Skip to content

Commit

Permalink
feat(apprunner): support vpc ingress connection (#30623)
Browse files Browse the repository at this point in the history
### Issue # (if applicable)

Closes #22850.

### Reason for this change
To support VPC Ingress Connection  for making App Runner Service private and only accessible from within a VPC.



### Description of changes
* Add `isPubliclyAccessible` property to the `Service` class
* Add `VpcIngressConnection` class



### Description of how you validated changes
Add unit tests and integ tests


### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
mazyu36 authored Oct 30, 2024
1 parent 579041e commit 048e753
Show file tree
Hide file tree
Showing 17 changed files with 2,857 additions and 0 deletions.
37 changes: 37 additions & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -201,6 +201,43 @@ new apprunner.Service(this, 'Service', {
});
```

## VPC Ingress Connection

To make your App Runner service private and only accessible from within a VPC use the `isPubliclyAccessible` property and associate it to a `VpcIngressConnection` resource.

To set up a `VpcIngressConnection`, specify a VPC, a VPC Interface Endpoint, and the App Runner service.
Also you must set `isPubliclyAccessible` property in ther `Service` to `false`.

For more information, see [Enabling Private endpoint for incoming traffic](https://docs.aws.amazon.com/apprunner/latest/dg/network-pl.html).

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';

declare const vpc: ec2.Vpc;

const interfaceVpcEndpoint = new ec2.InterfaceVpcEndpoint(this, 'MyVpcEndpoint', {
vpc,
service: ec2.InterfaceVpcEndpointAwsService.APP_RUNNER_REQUESTS,
privateDnsEnabled: false,
});

const service = new apprunner.Service(this, 'Service', {
source: apprunner.Source.fromEcrPublic({
imageConfiguration: {
port: 8000,
},
imageIdentifier: 'public.ecr.aws/aws-containers/hello-app-runner:latest',
}),
isPubliclyAccessible: false, // set false
});

new apprunner.VpcIngressConnection(this, 'VpcIngressConnection', {
vpc,
interfaceVpcEndpoint,
service,
});
```

## Dual Stack

To use dual stack (IPv4 and IPv6) for your incoming public network configuration, set `ipAddressType` to `IpAddressType.DUAL_STACK`.
Expand Down
1 change: 1 addition & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/lib/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -3,3 +3,4 @@ export * from './auto-scaling-configuration';
export * from './observability-configuration';
export * from './service';
export * from './vpc-connector';
export * from './vpc-ingress-connection';
10 changes: 10 additions & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/lib/service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -732,6 +732,15 @@ export interface ServiceProps {
*/
readonly vpcConnector?: IVpcConnector;

/**
* Specifies whether your App Runner service is publicly accessible.
*
* If you use `VpcIngressConnection`, you must set this property to `false`.
*
* @default true
*/
readonly isPubliclyAccessible?: boolean;

/**
* Settings for the health check that AWS App Runner performs to monitor the health of a service.
*
Expand Down Expand Up @@ -1310,6 +1319,7 @@ export class Service extends cdk.Resource implements iam.IGrantable {
egressType: this.props.vpcConnector ? 'VPC' : 'DEFAULT',
vpcConnectorArn: this.props.vpcConnector?.vpcConnectorArn,
},
ingressConfiguration: props.isPubliclyAccessible !== undefined ? { isPubliclyAccessible: props.isPubliclyAccessible } : undefined,
ipAddressType: this.props.ipAddressType,
},
healthCheckConfiguration: this.props.healthCheck ?
Expand Down
168 changes: 168 additions & 0 deletions packages/@aws-cdk/aws-apprunner-alpha/lib/vpc-ingress-connection.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,168 @@
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as cdk from 'aws-cdk-lib/core';
import { Construct } from 'constructs';
import { IService } from './service';
import { CfnVpcIngressConnection } from 'aws-cdk-lib/aws-apprunner';

/**
* Properties of the AppRunner VPC Ingress Connection
*/
export interface VpcIngressConnectionProps {
/**
* The name for the VPC Ingress Connection.
*
* @default - a name generated by CloudFormation
*/
readonly vpcIngressConnectionName?: string;

/**
* The service to connect.
*/
readonly service: IService;

/**
* The VPC for the VPC Ingress Connection.
*/
readonly vpc: ec2.IVpc;

/**
* The VPC Interface Endpoint for the VPC Ingress Connection.
*/
readonly interfaceVpcEndpoint: ec2.IInterfaceVpcEndpoint;
}

/**
* Attributes for the App Runner VPC Ingress Connection
*/
export interface VpcIngressConnectionAttributes {
/**
* The Amazon Resource Name (ARN) of the VPC Ingress Connection.
*/
readonly vpcIngressConnectionArn: string;

/**
* The name of the VPC Ingress Connection.
*/
readonly vpcIngressConnectionName: string;

/**
* The domain name associated with the VPC Ingress Connection resource.
*/
readonly domainName: string;

/**
* The current status of the VPC Ingress Connection.
*/
readonly status: string;
}

/**
* Represents the App Runner VPC Ingress Connection.
*/
export interface IVpcIngressConnection extends cdk.IResource {
/**
* The Amazon Resource Name (ARN) of the VPC Ingress Connection.
* @attribute
*/
readonly vpcIngressConnectionArn: string;

/**
* The name of the VPC Ingress Connection.
* @attribute
*/
readonly vpcIngressConnectionName: string;
}

/**
* The App Runner VPC Ingress Connection
*
* @resource AWS::AppRunner::VpcIngressConnection
*/
export class VpcIngressConnection extends cdk.Resource implements IVpcIngressConnection {
/**
* Import from VPC Ingress Connection from attributes.
*/
public static fromVpcIngressConnectionAttributes(scope: Construct, id: string, attrs: VpcIngressConnectionAttributes): IVpcIngressConnection {
const vpcIngressConnectionArn = attrs.vpcIngressConnectionArn;
const domainName = attrs.domainName;
const status = attrs.status;
const vpcIngressConnectionName = attrs.vpcIngressConnectionName;

class Import extends cdk.Resource implements IVpcIngressConnection {
public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
public readonly domainName = domainName;
public readonly status = status;
public readonly vpcIngressConnectionName = vpcIngressConnectionName;
}

return new Import(scope, id);
}

/**
* Imports an App Runner VPC Ingress Connection from its ARN
*/
public static fromArn(scope: Construct, id: string, vpcIngressConnectionArn: string): IVpcIngressConnection {
const resourceParts = cdk.Fn.split('/', vpcIngressConnectionArn);

const vpcIngressConnectionName = cdk.Fn.select(0, resourceParts);

class Import extends cdk.Resource implements IVpcIngressConnection {
public readonly vpcIngressConnectionName = vpcIngressConnectionName;
public readonly vpcIngressConnectionArn = vpcIngressConnectionArn;
}

return new Import(scope, id);
}

/**
* The ARN of the VPC Ingress Connection.
* @attribute
*/
readonly vpcIngressConnectionArn: string;

/**
* The domain name associated with the VPC Ingress Connection resource.
* @attribute
*/
readonly domainName: string;

/**
* The current status of the VPC Ingress Connection.
* @attribute
*/
readonly status: string;

/**
* The name of the VPC Ingress Connection.
* @attribute
*/
readonly vpcIngressConnectionName: string;

public constructor(scope: Construct, id: string, props: VpcIngressConnectionProps) {
super(scope, id, {
physicalName: props.vpcIngressConnectionName,
});

if (
props.vpcIngressConnectionName !== undefined &&
!cdk.Token.isUnresolved(props.vpcIngressConnectionName) &&
!/^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}$/.test(props.vpcIngressConnectionName)
) {
throw new Error(`vpcIngressConnectionName must match the \`^[A-Za-z0-9][A-Za-z0-9\-_]{3,39}\` pattern, got ${props.vpcIngressConnectionName}`);
}

const resource = new CfnVpcIngressConnection(this, 'Resource', {
ingressVpcConfiguration: {
vpcEndpointId: props.interfaceVpcEndpoint.vpcEndpointId,
vpcId: props.vpc.vpcId,
},
serviceArn: props.service.serviceArn,
vpcIngressConnectionName: this.physicalName,
});

this.vpcIngressConnectionArn = resource.attrVpcIngressConnectionArn;
this.vpcIngressConnectionName = resource.ref;
this.domainName = resource.attrDomainName;
this.status = resource.attrStatus;
}
}

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 048e753

Please sign in to comment.