Commit 93a6f40d authored by Bryant Biggs, committed by GitHub

feat: add vpc endpoint policies to supported services (#601)

* feat: add vpc endpoint policies to supported services

* chore: empty commit to re-run

* chore: Run pre-commit terraform_docs hook
Co-authored-by: Anton Babenko <anton@antonbabenko.com>
parent bbfd33e4
......@@ -245,51 +245,54 @@ No Modules.
| Name |
|------|
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
| [aws_customer_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/customer_gateway) |
| [aws_db_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/db_subnet_group) |
| [aws_default_network_acl](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_network_acl) |
| [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_security_group) |
| [aws_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/default_vpc) |
| [aws_egress_only_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/egress_only_internet_gateway) |
| [aws_eip](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/eip) |
| [aws_elasticache_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/elasticache_subnet_group) |
| [aws_flow_log](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/flow_log) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
| [aws_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/internet_gateway) |
| [aws_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/nat_gateway) |
| [aws_network_acl_rule](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/network_acl_rule) |
| [aws_network_acl](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/network_acl) |
| [aws_redshift_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/redshift_subnet_group) |
| [aws_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route_table_association) |
| [aws_route_table](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route_table) |
| [aws_route](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/route) |
| [aws_subnet](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/subnet) |
| [aws_vpc_dhcp_options_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_dhcp_options_association) |
| [aws_vpc_dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_dhcp_options) |
| [aws_vpc_endpoint_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_endpoint_route_table_association) |
| [aws_vpc_endpoint_service](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/vpc_endpoint_service) |
| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_endpoint) |
| [aws_vpc_ipv4_cidr_block_association](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc_ipv4_cidr_block_association) |
| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpc) |
| [aws_vpn_gateway_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway_attachment) |
| [aws_vpn_gateway_route_propagation](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway_route_propagation) |
| [aws_vpn_gateway](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/vpn_gateway) |
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
| [aws_customer_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) |
| [aws_db_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_subnet_group) |
| [aws_default_network_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) |
| [aws_default_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) |
| [aws_default_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) |
| [aws_egress_only_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) |
| [aws_eip](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) |
| [aws_elasticache_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) |
| [aws_flow_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
| [aws_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/internet_gateway) |
| [aws_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) |
| [aws_network_acl](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) |
| [aws_network_acl_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) |
| [aws_redshift_subnet_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_subnet_group) |
| [aws_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) |
| [aws_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) |
| [aws_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) |
| [aws_subnet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet) |
| [aws_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc) |
| [aws_vpc_dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options) |
| [aws_vpc_dhcp_options_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_dhcp_options_association) |
| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) |
| [aws_vpc_endpoint_route_table_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) |
| [aws_vpc_endpoint_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) |
| [aws_vpc_ipv4_cidr_block_association](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_ipv4_cidr_block_association) |
| [aws_vpn_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway) |
| [aws_vpn_gateway_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_attachment) |
| [aws_vpn_gateway_route_propagation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_gateway_route_propagation) |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| access\_analyzer\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| access\_analyzer\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint | `bool` | `false` | no |
| access\_analyzer\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Access Analyzer endpoint | `list(string)` | `[]` | no |
| access\_analyzer\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Access Analyzer endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
| acm\_pca\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| acm\_pca\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint | `bool` | `false` | no |
| acm\_pca\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ACM PCA endpoint | `list(string)` | `[]` | no |
| acm\_pca\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ACM PCA endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| amazon\_side\_asn | The Autonomous System Number (ASN) for the Amazon side of the gateway. By default the virtual private gateway is created with the current default Amazon ASN. | `string` | `"64512"` | no |
| apigw\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| apigw\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint | `bool` | `false` | no |
| apigw\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for API GW endpoint | `list(string)` | `[]` | no |
| apigw\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for API GW endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
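Review bot: the new `access_analyzer_endpoint_policy`, `acm_pca_endpoint_policy` and `apigw_endpoint_policy` rows describe the variable only as "A policy to attach to the endpoint that controls access to the service. Defaults to full access" while the Default column shows `null`, and the reader has to guess how the two fit together. Spell it out: the value is a JSON IAM policy document (a `string`), and `null` means the module passes no `policy` to `aws_vpc_endpoint`, so AWS attaches its default endpoint policy, which grants every principal full access to the service through the endpoint. Something like "JSON IAM policy document to attach to the endpoint. When null, the AWS default endpoint policy (full access) applies." would do. Separately, the resource table in the same hunk moves every link from `.../hashicorp/aws/2.70/docs/...` to `.../hashicorp/aws/latest/docs/...`; `latest` will drift from the provider version the module is actually pinned to, so confirm this is the intended terraform_docs setting rather than a side effect of the hook re-run mentioned in the commit message.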
......@@ -303,14 +306,17 @@ No Modules.
| appstream\_streaming\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for AppStream Streaming endpoint | `list(string)` | `[]` | no |
| appstream\_streaming\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for AppStream Streaming endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| assign\_ipv6\_address\_on\_creation | Assign IPv6 address on subnet, must be disabled to change IPv6 CIDRs. This is the IPv6 equivalent of map\_public\_ip\_on\_launch | `bool` | `false` | no |
| athena\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| athena\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint | `bool` | `false` | no |
| athena\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Athena endpoint | `list(string)` | `[]` | no |
| athena\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Athena endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| auto\_scaling\_plans\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| auto\_scaling\_plans\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint | `bool` | `false` | no |
| auto\_scaling\_plans\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Auto Scaling Plans endpoint | `list(string)` | `[]` | no |
| auto\_scaling\_plans\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
| azs | A list of availability zones names or ids in the region | `list(string)` | `[]` | no |
| cidr | The CIDR block for the VPC. Default value is a valid CIDR, but not acceptable by AWS and should be overridden | `string` | `"0.0.0.0/0"` | no |
| cloud\_directory\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| cloud\_directory\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint | `bool` | `false` | no |
| cloud\_directory\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Cloud Directory endpoint | `list(string)` | `[]` | no |
| cloud\_directory\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Cloud Directory endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
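Review bot: the descriptions of `auto_scaling_plans_endpoint_subnet_ids` and `cloud_directory_endpoint_subnet_ids` in this hunk read "Ifomitted, private subnets will be used." (missing space); the same typo appears in the `access_analyzer`, `ebs`, `efs` and `emr` subnet_ids rows elsewhere in this diff. Since the README is generated by the terraform_docs pre-commit hook (per the commit message), the fix belongs in the `description` of those variables, otherwise the next hook run puts the typo straight back.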
......@@ -326,9 +332,11 @@ No Modules.
| codeartifact\_repositories\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codeartifact repositories endpoint | `bool` | `false` | no |
| codeartifact\_repositories\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codeartifact repositories endpoint | `list(string)` | `[]` | no |
| codeartifact\_repositories\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codeartifact repositories endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codebuild\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| codebuild\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint | `bool` | `false` | no |
| codebuild\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codebuild endpoint | `list(string)` | `[]` | no |
| codebuild\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codebuilt endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| codecommit\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| codecommit\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint | `bool` | `false` | no |
| codecommit\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Codecommit endpoint | `list(string)` | `[]` | no |
| codecommit\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Codecommit endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
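Review bot: the `codebuild_endpoint_subnet_ids` description says "Codebuilt endpoint"; it should read "Codebuild endpoint" to match the other two codebuild rows directly above it. As with the other generated rows, correct the variable `description`, not the README.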
......@@ -395,6 +403,7 @@ No Modules.
| dms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint | `bool` | `false` | no |
| dms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DMS endpoint | `list(string)` | `[]` | no |
| dms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| dynamodb\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| dynamodb\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DynamoDB interface endpoint | `bool` | `false` | no |
| dynamodb\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DynamoDB interface endpoint | `list(string)` | `[]` | no |
| dynamodb\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DynamoDB interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
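Review bot: the three existing DynamoDB rows describe the "DynamoDB interface endpoint", while the new `dynamodb_endpoint_policy` row uses the generic description shared by every other service. An endpoint policy applies to gateway endpoints as well as interface endpoints, so the description should say which DynamoDB endpoint(s) the module attaches this policy to; as written, a reader may assume it only takes effect when the interface endpoint is in use.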
......@@ -402,18 +411,22 @@ No Modules.
| ebs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no |
| ebs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no |
| ebs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
| ec2\_autoscaling\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| ec2\_autoscaling\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint | `bool` | `false` | no |
| ec2\_autoscaling\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 Autoscaling endpoint | `list(string)` | `[]` | no |
| ec2\_autoscaling\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 Autoscaling endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| ec2\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| ec2\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint | `bool` | `false` | no |
| ec2\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2 endpoint | `list(string)` | `[]` | no |
| ec2\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| ec2messages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EC2MESSAGES endpoint | `bool` | `false` | no |
| ec2messages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EC2MESSAGES endpoint | `list(string)` | `[]` | no |
| ec2messages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EC2MESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| ecr\_api\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| ecr\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint | `bool` | `false` | no |
| ecr\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR API endpoint | `list(string)` | `[]` | no |
| ecr\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR api endpoint. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| ecr\_dkr\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | `bool` | `false` | no |
| ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | `list(string)` | `[]` | no |
| ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
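Review bot: the `ecr_api_endpoint_subnet_ids` and `ecr_dkr_endpoint_subnet_ids` descriptions break the pattern used by every other row in this table: they say "ECR api endpoint" and "ECR dkr endpoint" in lowercase and omit the sentence "Only a single subnet within an AZ is supported." Align them with the neighbouring rows, e.g. "The ID of one or more subnets in which to create a network interface for ECR API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used."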
......@@ -426,6 +439,7 @@ No Modules.
| ecs\_telemetry\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECS Telemetry endpoint | `bool` | `false` | no |
| ecs\_telemetry\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECS Telemetry endpoint | `list(string)` | `[]` | no |
| ecs\_telemetry\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| efs\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| efs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint | `bool` | `false` | no |
| efs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EFS endpoint | `list(string)` | `[]` | no |
| efs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EFS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
......@@ -442,15 +456,18 @@ No Modules.
| elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
| elasticache\_subnet\_tags | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
| elasticache\_subnets | A list of elasticache subnets | `list(string)` | `[]` | no |
| elasticbeanstalk\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| elasticbeanstalk\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint | `bool` | `false` | no |
| elasticbeanstalk\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk endpoint | `list(string)` | `[]` | no |
| elasticbeanstalk\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| elasticbeanstalk\_health\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk Health endpoint | `bool` | `false` | no |
| elasticbeanstalk\_health\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Beanstalk Health endpoint | `list(string)` | `[]` | no |
| elasticbeanstalk\_health\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| elasticloadbalancing\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| elasticloadbalancing\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint | `bool` | `false` | no |
| elasticloadbalancing\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Elastic Load Balancing endpoint | `list(string)` | `[]` | no |
| elasticloadbalancing\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| emr\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| emr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint | `bool` | `false` | no |
| emr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EMR endpoint | `list(string)` | `[]` | no |
| emr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EMR endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
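Review bot: `elasticbeanstalk_health` gets no `_endpoint_policy` row in this hunk while `elasticbeanstalk`, `elasticloadbalancing` and `emr` do, and the same gap exists for `ec2messages` earlier in the diff and `lambda` later. If these are deliberate because the service does not support endpoint policies (the commit title says "supported services"), a short list of the endpoints that intentionally have no policy variable, with the reason, belongs in the README; otherwise the omissions read as missing variables and will come back as issues.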
......@@ -533,6 +550,7 @@ No Modules.
| enable\_transferserver\_endpoint | Should be true if you want to provision a Transfer Server endpoint to the VPC | `bool` | `false` | no |
| enable\_vpn\_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | `bool` | `false` | no |
| enable\_workspaces\_endpoint | Should be true if you want to provision an Workspaces endpoint to the VPC | `bool` | `false` | no |
| events\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| events\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint | `bool` | `false` | no |
| events\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Events endpoint | `list(string)` | `[]` | no |
| events\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
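Review bot: the context row `enable_workspaces_endpoint` reads "provision an Workspaces endpoint"; it should be "a Workspaces endpoint". Not introduced by this change, but since the variable descriptions are being touched anyway, it is a one-word fix in the variable `description`.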
......@@ -565,18 +583,22 @@ No Modules.
| intra\_subnet\_suffix | Suffix to append to intra subnets name | `string` | `"intra"` | no |
| intra\_subnet\_tags | Additional tags for the intra subnets | `map(string)` | `{}` | no |
| intra\_subnets | A list of intra subnets | `list(string)` | `[]` | no |
| kinesis\_firehose\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| kinesis\_firehose\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint | `bool` | `false` | no |
| kinesis\_firehose\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Firehose endpoint | `list(string)` | `[]` | no |
| kinesis\_firehose\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Firehose endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| kinesis\_streams\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| kinesis\_streams\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint | `bool` | `false` | no |
| kinesis\_streams\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Kinesis Streams endpoint | `list(string)` | `[]` | no |
| kinesis\_streams\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| kms\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| kms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint | `bool` | `false` | no |
| kms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for KMS endpoint | `list(string)` | `[]` | no |
| kms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for KMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| lambda\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Lambda endpoint | `bool` | `false` | no |
| lambda\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Lambda endpoint | `list(string)` | `[]` | no |
| lambda\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| logs\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| logs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint | `bool` | `false` | no |
| logs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Logs endpoint | `list(string)` | `[]` | no |
| logs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
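Review bot: `kms_endpoint_policy` and `logs_endpoint_policy` (and the kinesis rows above them) are typed as a bare `string` with default `null`, so a malformed policy document is only caught when `aws_vpc_endpoint` is applied. If the module's minimum Terraform version allows variable `validation` blocks, a check such as `condition = var.kms_endpoint_policy == null || can(jsondecode(var.kms_endpoint_policy))` with an error message like "must be null or a valid JSON policy document" fails the plan instead; KMS and CloudWatch Logs are the endpoints where users are most likely to hand in a restrictive, hand-written policy, so catching syntax errors early matters most there.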
......@@ -584,6 +606,7 @@ No Modules.
| manage\_default\_security\_group | Should be true to adopt and manage default security group | `bool` | `false` | no |
| manage\_default\_vpc | Should be true to adopt and manage Default VPC | `bool` | `false` | no |
| map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | `bool` | `true` | no |
| monitoring\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| monitoring\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint | `bool` | `false` | no |
| monitoring\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for CloudWatch Monitoring endpoint | `list(string)` | `[]` | no |
| monitoring\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
......@@ -631,25 +654,31 @@ No Modules.
| redshift\_subnet\_suffix | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
| redshift\_subnet\_tags | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
| redshift\_subnets | A list of redshift subnets | `list(string)` | `[]` | no |
| rekognition\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| rekognition\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint | `bool` | `false` | no |
| rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | `list(string)` | `[]` | no |
| rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
| s3\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| s3\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for S3 interface endpoint | `bool` | `false` | no |
| s3\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for S3 interface endpoint | `list(string)` | `[]` | no |
| s3\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for S3 interface endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| s3\_endpoint\_type | S3 VPC endpoint type. Note - S3 Interface type support is only available on AWS provider 3.10 and later | `string` | `"Gateway"` | no |
| sagemaker\_api\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | `bool` | `false` | no |
| sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | `list(string)` | `[]` | no |
| sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| sagemaker\_notebook\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sagemaker\_notebook\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint | `bool` | `false` | no |
| sagemaker\_notebook\_endpoint\_region | Region to use for Sagemaker Notebook endpoint | `string` | `""` | no |
| sagemaker\_notebook\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Sagemaker Notebook endpoint | `list(string)` | `[]` | no |
| sagemaker\_notebook\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Sagemaker Notebook endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| sagemaker\_runtime\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sagemaker\_runtime\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint | `bool` | `false` | no |
| sagemaker\_runtime\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker Runtime endpoint | `list(string)` | `[]` | no |
| sagemaker\_runtime\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| secondary\_cidr\_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
| secretsmanager\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| secretsmanager\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint | `bool` | `false` | no |
| secretsmanager\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Secrets Manager endpoint | `list(string)` | `[]` | no |
| secretsmanager\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
......@@ -663,9 +692,11 @@ No Modules.
| sms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SMS endpoint | `bool` | `false` | no |
| sms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SMS endpoint | `list(string)` | `[]` | no |
| sms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SMS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
| sns\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sns\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint | `bool` | `false` | no |
| sns\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SNS endpoint | `list(string)` | `[]` | no |
| sns\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SNS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| sqs\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sqs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint | `bool` | `false` | no |
| sqs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SQS endpoint | `list(string)` | `[]` | no |
| sqs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SQS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
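Review bot: the `sms_endpoint_subnet_ids` description in this hunk reads "Ifomitted" (missing space), and the same typo recurs in the `workspaces_endpoint_subnet_ids` row further down. These tables are produced by the terraform_docs hook, so the fix belongs in the `description` of the corresponding variables rather than in the README.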
......@@ -675,12 +706,14 @@ No Modules.
| ssmmessages\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SSMMESSAGES endpoint | `bool` | `false` | no |
| ssmmessages\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SSMMESSAGES endpoint | `list(string)` | `[]` | no |
| ssmmessages\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SSMMESSAGES endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| states\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| states\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint | `bool` | `false` | no |
| states\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Step Function endpoint | `list(string)` | `[]` | no |
| states\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Step Function endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| storagegateway\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Storage Gateway endpoint | `bool` | `false` | no |
| storagegateway\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Storage Gateway endpoint | `list(string)` | `[]` | no |
| storagegateway\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Storage Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
| sts\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| sts\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for STS endpoint | `bool` | `false` | no |
| sts\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for STS endpoint | `list(string)` | `[]` | no |
| sts\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for STS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
......@@ -701,6 +734,7 @@ No Modules.
| vpn\_gateway\_az | The Availability Zone for the VPN Gateway | `string` | `null` | no |
| vpn\_gateway\_id | ID of VPN Gateway to attach to the VPC | `string` | `""` | no |
| vpn\_gateway\_tags | Additional tags for the VPN gateway | `map(string)` | `{}` | no |
| workspaces\_endpoint\_policy | A policy to attach to the endpoint that controls access to the service. Defaults to full access | `string` | `null` | no |
| workspaces\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint | `bool` | `false` | no |
| workspaces\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Workspaces endpoint | `list(string)` | `[]` | no |
| workspaces\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Workspaces endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |

......@@ -40,7 +40,9 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name |
|------|
| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/3.10/docs/data-sources/security_group) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
| [aws_security_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) |
| [aws_vpc_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) |
## Inputs
......@@ -59,6 +59,7 @@ module "vpc" {
# VPC endpoint for DynamoDB
enable_dynamodb_endpoint = true
dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
# VPC endpoint for SSM
enable_ssm_endpoint = true
......@@ -77,6 +78,7 @@ module "vpc" {
# VPC Endpoint for EC2
enable_ec2_endpoint = true
ec2_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ec2_endpoint_private_dns_enabled = true
ec2_endpoint_security_group_ids = [data.aws_security_group.default.id]
......@@ -87,11 +89,13 @@ module "vpc" {
# VPC Endpoint for ECR API
enable_ecr_api_endpoint = true
ecr_api_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ecr_api_endpoint_private_dns_enabled = true
ecr_api_endpoint_security_group_ids = [data.aws_security_group.default.id]
# VPC Endpoint for ECR DKR
enable_ecr_dkr_endpoint = true
ecr_dkr_endpoint_policy = data.aws_iam_policy_document.generic_endpoint_policy.json
ecr_dkr_endpoint_private_dns_enabled = true
ecr_dkr_endpoint_security_group_ids = [data.aws_security_group.default.id]
......@@ -142,3 +146,49 @@ module "vpc" {
Endpoint = "true"
}
}
# Data source used to avoid race condition
data "aws_vpc_endpoint" "dynamodb" {
vpc_id = module.vpc.vpc_id
service_name = "com.amazonaws.eu-west-1.dynamodb"
}
data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
statement {
effect = "Deny"
actions = ["dynamodb:*"]
resources = ["*"]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "StringNotEquals"
variable = "aws:sourceVpce"
values = [data.aws_vpc_endpoint.dynamodb.id]
}
}
}
data "aws_iam_policy_document" "generic_endpoint_policy" {
statement {
effect = "Deny"
actions = ["*"]
resources = ["*"]
principals {
type = "*"
identifiers = ["*"]
}
condition {
test = "StringNotEquals"
variable = "aws:sourceVpce"
values = [data.aws_vpc_endpoint.dynamodb.id]
}
}
}
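Review bot: `generic_endpoint_policy` at the end of this hunk conditions on `aws:sourceVpce` being equal to `data.aws_vpc_endpoint.dynamodb.id`, yet the hunks above attach it to the EC2, ECR API and ECR DKR interface endpoints. A request through any of those endpoints carries that endpoint's own id in `aws:sourceVpce`, which never equals the DynamoDB endpoint id, so the `Deny` matches every request and those three endpoints become unusable. Because a policy cannot reference the id of the endpoint it is attached to before that endpoint exists, the usual approach is to condition on the VPC instead, e.g. `variable = "aws:SourceVpc"` with `values = [module.vpc.vpc_id]`; that works for the DynamoDB policy too and removes the need for the `aws_vpc_endpoint` data source. That data source is itself fragile on a fresh `terraform apply`: the module creates the DynamoDB endpoint with `policy = var.dynamodb_endpoint_policy`, which depends on the lookup, so the lookup runs before any such endpoint exists and fails instead of avoiding a race. The `service_name` also hard-codes `eu-west-1`; building it from `data.aws_region` keeps the example portable.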
......@@ -38,7 +38,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name |
|------|
| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/availability_zones) |
| [aws_availability_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) |
## Inputs
......@@ -47,12 +47,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP
| Name |
|------|
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/cloudwatch_log_group) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/data-sources/iam_policy_document) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_policy) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role_policy_attachment) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/2.70/docs/resources/iam_role) |
| [random_pet](https://registry.terraform.io/providers/hashicorp/random/2/docs/resources/pet) |
| [aws_cloudwatch_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) |
| [aws_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) |
| [aws_iam_policy_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) |
| [aws_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) |
| [aws_iam_role_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) |
| [random_pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) |
## Inputs
......@@ -340,6 +340,12 @@ variable "dynamodb_endpoint_private_dns_enabled" {
default = false
}
variable "dynamodb_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "enable_s3_endpoint" {
description = "Should be true if you want to provision an S3 endpoint to the VPC"
type = bool
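Review bot: the description of `dynamodb_endpoint_policy` (and of every other `*_endpoint_policy` variable this change adds with the same text) does not say what the string is expected to hold: a JSON IAM policy document, which is what the example passes via `data.aws_iam_policy_document.dynamodb_endpoint_policy.json`. Suggest "A JSON IAM policy document to attach to the endpoint that controls access to the service. Defaults to full access when null". If the module's minimum Terraform version allows `validation` blocks, `var.dynamodb_endpoint_policy == null || can(jsondecode(var.dynamodb_endpoint_policy))` would reject malformed input at plan time instead of at the API call.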
......@@ -370,6 +376,12 @@ variable "s3_endpoint_private_dns_enabled" {
default = false
}
variable "s3_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "enable_codeartifact_api_endpoint" {
description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
type = bool
......@@ -436,6 +448,12 @@ variable "codebuild_endpoint_subnet_ids" {
default = []
}
variable "codebuild_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "codebuild_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Codebuild endpoint"
type = bool
......@@ -460,6 +478,12 @@ variable "codecommit_endpoint_subnet_ids" {
default = []
}
variable "codecommit_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "codecommit_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Codecommit endpoint"
type = bool
......@@ -532,6 +556,12 @@ variable "sqs_endpoint_subnet_ids" {
default = []
}
variable "sqs_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sqs_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for SQS endpoint"
type = bool
......@@ -604,6 +634,12 @@ variable "secretsmanager_endpoint_subnet_ids" {
default = []
}
variable "secretsmanager_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "secretsmanager_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Secrets Manager endpoint"
type = bool
......@@ -622,6 +658,12 @@ variable "apigw_endpoint_security_group_ids" {
default = []
}
variable "apigw_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "apigw_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for API GW endpoint"
type = bool
......@@ -719,6 +761,12 @@ variable "ec2_endpoint_security_group_ids" {
default = []
}
variable "ec2_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "ec2_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 endpoint"
type = bool
......@@ -768,6 +816,12 @@ variable "ec2_autoscaling_endpoint_security_group_ids" {
default = []
}
variable "ec2_autoscaling_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "ec2_autoscaling_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for EC2 Autoscaling endpoint"
type = bool
......@@ -792,6 +846,12 @@ variable "ecr_api_endpoint_subnet_ids" {
default = []
}
variable "ecr_api_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "ecr_api_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for ECR API endpoint"
type = bool
......@@ -816,6 +876,12 @@ variable "ecr_dkr_endpoint_subnet_ids" {
default = []
}
variable "ecr_dkr_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "ecr_dkr_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint"
type = bool
......@@ -846,6 +912,12 @@ variable "kms_endpoint_subnet_ids" {
default = []
}
variable "kms_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "kms_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for KMS endpoint"
type = bool
......@@ -942,6 +1014,12 @@ variable "sns_endpoint_subnet_ids" {
default = []
}
variable "sns_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sns_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for SNS endpoint"
type = bool
......@@ -966,6 +1044,12 @@ variable "monitoring_endpoint_subnet_ids" {
default = []
}
variable "monitoring_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "monitoring_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Monitoring endpoint"
type = bool
......@@ -990,6 +1074,12 @@ variable "elasticloadbalancing_endpoint_subnet_ids" {
default = []
}
variable "elasticloadbalancing_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "elasticloadbalancing_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Load Balancing endpoint"
type = bool
......@@ -1014,6 +1104,12 @@ variable "events_endpoint_subnet_ids" {
default = []
}
variable "events_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "events_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Events endpoint"
type = bool
......@@ -1038,6 +1134,12 @@ variable "logs_endpoint_subnet_ids" {
default = []
}
variable "logs_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "logs_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for CloudWatch Logs endpoint"
type = bool
......@@ -1086,6 +1188,12 @@ variable "kinesis_streams_endpoint_subnet_ids" {
default = []
}
variable "kinesis_streams_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "kinesis_streams_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Streams endpoint"
type = bool
......@@ -1110,6 +1218,12 @@ variable "kinesis_firehose_endpoint_subnet_ids" {
default = []
}
variable "kinesis_firehose_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "kinesis_firehose_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Kinesis Firehose endpoint"
type = bool
......@@ -1164,6 +1278,12 @@ variable "sagemaker_notebook_endpoint_subnet_ids" {
default = []
}
variable "sagemaker_notebook_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sagemaker_notebook_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Sagemaker Notebook endpoint"
type = bool
......@@ -1188,6 +1308,12 @@ variable "sts_endpoint_subnet_ids" {
default = []
}
variable "sts_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sts_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for STS endpoint"
type = bool
......@@ -1350,6 +1476,12 @@ variable "sagemaker_api_endpoint_subnet_ids" {
default = []
}
variable "sagemaker_api_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sagemaker_api_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint"
type = bool
......@@ -1373,6 +1505,12 @@ variable "sagemaker_runtime_endpoint_subnet_ids" {
default = []
}
variable "sagemaker_runtime_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "sagemaker_runtime_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for SageMaker Runtime endpoint"
type = bool
......@@ -1445,6 +1583,12 @@ variable "athena_endpoint_subnet_ids" {
default = []
}
variable "athena_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "athena_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Athena endpoint"
type = bool
......@@ -1469,6 +1613,12 @@ variable "rekognition_endpoint_subnet_ids" {
default = []
}
variable "rekognition_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "rekognition_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Rekognition endpoint"
type = bool
......@@ -1493,6 +1643,12 @@ variable "efs_endpoint_subnet_ids" {
default = []
}
variable "efs_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "efs_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for EFS endpoint"
type = bool
......@@ -1517,6 +1673,12 @@ variable "cloud_directory_endpoint_subnet_ids" {
default = []
}
variable "cloud_directory_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "cloud_directory_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Cloud Directory endpoint"
type = bool
......@@ -1559,6 +1721,12 @@ variable "auto_scaling_plans_endpoint_subnet_ids" {
default = []
}
variable "auto_scaling_plans_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "auto_scaling_plans_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Auto Scaling Plans endpoint"
type = bool
......@@ -1589,6 +1757,12 @@ variable "workspaces_endpoint_subnet_ids" {
default = []
}
variable "workspaces_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "workspaces_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Workspaces endpoint"
type = bool
......@@ -1613,6 +1787,12 @@ variable "access_analyzer_endpoint_subnet_ids" {
default = []
}
variable "access_analyzer_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "access_analyzer_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Access Analyzer endpoint"
type = bool
......@@ -1733,6 +1913,12 @@ variable "emr_endpoint_subnet_ids" {
default = []
}
variable "emr_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "emr_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for EMR endpoint"
type = bool
......@@ -1781,6 +1967,12 @@ variable "elasticbeanstalk_endpoint_subnet_ids" {
default = []
}
variable "elasticbeanstalk_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "elasticbeanstalk_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Elastic Beanstalk endpoint"
type = bool
......@@ -1829,14 +2021,14 @@ variable "states_endpoint_subnet_ids" {
default = []
}
variable "states_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint"
type = bool
default = false
variable "states_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "enable_acm_pca_endpoint" {
description = "Should be true if you want to provision an ACM PCA endpoint to the VPC"
variable "states_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for Step Function endpoint"
type = bool
default = false
}
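Review bot: besides adding `states_endpoint_policy`, this hunk moves `enable_acm_pca_endpoint` (together with `states_endpoint_private_dns_enabled`) out from between the `states_*` variables; the `enable_acm_pca_endpoint` block is re-inserted after `codedeploy_commands_secure_endpoint_private_dns_enabled` in the following hunk. The reordering is unrelated to the feature and makes the diff harder to read; it would be cleaner as its own commit, or at least called out in the commit message so reviewers know no variable was actually dropped.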
......@@ -1913,6 +2105,12 @@ variable "codedeploy_commands_secure_endpoint_private_dns_enabled" {
default = false
}
variable "enable_acm_pca_endpoint" {
description = "Should be true if you want to provision an ACM PCA endpoint to the VPC"
type = bool
default = false
}
variable "acm_pca_endpoint_security_group_ids" {
description = "The ID of one or more security groups to associate with the network interface for ACM PCA endpoint"
type = list(string)
......@@ -1925,6 +2123,12 @@ variable "acm_pca_endpoint_subnet_ids" {
default = []
}
variable "acm_pca_endpoint_policy" {
description = "A policy to attach to the endpoint that controls access to the service. Defaults to full access"
type = string
default = null
}
variable "acm_pca_endpoint_private_dns_enabled" {
description = "Whether or not to associate a private hosted zone with the specified VPC for ACM PCA endpoint"
type = bool
......
......@@ -22,6 +22,7 @@ resource "aws_vpc_endpoint" "s3" {
security_group_ids = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null
subnet_ids = var.s3_endpoint_type == "Interface" ? coalescelist(var.s3_endpoint_subnet_ids, aws_subnet.private.*.id) : null
policy = var.s3_endpoint_policy
private_dns_enabled = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_private_dns_enabled : null
tags = local.vpce_tags
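Review bot: `policy = var.s3_endpoint_policy` is set unconditionally while the neighbouring arguments are gated on `var.s3_endpoint_type == "Interface"`. That is correct, because both Gateway and Interface endpoints accept an endpoint policy, but a one-line comment saying so would stop a later contributor from "fixing" it by adding the same conditional. The README should also spell out that with the default `null` the S3 endpoint keeps the AWS default policy, which allows access to any bucket; users who add the endpoint to keep traffic private still need to supply a policy if they want to limit which buckets (for example only those in their own account) are reachable through it. The same applies to the `dynamodb` hunk below.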
......@@ -72,6 +73,7 @@ resource "aws_vpc_endpoint" "dynamodb" {
security_group_ids = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_security_group_ids : null
subnet_ids = var.dynamodb_endpoint_type == "Interface" ? coalescelist(var.dynamodb_endpoint_subnet_ids, aws_subnet.private.*.id) : null
policy = var.dynamodb_endpoint_policy
private_dns_enabled = var.dynamodb_endpoint_type == "Interface" ? var.dynamodb_endpoint_private_dns_enabled : null
tags = local.vpce_tags
......@@ -117,6 +119,7 @@ resource "aws_vpc_endpoint" "codebuild" {
security_group_ids = var.codebuild_endpoint_security_group_ids
subnet_ids = coalescelist(var.codebuild_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.codebuild_endpoint_policy
private_dns_enabled = var.codebuild_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -139,6 +142,7 @@ resource "aws_vpc_endpoint" "codecommit" {
security_group_ids = var.codecommit_endpoint_security_group_ids
subnet_ids = coalescelist(var.codecommit_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.codecommit_endpoint_policy
private_dns_enabled = var.codecommit_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -205,6 +209,7 @@ resource "aws_vpc_endpoint" "sqs" {
security_group_ids = var.sqs_endpoint_security_group_ids
subnet_ids = coalescelist(var.sqs_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sqs_endpoint_policy
private_dns_enabled = var.sqs_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -248,6 +253,7 @@ resource "aws_vpc_endpoint" "secretsmanager" {
security_group_ids = var.secretsmanager_endpoint_security_group_ids
subnet_ids = coalescelist(var.secretsmanager_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.secretsmanager_endpoint_policy
private_dns_enabled = var.secretsmanager_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -314,6 +320,7 @@ resource "aws_vpc_endpoint" "ec2" {
security_group_ids = var.ec2_endpoint_security_group_ids
subnet_ids = coalescelist(var.ec2_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.ec2_endpoint_policy
private_dns_enabled = var.ec2_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -358,6 +365,7 @@ resource "aws_vpc_endpoint" "ec2_autoscaling" {
security_group_ids = var.ec2_autoscaling_endpoint_security_group_ids
subnet_ids = coalescelist(var.ec2_autoscaling_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.ec2_autoscaling_endpoint_policy
private_dns_enabled = var.ec2_autoscaling_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -403,6 +411,7 @@ resource "aws_vpc_endpoint" "ecr_api" {
security_group_ids = var.ecr_api_endpoint_security_group_ids
subnet_ids = coalescelist(var.ecr_api_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.ecr_api_endpoint_policy
private_dns_enabled = var.ecr_api_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -425,6 +434,7 @@ resource "aws_vpc_endpoint" "ecr_dkr" {
security_group_ids = var.ecr_dkr_endpoint_security_group_ids
subnet_ids = coalescelist(var.ecr_dkr_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.ecr_dkr_endpoint_policy
private_dns_enabled = var.ecr_dkr_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -447,6 +457,7 @@ resource "aws_vpc_endpoint" "apigw" {
security_group_ids = var.apigw_endpoint_security_group_ids
subnet_ids = coalescelist(var.apigw_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.apigw_endpoint_policy
private_dns_enabled = var.apigw_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -469,6 +480,7 @@ resource "aws_vpc_endpoint" "kms" {
security_group_ids = var.kms_endpoint_security_group_ids
subnet_ids = coalescelist(var.kms_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.kms_endpoint_policy
private_dns_enabled = var.kms_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -560,6 +572,7 @@ resource "aws_vpc_endpoint" "sns" {
security_group_ids = var.sns_endpoint_security_group_ids
subnet_ids = coalescelist(var.sns_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sns_endpoint_policy
private_dns_enabled = var.sns_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -583,6 +596,7 @@ resource "aws_vpc_endpoint" "monitoring" {
security_group_ids = var.monitoring_endpoint_security_group_ids
subnet_ids = coalescelist(var.monitoring_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.monitoring_endpoint_policy
private_dns_enabled = var.monitoring_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -606,6 +620,7 @@ resource "aws_vpc_endpoint" "logs" {
security_group_ids = var.logs_endpoint_security_group_ids
subnet_ids = coalescelist(var.logs_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.logs_endpoint_policy
private_dns_enabled = var.logs_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -629,6 +644,7 @@ resource "aws_vpc_endpoint" "events" {
security_group_ids = var.events_endpoint_security_group_ids
subnet_ids = coalescelist(var.events_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.events_endpoint_policy
private_dns_enabled = var.events_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -652,6 +668,7 @@ resource "aws_vpc_endpoint" "elasticloadbalancing" {
security_group_ids = var.elasticloadbalancing_endpoint_security_group_ids
subnet_ids = coalescelist(var.elasticloadbalancing_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.elasticloadbalancing_endpoint_policy
private_dns_enabled = var.elasticloadbalancing_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -698,6 +715,7 @@ resource "aws_vpc_endpoint" "kinesis_streams" {
security_group_ids = var.kinesis_streams_endpoint_security_group_ids
subnet_ids = coalescelist(var.kinesis_streams_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.kinesis_streams_endpoint_policy
private_dns_enabled = var.kinesis_streams_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -721,6 +739,7 @@ resource "aws_vpc_endpoint" "kinesis_firehose" {
security_group_ids = var.kinesis_firehose_endpoint_security_group_ids
subnet_ids = coalescelist(var.kinesis_firehose_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.kinesis_firehose_endpoint_policy
private_dns_enabled = var.kinesis_firehose_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -765,6 +784,7 @@ resource "aws_vpc_endpoint" "sagemaker_notebook" {
security_group_ids = var.sagemaker_notebook_endpoint_security_group_ids
subnet_ids = coalescelist(var.sagemaker_notebook_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sagemaker_notebook_endpoint_policy
private_dns_enabled = var.sagemaker_notebook_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -787,6 +807,7 @@ resource "aws_vpc_endpoint" "sts" {
security_group_ids = var.sts_endpoint_security_group_ids
subnet_ids = coalescelist(var.sts_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sts_endpoint_policy
private_dns_enabled = var.sts_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -935,6 +956,7 @@ resource "aws_vpc_endpoint" "sagemaker_api" {
security_group_ids = var.sagemaker_api_endpoint_security_group_ids
subnet_ids = coalescelist(var.sagemaker_api_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sagemaker_api_endpoint_policy
private_dns_enabled = var.sagemaker_api_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -956,6 +978,7 @@ resource "aws_vpc_endpoint" "sagemaker_runtime" {
security_group_ids = var.sagemaker_runtime_endpoint_security_group_ids
subnet_ids = coalescelist(var.sagemaker_runtime_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.sagemaker_runtime_endpoint_policy
private_dns_enabled = var.sagemaker_runtime_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -1022,6 +1045,7 @@ resource "aws_vpc_endpoint" "athena" {
security_group_ids = var.athena_endpoint_security_group_ids
subnet_ids = coalescelist(var.athena_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.athena_endpoint_policy
private_dns_enabled = var.athena_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -1044,6 +1068,7 @@ resource "aws_vpc_endpoint" "rekognition" {
security_group_ids = var.rekognition_endpoint_security_group_ids
subnet_ids = coalescelist(var.rekognition_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.rekognition_endpoint_policy
private_dns_enabled = var.rekognition_endpoint_private_dns_enabled
tags = local.vpce_tags
}
......@@ -1066,9 +1091,9 @@ resource "aws_vpc_endpoint" "efs" {
security_group_ids = var.efs_endpoint_security_group_ids
subnet_ids = coalescelist(var.efs_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.efs_endpoint_policy
private_dns_enabled = var.efs_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
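Review bot: in addition to the new `policy` line, this hunk drops a second `tags = local.vpce_tags` line that was duplicated in the `efs` resource (the hunk header's `-1066,9 +1091,9` shows one line added and one removed). The same removal recurs in the cloud_directory, auto_scaling_plans, workspaces, access_analyzer, emr, states, elasticbeanstalk and acm_pca hunks and in the tags-only hunks further down. A redefined argument is rejected by Terraform's HCL2 parser ("Attribute redefined"), so this is a bug fix rather than a tidy-up and deserves its own line in the commit message and CHANGELOG.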
......@@ -1089,9 +1114,9 @@ resource "aws_vpc_endpoint" "cloud_directory" {
security_group_ids = var.cloud_directory_endpoint_security_group_ids
subnet_ids = coalescelist(var.cloud_directory_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.cloud_directory_endpoint_policy
private_dns_enabled = var.cloud_directory_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1112,9 +1137,9 @@ resource "aws_vpc_endpoint" "auto_scaling_plans" {
security_group_ids = var.auto_scaling_plans_endpoint_security_group_ids
subnet_ids = coalescelist(var.auto_scaling_plans_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.auto_scaling_plans_endpoint_policy
private_dns_enabled = var.auto_scaling_plans_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1135,9 +1160,9 @@ resource "aws_vpc_endpoint" "workspaces" {
security_group_ids = var.workspaces_endpoint_security_group_ids
subnet_ids = coalescelist(var.workspaces_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.workspaces_endpoint_policy
private_dns_enabled = var.workspaces_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1158,9 +1183,9 @@ resource "aws_vpc_endpoint" "access_analyzer" {
security_group_ids = var.access_analyzer_endpoint_security_group_ids
subnet_ids = coalescelist(var.access_analyzer_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.access_analyzer_endpoint_policy
private_dns_enabled = var.access_analyzer_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1182,8 +1207,7 @@ resource "aws_vpc_endpoint" "ebs" {
security_group_ids = var.ebs_endpoint_security_group_ids
subnet_ids = coalescelist(var.ebs_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.ebs_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
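Review bot: this hunk, like the datasync, elastic_inference_runtime, sms, qldb_session, elasticbeanstalk_health, ses, rds, codedeploy, codedeploy_commands_secure, textract, codeartifact_api, codeartifact_repositories and dms hunks below, only removes the duplicated `tags` line and adds no `policy` argument, so these endpoints remain without a configurable policy. The commit title says "supported services", which presumably means these services do not currently accept endpoint policies; please record that list and the reason in the README so users do not go looking for an `ebs_endpoint_policy` variable, and so the list can be revisited when AWS adds policy support for them.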
......@@ -1205,8 +1229,7 @@ resource "aws_vpc_endpoint" "datasync" {
security_group_ids = var.datasync_endpoint_security_group_ids
subnet_ids = coalescelist(var.datasync_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.datasync_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1228,8 +1251,7 @@ resource "aws_vpc_endpoint" "elastic_inference_runtime" {
security_group_ids = var.elastic_inference_runtime_endpoint_security_group_ids
subnet_ids = coalescelist(var.elastic_inference_runtime_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.elastic_inference_runtime_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1251,8 +1273,7 @@ resource "aws_vpc_endpoint" "sms" {
security_group_ids = var.sms_endpoint_security_group_ids
subnet_ids = coalescelist(var.sms_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.sms_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1273,9 +1294,9 @@ resource "aws_vpc_endpoint" "emr" {
security_group_ids = var.emr_endpoint_security_group_ids
subnet_ids = coalescelist(var.emr_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.emr_endpoint_policy
private_dns_enabled = var.emr_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1297,8 +1318,7 @@ resource "aws_vpc_endpoint" "qldb_session" {
security_group_ids = var.qldb_session_endpoint_security_group_ids
subnet_ids = coalescelist(var.qldb_session_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.qldb_session_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################
......@@ -1319,9 +1339,9 @@ resource "aws_vpc_endpoint" "states" {
security_group_ids = var.states_endpoint_security_group_ids
subnet_ids = coalescelist(var.states_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.states_endpoint_policy
private_dns_enabled = var.states_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################
......@@ -1342,9 +1362,9 @@ resource "aws_vpc_endpoint" "elasticbeanstalk" {
security_group_ids = var.elasticbeanstalk_endpoint_security_group_ids
subnet_ids = coalescelist(var.elasticbeanstalk_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.elasticbeanstalk_endpoint_policy
private_dns_enabled = var.elasticbeanstalk_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################
......@@ -1366,8 +1386,7 @@ resource "aws_vpc_endpoint" "elasticbeanstalk_health" {
security_group_ids = var.elasticbeanstalk_health_endpoint_security_group_ids
subnet_ids = coalescelist(var.elasticbeanstalk_health_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.elasticbeanstalk_health_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################
......@@ -1388,9 +1407,9 @@ resource "aws_vpc_endpoint" "acm_pca" {
security_group_ids = var.acm_pca_endpoint_security_group_ids
subnet_ids = coalescelist(var.acm_pca_endpoint_subnet_ids, aws_subnet.private.*.id)
policy = var.acm_pca_endpoint_policy
private_dns_enabled = var.acm_pca_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#######################
......@@ -1412,8 +1431,7 @@ resource "aws_vpc_endpoint" "ses" {
security_group_ids = var.ses_endpoint_security_group_ids
subnet_ids = coalescelist(var.ses_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.ses_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
######################
......@@ -1435,8 +1453,7 @@ resource "aws_vpc_endpoint" "rds" {
security_group_ids = var.rds_endpoint_security_group_ids
subnet_ids = coalescelist(var.rds_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.rds_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################
......@@ -1458,8 +1475,7 @@ resource "aws_vpc_endpoint" "codedeploy" {
security_group_ids = var.codedeploy_endpoint_security_group_ids
subnet_ids = coalescelist(var.codedeploy_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.codedeploy_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################################
......@@ -1481,8 +1497,7 @@ resource "aws_vpc_endpoint" "codedeploy_commands_secure" {
security_group_ids = var.codedeploy_commands_secure_endpoint_security_group_ids
subnet_ids = coalescelist(var.codedeploy_commands_secure_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.codedeploy_commands_secure_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################################
......@@ -1504,8 +1519,7 @@ resource "aws_vpc_endpoint" "textract" {
security_group_ids = var.textract_endpoint_security_group_ids
subnet_ids = coalescelist(var.textract_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.textract_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################################
......@@ -1527,8 +1541,7 @@ resource "aws_vpc_endpoint" "codeartifact_api" {
security_group_ids = var.codeartifact_api_endpoint_security_group_ids
subnet_ids = coalescelist(var.codeartifact_api_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.codeartifact_api_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
#############################################
......@@ -1550,8 +1563,7 @@ resource "aws_vpc_endpoint" "codeartifact_repositories" {
security_group_ids = var.codeartifact_repositories_endpoint_security_group_ids
subnet_ids = coalescelist(var.codeartifact_repositories_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.codeartifact_repositories_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}
......@@ -1574,6 +1586,5 @@ resource "aws_vpc_endpoint" "dms" {
security_group_ids = var.dms_endpoint_security_group_ids
subnet_ids = coalescelist(var.dms_endpoint_subnet_ids, aws_subnet.private.*.id)
private_dns_enabled = var.dms_endpoint_private_dns_enabled
tags = local.vpce_tags
tags = local.vpce_tags
}