feat(ec2): explicit mapPublicIpOnLaunch configuration for public subnets (#17346)

hguillermo · web-flow · commit a1685c620718 · 2021-11-29T16:48:14.000Z
**Issue (Fixes #14194, #16838 When creating a VPC you can define a SubnetConfiguration but it is not possible to define `mapPublicIpOnLaunch` for public subnets. VPC Example: ``` const vpc = new ec2.Vpc(this, 'vpc-id', { maxAzs: 2, subnetConfiguration: [ { name: 'private-subnet-1', subnetType: ec2.SubnetType.PRIVATE, cidrMask: 24, }, { name: 'public-subnet-1', subnetType: ec2.SubnetType.PUBLIC, cidrMask: 24, }, ] }); ``` Proposal: ``` const vpc = new ec2.Vpc(this, 'vpc-id', { maxAzs: 2, subnetConfiguration: [ { name: 'private-subnet-1', subnetType: ec2.SubnetType.PRIVATE, cidrMask: 24, }, { name: 'public-subnet-1', subnetType: ec2.SubnetType.PUBLIC, cidrMask: 24, mapPublicIpOnLaunch: false, // or true }, ] }); ```
diff --git a/packages/@aws-cdk/aws-ec2/lib/vpc.ts b/packages/@aws-cdk/aws-ec2/lib/vpc.ts
@@ -1013,6 +1013,13 @@ export interface SubnetConfiguration {
    * @default false
    */
   readonly reserved?: boolean;
+
+  /**
+   * Controls if a public IP is associated to an instance at launch
+   *
+   * @default true in Subnet.Public, false in Subnet.Private or Subnet.Isolated.
+   */
+  readonly mapPublicIpOnLaunch?: boolean;
 }
 
 /**
@@ -1452,12 +1459,23 @@ export class Vpc extends VpcBase {
         return;
       }
 
+      // mapPublicIpOnLaunch true in Subnet.Public, false in Subnet.Private or Subnet.Isolated.
+      let mapPublicIpOnLaunch = false;
+      if (subnetConfig.subnetType !== SubnetType.PUBLIC && subnetConfig.mapPublicIpOnLaunch !== undefined) {
+        throw new Error(`${subnetConfig.subnetType} subnet cannot include mapPublicIpOnLaunch parameter`);
+      }
+      if (subnetConfig.subnetType === SubnetType.PUBLIC) {
+        mapPublicIpOnLaunch = (subnetConfig.mapPublicIpOnLaunch !== undefined)
+          ? subnetConfig.mapPublicIpOnLaunch
+          : true;
+      }
+
       const name = subnetId(subnetConfig.name, index);
       const subnetProps: SubnetProps = {
         availabilityZone: zone,
         vpcId: this.vpcId,
         cidrBlock: this.networkBuilder.addSubnet(cidrMask),
-        mapPublicIpOnLaunch: (subnetConfig.subnetType === SubnetType.PUBLIC),
+        mapPublicIpOnLaunch: mapPublicIpOnLaunch,
       };
 
       let subnet: Subnet;
diff --git a/packages/@aws-cdk/aws-ec2/test/vpc.test.ts b/packages/@aws-cdk/aws-ec2/test/vpc.test.ts
@@ -434,6 +434,82 @@ describe('vpc', () => {
 
     });
 
+    test('with public subnets MapPublicIpOnLaunch is true if parameter mapPublicIpOnLaunch is true', () => {
+      const stack = getTestStack();
+      new Vpc(stack, 'VPC', {
+        maxAzs: 1,
+        subnetConfiguration: [
+          {
+            cidrMask: 24,
+            name: 'ingress',
+            subnetType: SubnetType.PUBLIC,
+            mapPublicIpOnLaunch: true,
+          },
+        ],
+      });
+      expect(stack).toCountResources('AWS::EC2::Subnet', 1);
+      expect(stack).not.toHaveResource('AWS::EC2::NatGateway');
+      expect(stack).toHaveResource('AWS::EC2::Subnet', {
+        MapPublicIpOnLaunch: true,
+      });
+    });
+    test('with public subnets MapPublicIpOnLaunch is false if parameter mapPublicIpOnLaunch is false', () => {
+      const stack = getTestStack();
+      new Vpc(stack, 'VPC', {
+        maxAzs: 1,
+        subnetConfiguration: [
+          {
+            cidrMask: 24,
+            name: 'ingress',
+            subnetType: SubnetType.PUBLIC,
+            mapPublicIpOnLaunch: false,
+          },
+        ],
+      });
+      expect(stack).toCountResources('AWS::EC2::Subnet', 1);
+      expect(stack).not.toHaveResource('AWS::EC2::NatGateway');
+      expect(stack).toHaveResource('AWS::EC2::Subnet', {
+        MapPublicIpOnLaunch: false,
+      });
+    });
+    test('with private subnets throw exception if parameter mapPublicIpOnLaunch is defined', () => {
+      const stack = getTestStack();
+      expect(() => {
+        new Vpc(stack, 'VPC', {
+          maxAzs: 1,
+          subnetConfiguration: [
+            {
+              name: 'public',
+              subnetType: SubnetType.PUBLIC,
+            },
+            {
+              name: 'private',
+              subnetType: SubnetType.PRIVATE_WITH_NAT,
+              mapPublicIpOnLaunch: true,
+            },
+          ],
+        });
+      }).toThrow(/subnet cannot include mapPublicIpOnLaunch parameter/);
+    });
+    test('with isolated subnets throw exception if parameter mapPublicIpOnLaunch is defined', () => {
+      const stack = getTestStack();
+      expect(() => {
+        new Vpc(stack, 'VPC', {
+          maxAzs: 1,
+          subnetConfiguration: [
+            {
+              name: 'public',
+              subnetType: SubnetType.PUBLIC,
+            },
+            {
+              name: 'private',
+              subnetType: SubnetType.PRIVATE_ISOLATED,
+              mapPublicIpOnLaunch: true,
+            },
+          ],
+        });
+      }).toThrow(/subnet cannot include mapPublicIpOnLaunch parameter/);
+    });
     test('maxAZs defaults to 3 if unset', () => {
       const stack = getTestStack();
       new Vpc(stack, 'VPC');
@@ -1817,4 +1893,4 @@ function hasTags(expectedTags: Array<{Key: string, Value: string}>): (props: any
       throw e;
     }
   };
-}
+}
