From d66bbbe7a687bcf7fa84d0ff60e3183978f76edb Mon Sep 17 00:00:00 2001
From: Mohamed El Mouctar HAIDARA
Date: Tue, 2 Feb 2021 19:56:32 +0100
Subject: [PATCH 1/2] fix: Specify an endpoint type for S3 VPC endpoint

This is now required because AWS seems to have added a new endpoint Interface for S3. If you don't filter the datasource for S3 endpoint on type, Terraform will fail because it will return multiple VPC endpoints `Error: multiple VPC Endpoint Services matched; use additional constraints to reduce matches to a single VPC Endpoint Service`
---
 README.md | 1 +
 variables.tf | 7 +++++++
 vpc-endpoints.tf | 6 +++---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 24b5851da..7bb37cdca 100644
--- a/README.md
+++ b/README.md
@@ -589,6 +589,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | rekognition\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for Rekognition endpoint | `list(string)` | `[]` | no |
 | rekognition\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for Rekognition endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
 | reuse\_nat\_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
+| s3\_endpoint\_type | S3 VPC endpoint type | `string` | `"Gateway"` | no |
 | sagemaker\_api\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for SageMaker API endpoint | `bool` | `false` | no |
 | sagemaker\_api\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for SageMaker API endpoint | `list(string)` | `[]` | no |
 | sagemaker\_api\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for SageMaker API endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
diff --git a/variables.tf b/variables.tf
index f673931de..6c98be821 100644
--- a/variables.tf
+++ b/variables.tf
@@ -322,6 +322,13 @@ variable "enable_s3_endpoint" {
 default = false
 }
 
+variable "s3_endpoint_type" {
+ description = "S3 VPC endpoint type"
+ type = string
+ default = "Gateway"
+}
+
+
 variable "enable_codeartifact_api_endpoint" {
 description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
 type = bool
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
index 540074b6b..c0e1d0e09 100644
--- a/vpc-endpoints.tf
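Review bot: `s3_endpoint_type` in the variables.tf hunk is accepted as any string with no check on its value, so a mistyped type (say `"gateway"`) presumably only surfaces as a provider error from the `aws_vpc_endpoint_service` lookup rather than as a clear message at plan time. If the module's required Terraform version is 0.13 or later, a `validation` block on the variable with `condition = contains(["Gateway", "Interface"], var.s3_endpoint_type)` and a one-line `error_message` would reject it up front; otherwise the accepted values should at least be named in the description, e.g. `description = "S3 VPC endpoint type (Gateway or Interface)"`. The same applies to `dynamodb_endpoint_type` added in the second patch's variables.tf hunk.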
+++ b/vpc-endpoints.tf
@@ -2,9 +2,9 @@
 # VPC Endpoint for S3
 ######################
 data "aws_vpc_endpoint_service" "s3" {
- count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
-
- service = "s3"
+ count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
+ service_type = var.s3_endpoint_type
+ service = "s3"
 }
 
 resource "aws_vpc_endpoint" "s3" {

From c7ce590e23ab155756dafe6602c35a71dca418dc Mon Sep 17 00:00:00 2001
From: Anton Babenko
Date: Tue, 2 Feb 2021 21:06:47 +0100
Subject: [PATCH 2/2] Fixed code for S3 and DynamoDB VPC endpoints

---
 README.md | 3 ++-
 examples/simple-vpc/main.tf | 5 +++++
 variables.tf | 7 ++++++-
 vpc-endpoints.tf | 22 ++++++++++++++--------
 4 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 7bb37cdca..9e5fe8015 100644
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ These types of resources are supported:
 * [VPC Flow Log](https://www.terraform.io/docs/providers/aws/r/flow_log.html)
 * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html):
 * Gateway: S3, DynamoDB
- * Interface: EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
+ * Interface: S3, EC2, SSM, EC2 Messages, SSM Messages, SQS, ECR API, ECR DKR, API Gateway, KMS,
 ECS, ECS Agent, ECS Telemetry, SES, SNS, STS, Glue, CloudWatch(Monitoring, Logs, Events), Elastic Load Balancing, CloudTrail, Secrets Manager, Config, Codeartifact(API, Repositories), CodeBuild, CodeCommit, Git-Codecommit, Textract, Transfer Server, Kinesis Streams, Kinesis Firehose, SageMaker(Notebook, Runtime, API),
@@ -353,6 +353,7 @@ It is possible to integrate this VPC module with [terraform-aws-transit-gateway
 | dms\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for DMS endpoint | `bool` | `false` | no |
 | dms\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for DMS endpoint | `list(string)` | `[]` | no |
 | dms\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for DMS endpoint. Only a single subnet within an AZ is supported. If omitted, private subnets will be used. | `list(string)` | `[]` | no |
+| dynamodb\_endpoint\_type | DynamoDB VPC endpoint type | `string` | `"Gateway"` | no |
 | ebs\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for EBS endpoint | `bool` | `false` | no |
 | ebs\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for EBS endpoint | `list(string)` | `[]` | no |
 | ebs\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for EBS endpoint. Only a single subnet within an AZ is supported. Ifomitted, private subnets will be used. | `list(string)` | `[]` | no |
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
index 99bcb3da2..2c9b4a64e 100644
--- a/examples/simple-vpc/main.tf
+++ b/examples/simple-vpc/main.tf
@@ -18,6 +18,11 @@ module "vpc" {
 enable_nat_gateway = true
 single_nat_gateway = true
 
+ # s3_endpoint_type = "Interface"
+
+ enable_s3_endpoint = true
+ enable_dynamodb_endpoint = true
+
 public_subnet_tags = {
 Name = "overridden-name-public"
 }
diff --git a/variables.tf b/variables.tf
index 6c98be821..f7bd1cd57 100644
--- a/variables.tf
+++ b/variables.tf
@@ -316,6 +316,12 @@ variable "enable_dynamodb_endpoint" {
 default = false
 }
 
+variable "dynamodb_endpoint_type" {
+ description = "DynamoDB VPC endpoint type"
+ type = string
+ default = "Gateway"
+}
+
 variable "enable_s3_endpoint" {
 description = "Should be true if you want to provision an S3 endpoint to the VPC"
 type = bool
@@ -328,7 +334,6 @@ variable "s3_endpoint_type" {
 default = "Gateway"
 }
 
-
 variable "enable_codeartifact_api_endpoint" {
 description = "Should be true if you want to provision an Codeartifact API endpoint to the VPC"
 type = bool
diff --git a/vpc-endpoints.tf b/vpc-endpoints.tf
index c0e1d0e09..896325e8c 100644
--- a/vpc-endpoints.tf
+++ b/vpc-endpoints.tf
@@ -2,7 +2,8 @@
 # VPC Endpoint for S3
 ######################
 data "aws_vpc_endpoint_service" "s3" {
- count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
+ count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
+ service_type = var.s3_endpoint_type
 service = "s3"
 }
 
@@ -10,9 +11,11 @@ data "aws_vpc_endpoint_service" "s3" {
 resource "aws_vpc_endpoint" "s3" {
 count = var.create_vpc && var.enable_s3_endpoint ? 1 : 0
 
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.s3[0].service_name
- tags = local.vpce_tags
+ vpc_id = local.vpc_id
+ service_name = data.aws_vpc_endpoint_service.s3[0].service_name
+ vpc_endpoint_type = var.s3_endpoint_type
+
+ tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_s3" {
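Review bot: When `s3_endpoint_type` is set to "Interface", `aws_vpc_endpoint.s3` in the `@@ -10,9 +11,11 @@` hunk now gets `vpc_endpoint_type` but passes no `subnet_ids` or `security_group_ids`, so the endpoint would have no subnet placement and, for its security group, fall back to the VPC default security group instead of an explicitly scoped one, unlike every other interface endpoint in this module, which takes `*_endpoint_subnet_ids` and `*_endpoint_security_group_ids` (see the README rows in this patch). Suggest wiring the same pair of variables in, conditioned on the type so Gateway endpoints are unaffected: `subnet_ids = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_subnet_ids : null` and `security_group_ids = var.s3_endpoint_type == "Interface" ? var.s3_endpoint_security_group_ids : null`, where both are new variables following the existing naming. The `aws_vpc_endpoint_route_table_association.private_s3` and `public_s3` resources that follow start outside the hunk; they appear to be gated only on `enable_s3_endpoint`, and route-table associations apply to Gateway endpoints only, so they presumably need the same type condition in their `count`. `aws_vpc_endpoint.dynamodb` in the last hunk has the same gaps.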
@@ -42,15 +45,18 @@ resource "aws_vpc_endpoint_route_table_association" "public_s3" {
 data "aws_vpc_endpoint_service" "dynamodb" {
 count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
- service = "dynamodb"
+ service_type = var.dynamodb_endpoint_type
+ service = "dynamodb"
 }
 
 resource "aws_vpc_endpoint" "dynamodb" {
 count = var.create_vpc && var.enable_dynamodb_endpoint ? 1 : 0
 
- vpc_id = local.vpc_id
- service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name
- tags = local.vpce_tags
+ vpc_id = local.vpc_id
+ vpc_endpoint_type = var.dynamodb_endpoint_type
+ service_name = data.aws_vpc_endpoint_service.dynamodb[0].service_name
+
+ tags = local.vpce_tags
 }
 
 resource "aws_vpc_endpoint_route_table_association" "private_dynamodb" {
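Review bot: The attribute order in `aws_vpc_endpoint.dynamodb` differs from the S3 resource changed in the same commit: here `vpc_endpoint_type` is placed between `vpc_id` and `service_name`, while in `aws_vpc_endpoint.s3` it follows `service_name`. Keeping the two blocks in the same order (`vpc_id`, `service_name`, `vpc_endpoint_type`) makes the parallel resources easier to diff and review. The subnet, security-group and route-table-association gaps raised on the S3 resource apply here as well.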