* 2.11.8 -- 2025-04-11

  - vpc-interface-endpoint
    - add finops_ tagging of network interface if finops_ tags are present in var.tags

CHANGELOG.md

@@ -467,3 +467,7 @@
     - add variables:
       - enable_tgw_attachment (for firewall tables, to not attach the TGW which is only for attachment)
       - add output for self and peer attachment ids 
+
+* 2.11.8 -- 2025-04-11
+  - vpc-interface-endpoint
+    - add finops_ tagging of network interface if finops_ tags are present in var.tags

common/version.tf

@@ -1,5 +1,5 @@
 locals {
-  _module_version = "2.11.7"
+  _module_version = "2.11.8"
   _module_names = {
     "_main_" = "aws-vpc-setup"
 

vpc-interface-endpoint/README.md

@@ -209,6 +209,7 @@ These are not included in the module because they don't exist until the resource
 
 | Name | Type |
 |------|------|
+| [aws_ec2_tag.vpce_interface](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
 | [aws_route53_record.vpce](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_heritage_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
 | [aws_route53_record.vpce_info_txt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_record) | resource |
@@ -244,7 +245,7 @@ These are not included in the module because they don't exist until the resource
 | <a name="input_service"></a> [service](#input\_service) | VPC Endpoint service name ({name} or long name com.amazonaws.{region}.{name} | `string` | n/a | yes |
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | VPC Subnet ID List | `list(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
-| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod, inpection) | `string` | `null` | no |
 | <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
 | <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |

vpc-interface-endpoint/route53.tf

@@ -68,6 +68,25 @@ data "aws_network_interface" "vpce" {
   id       = each.key
 }
 
+# tag this here because we cannot tag an interface automatically with the creation of the vpce
+# assume finops_ tags passed in, and update the role add the vpce name
+# only do the finops_ tags at this point
+locals {
+  vpce_interface_tags = [for p in setproduct(keys(data.aws_network_interface.vpce), keys(var.tags)) : {
+    label        = format("%v:%v", p[0], p[1])
+    interface_id = p[0]
+    tag_key      = p[1]
+    tag_value    = var.tags[p[1]]
+  } if startswith(p[1], "finops_")]
+}
+
+resource "aws_ec2_tag" "vpce_interface" {
+  for_each    = { for x in local.vpce_interface_tags : x.label => x }
+  resource_id = each.value.interface_id
+  key         = each.value.tag_key
+  value       = each.value.tag_key == "finops_project_role" ? format("%v/%v", each.value.tag_value, replace(local.short_service, ".", "_")) : each.value.tag_value
+}
+
 ## govcloud does not support aliases
 ## resource "aws_route53_record" "vpce_kms_alias" {
 ##   for_each = module.vpce_kms