From 6638d22fe89eb26b6f3d17d6b1fc1bf54c2ccf64 Mon Sep 17 00:00:00 2001
From: Yisheng Cai
Date: Tue, 17 Feb 2026 03:34:19 -0800
Subject: [PATCH] feat: Support cross region privatelink endpoint
---
 modules/aws/private-link/main.tf | 4 ++++
 modules/aws/private-link/variables.tf | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/modules/aws/private-link/main.tf b/modules/aws/private-link/main.tf
index df4f0db..857a5cb 100644
--- a/modules/aws/private-link/main.tf
+++ b/modules/aws/private-link/main.tf
@@ -74,9 +74,11 @@ locals {
 }
 resource "aws_vpc_endpoint" "this" {
+ region = var.region
 vpc_id = var.vpc_id
 subnet_ids = var.subnet_ids
 service_name = var.service_name
+ service_region = var.service_region != "" ? var.service_region : var.region
 security_group_ids = local.security_group_ids
 vpc_endpoint_type = "Interface"
@@ -92,6 +94,7 @@ resource "aws_security_group" "this" {
 count = var.security_group_ids == null ? 1 : 0
 name_prefix = var.service_name
+ region = var.region
 vpc_id = var.vpc_id
 description = "For access vpc endpoint service ${var.service_name}"
@@ -107,6 +110,7 @@ resource "aws_security_group" "this" {
 resource "aws_security_group_rule" "this" {
 for_each = { for k, v in local.security_group_rules : k => v if var.security_group_ids == null }
+ region = var.region
 security_group_id = aws_security_group.this[0].id
 type = each.value.type
 protocol = each.value.protocol
diff --git a/modules/aws/private-link/variables.tf b/modules/aws/private-link/variables.tf
index 82a1528..5cb6c2e 100644
--- a/modules/aws/private-link/variables.tf
+++ b/modules/aws/private-link/variables.tf
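Review bot: The `region = var.region` argument added to `aws_vpc_endpoint.this`, and in the next two hunks to `aws_security_group.this` and `aws_security_group_rule.this`, is a per-resource region override that, as far as I know, only exists from AWS provider v6.0.0 onward, and this patch touches no provider constraint. If the module's `required_providers` block (not visible here) still admits 5.x, plans will fail with an unsupported-argument error, so pinning something like `version = ">= 6.0"` would make the requirement explicit. With the override in place, `var.vpc_id`, `var.subnet_ids` and any caller-supplied `var.security_group_ids` must all live in `var.region`, and nothing in the module checks that. I would also resolve the fallback as `service_region = var.service_region != "" ? var.service_region : null`, so same-region callers keep the provider's computed value and only the cross-region case sends the new argument; I have not confirmed how the API treats an explicit same-region value. All three resource bodies continue outside their hunks.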
@@ -1,6 +1,12 @@
 variable "region" {
 type = string
- description = "The region of vpc endpoint service. The VPC Endpoint must be the same region as Endpoint Service"
+ description = "The region of vpc endpoint to be created. This should be the same as the region of the VPC."
+}
+
+variable "service_region" {
+ type = string
+ description = "The region of the VPC endpoint service. The VPC Endpoint can be in a different region, will fallback to the VPC endpoint region if not specified."
+ default = ""
 }
 variable "vpc_id" {
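Review bot: `service_region` accepts any string and uses `""` as its "unset" sentinel, so a mistyped region is only rejected by the AWS API at apply time, and a caller who passes `null` bypasses the `!= ""` test in main.tf. A `validation` block with a shape check such as `condition = var.service_region == "" || can(regex("^[a-z]{2}(-[a-z]+)+-[0-9]+$", var.service_region))` would catch typos at plan time. Resolving the value with `coalesce(var.service_region, var.region)` in main.tf would treat `""` and `null` the same way. Since setting this variable sends endpoint traffic to a service in another region, the description should say so directly, for example `"Region of the VPC endpoint service. Set only for cross-region PrivateLink; traffic then leaves the VPC's region. Defaults to the endpoint region."`, so callers with data-residency constraints see the implication.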