refactor: remove existing vpc endpoint configurations from base module and...

refactor: remove existing vpc endpoint configurations from base module and move into sub-module (#635)

refactor: remove existing vpc endpoint configurations from base module and...
refactor: remove existing vpc endpoint configurations from base module and move into sub-module (#635)
a98422ba · Bryant Biggs · GitHub · 43edd440 · a98422ba · a98422ba
Commit a98422ba authored Apr 26, 2021 by Bryant Biggs Committed by GitHub Apr 26, 2021
61 changed files
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
 repos:
  - repo: git://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.48.0
+    rev: v1.50.0
    hooks:
      - id: terraform_fmt
      - id: terraform_validate

--- a/README.md
+++ b/README.md
--- a/UPGRADE-3.0.md
+++ b/UPGRADE-3.0.md
+# Upgrade from v2.x to v3.x
+If you have any questions regarding this upgrade process, please consult the `examples` directory:
+- [Complete-VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc)
+If you find a bug, please open an issue with supporting configuration to reproduce.
+## List of backwards incompatible changes
+Previously, VPC endpoints were configured as standalone resources with their own set of variables and attributes. Now, this functionality is provided via a module which loops over a map of maps using `for_each` to generate the desired VPC endpoints. Therefore, to maintain the existing set of functionality while upgrading, you will need to perform the following changes:
+1. Move the endpoint resource from the main module to the sub-module. The example state move below is valid for all endpoints you might have configured (reference [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) example for reference), where `ssmmessages` should be updated for and state move performed for each endpoint configured:
+```
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssm[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssm"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ssmmessages[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ssmmessages"]'
+terraform state mv 'module.vpc.aws_vpc_endpoint.ec2[0]' 'module.vpc_endpoints.aws_vpc_endpoint.this["ec2"]'
+...
+```
+2. Remove the gateway endpoint route table association separate resources. The route table associations are now managed in the VPC endpoint resource itself via the map of maps provided to the VPC endpoint sub-module. Perform the necessary removals for each route table association and for S3 and/or DynamoDB depending on your configuration:
+```
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.intra_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.private_dynamodb[0]'
+terraform state rm 'module.vpc.aws_vpc_endpoint_route_table_association.public_dynamodb[0]'
+...
+```
+### Variable and output changes
+1. Removed variables:
+   - `enable_*_endpoint`
+   - `*_endpoint_type`
+   - `*_endpoint_security_group_ids`
+   - `*_endpoint_subnet_ids`
+   - `*_endpoint_private_dns_enabled`
+   - `*_endpoint_policy`
+2. Renamed variables:
+See the [VPC endpoint sub-module](modules/vpc-endpoints) for the more information on the variables to utilize for VPC endpoints
+3. Removed outputs:
+   - `vpc_endpoint_*`
+4. Renamed outputs:
+VPC endpoint outputs are now provided via the VPC endpoint sub-module and can be accessed via lookups. See [`complete-vpc`](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) for further examples of how to access VPC endpoint attributes from outputs
--- a/examples/complete-vpc/README.md
+++ b/examples/complete-vpc/README.md
@@ -21,20 +21,22 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.10 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.10 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15 |
 ## Modules
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ |  |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | ../../modules/vpc-endpoints |  |
+| <a name="module_vpc_endpoints_nocreate"></a> [vpc\_endpoints\_nocreate](#module\_vpc\_endpoints\_nocreate) | ../../modules/vpc-endpoints |  |
 ## Resources
@@ -43,7 +45,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | [aws_iam_policy_document.dynamodb_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.generic_endpoint_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
-| [aws_vpc_endpoint.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source |
+| [aws_vpc_endpoint_service.dynamodb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
 ## Inputs

--- a/examples/complete-vpc/main.tf
+++ b/examples/complete-vpc/main.tf
@@ -2,19 +2,27 @@ provider "aws" {
  region = "eu-west-1"
 }
-data "aws_security_group" "default" {
+locals {
-  name   = "default"
+  name   = "complete-example"
-  vpc_id = module.vpc.vpc_id
+  region = "eu-west-1"
+  tags = {
+    Owner       = "user"
+    Environment = "staging"
+    Name        = "complete"
+  }
 }
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../../"
-  name = "complete-example"
+  name = local.name
  cidr = "20.10.0.0/16" # 10.0.0.0/8 is reserved for EC2-Classic
-  azs                 = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets     = ["20.10.1.0/24", "20.10.2.0/24", "20.10.3.0/24"]
  public_subnets      = ["20.10.11.0/24", "20.10.12.0/24", "20.10.13.0/24"]
  database_subnets    = ["20.10.21.0/24", "20.10.22.0/24", "20.10.23.0/24"]
@@ -53,80 +61,6 @@ module "vpc" {
  dhcp_options_domain_name         = "service.consul"
  dhcp_options_domain_name_servers = ["127.0.0.1", "10.10.0.2"]
-  # VPC endpoint for S3
-  # Note - S3 Interface type support is only available on AWS provider 3.10 and later
-  enable_s3_endpoint              = true
-  s3_endpoint_type                = "Interface"
-  s3_endpoint_private_dns_enabled = false
-  s3_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for DynamoDB
-  enable_dynamodb_endpoint = true
-  dynamodb_endpoint_policy = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
-  # VPC endpoint for SSM
-  enable_ssm_endpoint              = true
-  ssm_endpoint_private_dns_enabled = true
-  ssm_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for Lambda
-  enable_lambda_endpoint              = true
-  lambda_endpoint_private_dns_enabled = true
-  lambda_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for SSMMESSAGES
-  enable_ssmmessages_endpoint              = true
-  ssmmessages_endpoint_private_dns_enabled = true
-  ssmmessages_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC Endpoint for EC2
-  enable_ec2_endpoint              = true
-  ec2_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
-  ec2_endpoint_private_dns_enabled = true
-  ec2_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC Endpoint for EC2MESSAGES
-  enable_ec2messages_endpoint              = true
-  ec2messages_endpoint_private_dns_enabled = true
-  ec2messages_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC Endpoint for ECR API
-  enable_ecr_api_endpoint              = true
-  ecr_api_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
-  ecr_api_endpoint_private_dns_enabled = true
-  ecr_api_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC Endpoint for ECR DKR
-  enable_ecr_dkr_endpoint              = true
-  ecr_dkr_endpoint_policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
-  ecr_dkr_endpoint_private_dns_enabled = true
-  ecr_dkr_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for KMS
-  enable_kms_endpoint              = true
-  kms_endpoint_private_dns_enabled = true
-  kms_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for ECS
-  enable_ecs_endpoint              = true
-  ecs_endpoint_private_dns_enabled = true
-  ecs_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for ECS telemetry
-  enable_ecs_telemetry_endpoint              = true
-  ecs_telemetry_endpoint_private_dns_enabled = true
-  ecs_telemetry_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for CodeDeploy
-  enable_codedeploy_endpoint              = true
-  codedeploy_endpoint_private_dns_enabled = true
-  codedeploy_endpoint_security_group_ids  = [data.aws_security_group.default.id]
-  # VPC endpoint for CodeDeploy Commands Secure
-  enable_codedeploy_commands_secure_endpoint              = true
-  codedeploy_commands_secure_endpoint_private_dns_enabled = true
-  codedeploy_commands_secure_endpoint_security_group_ids  = [data.aws_security_group.default.id]
  # Default security group - ingress/egress rules cleared to deny all
  manage_default_security_group  = true
  default_security_group_ingress = []
@@ -138,22 +72,124 @@ module "vpc" {
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
-  tags = {
+  tags = local.tags
-    Owner       = "user"
+}
-    Environment = "staging"
-    Name        = "complete"
+################################################################################
+# VPC Endpoints Module
+################################################################################
+module "vpc_endpoints" {
+  source = "../../modules/vpc-endpoints"
+  vpc_id             = module.vpc.vpc_id
+  security_group_ids = [data.aws_security_group.default.id]
+  endpoints = {
+    s3 = {
+      service = "s3"
+      tags    = { Name = "s3-vpc-endpoint" }
+    },
+    dynamodb = {
+      service         = "dynamodb"
+      service_type    = "Gateway"
+      route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+      policy          = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
+      tags            = { Name = "dynamodb-vpc-endpoint" }
+    },
+    ssm = {
+      service             = "ssm"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ssmmessages = {
+      service             = "ssmmessages"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    lambda = {
+      service             = "lambda"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ecs = {
+      service             = "ecs"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ecs_telemetry = {
+      service             = "ecs-telemetry"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ec2 = {
+      service             = "ec2"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ec2messages = {
+      service             = "ec2messages"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ecr_api = {
+      service             = "ecr.api"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+      policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
+    },
+    ecr_dkr = {
+      service             = "ecr.dkr"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+      policy              = data.aws_iam_policy_document.generic_endpoint_policy.json
+    },
+    kms = {
+      service             = "kms"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    codedeploy = {
+      service             = "codedeploy"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    codedeploy_commands_secure = {
+      service             = "codedeploy-commands-secure"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
  }
-  vpc_endpoint_tags = {
+  tags = merge(local.tags, {
    Project  = "Secret"
    Endpoint = "true"
-  }
+  })
 }
-# Data source used to avoid race condition
+module "vpc_endpoints_nocreate" {
-data "aws_vpc_endpoint" "dynamodb" {
+  source = "../../modules/vpc-endpoints"
+  create = false
+}
+################################################################################
+# Supporting Resources
+################################################################################
+data "aws_security_group" "default" {
+  name   = "default"
  vpc_id = module.vpc.vpc_id
-  service_name = "com.amazonaws.eu-west-1.dynamodb"
+}
+# Data source used to avoid race condition
+data "aws_vpc_endpoint_service" "dynamodb" {
+  service = "dynamodb"
+  filter {
+    name   = "service-type"
+    values = ["Gateway"]
+  }
 }
 data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
@@ -171,7 +207,7 @@ data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
      test     = "StringNotEquals"
      variable = "aws:sourceVpce"
-      values = [data.aws_vpc_endpoint.dynamodb.id]
+      values = [data.aws_vpc_endpoint_service.dynamodb.id]
    }
  }
 }
@@ -191,7 +227,7 @@ data "aws_iam_policy_document" "generic_endpoint_policy" {
      test     = "StringNotEquals"
      variable = "aws:sourceVpce"
-      values = [data.aws_vpc_endpoint.dynamodb.id]
+      values = [data.aws_vpc_endpoint_service.dynamodb.id]
    }
  }
 }
--- a/examples/complete-vpc/outputs.tf
+++ b/examples/complete-vpc/outputs.tf
@@ -44,32 +44,32 @@ output "nat_public_ips" {
 # VPC endpoints
 output "vpc_endpoint_ssm_id" {
  description = "The ID of VPC endpoint for SSM"
-  value       = module.vpc.vpc_endpoint_ssm_id
+  value       = module.vpc_endpoints.endpoints["ssm"].id
 }
 output "vpc_endpoint_ssm_network_interface_ids" {
  description = "One or more network interfaces for the VPC Endpoint for SSM."
-  value       = module.vpc.vpc_endpoint_ssm_network_interface_ids
+  value       = module.vpc_endpoints.endpoints["ssm"].network_interface_ids
 }
 output "vpc_endpoint_ssm_dns_entry" {
  description = "The DNS entries for the VPC Endpoint for SSM."
-  value       = module.vpc.vpc_endpoint_ssm_dns_entry
+  value       = module.vpc_endpoints.endpoints["ssm"].dns_entry
 }
 output "vpc_endpoint_lambda_id" {
  description = "The ID of VPC endpoint for Lambda"
-  value       = module.vpc.vpc_endpoint_lambda_id
+  value       = module.vpc_endpoints.endpoints["lambda"].id
 }
 output "vpc_endpoint_lambda_network_interface_ids" {
  description = "One or more network interfaces for the VPC Endpoint for Lambda."
-  value       = module.vpc.vpc_endpoint_lambda_network_interface_ids
+  value       = module.vpc_endpoints.endpoints["lambda"].network_interface_ids
 }
 output "vpc_endpoint_lambda_dns_entry" {
  description = "The DNS entries for the VPC Endpoint for Lambda."
-  value       = module.vpc.vpc_endpoint_lambda_dns_entry
+  value       = module.vpc_endpoints.endpoints["lambda"].dns_entry
 }
 # Customer Gateway

--- a/examples/complete-vpc/versions.tf
+++ b/examples/complete-vpc/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 3.10"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/ipv6/README.md
+++ b/examples/ipv6/README.md
@@ -19,14 +19,12 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers
-| Name | Version |
+No providers.
-|------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.70 |
 ## Modules
@@ -36,9 +34,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 ## Resources
-| Name | Type |
+No resources.
-|------|------|
-| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 ## Inputs

--- a/examples/ipv6/main.tf
+++ b/examples/ipv6/main.tf
 provider "aws" {
+  region = local.region
+}
+locals {
  region = "eu-west-1"
 }
-data "aws_availability_zones" "available" {}
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../.."
  name = "ipv6"
  cidr = "10.0.0.0/16"
-  azs              = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]
+  azs              = ["${local.region}a", "${local.region}b"]
  private_subnets  = ["10.0.1.0/24", "10.0.2.0/24"]
  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
  database_subnets = ["10.0.103.0/24", "10.0.104.0/24"]

--- a/examples/ipv6/versions.tf
+++ b/examples/ipv6/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/issue-108-route-already-exists/README.md
+++ b/examples/issue-108-route-already-exists/README.md
-# Issue 108 - VPC
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108#issue-308084655
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102#issuecomment-374877706
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44#issuecomment-378679404
-## Usage
-To run this example you need to execute:
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
-## Providers
-No providers.
-## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ |  |
-## Resources
-No resources.
-## Inputs
-No inputs.
-## Outputs
-| Name | Description |
-|------|-------------|
-| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
-| <a name="output_elasticache_subnets"></a> [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
-| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
-| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
-| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
-| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/examples/issue-108-route-already-exists/main.tf
+++ b/examples/issue-108-route-already-exists/main.tf
-provider "aws" {
-  region = "us-east-1"
-}
-module "vpc" {
-  source = "../../"
-  name = "route-already-exists"
-  cidr = "10.0.0.0/16"
-  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
-  private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
-  public_subnets  = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
-  single_nat_gateway = true
-  enable_nat_gateway = true
-  enable_s3_endpoint       = true
-  enable_dynamodb_endpoint = true
-}
--- a/examples/issue-108-route-already-exists/outputs.tf
+++ b/examples/issue-108-route-already-exists/outputs.tf
-# VPC
-output "vpc_id" {
-  description = "The ID of the VPC"
-  value       = module.vpc.vpc_id
-}
-# Subnets
-output "private_subnets" {
-  description = "List of IDs of private subnets"
-  value       = module.vpc.private_subnets
-}
-output "public_subnets" {
-  description = "List of IDs of public subnets"
-  value       = module.vpc.public_subnets
-}
-output "database_subnets" {
-  description = "List of IDs of database subnets"
-  value       = module.vpc.database_subnets
-}
-output "elasticache_subnets" {
-  description = "List of IDs of elasticache subnets"
-  value       = module.vpc.elasticache_subnets
-}
-# NAT gateways
-output "nat_public_ips" {
-  description = "List of public Elastic IPs created for AWS NAT Gateway"
-  value       = module.vpc.nat_public_ips
-}
--- a/examples/issue-44-asymmetric-private-subnets/README.md
+++ b/examples/issue-44-asymmetric-private-subnets/README.md
-# Issue 44 - VPC
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
-## Usage
-To run this example you need to execute:
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
-## Providers
-No providers.
-## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ |  |
-## Resources
-No resources.
-## Inputs
-No inputs.
-## Outputs
-| Name | Description |
-|------|-------------|
-| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
-| <a name="output_elasticache_subnets"></a> [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
-| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
-| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
-| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
-| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/examples/issue-44-asymmetric-private-subnets/main.tf
+++ b/examples/issue-44-asymmetric-private-subnets/main.tf
-# List of AZs and private subnets are not of equal length
-#
-# This example creates resources which are not present in all AZs.
-# This should be seldomly needed from architectural point of view,
-# and it can also lead this module to some edge cases.
-#
-# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
-module "vpc" {
-  source = "../../"
-  name = "asymmetrical"
-  cidr = "10.0.0.0/16"
-  azs              = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
-  private_subnets  = ["10.0.1.0/24"]
-  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
-  database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
-  create_database_subnet_group = true
-  enable_nat_gateway           = true
-  tags = {
-    Issue = "44"
-    Name  = "asymmetrical"
-  }
-}
--- a/examples/issue-44-asymmetric-private-subnets/outputs.tf
+++ b/examples/issue-44-asymmetric-private-subnets/outputs.tf
-# VPC
-output "vpc_id" {
-  description = "The ID of the VPC"
-  value       = module.vpc.vpc_id
-}
-# Subnets
-output "private_subnets" {
-  description = "List of IDs of private subnets"
-  value       = module.vpc.private_subnets
-}
-output "public_subnets" {
-  description = "List of IDs of public subnets"
-  value       = module.vpc.public_subnets
-}
-output "database_subnets" {
-  description = "List of IDs of database subnets"
-  value       = module.vpc.database_subnets
-}
-output "elasticache_subnets" {
-  description = "List of IDs of elasticache subnets"
-  value       = module.vpc.elasticache_subnets
-}
-# NAT gateways
-output "nat_public_ips" {
-  description = "List of public Elastic IPs created for AWS NAT Gateway"
-  value       = module.vpc.nat_public_ips
-}
--- a/examples/issue-44-asymmetric-private-subnets/variables.tf
+++ b/examples/issue-44-asymmetric-private-subnets/variables.tf
--- a/examples/issue-46-no-private-subnets/README.md
+++ b/examples/issue-46-no-private-subnets/README.md
-# Issue 46 - VPC
-Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
-* https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
-## Usage
-To run this example you need to execute:
-```bash
-$ terraform init
-$ terraform plan
-$ terraform apply
-```
-Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-## Requirements
-| Name | Version |
-|------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
-## Providers
-No providers.
-## Modules
-| Name | Source | Version |
-|------|--------|---------|
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ |  |
-## Resources
-No resources.
-## Inputs
-No inputs.
-## Outputs
-| Name | Description |
-|------|-------------|
-| <a name="output_database_subnets"></a> [database\_subnets](#output\_database\_subnets) | List of IDs of database subnets |
-| <a name="output_elasticache_subnets"></a> [elasticache\_subnets](#output\_elasticache\_subnets) | List of IDs of elasticache subnets |
-| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
-| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
-| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
-| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/examples/issue-46-no-private-subnets/main.tf
+++ b/examples/issue-46-no-private-subnets/main.tf
-# There are no private subnets in this VPC setup.
-#
-# Github issue: https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
-module "vpc" {
-  source = "../../"
-  name = "no-private-subnets"
-  cidr = "10.0.0.0/16"
-  azs                 = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
-  public_subnets      = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
-  private_subnets     = []
-  database_subnets    = ["10.0.128.0/24", "10.0.129.0/24"]
-  elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"]
-  enable_dns_support   = true
-  enable_dns_hostnames = true
-  enable_nat_gateway   = false
-  tags = {
-    Issue = "46"
-    Name  = "no-private-subnets"
-  }
-}
--- a/examples/issue-46-no-private-subnets/outputs.tf
+++ b/examples/issue-46-no-private-subnets/outputs.tf
-# VPC
-output "vpc_id" {
-  description = "The ID of the VPC"
-  value       = module.vpc.vpc_id
-}
-# Subnets
-output "private_subnets" {
-  description = "List of IDs of private subnets"
-  value       = module.vpc.private_subnets
-}
-output "public_subnets" {
-  description = "List of IDs of public subnets"
-  value       = module.vpc.public_subnets
-}
-output "database_subnets" {
-  description = "List of IDs of database subnets"
-  value       = module.vpc.database_subnets
-}
-output "elasticache_subnets" {
-  description = "List of IDs of elasticache subnets"
-  value       = module.vpc.elasticache_subnets
-}
-# NAT gateways
-output "nat_public_ips" {
-  description = "List of public Elastic IPs created for AWS NAT Gateway"
-  value       = module.vpc.nat_public_ips
-}
--- a/examples/issue-46-no-private-subnets/variables.tf
+++ b/examples/issue-46-no-private-subnets/variables.tf
--- a/examples/issue-46-no-private-subnets/versions.tf
+++ b/examples/issue-46-no-private-subnets/versions.tf
-terraform {
-  required_version = ">= 0.12.21"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 2.70"
-    }
-  }
-}
--- a/examples/issues/README.md
+++ b/examples/issues/README.md
+# Issues
+Configuration in this directory creates set of VPC resources to cover issues reported on GitHub:
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/102
+- https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108
+## Usage
+To run this example you need to execute:
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
+## Providers
+No providers.
+## Modules
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc_issue_108"></a> [vpc\_issue\_108](#module\_vpc\_issue\_108) | ../../ |  |
+| <a name="module_vpc_issue_44"></a> [vpc\_issue\_44](#module\_vpc\_issue\_44) | ../../ |  |
+| <a name="module_vpc_issue_46"></a> [vpc\_issue\_46](#module\_vpc\_issue\_46) | ../../ |  |
+## Resources
+No resources.
+## Inputs
+No inputs.
+## Outputs
+| Name | Description |
+|------|-------------|
+| <a name="output_issue_108_database_subnets"></a> [issue\_108\_database\_subnets](#output\_issue\_108\_database\_subnets) | List of IDs of database subnets |
+| <a name="output_issue_108_elasticache_subnets"></a> [issue\_108\_elasticache\_subnets](#output\_issue\_108\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| <a name="output_issue_108_nat_public_ips"></a> [issue\_108\_nat\_public\_ips](#output\_issue\_108\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| <a name="output_issue_108_private_subnets"></a> [issue\_108\_private\_subnets](#output\_issue\_108\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_issue_108_public_subnets"></a> [issue\_108\_public\_subnets](#output\_issue\_108\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_issue_108_vpc_id"></a> [issue\_108\_vpc\_id](#output\_issue\_108\_vpc\_id) | The ID of the VPC |
+| <a name="output_issue_44_database_subnets"></a> [issue\_44\_database\_subnets](#output\_issue\_44\_database\_subnets) | List of IDs of database subnets |
+| <a name="output_issue_44_elasticache_subnets"></a> [issue\_44\_elasticache\_subnets](#output\_issue\_44\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| <a name="output_issue_44_nat_public_ips"></a> [issue\_44\_nat\_public\_ips](#output\_issue\_44\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| <a name="output_issue_44_private_subnets"></a> [issue\_44\_private\_subnets](#output\_issue\_44\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_issue_44_public_subnets"></a> [issue\_44\_public\_subnets](#output\_issue\_44\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_issue_44_vpc_id"></a> [issue\_44\_vpc\_id](#output\_issue\_44\_vpc\_id) | The ID of the VPC |
+| <a name="output_issue_46_database_subnets"></a> [issue\_46\_database\_subnets](#output\_issue\_46\_database\_subnets) | List of IDs of database subnets |
+| <a name="output_issue_46_elasticache_subnets"></a> [issue\_46\_elasticache\_subnets](#output\_issue\_46\_elasticache\_subnets) | List of IDs of elasticache subnets |
+| <a name="output_issue_46_nat_public_ips"></a> [issue\_46\_nat\_public\_ips](#output\_issue\_46\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| <a name="output_issue_46_private_subnets"></a> [issue\_46\_private\_subnets](#output\_issue\_46\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_issue_46_public_subnets"></a> [issue\_46\_public\_subnets](#output\_issue\_46\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_issue_46_vpc_id"></a> [issue\_46\_vpc\_id](#output\_issue\_46\_vpc\_id) | The ID of the VPC |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/examples/issues/main.tf
+++ b/examples/issues/main.tf
+provider "aws" {
+  region = local.region
+}
+locals {
+  region = "eu-west-1"
+}
+################################################################################
+# Issue 44 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/44
+################################################################################
+module "vpc_issue_44" {
+  source = "../../"
+  name = "asymmetrical"
+  cidr = "10.0.0.0/16"
+  azs              = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  private_subnets  = ["10.0.1.0/24"]
+  public_subnets   = ["10.0.101.0/24", "10.0.102.0/24"]
+  database_subnets = ["10.0.21.0/24", "10.0.22.0/24", "10.0.23.0/24"]
+  create_database_subnet_group = true
+  enable_nat_gateway           = true
+  tags = {
+    Issue = "44"
+    Name  = "asymmetrical"
+  }
+}
+################################################################################
+# Issue 46 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/46
+################################################################################
+module "vpc_issue_46" {
+  source = "../../"
+  name = "no-private-subnets"
+  cidr = "10.0.0.0/16"
+  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  public_subnets      = ["10.0.0.0/22", "10.0.4.0/22", "10.0.8.0/22"]
+  private_subnets     = []
+  database_subnets    = ["10.0.128.0/24", "10.0.129.0/24"]
+  elasticache_subnets = ["10.0.131.0/24", "10.0.132.0/24", "10.0.133.0/24"]
+  enable_dns_support   = true
+  enable_dns_hostnames = true
+  enable_nat_gateway   = false
+  tags = {
+    Issue = "46"
+    Name  = "no-private-subnets"
+  }
+}
+################################################################################
+# Issue 108 - https://github.com/terraform-aws-modules/terraform-aws-vpc/issues/108
+################################################################################
+module "vpc_issue_108" {
+  source = "../../"
+  name = "route-already-exists"
+  cidr = "10.0.0.0/16"
+  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  private_subnets = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets  = ["10.0.254.240/28", "10.0.254.224/28", "10.0.254.208/28"]
+  single_nat_gateway = true
+  enable_nat_gateway = true
+  tags = {
+    Issue = "108"
+    Name  = "route-already-exists"
+  }
+}
--- a/examples/issues/outputs.tf
+++ b/examples/issues/outputs.tf
+################################################################################
+# Issue 44
+################################################################################
+# VPC
+output "issue_44_vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc_issue_44.vpc_id
+}
+# Subnets
+output "issue_44_private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.vpc_issue_44.private_subnets
+}
+output "issue_44_public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc_issue_44.public_subnets
+}
+output "issue_44_database_subnets" {
+  description = "List of IDs of database subnets"
+  value       = module.vpc_issue_44.database_subnets
+}
+output "issue_44_elasticache_subnets" {
+  description = "List of IDs of elasticache subnets"
+  value       = module.vpc_issue_44.elasticache_subnets
+}
+# NAT gateways
+output "issue_44_nat_public_ips" {
+  description = "List of public Elastic IPs created for AWS NAT Gateway"
+  value       = module.vpc_issue_44.nat_public_ips
+}
+################################################################################
+# Issue 46
+################################################################################
+# VPC
+output "issue_46_vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc_issue_46.vpc_id
+}
+# Subnets
+output "issue_46_private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.vpc_issue_46.private_subnets
+}
+output "issue_46_public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc_issue_46.public_subnets
+}
+output "issue_46_database_subnets" {
+  description = "List of IDs of database subnets"
+  value       = module.vpc_issue_46.database_subnets
+}
+output "issue_46_elasticache_subnets" {
+  description = "List of IDs of elasticache subnets"
+  value       = module.vpc_issue_46.elasticache_subnets
+}
+# NAT gateways
+output "issue_46_nat_public_ips" {
+  description = "List of public Elastic IPs created for AWS NAT Gateway"
+  value       = module.vpc_issue_46.nat_public_ips
+}
+################################################################################
+# Issue 108
+################################################################################
+# VPC
+output "issue_108_vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc_issue_108.vpc_id
+}
+# Subnets
+output "issue_108_private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.vpc_issue_108.private_subnets
+}
+output "issue_108_public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc_issue_108.public_subnets
+}
+output "issue_108_database_subnets" {
+  description = "List of IDs of database subnets"
+  value       = module.vpc_issue_108.database_subnets
+}
+output "issue_108_elasticache_subnets" {
+  description = "List of IDs of elasticache subnets"
+  value       = module.vpc_issue_108.elasticache_subnets
+}
+# NAT gateways
+output "issue_108_nat_public_ips" {
+  description = "List of public Elastic IPs created for AWS NAT Gateway"
+  value       = module.vpc_issue_108.nat_public_ips
+}
--- a/examples/issue-108-route-already-exists/variables.tf
+++ b/examples/issue-108-route-already-exists/variables.tf
--- a/examples/issue-108-route-already-exists/versions.tf
+++ b/examples/issue-108-route-already-exists/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/manage-default-vpc/README.md
+++ b/examples/manage-default-vpc/README.md
@@ -21,8 +21,8 @@ Run `terraform destroy` when you don't need these resources.
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers

--- a/examples/manage-default-vpc/main.tf
+++ b/examples/manage-default-vpc/main.tf
 provider "aws" {
+  region = local.region
+}
+locals {
  region = "eu-west-1"
 }
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../../"

--- a/examples/manage-default-vpc/versions.tf
+++ b/examples/manage-default-vpc/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/network-acls/README.md
+++ b/examples/network-acls/README.md
@@ -23,8 +23,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers

--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
 provider "aws" {
-  region = "eu-west-1"
+  region = local.region
-}
-module "vpc" {
-  source = "../../"
-  name = "network-acls-example"
-  cidr = "10.0.0.0/16"
-  azs                 = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
-  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets      = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
-  elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
-  public_dedicated_network_acl = true
-  public_inbound_acl_rules = concat(
-    local.network_acls["default_inbound"],
-    local.network_acls["public_inbound"],
-  )
-  public_outbound_acl_rules = concat(
-    local.network_acls["default_outbound"],
-    local.network_acls["public_outbound"],
-  )
-  elasticache_outbound_acl_rules = concat(
-    local.network_acls["default_outbound"],
-    local.network_acls["elasticache_outbound"],
-  )
-  private_dedicated_network_acl     = false
-  elasticache_dedicated_network_acl = true
-  manage_default_network_acl = true
-  enable_ipv6 = true
-  enable_nat_gateway = false
-  single_nat_gateway = true
-  public_subnet_tags = {
-    Name = "overridden-name-public"
-  }
-  tags = {
-    Owner       = "user"
-    Environment = "dev"
-  }
-  vpc_tags = {
-    Name = "vpc-name"
-  }
 }
 locals {
+  region = "eu-west-1"
  network_acls = {
    default_inbound = [
      {
@@ -202,3 +154,47 @@ locals {
    ]
  }
 }
+################################################################################
+# VPC Module
+################################################################################
+module "vpc" {
+  source = "../../"
+  name = "network-acls-example"
+  cidr = "10.0.0.0/16"
+  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
+  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets      = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
+  public_dedicated_network_acl   = true
+  public_inbound_acl_rules       = concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])
+  public_outbound_acl_rules      = concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])
+  elasticache_outbound_acl_rules = concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"])
+  private_dedicated_network_acl     = false
+  elasticache_dedicated_network_acl = true
+  manage_default_network_acl = true
+  enable_ipv6 = true
+  enable_nat_gateway = false
+  single_nat_gateway = true
+  public_subnet_tags = {
+    Name = "overridden-name-public"
+  }
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+  vpc_tags = {
+    Name = "vpc-name"
+  }
+}
--- a/examples/network-acls/versions.tf
+++ b/examples/network-acls/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/outpost/README.md
+++ b/examples/outpost/README.md
@@ -23,14 +23,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.5.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.5.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15 |
 ## Modules

--- a/examples/outpost/main.tf
+++ b/examples/outpost/main.tf
 provider "aws" {
-  region = "us-west-2"
+  region = local.region
  assume_role {
    role_arn = "arn:aws:iam::562806027032:role/outpost-shared-anton"
  }
 }
-data "aws_outposts_outpost" "shared" {
-  name = "SEA19.07"
-}
-data "aws_availability_zones" "available" {}
-module "vpc" {
-  source = "../../"
-  name = "outpost-example"
-  cidr = "10.0.0.0/16"
-  azs = [
-    data.aws_availability_zones.available.names[0],
-    data.aws_availability_zones.available.names[1],
-    data.aws_availability_zones.available.names[2],
-  ]
-  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
-  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
-  # Outpost is using single AZ specified in `outpost_az`
-  outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"]
-  outpost_arn     = data.aws_outposts_outpost.shared.arn
-  outpost_az      = data.aws_outposts_outpost.shared.availability_zone
-  # IPv6
-  enable_ipv6                                    = true
-  outpost_subnet_assign_ipv6_address_on_creation = true
-  outpost_subnet_ipv6_prefixes                   = [2, 3, 4]
-  # NAT Gateway
-  enable_nat_gateway = true
-  single_nat_gateway = true
-  # Network ACLs
-  outpost_dedicated_network_acl = true
-  outpost_inbound_acl_rules     = local.network_acls["outpost_inbound"]
-  outpost_outbound_acl_rules    = local.network_acls["outpost_outbound"]
-  tags = {
-    Owner       = "user"
-    Environment = "dev"
-  }
-}
 locals {
+  region = "eu-west-1"
  network_acls = {
    outpost_inbound = [
      {
@@ -148,3 +104,56 @@ locals {
    ]
  }
 }
+################################################################################
+# Supporting Resources
+################################################################################
+data "aws_outposts_outpost" "shared" {
+  name = "SEA19.07"
+}
+data "aws_availability_zones" "available" {}
+################################################################################
+# VPC Module
+################################################################################
+module "vpc" {
+  source = "../../"
+  name = "outpost-example"
+  cidr = "10.0.0.0/16"
+  azs = [
+    data.aws_availability_zones.available.names[0],
+    data.aws_availability_zones.available.names[1],
+    data.aws_availability_zones.available.names[2],
+  ]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+  # Outpost is using single AZ specified in `outpost_az`
+  outpost_subnets = ["10.0.50.0/24", "10.0.51.0/24"]
+  outpost_arn     = data.aws_outposts_outpost.shared.arn
+  outpost_az      = data.aws_outposts_outpost.shared.availability_zone
+  # IPv6
+  enable_ipv6                                    = true
+  outpost_subnet_assign_ipv6_address_on_creation = true
+  outpost_subnet_ipv6_prefixes                   = [2, 3, 4]
+  # NAT Gateway
+  enable_nat_gateway = true
+  single_nat_gateway = true
+  # Network ACLs
+  outpost_dedicated_network_acl = true
+  outpost_inbound_acl_rules     = local.network_acls["outpost_inbound"]
+  outpost_outbound_acl_rules    = local.network_acls["outpost_outbound"]
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+}
--- a/examples/outpost/versions.tf
+++ b/examples/outpost/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
-    aws = ">= 3.5.0"
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.15"
+    }
  }
 }
--- a/examples/secondary-cidr-blocks/README.md
+++ b/examples/secondary-cidr-blocks/README.md
@@ -21,8 +21,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers

--- a/examples/secondary-cidr-blocks/main.tf
+++ b/examples/secondary-cidr-blocks/main.tf
 provider "aws" {
+  region = local.region
+}
+locals {
  region = "eu-west-1"
 }
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../../"
@@ -10,7 +18,7 @@ module "vpc" {
  cidr                  = "10.0.0.0/16"
  secondary_cidr_blocks = ["10.1.0.0/16", "10.2.0.0/16"]
-  azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets = ["10.0.1.0/24", "10.1.2.0/24", "10.2.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.1.102.0/24", "10.2.103.0/24"]
@@ -32,4 +40,3 @@ module "vpc" {
    Name = "vpc-name"
  }
 }
--- a/examples/secondary-cidr-blocks/versions.tf
+++ b/examples/secondary-cidr-blocks/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/simple-vpc/README.md
+++ b/examples/simple-vpc/README.md
@@ -25,8 +25,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers

--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
 provider "aws" {
+  region = local.region
+}
+locals {
  region = "eu-west-1"
 }
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../../"
  name = "simple-example"
  cidr = "10.0.0.0/16"
-  azs             = ["eu-west-1a", "eu-west-1b", "euw1-az3"]
+  azs             = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
@@ -18,9 +25,6 @@ module "vpc" {
  enable_nat_gateway = false
  single_nat_gateway = true
-  enable_s3_endpoint       = true
-  enable_dynamodb_endpoint = true
  public_subnet_tags = {
    Name = "overridden-name-public"
  }
@@ -34,4 +38,3 @@ module "vpc" {
    Name = "vpc-name"
  }
 }
--- a/examples/simple-vpc/versions.tf
+++ b/examples/simple-vpc/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/examples/vpc-flow-logs/README.md
+++ b/examples/vpc-flow-logs/README.md
@@ -24,14 +24,14 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 2 |
 ## Providers
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 2.70 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 2 |
 ## Modules

--- a/examples/vpc-flow-logs/cloud-watch-logs.tf
+++ b/examples/vpc-flow-logs/cloud-watch-logs.tf
-###########################################################
-# VPC flow logs => Cloudwatch logs (created automatically)
-###########################################################
-module "vpc_with_flow_logs_cloudwatch_logs_default" {
-  source = "../../"
-  name = "vpc-flow-logs-cloudwatch-logs-default"
-  cidr = "10.10.0.0/16"
-  azs            = ["eu-west-1a"]
-  public_subnets = ["10.10.101.0/24"]
-  # Cloudwatch log group and IAM role will be created
-  enable_flow_log                      = true
-  create_flow_log_cloudwatch_log_group = true
-  create_flow_log_cloudwatch_iam_role  = true
-  flow_log_max_aggregation_interval    = 60
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-cloudwatch-logs-default"
-  }
-}
-########################################################
-# VPC flow logs => Cloudwatch logs (CloudWatch Log Group and IAM role created separately)
-########################################################
-module "vpc_with_flow_logs_cloudwatch_logs" {
-  source = "../../"
-  name = "vpc-flow-logs-cloudwatch-logs"
-  cidr = "10.20.0.0/16"
-  azs            = ["eu-west-1a"]
-  public_subnets = ["10.20.101.0/24"]
-  enable_flow_log                  = true
-  flow_log_destination_type        = "cloud-watch-logs"
-  flow_log_destination_arn         = aws_cloudwatch_log_group.flow_log.arn
-  flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-cloudwatch-logs"
-  }
-}
-#######################
-# CloudWatch Log group
-#######################
-resource "aws_cloudwatch_log_group" "flow_log" {
-  name = local.cloudwatch_log_group_name
-}
-###########
-# IAM Role
-###########
-resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
-  name_prefix        = "vpc-flow-log-role-"
-  assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json
-}
-data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
-  statement {
-    principals {
-      type        = "Service"
-      identifiers = ["vpc-flow-logs.amazonaws.com"]
-    }
-    effect = "Allow"
-    actions = ["sts:AssumeRole"]
-  }
-}
-resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
-  role       = aws_iam_role.vpc_flow_log_cloudwatch.name
-  policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch.arn
-}
-resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
-  name_prefix = "vpc-flow-log-cloudwatch-"
-  policy      = data.aws_iam_policy_document.vpc_flow_log_cloudwatch.json
-}
-data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
-  statement {
-    sid = "AWSVPCFlowLogsPushToCloudWatch"
-    effect = "Allow"
-    actions = [
-      "logs:CreateLogGroup",
-      "logs:CreateLogStream",
-      "logs:PutLogEvents",
-      "logs:DescribeLogGroups",
-      "logs:DescribeLogStreams",
-    ]
-    resources = ["*"]
-  }
-}
--- a/examples/vpc-flow-logs/main.tf
+++ b/examples/vpc-flow-logs/main.tf
 provider "aws" {
-  region = "eu-west-1"
+  region = local.region
 }
 locals {
+  region = "eu-west-1"
  s3_bucket_name            = "vpc-flow-logs-to-s3-${random_pet.this.id}"
  cloudwatch_log_group_name = "vpc-flow-logs-to-cloudwatch-${random_pet.this.id}"
 }
+################################################################################
+# VPC Module
+################################################################################
+module "vpc_with_flow_logs_s3_bucket" {
+  source = "../../"
+  name = "vpc-flow-logs-s3-bucket"
+  cidr = "10.30.0.0/16"
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.30.101.0/24"]
+  enable_flow_log           = true
+  flow_log_destination_type = "s3"
+  flow_log_destination_arn  = module.s3_bucket.this_s3_bucket_arn
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-s3-bucket"
+  }
+}
+# CloudWatch Log Group and IAM role created automatically
+module "vpc_with_flow_logs_cloudwatch_logs_default" {
+  source = "../../"
+  name = "vpc-flow-logs-cloudwatch-logs-default"
+  cidr = "10.10.0.0/16"
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.10.101.0/24"]
+  # Cloudwatch log group and IAM role will be created
+  enable_flow_log                      = true
+  create_flow_log_cloudwatch_log_group = true
+  create_flow_log_cloudwatch_iam_role  = true
+  flow_log_max_aggregation_interval    = 60
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-cloudwatch-logs-default"
+  }
+}
+# CloudWatch Log Group and IAM role created separately
+module "vpc_with_flow_logs_cloudwatch_logs" {
+  source = "../../"
+  name = "vpc-flow-logs-cloudwatch-logs"
+  cidr = "10.20.0.0/16"
+  azs            = ["${local.region}a"]
+  public_subnets = ["10.20.101.0/24"]
+  enable_flow_log                  = true
+  flow_log_destination_type        = "cloud-watch-logs"
+  flow_log_destination_arn         = aws_cloudwatch_log_group.flow_log.arn
+  flow_log_cloudwatch_iam_role_arn = aws_iam_role.vpc_flow_log_cloudwatch.arn
+  vpc_flow_log_tags = {
+    Name = "vpc-flow-logs-cloudwatch-logs"
+  }
+}
+################################################################################
+# Supporting Resources
+################################################################################
 resource "random_pet" "this" {
  length = 2
 }
+# S3 Bucket
+module "s3_bucket" {
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "~> 1.0"
+  bucket        = local.s3_bucket_name
+  policy        = data.aws_iam_policy_document.flow_log_s3.json
+  force_destroy = true
+  tags = {
+    Name = "vpc-flow-logs-s3-bucket"
+  }
+}
+data "aws_iam_policy_document" "flow_log_s3" {
+  statement {
+    sid = "AWSLogDeliveryWrite"
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    actions = ["s3:PutObject"]
+    resources = ["arn:aws:s3:::${local.s3_bucket_name}/AWSLogs/*"]
+  }
+  statement {
+    sid = "AWSLogDeliveryAclCheck"
+    principals {
+      type        = "Service"
+      identifiers = ["delivery.logs.amazonaws.com"]
+    }
+    actions = ["s3:GetBucketAcl"]
+    resources = ["arn:aws:s3:::${local.s3_bucket_name}"]
+  }
+}
+# Cloudwatch logs
+resource "aws_cloudwatch_log_group" "flow_log" {
+  name = local.cloudwatch_log_group_name
+}
+resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
+  name_prefix        = "vpc-flow-log-role-"
+  assume_role_policy = data.aws_iam_policy_document.flow_log_cloudwatch_assume_role.json
+}
+data "aws_iam_policy_document" "flow_log_cloudwatch_assume_role" {
+  statement {
+    principals {
+      type        = "Service"
+      identifiers = ["vpc-flow-logs.amazonaws.com"]
+    }
+    actions = ["sts:AssumeRole"]
+  }
+}
+resource "aws_iam_role_policy_attachment" "vpc_flow_log_cloudwatch" {
+  role       = aws_iam_role.vpc_flow_log_cloudwatch.name
+  policy_arn = aws_iam_policy.vpc_flow_log_cloudwatch.arn
+}
+resource "aws_iam_policy" "vpc_flow_log_cloudwatch" {
+  name_prefix = "vpc-flow-log-cloudwatch-"
+  policy      = data.aws_iam_policy_document.vpc_flow_log_cloudwatch.json
+}
+data "aws_iam_policy_document" "vpc_flow_log_cloudwatch" {
+  statement {
+    sid = "AWSVPCFlowLogsPushToCloudWatch"
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+      "logs:DescribeLogGroups",
+      "logs:DescribeLogStreams",
+    ]
+    resources = ["*"]
+  }
+}
--- a/examples/vpc-flow-logs/s3.tf
+++ b/examples/vpc-flow-logs/s3.tf
-#############################
-# VPC flow logs => S3 bucket
-#############################
-module "vpc_with_flow_logs_s3_bucket" {
-  source = "../../"
-  name = "vpc-flow-logs-s3-bucket"
-  cidr = "10.30.0.0/16"
-  azs            = ["eu-west-1a"]
-  public_subnets = ["10.30.101.0/24"]
-  enable_flow_log           = true
-  flow_log_destination_type = "s3"
-  flow_log_destination_arn  = module.s3_bucket.this_s3_bucket_arn
-  vpc_flow_log_tags = {
-    Name = "vpc-flow-logs-s3-bucket"
-  }
-}
-############
-# S3 bucket
-############
-module "s3_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "~> 1.0"
-  bucket        = local.s3_bucket_name
-  policy        = data.aws_iam_policy_document.flow_log_s3.json
-  force_destroy = true
-  tags = {
-    Name = "vpc-flow-logs-s3-bucket"
-  }
-}
-data "aws_iam_policy_document" "flow_log_s3" {
-  statement {
-    sid = "AWSLogDeliveryWrite"
-    principals {
-      type        = "Service"
-      identifiers = ["delivery.logs.amazonaws.com"]
-    }
-    effect = "Allow"
-    actions = [
-      "s3:PutObject",
-    ]
-    resources = ["arn:aws:s3:::${local.s3_bucket_name}/AWSLogs/*"]
-  }
-  statement {
-    sid = "AWSLogDeliveryAclCheck"
-    principals {
-      type        = "Service"
-      identifiers = ["delivery.logs.amazonaws.com"]
-    }
-    effect = "Allow"
-    actions = [
-      "s3:GetBucketAcl",
-    ]
-    resources = ["arn:aws:s3:::${local.s3_bucket_name}"]
-  }
-}
--- a/examples/vpc-flow-logs/versions.tf
+++ b/examples/vpc-flow-logs/versions.tf
@@ -4,7 +4,7 @@ terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
    random = {

--- a/examples/vpc-separate-private-route-tables/README.md
+++ b/examples/vpc-separate-private-route-tables/README.md
@@ -21,8 +21,8 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.21 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 2.70 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
 ## Providers

--- a/examples/vpc-separate-private-route-tables/main.tf
+++ b/examples/vpc-separate-private-route-tables/main.tf
 provider "aws" {
+  region = local.region
+}
+locals {
  region = "eu-west-1"
 }
+################################################################################
+# VPC Module
+################################################################################
 module "vpc" {
  source = "../../"
@@ -9,7 +17,7 @@ module "vpc" {
  cidr = "10.10.0.0/16"
-  azs                 = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+  azs                 = ["${local.region}a", "${local.region}b", "${local.region}c"]
  private_subnets     = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
  public_subnets      = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
  database_subnets    = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
@@ -29,4 +37,3 @@ module "vpc" {
    Name        = "separate-private-route-tables"
  }
 }
--- a/examples/vpc-separate-private-route-tables/versions.tf
+++ b/examples/vpc-separate-private-route-tables/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/main.tf
+++ b/main.tf
--- a/modules/vpc-endpoints/README.md
+++ b/modules/vpc-endpoints/README.md
+# AWS VPC Endpoints Terraform sub-module
+Terraform sub-module which creates VPC endpoint resources on AWS.
+## Usage
+See [`examples`](../../examples) directory for working examples to reference:
+```hcl
+module "endpoints" {
+  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  vpc_id             = "vpc-12345678"
+  security_group_ids = ["sg-12345678"]
+  endpoints = {
+    s3 = {
+      # interface endpoint
+      service             = "s3"
+      private_dns_enabled = true
+      tags                = { Name = "s3-vpc-endpoint" }
+    },
+    dynamodb = {
+      # gateway endpoint
+      service         = "dynamodb"
+      route_table_ids = ["rt-12322456", "rt-43433343", "rt-11223344"]
+      tags            = { Name = "dynamodb-vpc-endpoint" }
+    },
+    sns = {
+      service    = "sns"
+      subnet_ids = ["subnet-12345678", "subnet-87654321"]
+      tags       = { Name = "sns-vpc-endpoint" }
+    },
+    sqs = {
+      service             = "sqs"
+      private_dns_enabled = true
+      security_group_ids  = ["sg-987654321"]
+      subnet_ids          = ["subnet-12345678", "subnet-87654321"]
+      tags                = { Name = "sqs-vpc-endpoint" }
+    },
+  }
+  tags = {
+    Owner       = "user"
+    Environment = "dev"
+  }
+}
+```
+## Examples
+- [Complete-VPC](../../examples/complete-vpc) with VPC Endpoints.
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.26 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.15 |
+## Providers
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.15 |
+## Modules
+No modules.
+## Resources
+| Name | Type |
+|------|------|
+| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+## Inputs
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
+| <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Default subnets IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to use on all resources | `map(string)` | `{}` | no |
+| <a name="input_timeouts"></a> [timeouts](#input\_timeouts) | Define maximum timeout for creating, updating, and deleting VPC endpoint resources | `map(string)` | `{}` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The ID of the VPC in which the endpoint will be used | `string` | `null` | no |
+## Outputs
+| Name | Description |
+|------|-------------|
+| <a name="output_endpoints"></a> [endpoints](#output\_endpoints) | Array containing the full resource object and attributes for all endpoints created |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
--- a/modules/vpc-endpoints/main.tf
+++ b/modules/vpc-endpoints/main.tf
+locals {
+  endpoints = var.create ? var.endpoints : tomap({})
+}
+################################################################################
+# Endpoint(s)
+################################################################################
+data "aws_vpc_endpoint_service" "this" {
+  for_each = local.endpoints
+  service      = lookup(each.value, "service", null)
+  service_name = lookup(each.value, "service_name", null)
+  filter {
+    name   = "service-type"
+    values = [lookup(each.value, "service_type", "Interface")]
+  }
+}
+resource "aws_vpc_endpoint" "this" {
+  for_each = local.endpoints
+  vpc_id            = var.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.this[each.key].service_name
+  vpc_endpoint_type = lookup(each.value, "service_type", "Interface")
+  auto_accept       = lookup(each.value, "auto_accept", null)
+  security_group_ids  = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.security_group_ids, lookup(each.value, "security_group_ids", []))) : null
+  subnet_ids          = lookup(each.value, "service_type", "Interface") == "Interface" ? distinct(concat(var.subnet_ids, lookup(each.value, "subnet_ids", []))) : null
+  route_table_ids     = lookup(each.value, "service_type", "Interface") == "Gateway" ? lookup(each.value, "route_table_ids", null) : null
+  policy              = lookup(each.value, "policy", null)
+  private_dns_enabled = lookup(each.value, "service_type", "Interface") == "Interface" ? lookup(each.value, "private_dns_enabled", null) : null
+  tags = merge(var.tags, lookup(each.value, "tags", {}))
+  timeouts {
+    create = lookup(var.timeouts, "create", "10m")
+    update = lookup(var.timeouts, "update", "10m")
+    delete = lookup(var.timeouts, "delete", "10m")
+  }
+}
--- a/modules/vpc-endpoints/outputs.tf
+++ b/modules/vpc-endpoints/outputs.tf
+output "endpoints" {
+  description = "Array containing the full resource object and attributes for all endpoints created"
+  value       = aws_vpc_endpoint.this
+}
--- a/modules/vpc-endpoints/variables.tf
+++ b/modules/vpc-endpoints/variables.tf
+variable "create" {
+  description = "Determines whether resources will be created"
+  type        = bool
+  default     = true
+}
+variable "vpc_id" {
+  description = "The ID of the VPC in which the endpoint will be used"
+  type        = string
+  default     = null
+}
+variable "endpoints" {
+  description = "A map of interface and/or gateway endpoints containing their properties and configurations"
+  type        = any
+  default     = {}
+}
+variable "security_group_ids" {
+  description = "Default security group IDs to associate with the VPC endpoints"
+  type        = list(string)
+  default     = []
+}
+variable "subnet_ids" {
+  description = "Default subnets IDs to associate with the VPC endpoints"
+  type        = list(string)
+  default     = []
+}
+variable "tags" {
+  description = "A map of tags to use on all resources"
+  type        = map(string)
+  default     = {}
+}
+variable "timeouts" {
+  description = "Define maximum timeout for creating, updating, and deleting VPC endpoint resources"
+  type        = map(string)
+  default     = {}
+}
--- a/examples/issue-44-asymmetric-private-subnets/versions.tf
+++ b/examples/issue-44-asymmetric-private-subnets/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/outputs.tf
+++ b/outputs.tf
--- a/variables.tf
+++ b/variables.tf
--- a/versions.tf
+++ b/versions.tf
 terraform {
-  required_version = ">= 0.12.21"
+  required_version = ">= 0.12.26"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
-      version = ">= 2.70"
+      version = ">= 3.15"
    }
  }
 }
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
--- a/vpc-flow-logs.tf
+++ b/vpc-flow-logs.tf
@@ -9,9 +9,10 @@ locals {
  flow_log_iam_role_arn    = var.flow_log_destination_type != "s3" && local.create_flow_log_cloudwatch_iam_role ? aws_iam_role.vpc_flow_log_cloudwatch[0].arn : var.flow_log_cloudwatch_iam_role_arn
 }
-###################
+################################################################################
 # Flow Log
-###################
+################################################################################
 resource "aws_flow_log" "this" {
  count = local.enable_flow_log ? 1 : 0
@@ -26,9 +27,10 @@ resource "aws_flow_log" "this" {
  tags = merge(var.tags, var.vpc_flow_log_tags)
 }
-#####################
+################################################################################
 # Flow Log CloudWatch
-#####################
+################################################################################
 resource "aws_cloudwatch_log_group" "flow_log" {
  count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
@@ -39,9 +41,6 @@ resource "aws_cloudwatch_log_group" "flow_log" {
  tags = merge(var.tags, var.vpc_flow_log_tags)
 }
-#########################
-# Flow Log CloudWatch IAM
-#########################
 resource "aws_iam_role" "vpc_flow_log_cloudwatch" {
  count = local.create_flow_log_cloudwatch_iam_role ? 1 : 0