feat: Added support for more VPC endpoints (#369)

1e030af6 · Ilia Lazebnik · GitHub · 86adc424 · 1e030af6 · 1e030af6
Commit 1e030af6 authored May 25, 2020 by Ilia Lazebnik Committed by GitHub May 25, 2020
Show whitespace changes
Inline Side-by-side

Showing with 895 additions and 2 deletions

README.md README.md +94 -1

outputs.tf outputs.tf +195 -1

variables.tf variables.tf +307 -0

vpc-endpoints.tf vpc-endpoints.tf +299 -0

No files found.
--- a/README.md
+++ b/README.md
@@ -24,7 +24,9 @@ ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs,
 Elastic Load Balancing, CloudTrail, Secrets Manager, Config, CodeBuild, CodeCommit, 
 Git-Codecommit, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API), 
 CloudFormation, CodePipeline, Storage Gateway, AppMesh, Transfer, Service Catalog, AppStream,
-Athena, Rekognition, Elastic File System (EFS), Cloud Directory
+Athena, Rekognition, Elastic File System (EFS), Cloud Directory, Elastic Beanstalk (+ Health), Elastic Map Reduce(EMR),
+DataSync, EBS, SMS, Elastic Inference Runtime, QLDB Session, Step Functions, Access Analyzer, Auto Scaling Plans,
+Application Auto Scaling, Workspaces, ACM PCA. 

 * [RDS DB Subnet Group](https://www.terraform.io/docs/providers/aws/r/db_subnet_group.html)
 * [ElastiCache Subnet Group](https://www.terraform.io/docs/providers/aws/r/elasticache_subnet_group.html)
@@ -235,6 +237,12 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway

 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| access\_analyzer\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint | `bool` | `false` | no |
+| access\_analyzer\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint | `list(string)` | `[]` | no |
+| access\_analyzer\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
+| acm\_pca\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no |
+| acm\_pca\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list` | `[]` | no |
+| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list` | `[]` | no |
 | amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
 | apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no |
 | apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW  endpoint | `list(string)` | `[]` | no |
@@ -249,6 +257,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | athena\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | `bool` | `false` | no |
 | athena\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Athena endpoint | `list(string)` | `[]` | no |
 | athena\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| auto\_scaling\_plans\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint | `bool` | `false` | no |
+| auto\_scaling\_plans\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint | `list(string)` | `[]` | no |
+| auto\_scaling\_plans\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | azs | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
 | cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no |
 | cloud\_directory\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint | `bool` | `false` | no |
@@ -296,6 +307,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | database\_subnet\_suffix | Suffix to append to database subnets name | `string` | `"db"` | no |
 | database\_subnet\_tags | Additional tags for the database subnets | `map(string)` | `{}` | no |
 | database\_subnets | A list of database subnets | `list(string)` | `[]` | no |
+| datasync\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Data Sync endpoint | `bool` | `false` | no |
+| datasync\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Data Sync endpoint | `list(string)` | `[]` | no |
+| datasync\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Data Sync endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br>  {<br>    "action": "allow",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_no": 100,<br>    "to_port": 0<br>  },<br>  {<br>    "action": "allow",<br>    "from_port": 0,<br>    "ipv6_cidr_block": "::/0",<br>    "protocol": "-1",<br>    "rule_no": 101,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br>  {<br>    "action": "allow",<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_no": 100,<br>    "to_port": 0<br>  },<br>  {<br>    "action": "allow",<br>    "from_port": 0,<br>    "ipv6_cidr_block": "::/0",<br>    "protocol": "-1",<br>    "rule_no": 101,<br>    "to_port": 0<br>  }<br>]</pre> | no |
 | default\_network\_acl\_name | Name to be used on the Default Network ACL | `string` | `""` | no |
@@ -311,6 +325,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | dhcp\_options\_netbios\_node\_type | Specify netbios node\_type for DHCP options set (requires enable\_dhcp\_options set to true) | `string` | `""` | no |
 | dhcp\_options\_ntp\_servers | Specify a list of NTP servers for DHCP options set (requires enable\_dhcp\_options set to true) | `list(string)` | `[]` | no |
 | dhcp\_options\_tags | Additional tags for the DHCP option set (requires enable\_dhcp\_options set to true) | `map(string)` | `{}` | no |
+| ebs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no |
+| ebs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no |
+| ebs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | ec2\_autoscaling\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint | `bool` | `false` | no |
 | ec2\_autoscaling\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 Autoscaling endpoint | `list(string)` | `[]` | no |
 | ec2\_autoscaling\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 Autoscaling endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -338,6 +355,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | efs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint | `bool` | `false` | no |
 | efs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EFS endpoint | `list(string)` | `[]` | no |
 | efs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
+| elastic\_inference\_runtime\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Inference Runtime endpoint | `bool` | `false` | no |
+| elastic\_inference\_runtime\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Inference Runtime endpoint | `list(string)` | `[]` | no |
+| elastic\_inference\_runtime\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | `map(string)` | `{}` | no |
 | elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | `bool` | `false` | no |
 | elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
@@ -348,13 +368,25 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
 | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
 | elasticache\_subnets | A list of elasticache subnets | `list(string)` | `[]` | no |
+| elasticbeanstalk\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint | `bool` | `false` | no |
+| elasticbeanstalk\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint | `list(string)` | `[]` | no |
+| elasticbeanstalk\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| elasticbeanstalk\_health\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint | `bool` | `false` | no |
+| elasticbeanstalk\_health\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint | `list(string)` | `[]` | no |
+| elasticbeanstalk\_health\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | `bool` | `false` | no |
 | elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | `list(string)` | `[]` | no |
 | elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| emr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint | `bool` | `false` | no |
+| emr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EMR endpoint | `list(string)` | `[]` | no |
+| emr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
+| enable\_access\_analyzer\_endpoint | Should be true if you want to provision an Access Analyzer endpoint to the VPC | `bool` | `false` | no |
+| enable\_acm\_pca\_endpoint | Should be true if you want to provision an ACM PCA endpoint to the VPC | `bool` | `false` | no |
 | enable\_apigw\_endpoint | Should be true if you want to provision an api gateway endpoint to the VPC | `bool` | `false` | no |
 | enable\_appmesh\_envoy\_management\_endpoint | Should be true if you want to provision a AppMesh endpoint to the VPC | `bool` | `false` | no |
 | enable\_appstream\_endpoint | Should be true if you want to provision a AppStream endpoint to the VPC | `bool` | `false` | no |
 | enable\_athena\_endpoint | Should be true if you want to provision a Athena endpoint to the VPC | `bool` | `false` | no |
+| enable\_auto\_scaling\_plans\_endpoint | Should be true if you want to provision an Auto Scaling Plans endpoint to the VPC | `bool` | `false` | no |
 | enable\_classiclink | Should be true to enable ClassicLink for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
 | enable\_classiclink\_dns\_support | Should be true to enable ClassicLink DNS Support for the VPC. Only valid in regions and accounts that support EC2 Classic. | `bool` | `null` | no |
 | enable\_cloud\_directory\_endpoint | Should be true if you want to provision an Cloud Directory endpoint to the VPC | `bool` | `false` | no |
@@ -364,10 +396,12 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_codecommit\_endpoint | Should be true if you want to provision an Codecommit endpoint to the VPC | `bool` | `false` | no |
 | enable\_codepipeline\_endpoint | Should be true if you want to provision a CodePipeline endpoint to the VPC | `bool` | `false` | no |
 | enable\_config\_endpoint | Should be true if you want to provision an config endpoint to the VPC | `bool` | `false` | no |
+| enable\_datasync\_endpoint | Should be true if you want to provision an Data Sync endpoint to the VPC | `bool` | `false` | no |
 | enable\_dhcp\_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
 | enable\_dns\_hostnames | Should be true to enable DNS hostnames in the VPC | `bool` | `false` | no |
 | enable\_dns\_support | Should be true to enable DNS support in the VPC | `bool` | `true` | no |
 | enable\_dynamodb\_endpoint | Should be true if you want to provision a DynamoDB endpoint to the VPC | `bool` | `false` | no |
+| enable\_ebs\_endpoint | Should be true if you want to provision an EBS endpoint to the VPC | `bool` | `false` | no |
 | enable\_ec2\_autoscaling\_endpoint | Should be true if you want to provision an EC2 Autoscaling endpoint to the VPC | `bool` | `false` | no |
 | enable\_ec2\_endpoint | Should be true if you want to provision an EC2 endpoint to the VPC | `bool` | `false` | no |
 | enable\_ec2messages\_endpoint | Should be true if you want to provision an EC2MESSAGES endpoint to the VPC | `bool` | `false` | no |
@@ -377,7 +411,11 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_ecs\_endpoint | Should be true if you want to provision a ECS endpoint to the VPC | `bool` | `false` | no |
 | enable\_ecs\_telemetry\_endpoint | Should be true if you want to provision a ECS Telemetry endpoint to the VPC | `bool` | `false` | no |
 | enable\_efs\_endpoint | Should be true if you want to provision an EFS endpoint to the VPC | `bool` | `false` | no |
+| enable\_elastic\_inference\_runtime\_endpoint | Should be true if you want to provision an Elastic Inference Runtime endpoint to the VPC | `bool` | `false` | no |
+| enable\_elasticbeanstalk\_endpoint | Should be true if you want to provision a Elastic Beanstalk endpoint to the VPC | `bool` | `false` | no |
+| enable\_elasticbeanstalk\_health\_endpoint | Should be true if you want to provision a Elastic Beanstalk Health endpoint to the VPC | `bool` | `false` | no |
 | enable\_elasticloadbalancing\_endpoint | Should be true if you want to provision a Elastic Load Balancing endpoint to the VPC | `bool` | `false` | no |
+| enable\_emr\_endpoint | Should be true if you want to provision an EMR endpoint to the VPC | `bool` | `false` | no |
 | enable\_events\_endpoint | Should be true if you want to provision a CloudWatch Events endpoint to the VPC | `bool` | `false` | no |
 | enable\_flow\_log | Whether or not to enable VPC Flow Logs | `bool` | `false` | no |
 | enable\_git\_codecommit\_endpoint | Should be true if you want to provision an Git Codecommit endpoint to the VPC | `bool` | `false` | no |
@@ -390,6 +428,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_monitoring\_endpoint | Should be true if you want to provision a CloudWatch Monitoring endpoint to the VPC | `bool` | `false` | no |
 | enable\_nat\_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | `bool` | `false` | no |
 | enable\_public\_redshift | Controls if redshift should have public routing table | `bool` | `false` | no |
+| enable\_qldb\_session\_endpoint | Should be true if you want to provision an QLDB Session endpoint to the VPC | `bool` | `false` | no |
 | enable\_rekognition\_endpoint | Should be true if you want to provision a Rekognition endpoint to the VPC | `bool` | `false` | no |
 | enable\_s3\_endpoint | Should be true if you want to provision an S3 endpoint to the VPC | `bool` | `false` | no |
 | enable\_sagemaker\_api\_endpoint | Should be true if you want to provision a SageMaker API endpoint to the VPC | `bool` | `false` | no |
@@ -398,15 +437,18 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | enable\_secretsmanager\_endpoint | Should be true if you want to provision an Secrets Manager endpoint to the VPC | `bool` | `false` | no |
 | enable\_servicecatalog\_endpoint | Should be true if you want to provision a Service Catalog endpoint to the VPC | `bool` | `false` | no |
 | enable\_ses\_endpoint | Should be true if you want to provision an SES endpoint to the VPC | `bool` | `false` | no |
+| enable\_sms\_endpoint | Should be true if you want to provision an SMS endpoint to the VPC | `bool` | `false` | no |
 | enable\_sns\_endpoint | Should be true if you want to provision a SNS endpoint to the VPC | `bool` | `false` | no |
 | enable\_sqs\_endpoint | Should be true if you want to provision an SQS endpoint to the VPC | `bool` | `false` | no |
 | enable\_ssm\_endpoint | Should be true if you want to provision an SSM endpoint to the VPC | `bool` | `false` | no |
 | enable\_ssmmessages\_endpoint | Should be true if you want to provision a SSMMESSAGES endpoint to the VPC | `bool` | `false` | no |
+| enable\_states\_endpoint | Should be true if you want to provision a Step Function endpoint to the VPC | `bool` | `false` | no |
 | enable\_storagegateway\_endpoint | Should be true if you want to provision a Storage Gateway endpoint to the VPC | `bool` | `false` | no |
 | enable\_sts\_endpoint | Should be true if you want to provision a STS endpoint to the VPC | `bool` | `false` | no |
 | enable\_transfer\_endpoint | Should be true if you want to provision a Transfer endpoint to the VPC | `bool` | `false` | no |
 | enable\_transferserver\_endpoint | Should be true if you want to provision a Transfer Server endpoint to the VPC | `bool` | `false` | no |
 | enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no |
+| enable\_workspaces\_endpoint | Should be true if you want to provision an Workspaces endpoint to the VPC | `bool` | `false` | no |
 | events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | `bool` | `false` | no |
 | events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | `list(string)` | `[]` | no |
 | events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -482,6 +524,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | public\_subnet\_suffix | Suffix to append to public subnets name | `string` | `"public"` | no |
 | public\_subnet\_tags | Additional tags for the public subnets | `map(string)` | `{}` | no |
 | public\_subnets | A list of public subnets inside the VPC | `list(string)` | `[]` | no |
+| qldb\_session\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint | `bool` | `false` | no |
+| qldb\_session\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for QLDB Session endpoint | `list(string)` | `[]` | no |
+| qldb\_session\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no |
 | redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | `bool` | `false` | no |
 | redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | `list(map(string))` | <pre>[<br>  {<br>    "cidr_block": "0.0.0.0/0",<br>    "from_port": 0,<br>    "protocol": "-1",<br>    "rule_action": "allow",<br>    "rule_number": 100,<br>    "to_port": 0<br>  }<br>]</pre> | no |
@@ -518,6 +563,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | ses\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SES endpoint | `list(string)` | `[]` | no |
 | ses\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | single\_nat\_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |
+| sms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint | `bool` | `false` | no |
+| sms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SMS endpoint | `list(string)` | `[]` | no |
+| sms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
 | sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | `bool` | `false` | no |
 | sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | `list(string)` | `[]` | no |
 | sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -530,6 +578,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | `bool` | `false` | no |
 | ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | `list(string)` | `[]` | no |
 | ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| states\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint | `bool` | `false` | no |
+| states\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Step Function endpoint | `list(string)` | `[]` | no |
+| states\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | storagegateway\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint | `bool` | `false` | no |
 | storagegateway\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint | `list(string)` | `[]` | no |
 | storagegateway\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -549,6 +600,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpn\_gateway\_az | The Availability Zone for the VPN Gateway | `string` | `null` | no |
 | vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | `string` | `""` | no |
 | vpn\_gateway\_tags | Additional tags for the VPN gateway | `map(string)` | `{}` | no |
+| workspaces\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint | `bool` | `false` | no |
+| workspaces\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Workspaces endpoint | `list(string)` | `[]` | no |
+| workspaces\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |

 ## Outputs

@@ -634,6 +688,12 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_cidr\_block | The CIDR block of the VPC |
 | vpc\_enable\_dns\_hostnames | Whether or not the VPC has DNS hostname support |
 | vpc\_enable\_dns\_support | Whether or not the VPC has DNS support |
+| vpc\_endpoint\_access\_analyzer\_dns\_entry | The DNS entries for the VPC Endpoint for Access Analyzer. |
+| vpc\_endpoint\_access\_analyzer\_id | The ID of VPC endpoint for Access Analyzer |
+| vpc\_endpoint\_access\_analyzer\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Access Analyzer. |
+| vpc\_endpoint\_acm\_pca\_dns\_entry | The DNS entries for the VPC Endpoint for ACM PCA. |
+| vpc\_endpoint\_acm\_pca\_id | The ID of VPC endpoint for ACM PCA |
+| vpc\_endpoint\_acm\_pca\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for ACM PCA. |
 | vpc\_endpoint\_apigw\_dns\_entry | The DNS entries for the VPC Endpoint for APIGW. |
 | vpc\_endpoint\_apigw\_id | The ID of VPC endpoint for APIGW |
 | vpc\_endpoint\_apigw\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for APIGW. |
@@ -646,6 +706,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_athena\_dns\_entry | The DNS entries for the VPC Endpoint for Athena. |
 | vpc\_endpoint\_athena\_id | The ID of VPC endpoint for Athena |
 | vpc\_endpoint\_athena\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Athena. |
+| vpc\_endpoint\_auto\_scaling\_plans\_dns\_entry | The DNS entries for the VPC Endpoint for Auto Scaling Plans. |
+| vpc\_endpoint\_auto\_scaling\_plans\_id | The ID of VPC endpoint for Auto Scaling Plans |
+| vpc\_endpoint\_auto\_scaling\_plans\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Auto Scaling Plans. |
 | vpc\_endpoint\_cloud\_directory\_dns\_entry | The DNS entries for the VPC Endpoint for Cloud Directory. |
 | vpc\_endpoint\_cloud\_directory\_id | The ID of VPC endpoint for Cloud Directory |
 | vpc\_endpoint\_cloud\_directory\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Cloud Directory. |
@@ -667,8 +730,14 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_config\_dns\_entry | The DNS entries for the VPC Endpoint for config. |
 | vpc\_endpoint\_config\_id | The ID of VPC endpoint for config |
 | vpc\_endpoint\_config\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for config. |
+| vpc\_endpoint\_datasync\_dns\_entry | The DNS entries for the VPC Endpoint for DataSync. |
+| vpc\_endpoint\_datasync\_id | The ID of VPC endpoint for DataSync |
+| vpc\_endpoint\_datasync\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for DataSync. |
 | vpc\_endpoint\_dynamodb\_id | The ID of VPC endpoint for DynamoDB |
 | vpc\_endpoint\_dynamodb\_pl\_id | The prefix list for the DynamoDB VPC endpoint. |
+| vpc\_endpoint\_ebs\_dns\_entry | The DNS entries for the VPC Endpoint for EBS. |
+| vpc\_endpoint\_ebs\_id | The ID of VPC endpoint for EBS |
+| vpc\_endpoint\_ebs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EBS. |
 | vpc\_endpoint\_ec2\_autoscaling\_dns\_entry | The DNS entries for the VPC Endpoint for EC2 Autoscaling. |
 | vpc\_endpoint\_ec2\_autoscaling\_id | The ID of VPC endpoint for EC2 Autoscaling |
 | vpc\_endpoint\_ec2\_autoscaling\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EC2 Autoscaling |
@@ -696,9 +765,21 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_efs\_dns\_entry | The DNS entries for the VPC Endpoint for EFS. |
 | vpc\_endpoint\_efs\_id | The ID of VPC endpoint for EFS |
 | vpc\_endpoint\_efs\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EFS. |
+| vpc\_endpoint\_elastic\_inference\_runtime\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Inference Runtime. |
+| vpc\_endpoint\_elastic\_inference\_runtime\_id | The ID of VPC endpoint for Elastic Inference Runtime |
+| vpc\_endpoint\_elastic\_inference\_runtime\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Inference Runtime. |
+| vpc\_endpoint\_elasticbeanstalk\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Beanstalk. |
+| vpc\_endpoint\_elasticbeanstalk\_health\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Beanstalk Health. |
+| vpc\_endpoint\_elasticbeanstalk\_health\_id | The ID of VPC endpoint for Elastic Beanstalk Health |
+| vpc\_endpoint\_elasticbeanstalk\_health\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk Health. |
+| vpc\_endpoint\_elasticbeanstalk\_id | The ID of VPC endpoint for Elastic Beanstalk |
+| vpc\_endpoint\_elasticbeanstalk\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Beanstalk. |
 | vpc\_endpoint\_elasticloadbalancing\_dns\_entry | The DNS entries for the VPC Endpoint for Elastic Load Balancing. |
 | vpc\_endpoint\_elasticloadbalancing\_id | The ID of VPC endpoint for Elastic Load Balancing |
 | vpc\_endpoint\_elasticloadbalancing\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Elastic Load Balancing. |
+| vpc\_endpoint\_elasticmapreduce\_dns\_entry | The DNS entries for the VPC Endpoint for EMR. |
+| vpc\_endpoint\_elasticmapreduce\_id | The ID of VPC endpoint for EMR |
+| vpc\_endpoint\_elasticmapreduce\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for EMR. |
 | vpc\_endpoint\_events\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Events. |
 | vpc\_endpoint\_events\_id | The ID of VPC endpoint for CloudWatch Events |
 | vpc\_endpoint\_events\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Events. |
@@ -723,6 +804,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_monitoring\_dns\_entry | The DNS entries for the VPC Endpoint for CloudWatch Monitoring. |
 | vpc\_endpoint\_monitoring\_id | The ID of VPC endpoint for CloudWatch Monitoring |
 | vpc\_endpoint\_monitoring\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for CloudWatch Monitoring. |
+| vpc\_endpoint\_qldb\_session\_dns\_entry | The DNS entries for the VPC Endpoint for QLDB Session. |
+| vpc\_endpoint\_qldb\_session\_id | The ID of VPC endpoint for QLDB Session |
+| vpc\_endpoint\_qldb\_session\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for QLDB Session. |
 | vpc\_endpoint\_rekognition\_dns\_entry | The DNS entries for the VPC Endpoint for Rekognition. |
 | vpc\_endpoint\_rekognition\_id | The ID of VPC endpoint for Rekognition |
 | vpc\_endpoint\_rekognition\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Rekognition. |
@@ -743,6 +827,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_ses\_dns\_entry | The DNS entries for the VPC Endpoint for SES. |
 | vpc\_endpoint\_ses\_id | The ID of VPC endpoint for SES |
 | vpc\_endpoint\_ses\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SES. |
+| vpc\_endpoint\_sms\_dns\_entry | The DNS entries for the VPC Endpoint for SMS. |
+| vpc\_endpoint\_sms\_id | The ID of VPC endpoint for SMS |
+| vpc\_endpoint\_sms\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SMS. |
 | vpc\_endpoint\_sns\_dns\_entry | The DNS entries for the VPC Endpoint for SNS. |
 | vpc\_endpoint\_sns\_id | The ID of VPC endpoint for SNS |
 | vpc\_endpoint\_sns\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SNS. |
@@ -755,6 +842,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_ssmmessages\_dns\_entry | The DNS entries for the VPC Endpoint for SSMMESSAGES. |
 | vpc\_endpoint\_ssmmessages\_id | The ID of VPC endpoint for SSMMESSAGES |
 | vpc\_endpoint\_ssmmessages\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for SSMMESSAGES. |
+| vpc\_endpoint\_states\_dns\_entry | The DNS entries for the VPC Endpoint for Step Function. |
+| vpc\_endpoint\_states\_id | The ID of VPC endpoint for Step Function |
+| vpc\_endpoint\_states\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Step Function. |
 | vpc\_endpoint\_storagegateway\_dns\_entry | The DNS entries for the VPC Endpoint for Storage Gateway. |
 | vpc\_endpoint\_storagegateway\_id | The ID of VPC endpoint for Storage Gateway |
 | vpc\_endpoint\_storagegateway\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Storage Gateway. |
@@ -767,6 +857,9 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | vpc\_endpoint\_transferserver\_dns\_entry | The DNS entries for the VPC Endpoint for transferserver. |
 | vpc\_endpoint\_transferserver\_id | The ID of VPC endpoint for transferserver |
 | vpc\_endpoint\_transferserver\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for transferserver |
+| vpc\_endpoint\_workspaces\_dns\_entry | The DNS entries for the VPC Endpoint for Workspaces. |
+| vpc\_endpoint\_workspaces\_id | The ID of VPC endpoint for Workspaces |
+| vpc\_endpoint\_workspaces\_network\_interface\_ids | One or more network interfaces for the VPC Endpoint for Workspaces. |
 | vpc\_flow\_log\_cloudwatch\_iam\_role\_arn | The ARN of the IAM role used when pushing logs to Cloudwatch log group |
 | vpc\_flow\_log\_destination\_arn | The ARN of the destination for VPC Flow Logs |
 | vpc\_flow\_log\_destination\_type | The type of the destination for VPC Flow Logs |

--- a/outputs.tf
+++ b/outputs.tf
@@ -1087,6 +1087,201 @@ output "vpc_endpoint_cloud_directory_dns_entry" {
  value       = flatten(aws_vpc_endpoint.cloud_directory.*.dns_entry)
 }

+output "vpc_endpoint_elasticmapreduce_id" {
+  description = "The ID of VPC endpoint for EMR"
+  value       = concat(aws_vpc_endpoint.emr.*.id, [""])[0]
+}
+
+output "vpc_endpoint_elasticmapreduce_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EMR."
+  value       = flatten(aws_vpc_endpoint.emr.*.network_interface_ids)
+}
+
+output "vpc_endpoint_elasticmapreduce_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for EMR."
+  value       = flatten(aws_vpc_endpoint.emr.*.dns_entry)
+}
+
+output "vpc_endpoint_sms_id" {
+  description = "The ID of VPC endpoint for SMS"
+  value       = concat(aws_vpc_endpoint.sms.*.id, [""])[0]
+}
+
+output "vpc_endpoint_sms_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for SMS."
+  value       = flatten(aws_vpc_endpoint.sms.*.network_interface_ids)
+}
+
+output "vpc_endpoint_sms_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for SMS."
+  value       = flatten(aws_vpc_endpoint.sms.*.dns_entry)
+}
+
+output "vpc_endpoint_states_id" {
+  description = "The ID of VPC endpoint for Step Function"
+  value       = concat(aws_vpc_endpoint.states.*.id, [""])[0]
+}
+
+output "vpc_endpoint_states_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Step Function."
+  value       = flatten(aws_vpc_endpoint.states.*.network_interface_ids)
+}
+
+output "vpc_endpoint_states_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Step Function."
+  value       = flatten(aws_vpc_endpoint.states.*.dns_entry)
+}
+
+output "vpc_endpoint_elastic_inference_runtime_id" {
+  description = "The ID of VPC endpoint for Elastic Inference Runtime"
+  value       = concat(aws_vpc_endpoint.elastic_inference_runtime.*.id, [""])[0]
+}
+
+output "vpc_endpoint_elastic_inference_runtime_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Elastic Inference Runtime."
+  value       = flatten(aws_vpc_endpoint.elastic_inference_runtime.*.network_interface_ids)
+}
+
+output "vpc_endpoint_elastic_inference_runtime_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Elastic Inference Runtime."
+  value       = flatten(aws_vpc_endpoint.elastic_inference_runtime.*.dns_entry)
+}
+
+output "vpc_endpoint_elasticbeanstalk_id" {
+  description = "The ID of VPC endpoint for Elastic Beanstalk"
+  value       = concat(aws_vpc_endpoint.elasticbeanstalk.*.id, [""])[0]
+}
+
+output "vpc_endpoint_elasticbeanstalk_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Elastic Beanstalk."
+  value       = flatten(aws_vpc_endpoint.elasticbeanstalk.*.network_interface_ids)
+}
+
+output "vpc_endpoint_elasticbeanstalk_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Elastic Beanstalk."
+  value       = flatten(aws_vpc_endpoint.elasticbeanstalk.*.dns_entry)
+}
+
+output "vpc_endpoint_elasticbeanstalk_health_id" {
+  description = "The ID of VPC endpoint for Elastic Beanstalk Health"
+  value       = concat(aws_vpc_endpoint.elasticbeanstalk_health.*.id, [""])[0]
+}
+
+output "vpc_endpoint_elasticbeanstalk_health_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Elastic Beanstalk Health."
+  value       = flatten(aws_vpc_endpoint.elasticbeanstalk_health.*.network_interface_ids)
+}
+
+output "vpc_endpoint_elasticbeanstalk_health_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Elastic Beanstalk Health."
+  value       = flatten(aws_vpc_endpoint.elasticbeanstalk_health.*.dns_entry)
+}
+
+output "vpc_endpoint_workspaces_id" {
+  description = "The ID of VPC endpoint for Workspaces"
+  value       = concat(aws_vpc_endpoint.workspaces.*.id, [""])[0]
+}
+
+output "vpc_endpoint_workspaces_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Workspaces."
+  value       = flatten(aws_vpc_endpoint.workspaces.*.network_interface_ids)
+}
+
+output "vpc_endpoint_workspaces_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Workspaces."
+  value       = flatten(aws_vpc_endpoint.workspaces.*.dns_entry)
+}
+
+output "vpc_endpoint_auto_scaling_plans_id" {
+  description = "The ID of VPC endpoint for Auto Scaling Plans"
+  value       = concat(aws_vpc_endpoint.auto_scaling_plans.*.id, [""])[0]
+}
+
+output "vpc_endpoint_auto_scaling_plans_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Auto Scaling Plans."
+  value       = flatten(aws_vpc_endpoint.auto_scaling_plans.*.network_interface_ids)
+}
+
+output "vpc_endpoint_auto_scaling_plans_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Auto Scaling Plans."
+  value       = flatten(aws_vpc_endpoint.auto_scaling_plans.*.dns_entry)
+}
+
+output "vpc_endpoint_ebs_id" {
+  description = "The ID of VPC endpoint for EBS"
+  value       = concat(aws_vpc_endpoint.ebs.*.id, [""])[0]
+}
+
+output "vpc_endpoint_ebs_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for EBS."
+  value       = flatten(aws_vpc_endpoint.ebs.*.network_interface_ids)
+}
+
+output "vpc_endpoint_ebs_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for EBS."
+  value       = flatten(aws_vpc_endpoint.ebs.*.dns_entry)
+}
+
+output "vpc_endpoint_qldb_session_id" {
+  description = "The ID of VPC endpoint for QLDB Session"
+  value       = concat(aws_vpc_endpoint.qldb_session.*.id, [""])[0]
+}
+
+output "vpc_endpoint_qldb_session_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for QLDB Session."
+  value       = flatten(aws_vpc_endpoint.qldb_session.*.network_interface_ids)
+}
+
+output "vpc_endpoint_qldb_session_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for QLDB Session."
+  value       = flatten(aws_vpc_endpoint.qldb_session.*.dns_entry)
+}
+
+output "vpc_endpoint_datasync_id" {
+  description = "The ID of VPC endpoint for DataSync"
+  value       = concat(aws_vpc_endpoint.datasync.*.id, [""])[0]
+}
+
+output "vpc_endpoint_datasync_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for DataSync."
+  value       = flatten(aws_vpc_endpoint.datasync.*.network_interface_ids)
+}
+
+output "vpc_endpoint_datasync_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for DataSync."
+  value       = flatten(aws_vpc_endpoint.datasync.*.dns_entry)
+}
+
+output "vpc_endpoint_access_analyzer_id" {
+  description = "The ID of VPC endpoint for Access Analyzer"
+  value       = concat(aws_vpc_endpoint.access_analyzer.*.id, [""])[0]
+}
+
+output "vpc_endpoint_access_analyzer_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for Access Analyzer."
+  value       = flatten(aws_vpc_endpoint.access_analyzer.*.network_interface_ids)
+}
+
+output "vpc_endpoint_access_analyzer_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for Access Analyzer."
+  value       = flatten(aws_vpc_endpoint.access_analyzer.*.dns_entry)
+}
+
+output "vpc_endpoint_acm_pca_id" {
+  description = "The ID of VPC endpoint for ACM PCA"
+  value       = concat(aws_vpc_endpoint.access_analyzer.*.id, [""])[0]
+}
+
+output "vpc_endpoint_acm_pca_network_interface_ids" {
+  description = "One or more network interfaces for the VPC Endpoint for ACM PCA."
+  value       = flatten(aws_vpc_endpoint.acm_pca.*.network_interface_ids)
+}
+
+output "vpc_endpoint_acm_pca_dns_entry" {
+  description = "The DNS entries for the VPC Endpoint for ACM PCA."
+  value       = flatten(aws_vpc_endpoint.acm_pca.*.dns_entry)
+}
+
 output "vpc_endpoint_ses_id" {
  description = "The ID of VPC endpoint for SES"
  value       = concat(aws_vpc_endpoint.ses.*.id, [""])[0]
@@ -1102,7 +1297,6 @@ output "vpc_endpoint_ses_dns_entry" {
  value       = flatten(aws_vpc_endpoint.ses.*.dns_entry)
 }

-
 # VPC flow log
 output "vpc_flow_log_id" {
  description = "The ID of the Flow Log resource"

--- a/variables.tf
+++ b/variables.tf
@@ -1341,12 +1341,319 @@ variable "ses_endpoint_subnet_ids" {
  default     = []
 }

+variable "enable_auto_scaling_plans_endpoint" {
+  description = "Should be true if you want to provision an Auto Scaling Plans endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "auto_scaling_plans_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "auto_scaling_plans_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "auto_scaling_plans_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "ses_endpoint_private_dns_enabled" {
  description = "Whether or not to associate a private hosted zone with the specified VPC for SES endpoint"
  type        = bool
  default     = false
 }

+variable "enable_workspaces_endpoint" {
+  description = "Should be true if you want to provision an Workspaces endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "workspaces_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Workspaces endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "workspaces_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "workspaces_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_access_analyzer_endpoint" {
+  description = "Should be true if you want to provision an Access Analyzer endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "access_analyzer_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "access_analyzer_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "access_analyzer_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_ebs_endpoint" {
+  description = "Should be true if you want to provision an EBS endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "ebs_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for EBS endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "ebs_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "ebs_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_datasync_endpoint" {
+  description = "Should be true if you want to provision an Data Sync endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "datasync_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Data Sync endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "datasync_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Data Sync endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "datasync_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Data Sync endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_elastic_inference_runtime_endpoint" {
+  description = "Should be true if you want to provision an Elastic Inference Runtime endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "elastic_inference_runtime_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Elastic Inference Runtime endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "elastic_inference_runtime_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "elastic_inference_runtime_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Inference Runtime endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_sms_endpoint" {
+  description = "Should be true if you want to provision an SMS endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "sms_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for SMS endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "sms_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "sms_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_emr_endpoint" {
+  description = "Should be true if you want to provision an EMR endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "emr_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for EMR endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "emr_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "emr_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_qldb_session_endpoint" {
+  description = "Should be true if you want to provision an QLDB Session endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "qldb_session_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for QLDB Session endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "qldb_session_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for QLDB Session endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "qldb_session_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for QLDB Session endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_elasticbeanstalk_endpoint" {
+  description = "Should be true if you want to provision a Elastic Beanstalk endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "elasticbeanstalk_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "elasticbeanstalk_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "elasticbeanstalk_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_elasticbeanstalk_health_endpoint" {
+  description = "Should be true if you want to provision a Elastic Beanstalk Health endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "elasticbeanstalk_health_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "elasticbeanstalk_health_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "elasticbeanstalk_health_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_states_endpoint" {
+  description = "Should be true if you want to provision a Step Function endpoint to the VPC"
+  type        = bool
+  default     = false
+}
+
+variable "states_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for Step Function endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "states_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "states_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "enable_acm_pca_endpoint" {
+  description = "Should be true if you want to provision an ACM PCA endpoint to the VPC"
+  default     = false
+}
+
+variable "acm_pca_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint"
+  default     = []
+}
+
+variable "acm_pca_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  default     = []
+}
+
+variable "acm_pca_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint"
+  default     = false
+}

 variable "map_public_ip_on_launch" {
  description = "Should be false if you do not want to auto-assign public IP on launch"

--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
@@ -1027,6 +1027,305 @@ resource "aws_vpc_endpoint" "cloud_directory" {
  tags = local.vpce_tags
 }

+#######################
+# VPC Endpoint for Auto Scaling Plans
+#######################
+data "aws_vpc_endpoint_service" "auto_scaling_plans" {
+  count = var.create_vpc && var.enable_auto_scaling_plans_endpoint ? 1 : 0
+
+  service = "autoscaling-plans"
+}
+
+resource "aws_vpc_endpoint" "auto_scaling_plans" {
+  count = var.create_vpc && var.enable_auto_scaling_plans_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.auto_scaling_plans[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.auto_scaling_plans_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.auto_scaling_plans_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.auto_scaling_plans_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for Workspaces
+#######################
+data "aws_vpc_endpoint_service" "workspaces" {
+  count = var.create_vpc && var.enable_workspaces_endpoint ? 1 : 0
+
+  service = "workspaces"
+}
+
+resource "aws_vpc_endpoint" "workspaces" {
+  count = var.create_vpc && var.enable_workspaces_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.workspaces[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.workspaces_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.workspaces_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.workspaces_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for Access Analyzer
+#######################
+data "aws_vpc_endpoint_service" "access_analyzer" {
+  count = var.create_vpc && var.enable_access_analyzer_endpoint ? 1 : 0
+
+  service = "access-analyzer"
+}
+
+resource "aws_vpc_endpoint" "access_analyzer" {
+  count = var.create_vpc && var.enable_access_analyzer_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.access_analyzer[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.access_analyzer_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.access_analyzer_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.access_analyzer_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for EBS
+#######################
+data "aws_vpc_endpoint_service" "ebs" {
+  count = var.create_vpc && var.enable_ebs_endpoint ? 1 : 0
+
+  service = "ebs"
+}
+
+resource "aws_vpc_endpoint" "ebs" {
+  count = var.create_vpc && var.enable_ebs_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.ebs[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.ebs_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.ebs_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.ebs_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for Data Sync
+#######################
+data "aws_vpc_endpoint_service" "datasync" {
+  count = var.create_vpc && var.enable_datasync_endpoint ? 1 : 0
+
+  service = "datasync"
+}
+
+resource "aws_vpc_endpoint" "datasync" {
+  count = var.create_vpc && var.enable_datasync_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.datasync[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.datasync_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.datasync_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.datasync_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for Elastic Inference Runtime
+#######################
+data "aws_vpc_endpoint_service" "elastic_inference_runtime" {
+  count = var.create_vpc && var.enable_elastic_inference_runtime_endpoint ? 1 : 0
+
+  service = "elastic-inference.runtime"
+}
+
+resource "aws_vpc_endpoint" "elastic_inference_runtime" {
+  count = var.create_vpc && var.enable_elastic_inference_runtime_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.elastic_inference_runtime[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.elastic_inference_runtime_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.elastic_inference_runtime_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.elastic_inference_runtime_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for SMS
+#######################
+data "aws_vpc_endpoint_service" "sms" {
+  count = var.create_vpc && var.enable_sms_endpoint ? 1 : 0
+
+  service = "sms"
+}
+
+resource "aws_vpc_endpoint" "sms" {
+  count = var.create_vpc && var.enable_sms_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.sms[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.sms_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.sms_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.sms_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for EMR
+#######################
+data "aws_vpc_endpoint_service" "emr" {
+  count = var.create_vpc && var.enable_emr_endpoint ? 1 : 0
+
+  service = "elasticmapreduce"
+}
+
+resource "aws_vpc_endpoint" "emr" {
+  count = var.create_vpc && var.enable_emr_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.emr[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.emr_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.emr_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.emr_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#######################
+# VPC Endpoint for QLDB Session
+#######################
+data "aws_vpc_endpoint_service" "qldb_session" {
+  count = var.create_vpc && var.enable_qldb_session_endpoint ? 1 : 0
+
+  service = "qldb.session"
+}
+
+resource "aws_vpc_endpoint" "qldb_session" {
+  count = var.create_vpc && var.enable_qldb_session_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.qldb_session[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.qldb_session_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.qldb_session_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.qldb_session_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for Step Function
+#############################
+data "aws_vpc_endpoint_service" "states" {
+  count = var.create_vpc && var.enable_states_endpoint ? 1 : 0
+
+  service = "states"
+}
+
+resource "aws_vpc_endpoint" "states" {
+  count = var.create_vpc && var.enable_states_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.states[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.states_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.states_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.states_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for Elastic Beanstalk
+#############################
+data "aws_vpc_endpoint_service" "elasticbeanstalk" {
+  count = var.create_vpc && var.enable_elasticbeanstalk_endpoint ? 1 : 0
+
+  service = "elasticbeanstalk"
+}
+
+resource "aws_vpc_endpoint" "elasticbeanstalk" {
+  count = var.create_vpc && var.enable_elasticbeanstalk_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.elasticbeanstalk[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.elasticbeanstalk_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.elasticbeanstalk_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.elasticbeanstalk_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for Elastic Beanstalk Health
+#############################
+data "aws_vpc_endpoint_service" "elasticbeanstalk_health" {
+  count = var.create_vpc && var.enable_elasticbeanstalk_health_endpoint ? 1 : 0
+
+  service = "elasticbeanstalk.health"
+}
+
+resource "aws_vpc_endpoint" "elasticbeanstalk_health" {
+  count = var.create_vpc && var.enable_elasticbeanstalk_health_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.elasticbeanstalk_health[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.elasticbeanstalk_health_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.elasticbeanstalk_health_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.elasticbeanstalk_health_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
+#############################
+# VPC Endpoint for ACM PCA
+#############################
+data "aws_vpc_endpoint_service" "acm_pca" {
+  count = var.create_vpc && var.enable_acm_pca_endpoint ? 1 : 0
+
+  service = "acm-pca"
+}
+
+resource "aws_vpc_endpoint" "acm_pca" {
+  count = var.create_vpc && var.enable_acm_pca_endpoint ? 1 : 0
+
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.acm_pca[0].service_name
+  vpc_endpoint_type = "Interface"
+
+  security_group_ids  = var.acm_pca_endpoint_security_group_ids
+  subnet_ids          = coalescelist(var.acm_pca_endpoint_subnet_ids, aws_subnet.private.*.id)
+  private_dns_enabled = var.acm_pca_endpoint_private_dns_enabled
+
+  tags = local.vpce_tags
+}
+
 #######################
 # VPC Endpoint for SES
 #######################