MaterializeInc · jshiwamV · Nov 24, 2025 · Nov 22, 2025 · Nov 22, 2025 · Nov 22, 2025
diff --git a/aws/examples/simple/main.tf b/aws/examples/simple/main.tf
@@ -10,8 +10,9 @@ provider "aws" {
 # The ECR public authorization token endpoint isn't in all regions,
 # so lets get a new provider just for this purpose.
 provider "aws" {
-  region = "us-east-1"
-  alias  = "ecrpublic_token_provider"
+  region  = "us-east-1"
+  profile = var.aws_profile
+  alias   = "ecrpublic_token_provider"
 }
 
 data "aws_ecrpublic_authorization_token" "token" {
@@ -66,6 +67,8 @@ module "networking" {
   private_subnet_cidrs = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
   public_subnet_cidrs  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
 
+  enable_vpc_endpoints = true
+
   tags = var.tags
 }
 

diff --git a/aws/modules/networking/README.md b/aws/modules/networking/README.md
@@ -7,24 +7,30 @@
 
 ## Providers
 
-No providers.
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 5.0 |
+| <a name="module_vpc_endpoints"></a> [vpc\_endpoints](#module\_vpc\_endpoints) | terraform-aws-modules/vpc/aws//modules/vpc-endpoints | ~> 5.0 |
 
 ## Resources
 
-No resources.
+| Name | Type |
+|------|------|
+| [aws_security_group.vpc_endpoints](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | List of availability zones | `list(string)` | n/a | yes |
 | <a name="input_create_vpc"></a> [create\_vpc](#input\_create\_vpc) | Controls if VPC should be created (it affects almost all resources) | `bool` | `true` | no |
+| <a name="input_enable_vpc_endpoints"></a> [enable\_vpc\_endpoints](#input\_enable\_vpc\_endpoints) | Enable VPC endpoints for AWS services (PrivateLink) | `bool` | `false` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix for all resource names | `string` | n/a | yes |
 | <a name="input_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#input\_private\_subnet\_cidrs) | CIDR blocks for private subnets | `list(string)` | n/a | yes |
 | <a name="input_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#input\_public\_subnet\_cidrs) | CIDR blocks for public subnets | `list(string)` | n/a | yes |
@@ -40,4 +46,5 @@ No resources.
 | <a name="output_private_subnet_ids"></a> [private\_subnet\_ids](#output\_private\_subnet\_ids) | List of private subnet IDs |
 | <a name="output_public_subnet_ids"></a> [public\_subnet\_ids](#output\_public\_subnet\_ids) | List of public subnet IDs |
 | <a name="output_vpc_cidr_block"></a> [vpc\_cidr\_block](#output\_vpc\_cidr\_block) | The CIDR block of the VPC |
+| <a name="output_vpc_endpoints"></a> [vpc\_endpoints](#output\_vpc\_endpoints) | Map of VPC endpoints created |
 | <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
diff --git a/aws/modules/networking/main.tf b/aws/modules/networking/main.tf
@@ -1,3 +1,4 @@
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "~> 5.0"
@@ -27,5 +28,114 @@ module "vpc" {
     "kubernetes.io/cluster/${var.name_prefix}-eks" = "shared"
   }
 
+  tags = var.tags
+
+}
+
+module "vpc_endpoints" {
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "~> 5.0"
+
+  create = var.enable_vpc_endpoints
+
+  vpc_id             = module.vpc.vpc_id
+  subnet_ids         = module.vpc.private_subnets
+  security_group_ids = [aws_security_group.vpc_endpoints[0].id]
+
+  endpoints = {
+    # we store metadata in s3 all pod requests go through this endpoint
+    s3 = {
+      service         = "s3"
+      service_type    = "Gateway"
+      route_table_ids = module.vpc.private_route_table_ids
+      tags            = { Name = "${var.name_prefix}-s3-gateway-endpoint" }
+    }
+
+    # not adding aws rds endpoint as it will add up unnecessary cost
+    # pods connect to rds using private ip. The traffic doesn't leave vpc so not needed.
+    # we would endup paying extra $0.02*24*30 = $14.4 per month even if we don't use it.
+    # https://aws.amazon.com/privatelink/pricing/
+
+    # ec2 api is useful for Karpenter
+    ec2 = {
+      service             = "ec2"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ec2-endpoint" }
+    }
+
+    # not needed secretsmanager endpoint as we use k8s secrets, discuss and remove it.
+    secretsmanager = {
+      service             = "secretsmanager"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-secretsmanager-endpoint" }
+    }
+
+    # Required for AWS Session Manager to work, useful to ssh into worker nodes via aws console/cli
+    ssm = {
+      service             = "ssm"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ssm-endpoint" }
+    }
+    ssmmessages = {
+      service             = "ssmmessages"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ssmmessages-endpoint" }
+    }
+    ec2messages = {
+      service             = "ec2messages"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ec2messages-endpoint" }
+    }
+
+    # sts endpoint is useful for IRSA
+    sts = {
+      service             = "sts"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-sts-endpoint" }
+    }
+
+    # not needed kms endpoint as we rely on ebs encryption in nodes, discuss and remove it.
+    kms = {
+      service             = "kms"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-kms-endpoint" }
+    }
+
+    # Allows private access to the ELB API to create/manage load balancers. Useful for aws-lbc
+    elasticloadbalancing = {
+      service             = "elasticloadbalancing"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-elasticloadbalancing-endpoint" }
+    }
+
+    # for image pulls from ecr
+    ecr_api = {
+      service             = "ecr.api"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ecr-api-endpoint" }
+    }
+    ecr_dkr = {
+      service             = "ecr.dkr"
+      private_dns_enabled = true
+      tags                = { Name = "${var.name_prefix}-ecr-dkr-endpoint" }
+    }
+  }
+
+  tags = var.tags
+}
+
+resource "aws_security_group" "vpc_endpoints" {
+  count       = var.enable_vpc_endpoints ? 1 : 0
+  name        = "${var.name_prefix}-vpc-endpoints"
+  description = "Security group for VPC endpoints"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [var.vpc_cidr]
+  }
+
   tags = var.tags
 }
diff --git a/aws/modules/networking/outputs.tf b/aws/modules/networking/outputs.tf
@@ -22,3 +22,8 @@ output "nat_public_ips" {
   description = "List of public Elastic IPs created for AWS NAT Gateway"
   value       = module.vpc.nat_public_ips
 }
+
+output "vpc_endpoints" {
+  description = "Map of VPC endpoints created"
+  value       = module.vpc_endpoints.endpoints
+}
diff --git a/aws/modules/networking/variables.tf b/aws/modules/networking/variables.tf
@@ -42,3 +42,9 @@ variable "tags" {
   type        = map(string)
   default     = {}
 }
+
+variable "enable_vpc_endpoints" {
+  description = "Enable VPC endpoints for AWS services (PrivateLink)"
+  type        = bool
+  default     = false
+}