Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-ec2: Internet Gateway created when public subnets are reserved #28593

Closed
dontirun opened this issue Jan 5, 2024 · 2 comments · Fixed by #28607
Closed

aws-ec2: Internet Gateway created when public subnets are reserved #28593

dontirun opened this issue Jan 5, 2024 · 2 comments · Fixed by #28607
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p2

Comments

@dontirun
Copy link
Contributor

dontirun commented Jan 5, 2024

Describe the bug

An internet gateway is created for a VPC where address space is reserved for public subnets, but the public subnets do not actually exist

Expected Behavior

An internet Gateway is not created for the Vpc when the address space for public subnets are reserved, but no public subnets actually exist

Current Behavior

An internet gateway is created for a VPC where address space is reserved for public subnets, but the public subnets do not actually exist

Reproduction Steps

import * as cdk from 'aws-cdk-lib';
import { SubnetType, Vpc } from 'aws-cdk-lib/aws-ec2';
export class MyStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);
    new Vpc(this, 'vpc', {
      subnetConfiguration: [
        {
          name: 'Isolated',
          subnetType: SubnetType.PRIVATE_ISOLATED,
          cidrMask: 22,
        },
        {
          name: 'Public',
          subnetType: SubnetType.PUBLIC,
          cidrMask: 26,
          reserved: true,
        },
      ],
    });
  }
};
const app = new cdk.App();
new MyStack(app, 'test');
app.synth();

CloudFormation Output

Resources:
  vpcA2121C38:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      InstanceTenancy: default
      Tags:
        - Key: Name
          Value: test/vpc
    Metadata:
      aws:cdk:path: test/vpc/Resource
  vpcIsolatedSubnet1Subnet8B28CEB3:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 0
          - Fn::GetAZs: ""
      CidrBlock: 10.0.0.0/22
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Isolated
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: test/vpc/IsolatedSubnet1
      VpcId:
        Ref: vpcA2121C38
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet1/Subnet
  vpcIsolatedSubnet1RouteTable0D6B2D3D:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: test/vpc/IsolatedSubnet1
      VpcId:
        Ref: vpcA2121C38
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet1/RouteTable
  vpcIsolatedSubnet1RouteTableAssociation172210D4:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: vpcIsolatedSubnet1RouteTable0D6B2D3D
      SubnetId:
        Ref: vpcIsolatedSubnet1Subnet8B28CEB3
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet1/RouteTableAssociation
  vpcIsolatedSubnet2Subnet2C6B375C:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone:
        Fn::Select:
          - 1
          - Fn::GetAZs: ""
      CidrBlock: 10.0.4.0/22
      MapPublicIpOnLaunch: false
      Tags:
        - Key: aws-cdk:subnet-name
          Value: Isolated
        - Key: aws-cdk:subnet-type
          Value: Isolated
        - Key: Name
          Value: test/vpc/IsolatedSubnet2
      VpcId:
        Ref: vpcA2121C38
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet2/Subnet
  vpcIsolatedSubnet2RouteTable3455CBFC:
    Type: AWS::EC2::RouteTable
    Properties:
      Tags:
        - Key: Name
          Value: test/vpc/IsolatedSubnet2
      VpcId:
        Ref: vpcA2121C38
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet2/RouteTable
  vpcIsolatedSubnet2RouteTableAssociation8A8FAF70:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      RouteTableId:
        Ref: vpcIsolatedSubnet2RouteTable3455CBFC
      SubnetId:
        Ref: vpcIsolatedSubnet2Subnet2C6B375C
    Metadata:
      aws:cdk:path: test/vpc/IsolatedSubnet2/RouteTableAssociation
  vpcIGWE57CBDCA:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: test/vpc
    Metadata:
      aws:cdk:path: test/vpc/IGW
  vpcVPCGW7984C166:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId:
        Ref: vpcIGWE57CBDCA
      VpcId:
        Ref: vpcA2121C38
    Metadata:
      aws:cdk:path: test/vpc/VPCGW
  CDKMetadata:
    Type: AWS::CDK::Metadata
    Properties:
      Analytics: v2:deflate64:H4sIAAAAAAAA/02PTQ+CMAyGf4v3MYXExCvhYLwZMFzNGDWWj85sHcQQ/rtDSfDUt0+bp2ki4/gkDzs1ukjXbdRhJaeClW5FQHfQiZzKlxbZg8prJq4WB8VQ+IqAF7il3HiGm6o62PjGUueMRsVoaBlfiMGGhXOQjeq96tcu5XD/2QPxLHJwxlv9df7nzFCNi20WZGqQjdsP4ZH4GH5pHGJkPTH2IPNf/QDK5AK06AAAAA==
    Metadata:
      aws:cdk:path: test/CDKMetadata/Default
    Condition: CDKMetadataAvailable

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.118.0 (build a40f2ec)

Framework Version

No response

Node.js Version

Node.js v18.15.0

OS

Osx

Language

TypeScript

Language Version

No response

Other information

No response
@dontirun dontirun added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jan 5, 2024
@dontirun dontirun changed the title aws-ec2: Internet Gateway created for reserved subnet aws-ec2: Internet Gateway created when public subnets are reserved Jan 5, 2024
@pahud
Copy link
Contributor

pahud commented Jan 5, 2024

Yes it makes sense to me. Thanks for the report.

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 5, 2024
@go-to-k go-to-k mentioned this issue Jan 7, 2024
Merged
@github-actions github-actions bot mentioned this issue Feb 1, 2024
Closed
@mergify mergify bot closed this as completed in #28607 Mar 1, 2024
mergify bot pushed a commit that referenced this issue Mar 1, 2024
@go-to-k
fix(ec2): internet gateway is created even if public subnets are rese…
985c7e4 
…rved (#28607)

This PR fixes that Internet Gateway will be created even if (all) public subnets are reserved.

The `reserved` option is for not actually creating subnet resources. So IGW should not be created if all public subnets are reserved, because there is no public subnets in the VPC.

It would be appropriate to consider the `reserved` option since [we originally did not want to create an IGW if there was no public subnets](https://github.com/aws/aws-cdk/blob/v2.118.0/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L1493-L1497).

Also, if this bug is not fixed, it will go to the [code where the NatGateway is created](https://github.com/aws/aws-cdk/blob/v2.118.0/packages/aws-cdk-lib/aws-ec2/lib/vpc.ts#L1513-L1517) without public subnets. (This will be stopped with another error, but...)

Closes #28593.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

github-actions bot commented Mar 1, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(ec2): internet gateway is created even if public subnets are reserved go-to-k/aws-cdk
2 participants
@pahud @dontirun