
ec2: look up AWS managed Prefix Lists #15115

Open
1 of 2 tasks
alanraison opened this issue Jun 14, 2021 · 32 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@alanraison
Contributor

alanraison commented Jun 14, 2021

There is currently no way to look up the IP of an AWS-managed Prefix List (i.e. those for S3 and DynamoDB).

Use Case

In order to use an S3 or DynamoDB Gateway endpoint with a Security Group which allows only specific outbound access, it is necessary to look up the com.amazonaws.<region>.s3 or com.amazonaws.<region>.dynamodb Prefix List's ID. This is currently not possible.

Proposed Solution

Add the ability to look up a Prefix List by prefix list ID. I don't know if this requires changes in Cloudformation.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@alanraison alanraison added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Jun 14, 2021
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jun 14, 2021
@alanraison alanraison changed the title (ec2): look up AWS managed Prefix Lists ec2: look up AWS managed Prefix Lists Jun 14, 2021
@njlynch njlynch added effort/medium Medium work item – several days of effort p2 and removed needs-triage This issue or PR still needs to be triaged. labels Jun 22, 2021
@njlynch njlynch removed their assignment Jun 22, 2021
@njlynch
Contributor

njlynch commented Jun 22, 2021

There is no current CloudFormation support for this. The guidance I have seen elsewhere is to use a Custom Resource to do the lookup. See the description of #13668 for one example of doing that lookup via a Custom Resource.

This is something we could conceivably integrate into the CDK, but it's not clear yet how broad an impact it would have or where it would live. I am unassigning and marking this issue as p2, which means that we are unable to work on this immediately.

We use +1s to help prioritize our work, and are happy to re-evaluate this issue based on community feedback. You can reach out to the cdk.dev community on Slack to solicit support for reprioritization. In the meantime, I hope the linked workaround helps!

@ramiro

ramiro commented Oct 21, 2021

See also #9568.

@markoperich

+1

@havenith

havenith commented Dec 3, 2021

+1

@gottschalkj-fmr

+1

@github-actions github-actions bot added p1 and removed p2 labels Jul 7, 2022
@github-actions

github-actions bot commented Jul 7, 2022

This issue has received a significant amount of attention so we are automatically upgrading its priority. A member of the community will see the re-prioritization and provide an update on the issue.

@comcalvi comcalvi assigned comcalvi and unassigned comcalvi Jul 12, 2022
@falkvonohlen

+1

@igormukhin

+1

@tisauro

tisauro commented Sep 7, 2022

+1

@elginlam-amazon

+1

@markrekveld

+1

@MrArnoldPalmer MrArnoldPalmer added p2 and removed p1 labels Jan 27, 2023
@dennisschaaf

+1

@mvs5465

mvs5465 commented Mar 9, 2023

Does anyone know if you can reference prefix lists using CfnResourceShare?

@acatala-sistrol

+1

@antoniordz96

+1

@mrgum

mrgum commented Apr 13, 2023

+1

@VitalyUsik

+1

@corymhall
Contributor

This looks like something for which we might want to add a fromLookup method that uses synth-time lookups.

@cjkent

cjkent commented Jun 13, 2023

+1

@deepak3082

+1

@WinterYukky
Contributor

If this value is an immutable value for each region, I think it's also conceivable to set it to Region info :)
https://docs.aws.amazon.com/cdk/api/v2/docs/region-info-readme.html

@sotoiwa

sotoiwa commented Jun 28, 2023

Related: #24921

@mrgrain
Contributor

mrgrain commented Jul 14, 2023

Region fact is fine, but I think we should start adding these kinds of slowly (never) changing automated look-up things into
https://github.com/cdklabs/awscdk-service-spec so it can be re-used here.

@bericp1

bericp1 commented Jul 27, 2023

+1

@cogwirrel
Member

As a workaround until this is implemented properly, I used AwsCustomResource to achieve the same result. Sharing it here in case it's useful :)

import { IPrefixList, PrefixList } from 'aws-cdk-lib/aws-ec2';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { AwsCustomResource, AwsCustomResourcePolicy, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';
import { Construct } from 'constructs';

export interface AwsManagedPrefixListProps {
  /**
   * Name of the aws managed prefix list.
   * See: https://docs.aws.amazon.com/vpc/latest/userguide/working-with-aws-managed-prefix-lists.html#available-aws-managed-prefix-lists
   * eg. com.amazonaws.global.cloudfront.origin-facing
   */
  readonly name: string;
}

export class AwsManagedPrefixList extends Construct {
  public readonly prefixList: IPrefixList;

  constructor(scope: Construct, id: string, { name }: AwsManagedPrefixListProps) {
    super(scope, id);

    const prefixListId = new AwsCustomResource(this, 'GetPrefixListId', {
      onUpdate: {
        service: '@aws-sdk/client-ec2',
        action: 'DescribeManagedPrefixListsCommand',
        parameters: {
          Filters: [
            {
              Name: 'prefix-list-name',
              Values: [name],
            },
          ],
        },
        physicalResourceId: PhysicalResourceId.of(`${id}-${this.node.addr.slice(0, 16)}`),
      },
      policy: AwsCustomResourcePolicy.fromStatements([
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ['ec2:DescribeManagedPrefixLists'],
          resources: ['*'],
        }),
      ]),
    }).getResponseField('PrefixLists.0.PrefixListId');

    this.prefixList = PrefixList.fromPrefixListId(this, 'PrefixList', prefixListId);
  }
}

With example usage:

const cfOriginFacingPrefixList = new AwsManagedPrefixList(this, 'CloudfrontOriginPrefixList', {
  name: 'com.amazonaws.global.cloudfront.origin-facing',
}).prefixList;

@danib-ntt-sky

+1

@werebear73-tritelph

+1 - the workaround doesn't work on .NET (see above mention)

@ggzik-copperleaf

+1, we ran into the same issue (also using cdk in dotnet) and used the Custom Resource solution as well:

private string GetPrefixListId(string stackId, IEnvironment env, string prefixListName)
{
    var customResourceName = $"{stackId}-GetPrefixListId";
    return new AwsCustomResource(this, "GetPrefixListId", new AwsCustomResourceProps {
        FunctionName = customResourceName,
        LogRetention = RetentionDays.ONE_DAY,
        OnUpdate = new AwsSdkCall {
            Service = "@aws-sdk/client-ec2",
            Action = "DescribeManagedPrefixListsCommand",
            Parameters = new Dictionary<string, object> {
                {
                    "Filters", new Dictionary<string, object>[] {
                        new Dictionary<string, object> {
                            { "Name", "prefix-list-name" },
                            { "Values", new string[] { prefixListName } }
                        }
                    }
                },
            },
            PhysicalResourceId = PhysicalResourceId.Of($"{stackId}-{Node.Addr.Substring(0, 16)}"),
        },
        Policy = AwsCustomResourcePolicy.FromStatements(new[] {
            new PolicyStatement(new PolicyStatementProps {
                Effect = Effect.ALLOW,
                Actions = new[] { "ec2:DescribeManagedPrefixLists" },
                Resources = new[] { "*" }, // ec2:DescribeManagedPrefixLists must be executed against resource *
                Conditions = new Dictionary<string, object> {{
                    "StringEquals", new Dictionary<string, string> {
                        { "aws:PrincipalAccount", env.Account },
                        { "aws:RequestedRegion", env.Region }
                    }
                }}
            }),
        }),
    }).GetResponseField("PrefixLists.0.PrefixListId");
}

Note that the policy has to use Resource: * because that is the only resource ec2:DescribeManagedPrefixLists supports, so to make it a bit more secure we added conditions to scope the action down to within our account.
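Both custom-resource workarounds above (the TypeScript one and the .NET port) hand CDK whatever sits at PrefixLists.0.PrefixListId, and AwsCustomResource cannot run extra logic on the response, so any validation belongs in a hand-written custom-resource handler. The block below is an added TypeScript example of that validation, not code from this issue or from aws-cdk-lib; the response shape, the OwnerId value "AWS" for AWS-managed lists, and the sample IDs are assumptions modelled on the EC2 DescribeManagedPrefixLists output.

```typescript
// Added example, not part of the posted workarounds: checks a hand-written
// custom-resource handler could apply to a DescribeManagedPrefixLists response
// before returning the ID to CDK. Only the fields used here are modelled; the
// OwnerId "AWS" for AWS-managed lists is an assumption. Sample data is constructed.
export interface ManagedPrefixList {
  PrefixListId: string;
  PrefixListName: string;
  OwnerId: string;
  State: string;
}

export interface DescribeManagedPrefixListsResponse {
  PrefixLists: ManagedPrefixList[];
}

/** Reject names that cannot resolve in `region`, e.g. an S3 list of another region. */
export function checkManagedPrefixListName(name: string, region: string): void {
  const parts = name.split('.');
  if (parts.length < 4 || parts[0] !== 'com' || parts[1] !== 'amazonaws') {
    throw new Error(`not an AWS-managed prefix list name: ${name}`);
  }
  if (parts[2] !== 'global' && parts[2] !== region) {
    throw new Error(`${name} belongs to ${parts[2]}; the stack deploys to ${region}`);
  }
}
/**
 * Select the ID for `name`. Unlike `PrefixLists.0.PrefixListId`, an empty or
 * non-AWS-owned result produces an explicit error instead of an undefined ID.
 */
export function selectManagedPrefixListId(
  resp: DescribeManagedPrefixListsResponse,
  name: string,
  region: string,
): string {
  checkManagedPrefixListName(name, region);
  const matches = resp.PrefixLists.filter(
    (pl) => pl.PrefixListName === name && pl.OwnerId === 'AWS' && pl.State === 'create-complete',
  );
  if (matches.length !== 1) {
    throw new Error(`expected one AWS-managed list named ${name}, got ${matches.length}`);
  }
  return matches[0].PrefixListId;
}

// Constructed sample response, shaped like the EC2 API output for eu-west-1.
export const SAMPLE: DescribeManagedPrefixListsResponse = {
  PrefixLists: [{ PrefixListId: 'pl-0123456789abcdef0', PrefixListName: 'com.amazonaws.eu-west-1.s3',
    OwnerId: 'AWS', State: 'create-complete' }],
};
```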

@zvonimir-bednarcik

+1

@isunli

isunli commented Feb 26, 2024

+1

@alexbaileymembr

We are going to implement the workaround above but have a slightly different use case of needing to look up prefix lists by name. Only ID is available at the moment, which varies between accounts, regions, etc. It would be good to know if a FromLookup or FromName option at Synth time is the way to go. If it is, then I'd feel more comfortable taking a stab at this.

@carlo-vassallo

+1
