Skip to content

Commit

Permalink
fix(ec2): fixing vpc endpoint pattern for ecr and ecr docker (aws#31434)
Browse files Browse the repository at this point in the history
### Issue # (if applicable)

Closes #.
Internal Tracking ticket P150271569

### Reason for this change

Expected Endpoints for ECR in some isolated regions are as below

gov.ic.hci.csp.us-isof-name.ecr.api,
gov.ic.hci.csp.us-isof-name.ecr.dkr,
uk.adc-e.cloud.eu-isoe-name.ecr.api,
 uk.adc-e.cloud.eu-isoe-name.ecr.dkr,

### Description of changes

As discussed with the ECR Service team, endpoints for the service are being generated in reverse order of the domain suffix.
Since some of the endpoints for other services are still using `com.amazonaws` , added fix only for the partitions and service(ECR) flagged.
 
Cannot do for cn regions on the basis of suffix as both regions have different services under exceptions.

### Description of how you validated changes

Added unit test for validation of endpoint, keeping the region names as `us-isoe-test-1` as the regions are in build stage and could be confidential.

No changes to integration test as the fix is for isolated regions.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
  • Loading branch information
shikha372 authored Sep 17, 2024
1 parent b6ad97f commit 95c49ab
Show file tree
Hide file tree
Showing 2 changed files with 46 additions and 1 deletion.
16 changes: 15 additions & 1 deletion packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import { ISubnet, IVpc, SubnetSelection } from './vpc';
import * as iam from '../../aws-iam';
import * as cxschema from '../../cloud-assembly-schema';
import { Aws, ContextProvider, IResource, Lazy, Resource, Stack, Token } from '../../core';
import { PARTITION_MAP } from '../../region-info/build-tools/fact-tables';

/**
* A VPC endpoint.
Expand Down Expand Up @@ -666,8 +667,21 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ
'redshift', 'redshift-data', 's3', 'sagemaker.api', 'sagemaker.featurestore-runtime', 'sagemaker.runtime', 'securityhub',
'servicecatalog', 'sms', 'sqs', 'states', 'sts', 'sync-states', 'synthetics', 'transcribe', 'transcribestreaming', 'transfer',
'workspaces', 'xray'],
'us-isof-': ['ecr.api', 'ecr.dkr'],
'eu-isoe-': ['ecr.api', 'ecr.dkr'],
};
if (VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name)) {

const regionPartition = region.split('-').slice(0, 2).join('-');
const partitionDetails = PARTITION_MAP[`${regionPartition}-`];

// Check for specific service name under isolated region prefix
const serviceInExceptions = VPC_ENDPOINT_SERVICE_EXCEPTIONS[`${regionPartition}-`]?.includes(name);

if (serviceInExceptions) {
// Endpoints generated in reverse of domain suffix for the services mentioned in map
const reverseString = partitionDetails.domainSuffix.split('.').reverse().join('.');
return reverseString;
} else if (VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name)) {
return 'cn.com.amazonaws';
} else {
return 'com.amazonaws';
Expand Down
31 changes: 31 additions & 0 deletions packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -694,6 +694,37 @@ describe('vpc endpoint', () => {
});

});

test.each([
['us-isof-test-1', 'gov.ic.hci.csp'],
['eu-isoe-test-1', 'uk.adc-e.cloud'],
['us-east-1', 'com.amazonaws'],
['us-gov-west-1', 'com.amazonaws'],
['cn-northwest-1', 'cn.com.amazonaws'],
['cn-north-1', 'cn.com.amazonaws'],
])('test vpc interface endpoint for ECR can be created correctly in all regions', (region : string, domain: string) => {
//GIVEN
const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: region } });
const vpc = new Vpc(stack, 'VPC');

//WHEN
vpc.addInterfaceEndpoint('ECR Endpoint', {
service: InterfaceVpcEndpointAwsService.ECR,
});

vpc.addInterfaceEndpoint('ECR Docker Endpoint', {
service: InterfaceVpcEndpointAwsService.ECR_DOCKER,
});

//THEN
Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
ServiceName: `${domain}.${region}.ecr.api`,
});
Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
ServiceName: `${domain}.${region}.ecr.dkr`,
});
});

test.each([
['transcribe', InterfaceVpcEndpointAwsService.TRANSCRIBE],
])('test vpc interface endpoint with .cn suffix for %s can be created correctly in China regions', (name: string, given: InterfaceVpcEndpointAwsService) => {
Expand Down

0 comments on commit 95c49ab

Please sign in to comment.