feat(synthetics): add vpc configuration

[RichiCoder1]

This PR adds vpc support to synthetics and is a continuation of #11865.

See Running a canary on a vpc.

Fixes #9954

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[gitpod-io]

[kaizencc]

Hi @RichiCoder1, thanks for opening this PR! As a first step, lets split this into two PRs, one for runConfig and one for vpcConfig. Specifically for runConfig, can you tell me the value add for exposing the rest of those properties over just using escape hatches? I don't see much of a use case for them and we're certainly not blocking anyone. That's why I didn't implement them in the L2 and I don't see anyone knocking down the door for them (the way they were for environment variables). vpcConfig might be helpful, but also might be harder to get right.

[RichiCoder1]

Specifically for runConfig, can you tell me the value add for exposing the rest of those properties over just using escape hatches? I don't see much of a use case for them and we're certainly not blocking anyone. That's why I didn't implement them in the L2 and I don't see anyone knocking down the door for them (the way they were for environment variables)

Partially completeness, partially convenience. I'm personally using the timeout and tracing properties, and while "normal" it's weird to drop the Cfn just to set them when they're simple to implement (and Duration/Size are much nicer to work with).

As a first step, lets split this into two PRs, one for runConfig and one for vpcConfig

I probably should have seen this ask coming, I'll see what I can do :). Before I do so, do we want the VPC configuration options to be top level options, or a sub config like I have in this PR?

[kaizencc]

I don't think its partially complete -- environment variables is its own thing separate from timeout and tracing. The canary L2 is not simply a shell for the L1 and we do not need to adhere to how cfn clusters properties; this means that supplying env variables in the L2 is visible at the top level. But sure, I hear your point that its low-hanging fruit and Duration/Size is better to work with. Happy to add them.

For vpcConfig, I think we should expose a property vpc: ec2.IVpc similar to what we do in lambda.

[RichiCoder1]

Sorry for taking so long to circle back around on this. Gonna scope it back down to VPC (current biggest pain point IMHO) and then can do a follow up on Run Config props.

[RichiCoder1]

This is should be good to review now!

[kaizencc]

Hi @RichiCoder1! Thanks for the PR - it looks like a great start. I don't have much experience with vpcs, so I'm hoping we can lean on your context to provide the best possible experience for our users.

[kaizencc]

This probably should go back to the way it was

[kaizencc]

Please put this in a new integ test file called integ.vpc-canary.ts. If you can come up with stack verification steps that would be great too.

[RichiCoder1]

Sounds good. For stack verification, do mean something like checking the underlying Lambda is in a VPC, or simulate some sort of VPC-only scenario?

[kaizencc]

best if we can check underlying lambda is in vpc, if possible. i don't actually know how.

[kaizencc]

whats this?

[RichiCoder1]

Not sure, don't know how I missed this. Might have been added by some tooling or a bad merge. I'll strip it out and see if it comes back

Pull request has been modified.

[kaizencc]

Looks good to me @RichiCoder1. Approved, though I am going to wait on a second pair of eyes before we get this merged.

[corymhall]

@RichiCoder1 just a couple of comments, the main one around implementing IConnectable.

Since the Canary class can now have security groups, it should implement ec2.IConnectable

export class Canary extends cdk.Resource implements ec2.IConnectable {

[corymhall]

I don't think this is needed. I think it should be fine to just add this to the documentation in the readme and the vpcSubnets docstring. Users will specify if they want to place it in isolated subnets via the vpcSubnets prop, asking again here feels like a "are you sure you know what you are doing?" and I don't think that is needed.

[RichiCoder1]

Nuked allowPrivateSubnet and added IConnectable! Let me know if that looks good and the implementation looks appropriate @corymhall.

Pull request has been modified.

[RichiCoder1]

Nuked allowPrivateSubnet and added IConnectable! Let me know if that looks good and the implementation looks appropriate @corymhall. Implementation more or less swiped from Lambda with wording tweaks (and a slightly variance in how security groups are appended)

[corymhall]

Just 1 more comment and then we are good to go!

[corymhall]

We should pull the list of security groups from this.connections since users will be able to modify this connections object.

securityGroupIds: Lazy.listValue({ produce: () => this.connections.securityGroups.map(sg => sg.securityGroupId) }),

[RichiCoder1]

@corymhall Done! Though used Lazy.list as I got a warning that listValue was deprecated and that seemed to be the replacement. Good to know too, I was wondering how this sort of lazy evaluation worked!

Pull request has been modified.

Pull request has been modified.

[kaizencc]

Looks great @RichiCoder1. Thanks for the contribution!

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
• Commit ID: 2a38371
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).