Created
December 30, 2021 06:21
/* Based on https://stackoverflow.com/questions/65213615/cdk-to-enable-dns-resolution-for-vpcpeering */
import { custom_resources } from 'aws-cdk-lib';
import { aws_ec2 as ec2, aws_iam as iam, aws_logs as logs } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export interface AllowVPCPeeringDNSResolutionProps {
  vpcPeering: ec2.CfnVPCPeeringConnection,
}

export class AllowVPCPeeringDNSResolution extends Construct {
  constructor(scope: Construct, id: string, props: AllowVPCPeeringDNSResolutionProps) {
    super(scope, id);

    // Enable resolution of the remote VPC's private DNS names on both sides of the peering.
    const onCreate: custom_resources.AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true
        }
      },
      // Stable physical ID, so updates modify the resource in place instead of replacing it.
      physicalResourceId: custom_resources.PhysicalResourceId.of(`allowVPCPeeringDNSResolution:${props.vpcPeering.ref}`)
    };
    const onUpdate = onCreate;

    // Switch DNS resolution back off on both sides when the stack is deleted.
    const onDelete: custom_resources.AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false
        }
      },
    };

    const customResource = new custom_resources.AwsCustomResource(this, "allow-peering-dns-resolution", {
      policy: custom_resources.AwsCustomResourcePolicy.fromStatements([
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          // "*" grants the provider's Lambda role this action on every peering connection in the
          // account; the action supports resource-level permissions, so this can be narrowed to
          // the ARN of the one peering connection being modified.
          resources: ["*"],
          actions: [
            "ec2:ModifyVpcPeeringConnectionOptions",
          ]
        }),
      ]),
      logRetention: logs.RetentionDays.ONE_DAY,
      onCreate,
      onUpdate,
      onDelete,
    });
    // The options call can only run once the peering connection itself exists.
    customResource.node.addDependency(props.vpcPeering);
  }
}
Does this work for cross account VPC peering? I tried this with cross account VPC peering and I'm getting this: "User xxxxxxxxx does not have permission to modify the accepter side peering options". Is there anything I may be doing wrong?
For anyone finding this, if the accepter is in another account, this worked for me:

import { AwsSdkCall, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

// peerRoleArn and peeringConnection come from the surrounding stack code (not shown).
const onCreate: AwsSdkCall = {
  service: 'EC2',
  action: 'ModifyVpcPeeringConnectionOptions',
  region: 'us-east-1',
  assumedRoleArn: peerRoleArn,
  parameters: {
    VpcPeeringConnectionId: peeringConnection.ref,
    AccepterPeeringConnectionOptions: {
      AllowDnsResolutionFromRemoteVpc: true,
    },
  },
  physicalResourceId: PhysicalResourceId.of(`allowVPCPeeringDNSResolution-${peeringConnection.ref}`),
};

Change the region as needed. You'll need to do two separate AwsCustomResources, one for the accepter side with the assumedRoleArn and one for the requester side, without assumedRoleArn. Also make sure your AwsCustomResource policy statement has sts:AssumeRole so that it can assume the peer role.
Thanks, that's helpful!