terraform-aws-modules · bryantbiggs · Oct 1, 2025 · Sep 15, 2025 · Oct 1, 2025 · JoeyBG
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.100.0
+    rev: v1.101.0
     hooks:
       - id: terraform_wrapper_module_for_each
       - id: terraform_fmt

diff --git a/README.md b/README.md
@@ -119,6 +119,7 @@ module "ecs" {
       }
 
       subnet_ids = ["subnet-abcde012", "subnet-bcde012a", "subnet-fghi345a"]
+
       security_group_ingress_rules = {
         alb_3000 = {
           description                  = "Service port"

diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -177,6 +177,7 @@ module "ecs" {
       ]
 
       subnet_ids                    = module.vpc.private_subnets
+      vpc_id                        = module.vpc.vpc_id
       availability_zone_rebalancing = "ENABLED"
       security_group_ingress_rules = {
         alb_3000 = {

diff --git a/modules/service/README.md b/modules/service/README.md
@@ -342,6 +342,7 @@ module "ecs_service" {
 | <a name="input_triggers"></a> [triggers](#input\_triggers) | Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with `timestamp()` | `map(string)` | `null` | no |
 | <a name="input_volume"></a> [volume](#input\_volume) | Configuration block for volumes that containers in your task may use | <pre>map(object({<br/>    configure_at_launch = optional(bool)<br/>    docker_volume_configuration = optional(object({<br/>      autoprovision = optional(bool)<br/>      driver        = optional(string)<br/>      driver_opts   = optional(map(string))<br/>      labels        = optional(map(string))<br/>      scope         = optional(string)<br/>    }))<br/>    efs_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        access_point_id = optional(string)<br/>        iam             = optional(string)<br/>      }))<br/>      file_system_id          = string<br/>      root_directory          = optional(string)<br/>      transit_encryption      = optional(string)<br/>      transit_encryption_port = optional(number)<br/>    }))<br/>    fsx_windows_file_server_volume_configuration = optional(object({<br/>      authorization_config = optional(object({<br/>        credentials_parameter = string<br/>        domain                = string<br/>      }))<br/>      file_system_id = string<br/>      root_directory = string<br/>    }))<br/>    host_path = optional(string)<br/>    name      = optional(string)<br/>  }))</pre> | `null` | no |
 | <a name="input_volume_configuration"></a> [volume\_configuration](#input\_volume\_configuration) | Configuration for a volume specified in the task definition as a volume that is configured at launch time | <pre>object({<br/>    name = string<br/>    managed_ebs_volume = object({<br/>      encrypted        = optional(bool)<br/>      file_system_type = optional(string)<br/>      iops             = optional(number)<br/>      kms_key_id       = optional(string)<br/>      size_in_gb       = optional(number)<br/>      snapshot_id      = optional(string)<br/>      tag_specifications = optional(list(object({<br/>        propagate_tags = optional(string, "TASK_DEFINITION")<br/>        resource_type  = string<br/>        tags           = optional(map(string))<br/>      })))<br/>      throughput  = optional(number)<br/>      volume_type = optional(string)<br/>    })<br/>  })</pre> | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided | `string` | `null` | no |
 | <a name="input_vpc_lattice_configurations"></a> [vpc\_lattice\_configurations](#input\_vpc\_lattice\_configurations) | The VPC Lattice configuration for your service that allows Lattice to connect, secure, and monitor your service across multiple accounts and VPCs | <pre>object({<br/>    role_arn         = string<br/>    target_group_arn = string<br/>    port_name        = string<br/>  })</pre> | `null` | no |
 | <a name="input_wait_for_steady_state"></a> [wait\_for\_steady\_state](#input\_wait\_for\_steady\_state) | If true, Terraform will wait for the service to reach a steady state before continuing. Default is `false` | `bool` | `null` | no |
 | <a name="input_wait_until_stable"></a> [wait\_until\_stable](#input\_wait\_until\_stable) | Whether terraform should wait until the task set has reached `STEADY_STATE` | `bool` | `null` | no |

diff --git a/modules/service/main.tf b/modules/service/main.tf
@@ -1638,7 +1638,7 @@ locals {
 }
 
 data "aws_subnet" "this" {
-  count = local.create_security_group ? 1 : 0
+  count = local.create_security_group && var.vpc_id != null ? 1 : 0
-  count = local.create_security_group && var.vpc_id != null ? 1 : 0
+  count = local.create_security_group && var.vpc_id == null ? 1 : 0
-  count = local.create_security_group && var.vpc_id != null ? 1 : 0
+  count = local.create_security_group && var.vpc_id == null ? 1 : 0
 
   region = var.region
 
@@ -1653,7 +1653,7 @@ resource "aws_security_group" "this" {
   name        = var.security_group_use_name_prefix ? null : local.security_group_name
   name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null
   description = var.security_group_description
-  vpc_id      = data.aws_subnet.this[0].vpc_id
+  vpc_id      = try(data.aws_subnet.this[0].vpc_id, var.vpc_id)
-  vpc_id      = try(data.aws_subnet.this[0].vpc_id, var.vpc_id)
+  vpc_id      = coalesce(var.vpc_id, data.aws_subnet.this[0].vpc_id)
-  vpc_id      = try(data.aws_subnet.this[0].vpc_id, var.vpc_id)
+  vpc_id      = coalesce(var.vpc_id, data.aws_subnet.this[0].vpc_id)
 
   tags = merge(
     var.tags,

diff --git a/modules/service/variables.tf b/modules/service/variables.tf
@@ -209,6 +209,12 @@ variable "subnet_ids" {
   nullable    = false
 }
 
+variable "vpc_id" {
+  description = "The VPC ID where to deploy the task or service. If not provided, the VPC ID is derived from the subnets provided"
+  type        = string
+  default     = null
+}
+
 variable "ordered_placement_strategy" {
   description = "Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence"
   type = map(object({

diff --git a/wrappers/service/main.tf b/wrappers/service/main.tf
@@ -138,6 +138,7 @@ module "wrapper" {
   triggers                                = try(each.value.triggers, var.defaults.triggers, null)
   volume                                  = try(each.value.volume, var.defaults.volume, null)
   volume_configuration                    = try(each.value.volume_configuration, var.defaults.volume_configuration, null)
+  vpc_id                                  = try(each.value.vpc_id, var.defaults.vpc_id, null)
   vpc_lattice_configurations              = try(each.value.vpc_lattice_configurations, var.defaults.vpc_lattice_configurations, null)
   wait_for_steady_state                   = try(each.value.wait_for_steady_state, var.defaults.wait_for_steady_state, null)
   wait_until_stable                       = try(each.value.wait_until_stable, var.defaults.wait_until_stable, null)