how to configure a VPC endpoint to access DynamoDB with Terraform?











up vote
0
down vote

favorite












I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.



I understand I should define a aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.



so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the route_table_ids configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.



  data "aws_vpc" "default" {
default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
vpc_id = "${data.aws_vpc.default.id}"
service_name = "com.amazonaws.${var.region}.dynamodb"
route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
policy = <<POLICY
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
POLICY
}


I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:




  • my vpc cidr block --> local

  • 0.0.0.0/0 --> internet gw

  • com.amazonaws...dynamodb --> vpce-...


so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!










share|improve this question






















  • That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
    – AlexK
    Nov 12 at 14:00

















up vote
0
down vote

favorite












I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.



I understand I should define a aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.



so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the route_table_ids configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.



  data "aws_vpc" "default" {
default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
vpc_id = "${data.aws_vpc.default.id}"
service_name = "com.amazonaws.${var.region}.dynamodb"
route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
policy = <<POLICY
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
POLICY
}


I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:




  • my vpc cidr block --> local

  • 0.0.0.0/0 --> internet gw

  • com.amazonaws...dynamodb --> vpce-...


so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!










share|improve this question






















  • That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
    – AlexK
    Nov 12 at 14:00















up vote
0
down vote

favorite









up vote
0
down vote

favorite











I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.



I understand I should define a aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.



so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the route_table_ids configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.



  data "aws_vpc" "default" {
default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
vpc_id = "${data.aws_vpc.default.id}"
service_name = "com.amazonaws.${var.region}.dynamodb"
route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
policy = <<POLICY
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
POLICY
}


I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:




  • my vpc cidr block --> local

  • 0.0.0.0/0 --> internet gw

  • com.amazonaws...dynamodb --> vpce-...


so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!










share|improve this question













I have a Lambda function running in an AWS VPC. This Lambda needs to access both RDS and DynamoDB, so it needs a VPC endpoint configured to reach DynamoDB. I have managed to make it work using a manual configuration, as described on Amazon's blog here but I'm struggling to define the equivalent infrastructure as code using Terraform.



I understand I should define a aws_vpc_endpoint in Terraform (docs here), but I am a bit lost when it comes to configuring the routing table for it.



so far, this is what I've got, I'm not sure this is correct and I've left a question mark in the route_table_ids configuration. For the records, if I don't configure any routing table, the endpoint is created correctly, but the Lambda doesn't get access to DynamoDB.



  data "aws_vpc" "default" {
default = true
}

resource "aws_vpc_endpoint" "private-dynamodb" {
vpc_id = "${data.aws_vpc.default.id}"
service_name = "com.amazonaws.${var.region}.dynamodb"
route_table_ids = ["${WHAT_SHOULD_I_PUT_HERE?}"]
policy = <<POLICY
{
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Principal": "*"
}
]
}
POLICY
}


I also checked how the endpoint is created with a manual configuration, and I see it has an associated routing table with the following settings:




  • my vpc cidr block --> local

  • 0.0.0.0/0 --> internet gw

  • com.amazonaws...dynamodb --> vpce-...


so I assume I should replicate an equivalent configuration in my terraform resource, but really don't have a clue on how to do it. Any help appreciated!







amazon-web-services terraform vpc routetable






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 9 at 8:56









gru

4,18911518




4,18911518












  • That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
    – AlexK
    Nov 12 at 14:00




















  • That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
    – AlexK
    Nov 12 at 14:00


















That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
– AlexK
Nov 12 at 14:00






That's a common problem when it comes to using Terraform. AWS does a lot of stuff in the background and when you have to use Terraform you have to provide everything by yourself. As I don't see your entire config I cannot really help you out with code snippet, but what you can do is try to replicate all the changes in the route table using terraform.io/docs/providers/aws/r/route.html or even create an entirely new one so you don't mess something up. Once done, attach that to the list of ids like "${aws_route_table.name.id}"
– AlexK
Nov 12 at 14:00



















active

oldest

votes











Your Answer






StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "1"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














 

draft saved


draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53222544%2fhow-to-configure-a-vpc-endpoint-to-access-dynamodb-with-terraform%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown






























active

oldest

votes













active

oldest

votes









active

oldest

votes






active

oldest

votes
















 

draft saved


draft discarded



















































 


draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53222544%2fhow-to-configure-a-vpc-endpoint-to-access-dynamodb-with-terraform%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Guess what letter conforming each word

Port of Spain

Run scheduled task as local user group (not BUILTIN)