Terraform-provider-aws: AWS PrivateLink now supports Private DNS names for internal and 3rd party services

Created on 7 Jan 2020 · 7 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

You can now access AWS PrivateLink based services privately from within your VPC using Private DNS names.

New or Affected Resource(s)

Potential Terraform Configuration

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

References

Announcement.
User guide.

Requires AWS SDK v1.27.1:

Labels: enhancement, service/ec2

Most helpful comment

is there anyway to get this reviewed and merged in the next release?

All 7 comments

This feature would be a great boon for implementing SSL over private links.

I just tried this on the AWS console, and the process goes like this:

  • Assuming we have 2 VPCs, vpc1 and vpc2, where
    • vpc1 will contain the VPC endpoint service, and
    • vpc2 will contain the VPC interface endpoint

  1. In vpc1, enable private DNS name on the VPC endpoint service
    • when you create the VPC endpoint service, or
    • on an existing endpoint service
  2. Take the generated domain verification name and domain verification value and insert a new TXT record in your DNS server (e.g. Route 53)
  3. Wait for the domain to be verified
  4. In vpc2, create the VPC interface endpoint if not already created
    • In vpc1, if endpoint connection acceptance is set to manual, you cannot enable private DNS during creation
  5. In vpc1, if endpoint connection acceptance is set to manual, vpc1 must manually accept the interface endpoint connection
  6. In both VPCs, wait for the endpoint connection to connect completely
  7. If endpoint connection acceptance is manual, in vpc2, modify the VPC interface endpoint to enable private DNS name
    • this step only needs to be performed if endpoint connection acceptance is manual, and only after the endpoint connection is accepted
  8. Wait for the endpoint connection to connect completely after modification
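The console flow above, written as Terraform for the same two-VPC layout. This is an added example, not configuration from the issue, the PR, or the provider's documentation. It assumes a provider version in which `aws_vpc_endpoint_service` accepts a `private_dns_name` argument and exports a `private_dns_name_configuration` attribute (`name`, `type`, `value`, `state`), and it assumes the TXT record is published at `<verification name>.<zone name>` in the Route 53 zone that owns the domain; the zone name, NLB, VPC ids, subnet ids and CIDR are placeholders.

```hcl
# ---- vpc1: service provider side -------------------------------------------

# Hypothetical private zone that owns the domain used for the Private DNS name.
data "aws_route53_zone" "owned" {
  name = "example.internal." # placeholder domain
}

# Step 1: endpoint service with a Private DNS name. Consumers in vpc2 will
# resolve api.example.internal to their own interface endpoint ENIs, so the
# TLS certificate on the NLB targets can carry the real hostname.
resource "aws_vpc_endpoint_service" "api" {
  acceptance_required        = false # true would force the two-phase flow (steps 4, 5, 7)
  network_load_balancer_arns = [aws_lb.api.arn] # assumed to exist in vpc1
  private_dns_name           = "api.example.internal"
}

# Step 2: prove domain ownership with the verification record AWS generates.
# The record name/type/value come from the service, not from hand-typed values,
# so a re-created service automatically yields a fresh verification record.
resource "aws_route53_record" "verification" {
  zone_id = data.aws_route53_zone.owned.zone_id
  name    = "${aws_vpc_endpoint_service.api.private_dns_name_configuration[0].name}.${data.aws_route53_zone.owned.name}"
  type    = aws_vpc_endpoint_service.api.private_dns_name_configuration[0].type
  ttl     = 300
  records = [aws_vpc_endpoint_service.api.private_dns_name_configuration[0].value]
}

# Exposed so an operator (or a policy check) can confirm step 3 finished:
# the consumer endpoint will not get a working private name until this is "verified".
output "private_dns_verification_state" {
  value = aws_vpc_endpoint_service.api.private_dns_name_configuration[0].state
}

# ---- vpc2: consumer side ---------------------------------------------------

# Only the consumer VPC, only HTTPS: the endpoint ENIs should not be reachable
# on anything but the service port.
resource "aws_security_group" "consumer_endpoint" {
  name   = "privatelink-api-consumer"
  vpc_id = var.vpc2_id # placeholder

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc2_cidr] # placeholder
  }
}

# Step 4 (and, with automatic acceptance, step 7 in the same apply):
# interface endpoint with Private DNS turned on. AWS rejects private_dns_enabled
# until the verification record has been validated, hence the depends_on and
# the expectation of a second apply if step 3 is still pending.
resource "aws_vpc_endpoint" "api" {
  vpc_id              = var.vpc2_id
  service_name        = aws_vpc_endpoint_service.api.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.vpc2_subnet_ids # placeholder
  security_group_ids  = [aws_security_group.consumer_endpoint.id]
  private_dns_enabled = true

  depends_on = [aws_route53_record.verification]
}
```

If `acceptance_required` is set to `true`, the endpoint must be created with `private_dns_enabled = false`, the connection accepted on the provider side, and only then switched to `true` in a follow-up apply, which is exactly the ordering the steps above describe.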

@ewbankkit I think the affected resource is actually aws_vpc_endpoint_service, no? The aws_vpc_endpoint already has support for private DNS.

@mattsawyer77 Correct, there's a flag on the VPC Endpoint that determines whether or not Private DNS is enabled but the actual DNS name is specified on the VPC Endpoint Service.
I've updated above.
Thanks.

Have raised a PR for this as it's affecting us too!

How do we get a review for this PR?

Is there any way to get this reviewed and merged in the next release?

Want to 👍 this as well - though, it'd be good to get the attributes from the DNS entry so I can use them with another provider to actually set the DNS record. I did a bit of digging and I wasn't sure what the "right way" to expose those variables was - have done a few things w/ AWS API in golang, but not with terraform. It looks like the ServiceConfiguration struct references PrivateDnsNameConfiguration that has those values. Could I make some variables like private_dns_name_record_{name, type, value} that map to *ec2.PrivateDnsNameConfiguration.{Name,Type,Value} to get that change in?
