FIX: corrected vpcep SG, removing default gateway endpoints, updated readme

modules/networking/vpc-endpoints/README.md

@@ -16,8 +16,7 @@ Automatically, this module performs the following additional tasks
 
 # Types of endpoints
 ## Gateway endpoints
-At time of writing, AWS provides 2 gateway endpoints at no charge. These endpoints are deployed by default,
-unless an empty list `[]` is provided as input.
+At time of writing, AWS provides 2 gateway endpoints at no charge. 
 * s3
 * dynamodb
 

modules/networking/vpc-endpoints/main.tf

@@ -55,14 +55,15 @@ resource "aws_security_group" "vpc-ep-sg" {
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
+    # cidr_blocks = [data.aws_vpc.this-vpc.cidr_block]
+    cidr_blocks = data.aws_vpc.this-vpc.cidr_block_associations.*.cidr_block
   }
 
   egress {
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
-    cidr_blocks = compact(concat(["0.0.0.0/0"], var.secondary_cidrs))
+    cidr_blocks = ["0.0.0.0/0"]
   }
 
   tags = { "Name" : "VpcEpAccess" }

modules/networking/vpc-endpoints/variables.tf

@@ -5,8 +5,8 @@ variable interface-ep-services {
 }
 variable gateway-ep-services {
   type = list(string)
-  default = ["s3","dynamodb"]
-  description = "Gateway endpoints are free, so deploy for all supported services by default."
+  default = []
+  description = "s3 and dynamodb gateway endpoints are free."
 }
 variable resource-prefix {}
 variable secondary_cidrs {