Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(ec2): interface endpoint AZ lookup does not guard against broken situations #12033

Merged
merged 21 commits into from
Jan 6, 2021
Merged

fix(ec2): interface endpoint AZ lookup does not guard against broken situations #12033

merged 21 commits into from
Jan 6, 2021

Conversation

flemjame-at-amazon
Copy link
Contributor

lookupSupportedAzs can create a VPC endpoint object with no subnets, or fewer subnets than expected, if AZs are not resolved (i.e. they are Tokens). This can create deployment-time failures if all the VPC subnets are filtered out.

This is not a problem with stock CDK, this is a problem with third-party CDK libraries that do not provide concrete AZs (us-east-1a, us-east-1b) for subnets, even though the account and region are specified.

A less common problem is that lookupSupportedAzs can return no subnets if there is no overlap between the user's VPC AZs and the AZs of a service they're connecting to. This also results in a deployment-time failure.

This commit adds error checking to make sure that all subnet AZs are concrete values when using lookupSupportedAzs, and also throws an error if the user inadvertently attempts to create a VPC endpoint with no subnets.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Dec 12, 2020
edited
Loading

@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Dec 12, 2020
rix0rrr
rix0rrr previously requested changes Dec 14, 2020
View reviewed changes
packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts Outdated Show resolved Hide resolved
packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts Outdated Show resolved Hide resolved
@mergify mergify bot dismissed rix0rrr’s stale review December 14, 2020 15:29

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 2d0db2f
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@flemjame-at-amazon
Copy link
Contributor Author

@rix0rrr any update on this?

@rix0rrr rix0rrr changed the title fix(ec2): add error checking to vpc endpoint creation fix(ec2): interface endpoint AZ lookup does not guard against broken situations Jan 6, 2021
@mergify
Copy link
Contributor

mergify bot commented Jan 6, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Jan 6, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 80f0bfd into aws:master Jan 6, 2021
@flemjame-at-amazon flemjame-at-amazon deleted the lookup-azs-warnings branch February 16, 2021 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rootulp rootulp rootulp approved these changes

@rix0rrr rix0rrr rix0rrr approved these changes

Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@flemjame-at-amazon @aws-cdk-automation @rix0rrr @rootulp