* 2.13.0 -- 2025-10-15

- vpc-interface-endpoint - add use_route53_profiles option
terraform-modules · Oct 15, 2025 · 693c031 · 693c031
1 parent f0b0edb
commit 693c031
Show file tree

Hide file tree

Showing 7 changed files with 22 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -488,3 +488,7 @@
 * 2.12.2 -- 2025-10-07
   - route53-zone-association/terraform-role
     - add route53profile permissions
+
+* 2.13.0 -- 2025-10-15
+  - vpc-interface-endpoint
+    - add use_route53_profiles option
diff --git a/common/version.tf b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.12.2"
+  _module_version = "2.13.0"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

diff --git a/vpc-interface-endpoint/README.md b/vpc-interface-endpoint/README.md
@@ -245,6 +245,7 @@ These are not included in the module because they don't exist until the resource
 | <a name="input_service"></a> [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_use_route53_profiles"></a> [use\_route53\_profiles](#input\_use\_route53\_profiles) | Flag to use a route53 profile for association instead of the PHZ zone sharing | `bool` | `false` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |

diff --git a/vpc-interface-endpoint/main.tf b/vpc-interface-endpoint/main.tf
@@ -57,6 +57,8 @@ locals {
   account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
   region              = data.aws_region.current.name
 
+  private_dns_unsupported = ["s3"]
+
   service_parts      = split(".", var.service)
   service            = length(local.service_parts) <= 2 ? format("com.amazonaws.%v.%v", local.region, var.service) : var.service
   full_service_parts = split(".", local.service)
@@ -65,7 +67,7 @@ locals {
   #  short_service = element(local.full_service_parts, length(local.full_service_parts) - 1)
   #short_service = join(".", slice(local.full_service_parts, index(local.full_service_parts, local.region) + 1, length(local.full_service_parts)))
   short_service    = replace(replace(local.service, "com.amazonaws.", ""), format("%v.", local.region), "")
-  is_short_service = ! (local.full_service_parts[0] != "com" || ! contains(local.full_service_parts, local.region))
+  is_short_service = !(local.full_service_parts[0] != "com" || !contains(local.full_service_parts, local.region))
 
   base_tags = {
     "boc:tf_module_version" = local._module_version
@@ -81,7 +83,7 @@ data "aws_vpc_endpoint_service" "interface_endpoint" {
   #  service      = local.full_service_parts[0] == "com" ? local.short_service : null
   #  service_name = local.full_service_parts[0] != "com" ? local.service : null
   service      = local.is_short_service ? local.short_service : null
-  service_name = ! local.is_short_service ? local.service : null
+  service_name = !local.is_short_service ? local.service : null
   filter {
     name   = "service-type"
     values = ["Interface"]
@@ -94,7 +96,7 @@ resource "aws_vpc_endpoint" "interface_endpoint" {
   vpc_endpoint_type   = "Interface"
   subnet_ids          = var.subnet_ids
   security_group_ids  = var.security_group_ids
-  private_dns_enabled = var.private_dns_enabled
+  private_dns_enabled = (var.private_dns_enabled || var.use_route53_profiles) && !contains(local.private_dns_unsupported, var.service)
   auto_accept         = true
 
   ip_address_type = var.ip_address_type

diff --git a/vpc-interface-endpoint/outputs.tf b/vpc-interface-endpoint/outputs.tf
@@ -6,18 +6,19 @@
 output "vpce_service_info" {
   description = "VPC Interface Endpoint information for service"
   value = {
-    "arn"                   = aws_vpc_endpoint.interface_endpoint.arn,
     "name"                  = local.short_service,
     "service_name"          = aws_vpc_endpoint.interface_endpoint.service_name,
     "id"                    = aws_vpc_endpoint.interface_endpoint.id,
+    "arn"                   = aws_vpc_endpoint.interface_endpoint.arn,
     "dns_entry"             = aws_vpc_endpoint.interface_endpoint.dns_entry,
     "subnet_ids"            = aws_vpc_endpoint.interface_endpoint.subnet_ids,
     "network_interface_ids" = aws_vpc_endpoint.interface_endpoint.network_interface_ids,
     # "subnet_interface_id_map" = { for k, v in data.aws_network_interface.vpce_interfaces : v.subnet_id => k }
     "subnet_interface_id_map" = zipmap(tolist(aws_vpc_endpoint.interface_endpoint.subnet_ids), tolist(aws_vpc_endpoint.interface_endpoint.network_interface_ids)),
     # "subnet_interface_ip_map" = { for k, v in data.aws_network_interface.vpce_interfaces : v.subnet_id => v.private_ip }
-    zone_name = local.r53_create ? aws_route53_zone.vpce[0].name : null
-    zone_id   = local.r53_create ? aws_route53_zone.vpce[0].id : null
+    private_dns_enabled = aws_vpc_endpoint.interface_endpoint.private_dns_enabled
+    zone_name           = local.r53_create ? aws_route53_zone.vpce[0].name : null
+    zone_id             = local.r53_create ? aws_route53_zone.vpce[0].id : null
   }
 }
 

diff --git a/vpc-interface-endpoint/route53.tf b/vpc-interface-endpoint/route53.tf
@@ -16,8 +16,7 @@ locals {
   has_service          = data.aws_vpc_endpoint_service.interface_endpoint.service != null
   has_domain_name      = data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name != null
   domain_name          = local.is_wildcard ? join(".", slice(local.service_domain_parts, 1, length(local.service_domain_parts))) : data.aws_vpc_endpoint_service.interface_endpoint.private_dns_name
-  #  r53_create           = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_service
-  r53_create = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_domain_name
+  r53_create           = contains(local.permitted_accounts, local.account_id) && var.create_central_vpc_endpoint && length(local.domain_name) > 0 && local.has_domain_name && !var.use_route53_profiles
 }
 
 resource "aws_route53_zone" "vpce" {

diff --git a/vpc-interface-endpoint/variables.tf b/vpc-interface-endpoint/variables.tf
@@ -32,6 +32,12 @@ variable "create_central_vpc_endpoint" {
   default     = false
 }
 
+variable "use_route53_profiles" {
+  description = "Flag to use a route53 profile for association instead of the PHZ zone sharing"
+  type        = bool
+  default     = false
+}
+
 # currently no use for dns_options.dns_record_ip_type to be service-defined
 
 variable "ip_address_type" {