Compare commits


1 Commits

6 changed files with 286 additions and 14 deletions

.gitignore (vendored) Normal file → Executable file (0 changed lines)

README.md Normal file → Executable file (295 changed lines)

@ -1,19 +1,288 @@
# terraform-aws-vpc_endpoints # Terraform AWS VPC Endpoints Module
Module to enable and configure VPC endpoints
## Overview
Module Usage This Terraform module creates VPC endpoints for AWS services, enabling private connectivity between your VPC and AWS services without traversing the public internet. Currently supports S3 gateway endpoints with route table associations.
``` ## Features
- S3 Gateway VPC Endpoint creation
- Automatic route table association
- Support for both private and public route tables
- Conditional endpoint creation
- Cost optimization by keeping traffic within AWS network
- Improved security by avoiding public internet
## Resources Created
- VPC Endpoint for S3 (Gateway type)
- VPC Endpoint Route Table Associations (private subnets)
- VPC Endpoint Route Table Associations (public subnets)
## Usage
### Basic Example
```hcl
module "vpc_endpoints" { module "vpc_endpoints" {
count = var.enable_s3_endpoint ? 1 : 0 source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
#source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git?ref=tags/0.18.1"
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git" vpc_id = "vpc-12345678"
region = var.region enable_s3_endpoint = true
name = var.name private_route_table_ids = ["rtb-11111111", "rtb-22222222"]
vpc_id = module.vpc.vpc_id public_route_table_ids = ["rtb-33333333"]
private_route_table_id = module.subnets.private_route_table_ids
public_route_table_id = module.subnets.public_route_table_ids
tags = local.tags
} }
``` ```
### With VPC Module
```hcl
module "vpc" {
source = "cloudposse/vpc/aws"
cidr_block = "10.0.0.0/16"
# ... other VPC configuration
}
module "subnets" {
source = "cloudposse/dynamic-subnets/aws"
vpc_id = module.vpc.vpc_id
availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
# ... other subnet configuration
}
module "vpc_endpoints" {
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
vpc_id = module.vpc.vpc_id
enable_s3_endpoint = true
private_route_table_ids = module.subnets.private_route_table_ids
public_route_table_ids = module.subnets.public_route_table_ids
}
```
### Conditional Creation
```hcl
module "vpc_endpoints" {
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
vpc_id = module.vpc.vpc_id
enable_s3_endpoint = var.environment == "production" ? true : false
private_route_table_ids = module.subnets.private_route_table_ids
public_route_table_ids = module.subnets.public_route_table_ids
}
```
## Variables
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| vpc_id | The VPC ID where the endpoint is located | `string` | n/a | yes |
| enable_s3_endpoint | Should provision an S3 endpoint to the VPC | `bool` | `true` | no |
| public_route_table_ids | Public route table IDs of the VPC | `list(string)` | n/a | yes |
| private_route_table_ids | Private route table IDs of the VPC | `list(string)` | n/a | yes |
## Outputs
| Name | Description |
|------|-------------|
| vpc_endpoint_s3_id | The ID of VPC endpoint for S3 |
| vpc_endpoint_s3_pl_id | The prefix list ID for the S3 VPC endpoint |
## Requirements
| Name | Version |
|------|---------|
| terraform | >= 0.13 |
| aws | Latest |
## VPC Endpoint Types
### Gateway Endpoints
- S3 (implemented)
- DynamoDB (can be added)
- No hourly charges
- Route table-based routing
### Interface Endpoints (future)
- Most other AWS services
- Charged per hour and per GB processed
- ENI-based in subnets
## How S3 VPC Endpoints Work
When you create an S3 VPC endpoint:
1. AWS creates a route in specified route tables
2. Routes matching S3 service prefix lists go through the endpoint
3. Traffic stays within AWS network
4. No internet gateway traversal required
5. No NAT gateway charges for S3 access
## Benefits
### Cost Savings
- No NAT Gateway data processing charges for S3 traffic
- No internet egress charges for S3 traffic
- Especially beneficial for large data transfers
### Performance
- Lower latency by avoiding internet hops
- Higher throughput within AWS network
- More consistent performance
### Security
- Traffic never leaves AWS network
- Reduced attack surface
- Simplified security group rules
- No need for public IPs for S3 access
## Important Notes
1. **Gateway Endpoint**: S3 uses a gateway endpoint (no additional charges)
2. **Route Tables**: Endpoint is associated with specified route tables
3. **Service Name**: Module automatically retrieves the correct S3 service name for the region
4. **Prefix Lists**: S3 endpoint uses AWS-managed prefix lists
5. **Region Specific**: Endpoint service names vary by region
6. **No Security Groups**: Gateway endpoints don't use security groups
7. **Policy Support**: Can attach policies to restrict endpoint access (not implemented in this version)
## Example Route Table Entry
After endpoint creation, route tables will have entries like:
```
Destination: pl-12345678 (com.amazonaws.us-east-1.s3)
Target: vpce-11111111
```
## Use Cases
### Data Lakes
Store and retrieve large amounts of data in S3 without NAT Gateway costs:
```hcl
module "vpc_endpoints" {
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
vpc_id = module.data_lake_vpc.vpc_id
enable_s3_endpoint = true
private_route_table_ids = module.data_lake_vpc.private_route_table_ids
public_route_table_ids = module.data_lake_vpc.public_route_table_ids
}
```
### Container Registries
Pull container images from ECR (stored in S3) efficiently:
```hcl
module "vpc_endpoints" {
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
vpc_id = module.eks_vpc.vpc_id
enable_s3_endpoint = true
private_route_table_ids = module.eks_vpc.private_route_table_ids
public_route_table_ids = [] # EKS typically doesn't need public route tables
}
```
### Backup and Archive
Efficiently backup data to S3 Glacier:
```hcl
module "vpc_endpoints" {
source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"
vpc_id = module.backup_vpc.vpc_id
enable_s3_endpoint = true
private_route_table_ids = module.backup_vpc.private_route_table_ids
public_route_table_ids = module.backup_vpc.public_route_table_ids
}
```
## Cost Analysis
### Without VPC Endpoint
For 1 TB of S3 data transfer via NAT Gateway:
- NAT Gateway data processing: ~$45 (at $0.045/GB)
- Data transfer: ~$90 (at $0.09/GB)
- Total: ~$135
### With VPC Endpoint
For 1 TB of S3 data transfer via VPC Endpoint:
- VPC Endpoint: $0 (gateway endpoints are free)
- Data transfer: $0 (within same region)
- Total: $0
Savings: ~$135 per TB transferred
## Best Practices
1. **Always Enable**: Enable S3 endpoints in all VPCs that access S3
2. **All Route Tables**: Associate with both private and public route tables
3. **Multi-Region**: Create endpoints in each region where you have VPCs
4. **Endpoint Policies**: Consider implementing endpoint policies for additional security (requires module enhancement)
5. **Monitoring**: Monitor endpoint usage via VPC Flow Logs
6. **Documentation**: Document which services use the endpoint
## Limitations
1. **Cross-Region**: VPC endpoints are region-specific
2. **Service Coverage**: Only S3 gateway endpoint implemented (DynamoDB can be added)
3. **Policy**: Advanced endpoint policies not implemented in this version
4. **Interface Endpoints**: Interface endpoints for other services not included
## Future Enhancements
Potential additions to this module:
- DynamoDB gateway endpoint
- Interface endpoints (EC2, ECR, ECS, etc.)
- Endpoint policies for access control
- Private DNS configuration
- Security group management for interface endpoints
- Additional tags and naming
## Troubleshooting
### S3 access still going through NAT
- Verify route tables are correctly associated
- Check VPC endpoint is in "available" state
- Confirm S3 bucket is in the same region as endpoint
### Cannot access S3 from private subnet
- Verify private route table IDs are correct
- Check endpoint associations in AWS console
- Ensure no overlapping routes conflict with endpoint
### Endpoint not created
- Verify `enable_s3_endpoint` is set to `true`
- Check VPC ID is valid
- Ensure IAM permissions allow endpoint creation
## Monitoring
Monitor VPC endpoints using:
### CloudWatch Metrics
Currently limited metrics for gateway endpoints
### VPC Flow Logs
Enable VPC Flow Logs to see traffic patterns:
```hcl
resource "aws_flow_log" "vpc_flow_log" {
vpc_id = module.vpc.vpc_id
traffic_type = "ALL"
iam_role_arn = aws_iam_role.flow_log_role.arn
log_destination = aws_cloudwatch_log_group.flow_log.arn
}
```
### Cost Explorer
Use AWS Cost Explorer to verify NAT Gateway cost reductions after implementing VPC endpoints.
## License
This module is provided as-is for use within your organization.
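Review bot: the new usage examples pin nothing, and the Requirements table pins the `aws` provider to `Latest`. Every new example uses `source = "git@github.com:webuildyourcloud/terraform-aws-vpc_endpoints.git"` while the removed example at least carried the pinned form `?ref=tags/0.18.1` in a comment; an unpinned git source plus an unpinned provider means each `terraform init` can pull different module code and provider binaries, so suggest adding `?ref=<tag>` to every example and replacing `Latest` with the constraint versions.tf actually declares (that file is unchanged in this commit). Two smaller points: the examples and the Variables table use `private_route_table_ids` / `public_route_table_ids`, whereas the removed example passed `private_route_table_id` / `public_route_table_id`, and variables.tf shows no change here, so the documented names should be checked against what the module really declares; and the Security section's "Reduced attack surface" claim should note that with endpoint policies listed as not implemented, the gateway endpoint runs with AWS's default policy, which allows access to any S3 bucket, so the route-table association alone does not limit which buckets workloads in the VPC can reach.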

main.tf Normal file → Executable file (5 changed lines)

@ -3,8 +3,11 @@
###################### ######################
data "aws_vpc_endpoint_service" "s3" { data "aws_vpc_endpoint_service" "s3" {
count = var.enable_s3_endpoint ? 1 : 0 count = var.enable_s3_endpoint ? 1 : 0
service = "s3" service = "s3"
filter {
name = "vpc_id"
values = [aws_vpc.this.id]
}
} }
resource "aws_vpc_endpoint" "s3" { resource "aws_vpc_endpoint" "s3" {
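Review bot: the added `filter` block references `aws_vpc.this.id`, but the module takes the VPC as the `vpc_id` input (see the README's Variables table and the unchanged variables.tf), so unless main.tf declares an `aws_vpc` resource named `this` elsewhere, `terraform validate` will fail on an undeclared resource; if a VPC reference is needed at all it should be `var.vpc_id`. The filter itself is also doubtful: the `aws_vpc_endpoint_service` data source calls DescribeVpcEndpointServices, whose documented filter names are hyphenated keys such as `service-name` and `service-type`, not `vpc_id`, so the request is likely to be rejected or to match nothing. Since `service = "s3"` already resolves the regional service name on its own, suggest dropping the filter block rather than repairing it, and running `terraform plan` against a real region before merging, because nothing else in this commit exercises the data source.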

outputs.tf Normal file → Executable file (0 changed lines)

variables.tf Normal file → Executable file (0 changed lines)

versions.tf Normal file → Executable file (0 changed lines)