aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws_apigatewayv2): VpcLink can't see Private_Isolated subnets #29221

Open rantoniuk opened 6 months ago

rantoniuk commented 6 months ago

Describe the bug

VPC defined as:

    this.vpc = new ec2.Vpc(this, 'Vpc', {
      maxAzs: 2,
      subnetConfiguration: [
        { cidrMask: 24, name: 'Isolated', subnetType: ec2.SubnetType.PRIVATE_ISOLATED },
      ],
    });

When trying to deploy the below APIGW definition:

    import * as cdk from 'aws-cdk-lib';
    import { HttpAlbIntegration } from 'aws-cdk-lib/aws-apigatewayv2-integrations';

    // Internal ALB in the isolated-only VPC, fronting the ECS backend service.
    const lb = new cdk.aws_elasticloadbalancingv2.ApplicationLoadBalancer(this, 'lb', { vpc: props.vpc });
    const listener = lb.addListener('Listener', { port: 80 });

    listener.addTargets('ecs', {
      port: 80,
      targets: [props.backendService.loadBalancerTarget({
        containerName: 'backend',
        containerPort: 8000,
      })],
    });

    // No `subnets` given: the VpcLink falls back to its default subnet selection.
    const vpcLink = new cdk.aws_apigatewayv2.VpcLink(this, 'VpcLink', { vpc: props.vpc });

    new cdk.aws_apigatewayv2.HttpApi(this, 'HttpProxyPrivateApi', {
      apiName: 'BackendApi',
      defaultIntegration: new HttpAlbIntegration('DefaultIntegration', listener, { vpcLink }),
    });

Expected Behavior

VpcLink is created using Isolated subnets automatically.

Current Behavior

Error: There are no 'Private' subnet groups in this VPC. Available types: Isolated,Deprecated_Isolated

Reproduction Steps

As above.

Possible Solution

Workaround:

const vpcLink = new cdk.aws_apigatewayv2.VpcLink(this, 'VpcLink', { vpc: props.vpc, subnets: { subnetType: ec2.SubnetType.PRIVATE_ISOLATED } });

Additional Information/Context

No response

CDK CLI Version

2.129.0

Framework Version

No response

Node.js Version

18.18.2

OS

MacOS

Language

TypeScript

Language Version

No response

Other information

No response

pahud commented 6 months ago

Yes, if you don't specify props.subnets, it would filter and pick up with { subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }, which you don't have in your use case. So you will need to specify props.subnets.

https://github.com/aws/aws-cdk/blob/f0af5b1b1551e03198098610f0377af11447e098/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/vpc-link.ts#L101
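The default selection pahud describes, as an added example that is not aws-cdk code: a small TypeScript model of how a VpcLink picks subnets when `subnets` is omitted, run against the reporter's isolated-only VPC as constructed input. The SubnetType values, helper names and subnet ids are assumptions; the PRIVATE_WITH_EGRESS default and the error text are the ones the issue reports.

```typescript
// Added example, not CDK's implementation: models VpcLink subnet selection.

enum SubnetType {
  PUBLIC = "Public",
  PRIVATE_WITH_EGRESS = "Private",   // has a route to a NAT gateway
  PRIVATE_ISOLATED = "Isolated",     // no route to NAT or internet gateway
}

interface SubnetGroup {
  name: string;
  type: SubnetType;
  subnetIds: string[];
}

interface SubnetSelection {
  subnetType?: SubnetType;
}

// Returns the subnet ids a VpcLink would be attached to. Omitting `selection`
// behaves like asking for PRIVATE_WITH_EGRESS, which is the issue's complaint:
// an isolated-only VPC has no such group, so synthesis fails.
function selectVpcLinkSubnets(groups: SubnetGroup[], selection?: SubnetSelection): string[] {
  const wanted = selection?.subnetType ?? SubnetType.PRIVATE_WITH_EGRESS;
  const matching = groups.filter((g) => g.type === wanted);
  if (matching.length === 0) {
    const available = Array.from(new Set(groups.map((g) => g.type))).join(",");
    throw new Error(`There are no '${wanted}' subnet groups in this VPC. Available types: ${available}`);
  }
  return matching.flatMap((g) => g.subnetIds);
}

// Constructed sample: the reporter's VPC, two AZs, one isolated subnet group.
// (The real CDK error also lists a Deprecated_Isolated alias; omitted here.)
const isolatedOnlyVpc: SubnetGroup[] = [
  { name: "Isolated", type: SubnetType.PRIVATE_ISOLATED, subnetIds: ["subnet-iso-a", "subnet-iso-b"] },
];

// Captures the failure of the default selection as a message, "" if it succeeded.
function defaultSelectionError(): string {
  try {
    selectVpcLinkSubnets(isolatedOnlyVpc);
    return "";
  } catch (e) {
    return (e as Error).message;
  }
}

// Explicit selection, as in the reporter's workaround, keeps the VpcLink in
// subnets with no NAT/IGW path, so the API-to-ALB hop never leaves the VPC.
const isolatedIds = selectVpcLinkSubnets(isolatedOnlyVpc, { subnetType: SubnetType.PRIVATE_ISOLATED });
```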

rantoniuk commented 6 months ago

I would challenge the fact of using PRIVATE_EGRESS as the default - having a VpcLink already means that someone is probably looking for strict security so:

I know it's just an opinion but simplicity of the usage of constructs and minimising the number of props overrides is important in my opinion. Up to you to decide though!

pahud commented 3 months ago

Yeah I guess we need to improve the doc here.

rantoniuk commented 3 months ago

I suggested something else rather than improving the docs.