The material in this repository creates a VPC with an S3 Gateway Endpoint and shows that a Lambda function attached to the VPC can write objects to an S3 bucket without Internet access, because its traffic to S3 is routed through the gateway endpoint rather than the public Internet.

The material explicitly avoids using atomic resources defined in the AWS provider, with the exception of data sources. Instead, it uses exclusively the AWS modules and submodules maintained by Anton Babenko in the HashiCorp Terraform Registry.

It is based on an existing CloudFormation project, updated and rationalised. This work also became an example for the AWS Lambda Terraform module maintained by Anton Babenko.
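As an added example (not the repository's own code), the following shows how the two policy documents listed under Resources, `aws_iam_policy_document.endpoint` and `aws_iam_policy_document.bucket`, can be written so that the gateway endpoint only reaches this bucket and the bucket only accepts object reads and writes that arrive through the endpoint. The module outputs referenced (`module.s3_bucket.s3_bucket_arn`, `module.vpc_endpoints.endpoints["s3"].id`) are assumptions about how the listed modules are wired together.

```hcl
# Added example, not the repository's own code. The module outputs referenced
# below are assumptions about how the listed modules are wired together.

# Endpoint policy: the gateway endpoint forwards requests only to this bucket,
# so a function inside the VPC cannot use the endpoint to reach other buckets.
data "aws_iam_policy_document" "endpoint" {
  statement {
    sid     = "AllowOnlyThisBucket"
    effect  = "Allow"
    actions = ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]
    resources = [
      module.s3_bucket.s3_bucket_arn,
      "${module.s3_bucket.s3_bucket_arn}/*",
    ]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
  }
}

# Bucket policy: object reads and writes are denied unless the request arrived
# through this VPC endpoint. StringNotEquals also matches when aws:SourceVpce is
# absent from the request, so requests from the public Internet are denied too.
# The Deny is limited to object actions so that Terraform, which runs outside the
# VPC, can still manage the bucket and its policy.
data "aws_iam_policy_document" "bucket" {
  statement {
    sid       = "DenyObjectAccessNotViaEndpoint"
    effect    = "Deny"
    actions   = ["s3:PutObject", "s3:GetObject"]
    resources = ["${module.s3_bucket.s3_bucket_arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:SourceVpce"
      # Assumed output shape of the vpc-endpoints submodule.
      values   = [module.vpc_endpoints.endpoints["s3"].id]
    }
  }
}
```

The endpoint document is passed as the per-endpoint `policy` of the vpc-endpoints submodule and the bucket document as the `policy` input of the s3-bucket module (with `attach_policy = true`); a plan that shows either policy being removed is the first thing to check if the function suddenly gains broader S3 reach.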
Set up authentication details to your Sandbox (e.g. A Cloud Guru) with:

```shell
export AWS_ACCESS_KEY_ID=AKIAZR3FF5EXAMPLEID
export AWS_SECRET_ACCESS_KEY=k9eabHZx0Kq0utFZ2u20Ymo1I7zaWEXAMPLEKEY
```
Set the default region with:

```shell
export AWS_DEFAULT_REGION=us-east-1
```
Ensure the above are correct by running:

```shell
aws sts get-caller-identity
```

The output should look like this:

```json
{
  "UserId": "AIDAZR3FF5MEXAMPLEID",
  "Account": "123456789012",
  "Arn": "arn:aws:iam::123456789012:user/cloud_user"
}
```
Deploy with:

```shell
terraform init
terraform plan
terraform apply -auto-approve
```

Destroy with:

```shell
terraform destroy -auto-approve
```
The first deployment attempt will fail with:

```text
╷
│ Error: Provider produced inconsistent final plan
│
│ When expanding the plan for module.vpc.aws_vpc.this[0] to include new values learned so far during apply, provider "registry.terraform.io/hashicorp/aws" produced an invalid new value for .tags_all:
│ new element "Name" has appeared.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
```

Unfortunately, there is no workaround available at the moment, so just issue the apply command again:

```shell
terraform apply -auto-approve
```
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14 |
| aws | >= 4.33 |
| random | >= 3.4 |
## Providers

| Name | Version |
|---|---|
| aws | 4.33.0 |
| random | 3.4.3 |
## Modules

| Name | Source | Version |
|---|---|---|
| kms | terraform-aws-modules/kms/aws | ~> 1.0 |
| lambda_s3_write | terraform-aws-modules/lambda/aws | ~> 4.0 |
| s3_bucket | terraform-aws-modules/s3-bucket/aws | ~> 3.0 |
| security_group_lambda | terraform-aws-modules/security-group/aws | ~> 4.0 |
| vpc | terraform-aws-modules/vpc/aws | ~> 3.0 |
| vpc_endpoints | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 3.0 |
## Resources

| Name | Type |
|---|---|
| random_pet.this | resource |
| aws_availability_zones.available | data source |
| aws_iam_policy_document.bucket | data source |
| aws_iam_policy_document.endpoint | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| az_count | Number of availability zones to create VPC subnets in | `number` | `3` | no |
| region | Name of the region to deploy to | `string` | `"us-east-1"` | no |
| tags | Default tags to apply to all resources | `map(string)` | `{}` | no |
| vpc_cidr | CIDR block to allocate to the VPC | `string` | `"10.0.0.0/16"` | no |
## Outputs

No outputs.