feat(ec2): add support for vpc endpoints

[jogold]

Add support for both gateway and interface VPC endpoints. Static members are
exposed for all AWS service endpoints.

As gateway endpoints reference route tables, they currently cannot be added to
imported VPC networks.

BREAKING CHANGE: subnetIds is now replaced by selectSubnets which returns an object containing subnetIds.
BREAKING CHANGE: vpnRoutePropagation now expects a SubnetSelection[]

---

Pull Request Checklist

• Testing
  • Unit test added (prefer not to modify an existing test, otherwise, it's probably a breaking change)
  • CLI change?: coordinate update of integration tests with team
  • cdk-init template change?: coordinated update of integration tests with team
• Docs
  • jsdocs: All public APIs documented
  • README: README and/or documentation topic updated
• Title and Description
  • Change type: title prefixed with fix, feat will appear in changelog
  • Title: use lower-case and doesn't end with a period
  • Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
  • Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
• Sensitive Modules (requires 2 PR approvers)
  • IAM Policy Document (in @aws-cdk/aws-iam)
  • EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
  • Grant APIs (only if not based on official documentation with a reference)

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

[RomainMuller]

Would be nice if @rix0rrr could also review this.

[RomainMuller]

This looks like it should be an interface?

[RomainMuller]

SageMakerNotebook
        └─ missing 'r'

[RomainMuller]

Somehow I would rather name those EC2, ECR, SNS, ... The PascalCased name hurts my eyes.

[jogold]

Agree with you but when looking at other packages I find lots of PascalCased names:
https://github.com/awslabs/aws-cdk/blob/7001f7723cde611f0d8cd9c182f92120b09579c3/packages/%40aws-cdk/aws-sns/lib/subscription.ts#L89-L93
https://github.com/awslabs/aws-cdk/blob/7001f7723cde611f0d8cd9c182f92120b09579c3/packages/%40aws-cdk/aws-applicationautoscaling/lib/scalable-target.ts#L227-L246

[jogold]

Your call

[RomainMuller]

Hmm. I guess consistency is good. 🤷🏻‍♂️
Thanks for pointing those out 👍🏻

[eladb]

Pascal case is our standard. Otherwise jsii languages cannot delineate words when they convert cases.

[RomainMuller]

Would say A VPC endpoint for an AWS service

[jogold]

An AWS VPC endpoint service? This is a service not an endpoint...

[RomainMuller]

I kinda think of those as "services that provide VPC endpoints"... But maybe my mental model is wrong here... This is actually why I was calling for @rix0rrr to have a look, too... I feel he might be a little more into this domain than I am.

[RomainMuller]

Does this really need to be an array?

[jogold]

For a VPC with isolated and private subnets, the user could want to add endpoint routing to the route tables of both subnet types.

[jogold]

See the same kind of discussion here for VPN routing #1899 (comment).

If possible, I would like to refactor here to also use a SubnetSelection[]:
https://github.com/awslabs/aws-cdk/blob/7001f7723cde611f0d8cd9c182f92120b09579c3/packages/%40aws-cdk/aws-ec2/lib/vpc.ts#L141-L147

[RomainMuller]

I wonder if it wouldn't be a better approach to make the SubnetSelection able to represent "private + isolated", don't you think?

[jogold]

You mean changing the SubnetSelection interface to:

export interface SubnetSelection {
  readonly subnetType?: SubnetType[];

  readonly subnetName?: string[];
}

We also have to support a list of subnetNames if the user created the VpcNetwork with a specific subnetConfiguration

[eladb]

+1 on extending SubnetSelection. That's our go-to

[eladb]

This needs to be an IVpcEndpointService (if something implements it begins with an "I").

[eladb]

Pascal case is our standard. Otherwise jsii languages cannot delineate words when they convert cases.

[eladb]

Do we need to use some URL suffix token that's partition-aware (it's @RomainMuller's turf...)

[jogold]

This is AWS::URLSuffix but reversed... don't know how does this look like for China regions...

[eladb]

@RomainMuller our resident expert on the topic, thoughts?

[rix0rrr]

It's probably going to be different yet again for noncommercial regions (one of those things that looks like a domain name but really isn't). I think this needs to be in RegionInfo.

[RomainMuller]

Well all the documentation says is that those are formatted as com.amazonaws.<region>.<service>... And I couldn't find a reference table with more concrete information. So at this point I'd be willing to assume those are always formatted like so until proven wrong...

[eladb]

+1 on extending SubnetSelection. That's our go-to

[eladb]

Should we rename this to selectSubnets (to reflect SubnetSelection)

[eladb]

Can we put this in a subclass of stack so that first argument is always this instead of stack (which is non-idiomatic). I know we have many examples like that, but we should start somewhere...

[eladb]

indicate that this is just an alternative API

[eladb]

explain why this is needed

[eladb]

Copy & paste some official docs that explain what VPC endpoints are and why would I want to use them

[jogold]

Just discovered that some interface endpoints also have a policy document (e.g. CodeCommit), this needs further investigation because the CF documentation is not clear (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2-vpcendpoint-policydocument)

[jogold]

Strange... this build (https://travis-ci.org/awslabs/aws-cdk/builds/514128209#L1573) should be failing during the build phase but it's not (lerna success - @aws-cdk/aws-codebuild https://travis-ci.org/awslabs/aws-cdk/builds/514128209#L1702). Ultimately it fails during the test phase for decdk.

[eladb]

Looks good to me!

@PaulMaddox @leepa any chance you guys can take a quick look?

[eladb]

Please use the vpcEndpoint prefix. It hints that this is a deploy-time attribute (soon more formally)

[eladb]

Can we deprecate subnetIds? seems like those can be mapped from the subnet objects?

[eladb]

If we still need it let’s rename to selectSubnetIds but I would just deprecate.

[jogold]

You mean adding @deprecated in JSDoc and removing all calls to this method?

[eladb]

Yap

[rix0rrr]

Nooo don't!

[rix0rrr]

I've put effort into precisely into deprecating access to subnet objects and just getting IDs instead, because that is basically all the class consumers ever need from this class anyway. The previous interface was wider than anyone needed, and uncomfortable for imported VPCs.

[eladb]

Can you elaborate why returning IDs is a better API? It is in contradiction with one of our design tents to use strong types instead of IDs.

[rix0rrr]

First of all: convenience. A subnet is never what a consumer needs. It always needs a list of subnet IDs, to pass to CloudFormation. Why would you make a consumer grub around in the innards of my data structures, to do exactly the same operation in all places where it's called? I might as well do that for you.

Second of all: it allows us more flexilibity around exports and imports. The function:

function subnetIds(): string[];

Can be satisfied by a { Fn::ImportValue: Export } or a { Ref: Parameter }. The function:

function subnets(): ISubnet[]

Can not. Because of this, it's super convoluted to export/import VPCs across stacks today. It could all be dramatically simplified if we hadn't painted ourselves into a corner with an API that promises too much, for no good reason because all consumers do is map across those subnets to get the IDs anyway!

And if we're invoking design principles: it violates the Law of Demeter. The VPC is your abstraction, and you shouldn't depend on how it's implemented.

[rix0rrr]

Sorry, I apparently should have paid attention to this PR earlier. Why do we need access to subnet objects? I just spent #2025 limiting access to it.

[rix0rrr]

Also, I don't agree with the change of subnetType => subnetTypes. This is quite a big breaking change for existing consumers. What are the use cases for selecting multiple subnet types, and can we not achieve them another way?

[rix0rrr]

Apart from the VPC endpoint support, I don't like the API-complicating changes that are being introduced here to VpcNetwork. Please tell me why they are necessary.

[jogold]

@rix0rrr here are a few examples where selecting multiple subnet types are needed:

• VPC subnets for AWS EKS clusters (already uses a SubnetSelection[])
• Route propagation for VPN routes
• Routing for VPC gateway endpoints

My first proposal was to simply use a SubnetSelection[] for those cases. see #2104 (comment). Then @eladb and @RomainMuller came with the idea of extending the subnet selection mechanism.

I let you guys decide on this.

PS: it's pretty easy to revert

[jogold]

For the route tables, I don't think you need to get the route tables out, do you?

We need to specify the route table ids in AWS::EC2::VPCEndpoint (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html#cfn-ec2-vpcendpoint-routetableids). Do you suggest adding public selectSubnetRouteTableIds?

[rix0rrr]

Do you suggest adding public selectSubnetRouteTableIds?

No, I would suggest adding an addEndpoint() method. Again, tell, don't ask.

[rix0rrr]

RDS for Multi AZ

How were you thinking about this? DBInstace.MultiAZ seems to be a true/false property. So it's specifically for non-multi AZ instances that you would need an AZ, no?

[rix0rrr]

By the way, something else I would also be very okay with if we want to model the result of subnet selection as an object, is something like this:

const selection = vpc.selectSubnets({ subnetType: Public });
const ids = selection.subnetIds;
const azs = selection.availabilityZones;

// And even
selection.addRoute(...);
selection.addGateway(...);
selection.addInterface(...);

[jogold]

How were you thinking about this? DBInstace.MultiAZ seems to be a true/false property. So it's specifically for non-multi AZ instances that you would need an AZ, no?

I was thinking about improving this:
https://github.com/awslabs/aws-cdk/blob/0f6ce563f40ff8909401ba478c98cd7731a333b5/packages/%40aws-cdk/aws-rds/lib/cluster.ts#L240-L243

same use case here:
https://github.com/awslabs/aws-cdk/blob/fd1729977c969a6b22c0b5ffe66d8b71115b1501/packages/%40aws-cdk/aws-ec2/lib/vpc-endpoint.ts#L392-L396

[rix0rrr]

I think these are not created equal. In the first case, I feel like the comment is a little misleading.

• For a constructed VPC (as they exist today), the property is correct by construction: there will be exactly one returned subnet per AZ.
• For an imported VPC this might not be the case, but also the property is untestable in the general case: the AZs could be unknown at construction time, they could be { Fn::Select: [0, { Fn::GetAZs }]} or even { Ref: AZParameter1 }, and there's no way you could test at construction time whether the requirement is satisfied.

What I'm saying is, the comment makes things sound more dire than they actually are. If we wanted this feature, the right place to enforce this functionality would be at the VPC level:

// Make VpcNetwork guarantee this property if it can
const ids = vpc.selectSubnetIds({ ...props.subnets, atLeast2UniqueAZs: true });

But this only becomes relevant if subnet selection becomes more expressive than it is today. Today 1 subnet would map to 1 AZ, and at least 2 of one maps to at least 2 of the other.

---

For the VPC Endpoint case, the story is similar. Either the property you're looking for (exactly one subnet per AZ... though maybe the actual constraint is at most one subnet per AZ?) is either guaranteed by construction, or is untestable anyway.

[jogold]

For the VPC Endpoint case, the story is similar. Either the property you're looking for (exactly one subnet per AZ... though maybe the actual constraint is at most one subnet per AZ?) is either guaranteed by construction, or is untestable anyway.

This is not always guaranteed by construction, see the following test case I wrote https://github.com/awslabs/aws-cdk/blob/fd1729977c969a6b22c0b5ffe66d8b71115b1501/packages/%40aws-cdk/aws-ec2/test/test.vpc-endpoint.ts#L297

From the console experience, I think it is one subnet per AZ (if I specify 2 subnets then I need those to be in 2 different AZs, availabilityZones.length must equal subnetIds.length no?)

No, I would suggest adding an addEndpoint() method.

This method has been implemented at the VpcNetwork level (see addInterfaceEndpoint and addGatewayEndpoint)

In order to go forward with this PR, could you have a look at the latest changes from today and tell me what you would like to be adapted?

[rix0rrr]

This is not always guaranteed by construction, see the following test case I wrote

Oh, you are right of course, for some reason I was thinking about selecting subnets by name and missed this case. In any case, I still think the solution is to put the selection logic inside VpcNetwork. Maybe add something like a oneSubnetPerAz?: boolean to the selection.

This method has been implemented at the VpcNetwork level (see addInterfaceEndpoint and addGatewayEndpoint)

Well that is perfect. I only went down this discussion because of the following exchange:

For the route tables, I don't think you need to get the route tables out, do you?

We need to specify the route table ids in AWS::EC2::VPCEndpoint

Your response made me assume we needed the route table IDs outside the VPC construct. If route table IDs are an implementation detail used inside the VPC to implement the functions you mentioned before, we don't have a problem at all.

could you have a look at the latest changes from today

Will do.

[rix0rrr]

How about the change that I just pushed? I think it's an okay compromise. All I ask is that we treat the subnets as one group of things, to keep the API surface small and not rely too much on implementation details. It does deprecate selectSubnetIds() again, which is a thread I didn't pull all the way through.

Also added dealing with the case where the VpcSubnets would be imported, which wasn't deal with before as far as I could see, all IVpcSubnets were cast to VpcSubnets and their routeTableId attribute read, but that cast was not necessarily valid.

[rix0rrr]

Right now I did the oneSubnetPerAz: true trick to make sure that worked out correctly, which magically restricts the selection. If that is undesirable we can turn it into an assertion as well (throw if the selection matches multiple subnet groups).

[jogold]

@rix0rrr added a fix to onePerAz because it was overwritten in reifySelectionDefaults.

Do you want to leave the calls to selectSubnetIds in the other packages? Renaming subnetIds to selectSubnetIds is already a breaking change so we are actually deprecating something that did not exist...

[rix0rrr]

Do you want to leave the calls to selectSubnetIds in the other packages

If you're volunteering to update them, not at all :)

[rix0rrr]

Also thanks for fixing my hasty updates

[jogold]

Do you want to leave the calls to selectSubnetIds in the other packages

If you're volunteering to update them, not at all :)

Will update, this also means that subnetIds gets removed (not deprecated) from aws-ec2, right?