Add VPC endpoints for SSM

danielbreves · Aug 28, 2023 · 134a55b · 134a55b
1 parent 74390e2
commit 134a55b
Showing 1 changed file with 32 additions and 1 deletion.
diff --git a/terraform/main.tf b/terraform/main.tf
@@ -107,6 +107,7 @@ resource "aws_instance" "bastion_host" {
   }
 }
 
+# See https://repost.aws/knowledge-center/ec2-systems-manager-vpc-endpoints
 resource "aws_iam_role" "ec2_ssm_role" {
   name = "ec2-bastion-ssm-role"
 
@@ -132,6 +133,36 @@ resource "aws_iam_role_policy_attachment" "ec2_ssm_policy_attachment" {
   policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
+resource "aws_vpc_endpoint" "ssm_endpoints" {
+  for_each           = toset(["ssmmessages", "ec2messages", "ssm"])
+  service_name       = "com.amazonaws.${var.aws_region}.${each.key}"
+  vpc_id             = aws_vpc.backend_vpc.id
+  vpc_endpoint_type  = "Interface"
+  subnet_ids         = [aws_subnet.bastion_subnet.id]
+  security_group_ids = [aws_security_group.endpoints_sg.id]
+}
+
+resource "aws_security_group" "endpoints_sg" {
+  name   = "vpc-endpoints-ssm-sg"
+  vpc_id = aws_vpc.backend_vpc.id
+}
+
+resource "aws_vpc_security_group_ingress_rule" "vpc_endpoints_ingress_rule" {
+  security_group_id            = aws_security_group.endpoints_sg.id
+  referenced_security_group_id = aws_security_group.bastion_sg.id
+  from_port                    = 443
+  ip_protocol                  = "tcp"
+  to_port                      = 443
+}
+
+resource "aws_vpc_security_group_egress_rule" "bastion_host_egress_rule" {
+  security_group_id            = aws_security_group.bastion_sg.id
+  referenced_security_group_id = aws_security_group.endpoints_sg.id
+  from_port                    = 443
+  ip_protocol                  = "tcp"
+  to_port                      = 443
+}
+
 ################################################################################
 # RDS
 ################################################################################
@@ -158,7 +189,7 @@ resource "aws_db_instance" "fastapi_db" {
   vpc_security_group_ids = [aws_security_group.db_sg.id]
   db_subnet_group_name   = aws_db_subnet_group.db_subnet_group.id
 
-  multi_az = true # Enable multi-AZ deployment for high availability
+  multi_az = true
 }
 
 ################################################################################