terraform-aws-modules · bryantbiggs · Sep 22, 2025 · Jul 16, 2025 · Jul 16, 2025 · Jul 16, 2025
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.99.0
+    rev: v1.99.5
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

diff --git a/README.md b/README.md
@@ -579,6 +579,7 @@ No modules.
 | <a name="input_redshift_subnet_suffix"></a> [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
 | <a name="input_redshift_subnet_tags"></a> [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
 | <a name="input_redshift_subnets"></a> [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | `string` | `null` | no |
 | <a name="input_reuse_nat_ips"></a> [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
 | <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |
 | <a name="input_single_nat_gateway"></a> [single\_nat\_gateway](#input\_single\_nat\_gateway) | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | `bool` | `false` | no |

diff --git a/main.tf b/main.tf
diff --git a/modules/vpc-endpoints/README.md b/modules/vpc-endpoints/README.md
@@ -95,6 +95,7 @@ No modules.
 | <a name="input_create"></a> [create](#input\_create) | Determines whether resources will be created | `bool` | `true` | no |
 | <a name="input_create_security_group"></a> [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `false` | no |
 | <a name="input_endpoints"></a> [endpoints](#input\_endpoints) | A map of interface and/or gateway endpoints containing their properties and configurations | `any` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region where the resource(s) will be managed. Defaults to the region set in the provider configuration | `string` | `null` | no |
 | <a name="input_security_group_description"></a> [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no |
 | <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | Default security group IDs to associate with the VPC endpoints | `list(string)` | `[]` | no |
 | <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created. Conflicts with `security_group_name_prefix` | `string` | `null` | no |

diff --git a/modules/vpc-endpoints/main.tf b/modules/vpc-endpoints/main.tf
@@ -13,7 +13,7 @@ data "aws_vpc_endpoint_service" "this" {
 
   service         = try(each.value.service, null)
   service_name    = try(each.value.service_name, null)
-  service_regions = try(coalescelist(compact([each.value.service_region])), null)
+  service_regions = try(coalescelist(compact([each.value.service_region])), [var.region], null)
 
   filter {
     name   = "service-type"
@@ -24,6 +24,8 @@ data "aws_vpc_endpoint_service" "this" {
 resource "aws_vpc_endpoint" "this" {
   for_each = local.endpoints
 
+  region = var.region
+
   vpc_id            = var.vpc_id
   service_name      = try(each.value.service_endpoint, data.aws_vpc_endpoint_service.this[each.key].service_name)
   service_region    = try(each.value.service_region, null)
@@ -76,6 +78,8 @@ resource "aws_vpc_endpoint" "this" {
 resource "aws_security_group" "this" {
   count = var.create && var.create_security_group ? 1 : 0
 
+  region = var.region
+
   name        = var.security_group_name
   name_prefix = var.security_group_name_prefix
   description = var.security_group_description
@@ -95,6 +99,8 @@ resource "aws_security_group" "this" {
 resource "aws_security_group_rule" "this" {
   for_each = { for k, v in var.security_group_rules : k => v if var.create && var.create_security_group }
 
+  region = var.region
+
   # Required
   security_group_id = aws_security_group.this[0].id
   protocol          = try(each.value.protocol, "tcp")

diff --git a/modules/vpc-endpoints/variables.tf b/modules/vpc-endpoints/variables.tf
@@ -4,6 +4,12 @@ variable "create" {
   default     = true
 }
 
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "vpc_id" {
   description = "The ID of the VPC in which the endpoint will be used"
   type        = string

diff --git a/variables.tf b/variables.tf
@@ -8,6 +8,12 @@ variable "create_vpc" {
   default     = true
 }
 
+variable "region" {
+  description = "Region where the resource(s) will be managed. Defaults to the region set in the provider configuration"
+  type        = string
+  default     = null
+}
+
 variable "name" {
   description = "Name to be used on all the resources as identifier"
   type        = string

diff --git a/vpc-flow-logs.tf b/vpc-flow-logs.tf
@@ -1,6 +1,8 @@
 data "aws_region" "current" {
   # Call this API only if create_vpc and enable_flow_log are true
   count = var.create_vpc && var.enable_flow_log ? 1 : 0
+
+  region = var.region
 }
 
 data "aws_caller_identity" "current" {
@@ -36,6 +38,8 @@ locals {
 resource "aws_flow_log" "this" {
   count = local.enable_flow_log ? 1 : 0
 
+  region = var.region
+
   log_destination_type       = var.flow_log_destination_type
   log_destination            = local.flow_log_destination_arn
   log_format                 = var.flow_log_log_format
@@ -65,6 +69,8 @@ resource "aws_flow_log" "this" {
 resource "aws_cloudwatch_log_group" "flow_log" {
   count = local.create_flow_log_cloudwatch_log_group ? 1 : 0
 
+  region = var.region
+
   name              = "${var.flow_log_cloudwatch_log_group_name_prefix}${local.flow_log_cloudwatch_log_group_name_suffix}"
   retention_in_days = var.flow_log_cloudwatch_log_group_retention_in_days
   kms_key_id        = var.flow_log_cloudwatch_log_group_kms_key_id