VPC Modules 0.27.0 (last updated in version 0.27.0)

Interface VPC Endpoint


By default, if code running within your VPCs makes API calls to AWS (e.g., to fetch data from S3 or trigger a Lambda function), those API calls leave the VPC, and are routed via the public Internet. This Terraform Module launches VPC endpoints that allow code running within your VPCs to privately connect to AWS services and APIs without the traffic leaving the VPC and without going over the public Internet. Although all API calls to AWS are encrypted with TLS, VPC endpoints give you one extra layer of security by keeping your API calls within the AWS network.

If your code only needs to talk to AWS APIs, and nothing else on the public Internet, VPC Endpoints remove the need for running an Internet Gateway, NAT device, or VPN connection. Under the hood, the VPC Endpoints created by this module are powered by AWS PrivateLink, which costs $0.01/hour and $0.01 per GB of data processed; in comparison, a NAT Gateway costs $0.045/hour and $0.45 per GB of data processed.

Using AWS service endpoints

This section describes how, once you've created VPC endpoints using this module, code running in your VPC can make use of them.

For all AWS services except STS

For almost all AWS Service endpoints, except STS (which is described in the next section), if you enable the endpoint for it in this module, any resources you have running in the VPC will automatically start using that endpoint immediately—so there's really nothing else you need to do!

For example, let's say you created the EC2 endpoint as follows:

module "example" {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

# Create the EC2 endpoint
enable_ec2_endpoint = true

vpc_id = "<YOUR_VPC_ID>"
subnet_ids = ["<YOUR_SUBNET_IDS>"]
security_group_ids = [aws_security_group.vpc_endpoint.id]
}

resource "aws_security_group" "vpc_endpoint" {
vpc_id = module.vpc_app_example.vpc_id

# Allow inbound HTTPS for AWS API calls
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}

If you have an EC2 instance running in the subnets passed to var.subnet_ids, then any code on that EC2 instance that uses the AWS SDK will now automatically use a private endpoint for talking to the EC2 API! For example, if you were running in eu-west-1 and you used the AWS CLI to make the following API call:

aws ec2 describe-instances \
--region eu-west-1 \
--debug

You would see in the log output something like:

POST
content-type:application/x-www-form-urlencoded; charset=utf-8
host:ec2.eu-west-1.amazonaws.com

You can see that the code is using a regional endpoint to talk to the EC2 service: ec2.eu-west-1.amazonaws.com. You can use dig to get info about this endpoint:

dig +short ec2.eu-west-1.amazonaws.com

This should return private IPs from within your VPC. E.g., if your VPC used the CIDR block 10.0.0.0/16, this might return something like:

10.0.0.24
10.0.0.25
10.0.0.26

This tells you that, to talk to the EC2 service, your code is using a regional endpoint that is private to your VPC, rather than routing out via the public Internet.

Special behavior for the STS service

The behavior explained in the previous section applies to all AWS services except the Security Token Service (STS). Per the AWS docs, for backwards compatibility reasons, all AWS STS requests go to a single global endpoint at https://sts.amazonaws.com. That means that, even if you create a private endpoint for STS, it won't get used unless you follow the steps below.

First, use this module to create the STS endpoint:

module "example" {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

# Create the STS endpoint
enable_sts_endpoint = true

vpc_id = "<YOUR_VPC_ID>"
subnet_ids = ["<YOUR_SUBNET_IDS>"]
security_group_ids = [aws_security_group.vpc_endpoint.id]
}

resource "aws_security_group" "vpc_endpoint" {
vpc_id = module.vpc_app_example.vpc_id

# Allow inbound HTTPS for AWS API calls
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
}
}

Next, any time you have code that needs to talk to STS—e.g., to assume an IAM role or use get-caller-identity to look up its own identity—you need to configure that code to use a regional endpoint. You can do this using the sts_regional_endpoints configuration.

You can either set this parameter in the AWS CLI config file at ~/.aws/config:

sts_regional_endpoints = regional

Or you can set it as the environment variable AWS_STS_REGIONAL_ENDPOINTS:

export AWS_STS_REGIONAL_ENDPOINTS=regional

This should work for most AWS SDK/CLI tools. Example:

aws sts get-caller-identity \
--region eu-west-1 \
--debug

The debug log output should show:

POST
content-type:application/x-www-form-urlencoded; charset=utf-8
host:sts.eu-west-1.amazonaws.com

This confirms that a regional endpoint is being used, and that endpoint will be routed to your private STS endpoint.

If your SDK does not support the sts_regional_endpoints parameter, you may have to set the region and endpoint parameter in your code explicitly. Here's an example with the AWS Java SDK:

import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

// Point the STS client at the regional endpoint so requests resolve to the private VPC endpoint
EndpointConfiguration regionEndpointConfig = new EndpointConfiguration("https://sts.eu-west-1.amazonaws.com", "eu-west-1");
AWSSecurityTokenService stsRegionalClient = AWSSecurityTokenServiceClientBuilder.standard()
    .withCredentials(credentials) // an AWSCredentialsProvider obtained elsewhere in your code
    .withEndpointConfiguration(regionEndpointConfig)
    .build();
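The two checks described above, the dig lookup that should return only VPC-private IPs for a regional service hostname, and the STS regional-endpoint configuration, can be scripted as a post-deploy verification. This is an added example, not code from the Gruntwork module; it assumes dig is installed and reads the region from AWS_REGION, and the 10.0.0.0/16 CIDR and sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not part of the Gruntwork module: verify that a service
# hostname (e.g. ec2.eu-west-1.amazonaws.com) is answered by the interface
# endpoint's private hosted zone, i.e. resolves only to addresses inside your
# VPC CIDR, and that STS has been switched to regional endpoints.
# Assumes `dig` is installed; the CIDR 10.0.0.0/16 in the usage is constructed.
set -eu

# Convert a dotted-quad IPv4 address to a 32-bit integer for mask arithmetic.
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  [ "$#" -eq 4 ] || { echo "malformed IPv4 address" >&2; return 2; }
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $1 lies inside CIDR block $2 (e.g. 10.0.0.0/16).
ip_in_cidr() {
  case $2 in */*) ;; *) echo "CIDR must look like a.b.c.d/n" >&2; return 2 ;; esac
  addr=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  [ $(( addr & mask )) -eq $(( net & mask )) ] && return 0
  return 1
}

# Return 0 only when the whitespace-separated address list $2 is non-empty and
# every address is inside CIDR $1. An empty list means private DNS is not
# resolving the name at all (endpoint missing or private_dns_enabled = false).
all_in_vpc() {
  cidr=$1; count=0
  for ip in $2; do
    count=$((count + 1))
    ip_in_cidr "$ip" "$cidr" || { echo "PUBLIC: $ip is outside $cidr" >&2; return 1; }
  done
  [ "$count" -gt 0 ] || return 1
}

# Resolve a regional service hostname with dig (as the page does) and verify
# that every A record is private to the VPC. A non-zero exit means traffic to
# that service would still leave the VPC via the public Internet.
check_endpoint() {
  host=$1; cidr=$2
  ips=$(dig +short "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
  if all_in_vpc "$cidr" "$ips"; then
    echo "OK: $host resolves only to private IPs inside $cidr"
  else
    echo "WARNING: $host is not served by a VPC endpoint inside $cidr" >&2
    return 1
  fi
}

# STS is the exception: its private endpoint is only used when the SDK/CLI is
# told to use regional endpoints, via AWS_STS_REGIONAL_ENDPOINTS or ~/.aws/config.
sts_regional_configured() {
  [ "${AWS_STS_REGIONAL_ENDPOINTS:-}" = "regional" ] && return 0
  cfg=${AWS_CONFIG_FILE:-${HOME:-}/.aws/config}
  [ -f "$cfg" ] && grep -Eq '^[[:space:]]*sts_regional_endpoints[[:space:]]*=[[:space:]]*regional' "$cfg" && return 0
  return 1
}

# Usage: sh check-endpoints.sh 10.0.0.0/16 ec2 sts   (region taken from AWS_REGION)
if [ "$#" -ge 2 ]; then
  cidr=$1; shift
  region=${AWS_REGION:-${AWS_DEFAULT_REGION:-eu-west-1}}
  sts_regional_configured || echo "WARNING: STS is not configured for regional endpoints" >&2
  for svc in "$@"; do
    check_endpoint "$svc.$region.amazonaws.com" "$cidr"
  done
fi
```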

What's the difference between a Gateway VPC Endpoint and an Interface Endpoint?

The vpc-app module automatically creates VPC Endpoints for S3 and DynamoDB, as these use the older Gateway Endpoints service, which is free. Under the hood, Gateway Endpoints work by adding route table entries to your VPC.

For all other AWS APIs and services, you must use Interface Endpoints, which are powered by the newer AWS PrivateLink. Under the hood, these create an Elastic Network Interface (ENI) with a private IP address from one of your subnets. Please note that Interface Endpoints and AWS PrivateLink are NOT free: the pricing for AWS PrivateLink is $0.01 per AZ per hour and $0.01 per GB data processed.

Security Groups for VPC Endpoints

You need to specify a Security Group to control the traffic through the endpoint. AWS uses port 443 by default for its API requests; if inbound port 443 is not allowed, requests to the endpoint will time out and fail.

Not specifying a rule allows all traffic.

Other VPC Core Concepts

Learn about Other VPC Core Concepts like subnets and NAT Gateways.

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-INTERFACE-ENDPOINT MODULE
# ------------------------------------------------------------------------------------------------------

module "vpc_interface_endpoint" {

source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v0.27.0"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# A list of IDs of the subnets for all endpoints. Each endpoint will create
# one ENI (Elastic Network Interface) per subnet.
subnet_ids = <list(string)>

# The ID of the VPC for all modules
vpc_id = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
access_analyzer_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Access Analyzer endpoint
access_analyzer_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Access Analyzer endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
access_analyzer_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Access
# Analyzer endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Access Analyzer
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
access_analyzer_endpoint_subnet_ids = []

# Tags for the Access Analyzer endpoint
access_analyzer_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
acm_pca_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ACM PCA endpoint
acm_pca_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ACM PCA endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
acm_pca_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ACM PCA
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, ACM PCA endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
acm_pca_endpoint_subnet_ids = []

# Tags for the ACM PCA endpoint
acm_pca_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
api_gateway_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the API Gateway endpoint
api_gateway_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the API Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
api_gateway_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the API
# Gateway endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
api_gateway_endpoint_subnet_ids = []

# Tags for the API Gateway endpoint
api_gateway_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appmesh_envoy_management_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppMesh endpoint
appmesh_envoy_management_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the AppMesh endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
appmesh_envoy_management_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the AppMesh
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, AppMesh endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appmesh_envoy_management_endpoint_subnet_ids = []

# Tags for the AppMesh endpoint
appmesh_envoy_management_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_api_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream API endpoint
appstream_api_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the AppStream API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
appstream_api_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the AppStream
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, AppStream API endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appstream_api_endpoint_subnet_ids = []

# Tags for the AppStream API endpoint
appstream_api_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_streaming_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream STREAMING endpoint
appstream_streaming_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the AppStream STREAMING endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
appstream_streaming_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the AppStream
# STREAMING endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, AppStream STREAMING
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
appstream_streaming_endpoint_subnet_ids = []

# Tags for the AppStream STREAMING endpoint
appstream_streaming_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
athena_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Athena endpoint
athena_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Athena endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
athena_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Athena
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Athena endpoint is not supported
# in all the AZs, so this variable helps to overcome this issue.
athena_endpoint_subnet_ids = []

# Tags for the Athena endpoint
athena_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
auto_scaling_plans_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Auto Scaling Plans endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
auto_scaling_plans_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Auto
# Scaling Plans endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Auto Scaling Plans
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
auto_scaling_plans_endpoint_subnet_ids = []

# Tags for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloud_directory_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Cloud Directory endpoint
cloud_directory_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Cloud Directory endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloud_directory_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Cloud
# Directory endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Cloud Directory
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
cloud_directory_endpoint_subnet_ids = []

# Tags for the Cloud Directory endpoint
cloud_directory_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudformation_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Cloudformation endpoint
cloudformation_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Cloudformation endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudformation_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# CloudFormation endpoint. Only a single subnet within an AZ is supported.
# If omitted, only subnet_ids will be used.
cloudformation_endpoint_subnet_ids = []

# Tags for the CloudFormation endpoint
cloudformation_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudtrail_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudTrail endpoint
cloudtrail_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CloudTrail endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudtrail_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CloudTrail
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
cloudtrail_endpoint_subnet_ids = []

# Tags for the CloudTrail endpoint
cloudtrail_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_events_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Events endpoint
cloudwatch_events_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Events endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_events_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CloudWatch
# Events endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_events_endpoint_subnet_ids = []

# Tags for the CloudWatch Events endpoint
cloudwatch_events_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_logs_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Logs endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_logs_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CloudWatch
# Logs endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_logs_endpoint_subnet_ids = []

# Tags for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_monitoring_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Monitoring endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
cloudwatch_monitoring_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CloudWatch
# Monitoring endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
cloudwatch_monitoring_endpoint_subnet_ids = []

# Tags for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_api_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeArtifact API endpoint
codeartifact_api_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Codeartifact API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codeartifact_api_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# Codeartifact API endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Codeartifact
# API endpoint is not supported in all the AZs, so this variable helps to
# overcome this issue.
codeartifact_api_endpoint_subnet_ids = []

# Tags for the CodeArtifact API endpoint
codeartifact_api_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_repositories_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Codeartifact repositories endpoint
codeartifact_repositories_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Codeartifact repositories endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codeartifact_repositories_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# Codeartifact repositories endpoint. Only a single subnet within an AZ is
# supported. When defined, it overrides var.subnet_ids. For some regions,
# Codeartifact repositories endpoint is not supported in all the AZs, so this
# variable helps to overcome this issue.
codeartifact_repositories_endpoint_subnet_ids = []

# Tags for the CodeArtifact repositories endpoint
codeartifact_repositories_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codebuild_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeBuild endpoint
codebuild_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CodeBuild endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codebuild_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CodeBuild
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeBuild endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codebuild_endpoint_subnet_ids = []

# Tags for the CodeBuild endpoint
codebuild_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codecommit_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeCommit endpoint
codecommit_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codecommit_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CodeCommit
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, CodeCommit endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codecommit_endpoint_subnet_ids = []

# Tags for the CodeCommit endpoint
codecommit_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_commands_secure_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy Commands Secure endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codedeploy_commands_secure_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CodeDeploy
# Commands Secure endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, CodeDeploy
# Commands Secure endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
codedeploy_commands_secure_endpoint_subnet_ids = []

# Tags for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy endpoint
codedeploy_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codedeploy_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the CodeDeploy
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeDeploy endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codedeploy_endpoint_subnet_ids = []

# Tags for the CodeDeploy endpoint
codedeploy_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codepipeline_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodePipeline endpoint
codepipeline_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the CodePipeline endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codepipeline_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# CodePipeline endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, CodePipeline
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
codepipeline_endpoint_subnet_ids = []

# Tags for the CodePipeline endpoint
codepipeline_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
config_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the config endpoint
config_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the config endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
config_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the config
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
config_endpoint_subnet_ids = []

# Tags for the Config endpoint
config_endpoint_tags = {}

# If true, creates a security group that allows ingress on port 443 and
# applies it to all endpoints. Must set this to true or supply
# security_group_ids.
create_https_security_group = false

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
datasync_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Data Sync endpoint
datasync_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Data Sync endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
datasync_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Data Sync
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Data Sync endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
datasync_endpoint_subnet_ids = []

# Tags for the Data Sync endpoint
datasync_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ebs_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EBS endpoint.
ebs_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EBS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ebs_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the EBS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ebs_endpoint_subnet_ids = []

# Tags for the EBS endpoint
ebs_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_autoscaling_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EC2-Autoscaling endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2_autoscaling_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# EC2-Autoscaling endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, EC2-Autoscaling
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
ec2_autoscaling_endpoint_subnet_ids = []

# Tags for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 endpoint
ec2_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EC2 endpoint
ec2_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the EC2
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ec2_endpoint_subnet_ids = []

# Tags for the EC2 endpoint
ec2_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2messages_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 Messages endpoint
ec2messages_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EC2 Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2messages_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the EC2
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ec2messages_endpoint_subnet_ids = []

# Tags for the EC2 Messages endpoint
ec2messages_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_api_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECR API endpoint
ecr_api_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ECR API endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_api_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ECR API
# endpoint. If omitted, only subnet_ids will be used.
ecr_api_endpoint_subnet_ids = []

# Tags for the ECR API endpoint
ecr_api_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_dkr_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECR DKR endpoint
ecr_dkr_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ECR DKR endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_dkr_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ECR DKR
# endpoint. If omitted, only subnet_ids will be used.
ecr_dkr_endpoint_subnet_ids = []

# Tags for the ECR DKR endpoint
ecr_dkr_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_agent_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Agent endpoint
ecs_agent_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ECS Agent endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_agent_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ECS Agent
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_agent_endpoint_subnet_ids = []

# Tags for the ECS Agent endpoint
ecs_agent_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS endpoint
ecs_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ECS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ecs_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ECS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_endpoint_subnet_ids = []

# Tags for the ECS endpoint
ecs_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_telemetry_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Telemetry endpoint
ecs_telemetry_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the ECS Telemetry endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_telemetry_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the ECS
# Telemetry endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ecs_telemetry_endpoint_subnet_ids = []

# Tags for the ECS Telemetry endpoint
ecs_telemetry_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
efs_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EFS endpoint.
efs_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EFS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
efs_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the EFS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
efs_endpoint_subnet_ids = []

# Tags for the EFS endpoint
efs_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elastic_inference_runtime_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Elastic Inference Runtime endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elastic_inference_runtime_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Elastic
# Inference Runtime endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Inference Runtime endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elastic_inference_runtime_endpoint_subnet_ids = []

# Tags for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
elasticbeanstalk_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Elastic Beanstalk
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
elasticbeanstalk_endpoint_subnet_ids = []

# Tags for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_health_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk Health endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elasticbeanstalk_health_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk Health endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Beanstalk Health endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elasticbeanstalk_health_endpoint_subnet_ids = []

# Tags for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elb_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Load Balancing endpoint
elb_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Elastic Load Balancing endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
elb_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Elastic
# Load Balancing endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
elb_endpoint_subnet_ids = []

# Tags for the Elastic Load Balancing endpoint
elb_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
emr_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EMR endpoint
emr_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the EMR endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
emr_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the EMR
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, EMR endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
emr_endpoint_subnet_ids = []

# Tags for the EMR endpoint
emr_endpoint_tags = {}

# Set to true if you want to provision an Access Analyzer Endpoint within the
# VPC
enable_access_analyzer_endpoint = false

# Set to true if you want to provision an ACM PCA Endpoint within the VPC
enable_acm_pca_endpoint = false

# Set to true if you want to provision an API Gateway Endpoint within the VPC
enable_api_gateway_endpoint = false

# Set to true if you want to provision an AppMesh Envoy Management Endpoint
# within the VPC
enable_appmesh_envoy_management_endpoint = false

# Set to true if you want to provision an AppStream API Endpoint within the VPC
enable_appstream_api_endpoint = false

# Set to true if you want to provision an AppStream Streaming Endpoint within
# the VPC
enable_appstream_streaming_endpoint = false

# Set to true if you want to provision an Athena Endpoint within the VPC
enable_athena_endpoint = false

# Set to true if you want to provision an Auto Scaling Plans Endpoint within
# the VPC
enable_auto_scaling_plans_endpoint = false

# Set to true if you want to provision a Cloud Directory Endpoint within the
# VPC
enable_cloud_directory_endpoint = false

# Set to true if you want to provision a CloudFormation Endpoint within the VPC
enable_cloudformation_endpoint = false

# Set to true if you want to provision a CloudTrail Endpoint within the VPC
enable_cloudtrail_endpoint = false

# Set to true if you want to provision a CloudWatch Events Endpoint within the
# VPC
enable_cloudwatch_events_endpoint = false

# Set to true if you want to provision a CloudWatch Logs Endpoint within the
# VPC
enable_cloudwatch_logs_endpoint = false

# Set to true if you want to provision a CodeArtifact API Endpoint within the
# VPC
enable_codeartifact_api_endpoint = false

# Set to true if you want to provision a CodeArtifact Repositories Endpoint
# within the VPC
enable_codeartifact_repositories_endpoint = false

# Set to true if you want to provision a CodeBuild Endpoint within the VPC
enable_codebuild_endpoint = false

# Set to true if you want to provision a CodeCommit Endpoint within the VPC
enable_codecommit_endpoint = false

# Set to true if you want to provision a CodeDeploy Commands Secure Endpoint
# within the VPC
enable_codedeploy_commands_secure_endpoint = false

# Set to true if you want to provision a CodeDeploy Endpoint within the VPC
enable_codedeploy_endpoint = false

# Set to true if you want to provision a CodePipeline Endpoint within the VPC
enable_codepipeline_endpoint = false

# Set to true if you want to provision a Config Endpoint within the VPC
enable_config_endpoint = false

# Set to true if you want to provision a Data Sync Endpoint within the VPC
enable_datasync_endpoint = false

# Set to true if you want to provision an EBS Endpoint within the VPC.
enable_ebs_endpoint = false

# Set to true if you want to provision an EC2-Autoscaling Endpoint within the
# VPC
enable_ec2_autoscaling_endpoint = false

# Set to true if you want to provision an EC2 Endpoint within the VPC
enable_ec2_endpoint = false

# Set to true if you want to provision an EC2 Messages Endpoint within the VPC
enable_ec2messages_endpoint = false

# Set to true if you want to provision an ECR API Endpoint within the VPC
enable_ecr_api_endpoint = false

# Set to true if you want to provision an ECR DKR Endpoint within the VPC
enable_ecr_dkr_endpoint = false

# Set to true if you want to provision an ECS Agent Endpoint within the VPC
enable_ecs_agent_endpoint = false

# Set to true if you want to provision an ECS Endpoint within the VPC
enable_ecs_endpoint = false

# Set to true if you want to provision an ECS Telemetry Endpoint within the VPC
enable_ecs_telemetry_endpoint = false

# Set to true if you want to provision an EFS Endpoint within the VPC.
enable_efs_endpoint = false

# Set to true if you want to provision an Elastic Inference Runtime Endpoint
# within the VPC
enable_elastic_inference_runtime_endpoint = false

# Set to true if you want to provision an Elastic Beanstalk Endpoint within the
# VPC
enable_elasticbeanstalk_endpoint = false

# Set to true if you want to provision an Elastic Beanstalk Health Endpoint
# within the VPC
enable_elasticbeanstalk_health_endpoint = false

# Set to true if you want to provision an Elastic Load Balancing Endpoint
# within the VPC
enable_elb_endpoint = false

# Set to true if you want to provision an EMR Endpoint within the VPC
enable_emr_endpoint = false

# Set to true if you want to provision a Git CodeCommit Endpoint within the
# VPC
enable_git_codecommit_endpoint = false

# Set to true if you want to provision a Glue Endpoint within the VPC.
enable_glue_endpoint = false

# Set to true if you want to provision a Kinesis Firehose Endpoint within the
# VPC
enable_kinesis_firehose_endpoint = false

# Set to true if you want to provision a Kinesis Streams Endpoint within the
# VPC
enable_kinesis_streams_endpoint = false

# Set to true if you want to provision a KMS Endpoint within the VPC
enable_kms_endpoint = false

# Set to true if you want to provision a Lambda Endpoint within the VPC.
enable_lambda_endpoint = false

# Set to true if you want to provision a QLDB Session Endpoint within the VPC
enable_qldb_session_endpoint = false

# Set to true if you want to provision an RDS Endpoint within the VPC
enable_rds_endpoint = false

# Set to true if you want to provision a Redshift Data Endpoint within the VPC
enable_redshift_data_endpoint = false

# Set to true if you want to provision a Rekognition Endpoint within the VPC
enable_rekognition_endpoint = false

# Set to true if you want to provision a SageMaker API Endpoint within the VPC
enable_sagemaker_api_endpoint = false

# Set to true if you want to provision a SageMaker Runtime Endpoint within the
# VPC
enable_sagemaker_runtime_endpoint = false

# Set to true if you want to provision a Secrets Manager Endpoint within the
# VPC
enable_secretsmanager_endpoint = false

# Set to true if you want to provision a Service Catalog Endpoint within the
# VPC
enable_servicecatalog_endpoint = false

# Set to true if you want to provision a Simple Email Service Endpoint within
# the VPC
enable_ses_endpoint = false

# Set to true if you want to provision an SMS Endpoint within the VPC
enable_sms_endpoint = false

# Set to true if you want to provision an SNS Endpoint within the VPC
enable_sns_endpoint = false

# Set to true if you want to provision an SQS Endpoint within the VPC
enable_sqs_endpoint = false

# Set to true if you want to provision an SSM Endpoint within the VPC
enable_ssm_endpoint = false

# Set to true if you want to provision an SSM Messages Endpoint within the VPC
enable_ssmmessages_endpoint = false

# Set to true if you want to provision a Step Functions Endpoint within the VPC
enable_states_endpoint = false

# Set to true if you want to provision a Storage Gateway Endpoint within the
# VPC
enable_storagegateway_endpoint = false

# Set to true if you want to provision an STS Endpoint within the VPC
enable_sts_endpoint = false

# Set to true if you want to provision a Textract Endpoint within the VPC
enable_textract_endpoint = false

# Set to true if you want to provision a Transfer Endpoint within the VPC
enable_transfer_endpoint = false

# Set to true if you want to provision a Transfer Server Endpoint within the
# VPC
enable_transferserver_endpoint = false

# Set to true if you want to provision a CloudWatch Monitoring Endpoint within
# the VPC
enable_vpc_cloudwatch_monitoring_endpoint = false

# Set to true if you want to provision a VPC Lattice Endpoint within the VPC.
enable_vpc_lattice_endpoint = false

# Set to true if you want to provision a Workspaces Endpoint within the VPC
enable_workspaces_endpoint = false

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
git_codecommit_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Git CodeCommit endpoint
git_codecommit_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Git CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
git_codecommit_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Git
# CodeCommit endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Git CodeCommit
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
git_codecommit_endpoint_subnet_ids = []

# Tags for the Git CodeCommit endpoint
git_codecommit_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
glue_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Glue endpoint.
glue_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Glue endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
glue_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Glue
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
glue_endpoint_subnet_ids = []

# Tags for the Glue endpoint
glue_endpoint_tags = {}

# List of CIDR blocks where HTTPS ingress should be allowed from. Defaults to
# the VPC's CIDR if left empty. Only used if create_https_security_group is
# true.
https_security_group_cidr_blocks = []

# Name prefix to use on the created SG. A random string will be appended.
https_security_group_name_prefix = "allow-https-"

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_firehose_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Kinesis Firehose endpoint
kinesis_firehose_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Kinesis Firehose endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_firehose_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Kinesis
# Firehose endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Kinesis Firehose
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
kinesis_firehose_endpoint_subnet_ids = []

# Tags for the Kinesis Firehose endpoint
kinesis_firehose_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_streams_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Kinesis Streams endpoint
kinesis_streams_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Kinesis Streams endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_streams_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Kinesis
# Streams endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
kinesis_streams_endpoint_subnet_ids = []

# Tags for the Kinesis Streams endpoint
kinesis_streams_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kms_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the KMS endpoint
kms_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the KMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
kms_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the KMS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
kms_endpoint_subnet_ids = []

# Tags for the KMS endpoint
kms_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
lambda_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Lambda endpoint.
lambda_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Lambda endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
lambda_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Lambda
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
lambda_endpoint_subnet_ids = []

# Tags for the Lambda endpoint
lambda_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
qldb_session_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the QLDB Session endpoint
qldb_session_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the QLDB Session endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
qldb_session_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the QLDB
# Session endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, QLDB Session
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
qldb_session_endpoint_subnet_ids = []

# Tags for the QLDB Session endpoint
qldb_session_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rds_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the RDS endpoint
rds_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the RDS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
rds_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the RDS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, RDS endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
rds_endpoint_subnet_ids = []

# Tags for the RDS endpoint
rds_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
redshift_data_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Redshift endpoint
redshift_data_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Redshift endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
redshift_data_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Redshift
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
redshift_data_endpoint_subnet_ids = []

# Tags for the Redshift endpoint
redshift_data_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rekognition_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Rekognition endpoint
rekognition_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Rekognition endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
rekognition_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the
# Rekognition endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Rekognition endpoint
# is not supported in all the AZs, so this variable helps to overcome this
# issue.
rekognition_endpoint_subnet_ids = []

# Tags for the Rekognition endpoint
rekognition_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_api_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker API endpoint
sagemaker_api_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SageMaker API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_api_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SageMaker
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, SageMaker API endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
sagemaker_api_endpoint_subnet_ids = []

# Tags for the SageMaker API endpoint
sagemaker_api_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_runtime_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SageMaker Runtime endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_runtime_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SageMaker
# Runtime endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, SageMaker Runtime
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
sagemaker_runtime_endpoint_subnet_ids = []

# Tags for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
secretsmanager_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Secrets Manager endpoint
secretsmanager_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Secrets Manager endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
secretsmanager_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Secrets
# Manager endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
secretsmanager_endpoint_subnet_ids = []

# Tags for the Secrets Manager endpoint
secretsmanager_endpoint_tags = {}

# A list of IDs of the security groups which will apply for all endpoints.
# Must supply this or create_https_security_group = true.
security_group_ids = []

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
servicecatalog_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Service Catalog endpoint
servicecatalog_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Service Catalog endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
servicecatalog_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Service
# Catalog endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Service Catalog
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
servicecatalog_endpoint_subnet_ids = []

# Tags for the Service Catalog endpoint
servicecatalog_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ses_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Simple Email Service endpoint
ses_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Simple Email Service endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
ses_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Simple
# Email Service endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, SES is not supported
# in all the AZs, so this variable helps to overcome this issue.
ses_endpoint_subnet_ids = []

# Tags for the Simple Email Service endpoint
ses_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sms_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SMS endpoint
sms_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sms_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SMS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, SMS endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
sms_endpoint_subnet_ids = []

# Tags for the SMS endpoint
sms_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sns_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SNS endpoint
sns_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SNS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sns_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SNS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sns_endpoint_subnet_ids = []

# Tags for the SNS endpoint
sns_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sqs_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SQS endpoint
sqs_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SQS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sqs_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SQS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sqs_endpoint_subnet_ids = []

# Tags for the SQS endpoint
sqs_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssm_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM endpoint
ssm_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SSM endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ssm_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SSM
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ssm_endpoint_subnet_ids = []

# Tags for the SSM endpoint
ssm_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssmmessages_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM Messages endpoint
ssmmessages_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the SSM Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ssmmessages_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the SSM
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ssmmessages_endpoint_subnet_ids = []

# Tags for the SSM Messages endpoint
ssmmessages_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
states_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Step Function endpoint
states_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Step Function endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
states_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Step
# Function endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Step Function
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
states_endpoint_subnet_ids = []

# Tags for the Step Function endpoint
states_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
storagegateway_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Storage Gateway endpoint
storagegateway_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Storage Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
storagegateway_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Storage
# Gateway endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Storage Gateway
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
storagegateway_endpoint_subnet_ids = []

# Tags for the Storage Gateway endpoint
storagegateway_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sts_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the STS endpoint
sts_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the STS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sts_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the STS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sts_endpoint_subnet_ids = []

# Tags for the STS endpoint
sts_endpoint_tags = {}

# A map of tags to apply to all endpoints.
tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
textract_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Textract endpoint
textract_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Textract endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
textract_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Textract
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Textract endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
textract_endpoint_subnet_ids = []

# Tags for the Textract endpoint
textract_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transfer_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer endpoint
transfer_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Transfer endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
transfer_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Transfer
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Transfer endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
transfer_endpoint_subnet_ids = []

# Tags for the Transfer endpoint
transfer_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transferserver_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer Server endpoint
transferserver_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Transfer Server endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
transferserver_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Transfer
# Server endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Transfer Server
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
transferserver_endpoint_subnet_ids = []

# Tags for the Transfer Server endpoint
transferserver_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
vpc_lattice_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the VPC Lattice endpoint.
vpc_lattice_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the VPC Lattice endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
vpc_lattice_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the VPC
# Lattice endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
vpc_lattice_endpoint_subnet_ids = []

# Tags for the VPC Lattice endpoint
vpc_lattice_endpoint_tags = {}

# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
workspaces_endpoint_policy = null

# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Workspaces endpoint
workspaces_endpoint_private_dns_enabled = true

# The ID of one or more security groups to associate with the network
# interface for the Workspaces endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
workspaces_endpoint_security_group_ids = []

# The IDs of subnets in which to create a network interface for the Workspaces
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Workspaces endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
workspaces_endpoint_subnet_ids = []

# Tags for the Workspaces endpoint
workspaces_endpoint_tags = {}

}
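The `*_endpoint_policy` and `security_group_ids` variables above are the two places where the module lets you narrow who can reach an endpoint. As an added example (not the module's own code and not from the page), this wires them up for the Secrets Manager endpoint so that only principals in your own account can use it, and only over HTTPS from inside the VPC. `enable_secretsmanager_endpoint` is assumed to follow the `enable_ec2_endpoint` pattern shown earlier; `var.vpc_id`, `var.vpc_cidr_block` and `var.private_subnet_ids` are assumed inputs.

```hcl
# Added example: restrict who can use the Secrets Manager interface endpoint.
# Assumed names (not from the page): enable_secretsmanager_endpoint,
# var.vpc_id, var.vpc_cidr_block, var.private_subnet_ids.

data "aws_caller_identity" "current" {}

# Endpoint policy: only principals that belong to this account may call
# Secrets Manager through the endpoint. An endpoint policy is evaluated in
# addition to the caller's own IAM permissions and never widens them, so the
# wildcard principal is bounded by the aws:PrincipalAccount condition.
data "aws_iam_policy_document" "secretsmanager_endpoint" {
  statement {
    sid    = "AllowOnlyThisAccount"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Security group for the endpoint ENIs: HTTPS from inside the VPC only,
# instead of the VPC default security group the endpoint would otherwise get.
resource "aws_security_group" "secretsmanager_endpoint" {
  name        = "secretsmanager-vpc-endpoint"
  description = "HTTPS to the Secrets Manager interface endpoint from within the VPC"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr_block]
  }
  # No egress block: the endpoint ENI only answers requests and does not need
  # to initiate connections; return traffic is allowed by the stateful rules.
}

module "vpc_endpoints" {
  # Version taken from the page header; adjust to the release you deploy.
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v0.27.0"

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Satisfies "must supply this or create_https_security_group = true".
  security_group_ids = [aws_security_group.secretsmanager_endpoint.id]

  # Assumed to follow the enable_ec2_endpoint pattern shown earlier on the page.
  enable_secretsmanager_endpoint = true

  secretsmanager_endpoint_policy              = data.aws_iam_policy_document.secretsmanager_endpoint.json
  secretsmanager_endpoint_private_dns_enabled = true
  secretsmanager_endpoint_tags                = { Name = "secretsmanager-endpoint" }

  tags = { Environment = "prod" }
}
```

With this in place, a request that reaches the endpoint with credentials from a different account is refused at the endpoint, regardless of what that principal's own IAM policy allows.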


Reference

Required

subnet_ids list(string) required

A list of IDs of the subnets for all endpoints. Each endpoint will create one ENI (Elastic Network Interface) per subnet.

vpc_id string required

The ID of the VPC for all modules

Optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Access Analyzer endpoint

true

The ID of one or more security groups to associate with the network interface for the Access Analyzer endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Access Analyzer endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Access Analyzer endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Access Analyzer endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the ACM PCA endpoint

true

The ID of one or more security groups to associate with the network interface for the ACM PCA endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
acm_pca_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the ACM PCA endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, ACM PCA endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
acm_pca_endpoint_tags map(string) optional

Tags for the ACM PCA endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the API Gateway endpoint

true

The ID of one or more security groups to associate with the network interface for the API Gateway endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the API Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
api_gateway_endpoint_tags map(string) optional

Tags for the API Gateway endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppMesh endpoint

true

The ID of one or more security groups to associate with the network interface for the AppMesh endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the AppMesh endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppMesh endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the AppMesh endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppStream API endpoint

true

The ID of one or more security groups to associate with the network interface for the AppStream API endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the AppStream API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppStream API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
appstream_api_endpoint_tags map(string) optional

Tags for the AppStream API endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppStream STREAMING endpoint

true

The ID of one or more security groups to associate with the network interface for the AppStream STREAMING endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the AppStream STREAMING endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppStream STREAMING endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the AppStream STREAMING endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Athena endpoint

true

The ID of one or more security groups to associate with the network interface for the Athena endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
athena_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Athena endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Athena endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
athena_endpoint_tags map(string) optional

Tags for the Athena endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Auto Scaling Plans endpoint

true

The ID of one or more security groups to associate with the network interface for the Auto Scaling Plans endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Auto Scaling Plans endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Auto Scaling Plans endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Cloud Directory endpoint

true

The ID of one or more security groups to associate with the network interface for the Cloud Directory endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Cloud Directory endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Cloud Directory endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Cloud Directory endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudFormation endpoint

true

The ID of one or more security groups to associate with the network interface for the CloudFormation endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CloudFormation endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
cloudformation_endpoint_tags map(string) optional

Tags for the CloudFormation endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudTrail endpoint

true

The ID of one or more security groups to associate with the network interface for the CloudTrail endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
cloudtrail_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
cloudtrail_endpoint_tags (map(string), optional)

Tags for the CloudTrail endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Events endpoint

true

The ID of one or more security groups to associate with the network interface for the CloudWatch Events endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]

Tags for the CloudWatch Events endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Logs endpoint

true

The ID of one or more security groups to associate with the network interface for the CloudWatch Logs endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]

Tags for the CloudWatch Logs endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Monitoring endpoint

true

The ID of one or more security groups to associate with the network interface for the CloudWatch Monitoring endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]

Tags for the CloudWatch Monitoring endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeArtifact API endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeArtifact API endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CodeArtifact API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, the CodeArtifact API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the CodeArtifact API endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeArtifact repositories endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeArtifact repositories endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CodeArtifact repositories endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, the CodeArtifact repositories endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the CodeArtifact repositories endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeBuild endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeBuild endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
codebuild_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the CodeBuild endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeBuild endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
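
The per-endpoint subnet override above exists because an interface endpoint accepts at most one subnet per AZ and some services are not offered in every AZ of a region. The following is an added example, not part of the module's documentation, showing how to derive codebuild_endpoint_subnet_ids from that constraint instead of hard-coding it: it asks the aws_vpc_endpoint_service data source which AZs the CodeBuild endpoint service supports in the current region and picks one private subnet in each of them. var.vpc_id, var.private_subnet_ids and var.endpoint_security_group_ids are assumed inputs, the ?ref tag is the one used in the page's own EC2 example, and enable_codebuild_endpoint is assumed to follow the enable_<service>_endpoint naming the page shows for EC2.

```hcl
# Added example, not the module's own code. Assumed inputs: var.vpc_id,
# var.private_subnet_ids, var.endpoint_security_group_ids; the enable flag
# name is assumed from the enable_<service>_endpoint pattern.

# Which AZs actually offer the CodeBuild interface endpoint service here.
data "aws_vpc_endpoint_service" "codebuild" {
  service = "codebuild"
}

# Look up each candidate subnet so we know its AZ.
data "aws_subnet" "private" {
  for_each = toset(var.private_subnet_ids)
  id       = each.value
}

locals {
  # Group subnets by AZ (the "..." makes values lists): the endpoint accepts
  # at most one subnet per AZ, so we must pick one even if the VPC has more.
  private_subnets_by_az = {
    for s in data.aws_subnet.private : s.availability_zone => s.id...
  }

  # One subnet per supported AZ; sort() keeps the choice stable across plans.
  codebuild_endpoint_subnet_ids = [
    for az, ids in local.private_subnets_by_az : sort(ids)[0]
    if contains(data.aws_vpc_endpoint_service.codebuild.availability_zones, az)
  ]
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id             = var.vpc_id
  subnet_ids         = var.private_subnet_ids
  security_group_ids = var.endpoint_security_group_ids

  enable_codebuild_endpoint     = true
  codebuild_endpoint_subnet_ids = local.codebuild_endpoint_subnet_ids
}

# Make the gap visible rather than discovering it during an AZ event.
output "codebuild_endpoint_azs_without_coverage" {
  value = setsubtract(
    toset(keys(local.private_subnets_by_az)),
    toset(data.aws_vpc_endpoint_service.codebuild.availability_zones),
  )
}
```

Workloads in an AZ that the output lists still reach CodeBuild through the endpoint, because private DNS resolves the service hostname to the endpoint network interfaces in the other AZs; the cost is that this traffic crosses AZs and loses AZ-local fault isolation.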
codebuild_endpoint_tags (map(string), optional)

Tags for the CodeBuild endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeCommit endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeCommit endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
codecommit_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the CodeCommit API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeCommit endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
codecommit_endpoint_tags (map(string), optional)

Tags for the CodeCommit endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeDeploy Commands Secure endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeDeploy Commands Secure endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeDeploy Commands Secure endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the CodeDeploy Commands Secure endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeDeploy endpoint

true

The ID of one or more security groups to associate with the network interface for the CodeDeploy endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
codedeploy_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the CodeDeploy endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeDeploy endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
codedeploy_endpoint_tags (map(string), optional)

Tags for the CodeDeploy endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodePipeline endpoint

true

The ID of one or more security groups to associate with the network interface for the CodePipeline endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the CodePipeline endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodePipeline endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
codepipeline_endpoint_tags (map(string), optional)

Tags for the CodePipeline endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Config endpoint

true

The ID of one or more security groups to associate with the network interface for the Config endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
config_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the Config endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
config_endpoint_tags (map(string), optional)

Tags for the Config endpoint

{}

If true, creates a security group that allows inbound TCP 443 (HTTPS, the only port interface endpoints serve) from the configured HTTPS ingress CIDR blocks, which default to the VPC's CIDR, and applies it to all endpoints. Either set this to true or supply your own security groups in security_group_ids.

false

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Data Sync endpoint

true

The ID of one or more security groups to associate with the network interface for the Data Sync endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
datasync_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the Data Sync endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Data Sync endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
datasync_endpoint_tags (map(string), optional)

Tags for the Data Sync endpoint

{}
ebs_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EBS endpoint.

true

The ID of one or more security groups to associate with the network interface for the EBS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ebs_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the EBS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ebs_endpoint_tags (map(string), optional)

Tags for the EBS endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2-Autoscaling endpoint

true

The ID of one or more security groups to associate with the network interface for the EC2-Autoscaling endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the EC2-Autoscaling endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, EC2-Autoscaling endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the EC2-Autoscaling endpoint

{}
ec2_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null
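
Two of the variables on this page decide how exposed an endpoint is: the security group on its network interfaces (create_https_security_group, or your own groups in security_group_ids) and the endpoint policy, which is AWS's full-access default whenever ec2_endpoint_policy is left null. The following is an added example, not the module's own code, that tightens both for the EC2 endpoint: the endpoint security group accepts TCP 443 only from the application's security group rather than from the whole VPC CIDR, and the endpoint policy allows only EC2 Describe calls made by this account's instance role. Assumed names: var.vpc_id, var.private_subnet_ids, aws_security_group.app (the group your instances run with) and var.app_instance_role_arn; the ?ref tag is the one used in the page's EC2 example.

```hcl
# Added example, not the module's own code. Assumed inputs: var.vpc_id,
# var.private_subnet_ids, aws_security_group.app, var.app_instance_role_arn.

data "aws_caller_identity" "current" {}

# Endpoint ENIs only ever serve HTTPS, so TCP 443 from the caller's SG is all
# they need. This is the tighter alternative to create_https_security_group =
# true, which opens 443 to the whole VPC CIDR by default. No egress rule is
# defined: the ENIs only answer requests, and security groups are stateful.
resource "aws_security_group" "vpc_endpoint" {
  name_prefix = "vpc-endpoint-"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "https_from_app" {
  security_group_id            = aws_security_group.vpc_endpoint.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# Endpoint policy. With policy = null the endpoint honours any principal's
# credentials, including keys from an unrelated AWS account that an attacker
# has brought into the VPC. Pin it to this account's instance role instead.
data "aws_iam_policy_document" "ec2_endpoint" {
  statement {
    sid       = "OnlyOurInstanceRoleReadOnly"
    effect    = "Allow"
    actions   = ["ec2:Describe*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Both conditions must hold: our account, and specifically our role.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = [var.app_instance_role_arn]
    }
  }
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Bring our own SG instead of the module-created allow-https group.
  create_https_security_group = false
  security_group_ids          = [aws_security_group.vpc_endpoint.id]

  enable_ec2_endpoint = true
  ec2_endpoint_policy = data.aws_iam_policy_document.ec2_endpoint.json
}
```

An endpoint policy never grants anything on its own: a request must be allowed both by the caller's IAM policy and by the endpoint policy, so the policy can only narrow access. List every role that legitimately uses the endpoint (aws:PrincipalArn for an assumed-role session is the role ARN, not the session ARN), and leave the default policy in place for any service whose endpoint does not support custom policies.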

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2 endpoint

true

The ID of one or more security groups to associate with the network interface for the EC2 endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ec2_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ec2_endpoint_tags (map(string), optional)

Tags for the EC2 endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2 Messages endpoint

true

The ID of one or more security groups to associate with the network interface for the EC2 Messages endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the EC2 Messages endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ec2messages_endpoint_tags (map(string), optional)

Tags for the EC2 Messages endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECR API endpoint

true

The ID of one or more security groups to associate with the network interface for the ECR API endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ecr_api_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the ECR API endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ecr_api_endpoint_tags (map(string), optional)

Tags for the ECR API endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for ECR DKR endpoint

true

The ID of one or more security groups to associate with the network interface for the ECR DKR endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ecr_dkr_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the ECR DKR endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ecr_dkr_endpoint_tags (map(string), optional)

Tags for the ECR DKR endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS Agent endpoint

true

The ID of one or more security groups to associate with the network interface for the ECS Agent endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ecs_agent_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ecs_agent_endpoint_tags (map(string), optional)

Tags for the ECS Agent endpoint

{}
ecs_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS endpoint

true

The ID of one or more security groups to associate with the network interface for the ECS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ecs_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the ECS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ecs_endpoint_tags (map(string), optional)

Tags for the ECS endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS Telemetry endpoint

true

The ID of one or more security groups to associate with the network interface for the ECS Telemetry endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ecs_telemetry_endpoint_tags (map(string), optional)

Tags for the ECS Telemetry endpoint

{}
efs_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EFS endpoint.

true

The ID of one or more security groups to associate with the network interface for the EFS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
efs_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the EFS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
efs_endpoint_tags (map(string), optional)

Tags for the EFS endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Inference Runtime endpoint

true

The ID of one or more security groups to associate with the network interface for the Elastic Inference Runtime endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Elastic Inference Runtime endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Elastic Inference Runtime endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Beanstalk endpoint

true

The ID of one or more security groups to associate with the network interface for the Elastic Beanstalk endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Elastic Beanstalk endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Elastic Beanstalk endpoint

{}

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Beanstalk Health endpoint

true

The ID of one or more security groups to associate with the network interface for the Elastic Beanstalk Health endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Elastic Beanstalk Health endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the Elastic Beanstalk Health endpoint

{}
elb_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Load Balancing endpoint

true

The ID of one or more security groups to associate with the network interface for the Elastic Load Balancing endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
elb_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
elb_endpoint_tags (map(string), optional)

Tags for the Elastic Load Balancing endpoint

{}
emr_endpoint_policy (string, optional)

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the EMR endpoint

true

The ID of one or more security groups to associate with the network interface for the EMR endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
emr_endpoint_subnet_ids (list(string), optional)

The IDs of subnets in which to create a network interface for the EMR endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, EMR endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
emr_endpoint_tags (map(string), optional)

Tags for the EMR endpoint

{}

Set to true if you want to provision an Access Analyzer endpoint within the VPC

false

Set to true if you want to provision an ACM PCA endpoint within the VPC

false

Set to true if you want to provision an API Gateway endpoint within the VPC

false

Set to true if you want to provision an App Mesh endpoint within the VPC

false

Set to true if you want to provision an AppStream API endpoint within the VPC

false

Set to true if you want to provision an AppStream streaming endpoint within the VPC

false

Set to true if you want to provision an Athena endpoint within the VPC

false

Set to true if you want to provision an Auto Scaling Plans endpoint within the VPC

false

Set to true if you want to provision a Cloud Directory endpoint within the VPC

false

Set to true if you want to provision a CloudFormation endpoint within the VPC

false

Set to true if you want to provision a CloudTrail endpoint within the VPC

false

Set to true if you want to provision a CloudWatch Events endpoint within the VPC

false

Set to true if you want to provision a CloudWatch Logs endpoint within the VPC

false

Set to true if you want to provision a CodeArtifact API endpoint within the VPC

false

Set to true if you want to provision a CodeArtifact repositories endpoint within the VPC

false

Set to true if you want to provision a CodeBuild endpoint within the VPC

false

Set to true if you want to provision a CodeCommit endpoint within the VPC

false

Set to true if you want to provision a CodeDeploy Commands Secure endpoint within the VPC

false

Set to true if you want to provision a CodeDeploy endpoint within the VPC

false

Set to true if you want to provision a CodePipeline endpoint within the VPC

false

Set to true if you want to provision a Config endpoint within the VPC

false

Set to true if you want to provision a Data Sync endpoint within the VPC

false

Set to true if you want to provision an EBS endpoint within the VPC

false

Set to true if you want to provision an EC2-Autoscaling endpoint within the VPC

false

Set to true if you want to provision an EC2 endpoint within the VPC

false

Set to true if you want to provision an EC2 Messages endpoint within the VPC

false

Set to true if you want to provision an ECR API endpoint within the VPC

false

Set to true if you want to provision an ECR DKR endpoint within the VPC

false

Set to true if you want to provision an ECS Agent endpoint within the VPC

false

Set to true if you want to provision an ECS endpoint within the VPC

false

Set to true if you want to provision an ECS Telemetry endpoint within the VPC

false

Set to true if you want to provision an EFS endpoint within the VPC

false

Set to true if you want to provision an Elastic Inference Runtime endpoint within the VPC

false

Set to true if you want to provision an Elastic Beanstalk endpoint within the VPC

false

Set to true if you want to provision an Elastic Beanstalk Health endpoint within the VPC

false

Set to true if you want to provision an Elastic Load Balancing endpoint within the VPC

false

Set to true if you want to provision an EMR endpoint within the VPC

false

Set to true if you want to provision a Git CodeCommit endpoint within the VPC

false

Set to true if you want to provision a Glue endpoint within the VPC

false

Set to true if you want to provision a Kinesis Firehose endpoint within the VPC

false

Set to true if you want to provision a Kinesis Streams endpoint within the VPC

false

Set to true if you want to provision a KMS endpoint within the VPC

false

Set to true if you want to provision a Lambda endpoint within the VPC

false

Set to true if you want to provision a QLDB Session endpoint within the VPC

false

Set to true if you want to provision an RDS endpoint within the VPC

false

Set to true if you want to provision a Redshift endpoint within the VPC

false

Set to true if you want to provision a Rekognition endpoint within the VPC

false

Set to true if you want to provision a SageMaker API endpoint within the VPC

false

Set to true if you want to provision a SageMaker Runtime endpoint within the VPC

false

Set to true if you want to provision a Secrets Manager endpoint within the VPC

false

Set to true if you want to provision a Service Catalog endpoint within the VPC

false

Set to true if you want to provision a Simple Email Service endpoint within the VPC

false

Set to true if you want to provision an SMS endpoint within the VPC

false

Set to true if you want to provision an SNS endpoint within the VPC

false

Set to true if you want to provision an SQS endpoint within the VPC

false

Set to true if you want to provision an SSM endpoint within the VPC

false

Set to true if you want to provision an SSM Messages endpoint within the VPC

false

Set to true if you want to provision a Step Functions endpoint within the VPC

false

Set to true if you want to provision a Storage Gateway endpoint within the VPC

false

Set to true if you want to provision an STS endpoint within the VPC

false

Set to true if you want to provision a Textract endpoint within the VPC

false

Set to true if you want to provision a Transfer endpoint within the VPC

false

Set to true if you want to provision a Transfer Server endpoint within the VPC

false

Set to true if you want to provision a CloudWatch Monitoring endpoint within the VPC

false

Set to true if you want to provision a VPC Lattice endpoint within the VPC

false

Set to true if you want to provision a WorkSpaces endpoint within the VPC

false

VPC endpoint policy (an IAM resource policy document, as JSON) attached to this endpoint. It restricts which principals may use the endpoint and which actions and resources they may reach through it; for example, you can allow only the IAM role your EC2 instances run under to call the service through this endpoint. If not specified, AWS attaches its default endpoint policy, which allows any principal full access to the service through the endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Git CodeCommit API endpoint

true

The ID of one or more security groups to associate with the network interface for the Git CodeCommit endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Git CodeCommit API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Git CodeCommit endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
git_codecommit_endpoint_tags map(string) optional

Tags for the Git CodeCommit endpoint

{}
glue_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Glue endpoint.

true

The ID of one or more security groups to associate with the network interface for the glue endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
glue_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the glue endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
glue_endpoint_tags map(string) optional

Tags for the Glue endpoint

{}

List of CIDR blocks where HTTPS ingress should be allowed from. Defaults to the VPC's CIDR if left empty. Only used if create_https_security_group is true.

[]

Name prefix to use on the created SG. A random string will be appended.

"allow-https-"

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the KINESIS Firehose endpoint

true

The ID of one or more security groups to associate with the network interface for the KINESIS Firehose endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the KINESIS Firehose endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, KINESIS Firehose endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the KINESIS Firehose endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Kinesis Streams endpoint

true

The ID of one or more security groups to associate with the network interface for the Kinesis Streams endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]

Tags for the Kinesis endpoint

{}
kms_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the KMS endpoint

true

The ID of one or more security groups to associate with the network interface for the KMS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
kms_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the KMS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
kms_endpoint_tags map(string) optional

Tags for the KMS endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Lambda endpoint.

true

The ID of one or more security groups to associate with the network interface for the Lambda endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
lambda_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
lambda_endpoint_tags map(string) optional

Tags for the Lambda endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the QLDB Session endpoint

true

The ID of one or more security groups to associate with the network interface for the QLDB Session endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the QLDB Session endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, QLDB Session endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
qldb_session_endpoint_tags map(string) optional

Tags for the QLDB Session endpoint

{}
rds_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the RDS endpoint

true

The ID of one or more security groups to associate with the network interface for the RDS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
rds_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the RDS endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, RDS endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
rds_endpoint_tags map(string) optional

Tags for the RDS endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Redshift endpoint

true

The ID of one or more security groups to associate with the network interface for the Redshift endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Redshift endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
redshift_data_endpoint_tags map(string) optional

Tags for the Redshift endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Rekognition endpoint

true

The ID of one or more security groups to associate with the network interface for the Rekognition endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Rekognition endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Rekognition endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
rekognition_endpoint_tags map(string) optional

Tags for the Rekognition endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SageMaker API endpoint

true

The ID of one or more security groups to associate with the network interface for the SageMaker API endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the SageMaker API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, SageMaker API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
sagemaker_api_endpoint_tags map(string) optional

Tags for the SageMaker API endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SageMaker Runtime endpoint

true

The ID of one or more security groups to associate with the network interface for the SageMaker Runtime endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, SageMaker Runtime endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]

Tags for the SageMaker Runtime endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Secrets Manager endpoint

true

The ID of one or more security groups to associate with the network interface for the Secrets Manager endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
secretsmanager_endpoint_tags map(string) optional

Tags for the Secrets Manager endpoint

{}
security_group_ids list(string) optional

A list of IDs of the security groups that will apply to all endpoints. You must either supply this or set create_https_security_group = true.

[]

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Service Catalog endpoint

true

The ID of one or more security groups to associate with the network interface for the Service Catalog endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Service Catalog endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Service Catalog endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
servicecatalog_endpoint_tags map(string) optional

Tags for the Service Catalog endpoint

{}
ses_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Simple Email Service endpoint

true

The ID of one or more security groups to associate with the network interface for the Simple Email Service endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ses_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Simple Email Service endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, SES is not supported in all the AZs, so this variable helps to overcome this issue.

[]
ses_endpoint_tags map(string) optional

Tags for the Simple Email Service endpoint

{}
sms_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SMS endpoint

true

The ID of one or more security groups to associate with the network interface for the SMS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
sms_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the SMS endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, SMS endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
sms_endpoint_tags map(string) optional

Tags for the SMS endpoint

{}
sns_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SNS endpoint

true

The ID of one or more security groups to associate with the network interface for the SNS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
sns_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the SNS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
sns_endpoint_tags map(string) optional

Tags for the SNS endpoint

{}
sqs_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SQS endpoint

true

The ID of one or more security groups to associate with the network interface for the SQS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
sqs_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the SQS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
sqs_endpoint_tags map(string) optional

Tags for the SQS endpoint

{}
ssm_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SSM endpoint

true

The ID of one or more security groups to associate with the network interface for the SSM endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
ssm_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the SSM endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ssm_endpoint_tags map(string) optional

Tags for the SSM endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the SSM Messages endpoint

true

The ID of one or more security groups to associate with the network interface for the SSM Messages endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the SSM Messages endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
ssmmessages_endpoint_tags map(string) optional

Tags for the SSM Messages endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Step Function endpoint

true

The ID of one or more security groups to associate with the network interface for the Step Function endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
states_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Step Function endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Step Function endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
states_endpoint_tags map(string) optional

Tags for the Step Function endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Storage Gateway endpoint

true

The ID of one or more security groups to associate with the network interface for the Storage Gateway endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Storage Gateway endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Storage Gateway endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
storagegateway_endpoint_tags map(string) optional

Tags for the Storage Gateway endpoint

{}
sts_endpoint_policy string optional

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the STS endpoint

true

The ID of one or more security groups to associate with the network interface for the STS endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
sts_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the STS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
sts_endpoint_tags map(string) optional

Tags for the STS endpoint

{}
tags map(string) optional

A map of tags to apply to all endpoints.

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Textract endpoint

true

The ID of one or more security groups to associate with the network interface for the Textract endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
textract_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Textract endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Textract endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
textract_endpoint_tags map(string) optional

Tags for the Textract endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Transfer endpoint

true

The ID of one or more security groups to associate with the network interface for the Transfer endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
transfer_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Transfer endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Transfer endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
transfer_endpoint_tags map(string) optional

Tags for the Transfer endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Transfer Server endpoint

true

The ID of one or more security groups to associate with the network interface for the Transfer Server endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the Transfer Server endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Transfer Server endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
transferserver_endpoint_tags map(string) optional

Tags for the Transfer Server endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the VPC lattice endpoint.

true

The ID of one or more security groups to associate with the network interface for the VPC lattice endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]

The IDs of subnets in which to create a network interface for the VPC lattice endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.

[]
vpc_lattice_endpoint_tags map(string) optional

Tags for the VPC lattice endpoint

{}

IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.

null

Set to false if you don't want to associate a private hosted zone with the specified VPC for the Workspaces endpoint

true

The ID of one or more security groups to associate with the network interface for the Workspaces endpoint. If none is provided, AWS will associate the default security group for the VPC.

[]
workspaces_endpoint_subnet_ids list(string) optional

The IDs of subnets in which to create a network interface for the Workspaces endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Workspaces endpoint is not supported in all the AZs, so this variable helps to overcome this issue.

[]
workspaces_endpoint_tags map(string) optional

Tags for the Workspaces endpoint

{}
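The `*_endpoint_policy`, `security_group_ids` and `*_endpoint_subnet_ids` variables above each get one line of description, but how they fit together in a hardened deployment is easier to see in a complete configuration. The following is an added example written for this reference, not code from the module or from Gruntwork. It assumes a `vpc_id`, a `vpc_cidr_block`, a list of private subnet IDs and an `enable_kms_endpoint`-style flag (the enable flag name follows the `enable_<service>_endpoint` pattern and is an assumption here, as is the module `source` placeholder); everything else uses only variable names documented on this page. The endpoint policy restricts the KMS and STS endpoints to principals from the calling account, so credentials belonging to any other AWS account cannot use the private endpoint, while the security group limits the endpoint ENIs to HTTPS from inside the VPC CIDR.

```hcl
# Added example, not part of the module. Inputs below are assumptions for this
# snippet; wire them to your own VPC module outputs.
variable "vpc_id" { type = string }
variable "vpc_cidr_block" { type = string }
variable "private_subnet_ids" { type = list(string) } # one subnet per AZ

data "aws_caller_identity" "current" {}

# Endpoint policy: allow any action, but only for principals that belong to this
# account. The endpoint policy is an extra gate in front of IAM; identity policies
# and KMS key policies still apply, so "*" on actions/resources here is not a grant.
data "aws_iam_policy_document" "same_account_only" {
  statement {
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Rejects requests signed with credentials from any other AWS account,
    # which closes the "ship data out through the private endpoint" path.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Security group for the endpoint network interfaces: HTTPS only, VPC CIDR only.
# This is the hand-built equivalent of create_https_security_group = true; the
# weak version of this rule would be cidr_blocks = ["0.0.0.0/0"].
resource "aws_security_group" "vpc_endpoint" {
  name_prefix = "allow-https-"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr_block]
  }
}

module "vpc_endpoints" {
  source = "<path or git URL of this module>" # placeholder, pin to a released version

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Applies to every endpoint the module creates (security_group_ids is required
  # unless create_https_security_group = true).
  security_group_ids = [aws_security_group.vpc_endpoint.id]

  # Assumed enable flags; the exact names follow the enable_<service>_endpoint pattern.
  enable_kms_endpoint = true
  enable_sts_endpoint = true

  # Per-endpoint policies documented above.
  kms_endpoint_policy = data.aws_iam_policy_document.same_account_only.json
  sts_endpoint_policy = data.aws_iam_policy_document.same_account_only.json

  # Optional per-endpoint subnet override for a service that is not offered in
  # every AZ of the region; when omitted, subnet_ids is used for that endpoint.
  kms_endpoint_subnet_ids = slice(var.private_subnet_ids, 0, 2)

  tags              = { Environment = "prod", ManagedBy = "terraform" }
  kms_endpoint_tags = { Service = "kms" }
}
```

If you operate several accounts under AWS Organizations, swap the `aws:PrincipalAccount` condition for `aws:PrincipalOrgID` with your organization ID so the endpoint accepts any account in the org and still refuses everyone else. Keep the ingress rule at the VPC CIDR (or tighter, at the workload security group) rather than `0.0.0.0/0`: the endpoint ENIs sit in your private subnets, and there is no legitimate caller outside them.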