fix: Specify an endpoint type for S3 VPC endpoint (#573)

Author: haidaraM

README.md

@@ -19,7 +19,7 @@ These types of resources are supported:
 * [VPC Flow Log](https://www.terraform.io/docs/providers/aws/r/flow_log.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
   * Gateway: S3, DynamoDB
-  * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
+  * Interface: S3, EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
 ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events),
 Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codeartifact(API, Repositories), CodeBuild, CodeCommit,
 Git-Codecommit, Textract, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API),
@@ -353,6 +353,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | dms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint | `bool` | `false` | no |
 | dms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DMS endpoint | `list(string)` | `[]` | no |
 | dms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| dynamodb\_endpoint\_type | DynamoDB VPC endpoint type | `string` | `"Gateway"` | no |
 | ebs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no |
 | ebs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no |
 | ebs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
@@ -589,6 +590,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | `list(string)` | `[]` | no |
 | rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
+| s3\_endpoint\_type | S3 VPC endpoint type | `string` | `"Gateway"` | no |
 | sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | `bool` | `false` | no |
 | sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | `list(string)` | `[]` | no |
 | sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |

examples/simple-vpc/main.tf

@@ -18,6 +18,11 @@ module "vpc" {
   enable_nat_gateway = true
   single_nat_gateway = true
 
+  #  s3_endpoint_type = "Interface"
+
+  enable_s3_endpoint       = true
+  enable_dynamodb_endpoint = true
+
   public_subnet_tags = {
     Name = "overridden-name-public"
   }

variables.tf

@@ -316,12 +316,24 @@ variable "enable_dynamodb_endpoint" {
   default     = false
 }
 
+variable "dynamodb_endpoint_type" {
+  description = "DynamoDB VPC endpoint type"
+  type        = string
+  default     = "Gateway"
+}
+
 variable "enable_s3_endpoint" {
   description = "Should be true if you want to provision an S3 endpoint to the VPC"
   type        = bool
   default     = false
 }
 
+variable "s3_endpoint_type" {
+  description = "S3 VPC endpoint type"
+  type        = string
+  default     = "Gateway"
+}
+
 variable "enable_codeartifact_api_endpoint" {
   description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
   type        = bool

vpc-endpoints.tf

@@ -4,15 +4,18 @@
 data "aws_vpc_endpoint_service" "s3" {
   count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
 
-  service = "s3"
+  service_type = var.s3_endpoint_type
+  service      = "s3"
 }
 
 resource "aws_vpc_endpoint" "s3" {
   count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
 
-  vpc_id       = local.vpc_id
-  service_name = data.aws_vpc_endpoint_service.s3[0].service_name
-  tags         = local.vpce_tags
+  vpc_id            = local.vpc_id
+  service_name      = data.aws_vpc_endpoint_service.s3[0].service_name
+  vpc_endpoint_type = var.s3_endpoint_type
+
+  tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
@@ -42,15 +45,18 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 data "aws_vpc_endpoint_service" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
-  service = "dynamodb"
+  service_type = var.dynamodb_endpoint_type
+  service      = "dynamodb"
 }
 
 resource "aws_vpc_endpoint" "dynamodb" {
   count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
-  vpc_id       = local.vpc_id
-  service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name
-  tags         = local.vpce_tags
+  vpc_id            = local.vpc_id
+  vpc_endpoint_type = var.dynamodb_endpoint_type
+  service_name      = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+
+  tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {