
GovCloud - Unable to create an S3 InterfaceEndpoint due to Private DNS flag can't be set directly #403

Open
therealdoug opened this issue Feb 14, 2024 · 1 comment
Labels: bug (Something isn't working)

@therealdoug

Describe the bug
We are trying to deploy S3 Interface Endpoints in a shared VPC so that we can utilize a high bandwidth DirectConnect. Since GovCloud does not support central endpoints, we cannot use PrivateDNS for these interface endpoints. In the Console, there is a DNS settings screen that allows you to directly set the PrivateDNS flag; however, in LZA this flag appears to be directly tied to the interfaceEndpoints.central parameter in:

network-vpc-endpoints-stack.ts, line 709

To Reproduce
Create an S3 interface endpoint with central: false and deploy to GovCloud:

vpcs:
  - name: Test-GovCloud-vpc
    account: TestAccount123
    region: us-gov-west-1
    gatewayEndpoints:
      endpoints:
        - service: s3
    interfaceEndpoints:
      central: false
      endpoints:
        - service: s3
      subnets:
        - Subnet-A
        - Subnet-B

Expected behavior
S3 Interface is created and associated to the defined subnets

Please complete the following information about the solution:

  • Version: v1.6.0
  • Region: us-gov-west-1, us-gov-east-1
  • Was the solution modified from the version published on this repository? N/A
  • If the answer to the previous question was yes, are the changes available on GitHub? N/A
  • Have you checked your service quotas for the services this solution uses? N/A
  • Were there any errors in the CloudWatch Logs?

❌ AWSAccelerator-NetworkVpcEndpointsStack-xxx-us-gov-west-1 failed: Error: The stack named AWSAccelerator-NetworkVpcEndpointsStack-xxx-us-gov-west-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Private DNS is currently not supported for the service com.amazonaws.us-gov-west-1.s3 (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameter; Request ID: 6eaf71ae-3f71-xxx-xxx-5ef81ac4704b; Proxy: null)

❌ Deployment failed: Error: The stack named AWSAccelerator-NetworkVpcEndpointsStack-xxx-us-gov-west-1 failed to deploy: UPDATE_ROLLBACK_COMPLETE: Private DNS is currently not supported for the service com.amazonaws.us-gov-west-1.s3 (Service: AmazonEC2; Status Code: 400; Error Code: InvalidParameter; Request ID: 6eaf71ae-3f71-xxx-xxx-5ef81ac4704b; Proxy: null)

Additional context

It appears the parameter for the PrivateDNS flag is attached to the central endpoints parameter. I think it makes more sense to directly expose the privateDnsEnabled flag in the constructor so that it can be set directly. Or there may need to be additional logic to determine which AWS partition the config is being deployed to.

@therealdoug therealdoug added the bug Something isn't working label Feb 14, 2024
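An added example (not LZA's own code) sketching both options the report proposes: an explicit per-endpoint override and a partition-aware fallback, so a config like the one above is rejected or corrected at validation time instead of surfacing as a CloudFormation UPDATE_ROLLBACK_COMPLETE. It assumes a hypothetical optional `privateDnsEnabled` config key, a constructed unsupported-service table seeded only with the S3/GovCloud case from the error in this issue, and that the current behaviour is privateDnsEnabled = !central, as the report describes.

```typescript
// Hypothetical resolver for the privateDnsEnabled flag of an interface endpoint.
// Precedence: explicit config override > partition restriction > existing
// behaviour (private DNS follows !central, as described in the issue).

type Partition = "aws" | "aws-us-gov" | "aws-cn";

interface InterfaceEndpointConfig {
  service: string;
  central: boolean;
  // Hypothetical optional override proposed in the issue; not an existing LZA key.
  privateDnsEnabled?: boolean;
}

// Services whose interface endpoints reject private DNS in a given partition.
// Constructed from the deploy error in this issue (S3 in us-gov-west-1).
const PRIVATE_DNS_UNSUPPORTED: Record<Partition, ReadonlySet<string>> = {
  "aws": new Set<string>(),
  "aws-us-gov": new Set<string>(["s3"]),
  "aws-cn": new Set<string>(),
};

function partitionForRegion(region: string): Partition {
  if (region.startsWith("us-gov-")) return "aws-us-gov";
  if (region.startsWith("cn-")) return "aws-cn";
  return "aws";
}

interface Resolution {
  privateDnsEnabled: boolean;
  reason: string;
}

function resolvePrivateDns(cfg: InterfaceEndpointConfig, region: string): Resolution {
  const partition = partitionForRegion(region);
  const unsupported = PRIVATE_DNS_UNSUPPORTED[partition].has(cfg.service);
  if (cfg.privateDnsEnabled !== undefined) {
    // Fail at config validation, not at stack deploy time.
    if (cfg.privateDnsEnabled && unsupported) {
      throw new Error(`privateDnsEnabled=true is not supported for ${cfg.service} in ${partition}`);
    }
    return { privateDnsEnabled: cfg.privateDnsEnabled, reason: "explicit config override" };
  }
  if (unsupported) {
    return { privateDnsEnabled: false, reason: `${partition} rejects private DNS for ${cfg.service}` };
  }
  // Existing behaviour from the issue: private DNS is enabled whenever central is false.
  return { privateDnsEnabled: !cfg.central, reason: "derived from central flag" };
}
```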
@JimToupet

We're not in the GovCloud partition but we need this too. I'll open a feature request.
