aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(ec2): default vpn amazon side asn equals default customer side asn #22848

Open nwouda opened 1 year ago

nwouda commented 1 year ago

Describe the bug

When deploying a VPN Connection you can supply the ASN of the Customer Gateway. Due to a bug in CDK, the same ASN is used for the AmazonSideAsn parameter on the VPN Gateway it creates.

Expected Behavior

The VPN Connection should create a VPN Gateway resource with a non-specified AmazonSideAsn parameter and have CloudFormation handle the creation of the resource.

Current Behavior

Stack creation/update fails with the following message:

Resource handler returned message: "The ASN of the specified customer gateway and virtual private gateway are the same. 

Reproduction Steps

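    import aws_cdk as cdk
    from aws_cdk import aws_ec2 as ec2

    app = cdk.App()
    stack = cdk.Stack(app, 'stack')
    vpc = ec2.Vpc(
        stack, 'vpc',
    )
    # asn is the customer gateway ASN; the VPN gateway that CDK creates
    # for the VPC ends up with the same value as its AmazonSideAsn
    ec2.VpnConnection(
        stack, 'vpn',
        vpc=vpc,
        ip='1.1.1.1',
        asn=65001
    )
    app.synth()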

Possible Solution

Delete this line: https://github.com/aws/aws-cdk/blob/4bdb18e6a43c41ad403c16ab836fe7b991f9531c/packages/%40aws-cdk/aws-ec2/lib/vpn.ts#L295

Additional Information/Context

Not supplying the customer gateway ASN results in something entirely different from 65000, so I think this number is generated upon resource creation.

CDK CLI Version

2.50.0

Framework Version

No response

Node.js Version

v14.17.6

OS

MacOS Ventura

Language

Python

Language Version

3.9.13

Other information

No response

peterwoodworth commented 1 year ago

I was able to reproduce this, thanks for reporting!

Thanks for the PR submission as well, we'll try to take a look when we have the time.

Until we fix this, you can use escape hatches to modify the number generated, or just remove it altogether!

    import { CfnVPNGateway, VpnGateway } from 'aws-cdk-lib/aws-ec2';

    const gateway = vpc.node.findChild('VpnGateway') as VpnGateway;
    // overrides the generated ASN; call addPropertyDeletionOverride instead to remove the property
    (gateway.node.defaultChild as CfnVPNGateway).addPropertyOverride('AmazonSideAsn', 65002);
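
A pre-deployment check for the clash described in this issue, as an added example that is not part of the thread or of CDK: it scans a synthesized CloudFormation template for a VPN connection whose customer gateway `BgpAsn` equals its VPN gateway `AmazonSideAsn`. The function names and the sample template's logical IDs are assumptions made for illustration.

```python
VGW = "AWS::EC2::VPNGateway"
CGW = "AWS::EC2::CustomerGateway"
CONN = "AWS::EC2::VPNConnection"

def _ref(value):
    """Return the logical ID behind {"Ref": id}, or None for anything else."""
    ref = value.get("Ref") if isinstance(value, dict) else None
    return ref if isinstance(ref, str) else None

def _asn(resources, logical_id, expected_type, prop):
    """Read an ASN property as int; None if the resource is missing, has
    another type, or the value is not a literal (e.g. a parameter Ref)."""
    res = resources.get(logical_id) or {}
    if res.get("Type") != expected_type:
        return None
    try:
        return int(res.get("Properties", {}).get(prop))
    except (TypeError, ValueError):
        return None

def find_asn_clashes(template):
    """Return (connection_id, asn) for each VPN connection whose customer
    gateway BgpAsn equals its VPN gateway AmazonSideAsn."""
    resources = template.get("Resources", {})
    clashes = []
    for conn_id, res in sorted(resources.items()):
        if res.get("Type") != CONN:
            continue
        props = res.get("Properties", {})
        cgw = _asn(resources, _ref(props.get("CustomerGatewayId")), CGW, "BgpAsn")
        vgw = _asn(resources, _ref(props.get("VpnGatewayId")), VGW, "AmazonSideAsn")
        if cgw is not None and cgw == vgw:
            clashes.append((conn_id, cgw))
    return clashes

# Constructed sample template: logical IDs are made up, the IP address and
# ASN are the ones from the reproduction steps in the issue.
SAMPLE = {"Resources": {
    "VpcVpnGateway": {"Type": VGW, "Properties": {
        "Type": "ipsec.1", "AmazonSideAsn": 65001}},
    "VpnCustomerGateway": {"Type": CGW, "Properties": {
        "Type": "ipsec.1", "IpAddress": "1.1.1.1", "BgpAsn": 65001}},
    "Vpn": {"Type": CONN, "Properties": {
        "Type": "ipsec.1",
        "CustomerGatewayId": {"Ref": "VpnCustomerGateway"},
        "VpnGatewayId": {"Ref": "VpcVpnGateway"}}},
}}

if __name__ == "__main__":
    for conn_id, asn in find_asn_clashes(SAMPLE):
        print(f"{conn_id}: customer gateway and VPN gateway both use ASN {asn}")
```

Run it against the JSON template that `cdk synth` writes to `cdk.out` (loaded with `json.load`) to catch the clash before CloudFormation rejects the stack.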