feat: Add EC2 Instance Connect Endpoint support

Author: alvinjaison

README.md

@@ -460,6 +460,7 @@ No modules.
 | <a name="input_igw_tags"></a> [igw\_tags](#input\_igw\_tags) | Additional tags for the internet gateway | `map(string)` | `{}` | no |
 | <a name="input_instance_connect_endpoint_create_in_private_subnets"></a> [instance\_connect\_endpoint\_create\_in\_private\_subnets](#input\_instance\_connect\_endpoint\_create\_in\_private\_subnets) | Create EC2 Instance Connect Endpoint(s) in all private subnets if no subnet IDs are provided | `bool` | `true` | no |
 | <a name="input_instance_connect_endpoint_subnets"></a> [instance\_connect\_endpoint\_subnets](#input\_instance\_connect\_endpoint\_subnets) | List of subnet IDs where EC2 Instance Connect Endpoint(s) should be created. If null and create\_in\_private\_subnets is true, defaults to private subnets | `list(string)` | `null` | no |
+| <a name="input_instance_connect_preserve_client_ip"></a> [instance\_connect\_preserve\_client\_ip](#input\_instance\_connect\_preserve\_client\_ip) | Whether to preserve the client IP address when connecting via EC2 Instance Connect Endpoint | `bool` | `false` | no |
 | <a name="input_instance_connect_security_group_ids"></a> [instance\_connect\_security\_group\_ids](#input\_instance\_connect\_security\_group\_ids) | List of security group IDs to associate with EC2 Instance Connect Endpoint(s). If null, defaults to no security groups | `list(string)` | `null` | no |
 | <a name="input_instance_connect_tags"></a> [instance\_connect\_tags](#input\_instance\_connect\_tags) | Additional tags for EC2 Instance Connect Endpoint resources | `map(string)` | `{}` | no |
 | <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | A tenancy option for instances launched into the VPC | `string` | `"default"` | no |
@@ -638,10 +639,7 @@ No modules.
 | <a name="output_elasticache_subnets_ipv6_cidr_blocks"></a> [elasticache\_subnets\_ipv6\_cidr\_blocks](#output\_elasticache\_subnets\_ipv6\_cidr\_blocks) | List of IPv6 cidr\_blocks of elasticache subnets in an IPv6 enabled VPC |
 | <a name="output_igw_arn"></a> [igw\_arn](#output\_igw\_arn) | The ARN of the Internet Gateway |
 | <a name="output_igw_id"></a> [igw\_id](#output\_igw\_id) | The ID of the Internet Gateway |
-| <a name="output_instance_connect_endpoint_arns"></a> [instance\_connect\_endpoint\_arns](#output\_instance\_connect\_endpoint\_arns) | ARNs of the EC2 Instance Connect Endpoint(s) |
-| <a name="output_instance_connect_endpoint_ids"></a> [instance\_connect\_endpoint\_ids](#output\_instance\_connect\_endpoint\_ids) | IDs of the EC2 Instance Connect Endpoint(s) created |
-| <a name="output_instance_connect_endpoint_security_group_ids"></a> [instance\_connect\_endpoint\_security\_group\_ids](#output\_instance\_connect\_endpoint\_security\_group\_ids) | Security group IDs associated with the EC2 Instance Connect Endpoint(s) |
-| <a name="output_instance_connect_endpoint_subnet_ids"></a> [instance\_connect\_endpoint\_subnet\_ids](#output\_instance\_connect\_endpoint\_subnet\_ids) | Subnet IDs where EC2 Instance Connect Endpoint(s) were created |
+| <a name="output_instance_connect_endpoints"></a> [instance\_connect\_endpoints](#output\_instance\_connect\_endpoints) | Map of EC2 Instance Connect Endpoints created, keyed by subnet index |
 | <a name="output_intra_network_acl_arn"></a> [intra\_network\_acl\_arn](#output\_intra\_network\_acl\_arn) | ARN of the intra network ACL |
 | <a name="output_intra_network_acl_id"></a> [intra\_network\_acl\_id](#output\_intra\_network\_acl\_id) | ID of the intra network ACL |
 | <a name="output_intra_route_table_association_ids"></a> [intra\_route\_table\_association\_ids](#output\_intra\_route\_table\_association\_ids) | List of IDs of the intra route table association |

examples/ec2-instance-connect-endpoint/README.md

@@ -0,0 +1,84 @@
+# EC2 Instance Connect Endpoint
+
+Configuration in this directory creates a **VPC** with **EC2 Instance Connect Endpoints (EICE)** deployed in private subnets.
+This allows secure SSH or RDP access to instances **without using a bastion host** or assigning public IPs.
+
+## Features
+
+This example demonstrates:
+
+- Deployment of a VPC with public and private subnets across multiple Availability Zones
+- Creation of a **NAT Gateway** for outbound internet access
+- Deployment of **EC2 Instance Connect Endpoints** in private subnets
+- Creation of a security group allowing SSH access
+- Demonstration of the `preserve_client_ip` and tagging features for EICE resources
+
+---
+
+## Usage
+
+To run this example, execute:
+
+```bash
+terraform init
+terraform plan
+terraform apply
+```
+
+⚠️ Note:
+This example may create resources that incur costs (such as VPCs, NAT Gateways, and EC2 endpoints).
+Run terraform destroy when you no longer need these resources.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.5 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.5 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../.. | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_security_group.allow_ssh](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_instance_connect_endpoints"></a> [instance\_connect\_endpoints](#output\_instance\_connect\_endpoints) | Map of EC2 Instance Connect Endpoints created |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+<!-- END_TF_DOCS -->
+
+##Example Output
+
+Example output after deployment:
+
+```bash
+instance_connect_endpoints = {
+  "0" = {
+    "id"        = "eice-0c123456789abcd"
+    "arn"       = "arn:aws:ec2:us-east-1:123456789012:ec2-instance-connect-endpoint/eice-0c123456789abcd"
+    "subnet_id" = "subnet-0123456789abcdef"
+    "sg_ids"    = ["sg-0123456789abcdef"]
+  }
+}
+```

examples/ec2-instance-connect-endpoint/main.tf

@@ -0,0 +1,92 @@
+################################################################################
+# Provider Configuration
+################################################################################
+
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+################################################################################
+# Locals
+################################################################################
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "us-east-1"
+
+  # Get the first 2 availability zones for simplicity
+  azs = slice(data.aws_availability_zones.available.names, 0, 2)
+
+  # Base VPC CIDR
+  vpc_cidr = "10.0.0.0/16"
+
+  # Calculate subnet CIDRs automatically based on AZ count
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k + 10)]
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../.."
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = local.private_subnets
+  public_subnets  = local.public_subnets
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  # EC2 Instance Connect Endpoint Configuration
+  create_instance_connect_endpoint    = true
+  instance_connect_preserve_client_ip = true
+  instance_connect_security_group_ids = [aws_security_group.allow_ssh.id]
+  instance_connect_tags = {
+    Environment = "example"
+  }
+
+  tags = merge(local.tags, {
+    Name = local.name
+  })
+}
+
+################################################################################
+# Security Group for EC2 Instance Connect
+################################################################################
+
+resource "aws_security_group" "allow_ssh" {
+  name        = "${local.name}-allow-ssh"
+  description = "Allow SSH for EC2 Instance Connect"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(local.tags, {
+    Name = "${local.name}-allow-ssh"
+  })
+}

examples/ec2-instance-connect-endpoint/outputs.tf

@@ -0,0 +1,9 @@
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}
+
+output "instance_connect_endpoints" {
+  description = "Map of EC2 Instance Connect Endpoints created"
+  value       = module.vpc.instance_connect_endpoints
+}

examples/ec2-instance-connect-endpoint/variables.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.5.7"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.5"
+    }
+  }
+}

examples/ec2-instance-connect-endpoint/versions.tf

@@ -1571,6 +1571,7 @@ resource "aws_ec2_instance_connect_endpoint" "this" {
     : []
   )
 
+  preserve_client_ip = var.instance_connect_preserve_client_ip
 
   tags = merge(
     var.tags,

main.tf

@@ -672,22 +672,14 @@ output "name" {
 # EC2 Instance Connect Endpoint
 ################################################################################
 
-output "instance_connect_endpoint_ids" {
-  description = "IDs of the EC2 Instance Connect Endpoint(s) created"
-  value       = try([for v in aws_ec2_instance_connect_endpoint.this : v.id], [])
-}
-
-output "instance_connect_endpoint_subnet_ids" {
-  description = "Subnet IDs where EC2 Instance Connect Endpoint(s) were created"
-  value       = try([for v in aws_ec2_instance_connect_endpoint.this : v.subnet_id], [])
-}
-
-output "instance_connect_endpoint_security_group_ids" {
-  description = "Security group IDs associated with the EC2 Instance Connect Endpoint(s)"
-  value       = try(var.instance_connect_security_group_ids, [])
-}
-
-output "instance_connect_endpoint_arns" {
-  description = "ARNs of the EC2 Instance Connect Endpoint(s)"
-  value       = try([for v in aws_ec2_instance_connect_endpoint.this : v.arn], [])
+output "instance_connect_endpoints" {
+  description = "Map of EC2 Instance Connect Endpoints created, keyed by subnet index"
+  value = try({
+    for k, v in aws_ec2_instance_connect_endpoint.this : k => {
+      id        = v.id
+      arn       = v.arn
+      subnet_id = v.subnet_id
+      sg_ids    = v.security_group_ids
+    }
+  }, {})
 }

outputs.tf

@@ -1712,3 +1712,9 @@ variable "instance_connect_tags" {
   default     = {}
   description = "Additional tags for EC2 Instance Connect Endpoint resources"
 }
+
+variable "instance_connect_preserve_client_ip" {
+  type        = bool
+  default     = false
+  description = "Whether to preserve the client IP address when connecting via EC2 Instance Connect Endpoint"
+}

variables.tf

@@ -186,6 +186,7 @@ module "wrapper" {
   igw_tags                                                          = try(each.value.igw_tags, var.defaults.igw_tags, {})
   instance_connect_endpoint_create_in_private_subnets               = try(each.value.instance_connect_endpoint_create_in_private_subnets, var.defaults.instance_connect_endpoint_create_in_private_subnets, true)
   instance_connect_endpoint_subnets                                 = try(each.value.instance_connect_endpoint_subnets, var.defaults.instance_connect_endpoint_subnets, null)
+  instance_connect_preserve_client_ip                               = try(each.value.instance_connect_preserve_client_ip, var.defaults.instance_connect_preserve_client_ip, false)
   instance_connect_security_group_ids                               = try(each.value.instance_connect_security_group_ids, var.defaults.instance_connect_security_group_ids, null)
   instance_connect_tags                                             = try(each.value.instance_connect_tags, var.defaults.instance_connect_tags, {})
   instance_tenancy                                                  = try(each.value.instance_tenancy, var.defaults.instance_tenancy, "default")