I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform. I understand I should define a <code>aws_vpc_endpoint</code> in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it. so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the <code>route_table_ids</code> configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB. <pre class="prettyprint"><code> data "aws_vpc" "default" { default = true } resource "aws_vpc_endpoint" "private-dynamodb" { vpc_id = "${data.aws_vpc.default.id}" service_name = "com.amazonaws.${var.region}.dynamodb" route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"] policy = <<POLICY { "Statement": [ { "Action": "*", "Effect": "Allow", "Resource": "*", "Principal": "*" } ] } POLICY } </code></pre> I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings: <ul> <li>my vpc cidr block --> local</li> <li>0.0.0.0/0 --> internet gw</li> <li>com.amazonaws...dynamodb --> vpce-...</li> </ul> so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!

Instead of creating your own route table, you can just link the endpoint to your default VPC route table, which Terraform exposes via the VPC exported attribute <code>main_route_table_id</code>. You need to associate it to your endpoint like this: <pre class="prettyprint"><code> resource "aws_vpc_endpoint_route_table_association" "private-dynamodb" { vpc_endpoint_id = "${data.aws_vpc.default.id}" route_table_id = "${data.aws_vpc.default.main_route_table_id}" } </code></pre>

how to configure a VPC endpoint to access DynamoDB with Terraform?

I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.

I understand I should define a aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.

so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the route_table_ids configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.

  data "aws_vpc" "default" {
    default = true
  }

  resource "aws_vpc_endpoint" "private-dynamodb" {
    vpc_id = "${data.aws_vpc.default.id}"
    service_name = "com.amazonaws.${var.region}.dynamodb"
    route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
    policy = <<POLICY
    {
    "Statement": [
        {
        "Action": "*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": "*"
        }
    ]
    }
    POLICY
  }

I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:

my vpc cidr block --> local
0.0.0.0/0 --> internet gw
com.amazonaws...dynamodb --> vpce-...

so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!

How can your VPC talk with DynamoDB directly?

A VPC endpoint for DynamoDB enables Amazon EC2 instances in your VPC to use their private IP addresses to access DynamoDB with no exposure to the public internet. Your EC2 instances do not require public IP addresses, and you don't need an internet gateway, a NAT device, or a virtual private gateway in your VPC.

Can DynamoDB be deployed in a VPC?

VPC Endpoints for DynamoDB enables Amazon EC2 instances in your VPC to access DynamoDB using their private IP addresses, without any exposure to the public Internet. This new DynamoDB feature ensures that traffic between your VPC and DynamoDB doesn't leave the Amazon network.

Instead of creating your own route table, you can just link the endpoint to your default VPC route table, which Terraform exposes via the VPC exported attribute main_route_table_id. You need to associate it to your endpoint like this:

  resource "aws_vpc_endpoint_route_table_association" "private-dynamodb" {
    vpc_endpoint_id = "${data.aws_vpc.default.id}"
    route_table_id  = "${data.aws_vpc.default.main_route_table_id}"
  }

how to configure a VPC endpoint to access DynamoDB with Terraform?

Tags:

amazon-web-services

vpc

terraform

routetable

gru

People also ask

1 Answers

Canjea

Recent Activity

Donate For Us

how to configure a VPC endpoint to access DynamoDB with Terraform?

Tags:

amazon-web-services

vpc

terraform

routetable

gru

People also ask

1 Answers

Canjea

Related questions

Recent Activity

Donate For Us