
Commit ed4df80

author
Tiago Queiroz
committed
fix(route53): add vpce:AllowMultiRegion permission to VpcEndpointServiceDomainName
When using VpcEndpointServiceDomainName with a VpcEndpointService that has cross-region PrivateLink enabled via allowedRegions, the custom resource Lambda fails because the IAM policy is missing the vpce:AllowMultiRegion permission. This change updates the EnableDns custom resource to use an explicit policy with both ec2:ModifyVpcEndpointServiceConfiguration and vpce:AllowMultiRegion permissions, scoped to the specific VPC endpoint service resource. Fixes #36216
1 parent 073185d commit ed4df80


9 files changed

+1775
-235
lines changed


packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/AwsCdkVpcEndpointDnsIntegTestDefaultTestDeployAssertFB27EF1F.assets.json

Lines changed: 7 additions & 7 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/AwsCdkVpcEndpointDnsIntegTestDefaultTestDeployAssertFB27EF1F.template.json

Lines changed: 2 additions & 2 deletions
Lines changed: 1685 additions & 173 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/aws-cdk-vpc-endpoint-dns-integ.assets.json

Lines changed: 3 additions & 3 deletions

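--- a/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/aws-cdk-vpc-endpoint-dns-integ.template.json
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/aws-cdk-vpc-endpoint-dns-integ.template.json
@@ -481,7 +481,10 @@
 "PolicyDocument": {
 "Statement": [
 {
-"Action": "ec2:ModifyVpcEndpointServiceConfiguration",
+"Action": [
+"ec2:ModifyVpcEndpointServiceConfiguration",
+"vpce:AllowMultiRegion"
+],
 "Effect": "Allow",
 "Resource": {
 "Fn::Join": [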

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/manifest.json

Lines changed: 12 additions & 32 deletions

packages/@aws-cdk-testing/framework-integ/test/aws-route53/test/integ.vpc-endpoint-service-domain-name.js.snapshot/tree.json

Lines changed: 1 addition & 1 deletion

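--- a/packages/aws-cdk-lib/aws-route53/lib/vpc-endpoint-service-domain-name.ts
+++ b/packages/aws-cdk-lib/aws-route53/lib/vpc-endpoint-service-domain-name.ts
@@ -1,5 +1,6 @@
 import { Construct } from 'constructs';
 import { IVPCEndpointServiceRef } from '../../aws-ec2';
+import * as iam from '../../aws-iam';
 import { Fn, Names, Stack } from '../../core';
 import { ValidationError } from '../../core/lib/errors';
 import { md5hash } from '../../core/lib/helpers-internal';
@@ -109,25 +110,28 @@ export class VpcEndpointServiceDomainName extends Construct {
 RemovePrivateDnsName: true,
 },
 };
+const serviceArn = Fn.join(':', [
+'arn',
+Stack.of(this).partition,
+'ec2',
+Stack.of(this).region,
+Stack.of(this).account,
+Fn.join('/', ['vpc-endpoint-service', serviceId]),
+]);
+
 const enable = new AwsCustomResource(this, 'EnableDns', {
 onCreate: enablePrivateDnsAction,
 onUpdate: enablePrivateDnsAction,
 onDelete: removePrivateDnsAction,
-policy: AwsCustomResourcePolicy.fromSdkCalls({
-resources: [
-Fn.join(':', [
-'arn',
-Stack.of(this).partition,
-'ec2',
-Stack.of(this).region,
-Stack.of(this).account,
-Fn.join('/', [
-'vpc-endpoint-service',
-serviceId,
-]),
-]),
-],
-}),
+policy: AwsCustomResourcePolicy.fromStatements([
+new iam.PolicyStatement({
+actions: [
+'ec2:ModifyVpcEndpointServiceConfiguration',
+'vpce:AllowMultiRegion',
+],
+resources: [serviceArn],
+}),
+]),
 // APIs are available in 2.1055.0
 installLatestAwsSdk: false,
 });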

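--- a/packages/aws-cdk-lib/aws-route53/test/vpc-endpoint-service-domain-name.test.ts
+++ b/packages/aws-cdk-lib/aws-route53/test/vpc-endpoint-service-domain-name.test.ts
@@ -1,4 +1,4 @@
-import { Template } from '../../assertions';
+import { Match, Template } from '../../assertions';
 import { IVpcEndpointServiceLoadBalancer, VpcEndpointService } from '../../aws-ec2';
 import { Stack } from '../../core';
 import { PublicHostedZone, VpcEndpointServiceDomainName } from '../lib';
@@ -278,3 +278,44 @@ test('endpoint domain name property equals input domain name', () => {
 });
 expect(dn.domainName).toEqual('name-test.aws-cdk.dev');
 });
+
+test('EnableDns custom resource policy includes vpce:AllowMultiRegion permission scoped to endpoint service', () => {
+// GIVEN
+const testVpces = new VpcEndpointService(stack, 'TestVPCES', {
+vpcEndpointServiceLoadBalancers: [nlb],
+});
+
+// WHEN
+new VpcEndpointServiceDomainName(stack, 'EndpointDomain', {
+endpointService: testVpces,
+domainName: 'my-stuff.aws-cdk.dev',
+publicHostedZone: zone,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+PolicyDocument: {
+Statement: Match.arrayWith([
+Match.objectLike({
+Action: [
+'ec2:ModifyVpcEndpointServiceConfiguration',
+'vpce:AllowMultiRegion',
+],
+Effect: 'Allow',
+Resource: {
+'Fn::Join': Match.arrayWith([
+':',
+Match.arrayWith([
+'arn',
+{ Ref: 'AWS::Partition' },
+'ec2',
+{ Ref: 'AWS::Region' },
+{ Ref: 'AWS::AccountId' },
+]),
+]),
+},
+}),
+]),
+},
+});
+});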
