feat(vpc-endpoint-consumer): enhance security group configuration and update documentation

maxnovawind · maxnovawind · commit 9e57884b03fe · 2025-10-21T16:55:01.000+02:00
Signed-off-by: Ghislain Cheng &lt;ghislain.cheng@zama.ai&gt;
diff --git a/modules/vpc-endpoint-consumer/README.md b/modules/vpc-endpoint-consumer/README.md
@@ -158,7 +158,10 @@ No modules.
 | Name | Type |
 |------|------|
 | [aws_route53_record.partner_dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
+| [aws_security_group.vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_vpc_endpoint.party_interface_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_security_group_egress_rule.vpc_endpoint_default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_egress_rule) | resource |
+| [aws_vpc_security_group_ingress_rule.vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_security_group_ingress_rule) | resource |
 | [kubernetes_namespace.partner_namespace](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/namespace) | resource |
 | [kubernetes_service.party_services](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/service) | resource |
 | [null_resource.sync_s3_bucket](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
@@ -174,6 +177,7 @@ No modules.
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the EKS cluster to lookup VPC, subnet, and security group details (Mode 1). If provided, vpc\_id, subnet\_ids, and security\_group\_ids will be ignored. | `string` | `null` | no |
 | <a name="input_create_custom_dns_records"></a> [create\_custom\_dns\_records](#input\_create\_custom\_dns\_records) | Whether to create custom DNS records for the VPC interface endpoints | `bool` | `false` | no |
 | <a name="input_create_namespace"></a> [create\_namespace](#input\_create\_namespace) | Whether to create the namespace if it doesn't exist | `bool` | `false` | no |
+| <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Whether to create a security group for VPC endpoints with default ingress rules | `bool` | `false` | no |
 | <a name="input_default_mpc_ports"></a> [default\_mpc\_ports](#input\_default\_mpc\_ports) | Default port configurations for MPC services. These can be overridden per service in party\_services configuration. | <pre>object({<br/>    grpc = object({<br/>      name        = string<br/>      port        = number<br/>      target_port = number<br/>      protocol    = string<br/>    })<br/>    peer = object({<br/>      name        = string<br/>      port        = number<br/>      target_port = number<br/>      protocol    = string<br/>    })<br/>    metrics = object({<br/>      name        = string<br/>      port        = number<br/>      target_port = number<br/>      protocol    = string<br/>    })<br/>  })</pre> | <pre>{<br/>  "grpc": {<br/>    "name": "grpc",<br/>    "port": 50100,<br/>    "protocol": "TCP",<br/>    "target_port": 50100<br/>  },<br/>  "metrics": {<br/>    "name": "metrics",<br/>    "port": 9646,<br/>    "protocol": "TCP",<br/>    "target_port": 9646<br/>  },<br/>  "peer": {<br/>    "name": "peer",<br/>    "port": 50001,<br/>    "protocol": "TCP",<br/>    "target_port": 50001<br/>  }<br/>}</pre> | no |
 | <a name="input_dns_domain"></a> [dns\_domain](#input\_dns\_domain) | DNS domain for custom DNS records | `string` | `"mpc-partners.local"` | no |
 | <a name="input_enable_grpc_port"></a> [enable\_grpc\_port](#input\_enable\_grpc\_port) | Whether to enable and expose the gRPC port in the load balancer service | `bool` | `true` | no |
@@ -185,7 +189,11 @@ No modules.
 | <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | Whether to enable private DNS for the VPC interface endpoints | `bool` | `false` | no |
 | <a name="input_private_zone_id"></a> [private\_zone\_id](#input\_private\_zone\_id) | Route53 private hosted zone ID for custom DNS records | `string` | `""` | no |
 | <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | List of route table IDs to associate with the VPC interface endpoints | `list(string)` | `[]` | no |
-| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of security group IDs to associate with the VPC interface endpoints (Mode 2). Required if cluster\_name is not provided. | `list(string)` | `null` | no |
+| <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description for the security group | `string` | `"Security group for MPC VPC endpoint consumer"` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | List of security group IDs to associate with the VPC interface endpoints (Mode 2). Required if cluster\_name is not provided and create\_security\_group is false. | `list(string)` | `null` | no |
+| <a name="input_security_group_ingress_cidr_blocks"></a> [security\_group\_ingress\_cidr\_blocks](#input\_security\_group\_ingress\_cidr\_blocks) | CIDR blocks to allow ingress traffic from for MPC ports (when create\_security\_group is true) | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
+| <a name="input_security_group_ingress_source_sg_id"></a> [security\_group\_ingress\_source\_sg\_id](#input\_security\_group\_ingress\_source\_sg\_id) | Source security group ID to allow ingress traffic from for MPC ports (when create\_security\_group is true). If set, this takes precedence over cidr\_blocks. | `string` | `null` | no |
+| <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name of the security group to create (if create\_security\_group is true) | `string` | `"mpc-vpc-endpoint-consumer-sg"` | no |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs where the VPC interface endpoints will be created (Mode 2). Required if cluster\_name is not provided. | `list(string)` | `null` | no |
 | <a name="input_sync_public_bucket"></a> [sync\_public\_bucket](#input\_sync\_public\_bucket) | Sync public bucket between partners | <pre>object({<br/>    enabled        = optional(bool, true)<br/>    configmap_name = optional(string, "mpc-party")<br/>  })</pre> | <pre>{<br/>  "configmap_name": "mpc-party",<br/>  "enabled": true<br/>}</pre> | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to VPC interface endpoint resources | `map(string)` | `{}` | no |
@@ -203,6 +211,9 @@ No modules.
 | <a name="output_namespace_name"></a> [namespace\_name](#output\_namespace\_name) | Name of the namespace where partner services are deployed |
 | <a name="output_partner_connection_endpoints"></a> [partner\_connection\_endpoints](#output\_partner\_connection\_endpoints) | Connection endpoints for applications to use when connecting to partner services |
 | <a name="output_partner_service_details"></a> [partner\_service\_details](#output\_partner\_service\_details) | Detailed information about the partner services and their connections |
+| <a name="output_security_group_arn"></a> [security\_group\_arn](#output\_security\_group\_arn) | ARN of the created security group (if create\_security\_group is true) |
+| <a name="output_security_group_id"></a> [security\_group\_id](#output\_security\_group\_id) | ID of the created security group (if create\_security\_group is true) |
+| <a name="output_security_group_name"></a> [security\_group\_name](#output\_security\_group\_name) | Name of the created security group (if create\_security\_group is true) |
 | <a name="output_vpc_interface_endpoint_dns_names"></a> [vpc\_interface\_endpoint\_dns\_names](#output\_vpc\_interface\_endpoint\_dns\_names) | DNS names of the created VPC interface endpoints |
 | <a name="output_vpc_interface_endpoint_hosted_zone_ids"></a> [vpc\_interface\_endpoint\_hosted\_zone\_ids](#output\_vpc\_interface\_endpoint\_hosted\_zone\_ids) | Hosted zone IDs of the created VPC interface endpoints |
 | <a name="output_vpc_interface_endpoint_ids"></a> [vpc\_interface\_endpoint\_ids](#output\_vpc\_interface\_endpoint\_ids) | IDs of the created VPC interface endpoints |
diff --git a/modules/vpc-endpoint-consumer/main.tf b/modules/vpc-endpoint-consumer/main.tf
@@ -49,7 +49,7 @@ resource "aws_vpc_security_group_ingress_rule" "vpc_endpoint" {
   # Use source security group if provided, otherwise use CIDR blocks
   cidr_ipv4                    = var.security_group_ingress_source_sg_id == null ? var.security_group_ingress_cidr_blocks[0] : null
   referenced_security_group_id = var.security_group_ingress_source_sg_id
-  
+
   tags = merge(
     var.tags,
     {
@@ -85,7 +85,7 @@ locals {
     for subnet_id, subnet in data.aws_subnet.cluster_subnets : subnet_id
     if subnet.map_public_ip_on_launch == false
   ]
-  
+
   # Security group IDs logic:
   # 1. If create_security_group is true, use the created security group
   # 2. Otherwise, use provided security_group_ids if available
diff --git a/modules/vpc-endpoint-consumer/variables.tf b/modules/vpc-endpoint-consumer/variables.tf
@@ -26,7 +26,7 @@ variable "security_group_ids" {
 variable "create_security_group" {
   description = "Whether to create a security group for VPC endpoints with default ingress rules"
   type        = bool
-  default     = false
+  default     = true
 }
 
 variable "security_group_name" {
diff --git a/modules/vpc-endpoint-provider/README.md b/modules/vpc-endpoint-provider/README.md
@@ -47,6 +47,7 @@ No modules.
 | <a name="input_enable_grpc_port"></a> [enable\_grpc\_port](#input\_enable\_grpc\_port) | Whether to enable and expose the gRPC port in the load balancer service | `bool` | `true` | no |
 | <a name="input_enable_region_validation"></a> [enable\_region\_validation](#input\_enable\_region\_validation) | Whether to enable region validation | `bool` | `true` | no |
 | <a name="input_kubernetes_nlb_extra_labels"></a> [kubernetes\_nlb\_extra\_labels](#input\_kubernetes\_nlb\_extra\_labels) | Extra labels to add to the Kubernetes NLB | `map(string)` | `{}` | no |
+| <a name="input_lb_additional_labels_selector"></a> [lb\_additional\_labels\_selector](#input\_lb\_additional\_labels\_selector) | Additional labels to add to the Kubernetes service load balancer | `map(string)` | `null` | no |
 | <a name="input_mainnet_supported_regions"></a> [mainnet\_supported\_regions](#input\_mainnet\_supported\_regions) | AWS regions supported by the VPC endpoint service for mainnet | `list(string)` | <pre>[<br/>  "eu-west-1"<br/>]</pre> | no |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | Kubernetes namespace where MPC services will be deployed | `string` | `"kms-decentralized"` | no |
 | <a name="input_network_environment"></a> [network\_environment](#input\_network\_environment) | MPC network environment that determines region constraints | `string` | `"testnet"` | no |

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ variable "security_group_ids" {`
`26`	`26`	`variable "create_security_group" {`
`27`	`27`	`description = "Whether to create a security group for VPC endpoints with default ingress rules"`
`28`	`28`	`type = bool`
`29`		`- default = false`
	`29`	`+ default = true`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`variable "security_group_name" {`