Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug(ec2): Endpoint service AZ lookup fails for InterfaceVpcEndpointAwsService #8372

Closed
flemjame-at-amazon opened this issue Jun 4, 2020 · 0 comments · Fixed by #8386
Closed

bug(ec2): Endpoint service AZ lookup fails for InterfaceVpcEndpointAwsService #8372

flemjame-at-amazon opened this issue Jun 4, 2020 · 0 comments · Fixed by #8386
Assignees
@rix0rrr
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. in-progress This issue is being actively worked on. needs-triage This issue or PR still needs to be triaged. p1

Comments

@flemjame-at-amazon
Copy link
Contributor

This bug is a case that wasn't caught in testing of #7521 - if the provided service name has tokens in it, synthesis fails with the error:

software.amazon.jsii.JsiiException: Cannot determine scope for context provider endpoint-service-availability-zones.
This usually happens when one or more of the provider props have unresolved tokens

InterfaceVpcEndpointAwsService objects have tokens in their name which makes them unusable with this functionality.

In this case the serviceName ends up being something like:
com.amazonaws.${Token[AWS::Region.4]}.execute-api

Reproduction Steps

Create an InterfaceVpcEndpoint, with the service being an InterfaceVpcEndpointAwsService, and synthesize the template.

Vpc vpc = new Vpc(this, "VPC", VpcProps.builder().build());
new InterfaceVpcEndpoint(this, "API Gateway VPC Endpoint", InterfaceVpcEndpointProps.builder()
    .service(InterfaceVpcEndpointAwsService.APIGATEWAY)
    .vpc(vpc)
    .lookupSupportedAzs(true)
    .build());

Below is the code that defines the name. InterfaceVpcEndpointAwsService are region-agnostic, which is why they have a token in the name. Unfortunately this breaks AZ lookup for these services.

aws-cdk/packages/@aws-cdk/aws-ec2/lib/vpc-endpoint.ts

Line 317 in a4797b4

this.name = `${prefix || 'com.amazonaws'}.${Aws.REGION}.${name}`;

Error Log

software.amazon.jsii.JsiiException: Cannot determine scope for context provider endpoint-service-availability-zones.
This usually happens when one or more of the provider props have unresolved tokens

Environment

  • CLI Version : 1.39
  • Framework Version: 1.39
  • OS : MacOS Mojave
  • Language (Version): all

Other

My proposed solution would be to resolve the AWS.Region token in the InterfaceVpcEndpoint class, before doing the lookup. The AZ lookup already requires the account and region to be set, so we will know the region in advance.

I am not sure how to resolve an AWS.Region token. I've tried using the resolve functionality in the Stack class, but it doesn't return the region, just an object:

process.stdout.write(Stack.of(this).resolve(props.service.name));

[object Object]

This is 🐛 Bug Report
@flemjame-at-amazon flemjame-at-amazon added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 4, 2020
@flemjame-at-amazon flemjame-at-amazon mentioned this issue Jun 4, 2020
Merged
@SomayaB SomayaB added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jun 5, 2020
@SomayaB SomayaB added the in-progress This issue is being actively worked on. label Jun 5, 2020
@rix0rrr rix0rrr added the p1 label Jun 8, 2020
@mergify mergify bot closed this as completed in #8386 Jul 8, 2020
mergify bot pushed a commit that referenced this issue Jul 8, 2020
@flemjame-at-amazon
fix(ec2): VpcEndpoint AZ lookup fails for AWS services (#8386)
54e5c36 
fix(ec2): VpcEndpoint AZ lookup fails for AWS services
----

This closes #8372

InterfaceVpcEndpointAwsService objects currently use the `AWS.Region` token to define the service name. This results in an unresolved string, which cannot be resolved until CloudFormation deployment time.

When using the `lookupSupportedAzs` functionality, a ContextProvider makes AWS calls (DescribeVpcEndpointServices) in which it passes the service name, to look up the AZs. ContextProviders cannot be given tokens. Hence, passing in an InterfaceVpcEndpointAwsService results in a synthesis-time failure.

This ticket switches InterfaceVpcEndpointAwsService from using AWS.Region to a Lazy string which resolves to the stack's region. For region-agnostic stacks, the behavior is unchanged. For stacks with a specified region, the region is resolved.

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@flemjame-at-amazon flemjame-at-amazon mentioned this issue Aug 5, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. in-progress This issue is being actively worked on. needs-triage This issue or PR still needs to be triaged. p1
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ec2): VpcEndpoint AZ lookup fails for AWS services flemjame-at-amazon/aws-cdk
3 participants
@rix0rrr @SomayaB @flemjame-at-amazon