
Conversation


@alvinjaison alvinjaison commented Nov 10, 2025

Description

Added support for EC2 Instance Connect Endpoint (EICE) in the VPC module.
This allows users to securely SSH or RDP into instances in private subnets without using a bastion host or exposing public IPs.
Also added a fully self-contained example under examples/ec2-instance-connect-endpoint/.


Motivation and Context

AWS recently introduced EC2 Instance Connect Endpoint, which simplifies secure connectivity to private subnets.
Currently, the VPC module does not support this resource natively, requiring users to define it manually.
This feature:

  • Standardizes secure SSH/RDP connectivity patterns
  • Reduces boilerplate for creating endpoints in private subnets
  • Exposes a simple boolean variable create_instance_connect_endpoint for optional usage

Closes: #1253


Breaking Changes

No breaking changes.

  • Feature is optional (create_instance_connect_endpoint = false by default)
  • All existing variables, resources, and examples remain unchanged

How Has This Been Tested?

  • Added a new example in examples/ec2-instance-connect-endpoint/.
  • Validated the configuration using the following commands:
  terraform init
  terraform apply
  terraform destroy
  • Verified SSH access to a private EC2 instance through the EC2 Instance Connect Endpoint (EICE) using the following commands:
  1. Send SSH public key:
   aws ec2-instance-connect send-ssh-public-key \
     --instance-id <instance-id> \
     --instance-os-user ec2-user \
     --ssh-public-key file://~/.ssh/id_rsa.pub \
     --region us-east-1
  2. Open an EC2 Instance Connect tunnel:
   aws ec2-instance-connect open-tunnel \
     --instance-id <instance-id> \
     --local-port 2222 \
     --region us-east-1
  3. Connect to the instance via SSH:
   ssh -p 2222 ec2-user@localhost

Example Usage

data "aws_availability_zones" "available" {}

locals {
  vpc_cidr = "10.0.0.0/16"
  azs      = slice(data.aws_availability_zones.available.names, 0, 2)
}

module "vpc" {
  source = "../../"

  name = "example-vpc"
  cidr = local.vpc_cidr

  azs             = local.azs
  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k + 10)]

  enable_nat_gateway = true
  single_nat_gateway = true

  # EC2 Instance Connect Endpoint settings added by this PR. The endpoint is placed in one
  # private subnet; the outbound rules of its security group govern the endpoint-to-instance hop.
  create_instance_connect_endpoint      = true
  instance_connect_subnet_id            = element(module.vpc.private_subnets, 0)
  instance_connect_security_group_ids   = [aws_security_group.allow_ssh.id]
  instance_connect_preserve_client_ip   = false

  tags = {
    Environment = "example"
  }
}

# Security group attached to the EC2 Instance Connect Endpoint. Its egress rule is what lets
# the endpoint reach instances on port 22; each target instance's own security group must
# separately allow inbound SSH from this group (or from the endpoint's ENI address).
resource "aws_security_group" "allow_ssh" {
  name        = "allow-ssh"
  description = "Allow SSH access for EC2 Instance Connect"
  vpc_id      = module.vpc.vpc_id

  # Example only: clients reach the endpoint through the AWS API, not through this
  # inbound rule, so 0.0.0.0/0 ingress is wider than the endpoint needs.
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Example only: in real use restrict this to the SSH/RDP port and the private subnet CIDRs.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "allow-ssh"
  }
}

💡 Tip
Set instance_connect_preserve_client_ip = true if you want the target instance to see your real public IP (for IP-based restrictions).
Otherwise, keep it false for easier access in typical VPC setups.

Checklist

  • I have updated at least one of the examples/* to demonstrate and validate my changes.
  • I have tested and validated these changes using one or more of the provided examples/* projects.
  • I have executed pre-commit run -a on my pull request.
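The connection procedure and the `preserve_client_ip` tip above leave implicit which security-group rules actually have to line up for the endpoint-to-instance hop to work, and the example's `allow-ssh` group is open to the world on both sides. The following checker is an added example, not code from this PR or from the terraform-aws-vpc module. It evaluates rule dicts in the shape returned by `aws ec2 describe-security-groups`, and it assumes the semantics described in the AWS EICE documentation: the endpoint security group's egress rules gate the endpoint-to-instance hop, and the instance's security group must admit the source the instance will see, which is the endpoint's security group or ENI address when `preserve_client_ip` is false and the client's public IP when it is true. All group IDs, addresses and rules in it are constructed for the example.

```python
"""Check the security-group wiring an EC2 Instance Connect Endpoint (EICE) needs.

Added example; not code from the terraform-aws-vpc module or this PR. Works on
rule dicts in the shape of `aws ec2 describe-security-groups` output
(IpPermissions / IpPermissionsEgress). Assumed semantics (restated from the AWS
EICE documentation, treated here as assumptions):
  * the endpoint SG's *egress* rules gate the endpoint -> instance hop;
  * the instance SG must allow ingress from the endpoint's SG (or ENI IP) when
    preserve_client_ip is false, and from the client's public IP when it is true,
    because that is the source address the instance then sees.
All IDs, addresses and rules below are constructed for the example.
"""
import ipaddress

EICE_SG_ID = "sg-0eice000000000001"   # hypothetical endpoint security group
APP_SG_ID = "sg-0app0000000000002"    # hypothetical instance security group
EICE_ENI_IP = "10.0.0.25"             # endpoint ENI address in the private subnet (constructed)
APP_IP = "10.0.0.40"                  # target instance private address (constructed)
CLIENT_IP = "203.0.113.10"            # operator's public address (documentation range)

# Endpoint SG: no ingress, egress limited to SSH inside the VPC CIDR.
EICE_SG = {
    "GroupId": EICE_SG_ID,
    "IpPermissions": [],
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

# Instance SG: SSH only from members of the endpoint SG.
APP_SG = {
    "GroupId": APP_SG_ID,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": EICE_SG_ID}]},
    ],
    "IpPermissionsEgress": [],
}

# The PR example's `allow-ssh` group expressed as data: world-open in both directions.
PR_ALLOW_SSH_SG = {
    "GroupId": "sg-0pr00000000000003",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def _matches_port(perm, port):
    """True if the rule covers `port` over TCP, or is the all-traffic rule."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _cidrs(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def _cidr_matches(perm, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in _cidrs(perm))


def _sg_ref_matches(perm, sg_id):
    return any(p.get("GroupId") == sg_id for p in perm.get("UserIdGroupPairs", []))


def endpoint_can_reach(endpoint_sg, instance_sg_id, instance_ip, port):
    """Does the endpoint SG's egress permit the hop to the instance on `port`?"""
    return any(_matches_port(p, port)
               and (_cidr_matches(p, instance_ip) or _sg_ref_matches(p, instance_sg_id))
               for p in endpoint_sg["IpPermissionsEgress"])


def instance_accepts(instance_sg, endpoint_sg_id, endpoint_eni_ip, client_ip, port, preserve_client_ip):
    """Does the instance SG admit the source address the instance will actually see?"""
    for p in instance_sg["IpPermissions"]:
        if not _matches_port(p, port):
            continue
        if preserve_client_ip:
            # Source is the client's public IP; a reference to the endpoint SG does not match it.
            if _cidr_matches(p, client_ip):
                return True
        elif _sg_ref_matches(p, endpoint_sg_id) or _cidr_matches(p, endpoint_eni_ip):
            return True
    return False


def world_open_rules(sg):
    """Rules in either direction whose CIDR is 0.0.0.0/0 or ::/0."""
    found = []
    for direction in ("IpPermissions", "IpPermissionsEgress"):
        for p in sg[direction]:
            if any(ipaddress.ip_network(c).prefixlen == 0 for c in _cidrs(p)):
                found.append((direction, p.get("IpProtocol"), p.get("FromPort")))
    return found


def check_eice_path(endpoint_sg, instance_sg, instance_ip, endpoint_eni_ip, client_ip,
                    port=22, preserve_client_ip=False):
    """Summarise both hops plus any world-open rules on the endpoint SG."""
    return {
        "endpoint_egress_ok": endpoint_can_reach(endpoint_sg, instance_sg["GroupId"], instance_ip, port),
        "instance_ingress_ok": instance_accepts(instance_sg, endpoint_sg["GroupId"], endpoint_eni_ip,
                                                client_ip, port, preserve_client_ip),
        "world_open": world_open_rules(endpoint_sg),
    }


if __name__ == "__main__":
    print(check_eice_path(EICE_SG, APP_SG, APP_IP, EICE_ENI_IP, CLIENT_IP))
    print(check_eice_path(EICE_SG, APP_SG, APP_IP, EICE_ENI_IP, CLIENT_IP, preserve_client_ip=True))
    print(check_eice_path(PR_ALLOW_SSH_SG, APP_SG, APP_IP, EICE_ENI_IP, CLIENT_IP))
```

Run against the constructed data, the tight endpoint group passes both hops with nothing world-open; flipping `preserve_client_ip` to true makes the instance hop fail because the instance group only references the endpoint group, not the client's address; and the PR's `allow-ssh` group passes the hop only because it is open to everything, which the `world_open` finding surfaces.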

@alvinjaison alvinjaison changed the title Feat/ec2 instance connect endpoint feat/ec2 instance connect endpoint Nov 10, 2025
@alvinjaison alvinjaison changed the title feat/ec2 instance connect endpoint feat: add EC2 Instance Connect Endpoint support Nov 10, 2025
@alvinjaison alvinjaison changed the title feat: add EC2 Instance Connect Endpoint support feat: Add EC2 Instance Connect Endpoint support Nov 10, 2025
@alvinjaison alvinjaison marked this pull request as ready for review November 10, 2025 13:53
@alvinjaison (Author) commented:

Hi @antonbabenko, could you please review this PR when you have a moment? Thanks!



Development

Successfully merging this pull request may close these issues.

Feature to create EC2 Instance Connect endpoint
