aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

[SES VPC Endpoints] Incorrect Service Name for HTTPS VPC Endpoints #31669

Open vinmvn opened 4 days ago

vinmvn commented 4 days ago

Describe the bug

When creating SES VPC endpoints using AWS CDK, the generated endpoints are for com.amazonaws.ap-southeast-2.email-smtp, rather than the expected com.amazonaws.ap-southeast-2.email service name, which supports HTTPS for SES.

Regression Issue

Last Known Working CDK Version

No response

Expected Behavior

The SES VPC endpoint generated by the CDK should have the service name com.amazonaws.ap-southeast-2.email, which corresponds to the HTTPS service, not the SMTP service. The SES service endpoint in the CDK is generating an endpoint with com.amazonaws.ap-southeast-2.email-smtp, which is incorrect when HTTPS is intended.

Current Behavior

The code snippet below creates an SES VPC endpoint in CDK, but the generated resource references the com.amazonaws.ap-southeast-2.email-smtp service:

from aws_cdk import aws_ec2 as ec2  # inside a Stack, with `vpc` an existing ec2.Vpc

# Intended: an interface endpoint for the SES HTTPS API in isolated subnets
ses_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESEMAILENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.SES,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)

The expected resource should reference com.amazonaws.ap-southeast-2.email, but instead, the output is:

"serviceName": "com.amazonaws.ap-southeast-2.email-smtp"

Reproduction Steps

Both of these CDK snippets generate the same serviceName (ec2.InterfaceVpcEndpointAwsService.EMAIL_SMTP and ec2.InterfaceVpcEndpointAwsService.SES):

from aws_cdk import aws_ec2 as ec2  # inside a Stack, with `vpc` an existing ec2.Vpc

# Construct ids must be unique within a scope, so the two endpoints get distinct ids
ses_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.SES,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)
ses_smtp_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESSMTPENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.EMAIL_SMTP,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)

Upon synthesis, both resources in the generated CloudFormation stack result in the same serviceName:

"serviceName": "com.amazonaws.ap-southeast-2.email-smtp"

Possible Solution

The CDK should generate the correct service name when ec2.InterfaceVpcEndpointAwsService.SES is used. The service name should point to the HTTPS endpoint com.amazonaws.ap-southeast-2.email, rather than the SMTP service.

Additional Information/Context

No response

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

v20.17.0

OS

macOS Sonoma 14.5

Language

Python

Language Version

3.10.13

Other information

No response
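A quick way to confirm which SES service a stack actually provisions, independent of which enum member was used, is to read the synthesized template rather than the CDK source. The following is an added example, not code from the issue or from the aws-cdk project: it loads a CloudFormation template (the JSON CDK writes under cdk.out), lists every AWS::EC2::VPCEndpoint with its resolved ServiceName, and flags SES-related names. The template embedded below is constructed for the example; the `.email-smtp` resource mirrors the output quoted in the issue, and the S3 gateway endpoint shows the `Fn::Join` form CDK emits when the stack region is not fixed at synth time.

```python
import json

# Constructed sample of a synthesized template; not the reporter's cdk.out.
SAMPLE_TEMPLATE = json.dumps({
    "Resources": {
        "SESEMAILENDPOINTTEST": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                "ServiceName": "com.amazonaws.ap-southeast-2.email-smtp",
                "VpcEndpointType": "Interface",
                "PrivateDnsEnabled": True,
            },
        },
        "S3GATEWAYENDPOINT": {
            "Type": "AWS::EC2::VPCEndpoint",
            "Properties": {
                # Region-agnostic form: CDK joins the region in at deploy time
                "ServiceName": {"Fn::Join": ["", ["com.amazonaws.", {"Ref": "AWS::Region"}, ".s3"]]},
                "VpcEndpointType": "Gateway",
            },
        },
        "SomeBucket": {"Type": "AWS::S3::Bucket"},
    }
})


def resolve_service_name(value, region):
    """Flatten a literal ServiceName or the Fn::Join/Ref AWS::Region form into
    a plain string for the given region. Other intrinsics are returned as JSON
    so they are still visible in the report rather than silently dropped."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if value.get("Ref") == "AWS::Region":
            return region
        if "Fn::Join" in value:
            delimiter, parts = value["Fn::Join"]
            return delimiter.join(resolve_service_name(p, region) for p in parts)
    return json.dumps(value, sort_keys=True)


def list_vpc_endpoints(template_text, region="ap-southeast-2"):
    """Return one dict per AWS::EC2::VPCEndpoint resource in the template."""
    template = json.loads(template_text)
    endpoints = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::VPCEndpoint":
            continue
        props = resource.get("Properties", {})
        endpoints.append({
            "logical_id": logical_id,
            "service_name": resolve_service_name(props.get("ServiceName"), region),
            # CloudFormation defaults VpcEndpointType to Gateway when omitted
            "endpoint_type": props.get("VpcEndpointType", "Gateway"),
            "private_dns": bool(props.get("PrivateDnsEnabled", False)),
        })
    return endpoints


def service_suffix(service_name):
    """'com.amazonaws.<region>.email-smtp' -> 'email-smtp'."""
    return service_name.rsplit(".", 1)[-1]


def check_ses_endpoints(template_text, region="ap-southeast-2"):
    """Return (logical_id, note) for each SES-related endpoint, so a reviewer
    can see at a glance whether the stack provisions SMTP or something else."""
    notes = []
    for ep in list_vpc_endpoints(template_text, region):
        suffix = service_suffix(ep["service_name"])
        if suffix == "email-smtp":
            notes.append((ep["logical_id"],
                          "SES SMTP interface endpoint; serves SMTP, not the SES HTTPS API"))
        elif suffix == "email":
            notes.append((ep["logical_id"],
                          "'.email' is not a PrivateLink-supported SES service name per this thread"))
    return notes


if __name__ == "__main__":
    for ep in list_vpc_endpoints(SAMPLE_TEMPLATE):
        print(ep)
    for logical_id, note in check_ses_endpoints(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {note}")
```

Run it against `cdk.out/<StackName>.template.json` after `cdk synth` and pass the stack's region to `list_vpc_endpoints`; the report makes it obvious when a construct named `SES` has produced the `email-smtp` service.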

pahud commented 4 days ago

https://github.com/aws/aws-cdk/blob/5e7e61f2379074f0e862da8066f01bb43488066a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts#L569

This is actually deprecated. I guess we need InterfaceVpcEndpointAwsService.EMAIL but I can't find any document about this. Are you able to provide any links to the document about the HTTPS endpoint?

Hakai-Shin commented 4 days ago

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_ec2.InterfaceVpcEndpointAwsService.html#static-sesspan-classapi-icon-api-icon-deprecated-titlethis-api-element-is-deprecated-its-use-is-not-recommended%EF%B8%8Fspan

mazyu36 commented 4 days ago

Based on the documentation, the current email-smtp appears to be correct. The "email" does not exist.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

vinmvn commented 3 days ago

Here's the documentation about the HTTPS endpoint: https://docs.aws.amazon.com/general/latest/gr/ses.html

capuns commented 3 days ago

@vinmvn unfortunately SES does not support VPC Endpoints for the SES API. The endpoints you mentioned are the public endpoints. In order to use the API you'd need to use the public endpoint or use the SES SMTP option, which provides a VPCE.