aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

migrate: "Dev1ApplicationStackStack could not be generated because LocalIpv4NetworkCidr is not a valid property for resource VPNConnection of type AWS::EC2::VPNConnection" #31560

Open richardgavel-ordinaryexperts opened 2 days ago

richardgavel-ordinaryexperts commented 2 days ago

Describe the bug

See error above.

The property in question is in the CF documentation: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpnconnection.html and in the L1 construct https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.CfnVPNConnection.html. However, it looks like you depend on a library cdklabs/cdk-from-cfn which does not have the property in its https://github.com/cdklabs/cdk-from-cfn/blob/main/src/specification/cdk-resources.json file.

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

Migration occurs

Current Behavior

```
Dev1ApplicationStackStack could not be generated because LocalIpv4NetworkCidr is not a valid property for resource VPNConnection of type AWS::EC2::VPNConnection
[12:16:45] Error: Dev1ApplicationStackStack could not be generated because LocalIpv4NetworkCidr is not a valid property for resource VPNConnection of type AWS::EC2::VPNConnection
    at generateStack (/usr/lib/node_modules/aws-cdk/lib/index.js:471:151618)
    at CdkToolkit.migrate (/usr/lib/node_modules/aws-cdk/lib/index.js:473:4355)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async exec4 (/usr/lib/node_modules/aws-cdk/lib/index.js:526:54490)
```

Reproduction Steps

cdk migrate on a stack that includes a VPN Connection

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.160.0

Framework Version

No response

Node.js Version

v18.20.4

OS

Ubuntu

Language

TypeScript

Language Version

No response

Other information

No response

ashishdhingra commented 1 day ago

Reproducible using the template below (saved locally as `template-1727389237339.yaml`):

YAML template (code taken from [here](https://github.com/microsoft/referencesource/blob/51cf7850defa8a17d815b4700b67116e3fa283c2/System.ServiceModel.Internals/System/Runtime/Collections/OrderedDictionary.cs#L14)):

```YAML
AWSTemplateFormatVersion: '2010-09-09'
Description: 'AWS CloudFormation Sample Template VPC_With_VPN_Connection.template: Sample template showing how to create a private subnet with a VPN connection using static routing to an existing VPN endpoint. NOTE: The VPNConnection created will define the configuration you need yonk the tunnels to your VPN endpoint - you can get the VPN Gateway configuration from the AWS Management console. You will be billed for the AWS resources used if you create a stack from this template.'
Outputs:
  PrivateSubnet:
    Description: SubnetId of the VPN connected subnet
    Value: !Ref PrivateSubnet
  VPCId:
    Description: VPCId of the newly created VPC
    Value: !Ref VPC
Parameters:
  OnPremiseCIDR:
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: 10.0.0.0/16
    Description: IP Address range for your existing infrastructure
    MaxLength: '18'
    MinLength: '9'
    Type: String
  SubnetCIDR:
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: 10.1.0.0/24
    Description: IP Address range for the VPN connected Subnet
    MaxLength: '18'
    MinLength: '9'
    Type: String
  VPCCIDR:
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
    Default: 10.1.0.0/16
    Description: IP Address range for the VPN connected VPC
    MaxLength: '18'
    MinLength: '9'
    Type: String
  VPNAddress:
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})
    ConstraintDescription: must be a valid IP address of the form x.x.x.x
    Description: IP Address of your VPN device
    MaxLength: '15'
    MinLength: '7'
    Type: String
Resources:
  CustomerGateway:
    Properties:
      BgpAsn: 65000
      IpAddress: !Ref VPNAddress
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: VPN
          Value: !Join
            - ''
            - - 'Gateway to '
              - !Ref VPNAddress
      Type: ipsec.1
    Type: AWS::EC2::CustomerGateway
  InboundPrivateNetworkAclEntry:
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: false
      NetworkAclId: !Ref PrivateNetworkAcl
      PortRange:
        From: 0
        To: 65535
      Protocol: 6
      RuleAction: allow
      RuleNumber: 100
    Type: AWS::EC2::NetworkAclEntry
  OutBoundPrivateNetworkAclEntry:
    Properties:
      CidrBlock: 0.0.0.0/0
      Egress: true
      NetworkAclId: !Ref PrivateNetworkAcl
      PortRange:
        From: 0
        To: 65535
      Protocol: 6
      RuleAction: allow
      RuleNumber: 100
    Type: AWS::EC2::NetworkAclEntry
  PrivateNetworkAcl:
    Properties:
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Network
          Value: Private
      VpcId: !Ref VPC
    Type: AWS::EC2::NetworkAcl
  PrivateRoute:
    Properties:
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref VPNGateway
      RouteTableId: !Ref PrivateRouteTable
    Type: AWS::EC2::Route
  PrivateRouteTable:
    Properties:
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Network
          Value: VPN Connected Subnet
      VpcId: !Ref VPC
    Type: AWS::EC2::RouteTable
  PrivateSubnet:
    Properties:
      CidrBlock: !Ref SubnetCIDR
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Network
          Value: VPN Connected Subnet
      VpcId: !Ref VPC
    Type: AWS::EC2::Subnet
  PrivateSubnetNetworkAclAssociation:
    Properties:
      NetworkAclId: !Ref PrivateNetworkAcl
      SubnetId: !Ref PrivateSubnet
    Type: AWS::EC2::SubnetNetworkAclAssociation
  PrivateSubnetRouteTableAssociation:
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      SubnetId: !Ref PrivateSubnet
    Type: AWS::EC2::SubnetRouteTableAssociation
  VPC:
    Properties:
      CidrBlock: !Ref VPCCIDR
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
        - Key: Network
          Value: VPN Connected VPC
    Type: AWS::EC2::VPC
  VPNConnection:
    Properties:
      CustomerGatewayId: !Ref CustomerGateway
      StaticRoutesOnly: true
      Type: ipsec.1
      VpnGatewayId: !Ref VPNGateway
      LocalIpv4NetworkCidr: 10.1.0.0/16
    Type: AWS::EC2::VPNConnection
  VPNConnectionRoute:
    Properties:
      DestinationCidrBlock: !Ref OnPremiseCIDR
      VpnConnectionId: !Ref VPNConnection
    Type: AWS::EC2::VPNConnectionRoute
  VPNGateway:
    Properties:
      Tags:
        - Key: Application
          Value: !Ref AWS::StackName
      Type: ipsec.1
    Type: AWS::EC2::VPNGateway
  VPNGatewayAttachment:
    Properties:
      VpcId: !Ref VPC
      VpnGatewayId: !Ref VPNGateway
    Type: AWS::EC2::VPCGatewayAttachment
```

gives the below error using the command `cdk migrate --stack-name CDK-Local-Template-Migrate-Demo --language typescript --from-path ./template-1727389237339.yaml`:

```
This command is an experimental feature.
 ❌  Migrate failed for `CDK-Local-Template-Migrate-Demo`: CdkLocalTemplateMigrateDemoStack could not be generated because LocalIpv4NetworkCidr is not a valid property for resource VPNConnection of type AWS::EC2::VPNConnection

CdkLocalTemplateMigrateDemoStack could not be generated because LocalIpv4NetworkCidr is not a valid property for resource VPNConnection of type AWS::EC2::VPNConnection
```

Somehow, in CloudFormation Application Composer, the error message `Property LocalIpv4NetworkCidr is not allowed.yaml-schema: Resources(0)` is displayed.
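The report above says `cdk migrate` fails as soon as a template carries a property that the bundled resource spec (cdk-from-cfn's `cdk-resources.json`) does not list, and the reproduction template shows that `LocalIpv4NetworkCidr` on `AWS::EC2::VPNConnection` is such a property. The following TypeScript is an added example, not code from aws-cdk or cdk-from-cfn: a pre-migration check that walks a template's `Resources`, reports every property (or resource type) the spec does not know, and produces a copy with the flagged properties removed together with the removed values, so the migration can run and the values can be re-applied afterwards on the generated L1 construct (`CfnVPNConnection` here) with `addPropertyOverride`. The spec format (`resource type -> list of property names`) is an assumption made for the example and is not the real layout of `cdk-resources.json`; the template is the comment's `VPNConnection` resource rewritten in JSON form (`!Ref X` becomes `{ Ref: "X" }`), and the spec contents are constructed so that they lack `LocalIpv4NetworkCidr`, as the issue describes.

```typescript
// Added example (not aws-cdk or cdk-from-cfn code): pre-check a CloudFormation template
// against a property spec before running `cdk migrate`, so that unsupported properties
// are found up front instead of stopping the migration with
// "<Prop> is not a valid property for resource <LogicalId> of type <Type>".

// Minimal shape of a CloudFormation template in JSON form.
interface CfnTemplate {
  Resources: Record<string, { Type: string; Properties?: Record<string, unknown> }>;
  [key: string]: unknown;
}

// ASSUMED spec format: resource type -> supported property names.
// The real cdk-resources.json has its own layout; adapt a loader to it.
type PropertySpec = Record<string, string[]>;

interface Finding {
  logicalId: string;
  resourceType: string;
  property: string;
  reason: "unknown-property" | "unknown-resource-type";
}

/** Every property (or whole resource type) the spec does not recognise. */
function findUnsupportedProperties(template: CfnTemplate, spec: PropertySpec): Finding[] {
  const findings: Finding[] = [];
  for (const [logicalId, resource] of Object.entries(template.Resources)) {
    const supported = spec[resource.Type];
    if (supported === undefined) {
      // A type missing from the spec cannot be migrated at all; flag it as a whole.
      findings.push({ logicalId, resourceType: resource.Type, property: "*", reason: "unknown-resource-type" });
      continue;
    }
    const allowed = new Set(supported);
    for (const property of Object.keys(resource.Properties ?? {})) {
      if (!allowed.has(property)) {
        findings.push({ logicalId, resourceType: resource.Type, property, reason: "unknown-property" });
      }
    }
  }
  return findings;
}

/** Deep copy of the template without the flagged properties, plus the removed values
 *  keyed by logical id so they can be re-applied after migration (e.g. with
 *  addPropertyOverride on the generated L1 construct). The input is not mutated. */
function stripUnsupportedProperties(
  template: CfnTemplate,
  findings: Finding[],
): { template: CfnTemplate; removed: Record<string, Record<string, unknown>> } {
  const copy: CfnTemplate = JSON.parse(JSON.stringify(template));
  const removed: Record<string, Record<string, unknown>> = {};
  for (const f of findings) {
    if (f.reason !== "unknown-property") continue;
    const props = copy.Resources[f.logicalId].Properties ?? {};
    removed[f.logicalId] = { ...(removed[f.logicalId] ?? {}), [f.property]: props[f.property] };
    delete props[f.property];
  }
  return { template: copy, removed };
}

// Constructed sample: the VPNConnection resource from the reproduction template, in JSON form.
const sampleTemplate: CfnTemplate = {
  AWSTemplateFormatVersion: "2010-09-09",
  Resources: {
    VPNConnection: {
      Type: "AWS::EC2::VPNConnection",
      Properties: {
        CustomerGatewayId: { Ref: "CustomerGateway" },
        StaticRoutesOnly: true,
        Type: "ipsec.1",
        VpnGatewayId: { Ref: "VPNGateway" },
        LocalIpv4NetworkCidr: "10.1.0.0/16",
      },
    },
    VPNGateway: { Type: "AWS::EC2::VPNGateway", Properties: { Type: "ipsec.1" } },
  },
};

// Constructed spec that, like the one the issue describes, lacks LocalIpv4NetworkCidr.
const sampleSpec: PropertySpec = {
  "AWS::EC2::VPNConnection": ["CustomerGatewayId", "StaticRoutesOnly", "Tags", "Type", "VpnGatewayId"],
  "AWS::EC2::VPNGateway": ["AmazonSideAsn", "Tags", "Type"],
};

const findings = findUnsupportedProperties(sampleTemplate, sampleSpec);
for (const f of findings) {
  console.log(`${f.logicalId} (${f.resourceType}): ${f.property} -> ${f.reason}`);
}
const stripped = stripUnsupportedProperties(sampleTemplate, findings);
console.log("re-apply after migration:", JSON.stringify(stripped.removed));
```

Running it prints one finding, `VPNConnection (AWS::EC2::VPNConnection): LocalIpv4NetworkCidr -> unknown-property`, and the value `10.1.0.0/16` to re-apply. Stripping the property is a workaround for the migration step only; the CloudFormation resource and the L1 `CfnVPNConnection` construct both accept it, so it should be restored in the generated stack rather than dropped.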