aws.ec2-vpc-endpoint resource

Description

VpcEndpoint is a private connection from a VPC to an AWS service or an endpoint service. The VPC, the service it targets, and the endpoint type are fixed when the endpoint is created, so a change to any of them replaces the endpoint; every other input is reconciled in place by a single ModifyVpcEndpoint call. Every input listed here is passed to CreateVpcEndpoint. After creation the endpoint moves through the pending state to available -- or to pending-acceptance for a service whose owner must accept the connection, which is also a settled state -- before its DNS entries, network interfaces, and prefix list are populated, so Create waits for a settled state and then reads the endpoint back to return those values.

vpc-endpoint-type is one of Gateway (the server-side default), Interface, or GatewayLoadBalancer. ip-address-type is one of ipv4, dualstack, or ipv6. The route-table-ids, security-group-ids, and subnet-ids lists are reconciled as set differences against the prior apply, sending only the ids that were added or removed. policy is the endpoint access policy exactly as authored; removing it on a later apply resets the endpoint to the default full-access policy. private-dns-enabled associates a private hosted zone with an interface endpoint and is reconciled in place rather than forcing a replacement.
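The reconciliation rules above, as an added Go example that is not the resource's own code: identity fields (vpc-id, service-name, vpc-endpoint-type with the Gateway default applied) force a replacement, the three id lists are diffed as sets into add/remove lists, and a removed policy becomes a reset rather than an empty document. EndpointSpec and ModifyRequest are local types constructed for the example; the ModifyRequest field names follow the EC2 ModifyVpcEndpoint API but this is not the SDK type, and the ids in main are placeholders.

```go
package main

import (
	"fmt"
	"sort"
)

// EndpointSpec is the subset of aws.ec2-vpc-endpoint inputs that drive
// reconciliation. Constructed for this example, not the resource's own type.
type EndpointSpec struct {
	VpcID            string
	ServiceName      string
	EndpointType     string // "" means the server-side default, Gateway
	RouteTableIDs    []string
	SecurityGroupIDs []string
	SubnetIDs        []string
	Policy           string // "" means no policy authored
}

// ModifyRequest mirrors the add/remove field shape of EC2 ModifyVpcEndpoint.
// Local illustration struct, not the AWS SDK type.
type ModifyRequest struct {
	AddRouteTableIds, RemoveRouteTableIds       []string
	AddSubnetIds, RemoveSubnetIds               []string
	AddSecurityGroupIds, RemoveSecurityGroupIds []string
	PolicyDocument                              string
	ResetPolicy                                 bool
}

// Plan is the outcome of comparing the prior apply with the desired spec.
type Plan struct {
	Replace bool   // true when an identity field changed
	Reason  string // which identity field forced the replacement
	Modify  ModifyRequest
}

// effectiveType applies the server-side default so "" and "Gateway" compare equal.
func effectiveType(t string) string {
	if t == "" {
		return "Gateway"
	}
	return t
}

// setDiff treats both id lists as sets: ids only in want are added, ids only
// in have are removed. Order and duplicates are ignored; output is sorted so
// the resulting request is deterministic between runs.
func setDiff(have, want []string) (added, removed []string) {
	hs := make(map[string]bool, len(have))
	for _, id := range have {
		hs[id] = true
	}
	ws := make(map[string]bool, len(want))
	for _, id := range want {
		ws[id] = true
	}
	for id := range ws {
		if !hs[id] {
			added = append(added, id)
		}
	}
	for id := range hs {
		if !ws[id] {
			removed = append(removed, id)
		}
	}
	sort.Strings(added)
	sort.Strings(removed)
	return added, removed
}

// ReconcilePlan decides between a replacement and a single in-place modify.
func ReconcilePlan(prior, want EndpointSpec) Plan {
	switch {
	case prior.VpcID != want.VpcID:
		return Plan{Replace: true, Reason: "vpc-id changed"}
	case prior.ServiceName != want.ServiceName:
		return Plan{Replace: true, Reason: "service-name changed"}
	case effectiveType(prior.EndpointType) != effectiveType(want.EndpointType):
		return Plan{Replace: true, Reason: "vpc-endpoint-type changed"}
	}
	var m ModifyRequest
	m.AddRouteTableIds, m.RemoveRouteTableIds = setDiff(prior.RouteTableIDs, want.RouteTableIDs)
	m.AddSubnetIds, m.RemoveSubnetIds = setDiff(prior.SubnetIDs, want.SubnetIDs)
	m.AddSecurityGroupIds, m.RemoveSecurityGroupIds = setDiff(prior.SecurityGroupIDs, want.SecurityGroupIDs)
	switch {
	case want.Policy != "" && want.Policy != prior.Policy:
		m.PolicyDocument = want.Policy // send the authored policy as-is
	case want.Policy == "" && prior.Policy != "":
		m.ResetPolicy = true // policy removed: back to the default full-access policy
	}
	return Plan{Modify: m}
}

func main() {
	// Placeholder ids constructed for the example; not real resources.
	prior := EndpointSpec{VpcID: "vpc-0example", ServiceName: "com.amazonaws.us-east-1.s3",
		RouteTableIDs: []string{"rtb-aaa", "rtb-bbb"}, Policy: `{"Statement":[]}`}
	want := prior
	want.RouteTableIDs = []string{"rtb-bbb", "rtb-ccc"}
	want.Policy = "" // drop the authored policy
	p := ReconcilePlan(prior, want)
	fmt.Printf("replace=%v add=%v remove=%v reset=%v\n",
		p.Replace, p.Modify.AddRouteTableIds, p.Modify.RemoveRouteTableIds, p.Modify.ResetPolicy)
}
```

Two points worth noting from the run: an unchanged spec yields a modify request with empty lists and no policy fields, so a caller can skip the API call entirely, and setting vpc-endpoint-type to Gateway explicitly on a later apply does not replace an endpoint created with the default, because the comparison is made on the effective type.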

Source: internal/service/ec2/vpc_endpoint_rsrc.go:38

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.ec2-vpc-endpoint {
    # Set input fields here.
  }
}

Inputs

vpc-id

string

required

service-name

string

required

vpc-endpoint-type

optional(string)

private-dns-enabled

optional(boolean)

ip-address-type

optional(string)

policy

optional(string)

route-table-ids

list(string)

security-group-ids

list(string)

subnet-ids

list(string)

dns-options

optional(object)
optional(
  object({
    dns-record-ip-type: optional(string)
    private-dns-only-for-inbound-resolver-endpoint: optional(boolean)
  })
)

tags

map(string)

Input Constraints

Vpc endpoint type rules

vpc-endpoint-type must be Gateway, Interface, or GatewayLoadBalancer.

Rule logic
When
input.vpc-endpoint-type != null
Require
input.vpc-endpoint-type == 'Gateway'
|| input.vpc-endpoint-type == 'Interface'
|| input.vpc-endpoint-type == 'GatewayLoadBalancer'

Ip address type rules

ip-address-type must be ipv4, dualstack, or ipv6.

Rule logic
When
input.ip-address-type != null
Require
input.ip-address-type == 'ipv4'
|| input.ip-address-type == 'dualstack'
|| input.ip-address-type == 'ipv6'

Dns options rules

dns-options dns-record-ip-type must be ipv4, dualstack, ipv6, or service-defined.

Rule logic
When
input.dns-options.dns-record-ip-type != null
Require
input.dns-options.dns-record-ip-type == 'ipv4'
|| input.dns-options.dns-record-ip-type == 'dualstack'
|| input.dns-options.dns-record-ip-type == 'ipv6'
|| input.dns-options.dns-record-ip-type == 'service-defined'

Outputs

vpc-endpoint-id

string

state

string

owner-id

string

dns-entries

list(object)
list(
  object({
    dns-name: string
    hosted-zone-id: string
  })
)

network-interface-ids

list(string)

prefix-list-id

string

cidr-blocks

list(string)

policy

string