terraform-aws-modules
diff --git a/‎README.md‎
Lines changed: 1 addition & 0 deletions b/‎README.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎examples/block-public-access/README.md‎
Lines changed: 208 additions & 0 deletions b/‎examples/block-public-access/README.md‎
Lines changed: 208 additions & 0 deletions
diff --git a/‎examples/block-public-access/main.tf‎
Lines changed: 63 additions & 0 deletions b/‎examples/block-public-access/main.tf‎
Lines changed: 63 additions & 0 deletions
@@ -704,6 +704,7 @@ No modules.
 | <a name="output_vgw_arn"></a> [vgw\_arn](#output\_vgw\_arn) | The ARN of the VPN Gateway |
 | <a name="output_vgw_id"></a> [vgw\_id](#output\_vgw\_id) | The ID of the VPN Gateway |
 | <a name="output_vpc_arn"></a> [vpc\_arn](#output\_vpc\_arn) | The ARN of the VPC |
+| <a name="output_vpc_block_public_access_exclusions"></a> [vpc\_block\_public\_access\_exclusions](#output\_vpc\_block\_public\_access\_exclusions) | List of VPC block public access exclusions |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
 | <a name="output_vpc_enable_dns_hostnames"></a> [vpc\_enable\_dns\_hostnames](#output\_vpc\_enable\_dns\_hostnames) | Whether or not the VPC has DNS hostname support |
 | <a name="output_vpc_enable_dns_support"></a> [vpc\_enable\_dns\_support](#output\_vpc\_enable\_dns\_support) | Whether or not the VPC has DNS support |
 
@@ -0,0 +1,63 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../../"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+
+  ### VPC Block Public Access Options
+  # internet_gateway_block_enabled = true
+  # internet_gateway_block_mode    = "block-bidirectional"
+
+  ### VPC Block Public Access Exclusion at the VPC level
+  # vpc_block_public_access_exclusions = {
+  #   exclude_vpc = {
+  #     exclude_vpc                     = true
+  #     internet_gateway_exclusion_mode = "allow-bidirectional"
+  #   }
+  # }
+
+  ### VPC Block Public Access Exclusion at the subnet level
+  vpc_block_public_access_exclusions = {
+    exclude_subnet_private1 = {
+      exclude_subnet                  = true
+      subnet_type                     = "private"
+      subnet_index                    = 1
+      internet_gateway_exclusion_mode = "allow-egress"
+    }
+    exclude_subnet_private2 = {
+      exclude_subnet                  = true
+      subnet_type                     = "private"
+      subnet_index                    = 2
+      internet_gateway_exclusion_mode = "allow-egress"
+    }
+  }
+
+  tags = local.tags
+}