Interface VPC Endpoint
By default, if code running within your VPCs makes API calls to AWS (e.g., to fetch data from S3 or trigger a Lambda function), those API calls leave the VPC, and are routed via the public Internet. This Terraform Module launches VPC endpoints that allow code running within your VPCs to privately connect to AWS services and APIs without the traffic leaving the VPC and without going over the public Internet. Although all API calls to AWS are encrypted with TLS, VPC endpoints give you one extra layer of security by keeping your API calls within the AWS network.
If your code only needs to talk to AWS APIs, and nothing else in the public Internet, VPC Endpoints remove the need for running an internet gateway, NAT device, or VPN connection. Under the hood, the VPC Endpoints created by this module are powered by AWS PrivateLink, which costs $0.01/hour and $0.01 per GB data processed - in comparison, NAT Gateway costs $0.045/hour and $0.45 per GB data processed.
Using AWS service endpoints
Once you've created VPC endpoints using this module, this section describes how code running in your VPC can make use of those endpoints.
For all AWS services except STS
For almost all AWS Service endpoints, except STS (which is described in the next section), if you enable the endpoint for it in this module, any resources you have running in the VPC will automatically start using that endpoint immediately—so there's really nothing else you need to do!
For example, let's say you created the EC2 endpoint as follows:
module "example" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  # Create the EC2 endpoint
  enable_ec2_endpoint = true

  vpc_id             = "<YOUR_VPC_ID>"
  subnet_ids         = ["<YOUR_SUBNET_IDS>"]
  security_group_ids = [aws_security_group.vpc_endpoint.id]
}

resource "aws_security_group" "vpc_endpoint" {
  vpc_id = module.vpc_app_example.vpc_id

  # Allow inbound HTTPS for AWS API calls
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
If you have an EC2 instance running in the subnets passed to var.subnet_ids, then any code on that EC2 instance that uses the AWS SDK will now automatically use a private endpoint for talking to the EC2 API. For example, if you were running in eu-west-1 and you used the AWS CLI to make the following API call:
aws ec2 describe-instances \
--region eu-west-1 \
--debug
You would see in the log output something like:
POST
content-type:application/x-www-form-urlencoded; charset=utf-8
host:ec2.eu-west-1.amazonaws.com
You can see that the code is using a regional endpoint to talk to the EC2 service: ec2.eu-west-1.amazonaws.com. You can use dig to get info about this endpoint:
dig +short ec2.eu-west-1.amazonaws.com
This should return private IPs from within your VPC. For example, if your VPC used the CIDR block 10.0.0.0/16, this might return something like:
10.0.0.24
10.0.0.25
10.0.0.26
This tells you that, to talk to the EC2 service, your code is using a regional endpoint that is private to your VPC, rather than routing out via the public Internet.
Special behavior for the STS service
The behavior explained in the previous section applies to all AWS services except the Security Token Service (STS).
Per the AWS docs, for backwards compatibility reasons, all AWS STS requests go to a single global endpoint at https://sts.amazonaws.com.
That means that, even if you create a private endpoint for STS, it won't get used unless you follow the steps below.
First, use this module to create the STS endpoint:
module "example" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  # Create the STS endpoint
  enable_sts_endpoint = true

  vpc_id             = "<YOUR_VPC_ID>"
  subnet_ids         = ["<YOUR_SUBNET_IDS>"]
  security_group_ids = [aws_security_group.vpc_endpoint.id]
}

resource "aws_security_group" "vpc_endpoint" {
  vpc_id = module.vpc_app_example.vpc_id

  # Allow inbound HTTPS for AWS API calls
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
Next, any time you have code that needs to talk to STS—e.g., to assume an IAM role or use get-caller-identity to look up its own identity—you need to configure that code to use a regional endpoint. You can do this using the sts_regional_endpoints configuration.
You can either set this parameter in the AWS CLI config file at ~/.aws/config:
sts_regional_endpoints = regional
Or you can set it as the environment variable AWS_STS_REGIONAL_ENDPOINTS:
export AWS_STS_REGIONAL_ENDPOINTS=regional
This should work for most AWS SDK/CLI tools. Example:
aws sts get-caller-identity \
--region eu-west-1 \
--debug
Should show in the logs:
POST
content-type:application/x-www-form-urlencoded; charset=utf-8
host:sts.eu-west-1.amazonaws.com
This confirms that a regional endpoint is being used, which should be routed to your private endpoint.
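The two checks described above (resolving an API hostname with dig and reading the host header out of the CLI's --debug output) combined into one script, so you can verify both the EC2 and the STS endpoint in one go. This is an added example, not code from the module or its docs; it assumes dig and the AWS CLI are installed, takes the region and your VPC CIDR as arguments, and all function names are my own. The address arithmetic is plain POSIX sh so the script runs on a stock instance image.

```shell
#!/bin/sh
# Added example, not part of the module docs: check that the AWS API hostnames
# your code uses resolve to addresses inside your VPC CIDR, i.e. that the
# interface endpoints' private DNS is in effect. POSIX sh; dig and the AWS CLI
# are only needed by the live checks in main().

# ip_to_int 10.0.0.24 -> 167772184 (the dotted quad as one integer)
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> true when IP lies inside CIDR, e.g. in_cidr 10.0.0.24 10.0.0.0/16
in_cidr() {
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# all_private "IP IP ..." CIDR -> true only if the list is non-empty and every
# address is inside CIDR (one public address means some calls leave the VPC)
all_private() {
  [ -n "$1" ] || return 1
  for ip in $1; do
    in_cidr "$ip" "$2" || return 1
  done
}

# check_endpoint HOSTNAME VPC_CIDR -> resolve with dig, as the docs do, and
# report whether every A record is private to the VPC
check_endpoint() {
  host=$1; cidr=$2
  resolved=$(dig +short "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$')
  shown=$(printf '%s ' $resolved)
  [ -n "$shown" ] || shown='<no A records>'
  if all_private "$resolved" "$cidr"; then
    echo "OK   $host -> $shown(inside $cidr)"
  else
    echo "WARN $host -> $shown(not inside $cidr: these calls leave the VPC)"
    return 1
  fi
}

# sts_host_in_use REGION -> the host the CLI signs STS requests for, read from
# its --debug output exactly as the docs do, with the regional setting enabled
sts_host_in_use() {
  AWS_STS_REGIONAL_ENDPOINTS=regional aws sts get-caller-identity \
    --region "$1" --debug 2>&1 | grep -o 'host:sts[^[:space:]]*' | head -n 1 | cut -d: -f2
}

# main REGION VPC_CIDR -> 0 only if EC2 and STS are both reached privately
main() {
  region=$1; cidr=$2; status=0
  # EC2 (like almost every service) picks the regional hostname on its own
  check_endpoint "ec2.$region.amazonaws.com" "$cidr" || status=1
  # STS only does so when AWS_STS_REGIONAL_ENDPOINTS=regional is set;
  # the global sts.amazonaws.com never resolves into the VPC
  check_endpoint "sts.$region.amazonaws.com" "$cidr" || status=1
  used=$(sts_host_in_use "$region")
  if [ "$used" = "sts.$region.amazonaws.com" ]; then
    echo "OK   STS requests go to $used"
  else
    echo "WARN STS requests go to ${used:-<unknown>}: the private STS endpoint is bypassed"
    status=1
  fi
  return $status
}

# usage: sh check_endpoints.sh eu-west-1 10.0.0.0/16
if [ $# -ge 2 ]; then
  main "$@"
fi
```

A non-zero exit from main is the signal to look for: either the endpoint's private DNS is not in effect for that hostname (check private_dns_enabled and that the instance uses the VPC resolver), or the STS client is still using the global endpoint despite the regional setting.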
If your SDK does not support the sts_regional_endpoints parameter, you may have to set the region and endpoint parameter in your code explicitly. Here's an example with the AWS Java SDK:
// AWS SDK for Java v1: point the STS client at the regional endpoint explicitly
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

EndpointConfiguration regionEndpointConfig = new EndpointConfiguration("https://sts.eu-west-1.amazonaws.com", "eu-west-1");
AWSSecurityTokenService stsRegionalClient = AWSSecurityTokenServiceClientBuilder.standard()
    .withCredentials(credentials) // any AWSCredentialsProvider your app already uses
    .withEndpointConfiguration(regionEndpointConfig)
    .build();
What's the difference between a Gateway VPC Endpoint and an Interface Endpoint?
The vpc-app module automatically creates VPC Endpoints for S3 and DynamoDB, as these use the older Gateway Endpoints service, which is free. Under the hood, Gateway Endpoints work by adding route table entries to your VPC.
For all other AWS APIs and services, you must use Interface Endpoints, which are powered by the newer AWS PrivateLink. Under the hood, these create an Elastic Network Interface (ENI) with a private IP address from one of your subnets. Please note that Interface Endpoints and AWS PrivateLink are NOT free: the pricing for AWS PrivateLink is $0.01 per AZ per hour and $0.01 per GB data processed.
Security Groups for VPC Endpoints
You need to specify a Security Group to control the traffic through the endpoint. AWS uses port 443 by default for its requests; if 443 is not allowed, the requests will time out and fail.
Not specifying a rule allows all traffic.
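A small audit of an endpoint security group's ingress rules, covering the two things this section cares about: that TCP 443 is reachable at all, and how wide the source is. The examples above allow 443 from 0.0.0.0/0; because the endpoint ENI has a private address inside the VPC, the VPC CIDR or the callers' own security group is the least-privilege source. This is an added example, not code from the module or its docs; the rule sets are constructed, the function names are my own, and the live-data command in the comment assumes jq is installed.

```shell
#!/bin/sh
# Added example, not from the module docs: audit the ingress rules of the
# security group attached to an interface endpoint. The endpoint ENI serves
# AWS APIs on TCP 443 only, so 443 must be allowed (otherwise every call times
# out), and 0.0.0.0/0 is wider than the ENI's private address needs.
#
# audit_sg_rules VPC_CIDR  <  lines of "protocol from_port to_port source"
#   prints one finding per rule; returns 0 only when 443 is reachable and no
#   rule is open to the world
audit_sg_rules() {
  vpc_cidr=$1
  has_443=0
  wide_open=0
  while read -r proto from to src; do
    [ -n "$proto" ] || continue
    # a rule reaches 443 if it is "all protocols" (-1) or tcp spanning that port
    if [ "$proto" = "-1" ] || { [ "$proto" = "tcp" ] && [ "$from" -le 443 ] && [ "$to" -ge 443 ]; }; then
      has_443=1
      case $src in
        0.0.0.0/0|::/0)
          wide_open=1
          echo "WARN 443 open to $src; limit it to $vpc_cidr or the callers' security group" ;;
        "$vpc_cidr")
          echo "OK   443 from the VPC CIDR $src" ;;
        sg-*)
          echo "OK   443 from security group $src" ;;
        *)
          echo "INFO 443 from $src; confirm this range only covers intended callers" ;;
      esac
    else
      echo "INFO $proto $from-$to from $src does not serve the endpoint (only 443 is needed)"
    fi
  done
  if [ "$has_443" -eq 0 ]; then
    echo "FAIL no rule allows TCP 443; API calls through this endpoint will time out"
    return 1
  fi
  [ "$wide_open" -eq 0 ]
}

# Constructed rule sets (not real groups). For a live group, with jq installed:
#   aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0 \
#     | jq -r '.SecurityGroups[0].IpPermissions[]
#              | "\(.IpProtocol) \(.FromPort // -1) \(.ToPort // -1) \(.IpRanges[].CidrIp)"' \
#     | audit_sg_rules 10.0.0.0/16
docs_rules()   { printf '%s\n' 'tcp 443 443 0.0.0.0/0'; }                       # the group shown in the docs
tight_rules()  { printf '%s\n' 'tcp 443 443 10.0.0.0/16' 'tcp 22 22 10.0.1.0/24'; } # VPC-only 443, plus an unrelated rule
broken_rules() { printf '%s\n' 'tcp 22 22 10.0.0.0/16'; }                        # 443 forgotten: calls will hang

# usage: sh audit_sg.sh demo   (runs the audit over the three constructed groups)
if [ "$1" = "demo" ]; then
  for g in docs_rules tight_rules broken_rules; do
    echo "== $g"
    $g | audit_sg_rules 10.0.0.0/16 || echo "   -> needs attention"
  done
fi
```

The audit only looks at sources expressed as CIDRs or security group IDs; prefix lists are not handled, which is a deliberate simplification for this page.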
Other VPC Core Concepts
Learn about Other VPC Core Concepts like subnets and NAT Gateways.
Sample Usage
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-INTERFACE-ENDPOINT MODULE
# ------------------------------------------------------------------------------------------------------
module "vpc_interface_endpoint" {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v0.28.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# A list of IDs of the subnets for all endpoints. Each endpoint will create
# one ENI (Elastic Network Interface) per subnet.
subnet_ids = <list(string)>
# The ID of the VPC for all modules
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
access_analyzer_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Access Analyzer endpoint
access_analyzer_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Access Analyzer endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
access_analyzer_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Access
# Analyzer endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Access Analyzer
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
access_analyzer_endpoint_subnet_ids = []
# Tags for the Access Analyzer endpoint
access_analyzer_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
acm_pca_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ACM PCA endpoint
acm_pca_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ACM PCA endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
acm_pca_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ACM PCA
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, ACM PCA endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
acm_pca_endpoint_subnet_ids = []
# Tags for the ACM PCA endpoint
acm_pca_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
api_gateway_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the API Gateway endpoint
api_gateway_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the API Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
api_gateway_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the API
# Gateway endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
api_gateway_endpoint_subnet_ids = []
# Tags for the API Gateway endpoint
api_gateway_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appmesh_envoy_management_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppMesh endpoint
appmesh_envoy_management_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppMesh endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
appmesh_envoy_management_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppMesh
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, AppMesh endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appmesh_envoy_management_endpoint_subnet_ids = []
# Tags for the AppMesh endpoint
appmesh_envoy_management_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream API endpoint
appstream_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppStream API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
appstream_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppStream
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, AppStream API endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appstream_api_endpoint_subnet_ids = []
# Tags for the AppStream API endpoint
appstream_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_streaming_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream STREAMING endpoint
appstream_streaming_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppStream STREAMING endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
appstream_streaming_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppStream
# STREAMING endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, AppStream STREAMING
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
appstream_streaming_endpoint_subnet_ids = []
# Tags for the AppStream STREAMING endpoint
appstream_streaming_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
athena_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Athena endpoint
athena_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Athena endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
athena_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Athena
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Athena endpoint is not supported
# in all the AZs, so this variable helps to overcome this issue.
athena_endpoint_subnet_ids = []
# Tags for the Athena endpoint
athena_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
auto_scaling_plans_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Auto Scaling Plans endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
auto_scaling_plans_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Auto
# Scaling Plans endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Auto Scaling Plans
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
auto_scaling_plans_endpoint_subnet_ids = []
# Tags for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloud_directory_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Cloud Directory endpoint
cloud_directory_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Cloud Directory endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloud_directory_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Cloud
# Directory endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Cloud Directory
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
cloud_directory_endpoint_subnet_ids = []
# Tags for the Cloud Directory endpoint
cloud_directory_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudformation_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Cloudformation endpoint
cloudformation_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Cloudformation endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudformation_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# CloudFormation endpoint. Only a single subnet within an AZ is supported.
# If omitted, only subnet_ids will be used.
cloudformation_endpoint_subnet_ids = []
# Tags for the CloudFormation endpoint
cloudformation_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudtrail_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudTrail endpoint
cloudtrail_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudTrail endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudtrail_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudTrail
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
cloudtrail_endpoint_subnet_ids = []
# Tags for the CloudTrail endpoint
cloudtrail_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_events_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Events endpoint
cloudwatch_events_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Events endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_events_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Events endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_events_endpoint_subnet_ids = []
# Tags for the CloudWatch Events endpoint
cloudwatch_events_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_logs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Logs endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_logs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Logs endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_logs_endpoint_subnet_ids = []
# Tags for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_monitoring_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Monitoring endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
cloudwatch_monitoring_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Monitoring endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
cloudwatch_monitoring_endpoint_subnet_ids = []
# Tags for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeArtifact API endpoint
codeartifact_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Codeartifact API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codeartifact_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Codeartifact API endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Codeartifact
# API endpoint is not supported in all the AZs, so this variable helps to
# overcome this issue.
codeartifact_api_endpoint_subnet_ids = []
# Tags for the CodeArtifact API endpoint
codeartifact_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_repositories_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Codeartifact repositories endpoint
codeartifact_repositories_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Codeartifact repositories endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codeartifact_repositories_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Codeartifact repositories endpoint. Only a single subnet within an AZ is
# supported. When defined, it overrides var.subnet_ids. For some regions,
# Codeartifact repositories endpoint is not supported in all the AZs, so this
# variable helps to overcome this issue.
codeartifact_repositories_endpoint_subnet_ids = []
# Tags for the CodeArtifact repositories endpoint
codeartifact_repositories_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codebuild_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeBuild endpoint
codebuild_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeBuild endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codebuild_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeBuild
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeBuild endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codebuild_endpoint_subnet_ids = []
# Tags for the CodeBuild endpoint
codebuild_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codecommit_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeCommit endpoint
codecommit_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codecommit_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeCommit
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, CodeCommit endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codecommit_endpoint_subnet_ids = []
# Tags for the CodeCommit endpoint
codecommit_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_commands_secure_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy Commands Secure endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codedeploy_commands_secure_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeDeploy
# Commands Secure endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, CodeDeploy
# Commands Secure endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
codedeploy_commands_secure_endpoint_subnet_ids = []
# Tags for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy endpoint
codedeploy_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codedeploy_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeDeploy
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeDeploy endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codedeploy_endpoint_subnet_ids = []
# Tags for the CodeDeploy endpoint
codedeploy_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codepipeline_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodePipeline endpoint
codepipeline_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodePipeline endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codepipeline_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# CodePipeline endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, CodePipeline
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
codepipeline_endpoint_subnet_ids = []
# Tags for the CodePipeline endpoint
codepipeline_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
config_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the config endpoint
config_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the config endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
config_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the config
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
config_endpoint_subnet_ids = []
# Tags for the Config endpoint
config_endpoint_tags = {}
# If true, creates a security group that allows ingress on port 443 and
# applies it to all endpoints. Must set this to true or supply
# security_group_ids.
create_https_security_group = false
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
datasync_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Data Sync endpoint
datasync_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Data Sync endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
datasync_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Data Sync
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Data Sync endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
datasync_endpoint_subnet_ids = []
# Tags for the Data Sync endpoint
datasync_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ebs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EBS endpoint.
ebs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EBS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ebs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EBS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ebs_endpoint_subnet_ids = []
# Tags for the EBS endpoint
ebs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_autoscaling_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2-Autoscaling endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2_autoscaling_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# EC2-Autoscaling endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, EC2-Autoscaling
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
ec2_autoscaling_endpoint_subnet_ids = []
# Tags for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 endpoint
ec2_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2 endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ec2_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EC2
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ec2_endpoint_subnet_ids = []
# Tags for the EC2 endpoint
ec2_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2messages_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 Messages endpoint
ec2messages_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2 Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2messages_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EC2
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ec2messages_endpoint_subnet_ids = []
# Tags for the EC2 Messages endpoint
ec2messages_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECR API endpoint
ecr_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECR API endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECR API
# endpoint. If omitted, only subnet_ids will be used.
ecr_api_endpoint_subnet_ids = []
# Tags for the ECR API endpoint
ecr_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_dkr_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for ECR DKR endpoint
ecr_dkr_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECR DKR endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_dkr_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECR DKR
# endpoint. If omitted, only subnet_ids will be used.
ecr_dkr_endpoint_subnet_ids = []
# Tags for the ECR DKR endpoint
ecr_dkr_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_agent_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Agent endpoint
ecs_agent_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS Agent endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_agent_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS Agent
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_agent_endpoint_subnet_ids = []
# Tags for the ECS Agent endpoint
ecs_agent_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS endpoint
ecs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ecs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_endpoint_subnet_ids = []
# Tags for the ECS endpoint
ecs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_telemetry_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Telemetry endpoint
ecs_telemetry_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS Telemetry endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_telemetry_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS
# Telemetry endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ecs_telemetry_endpoint_subnet_ids = []
# Tags for the ECS Telemetry endpoint
ecs_telemetry_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
efs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EFS endpoint.
efs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EFS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
efs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EFS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
efs_endpoint_subnet_ids = []
# Tags for the EFS endpoint
efs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elastic_inference_runtime_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Inference Runtime endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elastic_inference_runtime_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Inference Runtime endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Inference Runtime endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elastic_inference_runtime_endpoint_subnet_ids = []
# Tags for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
elasticbeanstalk_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Elastic Beanstalk
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
elasticbeanstalk_endpoint_subnet_ids = []
# Tags for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_health_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk Health endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elasticbeanstalk_health_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk Health endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Beanstalk Health endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elasticbeanstalk_health_endpoint_subnet_ids = []
# Tags for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elb_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Load Balancing endpoint
elb_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Load Balancing endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
elb_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Load Balancing endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
elb_endpoint_subnet_ids = []
# Tags for the Elastic Load Balancing endpoint
elb_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
emr_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EMR endpoint
emr_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EMR endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
emr_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EMR
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, EMR endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
emr_endpoint_subnet_ids = []
# Tags for the EMR endpoint
emr_endpoint_tags = {}
# Set to true if you want to provision an Access Analyzer Endpoint within the
# VPC
enable_access_analyzer_endpoint = false
# Set to true if you want to provision an ACM PCA Endpoint within the VPC
enable_acm_pca_endpoint = false
# Set to true if you want to provision an API Gateway Endpoint within the VPC
enable_api_gateway_endpoint = false
# Set to true if you want to provision an AppMesh Envoy Management Endpoint
# within the VPC
enable_appmesh_envoy_management_endpoint = false
# Set to true if you want to provision an AppStream API Endpoint within the VPC
enable_appstream_api_endpoint = false
# Set to true if you want to provision an AppStream Streaming Endpoint within
# the VPC
enable_appstream_streaming_endpoint = false
# Set to true if you want to provision an Athena Endpoint within the VPC
enable_athena_endpoint = false
# Set to true if you want to provision an Auto Scaling Plans Endpoint within
# the VPC
enable_auto_scaling_plans_endpoint = false
# Set to true if you want to provision a Cloud Directory Endpoint within the
# VPC
enable_cloud_directory_endpoint = false
# Set to true if you want to provision a CloudFormation Endpoint within the VPC
enable_cloudformation_endpoint = false
# Set to true if you want to provision a CloudTrail Endpoint within the VPC
enable_cloudtrail_endpoint = false
# Set to true if you want to provision a CloudWatch Events Endpoint within the
# VPC
enable_cloudwatch_events_endpoint = false
# Set to true if you want to provision a CloudWatch Logs Endpoint within the
# VPC
enable_cloudwatch_logs_endpoint = false
# Set to true if you want to provision a CodeArtifact API Endpoint within the
# VPC
enable_codeartifact_api_endpoint = false
# Set to true if you want to provision a CodeArtifact Repositories Endpoint
# within the VPC
enable_codeartifact_repositories_endpoint = false
# Set to true if you want to provision a CodeBuild Endpoint within the VPC
enable_codebuild_endpoint = false
# Set to true if you want to provision a CodeCommit Endpoint within the VPC
enable_codecommit_endpoint = false
# Set to true if you want to provision a CodeDeploy Commands Secure Endpoint
# within the VPC
enable_codedeploy_commands_secure_endpoint = false
# Set to true if you want to provision a CodeDeploy Endpoint within the VPC
enable_codedeploy_endpoint = false
# Set to true if you want to provision a CodePipeline Endpoint within the VPC
enable_codepipeline_endpoint = false
# Set to true if you want to provision a Config Endpoint within the VPC
enable_config_endpoint = false
# Set to true if you want to provision a Data Sync Endpoint within the VPC
enable_datasync_endpoint = false
# Set to true if you want to provision an EBS Endpoint within the VPC.
enable_ebs_endpoint = false
# Set to true if you want to provision an EC2-Autoscaling Endpoint within the
# VPC
enable_ec2_autoscaling_endpoint = false
# Set to true if you want to provision an EC2 Endpoint within the VPC
enable_ec2_endpoint = false
# Set to true if you want to provision an EC2 Messages endpoint within the VPC
enable_ec2messages_endpoint = false
# Set to true if you want to provision an ECR API Endpoint within the VPC
enable_ecr_api_endpoint = false
# Set to true if you want to provision an ECR DKR Endpoint within the VPC
enable_ecr_dkr_endpoint = false
# Set to true if you want to provision an ECS Agent Endpoint within the VPC
enable_ecs_agent_endpoint = false
# Set to true if you want to provision an ECS Endpoint within the VPC
enable_ecs_endpoint = false
# Set to true if you want to provision an ECS Telemetry Endpoint within the VPC
enable_ecs_telemetry_endpoint = false
# Set to true if you want to provision an EFS Endpoint within the VPC.
enable_efs_endpoint = false
# Set to true if you want to provision an Elastic Inference Runtime Endpoint
# within the VPC
enable_elastic_inference_runtime_endpoint = false
# Set to true if you want to provision an Elastic Beanstalk Endpoint within the
# VPC
enable_elasticbeanstalk_endpoint = false
# Set to true if you want to provision an Elastic Beanstalk Health Endpoint
# within the VPC
enable_elasticbeanstalk_health_endpoint = false
# Set to true if you want to provision an Elastic Load Balancing Endpoint
# within the VPC
enable_elb_endpoint = false
# Set to true if you want to provision an EMR Endpoint within the VPC
enable_emr_endpoint = false
# Set to true if you want to provision a Git CodeCommit Endpoint within the
# VPC
enable_git_codecommit_endpoint = false
# Set to true if you want to provision a Glue endpoint within the VPC.
enable_glue_endpoint = false
# Set to true if you want to provision a Kinesis Firehose Endpoint within the
# VPC
enable_kinesis_firehose_endpoint = false
# Set to true if you want to provision a Kinesis Streams Endpoint within the
# VPC
enable_kinesis_streams_endpoint = false
# Set to true if you want to provision a KMS Endpoint within the VPC
enable_kms_endpoint = false
# Set to true if you want to provision a Lambda endpoint within the VPC.
enable_lambda_endpoint = false
# Set to true if you want to provision a QLDB Session Endpoint within the VPC
enable_qldb_session_endpoint = false
# Set to true if you want to provision an RDS Endpoint within the VPC
enable_rds_endpoint = false
# Set to true if you want to provision a Redshift Data Endpoint within the VPC
enable_redshift_data_endpoint = false
# Set to true if you want to provision a Rekognition Endpoint within the VPC
enable_rekognition_endpoint = false
# Set to true if you want to provision a SageMaker API Endpoint within the VPC
enable_sagemaker_api_endpoint = false
# Set to true if you want to provision a SageMaker Runtime Endpoint within the
# VPC
enable_sagemaker_runtime_endpoint = false
# Set to true if you want to provision a Secrets Manager Endpoint within the
# VPC
enable_secretsmanager_endpoint = false
# Set to true if you want to provision a Service Catalog Endpoint within the
# VPC
enable_servicecatalog_endpoint = false
# Set to true if you want to provision a Simple Email Service Endpoint within
# the VPC
enable_ses_endpoint = false
# Set to true if you want to provision an SMS Endpoint within the VPC
enable_sms_endpoint = false
# Set to true if you want to provision an SNS Endpoint within the VPC
enable_sns_endpoint = false
# Set to true if you want to provision an SQS Endpoint within the VPC
enable_sqs_endpoint = false
# Set to true if you want to provision an SSM endpoint within the VPC
enable_ssm_endpoint = false
# Set to true if you want to provision an SSM Messages endpoint within the VPC
enable_ssmmessages_endpoint = false
# Set to true if you want to provision a Step Function Endpoint within the VPC
enable_states_endpoint = false
# Set to true if you want to provision a Storage Gateway Endpoint within the
# VPC
enable_storagegateway_endpoint = false
# Set to true if you want to provision an STS Endpoint within the VPC
enable_sts_endpoint = false
# Set to true if you want to provision a Textract Endpoint within the VPC
enable_textract_endpoint = false
# Set to true if you want to provision a Transfer Endpoint within the VPC
enable_transfer_endpoint = false
# Set to true if you want to provision a Transfer Server Endpoint within the
# VPC
enable_transferserver_endpoint = false
# Set to true if you want to provision a CloudWatch Monitoring Endpoint within
# the VPC
enable_vpc_cloudwatch_monitoring_endpoint = false
# Set to true if you want to provision a VPC Lattice Endpoint within the VPC.
enable_vpc_lattice_endpoint = false
# Set to true if you want to provision a Workspaces Endpoint within the VPC
enable_workspaces_endpoint = false
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
git_codecommit_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Git CodeCommit API endpoint
git_codecommit_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Git CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
git_codecommit_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Git
# CodeCommit API endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Git CodeCommit
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
git_codecommit_endpoint_subnet_ids = []
# Tags for the Git CodeCommit endpoint
git_codecommit_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
glue_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Glue endpoint.
glue_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the glue endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
glue_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the glue
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
glue_endpoint_subnet_ids = []
# Tags for the Glue endpoint
glue_endpoint_tags = {}
# List of CIDR blocks where HTTPS ingress should be allowed from. Defaults to
# the VPC's CIDR if left empty. Only used if create_https_security_group is
# true.
https_security_group_cidr_blocks = []
# Name prefix to use on the created SG. A random string will be appended.
https_security_group_name_prefix = "allow-https-"
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_firehose_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the KINESIS Firehose endpoint
kinesis_firehose_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the KINESIS Firehose endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_firehose_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the KINESIS
# Firehose endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, KINESIS Firehose
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
kinesis_firehose_endpoint_subnet_ids = []
# Tags for the KINESIS Firehose endpoint
kinesis_firehose_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_streams_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Kinesis Streams endpoint
kinesis_streams_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Kinesis Streams endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_streams_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Kinesis
# Streams endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
kinesis_streams_endpoint_subnet_ids = []
# Tags for the Kinesis Streams endpoint
kinesis_streams_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kms_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the KMS endpoint
kms_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the KMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
kms_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the KMS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
kms_endpoint_subnet_ids = []
# Tags for the KMS endpoint
kms_endpoint_tags = {}
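# ---------------------------------------------------------------------------
# Added example (not part of the module's own reference listing above): how the
# `*_endpoint_policy`, `create_https_security_group` and
# `https_security_group_cidr_blocks` inputs fit together for one endpoint. It
# attaches an endpoint policy to the KMS endpoint that only admits callers whose
# account belongs to a given AWS Organization (so a credential stolen from this
# VPC cannot be used to reach some other account's KMS keys through the
# endpoint), and lets the module create the port-443 security group, limited to
# the VPC CIDR instead of the default security group. The org id, VPC id, subnet
# ids and CIDR are placeholders; the `aws_iam_policy_document` data source is the
# standard AWS provider one, not something this module provides.
# ---------------------------------------------------------------------------
data "aws_iam_policy_document" "kms_endpoint_example" {
  statement {
    sid    = "AllowOnlyPrincipalsInThisOrg"
    effect = "Allow"

    # Interface endpoint policies use a wildcard principal and narrow it with
    # conditions; a specific IAM principal could be listed instead.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Only the KMS operations workloads in this VPC actually need.
    actions   = ["kms:Decrypt", "kms:Encrypt", "kms:GenerateDataKey*"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = ["o-PLACEHOLDER_ORG_ID"] # placeholder, replace with your org id
    }
  }
}

module "vpc_endpoint_kms_example" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id     = "<YOUR_VPC_ID>"
  subnet_ids = ["<YOUR_SUBNET_IDS>"]

  enable_kms_endpoint = true
  kms_endpoint_policy = data.aws_iam_policy_document.kms_endpoint_example.json

  # Instead of passing security_group_ids, let the module create the ingress-443
  # security group and restrict its source to this VPC's CIDR (placeholder).
  create_https_security_group      = true
  https_security_group_cidr_blocks = ["10.0.0.0/16"]
}
# Leaving kms_endpoint_policy at null keeps the endpoint open to any principal
# that can route to it, so the endpoint policy is the control that decides who
# can use the private path, while the security group only decides which
# addresses can reach it.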
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
lambda_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Lambda endpoint.
lambda_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Lambda endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
lambda_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Lambda
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
lambda_endpoint_subnet_ids = []
# Tags for the Lambda endpoint
lambda_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
qldb_session_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the QLDB Session endpoint
qldb_session_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the QLDB Session endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
qldb_session_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the QLDB
# Session endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, QLDB Session
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
qldb_session_endpoint_subnet_ids = []
# Tags for the QLDB Session endpoint
qldb_session_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rds_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the RDS endpoint
rds_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the RDS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
rds_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the RDS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, RDS endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
rds_endpoint_subnet_ids = []
# Tags for the RDS endpoint
rds_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
redshift_data_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Redshift endpoint
redshift_data_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Redshift endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
redshift_data_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Redshift
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
redshift_data_endpoint_subnet_ids = []
# Tags for the Redshift endpoint
redshift_data_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rekognition_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Rekognition endpoint
rekognition_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Rekognition endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
rekognition_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Rekognition endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Rekognition endpoint
# is not supported in all the AZs, so this variable helps to overcome this
# issue.
rekognition_endpoint_subnet_ids = []
# Tags for the Rekognition endpoint
rekognition_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker API endpoint
sagemaker_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SageMaker API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SageMaker
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, SageMaker API endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
sagemaker_api_endpoint_subnet_ids = []
# Tags for the SageMaker API endpoint
sagemaker_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_runtime_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SageMaker Runtime endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_runtime_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SageMaker
# Runtime endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, SageMaker Runtime
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
sagemaker_runtime_endpoint_subnet_ids = []
# Tags for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
secretsmanager_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Secrets Manager endpoint
secretsmanager_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Secrets Manager endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
secretsmanager_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Secrets
# Manager endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
secretsmanager_endpoint_subnet_ids = []
# Tags for the Secrets Manager endpoint
secretsmanager_endpoint_tags = {}
# A list of IDs of the security groups which will apply for all endpoints.
# Must supply this or create_https_security_group = true.
security_group_ids = []
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
servicecatalog_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Service Catalog endpoint
servicecatalog_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Service Catalog endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
servicecatalog_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Service
# Catalog endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Service Catalog
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
servicecatalog_endpoint_subnet_ids = []
# Tags for the Service Catalog endpoint
servicecatalog_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ses_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Simple Email Service endpoint
ses_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Simple Email Service endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
ses_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Simple
# Email Service endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, SES is not supported
# in all the AZs, so this variable helps to overcome this issue.
ses_endpoint_subnet_ids = []
# Tags for the Simple Email Service endpoint
ses_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sms_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SMS endpoint
sms_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sms_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SMS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, SMS endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
sms_endpoint_subnet_ids = []
# Tags for the SMS endpoint
sms_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sns_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SNS endpoint
sns_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SNS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sns_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SNS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sns_endpoint_subnet_ids = []
# Tags for the SNS endpoint
sns_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sqs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SQS endpoint
sqs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SQS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sqs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SQS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sqs_endpoint_subnet_ids = []
# Tags for the SQS endpoint
sqs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssm_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM endpoint
ssm_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SSM endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ssm_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SSM
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ssm_endpoint_subnet_ids = []
# Tags for the SSM endpoint
ssm_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssmmessages_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM Messages endpoint
ssmmessages_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SSM Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ssmmessages_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SSM
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ssmmessages_endpoint_subnet_ids = []
# Tags for the SSM Messages endpoint
ssmmessages_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
states_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Step Functions endpoint
states_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Step Functions endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
states_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Step
# Functions endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, the Step Functions
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
states_endpoint_subnet_ids = []
# Tags for the Step Functions endpoint
states_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
storagegateway_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Storage Gateway endpoint
storagegateway_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Storage Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
storagegateway_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Storage
# Gateway endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Storage Gateway
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
storagegateway_endpoint_subnet_ids = []
# Tags for the Storage Gateway endpoint
storagegateway_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sts_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the STS endpoint
sts_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the STS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sts_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the STS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sts_endpoint_subnet_ids = []
# Tags for the STS endpoint
sts_endpoint_tags = {}
# A map of tags to apply to all endpoints.
tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
textract_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Textract endpoint
textract_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Textract endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
textract_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Textract
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Textract endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
textract_endpoint_subnet_ids = []
# Tags for the Textract endpoint
textract_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transfer_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer endpoint
transfer_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Transfer endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
transfer_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Transfer
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Transfer endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
transfer_endpoint_subnet_ids = []
# Tags for the Transfer endpoint
transfer_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transferserver_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer Server endpoint
transferserver_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Transfer Server endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
transferserver_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Transfer
# Server endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Transfer Server
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
transferserver_endpoint_subnet_ids = []
# Tags for the Transfer Server endpoint
transferserver_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
vpc_lattice_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the VPC Lattice endpoint.
vpc_lattice_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the VPC Lattice endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
vpc_lattice_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the VPC
# Lattice endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
vpc_lattice_endpoint_subnet_ids = []
# Tags for the VPC Lattice endpoint
vpc_lattice_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
workspaces_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Workspaces endpoint
workspaces_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Workspaces endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
workspaces_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Workspaces
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Workspaces endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
workspaces_endpoint_subnet_ids = []
# Tags for the Workspaces endpoint
workspaces_endpoint_tags = {}
}
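Two of the optional inputs documented above deserve a worked example: the per-endpoint `*_endpoint_policy` (which restricts who may call the service through the private path, since the security group only decides which network interfaces can reach the endpoint, not whose credentials are presented) and the per-endpoint `*_endpoint_subnet_ids` override (needed where a service's interface endpoint is not offered in every AZ of the region). The following is an added example, not the module's own documentation or code. It assumes `var.vpc_id` and `var.app_subnet_ids` are declared elsewhere, that a security group `aws_security_group.vpc_endpoint` admitting inbound TCP 443 from the VPC exists, and that the module exposes an `enable_secretsmanager_endpoint` toggle following its `enable_<service>_endpoint` naming; the `ref` is the version used on this page.

```hcl
# Added example (not part of the module's docs). Assumed to exist elsewhere:
#   var.vpc_id, var.app_subnet_ids, aws_security_group.vpc_endpoint

# Ask AWS which AZs in this region actually offer the Secrets Manager
# interface endpoint; this is the reason the per-endpoint *_subnet_ids
# inputs exist.
data "aws_vpc_endpoint_service" "secretsmanager" {
  service = "secretsmanager"
}

data "aws_subnet" "app" {
  for_each = toset(var.app_subnet_ids)
  id       = each.value
}

data "aws_caller_identity" "current" {}

locals {
  # Keep exactly one subnet per supported AZ: the endpoint accepts a single
  # subnet per AZ and rejects subnets in AZs where the service is absent.
  secretsmanager_subnet_ids = [
    for az, ids in {
      for s in data.aws_subnet.app :
      s.availability_zone => s.id...
      if contains(data.aws_vpc_endpoint_service.secretsmanager.availability_zones, s.availability_zone)
    } : ids[0]
  ]
}

# Endpoint policy: only principals from this account may use the private
# path, and only for the read operations the workloads need. Without a policy
# the endpoint accepts calls made with credentials from any AWS account.
data "aws_iam_policy_document" "secretsmanager_endpoint" {
  statement {
    sid    = "OwnAccountReadOnly"
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
    ]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v0.28.1"

  vpc_id             = var.vpc_id
  subnet_ids         = var.app_subnet_ids
  security_group_ids = [aws_security_group.vpc_endpoint.id]

  # Assumed toggle name, following the module's enable_<service>_endpoint pattern.
  enable_secretsmanager_endpoint              = true
  secretsmanager_endpoint_private_dns_enabled = true
  secretsmanager_endpoint_subnet_ids          = local.secretsmanager_subnet_ids
  secretsmanager_endpoint_policy              = data.aws_iam_policy_document.secretsmanager_endpoint.json

  secretsmanager_endpoint_tags = {
    Purpose = "private-secrets-access"
  }
}
```

The policy is evaluated in addition to the caller's IAM permissions, so it can only narrow access, never widen it; that makes it a cheap place to pin the private path to your own account (or, with `aws:PrincipalOrgID`, to your organisation) without touching per-role policies. The subnet filter is what the "not supported in all the AZs" comments above are about: if `var.app_subnet_ids` includes a subnet in an unsupported AZ, leaving the override empty makes the endpoint creation fail, whereas the filtered list lets the rest of the module's endpoints keep using the full set.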
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-INTERFACE-ENDPOINT MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v0.28.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# A list of IDs of the subnets for all endpoints. Each endpoint will create
# one ENI (Elastic Network Interface) per subnet.
subnet_ids = <list(string)>
# The ID of the VPC for all modules
vpc_id = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
access_analyzer_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Access Analyzer endpoint
access_analyzer_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Access Analyzer endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
access_analyzer_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Access
# Analyzer endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Access Analyzer
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
access_analyzer_endpoint_subnet_ids = []
# Tags for the Access Analyzer endpoint
access_analyzer_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
acm_pca_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ACM PCA endpoint
acm_pca_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ACM PCA endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
acm_pca_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ACM PCA
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, ACM PCA endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
acm_pca_endpoint_subnet_ids = []
# Tags for the ACM PCA endpoint
acm_pca_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
api_gateway_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the API Gateway endpoint
api_gateway_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the API Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
api_gateway_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the API
# Gateway endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
api_gateway_endpoint_subnet_ids = []
# Tags for the API Gateway endpoint
api_gateway_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appmesh_envoy_management_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppMesh endpoint
appmesh_envoy_management_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppMesh endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
appmesh_envoy_management_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppMesh
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, AppMesh endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appmesh_envoy_management_endpoint_subnet_ids = []
# Tags for the AppMesh endpoint
appmesh_envoy_management_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream API endpoint
appstream_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppStream API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
appstream_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppStream
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, AppStream API endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
appstream_api_endpoint_subnet_ids = []
# Tags for the AppStream API endpoint
appstream_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
appstream_streaming_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the AppStream STREAMING endpoint
appstream_streaming_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the AppStream STREAMING endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
appstream_streaming_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the AppStream
# STREAMING endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, AppStream STREAMING
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
appstream_streaming_endpoint_subnet_ids = []
# Tags for the AppStream STREAMING endpoint
appstream_streaming_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
athena_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Athena endpoint
athena_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Athena endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
athena_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Athena
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Athena endpoint is not supported
# in all the AZs, so this variable helps to overcome this issue.
athena_endpoint_subnet_ids = []
# Tags for the Athena endpoint
athena_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
auto_scaling_plans_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Auto Scaling Plans endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
auto_scaling_plans_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Auto
# Scaling Plans endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Auto Scaling Plans
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
auto_scaling_plans_endpoint_subnet_ids = []
# Tags for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloud_directory_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Cloud Directory endpoint
cloud_directory_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Cloud Directory endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloud_directory_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Cloud
# Directory endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Cloud Directory
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
cloud_directory_endpoint_subnet_ids = []
# Tags for the Cloud Directory endpoint
cloud_directory_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudformation_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudFormation endpoint
cloudformation_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudFormation endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudformation_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# CloudFormation endpoint. Only a single subnet within an AZ is supported.
# If omitted, only subnet_ids will be used.
cloudformation_endpoint_subnet_ids = []
# Tags for the CloudFormation endpoint
cloudformation_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudtrail_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudTrail endpoint
cloudtrail_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudTrail endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudtrail_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudTrail
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
cloudtrail_endpoint_subnet_ids = []
# Tags for the CloudTrail endpoint
cloudtrail_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_events_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Events endpoint
cloudwatch_events_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Events endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_events_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Events endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_events_endpoint_subnet_ids = []
# Tags for the CloudWatch Events endpoint
cloudwatch_events_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_logs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Logs endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
cloudwatch_logs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Logs endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
cloudwatch_logs_endpoint_subnet_ids = []
# Tags for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
cloudwatch_monitoring_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CloudWatch Monitoring endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
cloudwatch_monitoring_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CloudWatch
# Monitoring endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
cloudwatch_monitoring_endpoint_subnet_ids = []
# Tags for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeArtifact API endpoint
codeartifact_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Codeartifact API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codeartifact_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Codeartifact API endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Codeartifact
# API endpoint is not supported in all the AZs, so this variable helps to
# overcome this issue.
codeartifact_api_endpoint_subnet_ids = []
# Tags for the CodeArtifact API endpoint
codeartifact_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codeartifact_repositories_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Codeartifact repositories endpoint
codeartifact_repositories_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Codeartifact repositories endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codeartifact_repositories_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Codeartifact repositories endpoint. Only a single subnet within an AZ is
# supported. When defined, it overrides var.subnet_ids. For some regions,
# Codeartifact repositories endpoint is not supported in all the AZs, so this
# variable helps to overcome this issue.
codeartifact_repositories_endpoint_subnet_ids = []
# Tags for the CodeArtifact repositories endpoint
codeartifact_repositories_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codebuild_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeBuild endpoint
codebuild_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeBuild endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codebuild_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeBuild
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeBuild endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codebuild_endpoint_subnet_ids = []
# Tags for the CodeBuild endpoint
codebuild_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codecommit_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeCommit endpoint
codecommit_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codecommit_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeCommit
# endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. For some regions, CodeCommit endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codecommit_endpoint_subnet_ids = []
# Tags for the CodeCommit endpoint
codecommit_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_commands_secure_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy Commands Secure endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
codedeploy_commands_secure_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeDeploy
# Commands Secure endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, CodeDeploy
# Commands Secure endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
codedeploy_commands_secure_endpoint_subnet_ids = []
# Tags for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codedeploy_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodeDeploy endpoint
codedeploy_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodeDeploy endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codedeploy_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the CodeDeploy
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, CodeDeploy endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
codedeploy_endpoint_subnet_ids = []
# Tags for the CodeDeploy endpoint
codedeploy_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
codepipeline_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the CodePipeline endpoint
codepipeline_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the CodePipeline endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
codepipeline_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# CodePipeline endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, CodePipeline
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
codepipeline_endpoint_subnet_ids = []
# Tags for the CodePipeline endpoint
codepipeline_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
config_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the config endpoint
config_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the config endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
config_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the config
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
config_endpoint_subnet_ids = []
# Tags for the Config endpoint
config_endpoint_tags = {}
# If true, creates a security group that allows ingress on port 443 and
# applies it to all endpoints. Must set this to true or supply
# security_group_ids.
create_https_security_group = false
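An added example (not the module's own code) showing the `*_endpoint_policy` and `create_https_security_group` settings working together: a dedicated HTTPS security group in place of the VPC default, and a `cloudwatch_logs_endpoint_policy` that limits the endpoint to same-account log-writing calls. It assumes `var.vpc_id` and `var.subnet_ids` are declared in your root module and that the `*_endpoint_policy` inputs accept a JSON policy string.

```hcl
# Added example, not part of the module's documentation. Assumptions:
# var.vpc_id and var.subnet_ids exist in the root module, and
# *_endpoint_policy takes a JSON policy document as a string.

data "aws_caller_identity" "current" {}

data "aws_vpc" "selected" {
  id = var.vpc_id
}

# Only HTTPS, and only from addresses inside this VPC, may reach the
# endpoint's network interfaces. Leaving *_security_group_ids empty would
# attach the VPC default security group instead, whose rules you may not
# have reviewed.
resource "aws_security_group" "vpc_endpoint" {
  name_prefix = "vpce-https-"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
}

# Endpoint policy: the endpoint forwards only log-writing calls, and only
# when the caller's credentials belong to this account. An endpoint policy
# never grants permissions; the caller's own IAM policies still apply on top.
data "aws_iam_policy_document" "logs_endpoint" {
  statement {
    sid    = "SameAccountLogWritesOnly"
    effect = "Allow"

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogGroups",
      "logs:DescribeLogStreams",
    ]

    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  # We supply our own security group, so the module does not create one.
  create_https_security_group = false
  security_group_ids          = [aws_security_group.vpc_endpoint.id]

  enable_cloudwatch_logs_endpoint = true
  cloudwatch_logs_endpoint_policy = data.aws_iam_policy_document.logs_endpoint.json
}
```

With the policy in place, a request through the endpoint signed with credentials from another account fails at the endpoint even if that caller's IAM permissions would otherwise allow it.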
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
datasync_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Data Sync endpoint
datasync_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Data Sync endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
datasync_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Data Sync
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Data Sync endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
datasync_endpoint_subnet_ids = []
# Tags for the Data Sync endpoint
datasync_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ebs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EBS endpoint.
ebs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EBS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ebs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EBS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ebs_endpoint_subnet_ids = []
# Tags for the EBS endpoint
ebs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_autoscaling_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2-Autoscaling endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2_autoscaling_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# EC2-Autoscaling endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, EC2-Autoscaling
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
ec2_autoscaling_endpoint_subnet_ids = []
# Tags for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 endpoint
ec2_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2 endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ec2_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EC2
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ec2_endpoint_subnet_ids = []
# Tags for the EC2 endpoint
ec2_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ec2messages_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EC2 Messages endpoint
ec2messages_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EC2 Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ec2messages_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EC2
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ec2messages_endpoint_subnet_ids = []
# Tags for the EC2 Messages endpoint
ec2messages_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECR API endpoint
ecr_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECR API endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECR API
# endpoint. If omitted, only subnet_ids will be used.
ecr_api_endpoint_subnet_ids = []
# Tags for the ECR API endpoint
ecr_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecr_dkr_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for ECR DKR endpoint
ecr_dkr_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECR DKR endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
ecr_dkr_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECR DKR
# endpoint. If omitted, only subnet_ids will be used.
ecr_dkr_endpoint_subnet_ids = []
# Tags for the ECR DKR endpoint
ecr_dkr_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_agent_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Agent endpoint
ecs_agent_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS Agent endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_agent_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS Agent
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_agent_endpoint_subnet_ids = []
# Tags for the ECS Agent endpoint
ecs_agent_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS endpoint
ecs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ecs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ecs_endpoint_subnet_ids = []
# Tags for the ECS endpoint
ecs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ecs_telemetry_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the ECS Telemetry endpoint
ecs_telemetry_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the ECS Telemetry endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ecs_telemetry_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the ECS
# Telemetry endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ecs_telemetry_endpoint_subnet_ids = []
# Tags for the ECS Telemetry endpoint
ecs_telemetry_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
efs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EFS endpoint.
efs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EFS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
efs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EFS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
efs_endpoint_subnet_ids = []
# Tags for the EFS endpoint
efs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elastic_inference_runtime_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Inference Runtime endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elastic_inference_runtime_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Inference Runtime endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Inference Runtime endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elastic_inference_runtime_endpoint_subnet_ids = []
# Tags for the Elastic Inference Runtime endpoint
elastic_inference_runtime_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
elasticbeanstalk_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Elastic Beanstalk
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
elasticbeanstalk_endpoint_subnet_ids = []
# Tags for the Elastic Beanstalk endpoint
elasticbeanstalk_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elasticbeanstalk_health_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Beanstalk Health endpoint. If none is provided,
# AWS will associate the default security group for the VPC.
elasticbeanstalk_health_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Beanstalk Health endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. For some regions, Elastic
# Beanstalk Health endpoint is not supported in all the AZs, so this variable
# helps to overcome this issue.
elasticbeanstalk_health_endpoint_subnet_ids = []
# Tags for the Elastic Beanstalk Health endpoint
elasticbeanstalk_health_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
elb_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Elastic Load Balancing endpoint
elb_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Elastic Load Balancing endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
elb_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Elastic
# Load Balancing endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
elb_endpoint_subnet_ids = []
# Tags for the Elastic Load Balancing endpoint
elb_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
emr_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the EMR endpoint
emr_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the EMR endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
emr_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the EMR
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, EMR endpoint is not supported in
# all the AZs, so this variable helps to overcome this issue.
emr_endpoint_subnet_ids = []
# Tags for the EMR endpoint
emr_endpoint_tags = {}
# Set to true if you want to provision an Access Analyzer Endpoint within the
# VPC
enable_access_analyzer_endpoint = false
# Set to true if you want to provision an ACM PCA Endpoint within the VPC
enable_acm_pca_endpoint = false
# Set to true if you want to provision an API Gateway Endpoint within the VPC
enable_api_gateway_endpoint = false
# Set to true if you want to provision an AppMesh Endpoint within the VPC
enable_appmesh_envoy_management_endpoint = false
# Set to true if you want to provision an AppStream API Endpoint within the VPC
enable_appstream_api_endpoint = false
# Set to true if you want to provision an AppStream Streaming Endpoint within
# the VPC
enable_appstream_streaming_endpoint = false
# Set to true if you want to provision an Athena Endpoint within the VPC
enable_athena_endpoint = false
# Set to true if you want to provision an Auto Scaling Plans Endpoint within
# the VPC
enable_auto_scaling_plans_endpoint = false
# Set to true if you want to provision a Cloud Directory Endpoint within the
# VPC
enable_cloud_directory_endpoint = false
# Set to true if you want to provision a CloudFormation Endpoint within the VPC
enable_cloudformation_endpoint = false
# Set to true if you want to provision a CloudTrail Endpoint within the VPC
enable_cloudtrail_endpoint = false
# Set to true if you want to provision a CloudWatch Events Endpoint within the
# VPC
enable_cloudwatch_events_endpoint = false
# Set to true if you want to provision a CloudWatch Logs Endpoint within the
# VPC
enable_cloudwatch_logs_endpoint = false
# Set to true if you want to provision a Codeartifact API Endpoint within the
# VPC
enable_codeartifact_api_endpoint = false
# Set to true if you want to provision a Codeartifact repositories Endpoint
# within the VPC
enable_codeartifact_repositories_endpoint = false
# Set to true if you want to provision a CodeBuild Endpoint within the VPC
enable_codebuild_endpoint = false
# Set to true if you want to provision a CodeCommit Endpoint within the VPC
enable_codecommit_endpoint = false
# Set to true if you want to provision a CodeDeploy Commands Secure Endpoint
# within the VPC
enable_codedeploy_commands_secure_endpoint = false
# Set to true if you want to provision a CodeDeploy Endpoint within the VPC
enable_codedeploy_endpoint = false
# Set to true if you want to provision a CodePipeline Endpoint within the VPC
enable_codepipeline_endpoint = false
# Set to true if you want to provision a config within the VPC
enable_config_endpoint = false
# Set to true if you want to provision a Data Sync Endpoint within the VPC
enable_datasync_endpoint = false
# Set to true if you want to provision a EBS endpoint within the VPC.
enable_ebs_endpoint = false
# Set to true if you want to provision a EC2-Autoscaling Endpoint within the
# VPC
enable_ec2_autoscaling_endpoint = false
# Set to true if you want to provision an EC2 within the VPC
enable_ec2_endpoint = false
# Set to true if you want to provision an EC2 Messages endpoint within the VPC
enable_ec2messages_endpoint = false
# Set to true if you want to provision an ECR API within the VPC
enable_ecr_api_endpoint = false
# Set to true if you want to provision an ECR DKR within the VPC
enable_ecr_dkr_endpoint = false
# Set to true if you want to provision an ECS Agent within the VPC
enable_ecs_agent_endpoint = false
# Set to true if you want to provision an ECS within the VPC
enable_ecs_endpoint = false
# Set to true if you want to provision an ECS Agent within the VPC
enable_ecs_telemetry_endpoint = false
# Set to true if you want to provision a EFS endpoint within the VPC.
enable_efs_endpoint = false
# Set to true if you want to provision a Elastic Inference Runtime Endpoint
# within the VPC
enable_elastic_inference_runtime_endpoint = false
# Set to true if you want to provision a Elastic Beanstalk Endpoint within the
# VPC
enable_elasticbeanstalk_endpoint = false
# Set to true if you want to provision a Elastic Beanstalk Health Endpoint
# within the VPC
enable_elasticbeanstalk_health_endpoint = false
# Set to true if you want to provision an Elastic Load Balancing within the
# VPC
enable_elb_endpoint = false
# Set to true if you want to provision a EMR Endpoint within the VPC
enable_emr_endpoint = false
# Set to true if you want to provision a Git CodeCommit Endpoint within the
# VPC
enable_git_codecommit_endpoint = false
# Set to true if you want to provision a Glue endpoint within the VPC.
enable_glue_endpoint = false
# Set to true if you want to provision a KINESIS Firehose Endpoint within the
# VPC
enable_kinesis_firehose_endpoint = false
# Set to true if you want to provision a Kinesis Streams within the VPC
enable_kinesis_streams_endpoint = false
# Set to true if you want to provision a KMS within the VPC
enable_kms_endpoint = false
# Set to true if you want to provision a Lambda endpoint within the VPC.
enable_lambda_endpoint = false
# Set to true if you want to provision a QLDB Session Endpoint within the VPC
enable_qldb_session_endpoint = false
# Set to true if you want to provision a RDS Endpoint within the VPC
enable_rds_endpoint = false
# Set to true if you want to provision a Redshift within the VPC
enable_redshift_data_endpoint = false
# Set to true if you want to provision a Rekognition Endpoint within the VPC
enable_rekognition_endpoint = false
# Set to true if you want to provision a SageMaker API Endpoint within the VPC
enable_sagemaker_api_endpoint = false
# Set to true if you want to provision a SageMaker Runtime Endpoint within the
# VPC
enable_sagemaker_runtime_endpoint = false
# Set to true if you want to provision a Secrets Manager within the VPC
enable_secretsmanager_endpoint = false
# Set to true if you want to provision a Service Catalog Endpoint within the
# VPC
enable_servicecatalog_endpoint = false
# Set to true if you want to provision a Simple Email Service within the VPC
enable_ses_endpoint = false
# Set to true if you want to provision a SMS Endpoint within the VPC
enable_sms_endpoint = false
# Set to true if you want to provision a SNS within the VPC
enable_sns_endpoint = false
# Set to true if you want to provision a SQS within the VPC
enable_sqs_endpoint = false
# Set to true if you want to provision an SSM endpoint within the VPC
enable_ssm_endpoint = false
# Set to true if you want to provision an SSM Messages endpoint within the VPC
enable_ssmmessages_endpoint = false
# Set to true if you want to provision a Step Function Endpoint within the VPC
enable_states_endpoint = false
# Set to true if you want to provision a Storage Gateway Endpoint within the
# VPC
enable_storagegateway_endpoint = false
# Set to true if you want to provision a STS within the VPC
enable_sts_endpoint = false
# Set to true if you want to provision a Textract Endpoint within the VPC
enable_textract_endpoint = false
# Set to true if you want to provision a Transfer Endpoint within the VPC
enable_transfer_endpoint = false
# Set to true if you want to provision a Transfer Server Endpoint within the
# VPC
enable_transferserver_endpoint = false
# Set to true if you want to provision a CloudWatch Monitoring within the VPC
enable_vpc_cloudwatch_monitoring_endpoint = false
# Set to true if you want to provision a VPC lattice endpoint within the VPC.
enable_vpc_lattice_endpoint = false
# Set to true if you want to provision a Workspaces Endpoint within the VPC
enable_workspaces_endpoint = false
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
git_codecommit_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Git CodeCommit API endpoint
git_codecommit_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Git CodeCommit endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
git_codecommit_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Git
# CodeCommit API endpoint. Only a single subnet within an AZ is supported.
# When defined, it overrides var.subnet_ids. In some regions the Git
# CodeCommit endpoint is not supported in every AZ, so use this variable to
# choose subnets in AZs where it is.
git_codecommit_endpoint_subnet_ids = []
# Tags for the Git CodeCommit endpoint
git_codecommit_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
glue_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Glue endpoint.
glue_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Glue endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
glue_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Glue
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
glue_endpoint_subnet_ids = []
# Tags for the Glue endpoint
glue_endpoint_tags = {}
# List of CIDR blocks where HTTPS ingress should be allowed from. Defaults to
# the VPC's CIDR if left empty. Only used if create_https_security_group is
# true.
https_security_group_cidr_blocks = []
# Name prefix to use on the created SG. A random string will be appended.
https_security_group_name_prefix = "allow-https-"
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_firehose_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Kinesis Firehose endpoint
kinesis_firehose_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Kinesis Firehose endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_firehose_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Kinesis
# Firehose endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the Kinesis Firehose
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
kinesis_firehose_endpoint_subnet_ids = []
# Tags for the Kinesis Firehose endpoint
kinesis_firehose_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kinesis_streams_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Kinesis Streams endpoint
kinesis_streams_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Kinesis Streams endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
kinesis_streams_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Kinesis
# Streams endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
kinesis_streams_endpoint_subnet_ids = []
# Tags for the Kinesis Streams endpoint
kinesis_streams_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
kms_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the KMS endpoint
kms_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the KMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
kms_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the KMS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
kms_endpoint_subnet_ids = []
# Tags for the KMS endpoint
kms_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
lambda_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Lambda endpoint.
lambda_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Lambda endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
lambda_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Lambda
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
lambda_endpoint_subnet_ids = []
# Tags for the Lambda endpoint
lambda_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
qldb_session_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the QLDB Session endpoint
qldb_session_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the QLDB Session endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
qldb_session_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the QLDB
# Session endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the QLDB Session
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
qldb_session_endpoint_subnet_ids = []
# Tags for the QLDB Session endpoint
qldb_session_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rds_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the RDS endpoint
rds_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the RDS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
rds_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the RDS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. In some regions the RDS endpoint is not supported
# in every AZ, so use this variable to choose subnets in AZs where it is.
rds_endpoint_subnet_ids = []
# Tags for the RDS endpoint
rds_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
redshift_data_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Redshift Data endpoint
redshift_data_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Redshift Data endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
redshift_data_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Redshift
# Data endpoint. Only a single subnet within an AZ is supported. If omitted,
# only subnet_ids will be used.
redshift_data_endpoint_subnet_ids = []
# Tags for the Redshift Data endpoint
redshift_data_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
rekognition_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Rekognition endpoint
rekognition_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Rekognition endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
rekognition_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the
# Rekognition endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the Rekognition
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
rekognition_endpoint_subnet_ids = []
# Tags for the Rekognition endpoint
rekognition_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_api_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker API endpoint
sagemaker_api_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SageMaker API endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_api_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SageMaker
# API endpoint. Only a single subnet within an AZ is supported. When defined,
# it overrides var.subnet_ids. In some regions the SageMaker API endpoint is
# not supported in every AZ, so use this variable to choose subnets in AZs
# where it is.
sagemaker_api_endpoint_subnet_ids = []
# Tags for the SageMaker API endpoint
sagemaker_api_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sagemaker_runtime_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SageMaker Runtime endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
sagemaker_runtime_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SageMaker
# Runtime endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the SageMaker Runtime
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
sagemaker_runtime_endpoint_subnet_ids = []
# Tags for the SageMaker Runtime endpoint
sagemaker_runtime_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
secretsmanager_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Secrets Manager endpoint
secretsmanager_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Secrets Manager endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
secretsmanager_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Secrets
# Manager endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
secretsmanager_endpoint_subnet_ids = []
# Tags for the Secrets Manager endpoint
secretsmanager_endpoint_tags = {}
# A list of IDs of security groups to apply to all endpoints. You must either
# supply this or set create_https_security_group = true.
security_group_ids = []
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
servicecatalog_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Service Catalog endpoint
servicecatalog_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Service Catalog endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
servicecatalog_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Service
# Catalog endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the Service Catalog
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
servicecatalog_endpoint_subnet_ids = []
# Tags for the Service Catalog endpoint
servicecatalog_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ses_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Simple Email Service endpoint
ses_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Simple Email Service endpoint. If none is provided, AWS
# will associate the default security group for the VPC.
ses_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Simple
# Email Service endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the SES endpoint is
# not supported in every AZ, so use this variable to choose subnets in AZs
# where it is.
ses_endpoint_subnet_ids = []
# Tags for the Simple Email Service endpoint
ses_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sms_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SMS endpoint
sms_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SMS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sms_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SMS
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. In some regions the SMS endpoint is not supported
# in every AZ, so use this variable to choose subnets in AZs where it is.
sms_endpoint_subnet_ids = []
# Tags for the SMS endpoint
sms_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sns_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SNS endpoint
sns_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SNS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sns_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SNS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sns_endpoint_subnet_ids = []
# Tags for the SNS endpoint
sns_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sqs_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SQS endpoint
sqs_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SQS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sqs_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SQS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sqs_endpoint_subnet_ids = []
# Tags for the SQS endpoint
sqs_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssm_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM endpoint
ssm_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SSM endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
ssm_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SSM
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
ssm_endpoint_subnet_ids = []
# Tags for the SSM endpoint
ssm_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
ssmmessages_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the SSM Messages endpoint
ssmmessages_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the SSM Messages endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
ssmmessages_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the SSM
# Messages endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
ssmmessages_endpoint_subnet_ids = []
# Tags for the SSM Messages endpoint
ssmmessages_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
states_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Step Functions endpoint
states_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Step Functions endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
states_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Step
# Functions endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the Step Functions
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
states_endpoint_subnet_ids = []
# Tags for the Step Functions endpoint
states_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
storagegateway_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Storage Gateway endpoint
storagegateway_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Storage Gateway endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
storagegateway_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Storage
# Gateway endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. In some regions the Storage Gateway
# endpoint is not supported in every AZ, so use this variable to choose
# subnets in AZs where it is.
storagegateway_endpoint_subnet_ids = []
# Tags for the Storage Gateway endpoint
storagegateway_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
sts_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the STS endpoint
sts_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the STS endpoint. If none is provided, AWS will associate the
# default security group for the VPC.
sts_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the STS
# endpoint. Only a single subnet within an AZ is supported. If omitted, only
# subnet_ids will be used.
sts_endpoint_subnet_ids = []
# Tags for the STS endpoint
sts_endpoint_tags = {}
# A map of tags to apply to all endpoints.
tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
textract_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Textract endpoint
textract_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Textract endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
textract_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Textract
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Textract endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
textract_endpoint_subnet_ids = []
# Tags for the Textract endpoint
textract_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transfer_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer endpoint
transfer_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Transfer endpoint. If none is provided, AWS will associate
# the default security group for the VPC.
transfer_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Transfer
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Transfer endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
transfer_endpoint_subnet_ids = []
# Tags for the Transfer endpoint
transfer_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
transferserver_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Transfer Server endpoint
transferserver_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Transfer Server endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
transferserver_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Transfer
# Server endpoint. Only a single subnet within an AZ is supported. When
# defined, it overrides var.subnet_ids. For some regions, Transfer Server
# endpoint is not supported in all the AZs, so this variable helps to overcome
# this issue.
transferserver_endpoint_subnet_ids = []
# Tags for the Transfer Server endpoint
transferserver_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
vpc_lattice_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the VPC lattice endpoint.
vpc_lattice_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the VPC lattice endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
vpc_lattice_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the VPC
# lattice endpoint. Only a single subnet within an AZ is supported. If
# omitted, only subnet_ids will be used.
vpc_lattice_endpoint_subnet_ids = []
# Tags for the VPC lattice endpoint
vpc_lattice_endpoint_tags = {}
# IAM policy to restrict what resources can call this endpoint. For example,
# you can add an IAM policy that allows EC2 instances to talk to this endpoint
# but no other types of resources. If not specified, all resources will be
# allowed to call this endpoint.
workspaces_endpoint_policy = null
# Set to false if you don't want to associate a private hosted zone with the
# specified VPC for the Workspaces endpoint
workspaces_endpoint_private_dns_enabled = true
# The ID of one or more security groups to associate with the network
# interface for the Workspaces endpoint. If none is provided, AWS will
# associate the default security group for the VPC.
workspaces_endpoint_security_group_ids = []
# The IDs of subnets in which to create a network interface for the Workspaces
# endpoint. Only a single subnet within an AZ is supported. When defined, it
# overrides var.subnet_ids. For some regions, Workspaces endpoint is not
# supported in all the AZs, so this variable helps to overcome this issue.
workspaces_endpoint_subnet_ids = []
# Tags for the Workspaces endpoint
workspaces_endpoint_tags = {}
}
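The inputs above come in groups of five per service (policy, private DNS, security groups, subnet override, tags). As an added example that is not part of the module's own code, the following root-module configuration shows how those inputs are meant to be combined for one endpoint: a dedicated security group that only admits HTTPS from inside the VPC (instead of the VPC default group), an endpoint policy that goes beyond the page's "EC2 instances only" illustration by restricting the endpoint to principals of the calling account (so a credential from a foreign AWS account cannot use it), and a per-endpoint subnet override with one subnet per AZ. `var.vpc_id`, `var.subnet_ids` and `var.ec2_endpoint_subnets` are assumed variable names for this example; `enable_ec2_endpoint`, `ec2_endpoint_policy`, `ec2_endpoint_subnet_ids`, `ec2_endpoint_tags`, `security_group_ids` and `tags` are the module inputs documented on this page.

```hcl
# Added example (not the module's own code). Assumed inputs: an existing VPC
# (var.vpc_id), the private subnets used for all endpoints (var.subnet_ids),
# and exactly one subnet per AZ for the EC2 endpoint (var.ec2_endpoint_subnets).
variable "vpc_id" { type = string }
variable "subnet_ids" { type = list(string) }
variable "ec2_endpoint_subnets" { type = list(string) }

data "aws_caller_identity" "current" {}

data "aws_vpc" "selected" {
  id = var.vpc_id
}

# Endpoint policy: only principals belonging to this AWS account may call the
# EC2 API through this endpoint. aws:PrincipalAccount is an AWS global
# condition key; swap in aws:PrincipalOrgID to widen this to a whole organization.
data "aws_iam_policy_document" "ec2_endpoint" {
  statement {
    sid       = "AllowOwnAccountPrincipalsOnly"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["*"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

# Dedicated security group for the endpoint ENIs: HTTPS from the VPC's own
# address range only. Security groups are stateful, so no egress rule is needed
# for the responses.
resource "aws_security_group" "vpc_endpoint" {
  name        = "vpc-endpoint-example"
  description = "HTTPS to interface endpoints from inside the VPC only"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC CIDR"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.selected.cidr_block]
  }
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id             = var.vpc_id
  subnet_ids         = var.subnet_ids
  security_group_ids = [aws_security_group.vpc_endpoint.id]

  enable_ec2_endpoint = true
  ec2_endpoint_policy = data.aws_iam_policy_document.ec2_endpoint.json

  # Per-endpoint override of subnet_ids: the *_endpoint_subnet_ids inputs accept
  # only a single subnet per AZ, so pass one subnet from each AZ here.
  ec2_endpoint_subnet_ids = var.ec2_endpoint_subnets

  ec2_endpoint_tags = { Purpose = "private-ec2-api" }
  tags              = { ManagedBy = "terraform" }
}
```

If you would rather not manage the security group yourself, the module's `create_security_group = true` input creates one that allows ingress on port 443 and attaches it to every endpoint; one of the two (that flag or `security_group_ids`) must be supplied. Leaving an endpoint policy at `null` means any principal that can reach the ENI may use the endpoint, which is why the account or organization condition above is worth adding even on internal-only VPCs.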
Reference
- Inputs
- Outputs
Required
subnet_ids (list(string))
  A list of IDs of the subnets for all endpoints. Each endpoint will create one ENI (Elastic Network Interface) per subnet.
vpc_id (string)
  The ID of the VPC for all modules
Optional
access_analyzer_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
access_analyzer_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Access Analyzer endpoint
access_analyzer_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Access Analyzer endpoint. If none is provided, AWS will associate the default security group for the VPC.
access_analyzer_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Access Analyzer endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Access Analyzer endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
access_analyzer_endpoint_tags (map(string), default {})
  Tags for the Access Analyzer endpoint
acm_pca_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
acm_pca_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the ACM PCA endpoint
acm_pca_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the ACM PCA endpoint. If none is provided, AWS will associate the default security group for the VPC.
acm_pca_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the ACM PCA endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, ACM PCA endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
acm_pca_endpoint_tags (map(string), default {})
  Tags for the ACM PCA endpoint
api_gateway_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
api_gateway_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the API Gateway endpoint
api_gateway_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the API Gateway endpoint. If none is provided, AWS will associate the default security group for the VPC.
api_gateway_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the API Gateway endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
api_gateway_endpoint_tags (map(string), default {})
  Tags for the API Gateway endpoint
appmesh_envoy_management_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
appmesh_envoy_management_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppMesh endpoint
appmesh_envoy_management_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the AppMesh endpoint. If none is provided, AWS will associate the default security group for the VPC.
appmesh_envoy_management_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the AppMesh endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppMesh endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
appmesh_envoy_management_endpoint_tags (map(string), default {})
  Tags for the AppMesh endpoint
appstream_api_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
appstream_api_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppStream API endpoint
appstream_api_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the AppStream API endpoint. If none is provided, AWS will associate the default security group for the VPC.
appstream_api_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the AppStream API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppStream API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
appstream_api_endpoint_tags (map(string), default {})
  Tags for the AppStream API endpoint
appstream_streaming_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
appstream_streaming_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the AppStream STREAMING endpoint
appstream_streaming_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the AppStream STREAMING endpoint. If none is provided, AWS will associate the default security group for the VPC.
appstream_streaming_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the AppStream STREAMING endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, AppStream STREAMING endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
appstream_streaming_endpoint_tags (map(string), default {})
  Tags for the AppStream STREAMING endpoint
athena_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
athena_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Athena endpoint
athena_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Athena endpoint. If none is provided, AWS will associate the default security group for the VPC.
athena_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Athena endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Athena endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
athena_endpoint_tags (map(string), default {})
  Tags for the Athena endpoint
auto_scaling_plans_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
auto_scaling_plans_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Auto Scaling Plans endpoint
auto_scaling_plans_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Auto Scaling Plans endpoint. If none is provided, AWS will associate the default security group for the VPC.
auto_scaling_plans_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Auto Scaling Plans endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Auto Scaling Plans endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
auto_scaling_plans_endpoint_tags (map(string), default {})
  Tags for the Auto Scaling Plans endpoint
cloud_directory_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloud_directory_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Cloud Directory endpoint
cloud_directory_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Cloud Directory endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloud_directory_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Cloud Directory endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Cloud Directory endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
cloud_directory_endpoint_tags (map(string), default {})
  Tags for the Cloud Directory endpoint
cloudformation_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloudformation_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudFormation endpoint
cloudformation_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CloudFormation endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloudformation_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CloudFormation endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
cloudformation_endpoint_tags (map(string), default {})
  Tags for the CloudFormation endpoint
cloudtrail_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloudtrail_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudTrail endpoint
cloudtrail_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CloudTrail endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloudtrail_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CloudTrail endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
cloudtrail_endpoint_tags (map(string), default {})
  Tags for the CloudTrail endpoint
cloudwatch_events_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloudwatch_events_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Events endpoint
cloudwatch_events_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CloudWatch Events endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloudwatch_events_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CloudWatch Events endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
cloudwatch_events_endpoint_tags (map(string), default {})
  Tags for the CloudWatch Events endpoint
cloudwatch_logs_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloudwatch_logs_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Logs endpoint
cloudwatch_logs_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CloudWatch Logs endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloudwatch_logs_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CloudWatch Logs endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
cloudwatch_logs_endpoint_tags (map(string), default {})
  Tags for the CloudWatch Logs endpoint
cloudwatch_monitoring_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
cloudwatch_monitoring_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CloudWatch Monitoring endpoint
cloudwatch_monitoring_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CloudWatch Monitoring endpoint. If none is provided, AWS will associate the default security group for the VPC.
cloudwatch_monitoring_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CloudWatch Monitoring endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
cloudwatch_monitoring_endpoint_tags (map(string), default {})
  Tags for the CloudWatch Monitoring endpoint
codeartifact_api_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codeartifact_api_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeArtifact API endpoint
codeartifact_api_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeArtifact API endpoint. If none is provided, AWS will associate the default security group for the VPC.
codeartifact_api_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeArtifact API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeArtifact API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codeartifact_api_endpoint_tags (map(string), default {})
  Tags for the CodeArtifact API endpoint
codeartifact_repositories_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codeartifact_repositories_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeArtifact repositories endpoint
codeartifact_repositories_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeArtifact repositories endpoint. If none is provided, AWS will associate the default security group for the VPC.
codeartifact_repositories_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeArtifact repositories endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeArtifact repositories endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codeartifact_repositories_endpoint_tags (map(string), default {})
  Tags for the CodeArtifact repositories endpoint
codebuild_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codebuild_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeBuild endpoint
codebuild_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeBuild endpoint. If none is provided, AWS will associate the default security group for the VPC.
codebuild_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeBuild endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeBuild endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codebuild_endpoint_tags (map(string), default {})
  Tags for the CodeBuild endpoint
codecommit_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codecommit_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeCommit endpoint
codecommit_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeCommit endpoint. If none is provided, AWS will associate the default security group for the VPC.
codecommit_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeCommit endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeCommit endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codecommit_endpoint_tags (map(string), default {})
  Tags for the CodeCommit endpoint
codedeploy_commands_secure_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codedeploy_commands_secure_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeDeploy Commands Secure endpoint
codedeploy_commands_secure_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeDeploy Commands Secure endpoint. If none is provided, AWS will associate the default security group for the VPC.
codedeploy_commands_secure_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeDeploy Commands Secure endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeDeploy Commands Secure endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codedeploy_commands_secure_endpoint_tags (map(string), default {})
  Tags for the CodeDeploy Commands Secure endpoint
codedeploy_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codedeploy_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodeDeploy endpoint
codedeploy_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodeDeploy endpoint. If none is provided, AWS will associate the default security group for the VPC.
codedeploy_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodeDeploy endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodeDeploy endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codedeploy_endpoint_tags (map(string), default {})
  Tags for the CodeDeploy endpoint
codepipeline_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
codepipeline_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the CodePipeline endpoint
codepipeline_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the CodePipeline endpoint. If none is provided, AWS will associate the default security group for the VPC.
codepipeline_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the CodePipeline endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, CodePipeline endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
codepipeline_endpoint_tags (map(string), default {})
  Tags for the CodePipeline endpoint
config_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
config_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Config endpoint
config_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Config endpoint. If none is provided, AWS will associate the default security group for the VPC.
config_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Config endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
config_endpoint_tags (map(string), default {})
  Tags for the Config endpoint
create_security_group (bool, default false)
  If true, creates a security group that allows ingress on port 443 and applies it to all endpoints. Must set this to true or supply security_group_ids.
datasync_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
datasync_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the Data Sync endpoint
datasync_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the Data Sync endpoint. If none is provided, AWS will associate the default security group for the VPC.
datasync_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the Data Sync endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, Data Sync endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
datasync_endpoint_tags (map(string), default {})
  Tags for the Data Sync endpoint
ebs_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ebs_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the EBS endpoint.
ebs_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the EBS endpoint. If none is provided, AWS will associate the default security group for the VPC.
ebs_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the EBS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
ebs_endpoint_tags (map(string), default {})
  Tags for the EBS endpoint
ec2_autoscaling_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ec2_autoscaling_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2-Autoscaling endpoint
ec2_autoscaling_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the EC2-Autoscaling endpoint. If none is provided, AWS will associate the default security group for the VPC.
ec2_autoscaling_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the EC2-Autoscaling endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. For some regions, EC2-Autoscaling endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
ec2_autoscaling_endpoint_tags (map(string), default {})
  Tags for the EC2-Autoscaling endpoint
ec2_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ec2_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2 endpoint
ec2_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the EC2 endpoint
ec2_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the EC2 endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
ec2_endpoint_tags (map(string), default {})
  Tags for the EC2 endpoint
ec2messages_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ec2messages_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the EC2 Messages endpoint
ec2messages_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the EC2 Messages endpoint. If none is provided, AWS will associate the default security group for the VPC.
ec2messages_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the EC2 Messages endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
ec2messages_endpoint_tags (map(string), default {})
  Tags for the EC2 Messages endpoint
ecr_api_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ecr_api_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECR API endpoint
ecr_api_endpoint_security_group_ids (list(string), default [])
  The ID of one or more security groups to associate with the network interface for the ECR API endpoint. If none is provided, AWS will associate the default security group for the VPC.
ecr_api_endpoint_subnet_ids (list(string), default [])
  The IDs of subnets in which to create a network interface for the ECR API endpoint. If omitted, only subnet_ids will be used.
ecr_api_endpoint_tags (map(string), default {})
  Tags for the ECR API endpoint
ecr_dkr_endpoint_policy (string, default null)
  IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
ecr_dkr_endpoint_private_dns_enabled (bool, default true)
  Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECR DKR endpoint
ecr_dkr_endpoint_security_group_ids (list(string))
  The ID of one or more security groups to associate with the network interface for the ECR DKR endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
ecr_dkr_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the ECR dkr endpoint. If omitted, only subnet_ids will be used.
[]
ecr_dkr_endpoint_tags
map(string)Tags for the ECR DKR endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS Agent endpoint
true
ecs_agent_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the ECS Agent endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
ecs_agent_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the ECS Agent endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
ecs_agent_endpoint_tags
map(string)Tags for the ECS Agent endpoint
{}
ecs_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS endpoint
true
ecs_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the ECS endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
ecs_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the ECS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
ecs_endpoint_tags
map(string)Tags for the ECS endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the ECS Telemetry endpoint
true
ecs_telemetry_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the ECS Telemetry endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
ecs_telemetry_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the ECS Telemetry endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
ecs_telemetry_endpoint_tags
map(string)Tags for the ECS Telemetry endpoint
{}
efs_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the EFS endpoint.
true
efs_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the EFS endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
efs_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the EFS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
efs_endpoint_tags
map(string)Tags for the EFS endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Inference Runtime endpoint
true
The ID of one or more security groups to associate with the network interface for the Elastic Inference Runtime endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
elastic_inference_runtime_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Elastic Inference Runtime endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, Elastic Inference Runtime endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
elastic_inference_runtime_endpoint_tags
map(string)Tags for the Elastic Inference Runtime endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Beanstalk endpoint
true
elasticbeanstalk_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Elastic Beanstalk endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
elasticbeanstalk_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Elastic Beanstalk endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, Elastic Beanstalk endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
elasticbeanstalk_endpoint_tags
map(string)Tags for the Elastic Beanstalk endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Beanstalk Health endpoint
true
The ID of one or more security groups to associate with the network interface for the Elastic Beanstalk Health endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
elasticbeanstalk_health_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Elastic Beanstalk Health endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, Elastic Beanstalk Health endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
elasticbeanstalk_health_endpoint_tags
map(string)Tags for the Elastic Beanstalk Health endpoint
{}
elb_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Elastic Load Balancing endpoint
true
elb_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Elastic Load Balancing endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
elb_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Elastic Load Balancing endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
elb_endpoint_tags
map(string)Tags for the Elastic Load Balancing endpoint
{}
emr_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the EMR endpoint
true
emr_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the EMR endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
emr_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the EMR endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, EMR endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
emr_endpoint_tags
map(string)Tags for the EMR endpoint
{}
Set to true if you want to provision a Access Analyzer Endpoint within the VPC
false
Set to true if you want to provision a ACM PCA Endpoint within the VPC
false
Set to true if you want to provision an API Gateway within the VPC
false
Set to true if you want to provision a AppMesh Endpoint within the VPC
false
Set to true if you want to provision a AppStream API Endpoint within the VPC
false
Set to true if you want to provision a AppStream STREAMING Endpoint within the VPC
false
Set to true if you want to provision a Athena Endpoint within the VPC
false
Set to true if you want to provision a Auto Scaling Plans Endpoint within the VPC
false
Set to true if you want to provision a Cloud Directory Endpoint within the VPC
false
Set to true if you want to provision a Cloudformation within the VPC
false
Set to true if you want to provision a CloudTrail within the VPC
false
Set to true if you want to provision a CloudWatch Events within the VPC
false
Set to true if you want to provision a CloudWatch Logs within the VPC
false
Set to true if you want to provision a Codeartifact API Endpoint within the VPC
false
Set to true if you want to provision a Codeartifact repositories Endpoint within the VPC
false
Set to true if you want to provision a CodeBuild Endpoint within the VPC
false
Set to true if you want to provision a CodeCommit Endpoint within the VPC
false
Set to true if you want to provision a CodeDeploy Commands Secure Endpoint within the VPC
false
Set to true if you want to provision a CodeDeploy Endpoint within the VPC
false
Set to true if you want to provision a CodePipeline Endpoint within the VPC
false
Set to true if you want to provision a config within the VPC
false
Set to true if you want to provision a Data Sync Endpoint within the VPC
false
Set to true if you want to provision a EBS endpoint within the VPC.
false
Set to true if you want to provision a EC2-Autoscaling Endpoint within the VPC
false
Set to true if you want to provision an EC2 within the VPC
false
Set to true if you want to provision an EC2 Messages endpoint within the VPC
false
Set to true if you want to provision an ECR API within the VPC
false
Set to true if you want to provision an ECR DKR within the VPC
false
Set to true if you want to provision an ECS Agent within the VPC
false
Set to true if you want to provision an ECS within the VPC
false
Set to true if you want to provision an ECS Agent within the VPC
false
Set to true if you want to provision a EFS endpoint within the VPC.
false
Set to true if you want to provision a Elastic Inference Runtime Endpoint within the VPC
false
Set to true if you want to provision a Elastic Beanstalk Endpoint within the VPC
false
Set to true if you want to provision a Elastic Beanstalk Health Endpoint within the VPC
false
Set to true if you want to provision an Elastic Load Balancing within the VPC
false
Set to true if you want to provision a EMR Endpoint within the VPC
false
Set to true if you want to provision a Git CodeCommit Endpoint within the VPC
false
Set to true if you want to provision a Glue endpoint within the VPC.
false
Set to true if you want to provision a KINESIS Firehose Endpoint within the VPC
false
Set to true if you want to provision a Kinesis Streams within the VPC
false
Set to true if you want to provision a KMS within the VPC
false
Set to true if you want to provision a Lambda endpoint within the VPC.
false
Set to true if you want to provision a QLDB Session Endpoint within the VPC
false
Set to true if you want to provision a RDS Endpoint within the VPC
false
Set to true if you want to provision a Redshift within the VPC
false
Set to true if you want to provision a Rekognition Endpoint within the VPC
false
Set to true if you want to provision a SageMaker API Endpoint within the VPC
false
Set to true if you want to provision a SageMaker Runtime Endpoint within the VPC
false
Set to true if you want to provision a Secrets Manager within the VPC
false
Set to true if you want to provision a Service Catalog Endpoint within the VPC
false
Set to true if you want to provision a Simple Email Service within the VPC
false
Set to true if you want to provision a SMS Endpoint within the VPC
false
Set to true if you want to provision a SNS within the VPC
false
Set to true if you want to provision a SQS within the VPC
false
Set to true if you want to provision an SSM endpoint within the VPC
false
Set to true if you want to provision an SSM Messages endpoint within the VPC
false
Set to true if you want to provision a Step Function Endpoint within the VPC
false
Set to true if you want to provision a Storage Gateway Endpoint within the VPC
false
Set to true if you want to provision a STS within the VPC
false
Set to true if you want to provision a Textract Endpoint within the VPC
false
Set to true if you want to provision a Transfer Endpoint within the VPC
false
Set to true if you want to provision a Transfer Server Endpoint within the VPC
false
Set to true if you want to provision a CloudWatch Monitoring within the VPC
false
Set to true if you want to provision a VPC lattice endpoint within the VPC.
false
Set to true if you want to provision a Workspaces Endpoint within the VPC
false
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Git CodeCommit API endpoint
true
git_codecommit_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Git CodeCommit endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
git_codecommit_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Git CodeCommit API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, Git CodeCommit endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
git_codecommit_endpoint_tags
map(string)Tags for the Git CodeCommit endpoint
{}
glue_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Glue endpoint.
true
glue_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the glue endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
glue_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the glue endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
glue_endpoint_tags
map(string)Tags for the Glue endpoint
{}
https_security_group_cidr_blocks
list(string)List of CIDR blocks where HTTPS ingress should be allowed from. Defaults to the VPC's CIDR if left empty. Only used if create_https_security_group is true.
[]
Name prefix to use on the created SG. A random string will be appended.
"allow-https-"
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the KINESIS Firehose endpoint
true
kinesis_firehose_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the KINESIS Firehose endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
kinesis_firehose_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the KINESIS Firehose endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, KINESIS Firehose endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
kinesis_firehose_endpoint_tags
map(string)Tags for the KINESIS Firehose endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Kinesis Streams endpoint
true
kinesis_streams_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Kinesis Streams endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
kinesis_streams_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Kinesis Streams endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
kinesis_streams_endpoint_tags
map(string)Tags for the Kinesis endpoint
{}
kms_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the KMS endpoint
true
kms_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the KMS endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
kms_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the KMS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
kms_endpoint_tags
map(string)Tags for the KMS endpoint
{}
lambda_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Lambda endpoint.
true
lambda_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Lambda endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
lambda_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Lambda endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
lambda_endpoint_tags
map(string)Tags for the Lambda endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the QLDB Session endpoint
true
qldb_session_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the QLDB Session endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
qldb_session_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the QLDB Session endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, QLDB Session endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
qldb_session_endpoint_tags
map(string)Tags for the QLDB Session endpoint
{}
rds_endpoint_policy
stringIAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the RDS endpoint
true
rds_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the RDS endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
rds_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the RDS endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, RDS endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
rds_endpoint_tags
map(string)Tags for the RDS endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Redshift endpoint
true
redshift_data_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Redshift endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
redshift_data_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Redshift endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
redshift_data_endpoint_tags
map(string)Tags for the Redshift endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Rekognition endpoint
true
rekognition_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Rekognition endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
rekognition_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Rekognition endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, Rekognition endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
rekognition_endpoint_tags
map(string)Tags for the Rekognition endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the SageMaker API endpoint
true
sagemaker_api_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the SageMaker API endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
sagemaker_api_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the SageMaker API endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, SageMaker API endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
sagemaker_api_endpoint_tags
map(string)Tags for the SageMaker API endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the SageMaker Runtime endpoint
true
sagemaker_runtime_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the SageMaker Runtime endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
sagemaker_runtime_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the SageMaker Runtime endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids
. For some regions, SageMaker Runtime endpoint is not supported in all the AZs, so this variable helps to overcome this issue.
[]
sagemaker_runtime_endpoint_tags
map(string)Tags for the SageMaker Runtime endpoint
{}
IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint.
null
Set to false if you don't want to associate a private hosted zone with the specified VPC for the Secrets Manager endpoint
true
secretsmanager_endpoint_security_group_ids
list(string)The ID of one or more security groups to associate with the network interface for the Secrets Manager endpoint. If none is provided, AWS will associate the default security group for the VPC.
[]
secretsmanager_endpoint_subnet_ids
list(string)The IDs of subnets in which to create a network interface for the Secrets Manager endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used.
[]
secretsmanager_endpoint_tags
map(string)Tags for the Secrets Manager endpoint
{}
security_group_ids
list(string)A list of IDs of the security groups which will apply for all endpoints. Must supply this or create_https_security_group = true.
[]
| Variable | Type | Description | Default |
|---|---|---|---|
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Service Catalog endpoint. | true |
| servicecatalog_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Service Catalog endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| servicecatalog_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Service Catalog endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Service Catalog endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| servicecatalog_endpoint_tags | map(string) | Tags for the Service Catalog endpoint. | {} |
| ses_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Simple Email Service endpoint. | true |
| ses_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Simple Email Service endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| ses_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Simple Email Service endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions SES is not supported in every AZ, so this variable helps to work around that. | [] |
| ses_endpoint_tags | map(string) | Tags for the Simple Email Service endpoint. | {} |
| sms_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the SMS endpoint. | true |
| sms_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the SMS endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| sms_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the SMS endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the SMS endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| sms_endpoint_tags | map(string) | Tags for the SMS endpoint. | {} |
| sns_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the SNS endpoint. | true |
| sns_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the SNS endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| sns_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the SNS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| sns_endpoint_tags | map(string) | Tags for the SNS endpoint. | {} |
| sqs_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the SQS endpoint. | true |
| sqs_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the SQS endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| sqs_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the SQS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| sqs_endpoint_tags | map(string) | Tags for the SQS endpoint. | {} |
| ssm_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the SSM endpoint. | true |
| ssm_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the SSM endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| ssm_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the SSM endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| ssm_endpoint_tags | map(string) | Tags for the SSM endpoint. | {} |
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the SSM Messages endpoint. | true |
| ssmmessages_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the SSM Messages endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| ssmmessages_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the SSM Messages endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| ssmmessages_endpoint_tags | map(string) | Tags for the SSM Messages endpoint. | {} |
| states_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Step Functions endpoint. | true |
| states_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Step Functions endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| states_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Step Functions endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Step Functions endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| states_endpoint_tags | map(string) | Tags for the Step Functions endpoint. | {} |
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Storage Gateway endpoint. | true |
| storagegateway_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Storage Gateway endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| storagegateway_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Storage Gateway endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Storage Gateway endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| storagegateway_endpoint_tags | map(string) | Tags for the Storage Gateway endpoint. | {} |
| sts_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the STS endpoint. | true |
| sts_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the STS endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| sts_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the STS endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| sts_endpoint_tags | map(string) | Tags for the STS endpoint. | {} |
| tags | map(string) | A map of tags to apply to all endpoints. | {} |
| textract_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Textract endpoint. | true |
| textract_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Textract endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| textract_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Textract endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Textract endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| textract_endpoint_tags | map(string) | Tags for the Textract endpoint. | {} |
| transfer_endpoint_policy | string | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Transfer endpoint. | true |
| transfer_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Transfer endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| transfer_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Transfer endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Transfer endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| transfer_endpoint_tags | map(string) | Tags for the Transfer endpoint. | {} |
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Transfer Server endpoint. | true |
| transferserver_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Transfer Server endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| transferserver_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Transfer Server endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Transfer Server endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| transferserver_endpoint_tags | map(string) | Tags for the Transfer Server endpoint. | {} |
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the VPC Lattice endpoint. | true |
| vpc_lattice_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the VPC Lattice endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| vpc_lattice_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the VPC Lattice endpoint. Only a single subnet within an AZ is supported. If omitted, only subnet_ids will be used. | [] |
| vpc_lattice_endpoint_tags | map(string) | Tags for the VPC Lattice endpoint. | {} |
| | | IAM policy to restrict what resources can call this endpoint. For example, you can add an IAM policy that allows EC2 instances to talk to this endpoint but no other types of resources. If not specified, all resources will be allowed to call this endpoint. | null |
| | | Set to false if you don't want to associate a private hosted zone with the specified VPC for the Workspaces endpoint. | true |
| workspaces_endpoint_security_group_ids | list(string) | The ID of one or more security groups to associate with the network interface for the Workspaces endpoint. If none is provided, AWS will associate the default security group for the VPC. | [] |
| workspaces_endpoint_subnet_ids | list(string) | The IDs of subnets in which to create a network interface for the Workspaces endpoint. Only a single subnet within an AZ is supported. When defined, it overrides subnet_ids. In some regions the Workspaces endpoint is not supported in every AZ, so this variable helps to work around that. | [] |
| workspaces_endpoint_tags | map(string) | Tags for the Workspaces endpoint. | {} |
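The `*_endpoint_policy` variables above are where the "only these resources may call this endpoint" restriction is actually expressed. The following Terraform is an added example, not code from the module's own docs: it builds an STS endpoint policy that refuses calls from principals outside the current account and outside one EC2 instance role, and feeds it to the module together with a security group that only the application tier can reach. The role name `app-instance-role`, the placeholder IDs and the variable `enable_sts_endpoint` (assumed by analogy with `enable_ec2_endpoint`) are assumptions.

```hcl
# Added example (not part of the module's documentation). Assumed/hypothetical:
# enable_sts_endpoint, the IAM role "app-instance-role", and all <PLACEHOLDER> IDs.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "sts_endpoint" {
  statement {
    sid       = "OnlyThisAccountsInstanceRole"
    effect    = "Allow"
    actions   = ["sts:AssumeRole", "sts:GetCallerIdentity"]
    resources = ["*"]

    # Endpoint policies are resource policies, so the principal must be stated;
    # "*" here is narrowed by the two conditions below.
    principals {
      type        = "*"
      identifiers = ["*"]
    }

    # Credentials belonging to any other AWS account are refused at the endpoint,
    # which closes the endpoint as a path for using foreign credentials from inside the VPC.
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }

    # Within this account, only the EC2 instance role may use the endpoint.
    # For an assumed-role session aws:PrincipalArn resolves to the role ARN, so this matches instances.
    condition {
      test     = "ArnLike"
      variable = "aws:PrincipalArn"
      values   = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/app-instance-role"]
    }
  }
}

resource "aws_security_group" "sts_endpoint" {
  name   = "sts-endpoint"
  vpc_id = "<YOUR_VPC_ID>"

  # Only the application tier's security group may reach the endpoint ENI on 443,
  # rather than every host in the VPC CIDR.
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["<YOUR_APP_SECURITY_GROUP_ID>"]
  }
}

module "vpc_endpoints" {
  source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-interface-endpoint?ref=v1.0.8"

  vpc_id             = "<YOUR_VPC_ID>"
  subnet_ids         = ["<YOUR_SUBNET_IDS>"]
  security_group_ids = [aws_security_group.sts_endpoint.id]

  enable_sts_endpoint             = true # assumed name, by analogy with enable_ec2_endpoint
  sts_endpoint_policy             = data.aws_iam_policy_document.sts_endpoint.json
  sts_endpoint_subnet_ids         = ["<ONE_SUBNET_PER_AZ>"] # overrides subnet_ids for STS only
  sts_endpoint_security_group_ids = [aws_security_group.sts_endpoint.id]

  tags = { Environment = "prod" }
}
```

Leaving `sts_endpoint_policy` at its default of `null` keeps the permissive behaviour the table describes, where every principal that can reach the endpoint network interface may call STS through it.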
The module's outputs for the individual endpoints all carry the same description: if you have private DNS enabled, then your API calls (or streaming calls, for the streaming endpoints) will automatically go through the VPC Endpoint. Otherwise, you need to explicitly use this endpoint. E.g. for EC2: aws ec2 --endpoint-url https://vpce-008ec8becff9267dc-8qumgjia.ec2.us-east-1.vpce.amazonaws.com/ [...args]
If you allow the creation of the HTTPS security group, the id of the created group will be output here.