[synthetics] Make it possible to set vpcConfig in synthetics.Canary for vpc private API testing #9954

Closed
2 tasks
frjtrifork opened this issue Aug 25, 2020 · 5 comments · Fixed by #18447
Labels
@aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1

Comments

@frjtrifork

frjtrifork commented Aug 25, 2020

When creating a Canary using synthetics.Canary there is no way to set the vpc config which is needed for invocations of VPC-private APIs.

If you create the canary using CfnCanary you can configure the VpcConfig in the https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-synthetics.CfnCanaryProps.html

So there is a workaround, but by using CfnCanary you have to create the role, permission, s3 bucket (artifacts) etc. by hand also - so you end up with a lot of cdk code for even simple canaries.

Use Case

We have a number of VPC private APIs we would like to make canaries for.
Configuring api testing of vpc private api calls without this option when using the synthetics.Canary - and using CfnCanary is quite verbose / easy to get wrong in comparison to having the synthetics.Canary auto-create them.

Proposed Solution

Add vpcConfig option to the synthetics.CanaryProps

Other

If it is not an option to add vpc config to the synthetics.Canary, then please provide an example of how to use the vpc config in the CfnCanary.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@frjtrifork frjtrifork added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Aug 25, 2020
@github-actions github-actions bot added the @aws-cdk/aws-synthetics Related to Amazon CloudWatch Synthetics label Aug 25, 2020
@NetaNir NetaNir added effort/medium Medium work item – several days of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 25, 2020
@1davidmichael
Contributor

Another solution is to use overrides, but it is almost as much work as CfnCanary.

        canary_cfn = canary.node.default_child
        canary_cfn.add_property_override("VPCConfig.VpcId", vpc.vpc_id)

        # Get a list of private subnet id strings
        private_subnet_ids = []
        for subnet in vpc.private_subnets:
            private_subnet_ids.append(subnet.subnet_id)
        canary_cfn.add_property_override("VPCConfig.SubnetIds", private_subnet_ids)
        canary_cfn.add_property_override("VPCConfig.SecurityGroupIds", [canary_sg.security_group_id])

Note that you will also need to configure a role for the Synthetic which has permissions to create Lambdas in a VPC to utilize this.

@nbaillie
Contributor

nbaillie commented Sep 10, 2020

Just to help others, as I had initially made a typo on this and it caused me some delays.

To add the permissions as described above I used:
canary.role.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSLambdaVPCAccessExecutionRole'))
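
The two comments above only work together: the `VPCConfig` override needs subnets and security groups, and the canary's role needs VPC access. The following check over a synthesized template is an added example, not part of the thread or of the CDK project; `check_canaries`, the sample template and its logical ids are assumptions, and it only recognises the managed policy named above, not equivalent inline permissions.

```python
VPC_POLICY = "service-role/AWSLambdaVPCAccessExecutionRole"  # policy named in the thread

def _strings(node):
    """Yield every string nested in a value, e.g. inside Fn::Join."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for value in (node.values() if isinstance(node, dict) else node):
            yield from _strings(value)

def check_canaries(template):
    """Map each AWS::Synthetics::Canary logical id to a list of findings."""
    resources = template.get("Resources", {})
    report = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::Synthetics::Canary":
            continue
        props = res.get("Properties", {})
        vpc = props.get("VPCConfig") or {}
        findings = [f"VPCConfig.{key} is missing or empty"
                    for key in ("SubnetIds", "SecurityGroupIds") if not vpc.get(key)]
        # Assumes the role lives in the same template, referenced as Fn::GetAtt [id, "Arn"].
        ref = props.get("ExecutionRoleArn")
        get_att = ref.get("Fn::GetAtt") if isinstance(ref, dict) else None
        role_id = get_att[0] if isinstance(get_att, list) else None
        role = resources.get(role_id, {}).get("Properties", {})
        if not any(VPC_POLICY in s for s in _strings(role.get("ManagedPolicyArns", []))):
            findings.append("role lacks " + VPC_POLICY)
        report[name] = findings
    return report

# Constructed sample: assumed shape of a synthesized template after the overrides (ids made up).
SAMPLE = {"Resources": {
    "CanaryRole": {"Type": "AWS::IAM::Role", "Properties": {"ManagedPolicyArns": [
        {"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"},
                           ":iam::aws:policy/" + VPC_POLICY]]}]}},
    "BareRole": {"Type": "AWS::IAM::Role", "Properties": {}},
    "GoodCanary": {"Type": "AWS::Synthetics::Canary", "Properties": {
        "ExecutionRoleArn": {"Fn::GetAtt": ["CanaryRole", "Arn"]},
        "VPCConfig": {"VpcId": "vpc-EXAMPLE", "SubnetIds": ["subnet-EXAMPLE"],
                      "SecurityGroupIds": ["sg-EXAMPLE"]}}},
    "HalfCanary": {"Type": "AWS::Synthetics::Canary", "Properties": {
        "ExecutionRoleArn": {"Fn::GetAtt": ["BareRole", "Arn"]},
        "VPCConfig": {"VpcId": "vpc-EXAMPLE", "SubnetIds": ["subnet-EXAMPLE"]}}},
}}

if __name__ == "__main__":
    print(check_canaries(SAMPLE))
```

To use it on a real stack, load the JSON template from `cdk.out` with `json.load` and pass the resulting dict to `check_canaries`.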

@mariomerco

You can also create an instance of CfnCanary.VPCConfigProperty and pass it to the vpc_config property of the CfnCanary:

vpc_config = synthetics.CfnCanary.VPCConfigProperty (
    security_group_ids = ["sg-0715f7256c15ac074"],
    subnet_ids = ["subnet-088d506ff2c332ea55", "subnet-0d1d4e2ba3067d113", "subnet-0099c4e2daa304307"],
    vpc_id = "vpc-09597deba63ce2c57"
)

self.canary.node.default_child.vpc_config = vpc_config

@marius-jakobi

With escape hatches in TypeScript:

const cfnCanary = canary.node.defaultChild as synthetics.CfnCanary

cfnCanary.vpcConfig = {
      vpcId: vpc.vpcId,
      securityGroupIds: [securityGroupId],
      subnetIds: [subnetId]
}

@NetaNir NetaNir removed their assignment Jun 21, 2021
@mergify mergify bot closed this as completed in #18447 Mar 15, 2022
mergify bot pushed a commit that referenced this issue Mar 15, 2022
This PR adds vpc support to synthetics and is a continuation of #11865.

See [Running a canary on a vpc](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_VPC.html).

Fixes #9954

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*