ec2: look up AWS managed Prefix Lists #15115
Comments
There is no current CloudFormation support for this. The guidance I have seen elsewhere is to use a Custom Resource to do the lookup. See the description of #13668 for one example of doing that lookup via a Custom Resource. This is something we could conceivably integrate into the CDK, but it's not clear yet how broad an impact it would have or where it would live. I am unassigning and marking this issue as
We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. In the meantime, I hope the linked workaround helps!
See also #9568.
+1
+1
+1
This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.
+1
+1
+1
+1
+1
+1
Does anyone know if you can reference prefix lists using
+1
+1
+1
+1
This looks like something we might want to add a
+1
+1
If this value is an immutable value for each region, I think it's also conceivable to set it to Region info :)
Related: #24921
Region fact is fine, but I think we should start adding these kind of slowly (never) changing automated look-ups things into
+1
As a workaround until this is implemented properly, I used

```ts
import { IPrefixList, PrefixList } from 'aws-cdk-lib/aws-ec2';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export interface AwsManagedPrefixListProps {
  /**
   * Name of the aws managed prefix list.
   * See: https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists
   * eg. com.amazonaws.global.cloudfront.origin-facing
   */
  readonly name: string;
}

export class AwsManagedPrefixList extends Construct {
  public readonly prefixList: IPrefixList;

  constructor(scope: Construct, id: string, { name }: AwsManagedPrefixListProps) {
    super(scope, id);

    // One SDK call at deploy time; onCreate is not given, so it defaults to the onUpdate call.
    const prefixListId = new AwsCustomResource(this, 'GetPrefixListId', {
      onUpdate: {
        service: '@aws-sdk/client-ec2',
        action: 'DescribeManagedPrefixListsCommand',
        parameters: {
          Filters: [
            {
              Name: 'prefix-list-name',
              Values: [name],
            },
          ],
        },
        physicalResourceId: PhysicalResourceId.of(`${id}-${this.node.addr.slice(0, 16)}`),
      },
      // ec2:Describe* actions do not support resource-level permissions, hence resources: ['*'].
      policy: AwsCustomResourcePolicy.fromStatements([
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ['ec2:DescribeManagedPrefixLists'],
          resources: ['*'],
        }),
      ]),
      // Reads the first match; the deployment fails here if the filter returned no prefix list.
    }).getResponseField('PrefixLists.0.PrefixListId');

    this.prefixList = PrefixList.fromPrefixListId(this, 'PrefixList', prefixListId);
  }
}
```

With example usage:

```ts
const cfOriginFacingPrefixList = new AwsManagedPrefixList(this, 'CloudfrontOriginPrefixList', {
  name: 'com.amazonaws.global.cloudfront.origin-facing',
}).prefixList;
```
+1
+1 - the workaround doesn't work on .NET (see above mention)
+1, We ran into the same issue (also using cdk in dotnet) and used the Custom Resource solution as well:

```csharp
private string GetPrefixListId(string stackId, IEnvironment env, string prefixListName)
{
    var customResourceName = $"{stackId}-GetPrefixListId";
    return new AwsCustomResource(this, "GetPrefixListId", new AwsCustomResourceProps {
        FunctionName = customResourceName,
        LogRetention = RetentionDays.ONE_DAY,
        OnUpdate = new AwsSdkCall {
            Service = "@aws-sdk/client-ec2",
            Action = "DescribeManagedPrefixListsCommand",
            Parameters = new Dictionary<string, object> {
                {
                    "Filters", new Dictionary<string, object>[] {
                        new Dictionary<string, object> {
                            { "Name", "prefix-list-name" },
                            { "Values", new string[] { prefixListName } }
                        }
                    }
                },
            },
            PhysicalResourceId = PhysicalResourceId.Of($"{stackId}-{Node.Addr.Substring(0, 16)}"),
        },
        Policy = AwsCustomResourcePolicy.FromStatements(new[] {
            new PolicyStatement(new PolicyStatementProps {
                Effect = Effect.ALLOW,
                Actions = new[] { "ec2:DescribeManagedPrefixLists" },
                Resources = new[] { "*" }, // ec2:DescribeManagedPrefixLists must be executed against resource *
                // Resource "*" is unavoidable here, so the conditions pin the call to this account and region.
                Conditions = new Dictionary<string, object> {{
                    "StringEquals", new Dictionary<string, string> {
                        { "aws:PrincipalAccount", env.Account },
                        { "aws:RequestedRegion", env.Region }
                    }
                }}
            }),
        }),
    }).GetResponseField("PrefixLists.0.PrefixListId");
}
```

Note that the policy has to use
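An added example, not code from the CDK project or from either commenter above, that models offline what the custom resource in both the TypeScript and the .NET workaround does with the EC2 response, so the failure modes are visible without a deployment. The `prefix-list-name` filter is simulated over a constructed `DescribeManagedPrefixLists` response (IDs and the customer-owned entry are made up), the response is flattened into the dot-separated attribute keys that `getResponseField('PrefixLists.0.PrefixListId')` reads (assumed to match the CDK provider's key format), and the lookup refuses to return an ID when the name matches nothing, matches more than once, or the match is not AWS-owned.

```typescript
// Fields of one DescribeManagedPrefixLists entry that the lookup uses.
interface ManagedPrefixList {
  PrefixListId: string;
  PrefixListName: string;
  AddressFamily: string;
  OwnerId: string;
}

interface DescribeManagedPrefixListsResponse {
  PrefixLists: ManagedPrefixList[];
}

// Constructed sample standing in for one region's DescribeManagedPrefixLists output.
// The IDs and the customer-owned 'team-allowlist' entry are invented for this example.
const SAMPLE_PREFIX_LISTS: ManagedPrefixList[] = [
  { PrefixListId: 'pl-0123456789abcdef0', PrefixListName: 'com.amazonaws.us-east-1.s3', AddressFamily: 'IPv4', OwnerId: 'AWS' },
  { PrefixListId: 'pl-0123456789abcdef1', PrefixListName: 'com.amazonaws.us-east-1.dynamodb', AddressFamily: 'IPv4', OwnerId: 'AWS' },
  { PrefixListId: 'pl-0123456789abcdef2', PrefixListName: 'com.amazonaws.global.cloudfront.origin-facing', AddressFamily: 'IPv4', OwnerId: 'AWS' },
  { PrefixListId: 'pl-0123456789abcdef3', PrefixListName: 'team-allowlist', AddressFamily: 'IPv4', OwnerId: '111122223333' },
];

// Name of the gateway-endpoint prefix lists the issue asks about (region-specific;
// the CloudFront list is global and is named differently).
function managedPrefixListName(service: 's3' | 'dynamodb', region: string): string {
  return `com.amazonaws.${region}.${service}`;
}

// The request parameters both workarounds send: a single prefix-list-name filter.
function describeParams(name: string) {
  return { Filters: [{ Name: 'prefix-list-name', Values: [name] }] };
}

// Stand-in for the EC2 call: applies the prefix-list-name filter as an exact match over
// the sample. Assumption made only so the example runs offline; it is not the SDK.
function simulateDescribe(
  lists: ManagedPrefixList[],
  params: ReturnType<typeof describeParams>,
): DescribeManagedPrefixListsResponse {
  const wanted = new Set(params.Filters[0].Values);
  return { PrefixLists: lists.filter((pl) => wanted.has(pl.PrefixListName)) };
}

// AwsCustomResource exposes the SDK response as flattened, dot-separated attributes, which is
// why getResponseField('PrefixLists.0.PrefixListId') works. Assumed to mirror that key format.
function flattenResponse(value: unknown, prefix = '', out: Record<string, string> = {}): Record<string, string> {
  if (value !== null && typeof value === 'object') {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      flattenResponse(v, prefix ? `${prefix}.${k}` : k, out);
    }
  } else if (prefix) {
    out[prefix] = String(value);
  }
  return out;
}

// Equivalent of getResponseField: an absent key is a hard failure. That is what the stack
// hits when the filter matched nothing, because an empty PrefixLists array has no index 0.
function responseField(flat: Record<string, string>, path: string): string {
  const v = flat[path];
  if (v === undefined) throw new Error(`response has no field ${path}`);
  return v;
}

// The lookup with the checks the raw custom resource does not perform.
function lookupManagedPrefixListId(lists: ManagedPrefixList[], name: string): string {
  const resp = simulateDescribe(lists, describeParams(name));
  const hits = resp.PrefixLists;
  if (hits.length === 0) throw new Error(`no prefix list named ${name} in this region`);
  if (hits.length > 1) throw new Error(`prefix list name ${name} is ambiguous (${hits.length} matches)`);
  // Defensive: the filter is on name only, so insist the match is AWS-owned before trusting it.
  if (hits[0].OwnerId !== 'AWS') throw new Error(`prefix list ${name} is owned by ${hits[0].OwnerId}, not AWS`);
  return responseField(flattenResponse(resp), 'PrefixLists.0.PrefixListId');
}
```

The case to notice is the no-match one: with the raw `AwsCustomResource`, a misspelled name or a region that has no such list surfaces only as a missing response field at deploy time, so it is worth validating the name (and pinning the region, as the `aws:RequestedRegion` condition in the .NET variant does) before the stack depends on index 0.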
+1
+1
We are going to implement the workaround above but have a slightly different use case of needing to look up prefix lists by name. Only the ID is available at the moment, which varies between accounts, regions, etc. It would be good to know if a
+1
There is currently no way to look up the IP of an AWS-managed Prefix List (i.e. those for S3 and DynamoDB).
Use Case
In order to use an S3 or DynamoDB Gateway endpoint with a Security Group which allows only specific outbound access, it is necessary to look up the com.amazonaws.<region>.s3 or com.amazonaws.<region>.dynamodb Prefix List's ID. This is currently not possible.
Proposed Solution
Add the ability to look up a Prefix List by prefix list ID. I don't know if this requires changes in CloudFormation.
This is a 🚀 Feature Request