From 326e79d7b078062fa6fdc441b5a06bc23aa88079 Mon Sep 17 00:00:00 2001 
From: badra001
Date: Tue, 25 Apr 2023 11:15:36 -0400
Subject: [PATCH] add shared-vpc-interface-endpoints standalone and within the full setup
---
...endpoints.tf => vpc-endpoints.tf.disabled} | 0
.../vpc-endpoints/locals.tf | 13 ++++
.../vpc-endpoints/provider.route53_main.tf | 21 ++++++
.../vpc-endpoints/region.tf | 4 +
.../vpc-endpoints/tf-run.data | 19 +++++
.../vpc-endpoints/variables.route53.tf | 16 ++++
.../vpc-endpoints/variables.username.tf | 5 ++
.../vpc-endpoints/variables.vpc-endpoints.tf | 16 ++++
.../vpc-endpoints/versions.tf | 37 +++++++++
.../vpc-endpoints/vpc-endpoints.shared.tf | 75 +++++++++++++++++++
.../vpc-endpoints/vpc-endpoints.tf | 40 ++++++++++
.../shared-vpc-interfaces-endpoints/locals.tf | 13 ++++
.../provider.route53_main.tf | 21 ++++++
.../shared-vpc-interfaces-endpoints/region.tf | 4 +
.../tf-run.data | 19 +++++
.../variables.route53.tf | 16 ++++
.../variables.username.tf | 5 ++
.../variables.vpc-endpoints.tf | 16 ++++
.../versions.tf | 37 +++++++++
.../vpc-endpoints.shared.tf | 75 +++++++++++++++++++
.../vpc-endpoints.tf | 40 ++++++++++
21 files changed, 492 insertions(+)
rename examples/full-setup-tf-upgrade/{vpc-endpoints.tf => vpc-endpoints.tf.disabled} (100%)
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/locals.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/provider.route53_main.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/region.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/tf-run.data
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/variables.route53.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/variables.username.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/variables.vpc-endpoints.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/versions.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.shared.tf
create mode 100644 examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/locals.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/provider.route53_main.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/region.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/tf-run.data
create mode 100644 examples/shared-vpc-interfaces-endpoints/variables.route53.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/variables.username.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/variables.vpc-endpoints.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/versions.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/vpc-endpoints.shared.tf
create mode 100644 examples/shared-vpc-interfaces-endpoints/vpc-endpoints.tf
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints.tf b/examples/full-setup-tf-upgrade/vpc-endpoints.tf.disabled
similarity index 100%
rename from examples/full-setup-tf-upgrade/vpc-endpoints.tf
rename to examples/full-setup-tf-upgrade/vpc-endpoints.tf.disabled
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/locals.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/locals.tf
new file mode 100644
index 0000000..630807e
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/locals.tf
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+
+ vpc_id = data.terraform_remote_state.vpc_REGION_VPCN.outputs.vpc_id
+ sg_web_id = data.terraform_remote_state.vpc_REGION_VPCN.outputs.sg_web_id
+
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ Environment = var.vpc_environment
+ }
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/provider.route53_main.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/provider.route53_main.tf
new file mode 100644
index 0000000..1b63eae
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/provider.route53_main.tf
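Review bot: The two remote-state references in `vpc_id` and `sg_web_id` point at `data.terraform_remote_state.vpc_REGION_VPCN`, which reads as a placeholder to be substituted rather than a data source any file in this patch declares; if `tf-directory-setup.py` from tf-run.data rewrites it, a comment such as `# vpc_REGION_VPCN is rewritten to the real remote-state name by tf-directory-setup.py` would keep the file from looking broken when read on its own. `base_tags` is declared here but nothing in the patch merges it, while every `tags = merge(...)` in the new module blocks uses `local.common_tags`, which is not defined in the patch and presumably comes from the LINKTOP includes. The same file is added byte-for-byte as examples/shared-vpc-interfaces-endpoints/locals.tf.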
@@ -0,0 +1,21 @@
+#---
+# network prod
+#---
+provider "aws" {
+ alias = "route53_main_east"
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+provider "aws" {
+ alias = "route53_main_west"
+ region = var.region_map["west"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/region.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/tf-run.data b/examples/full-setup-tf-upgrade/vpc-endpoints/tf-run.data
new file mode 100644
index 0000000..c8df7a2
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/tf-run.data
@@ -0,0 +1,19 @@
+VERSION 1.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+
+ALL
+COMMAND tf-directory-setup.py -l s3
+
+
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/variables.route53.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.route53.tf
new file mode 100644
index 0000000..140e7f2
--- /dev/null
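Review bot: `session_name = var.os_username` in both `assume_role` blocks takes a variable whose default is `null`, so when it is unset the cross-account Route53 sessions get a provider-generated name and CloudTrail in the central account no longer records who ran the apply. A `validation` block on `os_username` in variables.username.tf, `condition = var.os_username != null` with `error_message = "Set os_username (for example TF_VAR_os_username=$USER) so assumed-role sessions are attributable."`, turns attribution into a plan-time requirement instead of a convention. The same role ARN `format(...)` is repeated in both providers; a single `local` for it would keep the two from drifting. `data.aws_arn.current` and `var.region_map` are not declared in this patch and are presumably provided by the linked files. This file is duplicated as examples/shared-vpc-interfaces-endpoints/provider.route53_main.tf.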
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.route53.tf
@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+ description = "Map of target route53 endpoints (for inbound) central VPCs"
+ type = map(map(string))
+ default = {
+ route53_main = {
+ "account_id" = "057405694017"
+ "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+ "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+ }
+ route53_main_legacy = {
+ "account_id" = "107742151971"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ }
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/variables.username.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+ description = "OS username from environment variable, ideally as $USER"
+ type = string
+ default = null
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/variables.vpc-endpoints.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.vpc-endpoints.tf
new file mode 100644
index 0000000..8faf3f9
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/variables.vpc-endpoints.tf
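Review bot: The `default` of `route53_endpoints` embeds the hub account id and both regions' VPC ids, so the example is bound to one environment unless the source is edited, and the `route53_main_legacy` entry is not referenced anywhere in the patch. Supplying the map from a `.auto.tfvars` (tf-run.data already LINKs such files) and dropping the default keeps environment identifiers out of the committed example, and a `validation` such as `condition = alltrue([for k, v in var.route53_endpoints : can(regex("^[0-9]{12}$", v["account_id"]))])` catches a VPC id pasted into the `account_id` slot before the provider tries to assume a role with it. The same defaults are repeated in examples/shared-vpc-interfaces-endpoints/variables.route53.tf.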
@@ -0,0 +1,16 @@
+locals {
+
+ # Use this to select specific vpc endpoints to share from the central account. An empty list will share everything defined
+ # in the central account (network-prod). If you try to share something, and it's not there it shoud probably be added to the
+ # central account. By default, you most likely want this to be an empty list []. If this is null, no sharing will be setup.
+
+ shared_vpc_endpoints = []
+
+ # Use this to create non-shared VPC endpoints. This should be rare, and restricted to specific specialty services.
+ # This is a map of service naem, and a value of:
+ # "" (empty string): this means use this service name as is
+ # null: this means this service will NOT be created (disabled)
+ # string: A string used to find the service name. This is very service specific. sagemaker notebooks are one example.
+
+ vpc_endpoints = {}
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/versions.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/versions.tf
new file mode 100644
index 0000000..c6f5c66
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/versions.tf
@@ -0,0 +1,37 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = ">= 1.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 1.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 1.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 1.0"
+ }
+ infoblox = {
+ source = "infobloxopen/infoblox"
+ version = ">= 2.1.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
+ }
+ required_version = ">= 1.0.0"
+}
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.shared.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.shared.tf
new file mode 100644
index 0000000..d7f95db
--- /dev/null
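Review bot: The comments above `shared_vpc_endpoints` and `vpc_endpoints` carry two typos, `shoud` → `should` and `naem` → `name`, and "no sharing will be setup" should read "set up". The file is named variables.* but declares `locals`, so the `null` and `""` sentinels the comment describes are not checked by any type; if these are meant to be user-set knobs, `variable "vpc_endpoints" { type = map(string) default = {} }` and `variable "shared_vpc_endpoints" { type = list(string) default = [] }` would validate them at plan time while keeping the documented meanings. The same file is added as examples/shared-vpc-interfaces-endpoints/variables.vpc-endpoints.tf.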
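Review bot: `required_providers` in versions.tf declares `trevex/ldap`, `hashicorp/external`, `hashicorp/null`, `hashicorp/random`, `hashicorp/template`, `infobloxopen/infoblox` and `hashicorp/time`, none of which any file in this patch uses, so `terraform init` downloads and lock-pins seven extra providers, two from third-party namespaces, into a root that only needs `aws`. Trimming the block to `aws` shrinks what has to be trusted and kept current, and `hashicorp/template` is archived upstream, so carrying it will eventually block upgrades. `version = ">= 4.0"` has no upper bound, so a future major release with breaking changes is accepted on the next `-upgrade`; `~> 4.0` is the usual pin. The same file is added as examples/shared-vpc-interfaces-endpoints/versions.tf.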
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.shared.tf 
@@ -0,0 +1,75 @@
+data "aws_ssm_parameters_by_path" "vpce_east" {
+ provider = aws.route53_main_east
+ path = format("/enterprise/%v/vpc-endpoints/", data.aws_arn.current.partition)
+ recursive = true
+}
+
+data "aws_ssm_parameters_by_path" "vpce_west" {
+ provider = aws.route53_main_west
+ path = format("/enterprise/%v/vpc-endpoints/", data.aws_arn.current.partition)
+ recursive = true
+}
+
+locals {
+ vpc_endpoints_ssm_east = { for k, v in zipmap(data.aws_ssm_parameters_by_path.vpce_east.names, data.aws_ssm_parameters_by_path.vpce_east.values) : k => jsondecode(v) }
+ vpc_endpoints_ssm_west = { for k, v in zipmap(data.aws_ssm_parameters_by_path.vpce_west.names, data.aws_ssm_parameters_by_path.vpce_west.values) : k => jsondecode(v) }
+}
+
+# selects all available zones for this region
+# settings:
+# shared_vpc_endpoints = null do not use any shared endpoints (from SSM param)
+# shared_vpc_endpoints = [] use all available shared endpoints (from SSM param) *recommended
+# shared_vpc_endpoints = [ "sms", "kms", ] use selected VPC endpoints
+
+module "vpce_shared_east" {
+ count = local.shared_vpc_endpoints == null ? 0 : 1
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_east
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+ region = local.region
+ vpc_id = local.vpc_id
+ zone_ids = compact([for k, v in nonsensitive(local.vpc_endpoints_ssm_east) : v.zone_id if length(local.shared_vpc_endpoints) == 0 || try(contains(local.shared_vpc_endpoints, v.name), true)])
+
+ tags = merge(
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+module "vpce_shared_west" {
+ count = local.shared_vpc_endpoints == null ? 0 : 1
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_west
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+ region = local.region
+ vpc_id = local.vpc_id
+ zone_ids = compact([for k, v in nonsensitive(local.vpc_endpoints_ssm_west) : v.zone_id if length(local.shared_vpc_endpoints) == 0 || try(contains(local.shared_vpc_endpoints, v.name), true)])
+
+ tags = merge(
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+## data "aws_ssm_parameter" "vpce" {
+## for_each = toset(data.aws_ssm_parameters_by_path.vpce.names)
+## name = each.key
+## }
+##
+## "/enterprise/aws-us-gov/vpc-endpoints/us-gov-west-1/elasticloadbalancing" = {
+## "create_time" = 1680897055
+## "dns_name" = "elasticloadbalancing.us-gov-west-1.amazonaws.com"
+## "id" = "vpce-0dcf1e1c5b81b5dce"
+## "name" = "elasticloadbalancing"
+## "region" = "us-gov-west-1"
+## "zone" = "elasticloadbalancing.us-gov-west-1.amazonaws.com"
+## "zone_id" = "Z0438795ORVM3AZOHHAV"
+## }
diff --git a/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.tf b/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.tf
new file mode 100644
index 0000000..0c4b61c
--- /dev/null
+++ b/examples/full-setup-tf-upgrade/vpc-endpoints/vpc-endpoints.tf
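Review bot: In both `zone_ids` expressions, `try(contains(local.shared_vpc_endpoints, v.name), true)` falls back to `true` when a decoded SSM entry has no `name` key, so a malformed or unexpected parameter under the enterprise path gets its zone associated with this VPC even when an explicit allow-list was given; `try(contains(local.shared_vpc_endpoints, v.name), false)` fails closed, and the same change applies in the west module. The `nonsensitive()` wrapper makes the decoded SSM values appear in plan output, which looks intentional since they hold zone ids and DNS names, but a comment such as `# SSM values are zone ids/DNS names, not secrets; unwrapped so the for-expression can filter on them` would stop the next reader from removing it. Both `source` arguments pin `?ref=tf-upgrade`, a branch name, so the module content that gets applied can change between runs; a tag or commit SHA makes it reproducible. `local.common_tags` is merged but not defined anywhere in the patch, presumably coming from the linked includes. This file is duplicated as examples/shared-vpc-interfaces-endpoints/vpc-endpoints.shared.tf.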
@@ -0,0 +1,40 @@
+# there is no need to change this file. use variables.vpc-endpoints.tf (for the locals needing to be set)
+
+locals {
+ security_group_ids = [local.sg_web_id]
+
+ # these are defined in variables.vpc-endpoints.tf
+ ## shared_vpc_endpoints = []
+ ## vpc_endpoints = { }
+}
+
+data "aws_subnets" "endpoint_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+module "vpce" {
+ for_each = local.vpc_endpoints
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint?ref=tf-upgrade"
+
+ service = each.value == "" ? each.key : each.value
+ subnet_ids = tolist(data.aws_subnets.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/locals.tf b/examples/shared-vpc-interfaces-endpoints/locals.tf
new file mode 100644
index 0000000..630807e
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/locals.tf
@@ -0,0 +1,13 @@
+locals {
+ base_tags = {
+ "boc:created_by" = "terraform"
+ }
+
+ vpc_id = data.terraform_remote_state.vpc_REGION_VPCN.outputs.vpc_id
+ sg_web_id = data.terraform_remote_state.vpc_REGION_VPCN.outputs.sg_web_id
+
+ tags = {
+ CostAllocation = "csvd:infrastructure"
+ Environment = var.vpc_environment
+ }
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/provider.route53_main.tf b/examples/shared-vpc-interfaces-endpoints/provider.route53_main.tf
new file mode 100644
index 0000000..1b63eae
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/provider.route53_main.tf
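Review bot: `for_each = local.vpc_endpoints` iterates entries whose value is `null`, and `service = each.value == "" ? each.key : each.value` then hands the module `service = null`, so the "null means disabled" contract documented in variables.vpc-endpoints.tf is not implemented here unless the module itself skips a null service; `for_each = { for k, v in local.vpc_endpoints : k => v if v != null }` makes the skip explicit. The `aws_subnets` lookup selects every subnet in the VPC whose `Name` tag contains `-endpoints-`, and when nothing matches `subnet_ids` is silently `[]`; a `lifecycle { postcondition { condition = length(self.ids) > 0 } }` on the data source (Terraform 1.2+) would surface that before apply. As in vpc-endpoints.shared.tf, `?ref=tf-upgrade` is a mutable branch ref rather than a tag or commit. This file is duplicated as examples/shared-vpc-interfaces-endpoints/vpc-endpoints.tf.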
@@ -0,0 +1,21 @@
+#---
+# network prod
+#---
+provider "aws" {
+ alias = "route53_main_east"
+ region = var.region_map["east"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
+provider "aws" {
+ alias = "route53_main_west"
+ region = var.region_map["west"]
+ assume_role {
+ role_arn = format("arn:%v:iam::%v:role/r-inf-terraform-route53", data.aws_arn.current.partition, var.route53_endpoints["route53_main"].account_id)
+ session_name = var.os_username
+ }
+}
+
diff --git a/examples/shared-vpc-interfaces-endpoints/region.tf b/examples/shared-vpc-interfaces-endpoints/region.tf
new file mode 100644
index 0000000..b7b1696
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/region.tf
@@ -0,0 +1,4 @@
+locals {
+ region = var.region
+}
+
diff --git a/examples/shared-vpc-interfaces-endpoints/tf-run.data b/examples/shared-vpc-interfaces-endpoints/tf-run.data
new file mode 100644
index 0000000..c8df7a2
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/tf-run.data
@@ -0,0 +1,19 @@
+VERSION 1.0.2
+REMOTE-STATE
+COMMAND tf-directory-setup.py -l none -f
+COMMAND setup-new-directory.sh
+COMMAND tf-init -upgrade
+
+LINKTOP includes.d/variables.account_tags.tf
+LINKTOP includes.d/variables.account_tags.auto.tfvars
+LINKTOP includes.d/variables.infrastructure_tags.tf
+LINKTOP includes.d/variables.infrastructure_tags.auto.tfvars
+LINKTOP includes.d/variables.application_tags.tf
+LINKTOP includes.d/variables.application_tags.auto.tfvars
+LINK variables.vpc.tf
+LINK variables.vpc.auto.tfvars
+
+ALL
+COMMAND tf-directory-setup.py -l s3
+
+
diff --git a/examples/shared-vpc-interfaces-endpoints/variables.route53.tf b/examples/shared-vpc-interfaces-endpoints/variables.route53.tf
new file mode 100644
index 0000000..140e7f2
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/variables.route53.tf
@@ -0,0 +1,16 @@
+variable "route53_endpoints" {
+ description = "Map of target route53 endpoints (for inbound) central VPCs"
+ type = map(map(string))
+ default = {
+ route53_main = {
+ "account_id" = "057405694017"
+ "us-gov-east-1" = "vpc-0871ba8a6040d623a"
+ "us-gov-west-1" = "vpc-0f03ea065333f72c5"
+ }
+ route53_main_legacy = {
+ "account_id" = "107742151971"
+ "us-gov-east-1" = "vpc-099a991da7c4eb8a5"
+ "us-gov-west-1" = "vpc-77877a12"
+ }
+ }
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/variables.username.tf b/examples/shared-vpc-interfaces-endpoints/variables.username.tf
new file mode 100644
index 0000000..46f8f47
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/variables.username.tf
@@ -0,0 +1,5 @@
+variable "os_username" {
+ description = "OS username from environment variable, ideally as $USER"
+ type = string
+ default = null
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/variables.vpc-endpoints.tf b/examples/shared-vpc-interfaces-endpoints/variables.vpc-endpoints.tf
new file mode 100644
index 0000000..8faf3f9
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/variables.vpc-endpoints.tf
@@ -0,0 +1,16 @@
+locals {
+
+ # Use this to select specific vpc endpoints to share from the central account. An empty list will share everything defined
+ # in the central account (network-prod). If you try to share something, and it's not there it shoud probably be added to the
+ # central account. By default, you most likely want this to be an empty list []. If this is null, no sharing will be setup.
+
+ shared_vpc_endpoints = []
+
+ # Use this to create non-shared VPC endpoints. This should be rare, and restricted to specific specialty services.
+ # This is a map of service naem, and a value of:
+ # "" (empty string): this means use this service name as is
+ # null: this means this service will NOT be created (disabled)
+ # string: A string used to find the service name. This is very service specific. sagemaker notebooks are one example.
+
+ vpc_endpoints = {}
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/versions.tf b/examples/shared-vpc-interfaces-endpoints/versions.tf
new file mode 100644
index 0000000..c6f5c66
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/versions.tf
@@ -0,0 +1,37 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0"
+ }
+ ldap = {
+ source = "trevex/ldap"
+ version = ">= 0.5.4"
+ }
+ external = {
+ source = "hashicorp/external"
+ version = ">= 1.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 1.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 1.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 1.0"
+ }
+ infoblox = {
+ source = "infobloxopen/infoblox"
+ version = ">= 2.1.0"
+ }
+ time = {
+ source = "hashicorp/time"
+ version = ">= 0.9"
+ }
+ }
+ required_version = ">= 1.0.0"
+}
diff --git a/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.shared.tf b/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.shared.tf
new file mode 100644
index 0000000..d7f95db
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.shared.tf 
@@ -0,0 +1,75 @@
+data "aws_ssm_parameters_by_path" "vpce_east" {
+ provider = aws.route53_main_east
+ path = format("/enterprise/%v/vpc-endpoints/", data.aws_arn.current.partition)
+ recursive = true
+}
+
+data "aws_ssm_parameters_by_path" "vpce_west" {
+ provider = aws.route53_main_west
+ path = format("/enterprise/%v/vpc-endpoints/", data.aws_arn.current.partition)
+ recursive = true
+}
+
+locals {
+ vpc_endpoints_ssm_east = { for k, v in zipmap(data.aws_ssm_parameters_by_path.vpce_east.names, data.aws_ssm_parameters_by_path.vpce_east.values) : k => jsondecode(v) }
+ vpc_endpoints_ssm_west = { for k, v in zipmap(data.aws_ssm_parameters_by_path.vpce_west.names, data.aws_ssm_parameters_by_path.vpce_west.values) : k => jsondecode(v) }
+}
+
+# selects all available zones for this region
+# settings:
+# shared_vpc_endpoints = null do not use any shared endpoints (from SSM param)
+# shared_vpc_endpoints = [] use all available shared endpoints (from SSM param) *recommended
+# shared_vpc_endpoints = [ "sms", "kms", ] use selected VPC endpoints
+
+module "vpce_shared_east" {
+ count = local.shared_vpc_endpoints == null ? 0 : 1
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_east
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+ region = local.region
+ vpc_id = local.vpc_id
+ zone_ids = compact([for k, v in nonsensitive(local.vpc_endpoints_ssm_east) : v.zone_id if length(local.shared_vpc_endpoints) == 0 || try(contains(local.shared_vpc_endpoints, v.name), true)])
+
+ tags = merge(
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+module "vpce_shared_west" {
+ count = local.shared_vpc_endpoints == null ? 0 : 1
+ providers = {
+ aws.self = aws
+ aws.peer = aws.route53_main_west
+ }
+
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//route53-zone-association/vpc?ref=tf-upgrade"
+ region = local.region
+ vpc_id = local.vpc_id
+ zone_ids = compact([for k, v in nonsensitive(local.vpc_endpoints_ssm_west) : v.zone_id if length(local.shared_vpc_endpoints) == 0 || try(contains(local.shared_vpc_endpoints, v.name), true)])
+
+ tags = merge(
+ local.common_tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}
+
+## data "aws_ssm_parameter" "vpce" {
+## for_each = toset(data.aws_ssm_parameters_by_path.vpce.names)
+## name = each.key
+## }
+##
+## "/enterprise/aws-us-gov/vpc-endpoints/us-gov-west-1/elasticloadbalancing" = {
+## "create_time" = 1680897055
+## "dns_name" = "elasticloadbalancing.us-gov-west-1.amazonaws.com"
+## "id" = "vpce-0dcf1e1c5b81b5dce"
+## "name" = "elasticloadbalancing"
+## "region" = "us-gov-west-1"
+## "zone" = "elasticloadbalancing.us-gov-west-1.amazonaws.com"
+## "zone_id" = "Z0438795ORVM3AZOHHAV"
+## }
diff --git a/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.tf b/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.tf
new file mode 100644
index 0000000..0c4b61c
--- /dev/null
+++ b/examples/shared-vpc-interfaces-endpoints/vpc-endpoints.tf
@@ -0,0 +1,40 @@
+# there is no need to change this file. use variables.vpc-endpoints.tf (for the locals needing to be set)
+
+locals {
+ security_group_ids = [local.sg_web_id]
+
+ # these are defined in variables.vpc-endpoints.tf
+ ## shared_vpc_endpoints = []
+ ## vpc_endpoints = { }
+}
+
+data "aws_subnets" "endpoint_subnets" {
+ filter {
+ name = "vpc-id"
+ values = [local.vpc_id]
+ }
+ filter {
+ name = "tag:Name"
+ values = ["*-endpoints-*"]
+ }
+}
+
+module "vpce" {
+ for_each = local.vpc_endpoints
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//vpc-interface-endpoint?ref=tf-upgrade"
+
+ service = each.value == "" ? each.key : each.value
+ subnet_ids = tolist(data.aws_subnets.endpoint_subnets.ids)
+ security_group_ids = local.security_group_ids
+
+ vpc_id = local.vpc_id
+ vpc_full_name = var.vpc_full_name
+ vpc_environment = var.vpc_environment
+
+ tags = merge(
+ local.common_tags,
+ local.tags,
+ var.account_tags,
+ var.application_tags,
+ )
+}