
Commit 0dd765e

committed
fix(ec2): add VPC endpoint naming conventions for some isolated regions
Add correct VPC endpoint prefixes for several AWS isolated regions:
- us-iso-east-1, us-iso-west-1: gov.ic.c2s
- us-isob-east-1, us-isob-west-1: gov.sgov.sc2s
- us-isof-south-1, us-isof-east-1: gov.ic.hci.csp

This ensures VPC endpoints are correctly named for services in these isolated regions, matching the actual AWS service endpoint conventions.

Includes comprehensive unit tests using test.each patterns for better maintainability and coverage.
1 parent 90ad834 commit 0dd765e


2 files changed

+135
-0
lines changed

2 files changed

+135
-0
lines changed

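--- a/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
+++ b/packages/aws-cdk-lib/aws-ec2/lib/vpc-endpoint.ts
@@ -849,11 +849,32 @@ export class InterfaceVpcEndpointAwsService implements IInterfaceVpcEndpointServ
 'servicecatalog', 'sms', 'sqs', 'states', 'sts', 'sync-states', 'synthetics', 'transcribe', 'transcribestreaming', 'transfer',
 'workspaces', 'xray'],
 'eusc-de-east-1': ['ecr.dkr', 'ecr.api', 'execute-api', 'securityhub'],
+'us-iso-east-1': ['application-autoscaling', 'athena', 'autoscaling', 'comprehend', 'diode-messaging',
+'diode-messaging-proxy', 'ebs', 'ec2', 'ecr.api', 'ecr.dkr', 'elasticfilesystem', 'elasticfilesystem-fips',
+'execute-api', 'sagemaker.api', 'sagemaker.runtime', 'sns', 'sqs', 'textract', 'textract-fips', 'transcribe',
+'workspaces'],
+'us-iso-west-1': ['autoscaling', 'ebs', 'ec2', 'ecr.api', 'ecr.dkr', 'elasticfilesystem', 'elasticfilesystem-fips',
+'execute-api', 'monitoring', 'sns', 'sqs', 'workspaces'],
+'us-isob-east-1': ['application-autoscaling', 'autoscaling', 'diode-messaging', 'diode-messaging-proxy', 'ebs',
+'ec2', 'ecr.api', 'ecr.dkr', 'elasticfilesystem', 'elasticfilesystem-fips', 'execute-api', 'sagemaker.api',
+'sagemaker.runtime', 'sns', 'sqs', 'workspaces'],
+'us-isob-west-1': ['ecr.api', 'ecr.dkr', 'elasticfilesystem-fips', 'execute-api'],
+'us-isof-south-1': ['ebs', 'ecr.api', 'ecr.dkr', 'execute-api'],
+'us-isof-east-1': ['ebs', 'ecr.api', 'ecr.dkr', 'execute-api'],
 };
 if (VPC_ENDPOINT_SERVICE_EXCEPTIONS[region]?.includes(name)) {
 switch (region) {
 case 'eusc-de-east-1':
 return 'eu.amazonaws';
+case 'us-iso-east-1':
+case 'us-iso-west-1':
+return 'gov.ic.c2s';
+case 'us-isob-east-1':
+case 'us-isob-west-1':
+return 'gov.sgov.sc2s';
+case 'us-isof-south-1':
+case 'us-isof-east-1':
+return 'gov.ic.hci.csp';
 case 'cn-north-1':
 case 'cn-northwest-1':
 return 'cn.com.amazonaws';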
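Review bot: Each new isolated region has to be written twice, once as a key of `VPC_ENDPOINT_SERVICE_EXCEPTIONS` and once as a `case` in the switch below it, and nothing ties the two together: a region present in the map but missing from the switch would fall through to whatever the switch's default is, which is outside this hunk. A wrong prefix produces a service name that presumably does not exist in the partition, so the mistake would surface only when the endpoint is deployed, in regions where the private endpoint may be the only route to the service. I would add a comment above the map such as `// Every region listed here needs a matching case in the switch below; services not listed keep the default prefix.` and, as a follow-up, store the prefix next to each service list so the switch can go. The service lists are a point-in-time snapshot, so a short note on where they were taken from would help whoever updates them. The enclosing method starts and ends outside the hunk.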

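--- a/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts
+++ b/packages/aws-cdk-lib/aws-ec2/test/vpc-endpoint.test.ts
@@ -891,6 +891,120 @@ describe('vpc endpoint', () => {
 });
 });
 
+test.each([
+['us-iso-east-1', 'gov.ic.c2s'],
+['us-iso-west-1', 'gov.ic.c2s'],
+])('test vpc interface endpoint with %s prefix can be created correctly in %s', (region: string, prefix: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECR Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECR,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `${prefix}.${region}.ecr.api`,
+});
+});
+
+test.each([
+['us-iso-east-1'],
+['us-iso-west-1'],
+])('test vpc interface endpoint without gov.ic.c2s prefix can be created correctly in %s', (region: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECS Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECS,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `com.amazonaws.${region}.ecs`,
+});
+});
+
+test.each([
+['us-isob-east-1', 'gov.sgov.sc2s'],
+['us-isob-west-1', 'gov.sgov.sc2s'],
+])('test vpc interface endpoint with %s prefix can be created correctly in %s', (region: string, prefix: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECR Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECR,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `${prefix}.${region}.ecr.api`,
+});
+});
+
+test.each([
+['us-isob-east-1'],
+['us-isob-west-1'],
+])('test vpc interface endpoint without gov.sgov.sc2s prefix can be created correctly in %s', (region: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECS Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECS,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `com.amazonaws.${region}.ecs`,
+});
+});
+
+test.each([
+['us-isof-south-1', 'gov.ic.hci.csp'],
+['us-isof-east-1', 'gov.ic.hci.csp'],
+])('test vpc interface endpoint with %s prefix can be created correctly in %s', (region: string, prefix: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECR Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECR,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `${prefix}.${region}.ecr.api`,
+});
+});
+
+test.each([
+['us-isof-south-1'],
+['us-isof-east-1'],
+])('test vpc interface endpoint without gov.ic.hci.csp prefix can be created correctly in %s', (region: string) => {
+// GIVEN
+const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region } });
+const vpc = new Vpc(stack, 'VPC');
+
+// WHEN
+vpc.addInterfaceEndpoint('ECS Endpoint', {
+service: InterfaceVpcEndpointAwsService.ECS,
+});
+
+// THEN
+Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpoint', {
+ServiceName: `com.amazonaws.${region}.ecs`,
+});
+});
+
 test('test codeartifact vpc interface endpoint in us-west-2', () => {
 // GIVEN
 const stack = new Stack(undefined, 'TestStack', { env: { account: '123456789012', region: 'us-west-2' } });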
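Review bot: The `%s` placeholders in the three "with %s prefix … in %s" titles (new lines 897, 935 and 973) are filled in row order, so the `[region, prefix]` rows produce test names like "with us-iso-east-1 prefix can be created correctly in gov.ic.c2s". Changing the title to `'test vpc interface endpoint in %s can be created correctly with %s prefix'` fixes the reported names without touching the rows. The six blocks also exercise only ECR and ECS, so the per-region differences in the new service lists (for example `monitoring` appearing only for us-iso-west-1, or `ebs` being absent for us-isob-west-1) are not pinned by any assertion. A single table of region, service and expected `ServiceName` rows would cover those cases and remove the duplicated bodies. The enclosing `describe` starts outside the hunk.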
