(aws-ec2): SubnetSelection Returns - Error: Cannot create a VPC Endpoint with no subnets #32460
zachaws opened this issue Dec 10, 2024 · 5 comments
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. effort/medium Medium work item – several days of effort p1
zachaws commented Dec 10, 2024

Describe the bug

When creating an Interface VPC Endpoint and using the availabilityZones filter on the subnets property, you will get an "Error: Cannot create a VPC Endpoint with no subnets" message when no context is present in cdk.context.json.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

The availabilityZones is a property of the SubnetSelection interface. The expectation here is that setting an availability zone will filter all the subnets and only specify the ones that match that availability zone.

Current Behavior

Currently, the following validation error is being returned: "Error: Cannot create a VPC Endpoint with no subnets."

Reproduction Steps

Using the following code snippet, perform a cdk synth and ensure your cdk.context.json file is empty.

const vpc = new ec2.Vpc(this, 'ReplicationVPC', {
  maxAzs: 3,
  cidr: '10.0.0.0/16',
  subnetConfiguration: [
    {
      cidrMask: 24,
      name: 'Public',
      subnetType: ec2.SubnetType.PUBLIC,
    },
    {
      cidrMask: 24,
      name: 'Private Egress',
      subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS,
    },
    {
      cidrMask: 24,
      name: 'Private Isolated',
      subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
    },
  ],
});

const InterfaceEndpoint = new ec2.InterfaceVpcEndpoint(this, 'Replication Endpoint', {
  vpc: vpc,
  service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
  subnets: {
    availabilityZones: ["us-east-1a"]
  }
});

Possible Solution

No response

Additional Information/Context

When creating the VPC, use the availabilityZones property instead of the maxAzs property. When the VPC is created using the availabilityZones property, this error does not occur.

Testing with other constructs that implement the SubnetSelection interface, I confirmed that with an empty cdk.context.json and specifying the availabilityZones property, no subnets will be returned.

CDK CLI Version

2.171.0

Framework Version

No response

Node.js Version

v22.2.0

OS

macOS

Language

TypeScript

Language Version

No response

Other information

No response

@zachaws zachaws added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Dec 10, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Dec 10, 2024
@khushail khushail changed the title InterfaceVpcEndpoint: SubnetSelection Returns - Error: Cannot create a VPC Endpoint with no subnets (aws-ec2): SubnetSelection Returns - Error: Cannot create a VPC Endpoint with no subnets Dec 10, 2024

ashishdhingra commented Dec 10, 2024

Reproducible after running cdk context --clear. Temporarily using the availabilityZones property (matching the region of the currently configured AWS credentials) populates cdk.context.json as below (as an example):

{
  "availability-zones:account=<<ACCOUNT-ID>>:region=us-east-2": [
    "us-east-2a",
    "us-east-2b",
    "us-east-2c"
  ]
}

Thereafter, reverting to use maxAzs property works fine.

The error occurs when defining InterfaceEndpoint with availabilityZones filter and cdk.context.json is empty:

const InterfaceEndpoint = new ec2.InterfaceVpcEndpoint(this, 'Replication Endpoint', {
  vpc: vpc,
  service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER,
  subnets: {
    availabilityZones: ["us-east-1a"]
  }
});

@ashishdhingra ashishdhingra added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Dec 10, 2024

pahud commented Dec 11, 2024

internal: P176585888

@pahud pahud added p1 and removed p2 labels Dec 11, 2024

internal: P176585888

Thanks @pahud for reviewing the priority.

@GavinZZ GavinZZ self-assigned this Dec 11, 2024

GavinZZ commented Dec 31, 2024

Hello, thanks for creating an issue. I deep-dived into this problem and here are my findings:

Summary

In your example, you specified the availability zone for the VPC endpoint, so CDK filters your subnets to those that match the availability zone in this line. What happened was that CDK was not able to find a subnet that matches the availability zone and thus returned the error message that you saw.

Possible reason

If your CDK stack specifies the AWS account and region and they are not unresolved values, CDK will look for the context value below in your cdk.context.json file to determine the availability zones of the subnets you create; otherwise this value is a token during synthesis and only becomes an actual value during deployment.

"availability-zones:account=<account_id>:region=<region>": [
  "us-west-2a",
  "us-west-2b",
  "us-west-2c",
  "us-west-2d"
]

This will allow CDK to determine the availability zone of the subnets created.

On the other hand, if your CDK stack is region and account agnostic (i.e. CDK can't determine the stack region or account), it will look for context value aws:cdk:availability-zones:fallback to determine the availability zone.

Workaround

You can either use the method mentioned by @ashishdhingra to reset the availability zone context values, or you can manually specify the context value by adding the following to your cdk.context.json file.

"availability-zones:account=<account_id>:region=<region>": [
  "us-west-2a",
  "us-west-2b",
  "us-west-2c",
  "us-west-2d"
],
"aws:cdk:availability-zones:fallback": [
  "us-west-2a",
  "us-west-2b",
  "us-west-2c",
  "us-west-2d"
]

I'm going to mark this issue as resolved; feel free to reopen this or create a new issue if you have additional questions or need additional support. Happy new year!
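As an added example (not code from the aws-cdk project or from anyone in this thread), the following pre-synth check models the context lookup described above: the account/region key when the stack env is concrete, the aws:cdk:availability-zones:fallback key otherwise. It reports which AZs in a SubnetSelection availabilityZones filter cannot match any subnet, which is the condition behind the "Cannot create a VPC Endpoint with no subnets" error. It is a stand-alone model of the lookup, not CDK's own provider machinery, and the account id and AZ lists are constructed sample values.

```typescript
// Added example: a pre-synth check for the availabilityZones filter of a
// SubnetSelection against the AZs recorded in cdk.context.json.
// Models the lookup described in the issue; not the aws-cdk implementation.

type CdkContext = Record<string, unknown>;
type StackEnv = { account: string; region: string };

const FALLBACK_KEY = 'aws:cdk:availability-zones:fallback';

// Context key CDK uses once account and region are concrete (format as shown
// in the comments above).
function azContextKey(account: string, region: string): string {
  return `availability-zones:account=${account}:region=${region}`;
}

// Resolve the AZ list: the account/region entry for a concrete env, the
// fallback entry for an env-agnostic stack, and [] when the key is missing
// (the state of an empty cdk.context.json).
function resolveAvailabilityZones(context: CdkContext, env?: StackEnv): string[] {
  const key = env ? azContextKey(env.account, env.region) : FALLBACK_KEY;
  const value = context[key];
  return Array.isArray(value)
    ? value.filter((v): v is string => typeof v === 'string')
    : [];
}

// AZs named in a SubnetSelection filter that no subnet of the VPC can be in,
// because they are absent from the resolved AZ list. A non-empty result means
// synth would fail with "no subnets" for that endpoint.
function unmatchedAvailabilityZones(
  context: CdkContext,
  requested: string[],
  env?: StackEnv,
): string[] {
  const available = new Set(resolveAvailabilityZones(context, env));
  return requested.filter((az) => !available.has(az));
}

// Constructed samples: the empty context from the issue and a populated one
// with a placeholder account id.
const sampleEnv: StackEnv = { account: '111111111111', region: 'us-east-1' };
const emptyContext: CdkContext = {};
const populatedContext: CdkContext = {
  [azContextKey(sampleEnv.account, sampleEnv.region)]: ['us-east-1a', 'us-east-1b', 'us-east-1c'],
};
```

Running unmatchedAvailabilityZones over the stack's context before cdk synth surfaces the empty-context case, and also the quieter case where a filter names an AZ the VPC does not span.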

@GavinZZ GavinZZ closed this as completed Dec 31, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 31, 2024