Per recommendations from AWS support, add Allow statement to example VPC endpoint policy and switch S3 endpoint to type 'Gateway'

Alex Hewson · Alex Hewson · commit 54e4611b47da · 2025-06-09T09:11:11.000+01:00
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -106,10 +106,9 @@ module "vpc_endpoints" {
     s3 = {
       service             = "s3"
       private_dns_enabled = true
-      dns_options = {
-        private_dns_only_for_inbound_resolver_endpoint = false
-      }
-      tags = { Name = "s3-vpc-endpoint" }
+      type                = "Gateway"
+      route_table_ids     = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+      tags                = { Name = "s3-vpc-endpoint" }
     },
     dynamodb = {
       service         = "dynamodb"
@@ -210,6 +209,17 @@ data "aws_iam_policy_document" "generic_endpoint_policy" {
       values = [module.vpc.vpc_id]
     }
   }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+  }
 }
 
 resource "aws_security_group" "rds" {
