AWS VPC Endpoints

This sandbox implements a VPC Interface Endpoint to send messages to a SQS queue from an EC2 instance that runs in a private subnet.

In addition to provisioning the core resources, policies will be configured to use proper conditions.

The SQS queue will only accept sqs:SendMessage operations coming from the configured VPC Endpoint:

"Condition": {
  "StringNotEquals": {
    "aws:sourceVpce": "vpce-1a2b3c4d"
  }
}

Setup

Create the variables file template:

cp config/local.auto.tfvars .auto.tfvars

Create the EC2 instance key pair material:

ssh-keygen -f modules/instance/ec2_id_rsa

To create the environment simply run:

terraform init
terraform apply -auto-approve

Connect to the EC2 instance:

aws ssm start-session --target i-00000000000000000 --region us-east-2

Once the environment is created, connect to the EC2 instance using SSM. Confirm that the name is resolving to a private IP:

$ dig +short sqs.us-east-2.amazonaws.com
10.0.50.54

Confirm that you're authenticated from within the EC2 instance:

aws sts get-caller-identity

Now send a message to the endpoint to the see the results:

aws sqs send-message --queue-url https://sqs.sa-east-1.amazonaws.com/000000000000/my-private-queue --message-body Hello

terraform destroy

Name		Name	Last commit message	Last commit date
Latest commit History 24 Commits
.diagrams		.diagrams
config		config
modules		modules
.gitignore		.gitignore
.terraform.lock.hcl		.terraform.lock.hcl
LICENSE		LICENSE
README.md		README.md
backend.tf		backend.tf
main.tf		main.tf
output.tf		output.tf
variables.tf		variables.tf