[SES VPC Endpoints] Incorrect Service Name for HTTPS VPC Endpoints #31669

vinmvn opened this issue Oct 5, 2024 · 5 comments
Labels
@aws-cdk/aws-ses Related to Amazon Simple Email Service bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments


vinmvn commented Oct 5, 2024

Describe the bug

When creating SES VPC endpoints using AWS CDK, the generated endpoints are for com.amazonaws.ap-southeast-2.email-smtp, rather than the expected com.amazonaws.ap-southeast-2.email service name, which supports HTTPS for SES.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The SES VPC endpoint generated by the CDK should have the service name com.amazonaws.ap-southeast-2.email, which corresponds to the HTTPS service, not the SMTP service. The SES service endpoint in the CDK is generating an endpoint with com.amazonaws.ap-southeast-2.email-smtp, which is incorrect when HTTPS is intended.

Current Behavior

The code snippet below creates an SES VPC endpoint in CDK, but the generated resource references the com.amazonaws.ap-southeast-2.email-smtp service:

ses_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESEMAILENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.SES,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)

The expected resource should reference com.amazonaws.ap-southeast-2.email, but instead, the output is:

"serviceName": "com.amazonaws.ap-southeast-2.email-smtp"

Reproduction Steps

Both of these CDK code snippets generate the same serviceName (ec2.InterfaceVpcEndpointAwsService.EMAIL_SMTP and ec2.InterfaceVpcEndpointAwsService.SES):

ses_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESSMTPENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.SES,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)
ses_vpc_endpoint = ec2.InterfaceVpcEndpoint(
    self, "SESSMTPENDPOINTTEST",
    vpc=vpc,
    service=ec2.InterfaceVpcEndpointAwsService.EMAIL_SMTP,
    private_dns_enabled=True,
    subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_ISOLATED)
)

Upon synthesis, both resources in the generated CloudFormation stack result in the same serviceName:

"serviceName": "com.amazonaws.ap-southeast-2.email-smtp"

Possible Solution

The CDK should generate the correct service name when ec2.InterfaceVpcEndpointAwsService.SES is used. The service name should point to the HTTPS endpoint com.amazonaws.ap-southeast-2.email, rather than the SMTP service.

Additional Information/Context

No response

CDK CLI Version

2.121.1

Framework Version

No response

Node.js Version

v20.17.0

OS

macOS Sonoma 14.5

Language

Python

Language Version

3.10.13

Other information

No response

@vinmvn vinmvn added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ses Related to Amazon Simple Email Service label Oct 5, 2024
Contributor

pahud commented Oct 6, 2024

public static readonly SES = new InterfaceVpcEndpointAwsService('email-smtp');

This is actually deprecated. I guess we need InterfaceVpcEndpointAwsService.EMAIL but I can't find any document about this. Are you able to provide any links to the document about the HTTPS endpoint?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Oct 6, 2024
Contributor

mazyu36 commented Oct 6, 2024

Based on the documentation, the current email-smtp appears to be correct. The "email" does not exist.

https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

Author

vinmvn commented Oct 6, 2024

Here's the documentation about the HTTPS endpoint: https://docs.aws.amazon.com/general/latest/gr/ses.html


capuns commented Oct 7, 2024

@vinmvn Unfortunately, SES does not support VPC Endpoints for the SES API. The endpoints you mentioned are the public endpoints. In order to use the API, you'd need to use the public endpoint or use the SES SMTP option, which provides a VPCE.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Oct 11, 2024
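
Added example, not part of the issue thread or the CDK code base: a check over a synthesized CloudFormation template that groups VPC endpoints by service name, so a pipeline can see that both enum members discussed above resolve to email-smtp (SMTP only, not the SES HTTPS API). The template fragment, logical IDs and function names are constructed for illustration; the Fn::Join form is the assumed shape for a region-agnostic stack.

```python
import json
from collections import defaultdict

# Constructed template fragment shaped like synthesized output (not taken from the issue).
SAMPLE = json.loads("""
{"Resources": {
  "EndpointFromSes": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
    "ServiceName": "com.amazonaws.ap-southeast-2.email-smtp"}},
  "EndpointFromEmailSmtp": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
    "ServiceName": {"Fn::Join": ["", ["com.amazonaws.", {"Ref": "AWS::Region"}, ".email-smtp"]]}}},
  "Logs": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {"ServiceName": "com.amazonaws.ap-southeast-2.logs"}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
""")


def render(value):
    """Flatten a ServiceName given as a literal, a Ref, or an Fn::Join of those."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and "Ref" in value:
        return "${" + value["Ref"] + "}"
    if isinstance(value, dict) and "Fn::Join" in value:
        sep, parts = value["Fn::Join"]
        return sep.join(render(p) for p in parts)
    raise ValueError(f"unsupported ServiceName form: {value!r}")


def endpoints_by_service(template):
    """Group VPC endpoint logical IDs by service suffix (text after the region)."""
    groups = defaultdict(list)
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::VPCEndpoint":
            continue
        parts = render(res["Properties"]["ServiceName"]).split(".", 3)
        # com.amazonaws.<region>.<service>; keep the full name if it has another shape
        service = parts[3] if len(parts) == 4 else ".".join(parts)
        groups[service].append(logical_id)
    return {svc: sorted(ids) for svc, ids in groups.items()}


def smtp_only_endpoints(template):
    """Endpoints that reach the SES SMTP interface, not the SES HTTPS API."""
    return endpoints_by_service(template).get("email-smtp", [])


if __name__ == "__main__":
    print(endpoints_by_service(SAMPLE))
```
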