fix: use filter for getting service type for S3 endpoint and update to allow...

fix: use filter for getting service type for S3 endpoint and update to allow s3 to use interface endpoint types (#597)

README.md

@@ -229,13 +229,13 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Modules
 
@@ -245,39 +245,39 @@ No Modules.
 
 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/cloudwatch_log_group) |
-| [aws_customer_gateway](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/customer_gateway) |
-| [aws_db_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/db_subnet_group) |
-| [aws_default_network_acl](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/default_network_acl) |
-| [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/default_security_group) |
-| [aws_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/default_vpc) |
-| [aws_egress_only_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/egress_only_internet_gateway) |
-| [aws_eip](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/eip) |
-| [aws_elasticache_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/elasticache_subnet_group) |
-| [aws_flow_log](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/flow_log) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role) |
-| [aws_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/internet_gateway) |
-| [aws_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/nat_gateway) |
-| [aws_network_acl_rule](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/network_acl_rule) |
-| [aws_network_acl](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/network_acl) |
-| [aws_redshift_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/redshift_subnet_group) |
-| [aws_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/route_table_association) |
-| [aws_route_table](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/route_table) |
-| [aws_route](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/route) |
-| [aws_subnet](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/subnet) |
-| [aws_vpc_dhcp_options_association](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc_dhcp_options_association) |
-| [aws_vpc_dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc_dhcp_options) |
-| [aws_vpc_endpoint_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc_endpoint_route_table_association) |
-| [aws_vpc_endpoint_service](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/vpc_endpoint_service) |
-| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc_endpoint) |
-| [aws_vpc_ipv4_cidr_block_association](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc_ipv4_cidr_block_association) |
-| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpc) |
-| [aws_vpn_gateway_attachment](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpn_gateway_attachment) |
-| [aws_vpn_gateway_route_propagation](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpn_gateway_route_propagation) |
-| [aws_vpn_gateway](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/vpn_gateway) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
+| [aws_customer_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/customer_gateway) |
+| [aws_db_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/db_subnet_group) |
+| [aws_default_network_acl](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_network_acl) |
+| [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_security_group) |
+| [aws_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_vpc) |
+| [aws_egress_only_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/egress_only_internet_gateway) |
+| [aws_eip](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/eip) |
+| [aws_elasticache_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/elasticache_subnet_group) |
+| [aws_flow_log](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/flow_log) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
+| [aws_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/internet_gateway) |
+| [aws_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/nat_gateway) |
+| [aws_network_acl_rule](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/network_acl_rule) |
+| [aws_network_acl](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/network_acl) |
+| [aws_redshift_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/redshift_subnet_group) |
+| [aws_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route_table_association) |
+| [aws_route_table](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route_table) |
+| [aws_route](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route) |
+| [aws_subnet](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/subnet) |
+| [aws_vpc_dhcp_options_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_dhcp_options_association) |
+| [aws_vpc_dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_dhcp_options) |
+| [aws_vpc_endpoint_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_endpoint_route_table_association) |
+| [aws_vpc_endpoint_service](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/vpc_endpoint_service) |
+| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_endpoint) |
+| [aws_vpc_ipv4_cidr_block_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_ipv4_cidr_block_association) |
+| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc) |
+| [aws_vpn_gateway_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway_attachment) |
+| [aws_vpn_gateway_route_propagation](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway_route_propagation) |
+| [aws_vpn_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway) |
 
 ## Inputs
 
@@ -395,7 +395,10 @@ No Modules.
 | dms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint | `bool` | `false` | no |
 | dms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DMS endpoint | `list(string)` | `[]` | no |
 | dms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
-| dynamodb\_endpoint\_type | DynamoDB VPC endpoint type | `string` | `"Gateway"` | no |
+| dynamodb\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint | `bool` | `false` | no |
+| dynamodb\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint | `list(string)` | `[]` | no |
+| dynamodb\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| dynamodb\_endpoint\_type | DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available | `string` | `"Gateway"` | no |
 | ebs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no |
 | ebs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no |
 | ebs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -632,7 +635,10 @@ No Modules.
 | rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | `list(string)` | `[]` | no |
 | rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
-| s3\_endpoint\_type | S3 VPC endpoint type | `string` | `"Gateway"` | no |
+| s3\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint | `bool` | `false` | no |
+| s3\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for S3 interface endpoint | `list(string)` | `[]` | no |
+| s3\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| s3\_endpoint\_type | S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later | `string` | `"Gateway"` | no |
 | sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | `bool` | `false` | no |
 | sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | `list(string)` | `[]` | no |
 | sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |

examples/complete-vpc/main.tf

@@ -51,7 +51,11 @@ module "vpc" {
   dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
 
   # VPC endpoint for S3
+  # Note - S3 Interface type support is only available on AWS provider 3.10 and later
   enable_s3_endpoint              = true
+  s3_endpoint_type                = "Interface"
+  s3_endpoint_private_dns_enabled = false
+  s3_endpoint_security_group_ids  = [data.aws_security_group.default.id]
 
   # VPC endpoint for DynamoDB
   enable_dynamodb_endpoint = true

examples/ipv6/README.md

@@ -20,13 +20,13 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Modules
 
@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/availability_zones) |
+| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
 
 ## Inputs
 

examples/ipv6/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-108-route-already-exists/README.md

@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-108-route-already-exists/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-44-asymmetric-private-subnets/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-44-asymmetric-private-subnets/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/issue-46-no-private-subnets/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/issue-46-no-private-subnets/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/manage-default-vpc/README.md

@@ -22,7 +22,7 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/manage-default-vpc/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/network-acls/README.md

@@ -24,7 +24,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/network-acls/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/secondary-cidr-blocks/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/secondary-cidr-blocks/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/simple-vpc/README.md

@@ -26,7 +26,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/simple-vpc/main.tf

@@ -18,8 +18,6 @@ module "vpc" {
   enable_nat_gateway = false
   single_nat_gateway = true
 
-  #  s3_endpoint_type = "Interface"
-
   enable_s3_endpoint       = true
   enable_dynamodb_endpoint = true
 

examples/simple-vpc/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

examples/vpc-flow-logs/README.md

@@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| aws | >= 3.10 |
+| aws | >= 2.70 |
 | random | >= 2 |
 
 ## Modules
@@ -47,11 +47,11 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 
 | Name |
 |------|
-| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/cloudwatch_log_group) |
-| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/iam_policy_document) |
-| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_policy) |
-| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role_policy_attachment) |
-| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/resources/iam_role) |
+| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
+| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
+| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
+| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
+| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
 | [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
 
 ## Inputs

examples/vpc-flow-logs/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
 
     random = {

examples/vpc-separate-private-route-tables/README.md

@@ -22,7 +22,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | terraform | >= 0.12.21 |
-| aws | >= 2.68 |
+| aws | >= 2.70 |
 
 ## Providers
 

examples/vpc-separate-private-route-tables/versions.tf

@@ -2,6 +2,9 @@ terraform {
   required_version = ">= 0.12.21"
 
   required_providers {
-    aws = ">= 2.68"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 2.70"
+    }
   }
 }

variables.tf

@@ -317,11 +317,29 @@ variable "enable_dynamodb_endpoint" {
 }
 
 variable "dynamodb_endpoint_type" {
-  description = "DynamoDB VPC endpoint type"
+  description = "DynamoDB VPC endpoint type. Note - DynamoDB Interface type support is not yet available"
   type        = string
   default     = "Gateway"
 }
 
+variable "dynamodb_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "dynamodb_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "enable_s3_endpoint" {
   description = "Should be true if you want to provision an S3 endpoint to the VPC"
   type        = bool
@@ -329,11 +347,29 @@ variable "enable_s3_endpoint" {
 }
 
 variable "s3_endpoint_type" {
-  description = "S3 VPC endpoint type"
+  description = "S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later"
   type        = string
   default     = "Gateway"
 }
 
+variable "s3_endpoint_security_group_ids" {
+  description = "The ID of one or more security groups to associate with the network interface for S3 interface endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "s3_endpoint_subnet_ids" {
+  description = "The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."
+  type        = list(string)
+  default     = []
+}
+
+variable "s3_endpoint_private_dns_enabled" {
+  description = "Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint"
+  type        = bool
+  default     = false
+}
+
 variable "enable_codeartifact_api_endpoint" {
   description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
   type        = bool

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 2.70"
     }
   }
 }

vpc-endpoints.tf

@@ -4,8 +4,13 @@
 data "aws_vpc_endpoint_service" "s3" {
   count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
 
-  service_type = var.s3_endpoint_type
   service = "s3"
+
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.s3_endpoint_type]
+  }
 }
 
 resource "aws_vpc_endpoint" "s3" {
@@ -15,25 +20,29 @@ resource "aws_vpc_endpoint" "s3" {
   service_name      = data.aws_vpc_endpoint_service.s3[0].service_name
   vpc_endpoint_type = var.s3_endpoint_type
 
+  security_group_ids  = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null
+  subnet_ids          = var.s3_endpoint_type == "Interface" ? coalescelist(var.s3_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_private_dns_enabled : null
+
   tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.s3_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "intra_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && length(var.intra_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "public_s3" {
-  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_s3_endpoint && var.enable_public_s3_endpoint && length(var.public_subnets) > 0 && var.s3_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
   route_table_id  = aws_route_table.public[0].id
@@ -45,36 +54,45 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 data "aws_vpc_endpoint_service" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
-  service_type = var.dynamodb_endpoint_type
   service = "dynamodb"
+
+  # Used for backwards compatability where `service_type` is not yet available in the provider used
+  filter {
+    name   = "service-type"
+    values = [var.dynamodb_endpoint_type]
+  }
 }
 
 resource "aws_vpc_endpoint" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
   vpc_id            = local.vpc_id
-  vpc_endpoint_type = var.dynamodb_endpoint_type
   service_name      = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+  vpc_endpoint_type = var.dynamodb_endpoint_type
+
+  security_group_ids  = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_security_group_ids : null
+  subnet_ids          = var.dynamodb_endpoint_type == "Interface" ? coalescelist(var.dynamodb_endpoint_subnet_ids, aws_subnet.private.*.id) : null
+  private_dns_enabled = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_private_dns_enabled : null
 
   tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint ? local.nat_gateway_count : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && var.dynamodb_endpoint_type == "Gateway" ? local.nat_gateway_count : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = element(aws_route_table.private.*.id, count.index)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "intra_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.intra_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = element(aws_route_table.intra.*.id, 0)
 }
 
 resource "aws_vpc_endpoint_route_table_association" "public_dynamodb" {
-  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 ? 1 : 0
+  count = var.create_vpc && var.enable_dynamodb_endpoint && length(var.public_subnets) > 0 && var.dynamodb_endpoint_type == "Gateway" ? 1 : 0
 
   vpc_endpoint_id = aws_vpc_endpoint.dynamodb[0].id
   route_table_id  = aws_route_table.public[0].id