feat(kinesisanalytics-flink): VPC support for Flink applications #24442
Conversation
Looking around the code base vpcSubnets seems to be the most popular name for this property, used by ecs Fargate and Lambda.
github-actions
bot
added
effort/medium
There was a problem hiding this comment.
The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.
A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.
| /** | ||
| * Choose which VPC subnets to use. | ||
| * | ||
| * @default SubnetType.PRIVATE_WITH_EGRESS subnets |
There was a problem hiding this comment.
| * @default SubnetType.PRIVATE_WITH_EGRESS subnets | |
| * @default - SubnetType.PRIVATE_WITH_EGRESS subnets |
| /** | ||
| * Deploy the Flink application in a VPC. | ||
| * | ||
| * @default no VPC |
There was a problem hiding this comment.
| * @default no VPC | |
| * @default - no VPC |
There was a problem hiding this comment.
I just pushed a change which adds hyphens for these kinds of @default phrases to the entire file.
| /** | ||
| * Security groups to use with a provided VPC. | ||
| * | ||
| * @default a new security group is created for this application. |
There was a problem hiding this comment.
| * @default a new security group is created for this application. | |
| * @default - a new security group is created for this application. |
| constructor(scope: Construct, id: string, attrs: { applicationArn: string, applicationName: string }) { | ||
| constructor(scope: Construct, id: string, attrs: { applicationArn: string, securityGroups?: ec2.ISecurityGroup[] }) { |
There was a problem hiding this comment.
why has applicationName been removed?
I'd rather avoid removing this arg entirely, as doing so is a breaking change
There was a problem hiding this comment.
Import is an internal class that has never been exported so I don't think it's a breaking change. I think you may have missed that this code is in the Import class because the diff view isn't wide enough to show the class Import declaration.
There was a problem hiding this comment.
ahh I see, yep I'd missed that. Thanks
| this.applicationName = attrs.applicationName; | ||
| const applicationName = core.Stack.of(scope).splitArn(attrs.applicationArn, core.ArnFormat.SLASH_RESOURCE_NAME).resourceName; | ||
| if (!applicationName) { | ||
| throw new Error(`applicationArn for fromApplicationArn (${attrs.applicationArn}) must include resource name`); | ||
| } | ||
| this.applicationName = applicationName; |
There was a problem hiding this comment.
why are we getting this from the arn now? This worked when it was in the Import class, because that ARN was always an actual ARN. This ARN is almost certainly not an actual string, it's instead a Token, which means we can't validate this at synth time
There was a problem hiding this comment.
Before this code was in the Application.fromApplicationName static method and now it's in the Import constructor. So I think this will still work. I think this is the same code path as before but with a slight refactoring.
Also I have tests for fromApplicationName and applicationArn that didn't change in this PR. Let me know if there is some edge case I'm missing.
|
@comcalvi, thanks for the review! I added some changes to:
And I replied to your comments about the changes to the |
| * @default sum over 5 minutes | ||
| * @default - sum over 5 minutes |
| constructor(scope: Construct, id: string, attrs: { applicationArn: string, applicationName: string }) { | ||
| constructor(scope: Construct, id: string, attrs: { applicationArn: string, securityGroups?: ec2.ISecurityGroup[] }) { |
There was a problem hiding this comment.
ahh I see, yep I'd missed that. Thanks
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
…#24442) The Kinesis Data Analytics team added support for [deploying Flink applications in a VPC](https://docs.aws.amazon.com/kinesisanalytics/latest/java/vpc.html). This feature is also available in CloudFormation. Deploying Flink in a VPC allows the application to reach services like Redis and other databases. This PR adds support for configuring `VpcConfigurations` with `vpcSubets` (subnetSelection) and securityGroups following similar patterns for resources like `lambda.Function` that support optional deployment in a VPC. Some design decisions: - Name the subnet selection prop `vpcSubnets`. Some resources call the subnet selection property `subnetSelection` but `vpcSubnets` seemed more popular and is used by the Lambda and ECS modules. - Only support passing an array of security groups. Some resources support adding a single SecurityGroup or SecurityGroupId properties but it appears this [usage is deprecated](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-lambda/lib/function.ts#L170) in favor of always passing an array of SecurityGroups. - I added a `fromApplicationAttributes` factory that includes `securityGroups`. This seemed like an appropriate time to add this method given there was another property to pass besides ARN and name. However I didn't go down the path of including a role in `fromApplicationAttributes` yet in order to keep this PR focused. - ~~I thought about adding a section to the readme about using VPCs, but I didn't notice a section like that in the [Lambda readme](https://github.com/aws/aws-cdk/blob/main/packages/%40aws-cdk/aws-lambda/README.md) for instance. My current thinking is that the conventions for VPC-bound resources are so consistent it probably doesn't warrant more documentation~~ @aws-cdk-automation did not buy this rational. I'd like to follow-up with a PR to move code into more files as the > 1K lines of code in `application.ts` is getting a little unweildy. I wanted to avoid moving code around in this PR to make it easier to review. Closes aws#21104. ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The Kinesis Data Analytics team added support for deploying Flink applications in a VPC. This feature is also available in CloudFormation. Deploying Flink in a VPC allows the application to reach services like Redis and other databases.
This PR adds support for configuring
VpcConfigurationswithvpcSubets(subnetSelection) and securityGroups following similar patterns for resources likelambda.Functionthat support optional deployment in a VPC.Some design decisions:
vpcSubnets. Some resources call the subnet selection propertysubnetSelectionbutvpcSubnetsseemed more popular and is used by the Lambda and ECS modules.fromApplicationAttributesfactory that includessecurityGroups. This seemed like an appropriate time to add this method given there was another property to pass besides ARN and name. However I didn't go down the path of including a role infromApplicationAttributesyet in order to keep this PR focused.I thought about adding a section to the readme about using VPCs, but I didn't notice a section like that in the Lambda readme for instance. My current thinking is that the conventions for VPC-bound resources are so consistent it probably doesn't warrant more documentation@aws-cdk-automation did not buy this rational.I'd like to follow-up with a PR to move code into more files as the > 1K lines of code in
application.tsis getting a little unweildy. I wanted to avoid moving code around in this PR to make it easier to review.Closes #21104.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license