["cidr"],3,0),
+      cidrsubnet(var.vpc_info["cidr"],3,1),
+      cidrsubnet(var.vpc_info["cidr"],3,2),
   ]
 
   # Potentially, we could route all accounts through the transit gateway to
@@ -28,9 +28,9 @@ module "vpc" {
   # or a /24 for each subnet (seems wasteful).
   #public_subnets = [ ]
   public_subnets = [ 
-      "${cidrsubnet(var.vpc_info["cidr"],3,4)}",
-      "${cidrsubnet(var.vpc_info["cidr"],3,5)}",
-      "${cidrsubnet(var.vpc_info["cidr"],3,6)}",
+      cidrsubnet(var.vpc_info["cidr"],3,4),
+      cidrsubnet(var.vpc_info["cidr"],3,5),
+      cidrsubnet(var.vpc_info["cidr"],3,6),
   ]
 
   enable_nat_gateway = var.enable_nat_gateway
@@ -46,43 +46,43 @@ module "vpc" {
   # Endpoints with a dns setting
   enable_ec2_endpoint              = true
   ec2_endpoint_private_dns_enabled = true
-  ec2_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ec2_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_ec2messages_endpoint = true
   ec2messages_endpoint_private_dns_enabled = true
-  ec2messages_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ec2messages_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_ecr_api_endpoint = true
   ecr_api_endpoint_private_dns_enabled = true
-  ecr_api_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ecr_api_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_ecr_dkr_endpoint = true
   ecr_dkr_endpoint_private_dns_enabled = true
-  ecr_dkr_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ecr_dkr_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_kms_endpoint = true
   kms_endpoint_private_dns_enabled = true
-  kms_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  kms_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_logs_endpoint = true
   logs_endpoint_private_dns_enabled = true
-  logs_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  logs_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_ssm_endpoint = true
   ssm_endpoint_private_dns_enabled = true
-  ssm_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ssm_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_ssmmessages_endpoint = true
   ssmmessages_endpoint_private_dns_enabled = true
-  ssmmessages_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  ssmmessages_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_sts_endpoint = true
   sts_endpoint_private_dns_enabled = true
-  sts_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  sts_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   enable_monitoring_endpoint = true
   monitoring_endpoint_private_dns_enabled = true
-  monitoring_endpoint_security_group_ids  =  [ "${module.aws_endpoints_sg.this_security_group_id}" ]
+  monitoring_endpoint_security_group_ids  =  [ module.aws_endpoints_sg.this_security_group_id ]
 
   dhcp_options_domain_name = var.dns_info["private"]["zone"]
   dhcp_options_domain_name_servers = var.dns_servers

+ 1 - 0
base/standard_vpc/security-groups.tf

@@ -96,6 +96,7 @@ module "typical_host_security_group" {
   tags = merge(var.standard_tags, var.tags)
   aws_region = var.aws_region
   aws_partition = var.aws_partition
+  aws_endpoints_sg = module.aws_endpoints_sg.this_security_group_id
 }
 
 # CIS 4.3 - Default security group should restrict all traffic

+ 21 - 0
submodules/security_group/typical_host/main.tf

@@ -120,6 +120,27 @@ resource "aws_security_group_rule" "outbound_to_web_servers_443" {
   count = length(var.cidr_map["web"]) > 0 ? 1 : 0
 }
 
+# Systems need to be able to access vpc endpoints on 80/443
+resource "aws_security_group_rule" "outbound_to_local_vpc_80" {
+  security_group_id = aws_security_group.security_group.id
+  type = "egress"
+  description = "Connect to VPC Endpoints"
+  from_port = 80
+  to_port = 80
+  protocol = "tcp"
+  source_security_group_id = var.aws_endpoints_sg
+}
+
+resource "aws_security_group_rule" "outbound_to_local_vpc_443" {
+  security_group_id = aws_security_group.security_group.id
+  type = "egress"
+  description = "Connect to VPC Endpoints"
+  from_port = 443
+  to_port = 443
+  protocol = "tcp"
+  source_security_group_id = var.aws_endpoints_sg
+}
+
 resource "aws_security_group_rule" "outbound_to_mailrelay_25" {
   security_group_id = aws_security_group.security_group.id
   type = "egress"
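Review bot: The new `outbound_to_local_vpc_80` rule opens egress on TCP 80 toward the endpoint security group, yet none of the interface endpoints enabled in base/standard_vpc/main.tf by this commit (ec2, ec2messages, ecr api/dkr, kms, logs, ssm, ssmmessages, sts, monitoring) is an HTTP service — as far as I know these endpoints listen on 443 only, so the 80 rule is an unneeded allow and should be dropped, or its description should name the endpoint that actually needs plain HTTP. On an `egress` rule `source_security_group_id` is the destination SG; the usage is correct but the attribute name invites misreading, so a one-line comment would help: `# on egress rules, source_security_group_id is the destination SG`. Because `var.aws_endpoints_sg` has no default, every other caller of this submodule now fails to plan; consider `default = ""` on the variable and `count = var.aws_endpoints_sg != "" ? 1 : 0` on both new rules, matching the conditional pattern already used by `outbound_to_web_servers_443` just above. The surrounding `outbound_to_web_servers_443` and `outbound_to_mailrelay_25` resources begin and continue outside the hunk.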

+ 1 - 0
submodules/security_group/typical_host/vars.tf

@@ -3,3 +3,4 @@ variable "cidr_map" { type = map }
 variable "tags" { type = map }
 variable "aws_region" { type = string }
 variable "aws_partition" { type = string }
+variable "aws_endpoints_sg" { type = string }
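Review bot: The new `aws_endpoints_sg` variable has no `description`, so a caller cannot tell from the interface that it must be the ID of the security group attached to the VPC interface endpoints and that it becomes the egress destination for the 80/443 rules in main.tf. Suggest `variable "aws_endpoints_sg" { type = string description = "ID of the security group attached to the VPC interface endpoints; used as the egress destination for the host SG rules" }`, split onto multiple lines to match the other declarations if the file's one-line style is not intentional.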