fix: use filter for getting service type for S3 endpoint and update to allow...

fix: use filter for getting service type for S3 endpoint and update to allow s3 to use interface endpoint types (#597)

examples/complete-vpc/main.tf

@@ -51,7 +51,11 @@ module "vpc" {
   dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 
   # VPC endpoint for S3
-  enable_s3_endpoint = true
+  # Note - S3 Interface type support is only available on AWS provider 3.10 and later
+  enable_s3_endpoint              = true
+  s3_endpoint_type                = "Interface"
+  s3_endpoint_private_dns_enabled = false
+  s3_endpoint_security_group_ids  = [data.aws_security_group.default.id]
 
   # VPC endpoint for DynamoDB
   enable_dynamodb_endpoint = true

examples/ipv6/README.md

@@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Modules
 
@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/availability_zones) |
+| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
 
 ## Inputs
 

examples/ipv6/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-108-route-already-exists/README.md

@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-108-route-already-exists/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-44-asymmetric-private-subnets/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-44-asymmetric-private-subnets/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-46-no-private-subnets/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-46-no-private-subnets/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/manage-default-vpc/README.md

@@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/manage-default-vpc/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/network-acls/README.md

@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/network-acls/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/secondary-cidr-blocks/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/secondary-cidr-blocks/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/simple-vpc/README.md

@@ -26,7 +26,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/simple-vpc/main.tf

@@ -18,8 +18,6 @@ module "vpc" {
   enable_nat_gateway = false
   single_nat_gateway = true
 
-  #  s3_endpoint_type = "Interface"
-
   enable_s3_endpoint       = true
   enable_dynamodb_endpoint = true
 

examples/simple-vpc/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/vpc-flow-logs/README.md

@@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 
 ## Modules
@@ -47,11 +47,11 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/cloudwatch_log_group) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
 | [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
 
 ## Inputs

examples/vpc-flow-logs/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
 
     random = {

examples/vpc-separate-private-route-tables/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 2.68 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/vpc-separate-private-route-tables/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.21"
 
   required_providers {
-    aws = ">= 2.68"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.70"
+    }
   }
 }

variables.tf

@@ -317,11 +317,29 @@ variable "enable_dynamodb_endpoint" {
 }
 
 variable "dynamodb_endpoint_type" {
-  description = "DynamoDB VPC endpoint type"
+  description = "DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available"
   type        = string
   default     = "Gateway"
 }
 
+variable "dynamodb_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "enable_s3_endpoint" {
   description = "Should be true if you want to provision an S3 endpoint to the VPC"
   type        = bool
@@ -329,11 +347,29 @@ variable "enable_s3_endpoint" {
 }
 
 variable "s3_endpoint_type" {
-  description = "S3 VPC endpoint type"
+  description = "S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later"
   type        = string
   default     = "Gateway"
 }
 
+variable "s3_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for S3 interface endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "s3_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "s3_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "enable_codeartifact_api_endpoint" {
   description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
   type        = bool

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

vpc-endpoints.tf

@@ -4,8 +4,13 @@
 data "aws_vpc_endpoint_service" "s3" {
   count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
 
-  service_type = var.s3_endpoint_type
-  service      = "s3"
+  service = "s3"
+
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.s3_endpoint_type]
+  }
 }
 
 resource "aws_vpc_endpoint" "s3" {
@@ -15,25 +20,29 @@ resource "aws_vpc_endpoint" "s3" {
   service_name      = data.aws_vpc_endpoint_service.s3[0].service_name
   vpc_endpoint_type = var.s3_endpoint_type
 
+  security_group_ids  = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null
+  subnet_ids          = var.s3_endpoint_type == "Interface" ? coalescelist(var.s3_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_private_dns_enabled : null
+
   tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.s3_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "public_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = aws_route_table.public[0].id
@@ -45,36 +54,45 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 data "aws_vpc_endpoint_service" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
-  service_type = var.dynamodb_endpoint_type
-  service      = "dynamodb"
+  service = "dynamodb"
+
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.dynamodb_endpoint_type]
+  }
 }
 
 resource "aws_vpc_endpoint" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
   vpc_id            = local.vpc_id
-  vpc_endpoint_type = var.dynamodb_endpoint_type
   service_name      = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+  vpc_endpoint_type = var.dynamodb_endpoint_type
+
+  security_group_ids  = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_security_group_ids : null
+  subnet_ids          = var.dynamodb_endpoint_type == "Interface" ? coalescelist(var.dynamodb_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_private_dns_enabled : null
 
   tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && var.dynamodb_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = aws_route_table.public[0].id