Resource: awsVpcEndpoint
Provides a VPC Endpoint resource.
~> NOTE on VPC Endpoints and VPC Endpoint Associations: Terraform provides both standalone VPC Endpoint Associations for Route Tables (an association between a VPC endpoint and a single routeTableId), Security Groups (an association between a VPC endpoint and a single securityGroupId), and Subnets (an association between a VPC endpoint and a single subnetId), and a VPC Endpoint resource with routeTableIds, securityGroupIds and subnetIds attributes. Do not use the same resource ID in both a VPC Endpoint resource and a VPC Endpoint Association resource. Doing so will cause a conflict of associations and will overwrite the association.
Example Usage
Basic
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.vpcEndpoint.VpcEndpoint(this, "s3", {
serviceName: "com.amazonaws.us-west-2.s3",
vpcId: "${aws_vpc.main.id}",
});
Basic w/ Tags
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.vpcEndpoint.VpcEndpoint(this, "s3", {
serviceName: "com.amazonaws.us-west-2.s3",
tags: {
Environment: "test",
},
vpcId: "${aws_vpc.main.id}",
});
Interface Endpoint Type
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.vpcEndpoint.VpcEndpoint(this, "ec2", {
privateDnsEnabled: true,
securityGroupIds: ["${aws_security_group.sg1.id}"],
serviceName: "com.amazonaws.us-west-2.ec2",
vpcEndpointType: "Interface",
vpcId: "${aws_vpc.main.id}",
});
Gateway Load Balancer Endpoint Type
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const dataAwsCallerIdentityCurrent =
new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const awsVpcEndpointServiceExample =
new aws.vpcEndpointService.VpcEndpointService(this, "example", {
acceptanceRequired: false,
allowedPrincipals: [dataAwsCallerIdentityCurrent.arn],
gatewayLoadBalancerArns: ["${aws_lb.example.arn}"],
});
const awsVpcEndpointExample = new aws.vpcEndpoint.VpcEndpoint(
this,
"example_2",
{
serviceName: awsVpcEndpointServiceExample.serviceName,
subnetIds: ["${aws_subnet.example.id}"],
vpcEndpointType: awsVpcEndpointServiceExample.serviceType,
vpcId: "${aws_vpc.example.id}",
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsVpcEndpointExample.overrideLogicalId("example");
Non-AWS Service
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsVpcEndpointPtfeService = new aws.vpcEndpoint.VpcEndpoint(
this,
"ptfe_service",
{
privateDnsEnabled: false,
securityGroupIds: ["${aws_security_group.ptfe_service.id}"],
serviceName: "${var.ptfe_service}",
subnetIds: ["${local.subnet_ids}"],
vpcEndpointType: "Interface",
vpcId: "${var.vpc_id}",
}
);
const dataAwsRoute53ZoneInternal =
new aws.dataAwsRoute53Zone.DataAwsRoute53Zone(this, "internal", {
name: "vpc.internal.",
privateZone: true,
vpcId: "${var.vpc_id}",
});
const awsRoute53RecordPtfeService = new aws.route53Record.Route53Record(
this,
"ptfe_service_2",
{
name: `ptfe.\${${dataAwsRoute53ZoneInternal.name}}`,
records: [`\${${awsVpcEndpointPtfeService.dnsEntry.fqn}[0]["dns_name"]}`],
ttl: "300",
type: "CNAME",
zoneId: dataAwsRoute53ZoneInternal.zoneId,
}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53RecordPtfeService.overrideLogicalId("ptfe_service");
~> NOTE The dnsEntry output is a list of maps: Terraform interpolation support for lists of maps requires the lookup function and [] indexing until full support of lists of maps is available, which is why the Route 53 record above reads the first entry's dns_name through a raw interpolation string.
Argument Reference
The following arguments are supported:
serviceName - (Required) The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule; its service name is in the form aws.sagemaker.<region>.notebook).
vpcId - (Required) The ID of the VPC in which the endpoint will be used.
autoAccept - (Optional) Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
policy - (Optional) A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access, which lets any principal reach any resource of the service through the endpoint; where the service supports endpoint policies, restrict it (for example to principals and resources of your own account with the aws:PrincipalAccount and aws:ResourceAccount condition keys) so the endpoint cannot be used as a path to resources in other accounts. All Gateway and some Interface endpoints support policies; see the relevant AWS documentation for more details. For more information about building AWS IAM policy documents with Terraform, see the AWS IAM Policy Document Guide.
privateDnsEnabled - (Optional; AWS services and AWS Marketplace partner services only) Whether or not to associate a private hosted zone with the specified VPC, so that the service's public hostname resolves to the endpoint from inside the VPC. Applicable for endpoints of type Interface. Defaults to false.
dnsOptions - (Optional) The DNS options for the endpoint. See dnsOptions below.
ipAddressType - (Optional) The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
routeTableIds - (Optional) One or more route table IDs. Applicable for endpoints of type Gateway; only subnets using one of these route tables reach the service through the endpoint.
subnetIds - (Optional) The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
securityGroupIds - (Optional) The ID of one or more security groups to associate with the network interface. Applicable for endpoints of type Interface. If no security groups are specified, the VPC's default security group is associated with the endpoint; pass an explicit group whose inbound rules admit only the clients that need the service rather than relying on the default group's rules.
tags - (Optional) A map of tags to assign to the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
vpcEndpointType - (Optional) The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.
dnsOptions
dnsRecordIpType - (Optional) The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.
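The policy argument is where the security decision on this resource is made, and the page only says that it defaults to full access. The following is an added example, not code from this page or from the Terraform AWS provider: it builds a restricted policy for an S3 gateway endpoint, builds the equivalent of the full-access default, and runs both through a deliberately small evaluator over constructed requests so the difference is visible without deploying anything. aws:PrincipalAccount and aws:ResourceAccount are real IAM global condition keys; the account IDs, VPC and route table IDs are placeholders; the evaluator is a toy that understands only those two keys and is not IAM; the props builder returns the object shape used by the page's examples but does not instantiate the CDKTF construct, since the generated provider bindings are not importable here.

```typescript
// Added example (not from this page or the Terraform AWS provider): build a
// least-privilege policy for an S3 gateway endpoint and evaluate it against
// constructed requests, to show what the "full access" default of `policy`
// lets through and what a restricted policy blocks.

// Subset of the IAM policy grammar used by endpoint policies.
interface EndpointStatement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal: "*" | { AWS: string | string[] };
  Action: string | string[];
  Resource: string | string[];
  Condition?: { StringEquals?: Record<string, string | string[]> };
}
interface EndpointPolicyDocument {
  Version: "2012-10-17";
  Statement: EndpointStatement[];
}

// Allow S3 through the endpoint only for principals of, and buckets owned by,
// one account. aws:PrincipalAccount and aws:ResourceAccount are IAM global
// condition keys; the account ID is a placeholder supplied by the caller.
function restrictedS3EndpointPolicy(accountId: string): string {
  const doc: EndpointPolicyDocument = {
    Version: "2012-10-17",
    Statement: [{
      Sid: "OwnAccountOnly",
      Effect: "Allow",
      Principal: "*",
      Action: "s3:*",
      Resource: "*",
      Condition: {
        StringEquals: {
          "aws:PrincipalAccount": accountId,
          "aws:ResourceAccount": accountId,
        },
      },
    }],
  };
  return JSON.stringify(doc);
}

// The policy the endpoint effectively has when `policy` is omitted.
function fullAccessEndpointPolicy(): string {
  const doc: EndpointPolicyDocument = {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: "*", Action: "*", Resource: "*" }],
  };
  return JSON.stringify(doc);
}

// A request as seen at the endpoint: the calling principal's account, the
// bucket owner's account, and the S3 action.
interface EndpointRequest {
  principalAccount: string;
  resourceAccount: string;
  action: string;
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// "*" and "s3:*"-style prefixes match; anything else must match exactly.
function actionMatches(pattern: string, action: string): boolean {
  if (pattern === "*") return true;
  if (pattern.endsWith("*")) return action.startsWith(pattern.slice(0, -1));
  return pattern === action;
}

// Toy evaluator, not IAM: a matching Deny wins, then any matching Allow,
// otherwise implicit deny. Only StringEquals on the two account keys is
// understood (a condition on any other key never matches); Principal and
// Resource are treated as "*".
function endpointAllows(policyJson: string, req: EndpointRequest): boolean {
  const doc = JSON.parse(policyJson) as EndpointPolicyDocument;
  const ctx: Record<string, string> = {
    "aws:PrincipalAccount": req.principalAccount,
    "aws:ResourceAccount": req.resourceAccount,
  };
  let allowed = false;
  for (const st of doc.Statement) {
    if (!asList(st.Action).some((a) => actionMatches(a, req.action))) continue;
    const conds = st.Condition?.StringEquals ?? {};
    const condOk = Object.entries(conds).every(
      ([key, want]) => key in ctx && asList(want).includes(ctx[key]),
    );
    if (!condOk) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Props in the shape the page's examples pass to
// new aws.vpcEndpoint.VpcEndpoint(this, "s3", props). The construct itself is
// not created here because the generated provider bindings are not available.
function s3GatewayEndpointProps(
  region: string, vpcId: string, routeTableIds: string[], accountId: string,
) {
  return {
    serviceName: `com.amazonaws.${region}.s3`,
    vpcId,
    vpcEndpointType: "Gateway",
    routeTableIds,
    policy: restrictedS3EndpointPolicy(accountId),
  };
}
```

With the restricted policy, a request from a principal in another account, or to a bucket owned by another account, is denied at the endpoint even though the full-access default would let it through; the same JSON string is what you hand to the resource's policy argument.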
Timeouts
create - (Default 10m)
update - (Default 10m)
delete - (Default 10m)
Attributes Reference
In addition to all arguments above, the following attributes are exported:
id - The ID of the VPC endpoint.
arn - The Amazon Resource Name (ARN) of the VPC endpoint.
cidrBlocks - The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
dnsEntry - The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
networkInterfaceIds - One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
ownerId - The ID of the AWS account that owns the VPC endpoint.
prefixListId - The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
requesterManaged - Whether or not the VPC Endpoint is being managed by its service: true or false.
state - The state of the VPC endpoint.
tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.
DNS blocks (for dnsEntry) support the following attributes:
dnsName - The DNS name.
hostedZoneId - The ID of the private hosted zone.
Import
VPC Endpoints can be imported using the vpcEndpointId, e.g.,