diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json index 242191d193c64..5490b730ae136 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.assets.json @@ -1,7 +1,7 @@ { - "version": "20.0.0", + "version": "36.0.0", "files": { - "211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35": { + "682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343": { "source": { "path": "aws-cdk-ec2-vpc-endpoint.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35.json", + "objectKey": "682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json index df7f7ab44ffc0..e717007a4ecf9 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/aws-cdk-ec2-vpc-endpoint.template.json 
@@ -18,9 +18,6 @@ "MyVpcPublicSubnet1SubnetF6608456": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 0, @@ -44,21 +41,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet1RouteTableC46AB2F4": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet1RouteTableAssociation2ECEE1CB": { @@ -75,12 +75,12 @@ "MyVpcPublicSubnet1DefaultRoute95FDF9EB": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "RouteTableId": { + "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" } }, "DependsOn": [ @@ -102,15 +102,15 @@ "MyVpcPublicSubnet1NATGatewayAD3400C1": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "MyVpcPublicSubnet1SubnetF6608456" - }, "AllocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet1EIP096967CB", "AllocationId" ] }, + "SubnetId": { + "Ref": "MyVpcPublicSubnet1SubnetF6608456" + }, "Tags": [ { "Key": "Name", @@ -126,9 +126,6 @@ "MyVpcPublicSubnet2Subnet492B6BFB": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 1, 
@@ -152,21 +149,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet2RouteTable1DF17386": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPublicSubnet2RouteTableAssociation227DE78D": { @@ -183,12 +183,12 @@ "MyVpcPublicSubnet2DefaultRoute052936F6": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" - }, "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "RouteTableId": { + "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } }, "DependsOn": [ @@ -210,15 +210,15 @@ "MyVpcPublicSubnet2NATGateway91BFBEC9": { "Type": "AWS::EC2::NatGateway", "Properties": { - "SubnetId": { - "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" - }, "AllocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet2EIP8CCBA239", "AllocationId" ] }, + "SubnetId": { + "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" + }, "Tags": [ { "Key": "Name", @@ -234,9 +234,6 @@ "MyVpcPrivateSubnet1Subnet5057CF7E": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 0, @@ -260,21 +257,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet1RouteTable8819E6E2": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet1RouteTableAssociation56D38C7E": { 
@@ -291,21 +291,18 @@ "MyVpcPrivateSubnet1DefaultRouteA8CDE2FA": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "MyVpcPublicSubnet1NATGatewayAD3400C1" + }, + "RouteTableId": { + "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" } } }, "MyVpcPrivateSubnet2Subnet0040C983": { "Type": "AWS::EC2::Subnet", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "AvailabilityZone": { "Fn::Select": [ 1, @@ -329,21 +326,24 @@ "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet2RouteTableCEDCEECE": { "Type": "AWS::EC2::RouteTable", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "Tags": [ { "Key": "Name", "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcPrivateSubnet2RouteTableAssociation86A610DA": { @@ -360,12 +360,12 @@ "MyVpcPrivateSubnet2DefaultRoute9CE96294": { "Type": "AWS::EC2::Route", "Properties": { - "RouteTableId": { - "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" - }, "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": { "Ref": "MyVpcPublicSubnet2NATGateway91BFBEC9" + }, + "RouteTableId": { + "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" } } }, @@ -383,32 +383,17 @@ "MyVpcVPCGW488ACE0D": { "Type": "AWS::EC2::VPCGatewayAttachment", "Properties": { - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "InternetGatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "VpcId": { + "Ref": "MyVpcF9F0CA6F" } } }, "MyVpcS3FADC1889": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { - "ServiceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".s3" - ] - ] - }, - "VpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "RouteTableIds": [ { "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" 
@@ -423,12 +408,6 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "VpcEndpointType": "Gateway" - } - }, - "MyVpcDynamoDbEndpointE6A39B0D": { - "Type": "AWS::EC2::VPCEndpoint", - "Properties": { "ServiceName": { "Fn::Join": [ "", @@ -437,13 +416,19 @@ { "Ref": "AWS::Region" }, - ".dynamodb" + ".s3" ] ] }, + "VpcEndpointType": "Gateway", "VpcId": { "Ref": "MyVpcF9F0CA6F" - }, + } + } + }, + "MyVpcDynamoDbEndpointE6A39B0D": { + "Type": "AWS::EC2::VPCEndpoint", + "Properties": { "PolicyDocument": { "Statement": [ { @@ -474,7 +459,22 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "VpcEndpointType": "Gateway" + "ServiceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, + "VpcEndpointType": "Gateway", + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1": { @@ -530,6 +530,15 @@ "MyVpcEcrDockerEndpoint0385050C": { "Type": "AWS::EC2::VPCEndpoint", "Properties": { + "PrivateDnsEnabled": true, + "SecurityGroupIds": [ + { + "Fn::GetAtt": [ + "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "GroupId" + ] + } + ], "ServiceName": { "Fn::Join": [ "", 
@@ -542,18 +551,94 @@ ] ] }, + "SubnetIds": [ + { + "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" + }, + { + "Ref": "MyVpcPrivateSubnet2Subnet0040C983" + } + ], + "VpcEndpointType": "Interface", "VpcId": { "Ref": "MyVpcF9F0CA6F" - }, - "PrivateDnsEnabled": true, + } + } + }, + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF": { + "Type": "AWS::EC2::SecurityGroup", + "Properties": { + "GroupDescription": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "SecurityGroupEgress": [ + { + "CidrIp": "0.0.0.0/0", + "Description": "Allow all outbound traffic by default", + "IpProtocol": "-1" + } + ], + "SecurityGroupIngress": [ + { + "CidrIp": { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + "Description": { + "Fn::Join": [ + "", + [ + "from ", + { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + ":443" + ] + ] + }, + "FromPort": 443, + "IpProtocol": "tcp", + "ToPort": 443 + } + ], + "Tags": [ + { + "Key": "Name", + "Value": "aws-cdk-ec2-vpc-endpoint/MyVpc" + } + ], + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } + } + }, + "MyVpcDynamoDbInterfaceEndpointA97B3149": { + "Type": "AWS::EC2::VPCEndpoint", + "Properties": { + "PrivateDnsEnabled": false, "SecurityGroupIds": [ { "Fn::GetAtt": [ - "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF", "GroupId" ] } ], + "ServiceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, "SubnetIds": [ { "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" @@ -562,7 +647,10 @@ "Ref": "MyVpcPrivateSubnet2Subnet0040C983" } ], - "VpcEndpointType": "Interface" + "VpcEndpointType": "Interface", + "VpcId": { + "Ref": "MyVpcF9F0CA6F" + } } } }, 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out index 8ecc185e9dbee..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"21.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json index a1e6ca7e8cd1c..291d0adf528b8 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "20.0.0", + "version": "36.0.0", "testCases": { "integ.vpc-endpoint.lit": { "stacks": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json index 542140e0169c4..8a9073b8710a7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/manifest.json @@ -1,12 +1,6 @@ { - "version": "20.0.0", + "version": "36.0.0", "artifacts": { - "Tree": { - "type": "cdk:tree", - "properties": { - "file": "tree.json" - } - }, "aws-cdk-ec2-vpc-endpoint.assets": { "type": "cdk:asset-manifest", "properties": { 
@@ -20,10 +14,11 @@ "environment": "aws://unknown-account/unknown-region", "properties": { "templateFile": "aws-cdk-ec2-vpc-endpoint.template.json", + "terminationProtection": false, "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/211c13487f1f150aef71cb67b4da3fe4727ea378abaff0cace0f9230b9e65b35.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/682c0c54750397812543d2f9f0be89b6d5668e279b45ede909c9ef6ee4e67343.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ @@ -201,6 +196,18 @@ "data": "MyVpcEcrDockerEndpoint0385050C" } ], + "/aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF" + } + ], + "/aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/Resource": [ + { + "type": "aws:cdk:logicalId", + "data": "MyVpcDynamoDbInterfaceEndpointA97B3149" + } + ], "/aws-cdk-ec2-vpc-endpoint/BootstrapVersion": [ { "type": "aws:cdk:logicalId", @@ -215,6 +222,12 @@ ] }, "displayName": "aws-cdk-ec2-vpc-endpoint" + }, + "Tree": { + "type": "cdk:tree", + "properties": { + "file": "tree.json" + } } } } \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json index e30022e677238..d2dea84eda685 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.js.snapshot/tree.json @@ -4,14 +4,6 @@ "id": "App", "path": "", "children": { - "Tree": { - "id": "Tree", - "path": "Tree", - "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" - } - }, "aws-cdk-ec2-vpc-endpoint": { "id": "aws-cdk-ec2-vpc-endpoint", "path": "aws-cdk-ec2-vpc-endpoint", @@ -39,7 +31,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPC", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPC", "version": "0.0.0" } }, @@ -53,9 +45,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -79,11 +68,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -91,8 +83,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -101,19 +93,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, 
@@ -132,7 +124,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, @@ -142,17 +134,17 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "routeTableId": { + "Ref": "MyVpcPublicSubnet1RouteTableC46AB2F4" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } }, @@ -172,7 +164,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnEIP", + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", "version": "0.0.0" } }, @@ -182,15 +174,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "MyVpcPublicSubnet1SubnetF6608456" - }, "allocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet1EIP096967CB", "AllocationId" ] }, + "subnetId": { + "Ref": "MyVpcPublicSubnet1SubnetF6608456" + }, "tags": [ { "key": "Name", @@ -200,13 +192,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PublicSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", "version": "0.0.0" } }, @@ -220,9 +212,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -246,11 +235,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, 
@@ -258,8 +250,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -268,19 +260,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PublicSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -299,7 +291,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, @@ -309,17 +301,17 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" - }, "destinationCidrBlock": "0.0.0.0/0", "gatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "routeTableId": { + "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } }, @@ -339,7 +331,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnEIP", + "fqn": "aws-cdk-lib.aws_ec2.CfnEIP", "version": "0.0.0" } }, @@ -349,15 +341,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::NatGateway", "aws:cdk:cloudformation:props": { - "subnetId": { - "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" - }, "allocationId": { "Fn::GetAtt": [ "MyVpcPublicSubnet2EIP8CCBA239", "AllocationId" ] }, + "subnetId": { + "Ref": "MyVpcPublicSubnet2Subnet492B6BFB" + }, "tags": [ { "key": "Name", 
@@ -367,13 +359,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnNatGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnNatGateway", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PublicSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PublicSubnet", "version": "0.0.0" } }, @@ -387,9 +379,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 0, @@ -413,11 +402,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -425,8 +417,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -435,19 +427,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet1" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -466,7 +458,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, 
@@ -476,23 +468,23 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "MyVpcPublicSubnet1NATGatewayAD3400C1" + }, + "routeTableId": { + "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", "version": "0.0.0" } }, @@ -506,9 +498,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Subnet", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "availabilityZone": { "Fn::Select": [ 1, @@ -532,11 +521,14 @@ "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnet", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnet", "version": "0.0.0" } }, @@ -544,8 +536,8 @@ "id": "Acl", "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2/Acl", "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" } }, "RouteTable": { @@ -554,19 +546,19 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::RouteTable", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "tags": [ { "key": "Name", "value": "aws-cdk-ec2-vpc-endpoint/MyVpc/PrivateSubnet2" } - ] + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRouteTable", + "fqn": "aws-cdk-lib.aws_ec2.CfnRouteTable", "version": "0.0.0" } }, @@ -585,7 +577,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSubnetRouteTableAssociation", + "fqn": "aws-cdk-lib.aws_ec2.CfnSubnetRouteTableAssociation", "version": "0.0.0" } }, 
@@ -595,23 +587,23 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::Route", "aws:cdk:cloudformation:props": { - "routeTableId": { - "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" - }, "destinationCidrBlock": "0.0.0.0/0", "natGatewayId": { "Ref": "MyVpcPublicSubnet2NATGateway91BFBEC9" + }, + "routeTableId": { + "Ref": "MyVpcPrivateSubnet2RouteTableCEDCEECE" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnRoute", + "fqn": "aws-cdk-lib.aws_ec2.CfnRoute", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.PrivateSubnet", + "fqn": "aws-cdk-lib.aws_ec2.PrivateSubnet", "version": "0.0.0" } }, @@ -630,7 +622,7 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnInternetGateway", + "fqn": "aws-cdk-lib.aws_ec2.CfnInternetGateway", "version": "0.0.0" } }, @@ -640,16 +632,16 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCGatewayAttachment", "aws:cdk:cloudformation:props": { - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "internetGatewayId": { "Ref": "MyVpcIGW5C4A4F63" + }, + "vpcId": { + "Ref": "MyVpcF9F0CA6F" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCGatewayAttachment", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCGatewayAttachment", "version": "0.0.0" } }, @@ -663,21 +655,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { - "serviceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".s3" - ] - ] - }, - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "routeTableIds": [ { "Ref": "MyVpcPrivateSubnet1RouteTable8819E6E2" 
@@ -692,17 +669,32 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "vpcEndpointType": "Gateway" + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".s3" + ] + ] + }, + "vpcEndpointType": "Gateway", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.GatewayVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -716,21 +708,6 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { - "serviceName": { - "Fn::Join": [ - "", - [ - "com.amazonaws.", - { - "Ref": "AWS::Region" - }, - ".dynamodb" - ] - ] - }, - "vpcId": { - "Ref": "MyVpcF9F0CA6F" - }, "policyDocument": { "Statement": [ { @@ -761,17 +738,32 @@ "Ref": "MyVpcPublicSubnet2RouteTable1DF17386" } ], - "vpcEndpointType": "Gateway" + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, + "vpcEndpointType": "Gateway", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.GatewayVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } }, @@ -837,13 +829,13 @@ } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnSecurityGroup", + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.SecurityGroup", + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", "version": "0.0.0" } }, 
@@ -853,6 +845,15 @@ "attributes": { "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", "aws:cdk:cloudformation:props": { + "privateDnsEnabled": true, + "securityGroupIds": [ + { + "Fn::GetAtt": [ + "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "GroupId" + ] + } + ], "serviceName": { "Fn::Join": [ "", 
@@ -865,18 +866,130 @@ ] ] }, + "subnetIds": [ + { + "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" + }, + { + "Ref": "MyVpcPrivateSubnet2Subnet0040C983" + } + ], + "vpcEndpointType": "Interface", "vpcId": { "Ref": "MyVpcF9F0CA6F" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.Resource", + "version": "0.0.0" + } + }, + "DynamoDbInterfaceEndpoint": { + "id": "DynamoDbInterfaceEndpoint", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint", + "children": { + "SecurityGroup": { + "id": "SecurityGroup", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "children": { + "Resource": { + "id": "Resource", + "path": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::SecurityGroup", + "aws:cdk:cloudformation:props": { + "groupDescription": "aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/SecurityGroup", + "securityGroupEgress": [ + { + "cidrIp": "0.0.0.0/0", + "description": "Allow all outbound traffic by default", + "ipProtocol": "-1" + } + ], + "securityGroupIngress": [ + { + "cidrIp": { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + "ipProtocol": "tcp", + "fromPort": 443, + "toPort": 443, + "description": { + "Fn::Join": [ + "", + [ + "from ", + { + "Fn::GetAtt": [ + "MyVpcF9F0CA6F", + "CidrBlock" + ] + }, + ":443" + ] + ] + } + } + ], + "tags": [ + { + "key": "Name", + "value": "aws-cdk-ec2-vpc-endpoint/MyVpc" + } + ], + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } + } }, - "privateDnsEnabled": true, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.CfnSecurityGroup", + "version": "0.0.0" + } + } + }, + "constructInfo": { + "fqn": "aws-cdk-lib.aws_ec2.SecurityGroup", + "version": "0.0.0" + } + }, + "Resource": { + "id": "Resource", + "path": 
"aws-cdk-ec2-vpc-endpoint/MyVpc/DynamoDbInterfaceEndpoint/Resource", + "attributes": { + "aws:cdk:cloudformation:type": "AWS::EC2::VPCEndpoint", + "aws:cdk:cloudformation:props": { + "privateDnsEnabled": false, "securityGroupIds": [ { "Fn::GetAtt": [ - "MyVpcEcrDockerEndpointSecurityGroup47BB9CC1", + "MyVpcDynamoDbInterfaceEndpointSecurityGroupD6D5A6EF", "GroupId" ] } ], + "serviceName": { + "Fn::Join": [ + "", + [ + "com.amazonaws.", + { + "Ref": "AWS::Region" + }, + ".dynamodb" + ] + ] + }, "subnetIds": [ { "Ref": "MyVpcPrivateSubnet1Subnet5057CF7E" @@ -885,36 +998,63 @@ "Ref": "MyVpcPrivateSubnet2Subnet0040C983" } ], - "vpcEndpointType": "Interface" + "vpcEndpointType": "Interface", + "vpcId": { + "Ref": "MyVpcF9F0CA6F" + } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.CfnVPCEndpoint", + "fqn": "aws-cdk-lib.aws_ec2.CfnVPCEndpoint", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.InterfaceVpcEndpoint", + "fqn": "aws-cdk-lib.Resource", "version": "0.0.0" } } }, "constructInfo": { - "fqn": "@aws-cdk/aws-ec2.Vpc", + "fqn": "aws-cdk-lib.aws_ec2.Vpc", + "version": "0.0.0" + } + }, + "BootstrapVersion": { + "id": "BootstrapVersion", + "path": "aws-cdk-ec2-vpc-endpoint/BootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnParameter", + "version": "0.0.0" + } + }, + "CheckBootstrapVersion": { + "id": "CheckBootstrapVersion", + "path": "aws-cdk-ec2-vpc-endpoint/CheckBootstrapVersion", + "constructInfo": { + "fqn": "aws-cdk-lib.CfnRule", "version": "0.0.0" } } }, + "constructInfo": { + "fqn": "aws-cdk-lib.Stack", + "version": "0.0.0" + } + }, + "Tree": { + "id": "Tree", + "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.1.85" + "version": "10.3.0" } } }, "constructInfo": { - "fqn": "constructs.Construct", - "version": "10.1.85" + "fqn": "aws-cdk-lib.App", + "version": "0.0.0" } } } \ No newline at end of file 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts index 85b03505da83e..eab0459f015eb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint.lit.ts @@ -42,6 +42,11 @@ class VpcEndpointStack extends cdk.Stack { // open: false }); /// !hide + + // Add an interface endpoint privateDnsDefault false + vpc.addInterfaceEndpoint('DynamoDbInterfaceEndpoint', { + service: ec2.InterfaceVpcEndpointAwsService.DYNAMODB, + }); } } diff --git a/packages/aws-cdk-lib/aws-ec2/README.md b/packages/aws-cdk-lib/aws-ec2/README.md index 2e380cedc1f18..9e633b6307ab6 100644 --- a/packages/aws-cdk-lib/aws-ec2/README.md +++ b/packages/aws-cdk-lib/aws-ec2/README.md @@ -1061,6 +1061,9 @@ new ec2.InterfaceVpcEndpoint(this, 'VPC Endpoint', { }); ``` +If the interface endpoint doesn't support Private DNS, `privateDnsDefault` will be set false. +In that case, you can't set `privateDnsEnabled` to be true. + #### Security groups for interface VPC endpoints By default, interface VPC endpoints create a new security group and all traffic to the endpoint from within the VPC will be automatically allowed. diff --git a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts index d186d00987317..30bbba87b2463 100644 --- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts 
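Review bot: The comment `// Add an interface endpoint privateDnsDefault false` above the new `addInterfaceEndpoint` call does not say why the value is false or what the integ test is meant to demonstrate, and `privateDnsDefault` is a property of the service, not something this call sets. Suggest `// DynamoDB interface endpoints do not support Private DNS: InterfaceVpcEndpointAwsService.DYNAMODB reports privateDnsDefault=false, so this synthesizes with PrivateDnsEnabled: false` — the snapshot template in this change shows exactly that value on `MyVpcDynamoDbInterfaceEndpointA97B3149`. The enclosing `VpcEndpointStack` constructor starts outside this hunk.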
@@ -374,6 +374,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ public static readonly DEADLINE_CLOUD_SCHEDULING = new InterfaceVpcEndpointAwsService('deadline.scheduling'); public static readonly DEVOPS_GURU = new InterfaceVpcEndpointAwsService('devops-guru'); public static readonly DIRECTORY_SERVICE = new InterfaceVpcEndpointAwsService('ds'); + public static readonly DYNAMODB = new InterfaceVpcEndpointAwsService('dynamodb'); public static readonly EBS_DIRECT = new InterfaceVpcEndpointAwsService('ebs'); public static readonly EC2 = new InterfaceVpcEndpointAwsService('ec2'); public static readonly EC2_MESSAGES = new InterfaceVpcEndpointAwsService('ec2messages'); @@ -613,6 +614,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ /** * Whether Private DNS is supported by default. + * If the interface endpoint doesn't support Private DNS, privateDnsDefault will be set false. */ public readonly privateDnsDefault?: boolean = true; @@ -638,6 +640,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ }, }); + this.privateDnsDefault = this.getPrivateDnsDefault(name); this.name = `${prefix || defaultEndpointPrefix}.${regionPrefix}${name}${defaultEndpointSuffix}`; this.shortName = name; this.port = port || 443; @@ -691,6 +694,16 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ }; return VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name) ? '.cn' : ''; } + + /** + * Get whether the inteface endpoint support Private DNS + */ + private getPrivateDnsDefault(name: string) { + const PRIVATE_DNS_NOT_SUPPORTED_SERVICES = [ + 'dynamodb', + ]; + return !PRIVATE_DNS_NOT_SUPPORTED_SERVICES.includes(name); + } } /** 
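Review bot: In the last hunk, `getPrivateDnsDefault` rebuilds the `PRIVATE_DNS_NOT_SUPPORTED_SERVICES` array on every construction, and since every static member of the class (`DYNAMODB`, `EC2`, …) runs this constructor, the lookup table is better kept as a module-level `const PRIVATE_DNS_NOT_SUPPORTED_SERVICES: ReadonlySet<string> = new Set(['dynamodb']);` declared above the class, with the method reduced to `return !PRIVATE_DNS_NOT_SUPPORTED_SERVICES.has(name);` — it must not become a `static` field declared below the instances, because static initializers run in declaration order and it would be undefined when `DYNAMODB` is constructed. The JSDoc on the new method has a typo and a grammar slip ("inteface", "support"); `Whether the interface endpoint for the given service name supports Private DNS.` reads cleanly. The field doc in the second hunk states the mechanism but not the consequence a user needs; adding `When false the endpoint is created with PrivateDnsEnabled false, so clients must address the endpoint-specific DNS names rather than the public service hostname.` would make the `privateDnsEnabled: true` rejection in `InterfaceVpcEndpoint` understandable. With the constructor now always assigning it, the `?` on `privateDnsDefault?: boolean` is misleading, though narrowing the public type may be an API-compatibility decision for the maintainers.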
@@ -852,6 +865,10 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn this.connections.allowDefaultPortFrom(Peer.ipv4(props.vpc.vpcCidrBlock)); } + if (props.service instanceof InterfaceVpcEndpointAwsService && props.service.privateDnsDefault === false && props.privateDnsEnabled === true) { + throw new Error(`Cannot create a VPC Endpoint private dns enabled: ${props.service.shortName}`); + } + // Determine which subnets to place the endpoint in const subnetIds = this.endpointSubnets(props); diff --git a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts index 3c1c05ba8dfa8..ba78665aa1a35 100644 --- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts +++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts @@ -549,7 +549,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { region: 'us-east-1' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -563,7 +563,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -589,7 +589,7 @@ describe('vpc endpoint', () => { const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, 
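Review bot: The new validation in the first hunk runs after the security group and its `allowDefaultPortFrom` rule have already been created, so the constructor does side effects before rejecting the props; moving the check to the top of the constructor (which starts outside the hunk) makes it fail before any child construct exists. The `instanceof InterfaceVpcEndpointAwsService` guard also means a custom `IInterfaceVpcEndpointService` that reports `privateDnsDefault === false` is not validated — if that interface exposes `privateDnsDefault`, as its use here suggests, the check can be written against the interface, and the message can name the actual conflict: `if (props.privateDnsEnabled === true && props.service.privateDnsDefault === false) {` / `  throw new Error(\`Private DNS is not supported for the ${props.service.name} interface endpoint; leave privateDnsEnabled unset or set it to false\`);` / `}`. The `toThrow` expectation in the unit test pins the current message, so it would need the same wording change.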
@@ -603,7 +603,7 @@ describe('vpc endpoint', () => { const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-east-1' } }); const vpc = new Vpc(stack, 'VPC'); // WHEN - expect(() =>vpc.addInterfaceEndpoint('YourService', { + expect(() => vpc.addInterfaceEndpoint('YourService', { service: { name: 'com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc', port: 443, @@ -934,5 +934,38 @@ describe('vpc endpoint', () => { ServiceName: 'aws.api.global.codecatalyst', }); }); + + test('vpc interface endpoints with private dns disabled', () => { + //GIVEN + const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } }); + const vpc = new Vpc(stack, 'VPC'); + + //WHEN + vpc.addInterfaceEndpoint('DynamoDB Endpoint', { + service: InterfaceVpcEndpointAwsService.DYNAMODB, + }); + + //THEN + Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', { + ServiceName: 'com.amazonaws.us-west-2.dynamodb', + VpcId: { + Ref: 'VPCB9E5F0B4', + }, + PrivateDnsEnabled: false, + VpcEndpointType: 'Interface', + }); + }); + + test('vpc interface endpoint does not support private dns enabled', () => { + //GIVEN + const stack = new Stack(undefined, 'TestStack'); + const vpc = new Vpc(stack, 'VPC'); + + expect(() => vpc.addInterfaceEndpoint('DynamoDB Endpoint', { + service: InterfaceVpcEndpointAwsService.DYNAMODB, + privateDnsEnabled: true, + }), + ).toThrow('Cannot create a VPC Endpoint private dns enabled: dynamodb'); + }); }); });
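Review bot: The two new tests in the last hunk write `//GIVEN`, `//WHEN`, `//THEN` without the space that the rest of this file uses (`// WHEN` in the earlier hunks), so the file's comment style should be followed. The negative test only covers `privateDnsEnabled: true`; the accepted explicit opt-out is untested, and one line closes that gap: `expect(() => vpc.addInterfaceEndpoint('DynamoDB Endpoint Explicit', { service: InterfaceVpcEndpointAwsService.DYNAMODB, privateDnsEnabled: false })).not.toThrow();`. The `describe` block enclosing both tests starts outside the hunk.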