@lfittl
Created December 30, 2021 06:21
/* Based on https://stackoverflow.com/questions/65213615/cdk-to-enable-dns-resolution-for-vpcpeering */
import { aws_ec2 as ec2, aws_iam as iam, aws_logs as logs, custom_resources } from 'aws-cdk-lib';
import { Construct } from 'constructs';

export interface AllowVPCPeeringDNSResolutionProps {
  vpcPeering: ec2.CfnVPCPeeringConnection,
}

/**
 * CloudFormation has no property for the peering connection's DNS options,
 * so this construct calls EC2 ModifyVpcPeeringConnectionOptions through an
 * AwsCustomResource. Both sides (requester and accepter) are assumed to live
 * in the same account; see the comment below for the cross-account case.
 */
export class AllowVPCPeeringDNSResolution extends Construct {
  constructor(scope: Construct, id: string, props: AllowVPCPeeringDNSResolutionProps) {
    super(scope, id);

    // Enable DNS resolution of the remote VPC's hostnames in both directions.
    const onCreate: custom_resources.AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true
        }
      },
      // Stable physical id tied to the peering connection, so updates do not replace the resource.
      physicalResourceId: custom_resources.PhysicalResourceId.of(`allowVPCPeeringDNSResolution:${props.vpcPeering.ref}`)
    };
    const onUpdate = onCreate;

    // Revert both options on stack deletion.
    const onDelete: custom_resources.AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false
        }
      },
    };

    const customResource = new custom_resources.AwsCustomResource(this, "allow-peering-dns-resolution", {
      // The Lambda behind the custom resource only needs the one EC2 action.
      policy: custom_resources.AwsCustomResourcePolicy.fromStatements([
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          resources: ["*"],
          actions: [
            "ec2:ModifyVpcPeeringConnectionOptions",
          ]
        }),
      ]),
      logRetention: logs.RetentionDays.ONE_DAY,
      onCreate,
      onUpdate,
      onDelete,
    });

    // The API call is only valid once the peering connection exists.
    customResource.node.addDependency(props.vpcPeering);
  }
}
hunoz commented May 3, 2024

For anyone finding this, if the accepter is in another account, this worked for me:

// Imports implied by the snippet; `peerRoleArn` (a role in the accepter
// account) and `peeringConnection` (the CfnVPCPeeringConnection) are
// defined elsewhere in the stack.
import { AwsSdkCall, PhysicalResourceId } from 'aws-cdk-lib/custom-resources';

// Accepter side: run the call under the peer account's role and only touch
// the accepter options.
const onCreate: AwsSdkCall = {
    service: 'EC2',
    action: 'ModifyVpcPeeringConnectionOptions',
    region: 'us-east-1',
    assumedRoleArn: peerRoleArn,
    parameters: {
        VpcPeeringConnectionId: peeringConnection.ref,
        AccepterPeeringConnectionOptions: {
            AllowDnsResolutionFromRemoteVpc: true,
        },
    },
    physicalResourceId: PhysicalResourceId.of(`allowVPCPeeringDNSResolution-${peeringConnection.ref}`),
};

Change the region as needed. You'll need to do two separate AwsCustomResources, one for the accepter side with the assumedRoleArn and one for the requester side, without assumedRoleArn. Also make sure your AwsCustomResource policy statement has sts:AssumeRole so that it can assume the peer role.

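The cross-account layout described in the comment above, worked through as an added example that is not part of the gist or of the commenter's code. It builds the two pairs of SDK calls (requester with the stack's own credentials, accepter via `assumedRoleArn`), the policy statements each `AwsCustomResource` needs (with `sts:AssumeRole` scoped to the one peer role rather than `*`), the trust policy the peer role must carry, and a small pre-deploy check that the two sides are not mixed up. It goes one step beyond the comment by also generating the `onDelete` calls that turn the option back off. The `SdkCall` and `PolicyStatement` interfaces are local stand-ins shaped like `custom_resources.AwsSdkCall` and an IAM statement so the file runs without `aws-cdk-lib`; in a real stack the objects would be passed to `AwsCustomResource` and `physicalResourceId` wrapped in `PhysicalResourceId.of(...)`. The peering id, region and role ARNs used in the usage line are constructed placeholders.

```typescript
// Local stand-in for custom_resources.AwsSdkCall (assumption: only the fields used here).
interface PeeringOptions {
  AllowDnsResolutionFromRemoteVpc: boolean;
}

interface SdkCall {
  service: "EC2";
  action: "ModifyVpcPeeringConnectionOptions";
  region: string;
  assumedRoleArn?: string;
  parameters: {
    VpcPeeringConnectionId: string;
    AccepterPeeringConnectionOptions?: PeeringOptions;
    RequesterPeeringConnectionOptions?: PeeringOptions;
  };
  physicalResourceId: string; // PhysicalResourceId.of(...) in CDK
}

// Plain IAM statement shape; CDK would build this with iam.PolicyStatement.
interface PolicyStatement {
  Effect: "Allow";
  Action: string[];
  Resource: string[];
}

type Side = "requester" | "accepter";

interface SideConfig {
  onCreate: SdkCall;
  onDelete: SdkCall;
  policy: PolicyStatement[];
}

interface CrossAccountPeeringDns {
  requester: SideConfig;
  accepter: SideConfig;
}

// One ModifyVpcPeeringConnectionOptions call that touches only its own side's options.
function makeCall(side: Side, peeringId: string, region: string, enable: boolean, assumedRoleArn?: string): SdkCall {
  const opts: PeeringOptions = { AllowDnsResolutionFromRemoteVpc: enable };
  return {
    service: "EC2",
    action: "ModifyVpcPeeringConnectionOptions",
    region,
    ...(assumedRoleArn ? { assumedRoleArn } : {}),
    parameters: {
      VpcPeeringConnectionId: peeringId,
      ...(side === "accepter"
        ? { AccepterPeeringConnectionOptions: opts }
        : { RequesterPeeringConnectionOptions: opts }),
    },
    physicalResourceId: `allowVPCPeeringDNSResolution-${side}-${peeringId}`,
  };
}

// Two separate custom resources: the requester runs with the stack's credentials,
// the accepter assumes the peer role in the other account.
function buildCrossAccountPeeringDns(peeringId: string, region: string, peerRoleArn: string): CrossAccountPeeringDns {
  const modify: PolicyStatement = {
    Effect: "Allow", Action: ["ec2:ModifyVpcPeeringConnectionOptions"], Resource: ["*"],
  };
  // Scope sts:AssumeRole to exactly the peer role; a "*" here would let the
  // custom resource's Lambda assume any role that trusts it.
  const assume: PolicyStatement = { Effect: "Allow", Action: ["sts:AssumeRole"], Resource: [peerRoleArn] };
  return {
    requester: {
      onCreate: makeCall("requester", peeringId, region, true),
      onDelete: makeCall("requester", peeringId, region, false),
      policy: [modify],
    },
    accepter: {
      onCreate: makeCall("accepter", peeringId, region, true, peerRoleArn),
      onDelete: makeCall("accepter", peeringId, region, false, peerRoleArn),
      policy: [modify, assume],
    },
  };
}

// Trust policy the peer role (in the accepter account) needs so that the
// custom resource's Lambda execution role can assume it.
function peerRoleTrustPolicy(customResourceRoleArn: string) {
  return {
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Principal: { AWS: customResourceRoleArn }, Action: "sts:AssumeRole" }],
  };
}

// Pre-deploy checks: sides not mixed up, AssumeRole grant names one concrete role.
function validate(cfg: CrossAccountPeeringDns): string[] {
  const problems: string[] = [];
  if (cfg.requester.onCreate.assumedRoleArn) problems.push("requester call must use the stack's own credentials");
  if (!cfg.accepter.onCreate.assumedRoleArn) problems.push("accepter call must assume the peer role");
  if (cfg.accepter.onCreate.parameters.RequesterPeeringConnectionOptions) problems.push("accepter call must not set requester options");
  for (const st of cfg.accepter.policy) {
    if (st.Action.includes("sts:AssumeRole") && st.Resource.includes("*")) problems.push("sts:AssumeRole must be scoped to the peer role ARN");
  }
  return problems;
}

// Usage with constructed placeholder ids/ARNs.
const example = buildCrossAccountPeeringDns(
  "pcx-0123456789abcdef0", "us-east-1", "arn:aws:iam::222222222222:role/PeerDnsRole");
console.log(validate(example), JSON.stringify(example.accepter.onCreate));
```

The `validate` step is the part worth keeping in a pipeline: the failure mode in cross-account setups is usually a mis-wired side (both calls under one credential) or an over-broad `sts:AssumeRole`, and both are visible in the synthesized objects before anything is deployed.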