ec2_vpc_endpoint - Add vpc_endpint_subnets and vpc_endpoint_security_groups parameters.

changelogs/fragments/544-vpc-endpoint-add-subnets-sg-option.yml

@@ -0,0 +1,3 @@
+minor_changes:
+- ec2_vpc_endpoint - added ``vpc_endpoint_subnets`` parameter to support defining the subnet attached to an interface or gateway endpoint (https://github.com/ansible-collections/amazon.aws/pull/544).
+- ec2_vpc_endpoint - added ``vpc_endpoint_security_groups`` parameter to support defining the security group attached to an interface endpoint (https://github.com/ansible-collections/amazon.aws/pull/544).

plugins/modules/ec2_vpc_endpoint.py

@@ -28,6 +28,22 @@
     choices: [ "Interface", "Gateway", "GatewayLoadBalancer" ]
     type: str
     version_added: 1.5.0
+  vpc_endpoint_subnets:
+    description:
+      - The list of subnets to attach to the endpoint.
+      - Requires I(vpc_endpoint_type=GatewayLoadBalancer) or I(vpc_endpoint_type=Interface).
+    required: false
+    type: list
+    elements: str
+    version_added: 2.1.0
+  vpc_endpoint_security_groups:
+    description:
+      - The list of security groups to attach to the endpoint.
+      - Requires I(vpc_endpoint_type=GatewayLoadBalancer) or I(vpc_endpoint_type=Interface).
+    required: false
+    type: list
+    elements: str
+    version_added: 2.1.0
   service:
     description:
       - An AWS supported vpc endpoint service. Use the M(amazon.aws.ec2_vpc_endpoint_info)
@@ -301,6 +317,12 @@ def create_vpc_endpoint(client, module):
     if module.params.get('route_table_ids'):
         params['RouteTableIds'] = module.params.get('route_table_ids')
 
+    if module.params.get('vpc_endpoint_subnets'):
+        params['SubnetIds'] = module.params.get('vpc_endpoint_subnets')
+
+    if module.params.get('vpc_endpoint_security_groups'):
+        params['SecurityGroupIds'] = module.params.get('vpc_endpoint_security_groups')
+
     if module.params.get('client_token'):
         token_provided = True
         request_time = datetime.datetime.utcnow()
@@ -398,6 +420,8 @@ def main():
     argument_spec = dict(
         vpc_id=dict(),
         vpc_endpoint_type=dict(default='Gateway', choices=['Interface', 'Gateway', 'GatewayLoadBalancer']),
+        vpc_endpoint_security_groups=dict(type='list', elements='str'),
+        vpc_endpoint_subnets=dict(type='list', elements='str'),
         service=dict(),
         policy=dict(type='json'),
         policy_file=dict(type='path', aliases=['policy_path']),
@@ -428,6 +452,21 @@ def main():
                          ' will be removed after 2022-12-01',
                          date='2022-12-01', collection_name='amazon.aws')
 
+    if module.params.get('vpc_endpoint_type'):
+        if module.params.get('vpc_endpoint_type') == 'Gateway':
+            if module.params.get('vpc_endpoint_subnets') or module.params.get('vpc_endpoint_security_groups'):
+                module.fail_json(msg="Parameter vpc_endpoint_subnets and/or vpc_endpoint_security_groups can't be used with Gateway endpoint type")
+
+        if module.params.get('vpc_endpoint_type') == 'GatewayLoadBalancer':
+            if module.params.get('vpc_endpoint_security_groups'):
+                module.fail_json(msg="Parameter vpc_endpoint_security_groups can't be used with GatewayLoadBalancer endpoint type")
+
+        if module.params.get('vpc_endpoint_type') == 'Interface':
+            if module.params.get('vpc_endpoint_subnets') and not module.params.get('vpc_endpoint_security_groups'):
+                module.fail_json(msg="Parameter vpc_endpoint_security_groups must be set when endpoint type is Interface and vpc_endpoint_subnets is defined")
+            if not module.params.get('vpc_endpoint_subnets') and module.params.get('vpc_endpoint_security_groups'):
+                module.fail_json(msg="Parameter vpc_endpoint_subnets must be set when endpoint type is Interface and vpc_endpoint_security_groups is defined")
+
     try:
         ec2 = module.client('ec2', retry_decorator=AWSRetry.jittered_backoff())
     except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:

tests/integration/targets/ec2_vpc_endpoint/tasks/main.yml

@@ -754,6 +754,51 @@
       that:
       - interface_endpoint_delete_check is changed
 
+  - name: Create a subnet
+    ec2_vpc_subnet:
+      state: present
+      vpc_id: '{{ vpc_id }}'
+      az: "{{ aws_region}}a"
+      cidr: "{{ vpc_cidr }}"
+    register: interface_endpoint_create_subnet_check
+
+  - name: Create a security group
+    ec2_group:
+      name: securitygroup-prodext
+      description: "security group for Ansible interface endpoint"
+      state: present
+      vpc_id: "{{ vpc.vpc.id }}"
+      rules:
+        - proto: tcp
+          from_port: 1
+          to_port: 65535
+          cidr_ip: 0.0.0.0/0
+    register: interface_endpoint_create_sg_check
+
+  - name: Create interface endpoint attached to a subnet
+    ec2_vpc_endpoint:
+      state: present
+      vpc_id: '{{ vpc_id }}'
+      service: '{{ endpoint_service_a }}'
+      vpc_endpoint_type: Interface
+      vpc_endpoint_subnets: "{{ interface_endpoint_create_subnet_check.subnet.id') }}"
+      vpc_endpoint_security_groups: "{{ interface_endpoint_create_sg_check.group_id }}"
+    register: create_interface_endpoint_with_sg_subnets
+  - name: Check that the interface endpoint was created properly
+    assert:
+      that:
+        - create_interface_endpoint_with_sg_subnets is changed
+        - create_interface_endpoint_with_sg_subnets.result.vpc_endpoint_type == "Interface"
+
+  - name: Delete interface endpoint
+    ec2_vpc_endpoint:
+      state: absent
+      vpc_endpoint_id: "{{ create_interface_endpoint_with_sg_subnets.result.vpc_endpoint_id }}"
+    register: create_interface_endpoint_with_sg_subnets_delete_check
+  - assert:
+      that:
+        - create_interface_endpoint_with_sg_subnets_delete_check is changed
+
   # ============================================================
   # BEGIN POST-TEST CLEANUP
   always: