From 864285b1bb6c014e2352c17d714969e9b9624712 Mon Sep 17 00:00:00 2001 From: Kit Ewbank Date: Wed, 15 May 2019 15:29:43 -0400 Subject: [PATCH] Tagging for VPC Endpoints and VPC Endpoint Services. --- aws/data_source_aws_vpc_endpoint.go | 45 +-- aws/data_source_aws_vpc_endpoint_service.go | 32 +- ...ta_source_aws_vpc_endpoint_service_test.go | 81 +++-- aws/data_source_aws_vpc_endpoint_test.go | 195 +++++++----- aws/resource_aws_vpc_endpoint.go | 107 ++++--- aws/resource_aws_vpc_endpoint_service.go | 24 +- aws/resource_aws_vpc_endpoint_service_test.go | 107 ++++--- aws/resource_aws_vpc_endpoint_test.go | 279 ++++++++++-------- website/docs/d/vpc_endpoint.html.markdown | 1 + .../docs/d/vpc_endpoint_service.html.markdown | 2 + website/docs/r/vpc_endpoint.html.markdown | 20 +- .../docs/r/vpc_endpoint_service.html.markdown | 20 +- 12 files changed, 538 insertions(+), 375 deletions(-) diff --git a/aws/data_source_aws_vpc_endpoint.go b/aws/data_source_aws_vpc_endpoint.go index c8fc0acc0be5..5b22bd94567d 100644 --- a/aws/data_source_aws_vpc_endpoint.go +++ b/aws/data_source_aws_vpc_endpoint.go @@ -15,26 +15,6 @@ func dataSourceAwsVpcEndpoint() *schema.Resource { Read: dataSourceAwsVpcEndpointRead, Schema: map[string]*schema.Schema{ - "id": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - "service_name": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - "state": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, - "vpc_id": { - Type: schema.TypeString, - Optional: true, - Computed: true, - }, "cidr_blocks": { Type: schema.TypeList, Computed: true, @@ -56,6 +36,11 @@ func dataSourceAwsVpcEndpoint() *schema.Resource { }, }, }, + "id": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, "network_interface_ids": { Type: schema.TypeSet, Computed: true, 
@@ -90,16 +75,32 @@ func dataSourceAwsVpcEndpoint() *schema.Resource { Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, + "state": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, "subnet_ids": { Type: schema.TypeSet, Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, + "tags": tagsSchemaComputed(), "vpc_endpoint_type": { Type: schema.TypeString, Computed: true, }, + "vpc_id": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, }, } } @@ -194,6 +195,10 @@ func dataSourceAwsVpcEndpointRead(d *schema.ResourceData, meta interface{}) erro if err != nil { return fmt.Errorf("error setting subnet_ids: %s", err) } + err = d.Set("tags", tagsToMap(vpce.Tags)) + if err != nil { + return fmt.Errorf("error setting tags: %s", err) + } // VPC endpoints don't have types in GovCloud, so set type to default if empty if vpceType := aws.StringValue(vpce.VpcEndpointType); vpceType == "" { d.Set("vpc_endpoint_type", ec2.VpcEndpointTypeGateway) diff --git a/aws/data_source_aws_vpc_endpoint_service.go b/aws/data_source_aws_vpc_endpoint_service.go index fcbcef7b6588..3a4fc93b65c7 100644 --- a/aws/data_source_aws_vpc_endpoint_service.go +++ b/aws/data_source_aws_vpc_endpoint_service.go @@ -16,17 +16,6 @@ func dataSourceAwsVpcEndpointService() *schema.Resource { Read: dataSourceAwsVpcEndpointServiceRead, Schema: map[string]*schema.Schema{ - "service": { - Type: schema.TypeString, - Optional: true, - ConflictsWith: []string{"service_name"}, - }, - "service_name": { - Type: schema.TypeString, - Optional: true, - Computed: true, - ConflictsWith: []string{"service"}, - }, "acceptance_required": { Type: schema.TypeBool, Computed: true, 
@@ -55,10 +44,26 @@ func dataSourceAwsVpcEndpointService() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "service": { + Type: schema.TypeString, + Optional: true, + ConflictsWith: []string{"service_name"}, + }, + "service_id": { + Type: schema.TypeString, + Computed: true, + }, + "service_name": { + Type: schema.TypeString, + Optional: true, + Computed: true, + ConflictsWith: []string{"service"}, + }, "service_type": { Type: schema.TypeString, Computed: true, }, + "tags": tagsSchemaComputed(), "vpc_endpoint_policy_supported": { Type: schema.TypeBool, Computed: true, @@ -130,7 +135,12 @@ func dataSourceAwsVpcEndpointServiceRead(d *schema.ResourceData, meta interface{ d.Set("manages_vpc_endpoints", sd.ManagesVpcEndpoints) d.Set("owner", sd.Owner) d.Set("private_dns_name", sd.PrivateDnsName) + d.Set("service_id", sd.ServiceId) d.Set("service_type", sd.ServiceType[0].ServiceType) + err = d.Set("tags", tagsToMap(sd.Tags)) + if err != nil { + return fmt.Errorf("error setting tags: %s", err) + } d.Set("vpc_endpoint_policy_supported", sd.VpcEndpointPolicySupported) return nil diff --git a/aws/data_source_aws_vpc_endpoint_service_test.go b/aws/data_source_aws_vpc_endpoint_service_test.go index 22b42ae7d811..b1cd15696025 100644 --- a/aws/data_source_aws_vpc_endpoint_service_test.go +++ b/aws/data_source_aws_vpc_endpoint_service_test.go @@ -9,7 +9,8 @@ import ( ) func TestAccDataSourceAwsVpcEndpointService_gateway(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint_service.s3" + datasourceName := "data.aws_vpc_endpoint_service.test" + region := testAccGetRegion() resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -18,20 +19,16 @@ func TestAccDataSourceAwsVpcEndpointService_gateway(t *testing.T) { { Config: testAccDataSourceAwsVpcEndpointServiceGatewayConfig, Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(datasourceName, "service_name", "com.amazonaws.us-west-2.s3"), + resource.TestCheckResourceAttr(datasourceName, "service_name", fmt.Sprintf("com.amazonaws.%s.s3", region)), resource.TestCheckResourceAttr(datasourceName, "acceptance_required", "false"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.#", "4"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.2487133097", "us-west-2a"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.221770259", "us-west-2b"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.2050015877", "us-west-2c"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.3830732582", "us-west-2d"), + resource.TestCheckResourceAttrPair(datasourceName, "availability_zones.#", "data.aws_availability_zones.available", "names.#"), resource.TestCheckResourceAttr(datasourceName, "base_endpoint_dns_names.#", "1"), - resource.TestCheckResourceAttr(datasourceName, "base_endpoint_dns_names.3003388505", "s3.us-west-2.amazonaws.com"), resource.TestCheckResourceAttr(datasourceName, "manages_vpc_endpoints", "false"), resource.TestCheckResourceAttr(datasourceName, "owner", "amazon"), resource.TestCheckResourceAttr(datasourceName, "private_dns_name", ""), resource.TestCheckResourceAttr(datasourceName, "service_type", "Gateway"), resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_policy_supported", "true"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "0"), ), }, }, 
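Review bot: The new `resource.TestCheckResourceAttrPair(datasourceName, "availability_zones.#", "data.aws_availability_zones.available", "names.#")` check assumes the S3 gateway service is offered in exactly the zones that the argument-less `data "aws_availability_zones" "available" {}` block returns. If that data source ever lists a zone the service is not offered in, the test fails for reasons unrelated to the data source under test; whether that can happen is not visible in this diff. It also replaces the per-zone value checks with a count comparison only. Either add a comment above the check stating the assumption, or relax it to a non-zero count, for example `resource.TestMatchResourceAttr(datasourceName, "availability_zones.#", regexp.MustCompile("^[1-9]"))`, which needs the `regexp` import. The test function body continues outside this hunk.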
@@ -39,7 +36,8 @@ func TestAccDataSourceAwsVpcEndpointService_gateway(t *testing.T) { } func TestAccDataSourceAwsVpcEndpointService_interface(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint_service.ec2" + datasourceName := "data.aws_vpc_endpoint_service.test" + region := testAccGetRegion() resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, 
@@ -48,19 +46,15 @@ func TestAccDataSourceAwsVpcEndpointService_interface(t *testing.T) { { Config: testAccDataSourceAwsVpcEndpointServiceInterfaceConfig, Check: resource.ComposeTestCheckFunc( - resource.TestCheckResourceAttr(datasourceName, "service_name", "com.amazonaws.us-west-2.ec2"), + resource.TestCheckResourceAttr(datasourceName, "service_name", fmt.Sprintf("com.amazonaws.%s.ec2", region)), resource.TestCheckResourceAttr(datasourceName, "acceptance_required", "false"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.#", "3"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.2487133097", "us-west-2a"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.221770259", "us-west-2b"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.2050015877", "us-west-2c"), resource.TestCheckResourceAttr(datasourceName, "base_endpoint_dns_names.#", "1"), - resource.TestCheckResourceAttr(datasourceName, "base_endpoint_dns_names.1880016359", "ec2.us-west-2.vpce.amazonaws.com"), resource.TestCheckResourceAttr(datasourceName, "manages_vpc_endpoints", "false"), resource.TestCheckResourceAttr(datasourceName, "owner", "amazon"), - resource.TestCheckResourceAttr(datasourceName, "private_dns_name", "ec2.us-west-2.amazonaws.com"), + resource.TestCheckResourceAttr(datasourceName, "private_dns_name", fmt.Sprintf("ec2.%s.amazonaws.com", region)), resource.TestCheckResourceAttr(datasourceName, "service_type", "Interface"), resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_policy_supported", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "0"), ), }, }, 
@@ -68,7 +62,7 @@ func TestAccDataSourceAwsVpcEndpointService_interface(t *testing.T) { } func TestAccDataSourceAwsVpcEndpointService_custom(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint_service.foo" + datasourceName := "data.aws_vpc_endpoint_service.test" rName := fmt.Sprintf("tf-testacc-vpcesvc-%s", acctest.RandStringFromCharSet(13, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ @@ -80,12 +74,12 @@ func TestAccDataSourceAwsVpcEndpointService_custom(t *testing.T) { Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(datasourceName, "acceptance_required", "true"), resource.TestCheckResourceAttr(datasourceName, "availability_zones.#", "2"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.2487133097", "us-west-2a"), - resource.TestCheckResourceAttr(datasourceName, "availability_zones.221770259", "us-west-2b"), resource.TestCheckResourceAttr(datasourceName, "manages_vpc_endpoints", "false"), testAccCheckResourceAttrAccountID(datasourceName, "owner"), resource.TestCheckResourceAttr(datasourceName, "service_type", "Interface"), resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_policy_supported", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(datasourceName, "tags.Name", rName), ), }, }, 
@@ -93,29 +87,22 @@ func TestAccDataSourceAwsVpcEndpointService_custom(t *testing.T) { } const testAccDataSourceAwsVpcEndpointServiceGatewayConfig = ` -provider "aws" { - region = "us-west-2" -} +data "aws_availability_zones" "available" {} -data "aws_vpc_endpoint_service" "s3" { +data "aws_vpc_endpoint_service" "test" { service = "s3" } ` const testAccDataSourceAwsVpcEndpointServiceInterfaceConfig = ` -provider "aws" { - region = "us-west-2" -} - -data "aws_vpc_endpoint_service" "ec2" { +data "aws_vpc_endpoint_service" "test" { service = "ec2" } ` func testAccDataSourceAwsVpcEndpointServiceCustomConfig(rName string) string { - return fmt.Sprintf( - ` -resource "aws_vpc" "nlb_test" { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" tags = { @@ -123,12 +110,12 @@ resource "aws_vpc" "nlb_test" { } } -resource "aws_lb" "nlb_test_1" { +resource "aws_lb" "test" { name = %[1]q subnets = [ - "${aws_subnet.nlb_test_1.id}", - "${aws_subnet.nlb_test_2.id}", + "${aws_subnet.test1.id}", + "${aws_subnet.test2.id}", ] load_balancer_type = "network" 
@@ -141,36 +128,42 @@ resource "aws_lb" "nlb_test_1" { } } -resource "aws_subnet" "nlb_test_1" { - vpc_id = "${aws_vpc.nlb_test.id}" +data "aws_availability_zones" "available" {} + +resource "aws_subnet" "test1" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.1.0/24" - availability_zone = "us-west-2a" + availability_zone = "${data.aws_availability_zones.available.names[0]}" tags = { Name = %[1]q } } -resource "aws_subnet" "nlb_test_2" { - vpc_id = "${aws_vpc.nlb_test.id}" +resource "aws_subnet" "test2" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.2.0/24" - availability_zone = "us-west-2b" + availability_zone = "${data.aws_availability_zones.available.names[1]}" tags = { Name = %[1]q } } -resource "aws_vpc_endpoint_service" "foo" { +resource "aws_vpc_endpoint_service" "test" { acceptance_required = true network_load_balancer_arns = [ - "${aws_lb.nlb_test_1.id}", + "${aws_lb.test.id}", ] + + tags = { + Name = %[1]q + } } -data "aws_vpc_endpoint_service" "foo" { - service_name = "${aws_vpc_endpoint_service.foo.service_name}" +data "aws_vpc_endpoint_service" "test" { + service_name = "${aws_vpc_endpoint_service.test.service_name}" } `, rName) } diff --git a/aws/data_source_aws_vpc_endpoint_test.go b/aws/data_source_aws_vpc_endpoint_test.go index bd8faca3a0a3..e34065c56293 100644 --- a/aws/data_source_aws_vpc_endpoint_test.go +++ b/aws/data_source_aws_vpc_endpoint_test.go 
@@ -1,20 +1,23 @@ package aws import ( + "fmt" "testing" + "github.com/hashicorp/terraform/helper/acctest" "github.com/hashicorp/terraform/helper/resource" ) func TestAccDataSourceAwsVpcEndpoint_gatewayBasic(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint.s3" + datasourceName := "data.aws_vpc_endpoint.test" + rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccDataSourceAwsVpcEndpointConfig_gatewayBasic, + Config: testAccDataSourceAwsVpcEndpointConfig_gatewayBasic(rName), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_type", "Gateway"), resource.TestCheckResourceAttrSet(datasourceName, "prefix_list_id"), @@ -25,6 +28,7 @@ func TestAccDataSourceAwsVpcEndpoint_gatewayBasic(t *testing.T) { resource.TestCheckResourceAttr(datasourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(datasourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(datasourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "0"), ), }, }, 
@@ -32,14 +36,15 @@ func TestAccDataSourceAwsVpcEndpoint_gatewayBasic(t *testing.T) { } func TestAccDataSourceAwsVpcEndpoint_byId(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint.s3" + datasourceName := "data.aws_vpc_endpoint.test" + rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccDataSourceAwsVpcEndpointConfig_byId, + Config: testAccDataSourceAwsVpcEndpointConfig_byId(rName), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_type", "Gateway"), resource.TestCheckResourceAttrSet(datasourceName, "prefix_list_id"), 
@@ -50,21 +55,23 @@ func TestAccDataSourceAwsVpcEndpoint_byId(t *testing.T) { resource.TestCheckResourceAttr(datasourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(datasourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(datasourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "0"), ), }, }, }) } -func TestAccDataSourceAwsVpcEndpoint_gatewayWithRouteTable(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint.s3" +func TestAccDataSourceAwsVpcEndpoint_gatewayWithRouteTableAndTags(t *testing.T) { + datasourceName := "data.aws_vpc_endpoint.test" + rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccDataSourceAwsVpcEndpointConfig_gatewayWithRouteTable, + Config: testAccDataSourceAwsVpcEndpointConfig_gatewayWithRouteTableAndTags(rName), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_type", "Gateway"), resource.TestCheckResourceAttrSet(datasourceName, "prefix_list_id"), @@ -75,6 +82,8 @@ func TestAccDataSourceAwsVpcEndpoint_gatewayWithRouteTable(t *testing.T) { resource.TestCheckResourceAttr(datasourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(datasourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(datasourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(datasourceName, "tags.Name", rName), ), }, }, 
@@ -82,14 +91,15 @@ func TestAccDataSourceAwsVpcEndpoint_gatewayWithRouteTable(t *testing.T) { } func TestAccDataSourceAwsVpcEndpoint_interface(t *testing.T) { - datasourceName := "data.aws_vpc_endpoint.ec2" + datasourceName := "data.aws_vpc_endpoint.test" + rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ PreCheck: func() { testAccPreCheck(t) }, Providers: testAccProviders, Steps: []resource.TestStep{ { - Config: testAccDataSourceAwsVpcEndpointConfig_interface, + Config: testAccDataSourceAwsVpcEndpointConfig_interface(rName), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(datasourceName, "vpc_endpoint_type", "Interface"), resource.TestCheckNoResourceAttr(datasourceName, "prefix_list_id"), 
@@ -100,128 +110,159 @@ func TestAccDataSourceAwsVpcEndpoint_interface(t *testing.T) { resource.TestCheckResourceAttr(datasourceName, "security_group_ids.#", "1"), resource.TestCheckResourceAttr(datasourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(datasourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(datasourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(datasourceName, "tags.Name", rName), ), }, }, }) } -const testAccDataSourceAwsVpcEndpointConfig_gatewayBasic = ` -provider "aws" { - region = "us-west-2" -} - -resource "aws_vpc" "foo" { +func testAccDataSourceAwsVpcEndpointConfig_gatewayBasic(rName string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.1.0.0/16" tags = { - Name = "terraform-testacc-vpc-endpoint-data-source-gw-basic" + Name = %[1]q } } -resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "com.amazonaws.us-west-2.s3" -} +data "aws_region" "current" {} -data "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "${aws_vpc_endpoint.s3.service_name}" - state = "available" +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "com.amazonaws.${data.aws_region.current.name}.s3" } -` -const testAccDataSourceAwsVpcEndpointConfig_byId = ` -provider "aws" { - region = "us-west-2" +data "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "${aws_vpc_endpoint.test.service_name}" + state = "available" +} +`, rName) } -resource "aws_vpc" "foo" { +func testAccDataSourceAwsVpcEndpointConfig_byId(rName string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.1.0.0/16" tags = { - Name = "terraform-testacc-vpc-endpoint-data-source-by-id" + Name = %[1]q } } -resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "com.amazonaws.us-west-2.s3" -} +data "aws_region" "current" {} -data "aws_vpc_endpoint" "s3" { - id = 
"${aws_vpc_endpoint.s3.id}" +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "com.amazonaws.${data.aws_region.current.name}.s3" } -` -const testAccDataSourceAwsVpcEndpointConfig_gatewayWithRouteTable = ` -provider "aws" { - region = "us-west-2" +data "aws_vpc_endpoint" "test" { + id = "${aws_vpc_endpoint.test.id}" +} +`, rName) } -resource "aws_vpc" "foo" { +func testAccDataSourceAwsVpcEndpointConfig_gatewayWithRouteTableAndTags(rName string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.1.0.0/16" tags = { - Name = "terraform-testacc-vpc-endpoint-data-source-with-route-table" + Name = %[1]q } } -resource "aws_route_table" "rt" { - vpc_id = "${aws_vpc.foo.id}" -} +resource "aws_route_table" "test" { + vpc_id = "${aws_vpc.test.id}" -resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "com.amazonaws.us-west-2.s3" - route_table_ids = ["${aws_route_table.rt.id}"] + tags = { + Name = %[1]q + } } -data "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "${aws_vpc_endpoint.s3.service_name}" - state = "available" +data "aws_region" "current" {} + +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "com.amazonaws.${data.aws_region.current.name}.s3" + + route_table_ids = [ + "${aws_route_table.test.id}", + ] + + tags = { + Name = %[1]q + } } -` -const testAccDataSourceAwsVpcEndpointConfig_interface = ` -provider "aws" { - region = "us-west-2" +data "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "${aws_vpc_endpoint.test.service_name}" + state = "available" +} +`, rName) } -resource "aws_vpc" "foo" { +func testAccDataSourceAwsVpcEndpointConfig_interface(rName string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.1.0.0/16" tags = { - Name = "terraform-testacc-vpc-endpoint-data-source-interface" + Name = %[1]q } } -resource "aws_subnet" "sn" { - vpc_id = 
"${aws_vpc.foo.id}" - cidr_block = "${aws_vpc.foo.cidr_block}" - availability_zone = "us-west-2a" +data "aws_availability_zones" "available" {} + +resource "aws_subnet" "test" { + vpc_id = "${aws_vpc.test.id}" + cidr_block = "${aws_vpc.test.cidr_block}" + availability_zone = "${data.aws_availability_zones.available.names[0]}" + tags = { - Name = "tf-acc-vpc-endpoint-data-source-interface" + Name = %[1]q } } -resource "aws_security_group" "sg" { - vpc_id = "${aws_vpc.foo.id}" +resource "aws_security_group" "test" { + vpc_id = "${aws_vpc.test.id}" + name = %[1]q + + tags = { + Name = %[1]q + } } -resource "aws_vpc_endpoint" "ec2" { - vpc_id = "${aws_vpc.foo.id}" - vpc_endpoint_type = "Interface" - service_name = "com.amazonaws.us-west-2.ec2" - subnet_ids = ["${aws_subnet.sn.id}"] - security_group_ids = ["${aws_security_group.sg.id}"] +data "aws_region" "current" {} + +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + vpc_endpoint_type = "Interface" + service_name = "com.amazonaws.${data.aws_region.current.name}.ec2" private_dns_enabled = false + + subnet_ids = [ + "${aws_subnet.test.id}", + ] + + security_group_ids = [ + "${aws_security_group.test.id}", + ] + + tags = { + Name = %[1]q + } } -data "aws_vpc_endpoint" "ec2" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "${aws_vpc_endpoint.ec2.service_name}" - state = "available" +data "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "${aws_vpc_endpoint.test.service_name}" + state = "available" +} +`, rName) } -` diff --git a/aws/resource_aws_vpc_endpoint.go b/aws/resource_aws_vpc_endpoint.go index c522f314b71e..dc7ab25b4db6 100644 --- a/aws/resource_aws_vpc_endpoint.go +++ b/aws/resource_aws_vpc_endpoint.go 
@@ -25,20 +25,37 @@ func resourceAwsVpcEndpoint() *schema.Resource { }, Schema: map[string]*schema.Schema{ - "service_name": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - }, - "vpc_id": { - Type: schema.TypeString, - Required: true, - ForceNew: true, - }, "auto_accept": { Type: schema.TypeBool, Optional: true, }, + "cidr_blocks": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + }, + "dns_entry": { + Type: schema.TypeList, + Computed: true, + Elem: &schema.Resource{ + Schema: map[string]*schema.Schema{ + "dns_name": { + Type: schema.TypeString, + Computed: true, + }, + "hosted_zone_id": { + Type: schema.TypeString, + Computed: true, + }, + }, + }, + }, + "network_interface_ids": { + Type: schema.TypeSet, + Computed: true, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, "policy": { Type: schema.TypeString, Optional: true, @@ -50,11 +67,19 @@ func resourceAwsVpcEndpoint() *schema.Resource { return json }, }, + "prefix_list_id": { + Type: schema.TypeString, + Computed: true, + }, "private_dns_enabled": { Type: schema.TypeBool, Optional: true, Default: false, }, + "requester_managed": { + Type: schema.TypeBool, + Computed: true, + }, "route_table_ids": { Type: schema.TypeSet, Optional: true, @@ -69,6 +94,15 @@ func resourceAwsVpcEndpoint() *schema.Resource { Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, + "service_name": { + Type: schema.TypeString, + Required: true, + ForceNew: true, + }, + "state": { + Type: schema.TypeString, + Computed: true, + }, "subnet_ids": { Type: schema.TypeSet, Optional: true, @@ -76,6 +110,7 @@ func resourceAwsVpcEndpoint() *schema.Resource { Elem: &schema.Schema{Type: schema.TypeString}, Set: schema.HashString, }, + "tags": tagsSchema(), "vpc_endpoint_type": { Type: schema.TypeString, Optional: true, 
@@ -86,44 +121,10 @@ func resourceAwsVpcEndpoint() *schema.Resource { ec2.VpcEndpointTypeInterface, }, false), }, - "cidr_blocks": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - }, - "dns_entry": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "dns_name": { - Type: schema.TypeString, - Computed: true, - }, - "hosted_zone_id": { - Type: schema.TypeString, - Computed: true, - }, - }, - }, - }, - "network_interface_ids": { - Type: schema.TypeSet, - Computed: true, - Elem: &schema.Schema{Type: schema.TypeString}, - Set: schema.HashString, - }, - "prefix_list_id": { - Type: schema.TypeString, - Computed: true, - }, - "requester_managed": { - Type: schema.TypeBool, - Computed: true, - }, - "state": { + "vpc_id": { Type: schema.TypeString, - Computed: true, + Required: true, + ForceNew: true, }, }, @@ -181,6 +182,10 @@ func resourceAwsVpcEndpointCreate(d *schema.ResourceData, meta interface{}) erro return err } + if err := setTags(conn, d); err != nil { + return err + } + return resourceAwsVpcEndpointRead(d, meta) } @@ -261,6 +266,10 @@ func resourceAwsVpcEndpointRead(d *schema.ResourceData, meta interface{}) error if err != nil { return fmt.Errorf("error setting subnet_ids: %s", err) } + err = d.Set("tags", tagsToMap(vpce.Tags)) + if err != nil { + return fmt.Errorf("error setting tags: %s", err) + } // VPC endpoints don't have types in GovCloud, so set type to default if empty if vpceType := aws.StringValue(vpce.VpcEndpointType); vpceType == "" { d.Set("vpc_endpoint_type", ec2.VpcEndpointTypeGateway) @@ -314,6 +323,10 @@ func resourceAwsVpcEndpointUpdate(d *schema.ResourceData, meta interface{}) erro return err } + if err := setTags(conn, d); err != nil { + return err + } + return resourceAwsVpcEndpointRead(d, meta) } diff --git a/aws/resource_aws_vpc_endpoint_service.go b/aws/resource_aws_vpc_endpoint_service.go index e9546f90d211..83b728752f5d 100644 
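Review bot: In the resourceAwsVpcEndpointCreate hunk the new `setTags(conn, d)` call runs as a separate step after the endpoint has been created, and its error is returned bare, so a tagging failure does not say which endpoint it concerns. Wrapping it as `return fmt.Errorf("error setting tags for VPC Endpoint (%s): %s", d.Id(), err)` would match the `error setting tags: %s` style of the Read hunk, assuming the ID is already set at that point (the start of the function is outside the hunk). Because tags are attached only after creation, the endpoint presumably exists untagged for a short time, and stays untagged if this call fails. That matters where IAM conditions or compliance rules key on tags, so a short comment at the call site is worth adding. The same bare `return err` appears in the resourceAwsVpcEndpointUpdate hunk of this file and in resourceAwsVpcEndpointServiceUpdate in resource_aws_vpc_endpoint_service.go.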
--- a/aws/resource_aws_vpc_endpoint_service.go +++ b/aws/resource_aws_vpc_endpoint_service.go @@ -27,13 +27,6 @@ func resourceAwsVpcEndpointService() *schema.Resource { Type: schema.TypeBool, Required: true, }, - "network_load_balancer_arns": { - Type: schema.TypeSet, - Required: true, - MinItems: 1, - Elem: &schema.Schema{Type: schema.TypeString}, - Set: schema.HashString, - }, "allowed_principals": { Type: schema.TypeSet, Optional: true, @@ -57,6 +50,13 @@ func resourceAwsVpcEndpointService() *schema.Resource { Type: schema.TypeBool, Computed: true, }, + "network_load_balancer_arns": { + Type: schema.TypeSet, + Required: true, + MinItems: 1, + Elem: &schema.Schema{Type: schema.TypeString}, + Set: schema.HashString, + }, "private_dns_name": { Type: schema.TypeString, Computed: true, @@ -73,6 +73,7 @@ func resourceAwsVpcEndpointService() *schema.Resource { Type: schema.TypeString, Computed: true, }, + "tags": tagsSchema(), }, } } @@ -138,6 +139,10 @@ func resourceAwsVpcEndpointServiceRead(d *schema.ResourceData, meta interface{}) d.Set("service_name", svcCfg.ServiceName) d.Set("service_type", svcCfg.ServiceType[0].ServiceType) d.Set("state", svcCfg.ServiceState) + err = d.Set("tags", tagsToMap(svcCfg.Tags)) + if err != nil { + return fmt.Errorf("error setting tags: %s", err) + } resp, err := conn.DescribeVpcEndpointServicePermissions(&ec2.DescribeVpcEndpointServicePermissionsInput{ ServiceId: aws.String(d.Id()), @@ -197,6 +202,11 @@ func resourceAwsVpcEndpointServiceUpdate(d *schema.ResourceData, meta interface{ d.SetPartial("allowed_principals") } + if err := setTags(conn, d); err != nil { + return err + } + d.SetPartial("tags") + d.Partial(false) return resourceAwsVpcEndpointServiceRead(d, meta) } diff --git a/aws/resource_aws_vpc_endpoint_service_test.go b/aws/resource_aws_vpc_endpoint_service_test.go index d1ccfb06f0fc..a6177fd00ad1 100644 --- a/aws/resource_aws_vpc_endpoint_service_test.go +++ b/aws/resource_aws_vpc_endpoint_service_test.go 
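Review bot: No hunk in this file adds a tagging call to resourceAwsVpcEndpointServiceCreate; `setTags(conn, d)` is added only in resourceAwsVpcEndpointServiceUpdate. Tags supplied at creation are therefore applied only if Create finishes by calling Update, which is not visible here, although the acceptance test's `tags.%` check after the first apply suggests it does. If so, document the dependency with a comment above the new block, such as `// Create relies on this call to apply the initial tags.`, so that a later refactor of Create does not silently drop tagging. If Create does not delegate to Update, it needs its own `setTags` call. The body of Update starts outside the hunk.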
@@ -82,24 +82,27 @@ func testSweepEc2VpcEndpointServices(region string) error { func TestAccAWSVpcEndpointService_basic(t *testing.T) { var svcCfg ec2.ServiceConfiguration - resourceName := "aws_vpc_endpoint_service.foo" + resourceName := "aws_vpc_endpoint_service.test" rName1 := fmt.Sprintf("tf-testacc-vpcesvc-%s", acctest.RandStringFromCharSet(13, acctest.CharSetAlphaNum)) rName2 := fmt.Sprintf("tf-testacc-vpcesvc-%s", acctest.RandStringFromCharSet(13, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ - PreCheck: func() { testAccPreCheck(t) }, - IDRefreshName: "aws_vpc_endpoint_service.foo", - Providers: testAccProviders, - CheckDestroy: testAccCheckVpcEndpointServiceDestroy, + PreCheck: func() { testAccPreCheck(t) }, + Providers: testAccProviders, + CheckDestroy: testAccCheckVpcEndpointServiceDestroy, Steps: []resource.TestStep{ { - Config: testAccVpcEndpointServiceBasicConfig(rName1), + Config: testAccVpcEndpointServiceConfig_basic(rName1), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointServiceExists(resourceName, &svcCfg), resource.TestCheckResourceAttr(resourceName, "acceptance_required", "false"), resource.TestCheckResourceAttr(resourceName, "network_load_balancer_arns.#", "1"), resource.TestCheckResourceAttr(resourceName, "allowed_principals.#", "1"), resource.TestCheckResourceAttr(resourceName, "manages_vpc_endpoints", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "3"), + resource.TestCheckResourceAttr(resourceName, "tags.Environment", "test"), + resource.TestCheckResourceAttr(resourceName, "tags.Usage", "original"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName1), ), }, { 
@@ -108,12 +111,15 @@ func TestAccAWSVpcEndpointService_basic(t *testing.T) { ImportStateVerify: true, }, { - Config: testAccVpcEndpointServiceModifiedConfig(rName1, rName2), + Config: testAccVpcEndpointServiceConfig_modified(rName1, rName2), Check: resource.ComposeTestCheckFunc( - testAccCheckVpcEndpointServiceExists("aws_vpc_endpoint_service.foo", &svcCfg), + testAccCheckVpcEndpointServiceExists(resourceName, &svcCfg), resource.TestCheckResourceAttr(resourceName, "acceptance_required", "true"), resource.TestCheckResourceAttr(resourceName, "network_load_balancer_arns.#", "2"), resource.TestCheckResourceAttr(resourceName, "allowed_principals.#", "0"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.Usage", "changed"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName1), ), }, }, @@ -122,7 +128,7 @@ func TestAccAWSVpcEndpointService_basic(t *testing.T) { func TestAccAWSVpcEndpointService_removed(t *testing.T) { var svcCfg ec2.ServiceConfiguration - resourceName := "aws_vpc_endpoint_service.foo" + resourceName := "aws_vpc_endpoint_service.test" rName := fmt.Sprintf("tf-testacc-vpcesvc-%s", acctest.RandStringFromCharSet(13, acctest.CharSetAlphaNum)) testDestroy := func(*terraform.State) error { @@ -141,7 +147,7 @@ func TestAccAWSVpcEndpointService_removed(t *testing.T) { CheckDestroy: testAccCheckVpcEndpointServiceDestroy, Steps: []resource.TestStep{ { - Config: testAccVpcEndpointServiceBasicConfig(rName), + Config: testAccVpcEndpointServiceConfig_basic(rName), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointServiceExists(resourceName, &svcCfg), testDestroy, 
@@ -209,10 +215,9 @@ func testAccCheckVpcEndpointServiceExists(n string, svcCfg *ec2.ServiceConfigura } } -func testAccVpcEndpointServiceBasicConfig(rName string) string { - return fmt.Sprintf( - ` -resource "aws_vpc" "nlb_test" { +func testAccVpcEndpointServiceConfig_basic(rName string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" tags = { @@ -220,12 +225,12 @@ resource "aws_vpc" "nlb_test" { } } -resource "aws_lb" "nlb_test_1" { +resource "aws_lb" "test1" { name = %[1]q subnets = [ - "${aws_subnet.nlb_test_1.id}", - "${aws_subnet.nlb_test_2.id}", + "${aws_subnet.test1.id}", + "${aws_subnet.test2.id}", ] load_balancer_type = "network" @@ -238,20 +243,22 @@ resource "aws_lb" "nlb_test_1" { } } -resource "aws_subnet" "nlb_test_1" { - vpc_id = "${aws_vpc.nlb_test.id}" +data "aws_availability_zones" "available" {} + +resource "aws_subnet" "test1" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.1.0/24" - availability_zone = "us-west-2a" + availability_zone = "${data.aws_availability_zones.available.names[0]}" tags = { Name = %[1]q } } -resource "aws_subnet" "nlb_test_2" { - vpc_id = "${aws_vpc.nlb_test.id}" +resource "aws_subnet" "test2" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.2.0/24" - availability_zone = "us-west-2b" + availability_zone = "${data.aws_availability_zones.available.names[1]}" tags = { Name = %[1]q 
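Review bot: The new `data "aws_availability_zones" "available" {}` block in the hunk at `-238,20 +243,22` has no state filter, so `names[0]` and `names[1]` in the two subnets can resolve to a zone that is impaired or unavailable when the test runs. `names[1]` also assumes the region returns at least two zones. Setting `state = "available"` inside the data block keeps the subnets, and the network load balancer built on them, on usable zones. The same block is added to `testAccVpcEndpointServiceConfig_modified` in the later hunk at `-321,20 +333,22`. The enclosing `fmt.Sprintf` template starts and ends outside this hunk.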
@@ -260,24 +267,29 @@ resource "aws_subnet" "nlb_test_2" { data "aws_caller_identity" "current" {} -resource "aws_vpc_endpoint_service" "foo" { +resource "aws_vpc_endpoint_service" "test" { acceptance_required = false network_load_balancer_arns = [ - "${aws_lb.nlb_test_1.id}", + "${aws_lb.test1.arn}", ] allowed_principals = [ "${data.aws_caller_identity.current.arn}" ] + + tags = { + Environment = "test" + Usage = "original" + Name = %[1]q + } } `, rName) } -func testAccVpcEndpointServiceModifiedConfig(rName1, rName2 string) string { - return fmt.Sprintf( - ` -resource "aws_vpc" "nlb_test" { +func testAccVpcEndpointServiceConfig_modified(rName1, rName2 string) string { + return fmt.Sprintf(` +resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" tags = { @@ -285,12 +297,12 @@ resource "aws_vpc" "nlb_test" { } } -resource "aws_lb" "nlb_test_1" { +resource "aws_lb" "test1" { name = %[1]q subnets = [ - "${aws_subnet.nlb_test_1.id}", - "${aws_subnet.nlb_test_2.id}", + "${aws_subnet.test1.id}", + "${aws_subnet.test2.id}", ] load_balancer_type = "network" @@ -303,12 +315,12 @@ resource "aws_lb" "nlb_test_1" { } } -resource "aws_lb" "nlb_test_2" { +resource "aws_lb" "test2" { name = %[2]q subnets = [ - "${aws_subnet.nlb_test_1.id}", - "${aws_subnet.nlb_test_2.id}", + "${aws_subnet.test1.id}", + "${aws_subnet.test2.id}", ] load_balancer_type = "network" 
@@ -321,20 +333,22 @@ resource "aws_lb" "nlb_test_2" { } } -resource "aws_subnet" "nlb_test_1" { - vpc_id = "${aws_vpc.nlb_test.id}" +data "aws_availability_zones" "available" {} + +resource "aws_subnet" "test1" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.1.0/24" - availability_zone = "us-west-2a" + availability_zone = "${data.aws_availability_zones.available.names[0]}" tags = { Name = %[1]q } } -resource "aws_subnet" "nlb_test_2" { - vpc_id = "${aws_vpc.nlb_test.id}" +resource "aws_subnet" "test2" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.2.0/24" - availability_zone = "us-west-2b" + availability_zone = "${data.aws_availability_zones.available.names[1]}" tags = { Name = %[1]q @@ -343,15 +357,20 @@ resource "aws_subnet" "nlb_test_2" { data "aws_caller_identity" "current" {} -resource "aws_vpc_endpoint_service" "foo" { +resource "aws_vpc_endpoint_service" "test" { acceptance_required = true network_load_balancer_arns = [ - "${aws_lb.nlb_test_1.id}", - "${aws_lb.nlb_test_2.id}", + "${aws_lb.test1.arn}", + "${aws_lb.test2.arn}", ] allowed_principals = [] + + tags = { + Usage = "changed" + Name = %[1]q + } } `, rName1, rName2) } diff --git a/aws/resource_aws_vpc_endpoint_test.go b/aws/resource_aws_vpc_endpoint_test.go index 39a95ccbe4e2..007028caf6be 100644 --- a/aws/resource_aws_vpc_endpoint_test.go +++ b/aws/resource_aws_vpc_endpoint_test.go @@ -83,7 +83,7 @@ func testSweepEc2VpcEndpoints(region string) error { func TestAccAWSVpcEndpoint_gatewayBasic(t *testing.T) { var endpoint ec2.VpcEndpoint - resourceName := "aws_vpc_endpoint.s3" + resourceName := "aws_vpc_endpoint.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ 
@@ -92,7 +92,7 @@ func TestAccAWSVpcEndpoint_gatewayBasic(t *testing.T) { CheckDestroy: testAccCheckVpcEndpointDestroy, Steps: []resource.TestStep{ { - Config: testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicy(rName), + Config: testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicyOrTags(rName), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointExists(resourceName, &endpoint), testAccCheckVpcEndpointPrefixListAvailable(resourceName), @@ -103,17 +103,18 @@ func TestAccAWSVpcEndpoint_gatewayBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, }, }) } -func TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy(t *testing.T) { +func TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicyAndTags(t *testing.T) { var endpoint ec2.VpcEndpoint var routeTable ec2.RouteTable - resourceName := "aws_vpc_endpoint.s3" - resourceNameRt := "aws_route_table.default" + resourceName := "aws_vpc_endpoint.test" + resourceNameRt := "aws_route_table.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ @@ -122,7 +123,7 @@ func TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy(t *testing.T) { CheckDestroy: testAccCheckVpcEndpointDestroy, Steps: []resource.TestStep{ { - Config: testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicy(rName), + Config: testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicyAndTags(rName), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointExists(resourceName, &endpoint), testAccCheckRouteTableExists(resourceNameRt, &routeTable), 
@@ -134,10 +135,14 @@ func TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "3"), + resource.TestCheckResourceAttr(resourceName, "tags.Environment", "test"), + resource.TestCheckResourceAttr(resourceName, "tags.Usage", "original"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName), ), }, { - Config: testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicyModified(rName), + Config: testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicyAndTagsModified(rName), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointExists(resourceName, &endpoint), testAccCheckRouteTableExists(resourceNameRt, &routeTable), @@ -149,6 +154,9 @@ func TestAccAWSVpcEndpoint_gatewayWithRouteTableAndPolicy(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "0"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "2"), + resource.TestCheckResourceAttr(resourceName, "tags.Usage", "changed"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName), ), }, { @@ -224,7 +232,7 @@ func TestAccAWSVpcEndpoint_gatewayPolicy(t *testing.T) { func TestAccAWSVpcEndpoint_interfaceBasic(t *testing.T) { var endpoint ec2.VpcEndpoint - resourceName := "aws_vpc_endpoint.ec2" + resourceName := "aws_vpc_endpoint.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ 
@@ -245,6 +253,7 @@ func TestAccAWSVpcEndpoint_interfaceBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "1"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, }, @@ -253,7 +262,7 @@ func TestAccAWSVpcEndpoint_interfaceBasic(t *testing.T) { func TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup(t *testing.T) { var endpoint ec2.VpcEndpoint - resourceName := "aws_vpc_endpoint.ec2" + resourceName := "aws_vpc_endpoint.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ @@ -274,6 +283,8 @@ func TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "2"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName), ), }, { @@ -289,6 +300,7 @@ func TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "security_group_ids.#", "1"), resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "true"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "0"), ), }, { 
@@ -302,7 +314,7 @@ func TestAccAWSVpcEndpoint_interfaceWithSubnetAndSecurityGroup(t *testing.T) { func TestAccAWSVpcEndpoint_interfaceNonAWSService(t *testing.T) { var endpoint ec2.VpcEndpoint - resourceName := "aws_vpc_endpoint.foo" + resourceName := "aws_vpc_endpoint.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) resource.ParallelTest(t, resource.TestCase{ @@ -324,6 +336,8 @@ func TestAccAWSVpcEndpoint_interfaceNonAWSService(t *testing.T) { resource.TestCheckResourceAttr(resourceName, "private_dns_enabled", "false"), resource.TestCheckResourceAttr(resourceName, "requester_managed", "false"), resource.TestCheckResourceAttr(resourceName, "state", "available"), + resource.TestCheckResourceAttr(resourceName, "tags.%", "1"), + resource.TestCheckResourceAttr(resourceName, "tags.Name", rName), ), }, }, @@ -332,7 +346,7 @@ func TestAccAWSVpcEndpoint_interfaceNonAWSService(t *testing.T) { func TestAccAWSVpcEndpoint_removed(t *testing.T) { var endpoint ec2.VpcEndpoint - resourceName := "aws_vpc_endpoint.s3" + resourceName := "aws_vpc_endpoint.test" rName := fmt.Sprintf("tf-testacc-vpce-%s", acctest.RandStringFromCharSet(16, acctest.CharSetAlphaNum)) // reach out and DELETE the VPC Endpoint outside of Terraform @@ -353,7 +367,7 @@ func TestAccAWSVpcEndpoint_removed(t *testing.T) { CheckDestroy: testAccCheckVpcEndpointDestroy, Steps: []resource.TestStep{ { - Config: testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicy(rName), + Config: testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicyOrTags(rName), Check: resource.ComposeTestCheckFunc( testAccCheckVpcEndpointExists(resourceName, &endpoint), testDestroy, 
@@ -454,9 +468,9 @@ func testAccCheckVpcEndpointPrefixListAvailable(n string) resource.TestCheckFunc } } -func testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicy(rName string) string { +func testAccVpcEndpointConfig_gatewayWithoutRouteTableOrPolicyOrTags(rName string) string { return fmt.Sprintf(` -resource "aws_vpc" "foo" { +resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" tags = { @@ -466,16 +480,16 @@ resource "aws_vpc" "foo" { data "aws_region" "current" {} -resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" service_name = "com.amazonaws.${data.aws_region.current.name}.s3" } `, rName) } -func testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicy(rName string) string { +func testAccVpcEndpointConfig_gatewayWithRouteTableAndPolicyAndTags(rName string) string { return fmt.Sprintf(` -resource "aws_vpc" "foo" { +resource "aws_vpc" "test" { cidr_block = "10.0.0.0/16" tags = { @@ -483,8 +497,8 @@ resource "aws_vpc" "foo" { } } -resource "aws_subnet" "foo" { - vpc_id = "${aws_vpc.foo.id}" +resource "aws_subnet" "test" { + vpc_id = "${aws_vpc.test.id}" cidr_block = "10.0.1.0/24" tags = { @@ -494,11 +508,12 @@ resource "aws_subnet" "foo" { data "aws_region" "current" {} -resource "aws_vpc_endpoint" "s3" { - vpc_id = "${aws_vpc.foo.id}" - service_name = "com.amazonaws.${data.aws_region.current.name}.s3" +resource "aws_vpc_endpoint" "test" { + vpc_id = "${aws_vpc.test.id}" + service_name = "com.amazonaws.${data.aws_region.current.name}.s3" + route_table_ids = [ - "${aws_route_table.default.id}", + "${aws_route_table.test.id}", ] policy = <