
fix(ec2): global vpc endpoint support #29563

Merged
merged 6 commits into from
Mar 30, 2024

Conversation

nmussy (Contributor)

@nmussy nmussy commented Mar 20, 2024

Issue # (if applicable)

Closes #29560.

Reason for this change

The service name generated by the CDK for global VPC endpoints was incorrect, as it contained the stack's region:

$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName'

"com.amazonaws.s3-global.accesspoint"

new CfnOutput(this, "endpoint", {
  value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name,
});

// TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint

In addition, another global endpoint was missing from InterfaceVpcEndpointAwsService.

Description of changes

  • The InterfaceVpcEndpointAwsService constructor was modified to
    • I would have preferred to switch to a single object for the optional constructor properties (prefix, port, and now global), but couldn't make a breaking change to a publicly accessible constructor
  • InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS was changed to be a global VPC endpoint
  • InterfaceVpcEndpointAwsService.CODECATALYST was added

Description of how you validated changes

I've added a unit test to check that the global endpoints' names were set correctly.

I also added an integration test for InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.
To test it, I created a publicly accessible EC2 instance on the VPC, connected to it and ran nslookup accesspoint.s3-global.amazonaws.com to make sure it was resolvable (see Configuring a Multi-Region Access Point for use with AWS PrivateLink):

Without the InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS interface endpoint:

$ nslookup accesspoint.s3-global.amazonaws.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
*** Can't find accesspoint.s3-global.amazonaws.com: No answer

With the InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS interface endpoint:

$ nslookup accesspoint.s3-global.amazonaws.com
Server:         10.0.0.2
Address:        10.0.0.2#53

Non-authoritative answer:
Name:   accesspoint.s3-global.amazonaws.com
Address: 10.0.156.75
Name:   accesspoint.s3-global.amazonaws.com
Address: 10.0.246.83

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
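The description above explains the defect (a global endpoint service name must not carry the stack's region) and how it was validated (comparing against the names that describe-vpc-endpoint-services advertises). The following is an added example, not code from the aws-cdk project or from this PR: it models the two name shapes with a small buildServiceName helper and checks generated names against a constructed subset of advertised service names. All identifiers and the sample service list are assumptions made for illustration.

```typescript
// Added example, not aws-cdk code. Models how an interface VPC endpoint service
// name is assembled for regional versus global services, and checks the result
// against the names the EC2 API advertises. All names here are assumptions.

interface ServiceOptions {
  prefix?: string;   // defaults to "com.amazonaws"
  global?: boolean;  // global services carry no region segment in their name
}

// Regional services are "<prefix>.<region>.<name>"; global services drop the
// region segment entirely, which is the behaviour the PR restores for S3 MRAP.
function buildServiceName(name: string, region: string, opts: ServiceOptions = {}): string {
  const prefix = opts.prefix ?? 'com.amazonaws';
  return opts.global ? `${prefix}.${name}` : `${prefix}.${region}.${name}`;
}

// Constructed subset of what `aws ec2 describe-vpc-endpoint-services` returns
// as ServiceDetails[].ServiceName for eu-west-1, so the check runs offline.
const ADVERTISED_SERVICES: ReadonlySet<string> = new Set([
  'com.amazonaws.eu-west-1.ec2',
  'com.amazonaws.eu-west-1.ssm',
  'com.amazonaws.s3-global.accesspoint',
]);

// Returns generated names that no advertised service matches. Catching these
// before deployment avoids an endpoint that fails to create at deploy time.
function findUnknownServiceNames(
  candidates: readonly string[],
  advertised: ReadonlySet<string> = ADVERTISED_SERVICES,
): string[] {
  return candidates.filter((n) => !advertised.has(n));
}

// Reproduces the bug and the fix: treating the S3 Multi-Region Access Point
// service as regional yields a name that does not exist anywhere.
function demo(): { buggy: string; fixed: string; unknown: string[] } {
  const region = 'eu-west-1';
  const buggy = buildServiceName('s3-global.accesspoint', region);
  const fixed = buildServiceName('s3-global.accesspoint', region, { global: true });
  const regional = buildServiceName('ssm', region);
  const unknown = findUnknownServiceNames([buggy, fixed, regional]);
  return { buggy, fixed, unknown };
}

console.log(demo());
```

Running the block prints the buggy name (com.amazonaws.eu-west-1.s3-global.accesspoint), the corrected name (com.amazonaws.s3-global.accesspoint), and the list of unknown names, which contains only the buggy one. The same check can be pointed at the real output of describe-vpc-endpoint-services to verify every endpoint name a stack generates before it is deployed.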

@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Mar 20, 2024
@aws-cdk-automation aws-cdk-automation requested a review from a team March 20, 2024 17:27
aws-cdk-automation (Collaborator) left a comment

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

@aws-cdk-automation aws-cdk-automation dismissed their stale review March 21, 2024 18:54

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

msambol (Contributor)

msambol commented Mar 21, 2024

@nmussy want to rebase this and i'll take a look?

@nmussy nmussy force-pushed the fix-ec2-global-vpc-endpoints branch from 250a767 to 6874c9b March 22, 2024 05:04
@nmussy nmussy marked this pull request as ready for review March 22, 2024 05:04
nmussy (Contributor, Author)

nmussy commented Mar 22, 2024

@msambol Should be good to go, thanks 👍

msambol (Contributor) left a comment

LGTM

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 22, 2024
msambol (Contributor) left a comment

Nice! Thanks.

aaythapa (Contributor) left a comment

Thanks for making this change! Just one nit and question

aaythapa (Contributor)

aaythapa commented Mar 22, 2024

I would have preferred to switch to a single object for the optional constructor properties (prefix, port, and now global), but couldn't make a breaking change to a publicly accessible constructor

Not sure I fully understand this part of the description, could you elaborate? Did you want to add prefix, port and global as one props like object?

nmussy (Contributor, Author)

nmussy commented Mar 22, 2024

Did you want to add prefix, port and global as one props like object?

Ideally, yes. The Props interface we ended up with still leaves us with undefined args before it, but changing that would cause a breaking change. We could have a factory function I suppose, but it would require storing the global property to allow the constructor to access it.


mergify bot commented Mar 25, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 25, 2024

msambol (Contributor)

msambol commented Mar 29, 2024

@Mergifyio refresh


mergify bot commented Mar 29, 2024

refresh

❌ Command disallowed due to command restrictions in the Mergify configuration.

  • any of:
    • sender-permission>=write
    • sender={{author}}

nmussy (Contributor, Author)

nmussy commented Mar 29, 2024

@Mergifyio refresh


mergify bot commented Mar 29, 2024

refresh

✅ Pull request refreshed

aws-cdk-automation (Collaborator)

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 5f4a42d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository


mergify bot commented Mar 29, 2024

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

nmussy (Contributor, Author)

nmussy commented Mar 30, 2024

@Mergifyio refresh


mergify bot commented Mar 30, 2024

refresh

✅ Pull request refreshed

@mergify mergify bot merged commit df48fd7 into aws:main Mar 30, 2024
9 checks passed
@nmussy nmussy deleted the fix-ec2-global-vpc-endpoints branch March 30, 2024 10:41
@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Successfully merging this pull request may close these issues.

ec2: Missing and invalid global VPC endpoints