(aws_apigatewayv2): (VpcLink creation failing due to share subnet and security-group-id)

[alaws-USGS]

Describe the bug

During the 'creating CloudFormation changeset' stage of deployment, the deployment fails during the creation step for the VpcLink for a reason that should not be an issue.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

THe VpcLink should be able to be created during deployment as I pass to it an existing VPC with security groups.

Current Behavior

The deployment fails.

Resource handler returned message: "For a shared subnet, at least one security-group-id should be provided. (Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: 50573051-75a5-438c-a6d9
-e9edd75c414c; Proxy: null)" (RequestToken: 33c819bd-427f-6b00-72cc-fff30d2a1d9e, HandlerErrorCode: GeneralServiceException)

Reproduction Steps

from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    aws_ecs as ecs,
    aws_ecs_patterns as ecs_patterns,
    aws_apigatewayv2_integrations as integrations,
    aws_apigatewayv2 as apigwv2,
)
from constructs import Construct


class ECSFargateStack(Stack):
    """Define deployment stack for ECS and Fargate"""

    def __init__(
        self,
        scope: Construct,
        construct_id: str,
        vpc_id: str = None,
        certificate_arn: str = None,
        security_group_ids: list = None,
        **kwargs,
    ):
        super().__init__(scope, construct_id, **kwargs)

        # bring in VPC information from existing VPC
        vpc = ec2.Vpc.from_lookup(self, id="vpc", vpc_id=vpc_id)

        # create ECS cluster
        cluster = ecs.Cluster(self, id="ffdb-cluster", vpc=vpc)

        #  Use L3 construct to handle boiler plate
        ecs_fargate = ecs_patterns.ApplicationLoadBalancedFargateService(
            self,
            id="ff-db-alb-fargate-service_pattern",
            cluster=cluster,  # ensure we are using
            desired_count=1,  # number of tasks to keep running on the service
            load_balancer_name="ff-db-alb",  # name of the load balancer
            task_image_options=ecs_patterns.ApplicationLoadBalancedTaskImageOptions(
                image=ecs.ContainerImage.from_registry("myecr/my-container:latest"),
            ),
            cpu=1024,  # 1 vCPU, used by task
            memory_limit_mib=2048,  # 2 GB
            public_load_balancer=False,
            service_name="ff-db-service",
        )

        # create a VPC link
        vpc_link = apigwv2.VpcLink(
            self,
            id="ff-db-vpc-link",
            vpc=vpc,
        )

        # create an HTTP API
        http_api = apigwv2.HttpApi(
            self,
            id="ff-db-http-api",
            create_default_stage=True,
            default_integration=integrations.HttpAlbIntegration(
                id="ff-db-alb-integration",
                listener=ecs_fargate.listener,
            ),
        )

        # add a route to the HTTP API that forwards requests to the ALB
        http_api.add_routes(
            path="/{proxy+}",
            methods=[apigwv2.HttpMethod.ANY],
            integration=integrations.HttpAlbIntegration(
                id="ff-db-alb-integration",
                listener=ecs_fargate.listener,
            ),
        )

Possible Solution

No response

Additional Information/Context

I am trying to create an ECS Fargate stack with a private application load balancer to deploy an API. I want to create an integration between the private ALB and the Fargate service for an HTTP API to forward requests over.

I am trying to implement the tutorial on creating an HTTP API with a VPC Link using AWS CDK.

CDK CLI Version

2.1007.0 (build d3f6c3c)

Framework Version

No response

Node.js Version

v22.14.0

OS

Ubuntu 22.04.5 LTS

Language

Python

Language Version

3.11.9

Other information

No response

[pahud]

Hi, I've looked into this issue and analyzed the relevant AWS CDK code.

Root Cause:

The error message BadRequestException: For a shared subnet, at least one security-group-id should be provided occurs because the apigwv2.VpcLink construct requires security groups to be explicitly associated, especially when using an imported VPC (ec2.Vpc.from_lookup).

The CDK construct (aws-cdk/packages/aws-cdk-lib/aws-apigatewayv2/lib/http/vpc-link.ts) does not automatically infer or use the security groups (like the default security group) from the IVpc object provided via from_lookup. When the security_groups parameter is omitted in the VpcLink constructor, the resulting CloudFormation template lacks the required SecurityGroupIds property for the AWS::ApiGatewayV2::VpcLink resource, leading to the deployment failure.

Workaround:

You need to explicitly provide at least one security group when creating the VpcLink. You can achieve this by looking up an existing security group within your imported VPC (e.g., the default security group or another appropriate one) and passing it to the constructor:

from aws_cdk import (
    Stack,
    aws_ec2 as ec2,
    # ... other imports
    aws_apigatewayv2 as apigwv2,
)
from constructs import Construct

class ECSFargateStack(Stack):
    def __init__(
        self,
        # ... (other parameters)
        **kwargs,
    ):
        super().__init__(scope, construct_id, **kwargs)

        # 1. Look up the VPC
        vpc = ec2.Vpc.from_lookup(self, id="vpc", vpc_id=vpc_id)

        # 2. Look up a Security Group (ensure it allows necessary traffic)
        # Example: Using the default security group ID from the imported VPC
        default_security_group = ec2.SecurityGroup.from_lookup_by_id(
            self, "ImportedDefaultSG", vpc.vpc_default_security_group
        )
        # Or lookup by a specific known ID:
        # specific_sg = ec2.SecurityGroup.from_lookup_by_id(self, "SpecificSG", "sg-xxxxxxxxxxxxxxxxx")

        # ... (ECS Cluster and Service creation) ...

        # 3. Create the VPC link - PROVIDE THE SECURITY GROUP(S)
        vpc_link = apigwv2.VpcLink(
            self,
            id="ff-db-vpc-link",
            vpc=vpc,
            # Explicitly add the security group(s) in a list
            security_groups=[default_security_group] # Or [specific_sg], or a list of multiple SGs
        )

        # ... (HTTP API and Route creation) ...

By adding the security_groups parameter with a valid ISecurityGroup object (or a list of them), the CDK will correctly generate the SecurityGroupIds in the CloudFormation template, resolving the issue.

Let me know if this works for you.

[alaws-USGS]

Hi @pahud, I have tried both of these methods and found an issue and a solution!

First, ec2.Vpc.from_lookup() returns an IVpc object, which does not have the vpc_default_security_group attribute. I had tried this previously and ran into this.

Second, supplying the id of the security group worked! I realized when I had tried it before I hadn't then enclosed it in a list!

I will say it would be great if the VpcLink could automatically pull security groups from an existing Vpc. Thanks for you help!