Custom VPC endponts list and the module resources?

[bd-spl]

When deploying w/o NAT gateway, what is the expected pattern for giving a list of required VPC endpoints, with EKS cluster security group ID(s) and policies (aws_iam_policy_document) maybe?

To my understanding, endpoints would be the right place to add it there?

FTR, I want to follow that guide to deploy on a private VPC and Fargate workers instead of EC2, so I need the following PrivateLinks (VPC endpoints):

• Interface endpoints for ECR (both ecr.api and ecr.dkr) to pull container images
• A gateway endpoint for S3 to pull the actual image layers
• An interface endpoint for EC2
• An interface endpoint for STS to support Fargate and IAM Roles for Services Accounts
• An interface endpoint for CloudWatch logging (logs) if CloudWatch logging is required

What I couldn't get is, how/should I specify other module inputs for endpoints then: aws_iam_policy_document and security_group, like it is shown in example?

Please confirm if that can be done like that:

• the rules defined in node_security_group_additional_rules, merged with defaults that terraform-eks-aws provides via local cluster_security_group_rules, should be pre-created by tEKS. And then passed into terraform-aws-eks via external cluster_security_group_id = "sg-xxxx" and setting create_cluster_security_group = false

[ArchiFleKs]

@bd-spl I think you need to play with the vpc-endpoint module, each endpoint can reference a security group. To avoid dependencies loop, the best think would be to use the default vpc security group for endpoints which allowed 0.0.0.0/0 in teks default. And then switch to allow the cluster security group

[ArchiFleKs]

@bd-spl I'll close this for now, could you please reopen in Discussions as it is not technically tEKS issue