feat(route53): Vpc endpoint service private dns

packages/@aws-cdk/aws-ec2/README.md

@@ -621,6 +621,20 @@ new VpcEndpointService(this, 'EndpointService', {
 });
 ```
 
+Endpoint services support private DNS, which makes it easier for clients to connect to your service by automatically setting up DNS in their VPC.
+You can enable private DNS on an endpoint service like so:
+
+```ts
+new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
+  endpointService: vpces,
+  domainName: 'my-stuff.aws-cdk.dev',
+  publicZone: zone,
+});
+```
+
+Note: You must have verifiable ownership of the domain before customers can use private DNS. The VpcEndpointServiceDomainName
+will verify ownership for you, assuming you own the domain.
+
 ## Instances
 
 You can use the `Instance` class to start up a single EC2 instance. For production setups, we recommend

packages/@aws-cdk/aws-ec2/lib/vpc-endpoint-service.ts

@@ -27,6 +27,14 @@ export interface IVpcEndpointService extends IResource {
    * @attribute
    */
   readonly vpcEndpointServiceName: string;
+
+  /**
+   * The id of the VPC Endpoint Service that clients use to connect to,
+   * like vpce-svc-xxxxxxxxxxxxxxxx
+   *
+   * @attribute
+   */
+  readonly vpcEndpointServiceId: string;
 }
 
 /**

packages/@aws-cdk/aws-route53-patterns/README.md

@@ -49,3 +49,41 @@ As an existing certificate is not provided, one will be created in `us-east-1` b
     })
   });
   ```
+
+## VPC Endpoint Service Private DNS
+
+When you create a VPC endpoint service, AWS generates endpoint-specific DNS hostnames that consumers use to communicate with the service.
+For example, vpce-1234-abcdev-us-east-1.vpce-svc-123345.us-east-1.vpce.amazonaws.com.
+By default, your consumers access the service with that DNS name.
+This can cause problems with HTTPS traffic because the DNS will not match the backend certificate.
+To mitigate this, clients have to create an alias in Route53 which requires changes to their application.
+
+Private DNS for an endpoint service lets you configure a private DNS name so consumers can
+access the service using an existing DNS name without making changes to their applications.
+This DNS name can also be guaranteed to match up with the backend certificate.
+
+Before consumers can use the private DNS name, you must verify that you have control of the domain/subdomain.
+
+Assuming your account has verifiable ownership of the particlar domain/subdomain,
+this construct sets up the private DNS configuration on the endpoint service,
+creates all the necessary Route53 entries, and verifies domain ownership.
+
+```
+stack = new Stack();
+vpc = new Vpc(stack, 'VPC');
+nlb = new NetworkLoadBalancer(stack, 'NLB', {
+  vpc,
+});
+vpces = new VpcEndpointService(stack, 'VPCES', {
+  vpcEndpointServiceLoadBalancers: [nlb],
+});
+// You must use a public hosted zone so domain ownership can be verified
+zone = new PublicHostedZone(stack, 'PHZ', {
+  zoneName: 'aws-cdk.dev',
+});
+new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
+  endpointService: vpces,
+  domainName: 'my-stuff.aws-cdk.dev',
+  publicZone: zone,
+});
+```

packages/@aws-cdk/aws-route53-patterns/lib/index.ts

@@ -1 +1,2 @@
+export * from './vpc-endpoint-service-domain-name';
 export * from './website-redirect';

packages/@aws-cdk/aws-route53-patterns/lib/vpc-endpoint-service-domain-name.ts

@@ -0,0 +1,178 @@
+import { IVpcEndpointService } from '@aws-cdk/aws-ec2';
+import { IPublicHostedZone, TxtRecord } from '@aws-cdk/aws-route53';
+import { Fn } from '@aws-cdk/core';
+import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from '@aws-cdk/custom-resources';
+import { Construct } from 'constructs';
+
+// v2 - keep this import as a separate section to reduce merge conflict when forward merging with the v2 branch.
+// eslint-disable-next-line
+import { Construct as CoreConstruct } from '@aws-cdk/core';
+
+/**
+ * Properties to configure a VPC Endpoint Service domain name
+ */
+export interface VpcEndpointServiceDomainNameProps {
+
+  /**
+   * The VPC Endpoint Service to configure Private DNS for
+   */
+  readonly endpointService: IVpcEndpointService;
+
+  /**
+   * The domain name to use.
+   *
+   * This domain name must be verifiably owned by this account, or otherwise
+   * delegated to this account.
+   * https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-services-dns-validation.html
+   */
+  readonly domainName: string;
+
+  /**
+   * The public hosted zone to use for the domain.
+   */
+  readonly publicZone: IPublicHostedZone;
+}
+
+/**
+ * A Private DNS configuration for a VPC endpoint service.
+ */
+export class VpcEndpointServiceDomainName extends CoreConstruct {
+
+  // Track all domain names created, so someone doesn't accidentally associate two domains with a single service
+  private static readonly endpointServices: IVpcEndpointService[] = [];
+
+  // The way this class works is by using three custom resources and a TxtRecord in conjunction
+  // The first custom resource tells the VPC endpoint service to use the given DNS name
+  // The VPC endpoint service will then say:
+  // "ok, create a TXT record using these two values to prove you own the domain"
+  // The second custom resource retrieves these two values from the service
+  // The TxtRecord is created from these two values
+  // The third custom resource tells the VPC Endpoint Service to verify the domain ownership
+  constructor(scope: Construct, id: string, props: VpcEndpointServiceDomainNameProps) {
+    super(scope, id);
+
+    // Make sure a user doesn't accidentally add multiple domains
+    this.validateParams(props);
+    VpcEndpointServiceDomainName.endpointServices.push(props.endpointService);
+
+    const serviceId = props.endpointService.vpcEndpointServiceId;
+    const privateDnsName = props.domainName;
+
+    // Turns creates the Private DNS configuration on the endpoint service
+    const enable = new AwsCustomResource(this, 'EnableDns', {
+      onCreate: {
+        service: 'EC2',
+        action: 'modifyVpcEndpointServiceConfiguration',
+        parameters: {
+          ServiceId: serviceId,
+          PrivateDnsName: privateDnsName,
+        },
+        physicalResourceId: PhysicalResourceId.of(id),
+      },
+      onUpdate: {
+        service: 'EC2',
+        action: 'modifyVpcEndpointServiceConfiguration',
+        parameters: {
+          ServiceId: serviceId,
+          PrivateDnsName: privateDnsName,
+        },
+        physicalResourceId: PhysicalResourceId.of(id),
+      },
+      onDelete: {
+        service: 'EC2',
+        action: 'modifyVpcEndpointServiceConfiguration',
+        parameters: {
+          ServiceId: serviceId,
+          RemovePrivateDnsName: true,
+        },
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+      }),
+    });
+
+    // Get the name/value pair for the TxtRecord
+    // We're always going to check the name/value because it's harmless
+    const guaranteeAlwaysLookup = randomString();
+    const getNames = new AwsCustomResource(this, 'GetNames', {
+      onCreate: {
+        service: 'EC2',
+        action: 'describeVpcEndpointServiceConfigurations',
+        parameters: {
+          ServiceIds: [serviceId],
+        },
+        physicalResourceId: PhysicalResourceId.of(guaranteeAlwaysLookup),
+      },
+      onUpdate: {
+        service: 'EC2',
+        action: 'describeVpcEndpointServiceConfigurations',
+        parameters: {
+          ServiceIds: [serviceId],
+        },
+        physicalResourceId: PhysicalResourceId.of(guaranteeAlwaysLookup),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+      }),
+    });
+    // We only want to call and get the TXT DNS details after we've enabled private DNS
+    getNames.node.addDependency(enable);
+
+    // Here are the name/value we get from the endpoint service
+    const name = getNames.getResponseField('ServiceConfigurations.0.PrivateDnsNameConfiguration.Name');
+    const value = getNames.getResponseField('ServiceConfigurations.0.PrivateDnsNameConfiguration.Value');
+
+    // Create the TXT record in the provided hosted zone
+    const verificationRecord = new TxtRecord(this, 'DnsVerificationRecord', {
+      recordName: name,
+      values: [value],
+      zone: props.publicZone,
+    });
+    // Only try making it once we have the values
+    verificationRecord.node.addDependency(getNames);
+
+    // Tell the endpoint service to verify the domain ownership
+    const startVerification = new AwsCustomResource(this, 'StartVerification', {
+      onCreate: {
+        service: 'EC2',
+        action: 'startVpcEndpointServicePrivateDnsVerification',
+        parameters: {
+          ServiceId: serviceId,
+        },
+        physicalResourceId: PhysicalResourceId.of(Fn.join(':', [name, value])),
+      },
+      onUpdate: {
+        service: 'EC2',
+        action: 'startVpcEndpointServicePrivateDnsVerification',
+        parameters: {
+          ServiceId: serviceId,
+        },
+        physicalResourceId: PhysicalResourceId.of(Fn.join(':', [name, value])),
+      },
+      policy: AwsCustomResourcePolicy.fromSdkCalls({
+        resources: AwsCustomResourcePolicy.ANY_RESOURCE,
+      }),
+    });
+    // Only verify after the record has been created
+    startVerification.node.addDependency(verificationRecord);
+
+    // Finally, don't do any of the above before the endpoint service is created
+    this.node.addDependency(props.endpointService);
+  }
+
+  private validateParams(props: VpcEndpointServiceDomainNameProps): void {
+    if (VpcEndpointServiceDomainName.endpointServices.includes(props.endpointService)) {
+      throw new Error(
+        'Cannot create a VpcEndpointServiceDomainName for service ' +
+        props.endpointService.node.uniqueId +
+        ', another VpcEndpointServiceDomainName is already associated with it');
+    }
+  }
+}
+
+/**
+ * Generate a random hex string
+ */
+function randomString(): string {
+  return Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 8);
+}

packages/@aws-cdk/aws-route53-patterns/package.json

@@ -65,32 +65,40 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/assert": "0.0.0",
+    "@types/nodeunit": "^0.0.31",
     "cdk-build-tools": "0.0.0",
     "cdk-integ-tools": "0.0.0",
     "cfn2ts": "0.0.0",
     "jest": "^26.4.2",
+    "nodeunit": "^0.11.3",
     "pkglint": "0.0.0"
   },
   "dependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudfront": "0.0.0",
+    "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-route53": "0.0.0",
     "@aws-cdk/aws-route53-targets": "0.0.0",
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/custom-resources": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
     "constructs": "^3.0.4"
   },
   "homepage": "https://github.com/aws/aws-cdk",
   "peerDependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudfront": "0.0.0",
+    "@aws-cdk/aws-ec2": "0.0.0",
+    "@aws-cdk/aws-elasticloadbalancingv2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-route53": "0.0.0",
     "@aws-cdk/aws-route53-targets": "0.0.0",
     "@aws-cdk/aws-s3": "0.0.0",
     "@aws-cdk/core": "0.0.0",
+    "@aws-cdk/custom-resources": "0.0.0",
     "@aws-cdk/region-info": "0.0.0",
     "constructs": "^3.0.4"
   },