
cdk: deploying to Govcloud region gives Error [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value #30977

Closed
RossMeyers opened this issue Jul 29, 2024 · 6 comments
Labels
@aws-cdk/custom-resources Related to AWS CDK Custom Resources bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p1

Comments

@RossMeyers

RossMeyers commented Jul 29, 2024

Workaround

If you run into this error, there are a couple ways to work around it:

  1. Edit the @aws-cdk/core:target-partitions feature flag in your cdk.json file
    a. Remove the flag entirely - it limits what is rendered in the mappings, so it is not needed
    b. Add the partition you are missing, for example:
...
"context": {
    ...
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn",
      "aws-us-gov"
    ],
    ...
}
...
  2. Set your region in your stack's env, for example
new ExampleStack(app, 'ExampleStack', {
  env: { region: 'us-gov-west-1' },
});

If you are deploying into Govcloud or iso regions, you should change/remove the feature flag no matter what.

Original Issue Below

Describe the bug

I create a new VPC, synth, and try to deploy to AWS Govcloud and get Error [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value. The LatestNodeRuntimeMap that was added a month ago does not include the two govcloud regions.

Expected Behavior

cdk deploy does not error out and govcloud regions are part of the mapping.

Current Behavior

cdk deploy fails with Error [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value

Reproduction Steps

  1. Create a vpc
    const vpc = new ec2.Vpc(this, 'SandboxVpc1',{
      ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC,
        },
        {
          cidrMask: 24,
          name: 'private',
          subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
        }
      ]
    })
  2. cdk synth
  3. cdk deploy - region is us-gov-east-1 or us-gov-west-1

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

3.150.0

Framework Version

No response

Node.js Version

22.5.1

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response
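The failure in this issue only surfaces at deploy time, when CloudFormation evaluates Fn::FindInMap against a region that the synthesized Mappings block does not contain. The following added example (written for this thread, not code from the aws-cdk project) is a pre-deploy check that walks a synthesized template, finds every Fn::FindInMap keyed on {"Ref": "AWS::Region"}, and reports mappings that lack the target region; it also checks whether the @aws-cdk/core:target-partitions context in cdk.json covers the partition of that region. The region-prefix to partition table and the sample template are assumptions constructed for the example.

```javascript
// Added example: pre-deploy check for region-keyed Mappings and the
// "@aws-cdk/core:target-partitions" feature flag. Not part of aws-cdk.

// Assumed mapping of region name prefixes to AWS partitions (anything
// else is treated as the commercial "aws" partition). Order matters:
// "us-isob-" must be tested before "us-iso-".
const REGION_PARTITIONS = [
  ['us-gov-', 'aws-us-gov'],
  ['cn-', 'aws-cn'],
  ['us-isob-', 'aws-iso-b'],
  ['us-iso-', 'aws-iso'],
];

function partitionOf(region) {
  for (const [prefix, partition] of REGION_PARTITIONS) {
    if (region.startsWith(prefix)) return partition;
  }
  return 'aws';
}

// Mirrors the advice in the thread: when the flag is absent, mappings are
// rendered for every partition; when present, only the listed partitions.
function targetPartitionsCover(cdkJson, region) {
  const flag = (cdkJson.context || {})['@aws-cdk/core:target-partitions'];
  if (flag === undefined) {
    return { ok: true, reason: 'flag absent; all partitions are rendered' };
  }
  const partition = partitionOf(region);
  if (flag.includes(partition)) {
    return { ok: true, reason: `${partition} is listed in target-partitions` };
  }
  return {
    ok: false,
    reason: `partition ${partition} (needed for ${region}) is missing from ${JSON.stringify(flag)}`,
  };
}

// Walks the template and returns one message per Fn::FindInMap that is
// keyed on AWS::Region but whose mapping has no entry for `region`.
function findInMapProblems(template, region) {
  const problems = [];
  const mappings = template.Mappings || {};

  function walk(node, path) {
    if (Array.isArray(node)) {
      node.forEach((child, i) => walk(child, `${path}[${i}]`));
      return;
    }
    if (node && typeof node === 'object') {
      const args = node['Fn::FindInMap'];
      if (Array.isArray(args)) {
        const [mapName, topKey, secondKey] = args;
        const regionKeyed = topKey && typeof topKey === 'object' && topKey.Ref === 'AWS::Region';
        if (regionKeyed) {
          const map = mappings[mapName];
          if (!map) {
            problems.push(`${path}: mapping ${mapName} is not defined`);
          } else if (!(region in map)) {
            problems.push(`${path}: Unable to get mapping for ${mapName}::${region}::${secondKey}`);
          }
        }
      }
      for (const [key, value] of Object.entries(node)) walk(value, `${path}.${key}`);
    }
  }

  walk(template, 'template');
  return problems;
}

// Constructed sample: a template whose runtime mapping only covers two
// commercial regions, as a synth with target-partitions ["aws"] would produce.
const SAMPLE_TEMPLATE = {
  Mappings: {
    LatestNodeRuntimeMap: {
      'us-east-1': { value: 'nodejs20.x' },
      'us-west-2': { value: 'nodejs20.x' },
    },
  },
  Resources: {
    Handler: {
      Type: 'AWS::Lambda::Function',
      Properties: {
        Runtime: { 'Fn::FindInMap': ['LatestNodeRuntimeMap', { Ref: 'AWS::Region' }, 'value'] },
      },
    },
  },
};

// Constructed cdk.json context that omits the GovCloud partition.
const SAMPLE_CDK_JSON = { context: { '@aws-cdk/core:target-partitions': ['aws', 'aws-cn'] } };

function checkDeployment(cdkJson, template, region) {
  const flagCheck = targetPartitionsCover(cdkJson, region);
  const problems = findInMapProblems(template, region);
  return { ok: flagCheck.ok && problems.length === 0, flagCheck, problems };
}

console.log(JSON.stringify(checkDeployment(SAMPLE_CDK_JSON, SAMPLE_TEMPLATE, 'us-gov-west-1'), null, 2));
```

Run this against the output of cdk synth (cdk.out/<stack>.template.json) with the region you intend to deploy to; a non-empty problems list reproduces the exact ValidationError message from this issue before CloudFormation does.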

@RossMeyers RossMeyers added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jul 29, 2024
@pahud
Contributor

pahud commented Jul 29, 2024

According to this added in #30108, it should contain GovCloud

Template.fromStack(stack).hasMapping('LatestNodeRuntimeMap', {
  'af-south-1': { value: 'nodejs20.x' },
  'ap-east-1': { value: 'nodejs20.x' },
  'ap-northeast-1': { value: 'nodejs20.x' },
  'ap-northeast-2': { value: 'nodejs20.x' },
  'ap-northeast-3': { value: 'nodejs20.x' },
  'ap-south-1': { value: 'nodejs20.x' },
  'ap-south-2': { value: 'nodejs20.x' },
  'ap-southeast-1': { value: 'nodejs20.x' },
  'ap-southeast-2': { value: 'nodejs20.x' },
  'ap-southeast-3': { value: 'nodejs20.x' },
  'ap-southeast-4': { value: 'nodejs20.x' },
  'ca-central-1': { value: 'nodejs20.x' },
  'cn-north-1': { value: 'nodejs18.x' },
  'cn-northwest-1': { value: 'nodejs18.x' },
  'eu-central-1': { value: 'nodejs20.x' },
  'eu-central-2': { value: 'nodejs20.x' },
  'eu-north-1': { value: 'nodejs20.x' },
  'eu-south-1': { value: 'nodejs20.x' },
  'eu-south-2': { value: 'nodejs20.x' },
  'eu-west-1': { value: 'nodejs20.x' },
  'eu-west-2': { value: 'nodejs20.x' },
  'eu-west-3': { value: 'nodejs20.x' },
  'il-central-1': { value: 'nodejs20.x' },
  'me-central-1': { value: 'nodejs20.x' },
  'me-south-1': { value: 'nodejs20.x' },
  'sa-east-1': { value: 'nodejs20.x' },
  'us-east-1': { value: 'nodejs20.x' },
  'us-east-2': { value: 'nodejs20.x' },
  'us-gov-east-1': { value: 'nodejs18.x' },
  'us-gov-west-1': { value: 'nodejs18.x' },
  'us-iso-east-1': { value: 'nodejs18.x' },
  'us-iso-west-1': { value: 'nodejs18.x' },
  'us-isob-east-1': { value: 'nodejs18.x' },
  'us-west-1': { value: 'nodejs20.x' },
  'us-west-2': { value: 'nodejs20.x' },
});

But from my test with 2.150.0

new lambda.Function(this, 'Lambda', {
  code: lambda.Code.fromInline('foo'),
  handler: 'index.handler',
  runtime: lambda.determineLatestNodeRuntime(this),
});

The LatestNodeRuntimeMap mapping does not contain GovCloud.

"Mappings": {
  "LatestNodeRuntimeMap": {
   "af-south-1": {
    "value": "nodejs20.x"
   },
   "ap-east-1": {
    "value": "nodejs20.x"
   },
   "ap-northeast-1": {
    "value": "nodejs20.x"
   },
   "ap-northeast-2": {
    "value": "nodejs20.x"
   },
   "ap-northeast-3": {
    "value": "nodejs20.x"
   },
   "ap-south-1": {
    "value": "nodejs20.x"
   },
   "ap-south-2": {
    "value": "nodejs20.x"
   },
   "ap-southeast-1": {
    "value": "nodejs20.x"
   },
   "ap-southeast-2": {
    "value": "nodejs20.x"
   },
   "ap-southeast-3": {
    "value": "nodejs20.x"
   },
   "ap-southeast-4": {
    "value": "nodejs20.x"
   },
   "ap-southeast-5": {
    "value": "nodejs20.x"
   },
   "ap-southeast-7": {
    "value": "nodejs20.x"
   },
   "ca-central-1": {
    "value": "nodejs20.x"
   },
   "ca-west-1": {
    "value": "nodejs20.x"
   },
   "cn-north-1": {
    "value": "nodejs18.x"
   },
   "cn-northwest-1": {
    "value": "nodejs18.x"
   },
   "eu-central-1": {
    "value": "nodejs20.x"
   },
   "eu-central-2": {
    "value": "nodejs20.x"
   },
   "eu-north-1": {
    "value": "nodejs20.x"
   },
   "eu-south-1": {
    "value": "nodejs20.x"
   },
   "eu-south-2": {
    "value": "nodejs20.x"
   },
   "eu-west-1": {
    "value": "nodejs20.x"
   },
   "eu-west-2": {
    "value": "nodejs20.x"
   },
   "eu-west-3": {
    "value": "nodejs20.x"
   },
   "il-central-1": {
    "value": "nodejs20.x"
   },
   "me-central-1": {
    "value": "nodejs20.x"
   },
   "me-south-1": {
    "value": "nodejs20.x"
   },
   "mx-central-1": {
    "value": "nodejs20.x"
   },
   "sa-east-1": {
    "value": "nodejs20.x"
   },
   "us-east-1": {
    "value": "nodejs20.x"
   },
   "us-east-2": {
    "value": "nodejs20.x"
   },
   "us-west-1": {
    "value": "nodejs20.x"
   },
   "us-west-2": {
    "value": "nodejs20.x"
   }
  }
 },

It's probably a bug. We'll discuss this with the team.

@pahud pahud added p1 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jul 29, 2024
@pahud
Contributor

pahud commented Jul 30, 2024

By the way @RossMeyers

Creating a new VPC should not generate the LatestNodeRuntimeMap mapping.

Did you define any other resources in addition to the Vpc?

const vpc = new ec2.Vpc(this, 'SandboxVpc1', {
  ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'public',
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      cidrMask: 24,
      name: 'private',
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    }
  ]
})

@RossMeyers
Author

@pahud no, just the VPC. It looks like it was called as part of a lambda to remove security group rules when readonly restrictDefaultSecurityGroup?: boolean; is left at true.

@pahud
Contributor

pahud commented Jul 30, 2024

Yes you are right.

According to this:

/**
 * If set to true then the default inbound & outbound rules will be removed
 * from the default security group
 *
 * @default true if '@aws-cdk/aws-ec2:restrictDefaultSecurityGroup' is enabled, false otherwise
 */
readonly restrictDefaultSecurityGroup?: boolean;

if ((restrictFlag && props.restrictDefaultSecurityGroup !== false) || props.restrictDefaultSecurityGroup) {
  this.restrictDefaultSecurityGroup();
}

private restrictDefaultSecurityGroup(): void {
  const id = 'Custom::VpcRestrictDefaultSG';
  const provider = RestrictDefaultSgProvider.getOrCreateProvider(this, id, {
    description: 'Lambda function for removing all inbound/outbound rules from the VPC default security group',
  });
  provider.addToRolePolicy({
    Effect: 'Allow',
    Action: [
      'ec2:AuthorizeSecurityGroupIngress',
      'ec2:AuthorizeSecurityGroupEgress',
      'ec2:RevokeSecurityGroupIngress',
      'ec2:RevokeSecurityGroupEgress',
    ],
    Resource: [
      Stack.of(this).formatArn({
        resource: 'security-group',
        service: 'ec2',
        resourceName: this.vpcDefaultSecurityGroup,
      }),
    ],
  });
  new CustomResource(this, 'RestrictDefaultSecurityGroupCustomResource', {
    resourceType: id,
    serviceToken: provider.serviceToken,
    properties: {
      DefaultSecurityGroupId: this.vpcDefaultSecurityGroup,
      Account: Stack.of(this).account,
    },
  });
}

restrictDefaultSecurityGroup is a feature flag whose default is true, so a custom resource and its Lambda provider would be created.

@GavinZZ
Contributor

GavinZZ commented Jul 30, 2024

As a workaround, please update this feature flag (@aws-cdk/core:target-partitions) to include the aws-us-gov partition, or remove the feature flag for now.

So in your app's cdk.json:

...
"context": {
    ...
    "@aws-cdk/core:target-partitions": [
      "aws",
      "aws-cn",
      "aws-us-gov"
    ],
    ...
}
...

This should give you both GovCloud regions.

Removing the entry altogether will populate the mapping with values for all regions.

@scanlonp
Contributor

Hey @RossMeyers, hope this fixes your issue - please let us know if something is still not working for you! Also, setting a region in your stack's env variable should prevent all region mapping issues as well.

I am going to edit the description of this issue to make it more findable and make the workaround clear.

@scanlonp scanlonp changed the title vpc: Unable to get mapping for LatestNodeRuntimeMap cdk: synthing template for Govcloud region givesError [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value Jul 30, 2024
@scanlonp scanlonp changed the title cdk: synthing template for Govcloud region givesError [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value cdk: deploying to Govcloud region givesError [ValidationError]: Template error: Unable to get mapping for LatestNodeRuntimeMap::us-gov-west-1::value Jul 31, 2024
@scanlonp scanlonp added the @aws-cdk/custom-resources Related to AWS CDK Custom Resources label Jul 31, 2024
@moelasmar moelasmar added @aws-cdk/custom-resources Related to AWS CDK Custom Resources closing-soon This issue will automatically close in 4 days unless further comments are made. and removed @aws-cdk/custom-resources Related to AWS CDK Custom Resources @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud labels Aug 28, 2024
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Aug 29, 2024
Development

No branches or pull requests

5 participants