aws_vpc_endpoint
Provides a VPC Endpoint resource.
NOTE on VPC Endpoints and VPC Endpoint Associations: Terraform provides both standalone VPC Endpoint Associations for Route Tables (`aws_vpc_endpoint_route_table_association`, an association between a VPC endpoint and a single `route_table_id`) and Subnets (`aws_vpc_endpoint_subnet_association`, an association between a VPC endpoint and a single `subnet_id`), and a VPC Endpoint resource with `route_table_ids` and `subnet_ids` attributes. Do not use the same resource ID in both a VPC Endpoint resource and a VPC Endpoint Association resource. Doing so will cause a conflict of associations and will overwrite the association.
Example Usage
Basic usage:

```hcl
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = "${aws_vpc.main.id}"
  service_name = "com.amazonaws.us-west-2.s3"
}
```
Interface type usage:

```hcl
resource "aws_vpc_endpoint" "ec2" {
  vpc_id            = "${aws_vpc.main.id}"
  service_name      = "com.amazonaws.us-west-2.ec2"
  vpc_endpoint_type = "Interface"

  security_group_ids = [
    "${aws_security_group.sg1.id}",
  ]

  private_dns_enabled = true
}
```
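The interface example references a security group but does not show it. Since the security group is the only network control on an Interface endpoint's ENIs, the following added example (not part of the provider documentation) defines one that admits HTTPS only from the VPC's own address range and then attaches it to the endpoint. `aws_vpc.main`, `aws_subnet.private` and the resource names are assumptions.

```hcl
# Added example, not from the Terraform docs. aws_vpc.main and
# aws_subnet.private are assumed to exist elsewhere in the configuration.

# Only hosts inside this VPC may talk to the endpoint ENIs, and only on 443.
# Anything wider (0.0.0.0/0) would expose the endpoint to every peered VPC,
# VPN and Direct Connect network as well.
resource "aws_security_group" "ec2_endpoint" {
  name        = "ec2-interface-endpoint"
  description = "HTTPS to the EC2 API endpoint from inside the VPC only"
  vpc_id      = "${aws_vpc.main.id}"

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["${aws_vpc.main.cidr_block}"]
  }

  # No egress block: Terraform then removes the default allow-all egress rule.
  # The endpoint ENIs only answer requests, and security groups are stateful,
  # so responses still flow.
}

resource "aws_vpc_endpoint" "ec2" {
  vpc_id              = "${aws_vpc.main.id}"
  service_name        = "com.amazonaws.us-west-2.ec2"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["${aws_subnet.private.*.id}"]
  security_group_ids  = ["${aws_security_group.ec2_endpoint.id}"]
  private_dns_enabled = true
}
```

With `private_dns_enabled = true` the regional `ec2.us-west-2.amazonaws.com` name resolves to the endpoint's private addresses from inside the VPC, so clients need no configuration change; the security group above is what keeps that path from being reachable by anything outside the VPC CIDR.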
Custom Service Usage:

```hcl
resource "aws_vpc_endpoint" "ptfe_service" {
  vpc_id            = "${var.vpc_id}"
  service_name      = "${var.ptfe_service}"
  vpc_endpoint_type = "Interface"

  security_group_ids = [
    "${aws_security_group.ptfe_service.id}",
  ]

  subnet_ids          = ["${local.subnet_ids}"]
  private_dns_enabled = false
}

data "aws_route53_zone" "internal" {
  name         = "vpc.internal."
  private_zone = true
  vpc_id       = "${var.vpc_id}"
}

resource "aws_route53_record" "ptfe_service" {
  zone_id = "${data.aws_route53_zone.internal.zone_id}"
  name    = "ptfe.${data.aws_route53_zone.internal.name}"
  type    = "CNAME"
  ttl     = "300"
  records = ["${lookup(aws_vpc_endpoint.ptfe_service.dns_entry[0], "dns_name")}"]
}
```
NOTE: The `dns_entry` attribute is a list of maps. Terraform's interpolation language does not yet fully support lists of maps, so reading a value from it requires `[]` indexing to pick the element and `lookup()` to read a key, as in the example above.
Argument Reference
The following arguments are supported:

- `vpc_id` - (Required) The ID of the VPC in which the endpoint will be used.
- `vpc_endpoint_type` - (Optional) The VPC endpoint type, `Gateway` or `Interface`. Defaults to `Gateway`.
- `service_name` - (Required) The service name, in the form `com.amazonaws.region.service` for AWS services.
- `auto_accept` - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
- `policy` - (Optional) A policy to attach to the endpoint that controls access to the service. Applicable for endpoints of type `Gateway`. Defaults to full access. An endpoint policy only limits what can be reached through the endpoint; IAM and resource policies still apply to every request that passes it.
- `route_table_ids` - (Optional) One or more route table IDs. Applicable for endpoints of type `Gateway`.
- `subnet_ids` - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type `Interface`.
- `security_group_ids` - (Optional) The ID of one or more security groups to associate with the network interface. Required for endpoints of type `Interface`.
- `private_dns_enabled` - (Optional) Whether or not to associate a private hosted zone with the specified VPC, so that the service's default DNS name resolves to the endpoint's private IP addresses from inside the VPC. Applicable for endpoints of type `Interface`. Defaults to `false`.
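Because `policy` defaults to full access, a Gateway endpoint left at its default lets any instance in the attached route tables reach any S3 bucket, including buckets in other accounts. The following added example (not from the provider documentation) shows an S3 Gateway endpoint with an endpoint policy scoped to one bucket, and then uses the exported `prefix_list_id` to restrict instance egress to that endpoint only. `aws_vpc.main`, `aws_route_table.private`, `aws_security_group.app` and the bucket name `app-artifacts-example` are assumptions.

```hcl
# Added example, not from the Terraform docs. The VPC, route table, security
# group and bucket name are assumed to exist elsewhere in the configuration.

# Endpoint policy: any principal, but only the one bucket and only the actions
# the application needs. The endpoint policy does not grant anything on its
# own; the caller's IAM policy and the bucket policy are still evaluated.
data "aws_iam_policy_document" "s3_endpoint" {
  statement {
    sid    = "AllowOnlyAppArtifactsBucket"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:ListBucket",
    ]

    resources = [
      "arn:aws:s3:::app-artifacts-example",
      "arn:aws:s3:::app-artifacts-example/*",
    ]
  }
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = "${aws_vpc.main.id}"
  service_name      = "com.amazonaws.us-west-2.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = ["${aws_route_table.private.id}"]
  policy            = "${data.aws_iam_policy_document.s3_endpoint.json}"
}

# Egress from the application security group to S3 is allowed only via the
# endpoint's prefix list, so traffic cannot be steered to S3 over a NAT
# gateway or any other path that bypasses the endpoint policy above.
resource "aws_security_group_rule" "app_s3_egress" {
  type              = "egress"
  security_group_id = "${aws_security_group.app.id}"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = ["${aws_vpc_endpoint.s3.prefix_list_id}"]
}
```

Before tightening the policy on an existing VPC, check what else in the route tables depends on S3: Amazon Linux package repositories are served from S3 buckets in the same region, so a policy scoped to a single bucket will break `yum update` on instances that reach S3 only through this endpoint unless those repository buckets are added to `resources`.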
Attributes Reference
In addition to all arguments above, the following attributes are exported:

- `id` - The ID of the VPC endpoint.
- `state` - The state of the VPC endpoint.
- `prefix_list_id` - The prefix list ID of the exposed AWS service. Applicable for endpoints of type `Gateway`.
- `cidr_blocks` - The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type `Gateway`.
- `network_interface_ids` - One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type `Interface`.
- `dns_entry` - The DNS entries for the VPC Endpoint. Applicable for endpoints of type `Interface`. DNS blocks are documented below.

DNS blocks (for `dns_entry`) support the following attributes:

- `dns_name` - The DNS name.
- `hosted_zone_id` - The ID of the private hosted zone.
Import
VPC Endpoints can be imported using the VPC endpoint `id`, e.g.

```
$ terraform import aws_vpc_endpoint.endpoint1 vpce-3ecf2a57
```
© 2018 HashiCorp. Licensed under the MPL 2.0 License.
https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html