fix(ec2): dual-stack vpc without private subnets creates EgressOnlyInternetGateway (under feature flag) #34437
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
bug
aws-cdk-automation
previously requested changes
May 12, 2025
maharajhaider
changed the title
maharajhaider
changed the title
maharajhaider
force-pushed
the
fix-ec2-dual-stack-redundant-egress
branch
from
82ac2e3 to
a0d833f
Compare
added 8 commits
May 12, 2025 15:56
maharajhaider
force-pushed
the
fix-ec2-dual-stack-redundant-egress
branch
from
7332c64 to
427b4a2
Compare
added 2 commits
May 12, 2025 16:02
maharajhaider
changed the title
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
paulhcsun
changed the title
paulhcsun
changed the title
|
For the PR title please change it to describe the bug and not the actual fix. |
maharajhaider
changed the title
paulhcsun
reviewed
May 13, 2025
| @@ -137,6 +137,7 @@ export const DYNAMODB_TABLE_RETAIN_TABLE_REPLICA = '@aws-cdk/aws-dynamodb:retain | |||
| export const LOG_USER_POOL_CLIENT_SECRET_VALUE = '@aws-cdk/cognito:logUserPoolClientSecretValue'; | |||
| export const PIPELINE_REDUCE_CROSS_ACCOUNT_ACTION_ROLE_TRUST_SCOPE = '@aws-cdk/pipelines:reduceCrossAccountActionRoleTrustScope'; | |||
| export const S3_TRUST_KEY_POLICY_FOR_SNS_SUBSCRIPTIONS = '@aws-cdk/s3-notifications:addS3TrustKeyPolicyForSnsSubscriptions'; | |||
| export const ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC = '@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC'; | |||
There was a problem hiding this comment.
nit: I know it's not consistent but the convention is to prefix the service here with aws-. Also we should prefix the constant with the module name EC2- and update the name of the feature flag to more accurately reflect the behaviour.
Suggested change
| export const ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC = '@aws-cdk/ec2:removeEgressOnlyGatewayFromPublicSubnetVPC'; | |
| export const EC2_REQUIRE_PRIVATE_SUBNETS_FOR_EGRESSONLYINTERNETGATEWAY = '@aws-cdk/aws-ec2:requirePrivateSubnetsForEgressOnlyInternetGateway'; |
| @@ -1576,6 +1577,17 @@ export const FLAGS: Record<string, FlagInfo> = { | |||
| }, | |||
|
|
|||
| ////////////////////////////////////////////////////////////////////// | |||
| [ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC]: { | |||
| type: FlagType.BugFix, | |||
| summary: 'Remove EgressOnlyGateway resource when a a double stack vpc has only public subnets', | |||
There was a problem hiding this comment.
This doesn't seem entirely correct. Rather than "removing EgressOnlyGateway when a stack only has public subnets", a more accurate summary could be "When enabled, the EgressOnlyGateway resource is only created if private subnets are defined in the VPC."
| @@ -1649,7 +1649,13 @@ export class Vpc extends VpcBase { | |||
| } | |||
|
|
|||
| // Create an Egress Only Internet Gateway and attach it if necessary | |||
| if (this.useIpv6 && this.privateSubnets) { | |||
|
|
|||
| const redundantEgressOnlyGatewayRemovalFeatureFlag = | |||
There was a problem hiding this comment.
nit: variable name
Suggested change
| const redundantEgressOnlyGatewayRemovalFeatureFlag = | |
| const isRequirePrivateSubnetsForEgressOnlyIgw = |
| @@ -2747,6 +2747,90 @@ describe('vpc', () => { | |||
| }, | |||
| }); | |||
| }); | |||
| test('(default)EgressOnlyInternetGateWay is created when no private subnet configured in dual stack', () => { | |||
There was a problem hiding this comment.
Instead of (default) EgressOnlyIGW.... maybe change this to say "EgressOnlyIGW is created when....in dual stack when feature flag is enabled."
| // THEN | ||
| Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1); | ||
| }); | ||
| test('(default)EgressOnlyInternetGateWay is created when private subnet configured in dual stack', () => { |
| Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1); | ||
| }); | ||
|
|
||
| test('(feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is created when private subnet configured in dual stack', () => { |
There was a problem hiding this comment.
nit:
Suggested change
| test('(feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is created when private subnet configured in dual stack', () => { | |
| test('EgressOnlyInternetGateWay is created when private subnet configured in dual stack when feature flag is enabled', () => { |
| // THEN | ||
| Template.fromStack(stack).resourceCountIs('AWS::EC2::EgressOnlyInternetGateway', 1); | ||
| }); | ||
| test(' (feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is not created when private subnet configured in dual stack', () => { |
There was a problem hiding this comment.
Suggested change
| test(' (feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is not created when private subnet configured in dual stack', () => { | |
| test(' (feature flag ENABLE_E2_REMOVE_EGRESSONLYGATEWAY_FROM_PUBLIC_SUBNET_VPC)EgressOnlyInternetGateWay is not created when no private subnets are configured in dual stack', () => { |
paulhcsun
added
the
pr-linter/exempt-integ-test
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #30981.
Reason for this change
-> EgressOnlyInternetGateway was been created even without any private subnets
Description of changes
-> Fixed the condition that determins if a EgressOnlyInternetGateway will be created
-> Added feature flag
Describe any new or updated permissions being added
N/A
Description of how you validated changes
I added two new unit tests that checks if EgressOnlyInternetGateway is created without a private subnet
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license