Workaround for service endpoint lookup in the wrong region

nightspotlight · nightspotlight · commit a77de686c247 · 2025-07-22T19:10:34.000+02:00
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
@@ -94,6 +94,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `false` | no |
+| <a name="input_enable_service_endpoint_lookup"></a> [enable\_service\_endpoint\_lookup](#input\_enable\_service\_endpoint\_lookup) | Determines whether to look up the service endpoint in the AWS API. If set to false, the `service_endpoint` attribute (usually in the form of `com.amazonaws.<region>.<service>`) must be provided in the `endpoints` map | `bool` | `true` | no |
 | <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | `string` | `null` | no |
 | <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
@@ -9,11 +9,11 @@ locals {
 }
 
 data "aws_vpc_endpoint_service" "this" {
-  for_each = local.endpoints
+  for_each = { for k, v in local.endpoints : k => v if var.enable_service_endpoint_lookup }
 
   service         = try(each.value.service, null)
   service_name    = try(each.value.service_name, null)
-  service_regions = try(coalescelist(compact([each.value.service_region])), [var.region], null)
+  service_regions = try(coalescelist(compact([each.value.service_region])), null)
 
   filter {
     name   = "service-type"
@@ -27,7 +27,7 @@ resource "aws_vpc_endpoint" "this" {
   region = var.region
 
   vpc_id            = var.vpc_id
-  service_name      = try(each.value.service_endpoint, data.aws_vpc_endpoint_service.this[each.key].service_name)
+  service_name      = try(data.aws_vpc_endpoint_service.this[each.key].service_name, each.value.service_endpoint)
   service_region    = try(each.value.service_region, null)
   vpc_endpoint_type = try(each.value.service_type, "Interface")
   auto_accept       = try(each.value.auto_accept, null)
diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
@@ -22,6 +22,12 @@ variable "endpoints" {
   default     = {}
 }
 
+variable "enable_service_endpoint_lookup" {
+  description = "Determines whether to look up the service endpoint in the AWS API. If set to false, the `service_endpoint` attribute (usually in the form of `com.amazonaws.<region>.<service>`) must be provided in the `endpoints` map"
+  type        = bool
+  default     = true
+}
+
 variable "security_group_ids" {
   description = "Default security group IDs to associate with the VPC endpoints"
   type        = list(string)
