Reputation: 4569
I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.
I understand I should define an aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.
So far, this is what I've got. I'm not sure this is correct, and I've left a question mark in the route_table_ids configuration. For the record, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.
data "aws_vpc" "default" {
  default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
  vpc_id          = "${data.aws_vpc.default.id}"
  service_name    = "com.amazonaws.${var.region}.dynamodb"
  route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
  policy = <<POLICY
{
  "Statement": [
    {
      "Action": "*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
POLICY
}
I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:
So I assume I should replicate an equivalent configuration in my Terraform resource, but I really don't have a clue how to do it. Any help appreciated!
Upvotes: 8
Views: 6289
Reputation: 51
Instead of creating your own route table, you can just link the endpoint to your default VPC route table, which Terraform exposes via the VPC exported attribute main_route_table_id. You need to associate it to your endpoint like this:
resource "aws_vpc_endpoint_route_table_association" "private-dynamodb" {
  # The association takes the endpoint's id, not the VPC's id.
  vpc_endpoint_id = "${aws_vpc_endpoint.private-dynamodb.id}"
  route_table_id  = "${data.aws_vpc.default.main_route_table_id}"
}
Upvotes: 5
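The same association can be expressed inline on the endpoint itself, which also answers the question of what goes in route_table_ids. The following is an added example, not the poster's or answerer's code; it uses Terraform 0.12+ syntax and assumes a variable dynamodb_table_arn holding the ARN of the table the Lambda reads and writes. It also narrows the endpoint policy from the all-"*" statement in the question to the actions and table the function actually needs, so the endpoint only carries traffic to that table even if the function's IAM role is later over-granted.

```hcl
# Added example (not from the original post). Assumes Terraform 0.12+ and a
# variable `dynamodb_table_arn` supplied by the caller.
variable "region" {}
variable "dynamodb_table_arn" {}

data "aws_vpc" "default" {
  default = true
}

# A Gateway endpoint works by injecting a prefix-list route into each route
# table listed here. Only subnets that use one of these tables get a path to
# DynamoDB, so the Lambda's subnets must be covered. The main route table
# covers every subnet without an explicit association; if the Lambda's
# subnets use their own tables, list those ids here as well.
resource "aws_vpc_endpoint" "private_dynamodb" {
  vpc_id            = data.aws_vpc.default.id
  service_name      = "com.amazonaws.${var.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [data.aws_vpc.default.main_route_table_id]

  # Endpoint policy scoped to one table and the actions the function uses.
  # Principal "*" is normal for a gateway endpoint; the restriction comes
  # from Action and Resource. Adjust the action list to the function's needs.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "LambdaDynamoDBAccess"
      Effect    = "Allow"
      Principal = "*"
      Action = [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query",
      ]
      Resource = [var.dynamodb_table_arn]
    }]
  })
}
```

Because the endpoint policy and the function's IAM role are both evaluated, a request must be allowed by both; keeping the endpoint policy table-scoped is what stops the endpoint from becoming a general-purpose path to every DynamoDB table in the region.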