From 30d7b37cb86a14c6269c9349b6ad1d5d3869d4e0 Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Sun, 12 May 2024 13:48:24 +0900 Subject: [PATCH 1/9] feat: dynamodb interface endpoint --- .../aws-cdk-ec2-vpc-endpoint.assets.json | 6 +- .../aws-cdk-ec2-vpc-endpoint.template.json | 250 ++++++---- .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 29 +- .../tree.json | 426 ++++++++++++------ .../aws-ec2/test/integ.vpc-endpoint.lit.ts | 5 + .../aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 13 + .../aws-ec2/test/vpc-endpoint.test.ts | 52 ++- 9 files changed, 544 insertions(+), 241 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json index 242191d193c64..5490b730ae136 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json @@ -1,7 +1,7 @@ { - "version": "20.0.0", + "version": "36.0.0", "files": { - "211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35": { + "682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343": { "source": { "path": "aws-cdk-ec2-vpc-endpoint.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35.json", + "objectKey": "682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json index df7f7ab44ffc0..e717007a4ecf9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json @@ -18,9 +18,6 @@ "MyVpcPublicSubnet1SubnetF6608456": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 0, @@ -44,21 +41,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet1RouteTableC46AB2F4": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet1RouteTableAssociation2ECEE1CB": { @@ -75,12 +75,12 @@ "MyVpcPublicSubnet1DefaultRoute95FDF9EB": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "RouteTableId": { + "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" } }, "DependsOn": [ @@ -102,15 +102,15 @@ "MyVpcPublicSubnet1NATGatewayAD3400C1": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "MyVpcPublicSubnet1SubnetF6608456" - }, "AllocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet1EIP096967CB", "AllocationId" ] }, + "SubnetId": { + "Ref": "MyVpcPublicSubnet1SubnetF6608456" + }, "Tags": [ { "Key": "Name", 
@@ -126,9 +126,6 @@ "MyVpcPublicSubnet2Subnet492B6BFB": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 1, @@ -152,21 +149,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet2RouteTable1DF17386": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet2RouteTableAssociation227DE78D": { @@ -183,12 +183,12 @@ "MyVpcPublicSubnet2DefaultRoute052936F6": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "RouteTableId": { + "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } }, "DependsOn": [ @@ -210,15 +210,15 @@ "MyVpcPublicSubnet2NATGateway91BFBEC9": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" - }, "AllocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet2EIP8CCBA239", "AllocationId" ] }, + "SubnetId": { + "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" + }, "Tags": [ { "Key": "Name", @@ -234,9 +234,6 @@ "MyVpcPrivateSubnet1Subnet5057CF7E": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 0, 
@@ -260,21 +257,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet1RouteTable8819E6E2": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet1RouteTableAssociation56D38C7E": { @@ -291,21 +291,18 @@ "MyVpcPrivateSubnet1DefaultRouteA8CDE2FA": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "MyVpcPublicSubnet1NATGatewayAD3400C1" + }, + "RouteTableId": { + "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" } } }, "MyVpcPrivateSubnet2Subnet0040C983": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 1, @@ -329,21 +326,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet2RouteTableCEDCEECE": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet2RouteTableAssociation86A610DA": { @@ -360,12 +360,12 @@ "MyVpcPrivateSubnet2DefaultRoute9CE96294": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "MyVpcPublicSubnet2NATGateway91BFBEC9" + }, + "RouteTableId": { + "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" } } }, 
@@ -383,32 +383,17 @@ "MyVpcVPCGW488ACE0D": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "InternetGatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "VpcId": { + "Ref": "MyVpcF9F0CA6F" } } }, "MyVpcS3FADC1889": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { - "ServiceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".s3" - ] - ] - }, - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "RouteTableIds": [ { "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" @@ -423,12 +408,6 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "VpcEndpointType": "Gateway" - } - }, - "MyVpcDynamoDbEndpointE6A39B0D": { - "Type": "AWS::EC2::VPCEndpoint", - "Properties": { "ServiceName": { "Fn::Join": [ "", @@ -437,13 +416,19 @@ { "Ref": "AWS::Region" }, - ".dynamodb" + ".s3" ] ] }, + "VpcEndpointType": "Gateway", "VpcId": { "Ref": "MyVpcF9F0CA6F" - }, + } + } + }, + "MyVpcDynamoDbEndpointE6A39B0D": { + "Type": "AWS::EC2::VPCEndpoint", + "Properties": { "PolicyDocument": { "Statement": [ { @@ -474,7 +459,22 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "VpcEndpointType": "Gateway" + "ServiceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, + "VpcEndpointType": "Gateway", + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1": { @@ -530,6 +530,15 @@ "MyVpcEcrDockerEndpoint0385050C": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { + "PrivateDnsEnabled": true, + "SecurityGroupIds": [ + { + "Fn::GetAtt": [ + "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "GroupId" + ] + } + ], "ServiceName": { "Fn::Join": [ "", 
@@ -542,18 +551,94 @@ ] ] }, + "SubnetIds": [ + { + "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" + }, + { + "Ref": "MyVpcPrivateSubnet2Subnet0040C983" + } + ], + "VpcEndpointType": "Interface", "VpcId": { "Ref": "MyVpcF9F0CA6F" - }, - "PrivateDnsEnabled": true, + } + } + }, + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "SecurityGroupIngress": [ + { + "CidrIp": { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + "Description": { + "Fn::Join": [ + "", + [ + "from ", + { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + ":443" + ] + ] + }, + "FromPort": 443, + "IpProtocol": "tcp", + "ToPort": 443 + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc" + } + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } + } + }, + "MyVpcDynamoDbInterfaceEndpointA97B3149": { + "Type": "AWS::EC2::VPCEndpoint", + "Properties": { + "PrivateDnsEnabled": false, "SecurityGroupIds": [ { "Fn::GetAtt": [ - "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF", "GroupId" ] } ], + "ServiceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, "SubnetIds": [ { "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" @@ -562,7 +647,10 @@ "Ref": "MyVpcPrivateSubnet2Subnet0040C983" } ], - "VpcEndpointType": "Interface" + "VpcEndpointType": "Interface", + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } } }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out index 8ecc185e9dbee..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"21.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json index a1e6ca7e8cd1c..291d0adf528b8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "36.0.0", "testCases": { "integ.vpc-endpoint.lit": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json index 542140e0169c4..8a9073b8710a7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "36.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "aws-cdk-ec2-vpc-endpoint.assets": { "type": "cdk:asset-manifest", "properties": { 
@@ -20,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "aws-cdk-ec2-vpc-endpoint.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -201,6 +196,18 @@ "data": "MyVpcEcrDockerEndpoint0385050C" } ], + "/aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF" + } + ], + "/aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyVpcDynamoDbInterfaceEndpointA97B3149" + } + ], "/aws-cdk-ec2-vpc-endpoint/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -215,6 +222,12 @@ ] }, "displayName": "aws-cdk-ec2-vpc-endpoint" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json index e30022e677238..d2dea84eda685 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "aws-cdk-ec2-vpc-endpoint": { "id": "aws-cdk-ec2-vpc-endpoint", "path": "aws-cdk-ec2-vpc-endpoint", @@ -39,7 +31,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPC", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", "version": "0.0.0" } }, @@ -53,9 +45,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -79,11 +68,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -91,8 +83,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -101,19 +93,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, 
@@ -132,7 +124,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, @@ -142,17 +134,17 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "routeTableId": { + "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } }, @@ -172,7 +164,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnEIP", + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", "version": "0.0.0" } }, @@ -182,15 +174,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "MyVpcPublicSubnet1SubnetF6608456" - }, "allocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet1EIP096967CB", "AllocationId" ] }, + "subnetId": { + "Ref": "MyVpcPublicSubnet1SubnetF6608456" + }, "tags": [ { "key": "Name", @@ -200,13 +192,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PublicSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", "version": "0.0.0" } }, @@ -220,9 +212,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -246,11 +235,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, 
@@ -258,8 +250,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -268,19 +260,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -299,7 +291,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, @@ -309,17 +301,17 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "routeTableId": { + "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } }, @@ -339,7 +331,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnEIP", + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", "version": "0.0.0" } }, @@ -349,15 +341,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" - }, "allocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet2EIP8CCBA239", "AllocationId" ] }, + "subnetId": { + "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" + }, "tags": [ { "key": "Name", 
@@ -367,13 +359,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PublicSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", "version": "0.0.0" } }, @@ -387,9 +379,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -413,11 +402,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -425,8 +417,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -435,19 +427,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -466,7 +458,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, 
@@ -476,23 +468,23 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "MyVpcPublicSubnet1NATGatewayAD3400C1" + }, + "routeTableId": { + "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", "version": "0.0.0" } }, @@ -506,9 +498,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -532,11 +521,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -544,8 +536,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -554,19 +546,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -585,7 +577,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, 
@@ -595,23 +587,23 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "MyVpcPublicSubnet2NATGateway91BFBEC9" + }, + "routeTableId": { + "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", "version": "0.0.0" } }, @@ -630,7 +622,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnInternetGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", "version": "0.0.0" } }, @@ -640,16 +632,16 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "internetGatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "vpcId": { + "Ref": "MyVpcF9F0CA6F" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCGatewayAttachment", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", "version": "0.0.0" } }, @@ -663,21 +655,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { - "serviceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".s3" - ] - ] - }, - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "routeTableIds": [ { "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" 
@@ -692,17 +669,32 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "vpcEndpointType": "Gateway" + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".s3" + ] + ] + }, + "vpcEndpointType": "Gateway", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.GatewayVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -716,21 +708,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { - "serviceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".dynamodb" - ] - ] - }, - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "policyDocument": { "Statement": [ { @@ -761,17 +738,32 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "vpcEndpointType": "Gateway" + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, + "vpcEndpointType": "Gateway", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.GatewayVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -837,13 +829,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSecurityGroup", + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.SecurityGroup", + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", "version": "0.0.0" } }, 
@@ -853,6 +845,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { + "privateDnsEnabled": true, + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "GroupId" + ] + } + ], "serviceName": { "Fn::Join": [ "", 
@@ -865,18 +866,130 @@ ] ] }, + "subnetIds": [ + { + "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" + }, + { + "Ref": "MyVpcPrivateSubnet2Subnet0040C983" + } + ], + "vpcEndpointType": "Interface", "vpcId": { "Ref": "MyVpcF9F0CA6F" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "DynamoDbInterfaceEndpoint": { + "id": "DynamoDbInterfaceEndpoint", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint", + "children": { + "SecurityGroup": { + "id": "SecurityGroup", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup", + "aws:cdk:cloudformation:props": { + "groupDescription": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "securityGroupEgress": [ + { + "cidrIp": "0.0.0.0/0", + "description": "Allow all outbound traffic by default", + "ipProtocol": "-1" + } + ], + "securityGroupIngress": [ + { + "cidrIp": { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + "ipProtocol": "tcp", + "fromPort": 443, + "toPort": 443, + "description": { + "Fn::Join": [ + "", + [ + "from ", + { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + ":443" + ] + ] + } + } + ], + "tags": [ + { + "key": "Name", + "value": "aws-cdk-ec2-vpc-endpoint/MyVpc" + } + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } + } }, - "privateDnsEnabled": true, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": 
"aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", + "aws:cdk:cloudformation:props": { + "privateDnsEnabled": false, "securityGroupIds": [ { "Fn::GetAtt": [ - "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF", "GroupId" ] } ], + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, "subnetIds": [ { "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" @@ -885,36 +998,63 @@ "Ref": "MyVpcPrivateSubnet2Subnet0040C983" } ], - "vpcEndpointType": "Interface" + "vpcEndpointType": "Interface", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.InterfaceVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.Vpc", + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-ec2-vpc-endpoint/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-ec2-vpc-endpoint/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts
index 85b03505da83e..eab0459f015eb 100644
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts
@@ -42,6 +42,11 @@ class VpcEndpointStack extends cdk.Stack {
 // open: false
 });
 /// !hide
+
+ // Add an interface endpoint privateDnsDefault false
+ vpc.addInterfaceEndpoint('DynamoDbInterfaceEndpoint', {
+ service: ec2.InterfaceVpcEndpointAwsService.DYNAMODB,
+ });
 }
 }
diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
index 8cd8424219d2b..c65055c5385c9 100644
--- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
@@ -360,6 +360,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ
 public static readonly DATABASE_MIGRATION_SERVICE_FIPS = new InterfaceVpcEndpointAwsService('dms-fips');
 public static readonly DEVOPS_GURU = new InterfaceVpcEndpointAwsService('devops-guru');
 public static readonly DIRECTORY_SERVICE = new InterfaceVpcEndpointAwsService('ds');
+ public static readonly DYNAMODB = new InterfaceVpcEndpointAwsService('dynamodb');
 public static readonly EBS_DIRECT = new InterfaceVpcEndpointAwsService('ebs');
 public static readonly EC2 = new InterfaceVpcEndpointAwsService('ec2');
 public static readonly EC2_MESSAGES = new InterfaceVpcEndpointAwsService('ec2messages');
@@ -589,6 +590,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ
 },
 });
+ this.privateDnsDefault = this.getPrivateDnsDefault(name);
 this.name = `${prefix || defaultEndpointPrefix}.${regionPrefix}${name}${defaultEndpointSuffix}`;
 this.shortName = name;
 this.port = port || 443;
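Review bot: The comment added to the integ stack, `// Add an interface endpoint privateDnsDefault false`, names a property rather than saying what the snapshot is meant to pin; `// DynamoDB interface endpoints do not support private DNS, so this exercises the privateDnsDefault=false path` tells the next maintainer why this endpoint differs from the ECR one above it. Worth remembering that the private subnets in this stack keep their 0.0.0.0/0 route through the NAT gateway, so the integ test proves the resource synthesizes, not that DynamoDB traffic actually traverses the endpoint. The enclosing constructor starts outside the hunk.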
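Review bot: `this.privateDnsDefault = this.getPrivateDnsDefault(name);` makes the constructor consult a name list hidden in a private method, so a reader of the `DYNAMODB` constant in the earlier hunk cannot see that it behaves differently from its neighbours; the assignment also presumes a `privateDnsDefault` field declared on the class outside this hunk. An options argument on the constructor (`{ privateDnsDefault?: boolean }`) would let `DYNAMODB` declare the exception at its definition and remove the lookup. Whichever shape is kept, the constant deserves a JSDoc such as `/** Private DNS is not supported for this endpoint; the public DynamoDB hostname is not redirected, so clients must target the endpoint DNS name or use a gateway endpoint. */`, because that is the operational consequence of synthesizing `PrivateDnsEnabled: false`. The constructor continues past the end of the hunk.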
@@ -642,6 +644,13 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ }; return VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name) ? '.cn' : ''; } + + private getPrivateDnsDefault(name: string) { + const PRIVATE_DNS_NOT_SUPPORTED_SERVICES = [ + 'dynamodb', + ]; + return !PRIVATE_DNS_NOT_SUPPORTED_SERVICES.includes(name); + } } /** @@ -803,6 +812,10 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock)); } + if (props.service instanceof InterfaceVpcEndpointAwsService && props.service.privateDnsDefault === false && props.privateDnsEnabled === true) { + throw new Error(`Cannot create a VPC Endpoint enable private dns enabled: ${props.service.shortName}`); + } + // Determine which subnets to place the endpoint in const subnetIds = this.endpointSubnets(props); diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index 3c1c05ba8dfa8..513004d63f09b 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -549,7 +549,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { region: 'us-east-1' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -563,7 +563,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, 
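Review bot: The new guard at @@ -803 runs after `this.connections.allowDefaultPortFrom(...)` has already added an ingress rule (and presumably after the security group it targets was created), so invalid props are rejected only once side effects have happened; prop validation belongs at the top of the constructor, before any resource is created. The message `Cannot create a VPC Endpoint enable private dns enabled: ...` is also not a sentence and does not tell the caller what to change; `throw new Error(\`Private DNS is not supported for the '${props.service.shortName}' interface endpoint; set privateDnsEnabled to false\`);` does, whereas the later `fix: typo` hunk at @@ -817 rewords it but it still reads oddly. The enclosing constructor starts and ends outside the hunk.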
@@ -589,7 +589,7 @@ describe('vpc endpoint', () => { const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -603,7 +603,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-east-1' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -934,5 +934,49 @@ describe('vpc endpoint', () => { ServiceName: 'aws.api.global.codecatalyst', }); }); + + test('vpc interface endpoints with private dns disabled', () => { + //GIVEN + const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } }); + const vpc = new Vpc(stack, 'VPC'); + + //WHEN + vpc.addInterfaceEndpoint('DynamoDB Endpoint', { + service: InterfaceVpcEndpointAwsService.DYNAMODB, + }); + + //THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', { + ServiceName: { + 'Fn::Join': [ + '', + [ + 'com.amazonaws.', + { + Ref: 'AWS::Region', + }, + '.dynamodb', + ], + ], + }, + VpcId: { + Ref: 'VPCB9E5F0B4', + }, + PrivateDnsEnabled: false, + VpcEndpointType: "Interface", + }); + }); + + test('vpc interface endpoint does\'nt support private dns enabled', () => { + //GIVEN + const stack = new Stack(undefined, 'TestStack'); + const vpc = new Vpc(stack, 'VPC'); + + expect(() => vpc.addInterfaceEndpoint('DynamoDB Endpoint', { + service: InterfaceVpcEndpointAwsService.DYNAMODB, + privateDnsEnabled: true, + }), + ).toThrow('Cannot create a VPC Endpoint enable private dns enabled: dynamodb'); + }); }); }); From e7b6fa65651b03cc185317ae55039e52592cf61c Mon Sep 17 00:00:00 2001 
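Review bot: The new tests write `//GIVEN`, `//WHEN`, `//THEN` without a space after the slashes, while the existing tests in this file use `// WHEN` (visible as context in the hunks above); keep the file's form, `// GIVEN`. The first test is titled 'with private dns disabled' but never sets `privateDnsEnabled`, so it is really pinning the service's default; either name it for the default or pass `privateDnsEnabled: false` so the title and the setup agree. The hard-coded `Ref: 'VPCB9E5F0B4'` ties the test to a logical id the `Vpc` construct computes; `stack.resolve(vpc.vpcId)` expresses the same expectation without the literal.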
From: maz <yiyth.fcb6@gmail.com> Date: Sun, 12 May 2024 23:13:10 +0900 Subject: [PATCH 2/9] fix: update docs --- packages/aws-cdk-lib/aws-ec2/README.md | 9 ++++++--- packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 4 ++++ packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts | 4 ++-- 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 900dddf2f20cb..7589c019eeddf 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -253,7 +253,7 @@ for (const gateway of provider.gatewayInstances) { [using NAT instances](test/integ.nat-instances.lit.ts) [Deprecated] The V1 `NatProvider.instance` construct will use the AWS official NAT instance AMI, which has already -reached EOL on Dec 31, 2023. For more information, see the following blog post: +reached EOL on Dec 31, 2023. For more information, see the following blog post: [Amazon Linux AMI end of life](https://aws.amazon.com/blogs/aws/update-on-amazon-linux-ami-end-of-life/). ```ts @@ -451,7 +451,7 @@ Here is a break down of IPv4 and IPv6 specifc `subnetConfiguration` properties i ```ts const vpc = new ec2.Vpc(this, 'TheVPC', { ipProtocol: ec2.IpProtocol.DUAL_STACK, - + subnetConfiguration: [ { // general properties @@ -474,7 +474,7 @@ The property `mapPublicIpOnLaunch` controls if a public IPv4 address will be ass The `ipv6AssignAddressOnCreation` property controls the same behavior for the IPv6 address. It defaults to true. -Using IPv6 specific properties in an IPv4 only VPC will result in errors. +Using IPv6 specific properties in an IPv4 only VPC will result in errors. ### Accessing the Internet Gateway 
@@ -1061,6 +1061,9 @@ new ec2.InterfaceVpcEndpoint(this, 'VPC Endpoint', { }); ``` +If the interface endpoint doesn't support Private DNS, `privateDnsDefault` will be set false. +In that case, you can't set `privateDnsEnabled` to be true. + #### Security groups for interface VPC endpoints By default, interface VPC endpoints create a new security group and all traffic to the endpoint from within the VPC will be automatically allowed. diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts index c65055c5385c9..1311cd9fc2ce8 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts @@ -565,6 +565,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ /** * Whether Private DNS is supported by default. + * If the interface endpoint doesn't support Private DNS, privateDnsDefault will be set false. */ public readonly privateDnsDefault?: boolean = true; @@ -645,6 +646,9 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ return VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name) ? '.cn' : ''; } + /** + * Get whether the inteface endpoint support Private DNS + */ private getPrivateDnsDefault(name: string) { const PRIVATE_DNS_NOT_SUPPORTED_SERVICES = [ 'dynamodb', diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index 513004d63f09b..5a97a5693216e 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -963,8 +963,8 @@ describe('vpc endpoint', () => { Ref: 'VPCB9E5F0B4', }, PrivateDnsEnabled: false, - VpcEndpointType: "Interface", - }); + VpcEndpointType: 'Interface', + }); }); test('vpc interface endpoint does\'nt support private dns enabled', () => { From d3b7b5055e9cbcd0d7ca20dcbf08e53317c244e8 Mon Sep 17 00:00:00 2001 
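Review bot: The new JSDoc on `getPrivateDnsDefault` at @@ -645 has a typo and a grammar slip: `Get whether the inteface endpoint support Private DNS` should read `Get whether the interface endpoint supports Private DNS`; the later `lint` hunk at @@ -647 re-indents the same two lines but keeps the typo, and the `fix: typo` commit does not touch it either. It would also help to say that the answer is derived only from the short service name, since that is the method's one input.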
From: maz <yiyth.fcb6@gmail.com> Date: Sun, 12 May 2024 23:21:50 +0900 Subject: [PATCH 3/9] fix: typo --- packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 2 +- packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts index 1311cd9fc2ce8..9c5d8b67acd43 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts @@ -817,7 +817,7 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn } if (props.service instanceof InterfaceVpcEndpointAwsService && props.service.privateDnsDefault === false && props.privateDnsEnabled === true) { - throw new Error(`Cannot create a VPC Endpoint enable private dns enabled: ${props.service.shortName}`); + throw new Error(`Cannot create a VPC Endpoint private dns enabled: ${props.service.shortName}`); } // Determine which subnets to place the endpoint in diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index 5a97a5693216e..acd13ee850029 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -976,7 +976,7 @@ describe('vpc endpoint', () => { service: InterfaceVpcEndpointAwsService.DYNAMODB, privateDnsEnabled: true, }), - ).toThrow('Cannot create a VPC Endpoint enable private dns enabled: dynamodb'); + ).toThrow('Cannot create a VPC Endpoint private dns enabled: dynamodb'); }); }); }); From 67013975bea34d0e6b8b4d1ff945b41792638d0a Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Mon, 13 May 2024 00:29:30 +0900 Subject: [PATCH 4/9] fix: unit test --- .../aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) 
diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index acd13ee850029..a1bc829534a7b 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -947,18 +947,7 @@ describe('vpc endpoint', () => { //THEN Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', { - ServiceName: { - 'Fn::Join': [ - '', - [ - 'com.amazonaws.', - { - Ref: 'AWS::Region', - }, - '.dynamodb', - ], - ], - }, + ServiceName: 'com.amazonaws.us-west-2.dynamodb', VpcId: { Ref: 'VPCB9E5F0B4', }, From 162dda7f4513943fa8b0360f9e911eaafff551ae Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Mon, 13 May 2024 19:04:16 +0900 Subject: [PATCH 5/9] fix: typo --- packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index a1bc829534a7b..ba78665aa1a35 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -956,7 +956,7 @@ describe('vpc endpoint', () => { }); }); - test('vpc interface endpoint does\'nt support private dns enabled', () => { + test('vpc interface endpoint does not support private dns enabled', () => { //GIVEN const stack = new Stack(undefined, 'TestStack'); const vpc = new Vpc(stack, 'VPC'); From e3d7da0db3a6c4d6c38c626705e6c44362501b3e Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Wed, 2 Oct 2024 20:49:12 +0900 Subject: [PATCH 6/9] lint --- packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts index 9c5d8b67acd43..4ca36472939a1 100644 
--- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts @@ -647,8 +647,8 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ } /** - * Get whether the inteface endpoint support Private DNS - */ + * Get whether the inteface endpoint support Private DNS + */ private getPrivateDnsDefault(name: string) { const PRIVATE_DNS_NOT_SUPPORTED_SERVICES = [ 'dynamodb', From 30a970c8eb6fec9ddd75e4235b1e996a34831170 Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Wed, 2 Oct 2024 21:03:35 +0900 Subject: [PATCH 7/9] update integ --- .../aws-cdk-ec2-vpc-endpoint.assets.json | 2 +- .../test/integ.vpc-endpoint.lit.js.snapshot/cdk.out | 2 +- .../test/integ.vpc-endpoint.lit.js.snapshot/integ.json | 2 +- .../test/integ.vpc-endpoint.lit.js.snapshot/manifest.json | 3 ++- .../test/integ.vpc-endpoint.lit.js.snapshot/tree.json | 8 ++++---- 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json index 5490b730ae136..fbe2a15a4b619 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "38.0.1", "files": { "682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343": { "source": { diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out index 1f0068d32659a..c6e612584e352 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"36.0.0"} \ No newline at end of file +{"version":"38.0.1"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json index 291d0adf528b8..c2b84e3e20ee8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "38.0.1", "testCases": { "integ.vpc-endpoint.lit": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json index 8a9073b8710a7..1f0923f541fae 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "36.0.0", + "version": "38.0.1", "artifacts": { "aws-cdk-ec2-vpc-endpoint.assets": { "type": "cdk:asset-manifest", 
@@ -16,6 +16,7 @@ "templateFile": "aws-cdk-ec2-vpc-endpoint.template.json", "terminationProtection": false, "validateOnSynth": false, + "notificationArns": [], "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343.json", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json index d2dea84eda685..fd791ab34b91e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json @@ -694,7 +694,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.Resource", + "fqn": "aws-cdk-lib.aws_ec2.GatewayVpcEndpoint", "version": "0.0.0" } }, @@ -763,7 +763,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.Resource", + "fqn": "aws-cdk-lib.aws_ec2.GatewayVpcEndpoint", "version": "0.0.0" } }, @@ -887,7 +887,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.Resource", + "fqn": "aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint", "version": "0.0.0" } }, @@ -1011,7 +1011,7 @@ } }, "constructInfo": { - "fqn": "aws-cdk-lib.Resource", + "fqn": "aws-cdk-lib.aws_ec2.InterfaceVpcEndpoint", "version": "0.0.0" } } From 787c62fd0b2b66e71a0daff99ead45f2d6c16d44 Mon Sep 17 00:00:00 2001 
From: maz <yiyth.fcb6@gmail.com> Date: Thu, 3 Oct 2024 11:03:31 +0900 Subject: [PATCH 8/9] incorporate review comments --- .../test/aws-ec2/test/integ.vpc-endpoint.lit.ts | 3 ++- packages/aws-cdk-lib/aws-ec2/README.md | 3 --- .../aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts | 16 ---------------- .../aws-ec2/test/vpc-endpoint.test.ts | 17 ++--------------- 4 files changed, 4 insertions(+), 35 deletions(-) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts index eab0459f015eb..e10a3203a187f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts @@ -43,9 +43,10 @@ class VpcEndpointStack extends cdk.Stack { }); /// !hide - // Add an interface endpoint privateDnsDefault false + // Add an interface endpoint with privateDnsDefault false vpc.addInterfaceEndpoint('DynamoDbInterfaceEndpoint', { service: ec2.InterfaceVpcEndpointAwsService.DYNAMODB, + privateDnsEnabled: false, }); } } diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 9e633b6307ab6..2e380cedc1f18 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -1061,9 +1061,6 @@ new ec2.InterfaceVpcEndpoint(this, 'VPC Endpoint', { }); ``` -If the interface endpoint doesn't support Private DNS, `privateDnsDefault` will be set false. -In that case, you can't set `privateDnsEnabled` to be true. - #### Security groups for interface VPC endpoints By default, interface VPC endpoints create a new security group and all traffic to the endpoint from within the VPC will be automatically allowed. diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts index 6c26c1720e700..392759d91f835 100644 
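Review bot: The reworded comment `// Add an interface endpoint with privateDnsDefault false` now names the wrong thing: this same commit removes the code that set `privateDnsDefault` for DynamoDB (the vpc-endpoint.ts hunks that follow), so for this service the field keeps its `= true` initializer, and what is false here is the `privateDnsEnabled` prop added on the next line. `// Add an interface endpoint with private DNS disabled` says what the snapshot will show. The enclosing constructor starts outside the hunk.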
--- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts @@ -618,7 +618,6 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ /** * Whether Private DNS is supported by default. - * If the interface endpoint doesn't support Private DNS, privateDnsDefault will be set false. */ public readonly privateDnsDefault?: boolean = true; @@ -644,7 +643,6 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ }, }); - this.privateDnsDefault = this.getPrivateDnsDefault(name); this.name = `${prefix || defaultEndpointPrefix}.${regionPrefix}${name}${defaultEndpointSuffix}`; this.shortName = name; this.port = port || 443; @@ -698,16 +696,6 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ }; return VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name) ? '.cn' : ''; } - - /** - * Get whether the inteface endpoint support Private DNS - */ - private getPrivateDnsDefault(name: string) { - const PRIVATE_DNS_NOT_SUPPORTED_SERVICES = [ - 'dynamodb', - ]; - return !PRIVATE_DNS_NOT_SUPPORTED_SERVICES.includes(name); - } } /** @@ -869,10 +857,6 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock)); } - if (props.service instanceof InterfaceVpcEndpointAwsService && props.service.privateDnsDefault === false && props.privateDnsEnabled === true) { - throw new Error(`Cannot create a VPC Endpoint private dns enabled: ${props.service.shortName}`); - } - // Determine which subnets to place the endpoint in const subnetIds = this.endpointSubnets(props); diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index ba78665aa1a35..8c1877eb00634 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts 
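Review bot: With `this.privateDnsDefault = this.getPrivateDnsDefault(name);` removed at @@ -644 and the guard removed at @@ -869, `InterfaceVpcEndpointAwsService.DYNAMODB` is left with the field initializer `privateDnsDefault?: boolean = true` shown as context at @@ -618, so a caller who omits `privateDnsEnabled` presumably now gets `PrivateDnsEnabled: true` in the template, and the tests in this series only exercise the explicit `privateDnsEnabled: false` path. The earlier commits in the series state that private DNS is unsupported for the DynamoDB interface endpoint; if that holds, the failure moves from synth time to deploy time, and the one place left to tell users is the `DYNAMODB` declaration at @@ -360 of the first commit, which has no doc comment. A JSDoc there along the lines of `/** DynamoDB interface endpoint. Private DNS is not supported for this service; pass privateDnsEnabled: false. */` keeps the constraint visible; if a per-service default is kept instead, wiring it at that declaration rather than in a name-keyed list avoids the helper this commit deletes.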
@@ -943,29 +943,16 @@ describe('vpc endpoint', () => { //WHEN vpc.addInterfaceEndpoint('DynamoDB Endpoint', { service: InterfaceVpcEndpointAwsService.DYNAMODB, + privateDnsEnabled: false, }); //THEN Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', { ServiceName: 'com.amazonaws.us-west-2.dynamodb', - VpcId: { - Ref: 'VPCB9E5F0B4', - }, + VpcId: stack.resolve(vpc.vpcId), PrivateDnsEnabled: false, VpcEndpointType: 'Interface', }); }); - - test('vpc interface endpoint does not support private dns enabled', () => { - //GIVEN - const stack = new Stack(undefined, 'TestStack'); - const vpc = new Vpc(stack, 'VPC'); - - expect(() => vpc.addInterfaceEndpoint('DynamoDB Endpoint', { - service: InterfaceVpcEndpointAwsService.DYNAMODB, - privateDnsEnabled: true, - }), - ).toThrow('Cannot create a VPC Endpoint private dns enabled: dynamodb'); - }); }); }); From 5caf3bc00c03a4f13a8509260bce52e166dd740f Mon Sep 17 00:00:00 2001 From: maz <yiyth.fcb6@gmail.com> Date: Thu, 3 Oct 2024 12:29:24 +0900 Subject: [PATCH 9/9] update test --- packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index 8c1877eb00634..6faa231a475dd 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -935,7 +935,7 @@ describe('vpc endpoint', () => { }); }); - test('vpc interface endpoints with private dns disabled', () => { + test('test vpc interface endpoint with private dns disabled', () => { //GIVEN const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } }); const vpc = new Vpc(stack, 'VPC');
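Review bot: After adding `privateDnsEnabled: false` here, the test pins only the explicit opt-out; the default path with the prop omitted, which the removed second test and the first commit's snapshot exercised, is no longer covered anywhere in the series, and that default changes in this same commit because the service no longer sets `privateDnsDefault`. A second assertion with the prop omitted, expecting whatever the library now intends (presumably `PrivateDnsEnabled: true`), would record that decision rather than leave it implicit. The test function starts outside the hunk.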
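Review bot: The renamed title `'test vpc interface endpoint with private dns disabled'` starts with `test`, which `test(...)` already supplies, so the word appears twice in runner output; `test('vpc interface endpoint with private dns disabled', () => {` is enough. The `//GIVEN` marker in the context line below it still lacks the space the file's existing `// WHEN` comments use.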