aws-cloudformation / cloudformation-coverage-roadmap

The AWS CloudFormation Public Coverage Roadmap
https://aws.amazon.com/cloudformation/
Creative Commons Attribution Share Alike 4.0 International

AWS::EC2::VPCEndpoint: "Enable private DNS only for inbound endpoint" #1652

Open dieter-aerit opened 1 year ago

dieter-aerit commented 1 year ago

Name of the resource

AWS::EC2::VPCEndpoint

Resource name

No response

Description

[Screenshot, 2023-05-02 09:25:58]

The AWS GUI for an interface endpoint contains an option: "Enable private DNS only for inbound endpoint". There is no matching CloudFormation property to manipulate this option as far as I can see.

I would like a property to exist so I can manipulate this VPC Interface Endpoint setting.

Other Details

No response

ditahm6 commented 9 months ago

Faced a similar issue and wanted to find out if there is an SLA for this?

bkuhlen73 commented 3 months ago

Has anyone set this up with a custom resource to bypass the bottleneck for the time being? If yes, links or code to share? Thanks :)

danblacklist commented 3 months ago

I was able to come up with this custom resource which should help for the time being:

Resources:
  S3InterfaceEndpoint:
    Type: 'Custom::S3InterfaceEndpoint'
    Properties:
      ServiceToken: !GetAtt LambdaFunction.Arn
      VpcId: vpc-8750d3fd
      PrivateDnsEnabled: true
      # The setting this issue is about; passed through to the EC2 API's DnsOptions.
      PrivateDnsOnlyForInboundResolverEndpoint: true
      SubnetIds:
        - subnet-02cfbf5e
        - subnet-104c4a5a
        - subnet-c6c872f8
      SecurityGroupIds:
        - sg-05fa5723976bdb4d8
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      Code:
        ZipFile: !Sub |
          import boto3
          import botocore
          import logging
          import cfnresponse
          logger = logging.getLogger()
          logger.setLevel(logging.INFO)
          ec2 = boto3.client('ec2')
          # Substituted by !Sub at deploy time, so the endpoint follows the stack's region
          # instead of a hard-coded us-east-1.
          SERVICE_NAME = "com.amazonaws.${AWS::Region}.s3"
          def to_bool(value):
              # CloudFormation passes custom resource properties to Lambda as strings
              # ('true'/'false'), so bool() on them would always be True.
              return str(value).strip().lower() in ('true', '1', 'yes')
          def lambda_handler(event, context):
              try:
                  if event['RequestType'] == 'Create':
                      return on_create(event, context)
                  elif event['RequestType'] == 'Delete':
                      return on_delete(event, context)
                  else:
                      # Update: no update workflow is defined yet. Acknowledge with the
                      # existing endpoint ID so the stack does not hang until the
                      # CloudFormation timeout; changed properties are NOT applied.
                      return send_response(event, context, 'SUCCESS',
                                           {'VpcEndpointId': event['PhysicalResourceId']})
              except Exception as e:
                  logger.exception('Unhandled error: %s', e)
                  send_response(event, context, 'FAILED', {'Message': str(e)})
          def on_create(event, context):
              props = event['ResourceProperties']
              logger.info('Create request properties: %s', props)
              try:
                  response = ec2.create_vpc_endpoint(
                      VpcId=props['VpcId'],
                      ServiceName=SERVICE_NAME,
                      VpcEndpointType="Interface",
                      PrivateDnsEnabled=to_bool(props.get('PrivateDnsEnabled', False)),
                      SubnetIds=props['SubnetIds'],
                      SecurityGroupIds=props['SecurityGroupIds'],
                      DnsOptions={
                          # Read from the stack instead of the hard-coded False
                          'PrivateDnsOnlyForInboundResolverEndpoint':
                              to_bool(props.get('PrivateDnsOnlyForInboundResolverEndpoint', False))
                      }
                  )
                  vpc_endpoint_id = response['VpcEndpoint']['VpcEndpointId']
                  logger.info('Created %s', vpc_endpoint_id)
                  return send_response(event, context, 'SUCCESS', {'VpcEndpointId': vpc_endpoint_id})
              except botocore.exceptions.ClientError as e:
                  logger.error('Error creating VPC endpoint: %s', e)
                  return send_response(event, context, 'FAILED', {'Message': str(e)})
          def on_delete(event, context):
              vpc_endpoint_id = event['PhysicalResourceId']
              # After a failed Create, CloudFormation still sends a Delete whose physical ID
              # is not an endpoint ID (cfnresponse falls back to the log stream name);
              # there is nothing to clean up in that case.
              if not vpc_endpoint_id.startswith('vpce-'):
                  return send_response(event, context, 'SUCCESS', {'VpcEndpointId': vpc_endpoint_id})
              logger.info('Deleting %s', vpc_endpoint_id)
              try:
                  ec2.delete_vpc_endpoints(VpcEndpointIds=[vpc_endpoint_id])
                  return send_response(event, context, 'SUCCESS', {'VpcEndpointId': vpc_endpoint_id})
              except botocore.exceptions.ClientError as e:
                  logger.error('Error deleting VPC endpoint: %s', e)
                  return send_response(event, context, 'FAILED', {'Message': str(e)})
          def send_response(event, context, response_status, response_data):
              # Forward the real status; sending cfnresponse.SUCCESS unconditionally
              # would hide API failures from CloudFormation.
              status = cfnresponse.SUCCESS if response_status == 'SUCCESS' else cfnresponse.FAILED
              # Keep the existing physical ID on Update/Delete failures so CloudFormation
              # does not think the resource was replaced.
              physical_id = response_data.get('VpcEndpointId') or event.get('PhysicalResourceId')
              logger.info('Signalling %s with data %s', response_status, response_data)
              cfnresponse.send(event, context, status, response_data, physical_id,
                               reason='See the details in CloudWatch Log Stream: ' + context.log_stream_name)
      Handler: index.lambda_handler
      Runtime: python3.9
      # Placeholder ARN. Use a role limited to ec2:CreateVpcEndpoint, ec2:DeleteVpcEndpoints
      # and CloudWatch Logs rather than an admin role.
      Role: 'arn:aws:iam::<ACCOUNT_ID>:role/admin-lambda'
      Timeout: 60

I haven't defined the UPDATE handler; it can be defined based on the needed workflow.

You would need to input VPC, Subnets, SecurityGroups and Lambda IAM Role with the right permissions from your account to make it work.
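The setting the issue asks for is the EC2 API's DnsOptions.PrivateDnsOnlyForInboundResolverEndpoint, and the custom resource above has to feed it from stack properties. The script below is an added example, not code from the issue, the commenter's template or AWS: it audits a DescribeVpcEndpoints-shaped list for S3 interface endpoints that have private DNS enabled but the flag off (in that state the regional S3 names resolve to the interface endpoint inside the VPC, so in-VPC traffic no longer uses the gateway endpoint, its route-table entry or its endpoint policy), builds the ModifyVpcEndpoint parameters that turn the flag on, and converts the string booleans CloudFormation hands to custom resources. The endpoint and VPC IDs are constructed sample data, the custom-resource property name PrivateDnsOnlyForInboundResolverEndpoint is an assumption, and the boto3 paginator call runs only when a real client is passed.

```python
"""Audit S3 interface endpoints for PrivateDnsOnlyForInboundResolverEndpoint
and build the EC2 API calls that set it. Added example, not code from the
issue thread; all IDs below are constructed."""
from typing import Any, Dict, List, Optional

# Constructed sample shaped like ec2.describe_vpc_endpoints()['VpcEndpoints'].
SAMPLE_ENDPOINTS: List[Dict[str, Any]] = [
    {   # private DNS on, flag off: in-VPC S3 names resolve to this endpoint's ENIs
        "VpcEndpointId": "vpce-0aaa111", "VpcId": "vpc-0example1",
        "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-east-1.s3",
        "State": "available", "PrivateDnsEnabled": True,
        "DnsOptions": {"DnsRecordIpType": "ipv4",
                       "PrivateDnsOnlyForInboundResolverEndpoint": False},
    },
    {   # the same VPC's S3 gateway endpoint, which in-VPC traffic should keep using
        "VpcEndpointId": "vpce-0bbb222", "VpcId": "vpc-0example1",
        "VpcEndpointType": "Gateway", "ServiceName": "com.amazonaws.us-east-1.s3",
        "State": "available", "PrivateDnsEnabled": False,
    },
    {   # flag already on: only queries via an inbound Resolver endpoint get the private answer
        "VpcEndpointId": "vpce-0ccc333", "VpcId": "vpc-0example2",
        "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.eu-west-1.s3",
        "State": "available", "PrivateDnsEnabled": True,
        "DnsOptions": {"DnsRecordIpType": "ipv4",
                       "PrivateDnsOnlyForInboundResolverEndpoint": True},
    },
    {   # private DNS off: the flag has no effect, nothing to report
        "VpcEndpointId": "vpce-0ddd444", "VpcId": "vpc-0example3",
        "VpcEndpointType": "Interface", "ServiceName": "com.amazonaws.us-east-1.s3",
        "State": "available", "PrivateDnsEnabled": False,
        "DnsOptions": {"DnsRecordIpType": "ipv4",
                       "PrivateDnsOnlyForInboundResolverEndpoint": False},
    },
]


def is_s3_service(service_name: str) -> bool:
    """Regional S3 service names end in '.s3' (e.g. com.amazonaws.us-east-1.s3)."""
    return service_name.endswith(".s3")


def inbound_only(ep: Dict[str, Any]) -> bool:
    """The flag as reported by DescribeVpcEndpoints (absent means off)."""
    return bool(ep.get("DnsOptions", {}).get("PrivateDnsOnlyForInboundResolverEndpoint", False))


def find_shadowing_endpoints(endpoints: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """S3 interface endpoints whose private DNS answers also apply inside the VPC
    (PrivateDnsEnabled on, inbound-only flag off), noting whether the VPC also
    has an S3 gateway endpoint that those answers override."""
    gateway_vpcs = {ep["VpcId"] for ep in endpoints
                    if ep.get("VpcEndpointType") == "Gateway" and is_s3_service(ep["ServiceName"])}
    findings = []
    for ep in endpoints:
        if ep.get("VpcEndpointType") != "Interface" or not is_s3_service(ep["ServiceName"]):
            continue
        if not ep.get("PrivateDnsEnabled") or inbound_only(ep):
            continue
        findings.append({"VpcEndpointId": ep["VpcEndpointId"], "VpcId": ep["VpcId"],
                         "HasGatewayEndpoint": ep["VpcId"] in gateway_vpcs})
    return findings


def modify_request(vpc_endpoint_id: str, record_ip_type: str = "ipv4") -> Dict[str, Any]:
    """kwargs for ec2.modify_vpc_endpoint(**...) that turn the flag on; private DNS
    must stay enabled for the option to mean anything."""
    return {"VpcEndpointId": vpc_endpoint_id, "PrivateDnsEnabled": True,
            "DnsOptions": {"DnsRecordIpType": record_ip_type,
                           "PrivateDnsOnlyForInboundResolverEndpoint": True}}


def cfn_bool(value: Any) -> bool:
    """CloudFormation delivers custom-resource properties to Lambda as strings, so a
    template's `true` arrives as 'true'; bool('false') would be True."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text in ("true", "1", "yes"):
        return True
    if text in ("false", "0", "no", ""):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def create_request(props: Dict[str, Any], region: str) -> Dict[str, Any]:
    """kwargs for ec2.create_vpc_endpoint(**...) from custom-resource properties
    (VpcId, SubnetIds, SecurityGroupIds, PrivateDnsEnabled, plus the assumed
    property name PrivateDnsOnlyForInboundResolverEndpoint for the flag)."""
    return {"VpcId": props["VpcId"], "ServiceName": f"com.amazonaws.{region}.s3",
            "VpcEndpointType": "Interface",
            "SubnetIds": list(props["SubnetIds"]),
            "SecurityGroupIds": list(props["SecurityGroupIds"]),
            "PrivateDnsEnabled": cfn_bool(props.get("PrivateDnsEnabled", False)),
            "DnsOptions": {"PrivateDnsOnlyForInboundResolverEndpoint":
                           cfn_bool(props.get("PrivateDnsOnlyForInboundResolverEndpoint", False))}}


def audit(ec2_client: Optional[Any] = None) -> List[Dict[str, Any]]:
    """Audit a real account when given a boto3 EC2 client, else the sample data."""
    if ec2_client is None:
        endpoints = SAMPLE_ENDPOINTS
    else:
        endpoints = [ep for page in ec2_client.get_paginator("describe_vpc_endpoints").paginate()
                     for ep in page["VpcEndpoints"]]
    return find_shadowing_endpoints(endpoints)


if __name__ == "__main__":
    for finding in audit():
        print(finding, "->", modify_request(finding["VpcEndpointId"]))
```

Run it as-is to see the one constructed finding (vpce-0aaa111, in a VPC that also has a gateway endpoint) and the ModifyVpcEndpoint call that fixes it; pass `boto3.client("ec2")` to `audit()` to run it against an account, which needs only ec2:DescribeVpcEndpoints until you actually apply the modify call.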