# VPC that every other resource in this program attaches to.
# Uses the private range 10.0.0.0/16 with default (shared) instance tenancy.
resource aws_vpc "aws:ec2/vpc:Vpc" {
  cidrBlock       = "10.0.0.0/16"
  instanceTenancy = "default"
}

# VPC endpoint for S3 inside aws_vpc. Its `prefixListId` output feeds the
# getPrefixList lookup below.
# The service name hard-codes the us-west-2 region.
# NOTE(review): no `policy` is set, so the endpoint presumably falls back to
# the provider/AWS default endpoint policy, which is not scoped to specific
# buckets or principals; confirm and attach a least-privilege policy in real
# deployments.
# NOTE(review): no `routeTableIds` are set either, so as written no route table
# appears to send S3 traffic through this endpoint; verify against intent.
resource privateS3VpcEndpoint "aws:ec2/vpcEndpoint:VpcEndpoint" {
  vpcId       = aws_vpc.id
  serviceName = "com.amazonaws.us-west-2.s3"
}

# Looks up the AWS-managed prefix list behind the S3 endpoint, keyed by the
# endpoint's prefixListId. The result's `cidrBlocks` list is consumed by the
# network ACL rule below.
privateS3PrefixList = invoke("aws:ec2:getPrefixList", {
  prefixListId = privateS3VpcEndpoint.prefixListId
})

# Network ACL created in aws_vpc. No inline rules are declared here; the
# single rule is attached by privateS3NetworkAclRule below.
# NOTE(review): no `subnetIds` are given, so this ACL does not appear to be
# associated with any subnet in this program and would filter no traffic
# until it is; confirm.
resource bar "aws:ec2/networkAcl:NetworkAcl" {
  vpcId = aws_vpc.id
}

# Inbound (egress = false) allow rule on ACL `bar`: TCP port 443 from the
# S3 prefix list looked up above.
# NOTE(review): network ACLs are stateless, so traffic in the opposite
# direction needs its own rule; none is declared in this program.
resource privateS3NetworkAclRule "aws:ec2/networkAclRule:NetworkAclRule" {
  networkAclId = bar.id
  ruleNumber   = 200
  egress       = false
  protocol     = "tcp"
  ruleAction   = "allow"
  # Only the first CIDR of the prefix list is used. A prefix list can hold
  # several CIDR blocks, and any beyond index 0 are not covered by this rule.
  # The list's ordering is not established here either, so which range ends
  # up allowed may not be stable across lookups; verify before relying on it.
  cidrBlock    = privateS3PrefixList.cidrBlocks[0]
  fromPort     = 443
  toPort       = 443
}

# A contrived example to test that helper nested records (`filters`
# below) generate correctly when using output-versioned function
# invoke forms.
#
# Both `owners` and the filter `name` are fed bar.id (a network ACL id) only
# so the invoke depends on a resource output; the values are not meaningful
# AMI owners or filter names.
# NOTE(review): not a lookup pattern to copy. In real code `owners` should be
# an explicit list of trusted account IDs or aliases, since a wildcard name
# match such as "pulumi*" is only as trustworthy as the owner restriction
# applied alongside it.
amis = invoke("aws:ec2:getAmiIds", {
  owners = [bar.id]
  filters = [{name=bar.id, values=["pulumi*"]}]
})