From a42cd4ef269402e93957c2fe9af6217dba315739 Mon Sep 17 00:00:00 2001 From: James Fleming Date: Mon, 27 Jan 2020 21:29:50 +0000 Subject: [PATCH 1/3] feat(ec2): default setting for VpcEndpoint PrivateDNS depends on service type --- package-lock.json | 111 ++++++++++++++++++ package.json | 1 + packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts | 21 +++- .../aws-ec2/test/test.vpc-endpoint.ts | 23 +++- .../integ.interface-vpc-endpoint-target.ts | 3 +- .../interface-vpc-endpoint-target.test.ts | 3 +- 6 files changed, 157 insertions(+), 5 deletions(-) create mode 100644 package-lock.json diff --git a/package-lock.json b/package-lock.json new file mode 100644 index 0000000000000..b222f8982da1b --- /dev/null +++ b/package-lock.json @@ -0,0 +1,111 @@ +{ + "name": "aws-cdk", + "version": "1.22.0", + "lockfileVersion": 1, + "requires": true, + "dependencies": { + "balanced-match": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz", + "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c=", + "dev": true + }, + "brace-expansion": { + "version": "1.1.11", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz", + "integrity": "sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==", + "dev": true, + "requires": { + "balanced-match": "^1.0.0", + "concat-map": "0.0.1" + } + }, + "concat-map": { + "version": "0.0.1", + "resolved": "https://registry.npmjs.org/concat-map/-/concat-map-0.0.1.tgz", + "integrity": "sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=", + "dev": true + }, + "eslint-plugin-es": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-es/-/eslint-plugin-es-3.0.0.tgz", + "integrity": "sha512-6/Jb/J/ZvSebydwbBJO1R9E5ky7YeElfK56Veh7e4QGFHCXoIXGH9HhVz+ibJLM3XJ1XjP+T7rKBLUa/Y7eIng==", + "dev": true, + "requires": { + "eslint-utils": "^2.0.0", + "regexpp": "^3.0.0" + } + }, + "eslint-plugin-node": { + "version": "11.0.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-node/-/eslint-plugin-node-11.0.0.tgz", + "integrity": "sha512-chUs/NVID+sknFiJzxoN9lM7uKSOEta8GC8365hw1nDfwIPIjjpRSwwPvQanWv8dt/pDe9EV4anmVSwdiSndNg==", + "dev": true, + "requires": { + "eslint-plugin-es": "^3.0.0", + "eslint-utils": "^2.0.0", + "ignore": "^5.1.1", + "minimatch": "^3.0.4", + "resolve": "^1.10.1", + "semver": "^6.1.0" + } + }, + "eslint-utils": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/eslint-utils/-/eslint-utils-2.0.0.tgz", + "integrity": "sha512-0HCPuJv+7Wv1bACm8y5/ECVfYdfsAm9xmVb7saeFlxjPYALefjhbYoCkBjPdPzGH8wWyTpAez82Fh3VKYEZ8OA==", + "dev": true, + "requires": { + "eslint-visitor-keys": "^1.1.0" + } + }, + "eslint-visitor-keys": { + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-1.1.0.tgz", + "integrity": "sha512-8y9YjtM1JBJU/A9Kc+SbaOV4y29sSWckBwMHa+FGtVj5gN/sbnKDf6xJUl+8g7FAij9LVaP8C24DUiH/f/2Z9A==", + "dev": true + }, + "ignore": { + "version": "5.1.4", + "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.1.4.tgz", + "integrity": "sha512-MzbUSahkTW1u7JpKKjY7LCARd1fU5W2rLdxlM4kdkayuCwZImjkpluF9CM1aLewYJguPDqewLam18Y6AU69A8A==", + "dev": true + }, + "minimatch": { + "version": "3.0.4", + "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz", + "integrity": "sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==", + "dev": true, + "requires": { + "brace-expansion": "^1.1.7" + } + }, + "path-parse": { + "version": "1.0.6", + "resolved": "https://registry.npmjs.org/path-parse/-/path-parse-1.0.6.tgz", + "integrity": "sha512-GSmOT2EbHrINBf9SR7CDELwlJ8AENk3Qn7OikK4nFYAu3Ote2+JYNVvkpAEQm3/TLNEJFD/xZJjzyxg3KBWOzw==", + "dev": true + }, + "regexpp": { + "version": "3.0.0", + "resolved": "https://registry.npmjs.org/regexpp/-/regexpp-3.0.0.tgz", + "integrity": "sha512-Z+hNr7RAVWxznLPuA7DIh8UNX1j9CDrUQxskw9IrBE1Dxue2lyXT+shqEIeLUjrokxIP8CMy1WkjgG3rTsd5/g==", + "dev": true + }, + "resolve": { + "version": "1.15.0", + "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.15.0.tgz", + "integrity": "sha512-+hTmAldEGE80U2wJJDC1lebb5jWqvTYAfm3YZ1ckk1gBr0MnCqUKlwK1e+anaFljIl+F5tR5IoZcm4ZDA1zMQw==", + "dev": true, + "requires": { + "path-parse": "^1.0.6" + } + }, + "semver": { + "version": "6.3.0", + "resolved": "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz", + "integrity": "sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==", + "dev": true + } + } +} diff --git a/package.json b/package.json index 0f639e7cddfdc..d3c7438351054 100644 --- a/package.json +++ b/package.json @@ -14,6 +14,7 @@ }, "devDependencies": { "conventional-changelog-cli": "^2.0.31", + "eslint-plugin-node": "^11.0.0", "fs-extra": "^8.1.0", "jsii-diff": "^0.21.2", "jsii-pacmak": "^0.21.2", diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts index 6285f94966929..3ea5dea9c8241 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts @@ -201,6 +201,11 @@ export interface IInterfaceVpcEndpointService { * The port of the service. */ readonly port: number; + + /** + * Whether Private DNS is supported by default. + */ + readonly privateDnsDefault: boolean; } /** @@ -218,9 +223,15 @@ export class InterfaceVpcEndpointService implements IInterfaceVpcEndpointService */ public readonly port: number; + /** + * Whether Private DNS is supported by default. + */ + public readonly privateDnsDefault: boolean; + constructor(name: string, port?: number) { this.name = name; this.port = port || 443; + this.privateDnsDefault = false; } } @@ -279,9 +290,15 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ */ public readonly port: number; + /** + * Whether Private DNS is supported by default. + */ + public readonly privateDnsDefault: boolean; + constructor(name: string, prefix?: string, port?: number) { this.name = `${prefix || 'com.amazonaws'}.${Aws.REGION}.${name}`; this.port = port || 443; + this.privateDnsDefault = true; } } @@ -298,7 +315,7 @@ export interface InterfaceVpcEndpointOptions { * Whether to associate a private hosted zone with the specified VPC. This * allows you to make requests to the service using its default DNS hostname. * - * @default true + * @default set by the instance of IInterfaceVpcEndpointService */ readonly privateDnsEnabled?: boolean; @@ -429,7 +446,7 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn const subnetIds = subnets.subnetIds; const endpoint = new CfnVPCEndpoint(this, 'Resource', { - privateDnsEnabled: props.privateDnsEnabled !== undefined ? props.privateDnsEnabled : true, + privateDnsEnabled: props.privateDnsEnabled !== undefined ? props.privateDnsEnabled : props.service.privateDnsDefault, policyDocument: Lazy.anyValue({ produce: () => this.policyDocument }), securityGroupIds: securityGroups.map(s => s.securityGroupId), serviceName: props.service.name, diff --git a/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts index fa538a49b67a6..164d5b175e318 100644 --- a/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts +++ b/packages/@aws-cdk/aws-ec2/test/test.vpc-endpoint.ts @@ -345,10 +345,31 @@ export = { // THEN expect(stack).to(haveResource('AWS::EC2::VPCEndpoint', { - ServiceName: "com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc" + ServiceName: "com.amazonaws.vpce.us-east-1.vpce-svc-uuddlrlrbastrtsvc", + PrivateDnsEnabled: false })); test.done(); }, + 'marketplace partner service interface endpoint'(test: Test) { + // GIVEN + const stack = new Stack(); + const vpc = new Vpc(stack, 'VpcNetwork'); + + // WHEN + vpc.addInterfaceEndpoint('YourService', { + service: {name: "com.amazonaws.vpce.us-east-1.vpce-svc-mktplacesvcwprdns", + port: 443, + privateDnsDefault: true} + }); + + // THEN + expect(stack).to(haveResource('AWS::EC2::VPCEndpoint', { + ServiceName: "com.amazonaws.vpce.us-east-1.vpce-svc-mktplacesvcwprdns", + PrivateDnsEnabled: true + })); + + test.done(); + } } }; diff --git a/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts b/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts index 340679fb5b081..a763273046f7a 100644 --- a/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts +++ b/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts @@ -17,7 +17,8 @@ const interfaceVpcEndpoint = new ec2.InterfaceVpcEndpoint(stack, 'InterfaceEndpo vpc, service: { name: 'com.amazonaws.us-west-2.sms', - port: 80 + port: 80, + privateDnsDefault: false }, privateDnsEnabled: false, subnets: { diff --git a/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts b/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts index 17ce7651c1e9f..8e94debf09587 100644 --- a/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts +++ b/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts @@ -13,7 +13,8 @@ test('use InterfaceVpcEndpoint as record target', () => { vpc, service: { name: 'com.amazonaws.us-west-2.workspaces', - port: 80 + port: 80, + privateDnsDefault: true } }); const zone = new route53.PrivateHostedZone(stack, 'PrivateZone', { From 143371da410b1ef6d183718a9088011bd0e89fc9 Mon Sep 17 00:00:00 2001 From: James Fleming Date: Tue, 28 Jan 2020 21:30:35 +0000 Subject: [PATCH 2/3] Making interface property privateDnsDefault optional, and default to true --- packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts | 22 ++++++++++++------- .../integ.interface-vpc-endpoint-target.ts | 3 +-- .../interface-vpc-endpoint-target.test.ts | 3 +-- 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts index 3ea5dea9c8241..feb0ba20c1b13 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts @@ -205,7 +205,7 @@ export interface IInterfaceVpcEndpointService { /** * Whether Private DNS is supported by default. */ - readonly privateDnsDefault: boolean; + readonly privateDnsDefault?: boolean; } /** @@ -226,7 +226,7 @@ export class InterfaceVpcEndpointService implements IInterfaceVpcEndpointService /** * Whether Private DNS is supported by default. */ - public readonly privateDnsDefault: boolean; + public readonly privateDnsDefault?: boolean; constructor(name: string, port?: number) { this.name = name; @@ -293,7 +293,7 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ /** * Whether Private DNS is supported by default. */ - public readonly privateDnsDefault: boolean; + public readonly privateDnsDefault?: boolean; constructor(name: string, prefix?: string, port?: number) { this.name = `${prefix || 'com.amazonaws'}.${Aws.REGION}.${name}`; @@ -315,7 +315,8 @@ export interface InterfaceVpcEndpointOptions { * Whether to associate a private hosted zone with the specified VPC. This * allows you to make requests to the service using its default DNS hostname. * - * @default set by the instance of IInterfaceVpcEndpointService + * @default set by the instance of IInterfaceVpcEndpointService, or true if + * not defined by the instance of IInterfaceVpcEndpointService */ readonly privateDnsEnabled?: boolean; @@ -444,16 +445,21 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn const subnets = props.vpc.selectSubnets({ ...props.subnets, onePerAz: true }); const subnetIds = subnets.subnetIds; - - const endpoint = new CfnVPCEndpoint(this, 'Resource', { - privateDnsEnabled: props.privateDnsEnabled !== undefined ? props.privateDnsEnabled : props.service.privateDnsDefault, + const endpointProps = { + privateDnsEnabled: true, policyDocument: Lazy.anyValue({ produce: () => this.policyDocument }), securityGroupIds: securityGroups.map(s => s.securityGroupId), serviceName: props.service.name, vpcEndpointType: VpcEndpointType.INTERFACE, subnetIds, vpcId: props.vpc.vpcId - }); + }; + if (props.privateDnsEnabled !== undefined) { + endpointProps.privateDnsEnabled = props.privateDnsEnabled; + } else if (props.service.privateDnsDefault !== undefined) { + endpointProps.privateDnsEnabled = props.service.privateDnsDefault; + } + const endpoint = new CfnVPCEndpoint(this, 'Resource', endpointProps); this.vpcEndpointId = endpoint.ref; this.vpcEndpointCreationTimestamp = endpoint.attrCreationTimestamp; diff --git a/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts b/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts index a763273046f7a..340679fb5b081 100644 --- a/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts +++ b/packages/@aws-cdk/aws-route53-targets/test/integ.interface-vpc-endpoint-target.ts @@ -17,8 +17,7 @@ const interfaceVpcEndpoint = new ec2.InterfaceVpcEndpoint(stack, 'InterfaceEndpo vpc, service: { name: 'com.amazonaws.us-west-2.sms', - port: 80, - privateDnsDefault: false + port: 80 }, privateDnsEnabled: false, subnets: { diff --git a/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts b/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts index 8e94debf09587..17ce7651c1e9f 100644 --- a/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts +++ b/packages/@aws-cdk/aws-route53-targets/test/interface-vpc-endpoint-target.test.ts @@ -13,8 +13,7 @@ test('use InterfaceVpcEndpoint as record target', () => { vpc, service: { name: 'com.amazonaws.us-west-2.workspaces', - port: 80, - privateDnsDefault: true + port: 80 } }); const zone = new route53.PrivateHostedZone(stack, 'PrivateZone', { From c4c85506cfdcc4e0b9636b43334418e207380120 Mon Sep 17 00:00:00 2001 From: James Fleming Date: Mon, 3 Feb 2020 15:20:18 +0000 Subject: [PATCH 3/3] Review feedback --- package.json | 1 - packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts | 19 ++++++------------- 2 files changed, 6 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index b95b0ca8f7df2..e3ac6297419cf 100644 --- a/package.json +++ b/package.json @@ -14,7 +14,6 @@ }, "devDependencies": { "conventional-changelog-cli": "^2.0.31", - "eslint-plugin-node": "^11.0.0", "fs-extra": "^8.1.0", "jsii-diff": "^0.21.2", "jsii-pacmak": "^0.21.2", diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts index feb0ba20c1b13..84fe0939fe4fd 100644 --- a/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts +++ b/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts @@ -226,12 +226,11 @@ export class InterfaceVpcEndpointService implements IInterfaceVpcEndpointService /** * Whether Private DNS is supported by default. */ - public readonly privateDnsDefault?: boolean; + public readonly privateDnsDefault?: boolean = false; constructor(name: string, port?: number) { this.name = name; this.port = port || 443; - this.privateDnsDefault = false; } } @@ -293,12 +292,11 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ /** * Whether Private DNS is supported by default. */ - public readonly privateDnsDefault?: boolean; + public readonly privateDnsDefault?: boolean = true; constructor(name: string, prefix?: string, port?: number) { this.name = `${prefix || 'com.amazonaws'}.${Aws.REGION}.${name}`; this.port = port || 443; - this.privateDnsDefault = true; } } @@ -445,21 +443,16 @@ export class InterfaceVpcEndpoint extends VpcEndpoint implements IInterfaceVpcEn const subnets = props.vpc.selectSubnets({ ...props.subnets, onePerAz: true }); const subnetIds = subnets.subnetIds; - const endpointProps = { - privateDnsEnabled: true, + + const endpoint = new CfnVPCEndpoint(this, 'Resource', { + privateDnsEnabled: props.privateDnsEnabled ?? props.service.privateDnsDefault ?? true, policyDocument: Lazy.anyValue({ produce: () => this.policyDocument }), securityGroupIds: securityGroups.map(s => s.securityGroupId), serviceName: props.service.name, vpcEndpointType: VpcEndpointType.INTERFACE, subnetIds, vpcId: props.vpc.vpcId - }; - if (props.privateDnsEnabled !== undefined) { - endpointProps.privateDnsEnabled = props.privateDnsEnabled; - } else if (props.service.privateDnsDefault !== undefined) { - endpointProps.privateDnsEnabled = props.service.privateDnsDefault; - } - const endpoint = new CfnVPCEndpoint(this, 'Resource', endpointProps); + }); this.vpcEndpointId = endpoint.ref; this.vpcEndpointCreationTimestamp = endpoint.attrCreationTimestamp;