Add 'prefix_list_id' exported attribute to AWS VPC Endpoint

'prefix_list_id' can be used in egress rules in VPC security groups.

builtin/providers/aws/resource_aws_vpc_endpoint.go

@@ -43,6 +43,10 @@ func resourceAwsVpcEndpoint() *schema.Resource {
 				Elem:     &schema.Schema{Type: schema.TypeString},
 				Set:      schema.HashString,
 			},
+			"prefix_list_id": &schema.Schema{
+				Type:     schema.TypeString,
+				Computed: true,
+			},
 		},
 	}
 }
@@ -101,12 +105,36 @@ func resourceAwsVPCEndpointRead(d *schema.ResourceData, meta interface{}) error
 
 	vpce := output.VpcEndpoints[0]
 
+	// A VPC Endpoint is associated with exactly one prefix list name (also called Service Name).
+	// The prefix list ID can be used in security groups, so retrieve it to support that capability.
+	prefixListServiceName := *vpce.ServiceName
+	prefixListInput := &ec2.DescribePrefixListsInput{
+		Filters: []*ec2.Filter{
+			{Name: aws.String("prefix-list-name"), Values: []*string{aws.String(prefixListServiceName)}},
+		},
+	}
+
+	log.Printf("[DEBUG] Reading VPC Endpoint prefix list: %s", prefixListServiceName)
+	prefixListsOutput, err := conn.DescribePrefixLists(prefixListInput)
+
+	if err != nil {
+		_, ok := err.(awserr.Error)
+		if !ok {
+			return fmt.Errorf("Error reading VPC Endpoint prefix list: %s", err.Error())
+		}
+	}
+
+	if len(prefixListsOutput.PrefixLists) != 1 {
+		return fmt.Errorf("There are multiple prefix lists associated with the service name '%s'. Unexpected", prefixListServiceName)
+	}
+
 	d.Set("vpc_id", vpce.VpcId)
 	d.Set("policy", normalizeJson(*vpce.PolicyDocument))
 	d.Set("service_name", vpce.ServiceName)
 	if err := d.Set("route_table_ids", aws.StringValueSlice(vpce.RouteTableIds)); err != nil {
 		return err
 	}
+	d.Set("prefix_list_id", prefixListsOutput.PrefixLists[0].PrefixListId)
 
 	return nil
 }

builtin/providers/aws/resource_aws_vpc_endpoint_test.go

@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -25,6 +26,7 @@ func TestAccAWSVpcEndpoint_basic(t *testing.T) {
 				Config: testAccVpcEndpointWithRouteTableAndPolicyConfig,
 				Check: resource.ComposeTestCheckFunc(
 					testAccCheckVpcEndpointExists("aws_vpc_endpoint.second-private-s3", &endpoint),
+					testAccCheckVpcEndpointPrefixListAvailable("aws_vpc_endpoint.second-private-s3"),
 				),
 			},
 		},
@@ -118,6 +120,25 @@ func testAccCheckVpcEndpointExists(n string, endpoint *ec2.VpcEndpoint) resource
 	}
 }
 
+func testAccCheckVpcEndpointPrefixListAvailable(n string) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[n]
+		if !ok {
+			return fmt.Errorf("Not found: %s", n)
+		}
+
+		prefixListID := rs.Primary.Attributes["prefix_list_id"]
+		if prefixListID == "" {
+			return fmt.Errorf("Prefix list ID not available")
+		}
+		if !strings.HasPrefix(prefixListID, "pl") {
+			return fmt.Errorf("Prefix list ID does not appear to be a valid value: '%s'", prefixListID)
+		}
+
+		return nil
+	}
+}
+
 const testAccVpcEndpointWithRouteTableAndPolicyConfig = `
 resource "aws_vpc" "foo" {
     cidr_block = "10.0.0.0/16"

website/source/docs/providers/aws/r/vpc_endpoint.html.markdown

@@ -35,3 +35,4 @@ The following arguments are supported:
 The following attributes are exported:
 
 * `id` - The ID of the VPC endpoint.
+* `prefix_list_id` - The prefix list ID of the exposed service.