chore(ec2): add missing vpc endpoints

[msambol]

I used this doc for the "friendly" names and tried to make them as close as possible to the AWS service names.

Closes #29523.

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[msambol]

@nmussy Here's another thing you could automate with your tool. :)

[nmussy]

Thanks for letting me know! I'll probably release the first version later today or tomorrow

[nmussy]

@msambol Just did a quick run of using DescribeVpcEndpointServices, and there are quite a few more missing:

appmesh
b2bi
bedrock
bedrock-agent
bedrock-agent-runtime
bedrock-runtime
cleanrooms
codewhisperer
console
data-servicediscovery
data-servicediscovery-fips
datazone
ds
dynamodb
eks-auth
emrwal.prod
entityresolution
guardduty-data
guardduty-data-fips
iot.credentials
iot.fleethub.api
iotfleetwise
license-manager-user-subscriptions
managedblockchain-query
managedblockchain.bitcoin.mainnet
managedblockchain.bitcoin.testnet
mediaconnect
medical-imaging
neptune-graph
networkmonitor
organizations
organizations-fips
payment-cryptography.controlplane
payment-cryptography.dataplane
pca-connector-ad
personalize
personalize-events
personalize-runtime
pinpoint
runtime-medical-imaging
s3express
scn
servicediscovery
servicediscovery-fips
signin
simspaceweaver
streaming-rekognition
streaming-rekognition-fips
swf
swf-fips
thinclient.api
timestream-influxdb
tnb
trustedadvisor
vpc-lattice

I haven't validated them yet, but if you want to wait until the CLI is available, you can complete this PR with it? If not, I'll just open another one later 👍

[msambol]

@nmussy I'll knock it out quickly, thanks for the list. 👍🏼

One note for you tool.. Make sure you check GatewayVpcEndpointAwsService. DynamoDB is there.

[nmussy]

No worries, and thanks for the heads up!

…

On Mon, Mar 18, 2024, 15:38 Michael Sambol ***@***.***> wrote: @nmussy <https://github.com/nmussy> I'll knock it out quickly, thanks for the list. 👍🏼 One note for you tool.. Make sure you check GatewayVpcEndpointAwsService. DynamoDB is there. — Reply to this email directly, view it on GitHub <#29524 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AATDXYFIDF7CTPYIKVAY5VDYY336TAVCNFSM6AAAAABE2ZQVOSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMBUGA4TMNZXGQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[msambol]

This one is named weird but I don't have much choice.

[nmussy]

Might be worth deprecating APP_MESH and recreating APP_MESH_ENVOY_MANAGEMENT, or even APPMESH_ENVOY_MANAGEMENT

[msambol]

Updated this as well

[msambol]

I don't like this name either but I don't have much choice.

[nmussy]

Same here, deprecate PINPOINT, and point to a correctly renamed PINPOINT_SMS_VOICE_V2

[msambol]

But then call InterfaceVpcEndpointAwsService('pinpoint'); what?

[nmussy]

I guess PINPOINT_V1 or something similar, but with both PINPOINT and PINPOINT_V1 being valid, I would expect PINPOINT to be InterfaceVpcEndpointAwsService('pinpoint');. I feel like also renaming it would lower the chances of confusion.

[msambol]

let me know what you think of that...

[nmussy]

Yeah I think this is the solution less likely to cause pitfalls for future users, even if it doesn't feel great. Thanks 👍

[nmussy]

Hey @msambol, I found a few more missing, some only available in certain regions:

Available in us-east-2:

codecatalyst.git
codecatalyst.packages
repostspace
sagemaker-geospatial

Available in eu-central-1:

inspector-scan

I couldn't find any documentation about this service, but it's currently being listed, might be worth adding it with the io.spotinst.vpce prefix:

io.spotinst.vpce.us-east-1.privatelink-api

Finally, I am unable to list the two following endpoints. They should still be available according to the docs, so no need to deprecate them. I'm unsure if they're never supposed to be listed by DescribeVpcEndpointServices, or if my account isn't set up to access these services

• migrationhub-strategy (docs)

$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.us-east-1.migrationhub-strategy

An error occurred (InvalidServiceName) when calling the DescribeVpcEndpointServices operation: The Vpc Endpoint Service 'com.amazonaws.us-east-1.migrationhub-strategy' does not exist

• sms-fips (docs)

aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.us-east-1.sms-fips

An error occurred (InvalidServiceName) when calling the DescribeVpcEndpointServices operation: The Vpc Endpoint Service 'com.amazonaws.us-east-1.sms-fips' does not exist

[nmussy]

We also have an issue with global endpoints, e.g. S3_MULTI_REGION_ACCESS_POINTS. They are not supposed to have a region prefix (docs), but currently do in the CDK:

$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=com.amazonaws.s3-global.accesspoint | jq '.ServiceDetails[] | .ServiceName'

"com.amazonaws.s3-global.accesspoint"

new CfnOutput(this, "endpoint", {
	value: ec2.InterfaceVpcEndpointAwsService.S3_MULTI_REGION_ACCESS_POINTS.name,
});

// TestDeployStack.endpoint = com.amazonaws.eu-west-1.s3-global.accesspoint

The region is currently always prefixed:

aws-cdk/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts

Line 510 in 0fee99b

this.name = `${prefix || defaultEndpointPrefix}.${region}.${name}${defaultEndpointSuffix}`;

I haven't checked if there are other existing cases, but aws.api.global.codecatalyst is currently missing from the endpoint list, and will run into the same issue (docs)

[msambol]

I'll get the other ones added. Let's save the global endpoints work for another PR.

[msambol]

@nmussy Mind checking this again? Also, io.spotinst.vpce.us-east-1.privatelink-api is an AWS Marketplace service. I don't think we should add that?

[nmussy]

@nmussy Mind checking this again?

LGTM 👍

Also, io.spotinst.vpce.us-east-1.privatelink-api is an AWS Marketplace service. I don't think we should add that?

io.spotinst.vpce.us-east-1.privatelink-api is definitely being listed by DescribeVpcEndpointServices, no idea why. I agree though, it probably should be ignored, I'll add an exception for it to my tool.

$ aws ec2 describe-vpc-endpoint-services --region=us-east-1 --service-names=io.spotinst.vpce.us-east-1.privatelink-api | jq '.ServiceDetails[] | .ServiceName'

"io.spotinst.vpce.us-east-1.privatelink-api"

[paulhcsun]

Thanks @msambol! And thanks for reviewing @nmussy!

[paulhcsun]

mildly annoying that the naming doesn't match up here but it is what it is 🤷‍♂️

[paulhcsun]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 66af188
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).