feat(aws-ec2): add VPC context provider #1168
Conversation
Add a context provider for looking up existing VPCs in an account. This is useful if the VPC is defined outside of your CDK app, such as in a different CDK app, by hand or in a CloudFormation template. Addresses some need of #1095.
rix0rrr
force-pushed
the
huijbers/vpc-context
branch
from
89d5266
to
631eeb1
Compare
packages/@aws-cdk/aws-ec2/README.md
Outdated
| #### Sharing VPCs across stacks | ||
|
|
||
| If you are creating multiple `Stack`s inside the same CDK application, | ||
| you can reuse a VPC from one Stack in another by using `export()` and |
There was a problem hiding this comment.
No, I don't think that's correct.
| @@ -0,0 +1,21 @@ | |||
| export const VPC_PROVIDER = 'vpc-provider'; | |||
|
|
|||
| export interface VpcContextQuery { | |||
| const tags: {[key: string]: string} | undefined = args.tags; | ||
| const isDefault: boolean | undefined = args.isDefault; | ||
|
|
||
| // Builter request filter |
|
|
||
| // Builter request filter | ||
| const filters: AWS.EC2.Filter[] = []; | ||
| if (vpcId) { filters.push({ Name: 'vpc-id', Values: [vpcId] }); } |
There was a problem hiding this comment.
Why not just expose the filters API in the context provider API and move the logic of building the filters to the construct library?
There was a problem hiding this comment.
@rix0rrr might still be recovering from when I used the word filter and he really didn't like it, but this context is different and I won't give him too hard a time if filter comes back.
There was a problem hiding this comment.
I guess I wanted as narrow an API as possible. But yeah, I suppose it makes it easier to add features in the future.
There was a problem hiding this comment.
Just feels like we can expose this to the user and give them more power without sacrificing too much usability (maybe we can add a bunch of sugar methods for the common use cases)
| azs.sort(); | ||
|
|
||
| const subnets: Subnet[] = listedSubnets.map(subnet => { | ||
| let type = getTag('aws-cdk:SubnetType', subnet.Tags); |
There was a problem hiding this comment.
I think we try to standardize around something like aws:cdk:subnet-type
There was a problem hiding this comment.
can we set an aws: tag? or does it have to be aws-cdk?
There was a problem hiding this comment.
Don't believe we can set the aws: tag.
| // - Type tag, we tag subnets with their type | ||
| // - Name tag, we tag subnets with their subnet group name | ||
| // - MapPublicIpOnLaunch in absence of tags => must be a Public subnet, anything else is either Isolated or Private | ||
|
|
There was a problem hiding this comment.
Also mention that"type" is used as a name if we don't have a name tag
There was a problem hiding this comment.
The actual source of truth for this is the route table. I was thinking the logic would be check for our Type tag and trust that CDK is the source of truth if it exists. If that is not there pull the route tables. If a route exists to an IGW (public), only NAT (private), neither (isolated). Yes there are egress only gateways and I'm not sure if those are public or private, my vote is private.
There was a problem hiding this comment.
I know, but that seemed like overcomplicating.
So for non-CDK-exported VPCs we only support public/private nets, for CDK-exported VPCs we support isolated subnets as well. Seems like a fair compromise.
There was a problem hiding this comment.
I happen to know my legacy VPCs do not set MapPublicIpOnLaunch to true for public subnets. I'm not positive if it was a secure by default argument or a non-repudiation (the non EIP public IPs are never in Cloud Trail). I do agree this is more complicated, and if we launch without it and let the community drive the request I'm probably ok.
There was a problem hiding this comment.
I would argue in those cases you can always add the tags manually.
| const SUBNETTYPE_TAG = 'aws-cdk:SubnetType'; | ||
| const SUBNETNAME_TAG = 'aws-cdk:SubnetName'; | ||
|
|
||
| function subnetTypeTagValue(type: SubnetType) { |
There was a problem hiding this comment.
This makes me think we should have used String enums for this type.
There was a problem hiding this comment.
Maybe so. It's not too onerous to have this function I think.
|
|
||
| // Builter request filter | ||
| const filters: AWS.EC2.Filter[] = []; | ||
| if (vpcId) { filters.push({ Name: 'vpc-id', Values: [vpcId] }); } |
There was a problem hiding this comment.
@rix0rrr might still be recovering from when I used the word filter and he really didn't like it, but this context is different and I won't give him too hard a time if filter comes back.
| // - Type tag, we tag subnets with their type | ||
| // - Name tag, we tag subnets with their subnet group name | ||
| // - MapPublicIpOnLaunch in absence of tags => must be a Public subnet, anything else is either Isolated or Private | ||
|
|
There was a problem hiding this comment.
The actual source of truth for this is the route table. I was thinking the logic would be check for our Type tag and trust that CDK is the source of truth if it exists. If that is not there pull the route tables. If a route exists to an IGW (public), only NAT (private), neither (isolated). Yes there are egress only gateways and I'm not sure if those are public or private, my vote is private.
| azs.sort(); | ||
|
|
||
| const subnets: Subnet[] = listedSubnets.map(subnet => { | ||
| let type = getTag('aws-cdk:SubnetType', subnet.Tags); |
There was a problem hiding this comment.
can we set an aws: tag? or does it have to be aws-cdk?
| /** | ||
| * Group subnets of the same type together, and order by AZ | ||
| */ | ||
| function groupSubnets(subnets: Subnet[]): SubnetGroups { |
There was a problem hiding this comment.
It's not even optional :)
| Purpose: 'WebServices' | ||
| } | ||
| }); | ||
| const vpc = VpcNetworkRef.import(this, 'VPC', provider.vpcProps); |
There was a problem hiding this comment.
Should we also include the VpcNetwork.importFromContext usage in this example?
|
|
||
| /** | ||
| * Properties for looking up an existing VPC. | ||
| * |
There was a problem hiding this comment.
Reference AWS docs page that describes the query API
| } | ||
|
|
||
| // These values will be used to recover the config upon provider import |
There was a problem hiding this comment.
Mention the name of the context provider class here
| * Query region | ||
| */ | ||
| region?: string; | ||
|
|
There was a problem hiding this comment.
It's not, though I suppose I could model it differently.
| * Query region | ||
| */ | ||
| region?: string; | ||
|
|
There was a problem hiding this comment.
I would put this under filters: any[] to avoid the need to define this in 100% places.
|
|
||
| // Builter request filter | ||
| const filters: AWS.EC2.Filter[] = []; | ||
| if (vpcId) { filters.push({ Name: 'vpc-id', Values: [vpcId] }); } |
There was a problem hiding this comment.
Just feels like we can expose this to the user and give them more power without sacrificing too much usability (maybe we can add a bunch of sugar methods for the common use cases)
Add a context provider for looking up existing VPCs in an account. This
is useful if the VPC is defined outside of your CDK app, such as in a
different CDK app, by hand or in a CloudFormation template.
Addresses some need of #1095.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.