How do I retrieve multiple vpc endpoints?

Time:06-02

ERROR: no matching VPC Endpoint found (error referring to data code block)

I am trying to retrieve multiple endpoints from the data "aws_vpc_endpoint" resource. I created locals to retrieve the service name for multiple endpoints that share the first few characters. After those characters, each endpoint has unique characters that identify it individually.

I want the data resource to loop through the data and retrieve each endpoint that shares those few characters, then grab each endpoint id for "aws_route". FYI: the endpoints are being created from resource "aws_networkfirewall_firewall". The main things to look at in this code snippet are locals, data, and the last line of resource "aws_route". How can I express in locals that the service_name does not end there and that the rest of the string is unique to the endpoint, without hard coding each service_name?

locals {
  endpoints = {
    service_name = "com.amazonaws.vpce.us-east-1.vpce-svc-"
  }
}

data "aws_vpc_endpoint" "firewall-endpoints" {
  for_each = local.endpoints
  vpc_id   = aws_vpc.vpc.id

  service_name = each.value

  #filter {
  #  name = "tag:AWSNetworkFirewallManaged"
  #  values = [true]
  #}
}

resource "aws_route" "tgw_route" {
  count                  = var.number_azs
  route_table_id         = aws_route_table.tgw_rt[count.index].id
  destination_cidr_block = var.tgw_aws_route[0]
  vpc_endpoint_id        = data.aws_vpc_endpoint.firewall-endpoints["service_name"].id
}

CodePudding user response:

I can't test this, but I think what you want to do is something like this:

resource "aws_route" "tgw_route" {
  for_each = aws_networkfirewall_firewall.firewall_status.sync_states

  route_table_id         = aws_route_table.tgw_rt[???].id
  destination_cidr_block = var.tgw_aws_route[0]
  vpc_endpoint_id        = each.value.attachment.endpoint_id
}

I'm not clear on the structure of the firewall_status output, so that may need to change slightly. The main question is how to get the appropriate route table ID per subnet. Can you access the outputs of the tgw_rt module in some way other than by index? Unfortunately, I have no experience with setting up an AWS firewall, just with Terraform, so I don't know how to solve this part of the puzzle.
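An added example, not code from the question or the answer, that carries the answer's idea through: the firewall resource already reports its endpoint IDs in `firewall_status`, so no `aws_vpc_endpoint` data source or service-name guessing is needed, and keying both the endpoints and the route tables by Availability Zone removes the index lookup. It assumes a firewall resource named `aws_networkfirewall_firewall.main` and that `aws_route_table.tgw_rt` is created with `for_each` over a set of AZ names (both hypothetical); `var.tgw_aws_route[0]` is the CIDR from the question.

```hcl
# Added example (not from the question or the answer). Assumptions:
#   - the firewall resource is aws_networkfirewall_firewall.main (hypothetical name)
#   - aws_route_table.tgw_rt uses for_each over a set of AZ names, so instances are
#     addressed by AZ, e.g. aws_route_table.tgw_rt["us-east-1a"]
#   - var.tgw_aws_route[0] is the destination CIDR to send through the firewall

locals {
  # Map of Availability Zone => firewall endpoint ID, read from the firewall's own
  # status. In the AWS provider schema firewall_status is a one-element list,
  # sync_states is a set with one entry per subnet_mapping, and attachment is a
  # one-element list holding endpoint_id and subnet_id.
  firewall_endpoints = {
    for state in aws_networkfirewall_firewall.main.firewall_status[0].sync_states :
    state.availability_zone => state.attachment[0].endpoint_id
  }
}

resource "aws_route" "tgw_route" {
  # One inspection route per TGW route table, addressed by AZ instead of count index.
  for_each = aws_route_table.tgw_rt

  route_table_id         = each.value.id
  destination_cidr_block = var.tgw_aws_route[0]
  # Pick the endpoint in the same AZ as the route table so traffic stays zonal
  # and every AZ's traffic actually passes through the firewall.
  vpc_endpoint_id        = local.firewall_endpoints[each.key]

  lifecycle {
    # Fail with a clear message if an AZ has a route table but no firewall
    # endpoint; otherwise that AZ would silently be left without an inspection route.
    precondition {
      condition     = contains(keys(local.firewall_endpoints), each.key)
      error_message = "A TGW route table exists in an AZ that has no Network Firewall endpoint; add that AZ's subnet to the firewall's subnet_mapping."
    }
  }
}
```

On the first apply `firewall_status` is only known after the firewall is created, so Terraform defers the precondition to apply time; the `for_each` itself stays plannable because it iterates the route tables, not the firewall output.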
