feat: Add EC2 Instance Connect Endpoint support

README.md

@@ -264,6 +264,7 @@ No modules.
 | [aws_default_route_table.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_route_table) | resource |
 | [aws_default_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_security_group) | resource |
 | [aws_default_vpc.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_vpc) | resource |
+| [aws_ec2_instance_connect_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_instance_connect_endpoint) | resource |
 | [aws_egress_only_internet_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/egress_only_internet_gateway) | resource |
 | [aws_eip.nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_elasticache_subnet_group.elasticache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/elasticache_subnet_group) | resource |
@@ -359,6 +360,7 @@ No modules.
 | <a name="input_create_flow_log_cloudwatch_iam_role"></a> [create\_flow\_log\_cloudwatch\_iam\_role](#input\_create\_flow\_log\_cloudwatch\_iam\_role) | Whether to create IAM role for VPC Flow Logs | `bool` | `false` | no |
 | <a name="input_create_flow_log_cloudwatch_log_group"></a> [create\_flow\_log\_cloudwatch\_log\_group](#input\_create\_flow\_log\_cloudwatch\_log\_group) | Whether to create CloudWatch log group for VPC Flow Logs | `bool` | `false` | no |
 | <a name="input_create_igw"></a> [create\_igw](#input\_create\_igw) | Controls if an Internet Gateway is created for public subnets and the related routes that connect them | `bool` | `true` | no |
+| <a name="input_create_instance_connect_endpoint"></a> [create\_instance\_connect\_endpoint](#input\_create\_instance\_connect\_endpoint) | Whether to create an EC2 Instance Connect Endpoint | `bool` | `false` | no |
 | <a name="input_create_multiple_intra_route_tables"></a> [create\_multiple\_intra\_route\_tables](#input\_create\_multiple\_intra\_route\_tables) | Indicates whether to create a separate route table for each intra subnet. Default: `false` | `bool` | `false` | no |
 | <a name="input_create_multiple_public_route_tables"></a> [create\_multiple\_public\_route\_tables](#input\_create\_multiple\_public\_route\_tables) | Indicates whether to create a separate route table for each public subnet. Default: `false` | `bool` | `false` | no |
 | <a name="input_create_private_nat_gateway_route"></a> [create\_private\_nat\_gateway\_route](#input\_create\_private\_nat\_gateway\_route) | Controls if a nat gateway route should be created to give internet access to the private subnets | `bool` | `true` | no |
@@ -456,6 +458,9 @@ No modules.
 | <a name="input_flow_log_per_hour_partition"></a> [flow\_log\_per\_hour\_partition](#input\_flow\_log\_per\_hour\_partition) | (Optional) Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries | `bool` | `false` | no |
 | <a name="input_flow_log_traffic_type"></a> [flow\_log\_traffic\_type](#input\_flow\_log\_traffic\_type) | The type of traffic to capture. Valid values: ACCEPT, REJECT, ALL | `string` | `"ALL"` | no |
 | <a name="input_igw_tags"></a> [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no |
+| <a name="input_instance_connect_preserve_client_ip"></a> [instance\_connect\_preserve\_client\_ip](#input\_instance\_connect\_preserve\_client\_ip) | Whether to preserve the client IP address when connecting via EC2 Instance Connect Endpoint | `bool` | `false` | no |
+| <a name="input_instance_connect_security_group_ids"></a> [instance\_connect\_security\_group\_ids](#input\_instance\_connect\_security\_group\_ids) | List of security group IDs to associate with the Instance Connect Endpoint | `list(string)` | `[]` | no |
+| <a name="input_instance_connect_subnet_id"></a> [instance\_connect\_subnet\_id](#input\_instance\_connect\_subnet\_id) | The ID of the subnet in which to create the Instance Connect Endpoint | `string` | `null` | no |
 | <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no |
 | <a name="input_intra_acl_tags"></a> [intra\_acl\_tags](#input\_intra\_acl\_tags) | Additional tags for the intra subnets network ACL | `map(string)` | `{}` | no |
 | <a name="input_intra_dedicated_network_acl"></a> [intra\_dedicated\_network\_acl](#input\_intra\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | `bool` | `false` | no |
@@ -632,6 +637,10 @@ No modules.
 | <a name="output_elasticache_subnets_ipv6_cidr_blocks"></a> [elasticache\_subnets\_ipv6\_cidr\_blocks](#output\_elasticache\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC |
 | <a name="output_igw_arn"></a> [igw\_arn](#output\_igw\_arn) | The ARN of the Internet Gateway |
 | <a name="output_igw_id"></a> [igw\_id](#output\_igw\_id) | The ID of the Internet Gateway |
+| <a name="output_instance_connect_endpoint_arn"></a> [instance\_connect\_endpoint\_arn](#output\_instance\_connect\_endpoint\_arn) | The ARN of the EC2 Instance Connect Endpoint |
+| <a name="output_instance_connect_endpoint_dns_name"></a> [instance\_connect\_endpoint\_dns\_name](#output\_instance\_connect\_endpoint\_dns\_name) | The DNS name of the EC2 Instance Connect Endpoint |
+| <a name="output_instance_connect_endpoint_id"></a> [instance\_connect\_endpoint\_id](#output\_instance\_connect\_endpoint\_id) | The ID of the EC2 Instance Connect Endpoint |
+| <a name="output_instance_connect_endpoint_network_interface_ids"></a> [instance\_connect\_endpoint\_network\_interface\_ids](#output\_instance\_connect\_endpoint\_network\_interface\_ids) | The network interface IDs associated with the EC2 Instance Connect Endpoint |
 | <a name="output_intra_network_acl_arn"></a> [intra\_network\_acl\_arn](#output\_intra\_network\_acl\_arn) | ARN of the intra network ACL |
 | <a name="output_intra_network_acl_id"></a> [intra\_network\_acl\_id](#output\_intra\_network\_acl\_id) | ID of the intra network ACL |
 | <a name="output_intra_route_table_association_ids"></a> [intra\_route\_table\_association\_ids](#output\_intra\_route\_table\_association\_ids) | List of IDs of the intra route table association |

examples/ec2-instance-connect-endpoint/README.md

@@ -0,0 +1,22 @@
+# Example: EC2 Instance Connect Endpoint
+
+This example demonstrates how to enable the EC2 Instance Connect Endpoint feature within the VPC module.
+
+## Usage
+
+```hcl
+module "vpc" {
+  source = "../../"
+
+  name = "example-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = ["us-east-1a", "us-east-1b"]
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
+
+  create_instance_connect_endpoint      = true
+  instance_connect_subnet_id            = element(module.vpc.private_subnets, 0)
+  instance_connect_security_group_ids   = [aws_security_group.allow_ssh.id]
+  instance_connect_preserve_client_ip   = false
+}

examples/ec2-instance-connect-endpoint/main.tf

@@ -0,0 +1,75 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name            = "ex-${basename(path.cwd)}"
+  region          = "us-east-1"
+  azs             = slice(data.aws_availability_zones.available.names, 0, 3)
+  private_subnets = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets  = ["10.0.101.0/24", "10.0.102.0/24"]
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# EC2 Instance Connect Endpoint Example
+################################################################################
+
+module "vpc" {
+  source = "../../"
+
+  name = "example-vpc"
+  cidr = "10.0.0.0/16"
+
+  azs             = local.azs
+  private_subnets = local.private_subnets
+  public_subnets  = local.public_subnets
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  # EC2 Instance Connect Endpoint configuration
+  create_instance_connect_endpoint    = true
+  instance_connect_subnet_id          = element(local.private_subnets, 0)
+  instance_connect_security_group_ids = [aws_security_group.allow_ssh.id]
+  instance_connect_preserve_client_ip = false
+
+  tags = merge({
+    Name = "example-vpc"
+  }, local.tags)
+}
+
+################################################################################
+# Security Group for EC2 Instance Connect
+################################################################################
+
+resource "aws_security_group" "allow_ssh" {
+  name        = "allow-ssh"
+  description = "Allow SSH access for EC2 Instance Connect"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge({
+    Name = "allow-ssh"
+  }, local.tags)
+}

examples/ec2-instance-connect-endpoint/outputs.tf

@@ -0,0 +1,4 @@
+output "instance_connect_endpoint_id" {
+  description = "The ID of the EC2 Instance Connect Endpoint"
+  value       = module.vpc.instance_connect_endpoint_id
+}

examples/ec2-instance-connect-endpoint/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.6.0"
+    }
+  }
+}

main.tf

@@ -1541,3 +1541,23 @@ resource "aws_default_route_table" "default" {
     var.default_route_table_tags,
   )
 }
+
+################################################################################
+# Endpoints
+################################################################################
+
+resource "aws_ec2_instance_connect_endpoint" "this" {
+  count = var.create_instance_connect_endpoint ? 1 : 0
+
+  subnet_id          = var.instance_connect_subnet_id
+  security_group_ids = var.instance_connect_security_group_ids
+
+  preserve_client_ip = var.instance_connect_preserve_client_ip
+
+  tags = merge(
+    var.tags,
+    {
+      "Name" = "${var.name}-instance-connect-endpoint"
+    }
+  )
+}

outputs.tf

@@ -667,3 +667,26 @@ output "name" {
   description = "The name of the VPC specified as argument to this module"
   value       = var.name
 }
+
+################################################################################
+# EC2 Instance Connect Endpoint
+################################################################################
+output "instance_connect_endpoint_id" {
+  description = "The ID of the EC2 Instance Connect Endpoint"
+  value       = try(aws_ec2_instance_connect_endpoint.this[0].id, null)
+}
+
+output "instance_connect_endpoint_arn" {
+  description = "The ARN of the EC2 Instance Connect Endpoint"
+  value       = aws_ec2_instance_connect_endpoint.this[0].arn
+}
+
+output "instance_connect_endpoint_network_interface_ids" {
+  description = "The network interface IDs associated with the EC2 Instance Connect Endpoint"
+  value       = aws_ec2_instance_connect_endpoint.this[0].network_interface_ids
+}
+
+output "instance_connect_endpoint_dns_name" {
+  description = "The DNS name of the EC2 Instance Connect Endpoint"
+  value       = aws_ec2_instance_connect_endpoint.this[0].dns_name
+}

variables.tf

@@ -1678,3 +1678,31 @@ variable "putin_khuylo" {
   type        = bool
   default     = true
 }
+
+################################################################################
+# Endpoints
+################################################################################
+
+variable "create_instance_connect_endpoint" {
+  description = "Whether to create an EC2 Instance Connect Endpoint"
+  type        = bool
+  default     = false
+}
+
+variable "instance_connect_subnet_id" {
+  description = "The ID of the subnet in which to create the Instance Connect Endpoint"
+  type        = string
+  default     = null
+}
+
+variable "instance_connect_security_group_ids" {
+  description = "List of security group IDs to associate with the Instance Connect Endpoint"
+  type        = list(string)
+  default     = []
+}
+
+variable "instance_connect_preserve_client_ip" {
+  description = "Whether to preserve the client IP address when connecting via EC2 Instance Connect Endpoint"
+  type        = bool
+  default     = false
+}

wrappers/main.tf

@@ -16,6 +16,7 @@ module "wrapper" {
   create_flow_log_cloudwatch_iam_role    = try(each.value.create_flow_log_cloudwatch_iam_role, var.defaults.create_flow_log_cloudwatch_iam_role, false)
   create_flow_log_cloudwatch_log_group   = try(each.value.create_flow_log_cloudwatch_log_group, var.defaults.create_flow_log_cloudwatch_log_group, false)
   create_igw                             = try(each.value.create_igw, var.defaults.create_igw, true)
+  create_instance_connect_endpoint       = try(each.value.create_instance_connect_endpoint, var.defaults.create_instance_connect_endpoint, false)
   create_multiple_intra_route_tables     = try(each.value.create_multiple_intra_route_tables, var.defaults.create_multiple_intra_route_tables, false)
   create_multiple_public_route_tables    = try(each.value.create_multiple_public_route_tables, var.defaults.create_multiple_public_route_tables, false)
   create_private_nat_gateway_route       = try(each.value.create_private_nat_gateway_route, var.defaults.create_private_nat_gateway_route, true)
@@ -183,6 +184,9 @@ module "wrapper" {
   flow_log_per_hour_partition                                       = try(each.value.flow_log_per_hour_partition, var.defaults.flow_log_per_hour_partition, false)
   flow_log_traffic_type                                             = try(each.value.flow_log_traffic_type, var.defaults.flow_log_traffic_type, "ALL")
   igw_tags                                                          = try(each.value.igw_tags, var.defaults.igw_tags, {})
+  instance_connect_preserve_client_ip                               = try(each.value.instance_connect_preserve_client_ip, var.defaults.instance_connect_preserve_client_ip, false)
+  instance_connect_security_group_ids                               = try(each.value.instance_connect_security_group_ids, var.defaults.instance_connect_security_group_ids, [])
+  instance_connect_subnet_id                                        = try(each.value.instance_connect_subnet_id, var.defaults.instance_connect_subnet_id, null)
   instance_tenancy                                                  = try(each.value.instance_tenancy, var.defaults.instance_tenancy, "default")
   intra_acl_tags                                                    = try(each.value.intra_acl_tags, var.defaults.intra_acl_tags, {})
   intra_dedicated_network_acl                                       = try(each.value.intra_dedicated_network_acl, var.defaults.intra_dedicated_network_acl, false)