I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.
I understand I should define an `aws_vpc_endpoint` in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.
So far, this is what I've got. I'm not sure this is correct, and I've left a question mark in the `route_table_ids` configuration. For the record, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.
```hcl
data "aws_vpc" "default" {
  default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
  vpc_id       = "${data.aws_vpc.default.id}"
  service_name = "com.amazonaws.${var.region}.dynamodb"
  # This is the part I don't know how to fill in.
  route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]

  # Endpoint policy: allows any principal any DynamoDB action through the endpoint.
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
POLICY
}
```
I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:
- my VPC CIDR block --> local
- 0.0.0.0/0 --> internet gw
- com.amazonaws...dynamodb --> vpce-...
So I assume I should replicate an equivalent configuration in my Terraform resource, but I really don't have a clue how to do it. Any help appreciated!
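One way to fill in `route_table_ids`, as an added example that is not part of the question above and not the asker's code. The missing piece is that a DynamoDB endpoint is a gateway endpoint, and the `com.amazonaws.<region>.dynamodb --> vpce-...` route seen in the console is injected into every route table you associate with it, so the ids to pass are the route tables of the subnets the Lambda's ENIs sit in. The example resolves those tables from the Lambda's subnet ids with the `aws_route_table` data source and also narrows the wide-open endpoint policy to the Lambda's execution role and the operations it needs. It uses Terraform 0.12+ syntax (the question uses 0.11-style interpolation), and the variables `lambda_subnet_ids`, `lambda_role_arn`, and `table_name` are assumptions for illustration:

```hcl
# Added example (Terraform >= 0.12, AWS provider 3.x+). The variables below are
# assumed inputs for illustration; the table name and role ARN are placeholders.
variable "region" {
  description = "Region of the VPC and the DynamoDB table, e.g. eu-west-1"
}

variable "lambda_subnet_ids" {
  type        = list(string)
  description = "Subnets passed to the Lambda's vpc_config (assumed input)"
}

variable "lambda_role_arn" {
  description = "Execution role of the Lambda, e.g. arn:aws:iam::123456789012:role/EXAMPLE (placeholder)"
}

variable "table_name" {
  description = "DynamoDB table the Lambda reads and writes (placeholder)"
}

data "aws_vpc" "default" {
  default = true
}

data "aws_caller_identity" "current" {}

# Resolve the route table each Lambda subnet is associated with. A subnet with
# no explicit association reports the VPC's main route table, which is the
# common case in a default VPC.
data "aws_route_table" "lambda" {
  for_each  = toset(var.lambda_subnet_ids)
  subnet_id = each.value
}

locals {
  # Several subnets usually share one table; the endpoint wants each id once.
  lambda_route_table_ids = distinct([for rt in data.aws_route_table.lambda : rt.id])
}

# Endpoint policy: gateway endpoints keep Principal = "*", so the restriction to
# the Lambda's role is expressed through the aws:PrincipalArn condition key.
# Actions and the resource ARN are narrowed to what this function actually uses.
data "aws_iam_policy_document" "dynamodb_endpoint" {
  statement {
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "dynamodb:GetItem",
      "dynamodb:PutItem",
      "dynamodb:Query",
    ]

    resources = [
      "arn:aws:dynamodb:${var.region}:${data.aws_caller_identity.current.account_id}:table/${var.table_name}",
    ]

    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = [var.lambda_role_arn]
    }
  }
}

resource "aws_vpc_endpoint" "private_dynamodb" {
  vpc_id            = data.aws_vpc.default.id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"

  # Associating these tables is what adds the prefix-list route
  # (pl-xxxx --> vpce-xxxx) that sends DynamoDB traffic to the endpoint.
  route_table_ids = local.lambda_route_table_ids

  policy = data.aws_iam_policy_document.dynamodb_endpoint.json
}

# Handy for checking the route that should appear in each associated table.
output "dynamodb_prefix_list_id" {
  value = aws_vpc_endpoint.private_dynamodb.prefix_list_id
}
```

After `terraform apply`, each table in `lambda_route_table_ids` should show a route whose destination is the emitted prefix list id and whose target is the endpoint id; if the Lambda still cannot reach DynamoDB, compare the subnets in its `vpc_config` with `lambda_subnet_ids`, since only traffic from subnets on an associated table is routed through the endpoint. The narrowed policy is a defence-in-depth layer on top of the role's own IAM permissions, not a replacement for them: the request has to be allowed by both.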