tro*_*r31 9 amazon-web-services amazon-vpc aws-cdk
I connect a Lambda in one AWS account to an RDS instance in another AWS account through a VPC peering connection. This works fine, but it requires the DNS resolution option to be enabled on the VPC peering connection.
By default, DNS resolution is set to: DNS resolution from accepter VPC to private IP: Disabled.
This can be done through the AWS console and the CLI. I have not been able to achieve the same with the AWS CDK.
https://docs.aws.amazon.com/vpc/latest/peering/modify-peering-connections.html
CfnVPCPeeringConnection does not seem to have this option. https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-ec2.CfnVPCPeeringConnection.html
Is there any other way to achieve this via the CDK?
// Requester-side peering connection; peerOwnerId / peerRoleArn make it cross-account
const cfnVPCPeeringConnection: CfnVPCPeeringConnection =
  new CfnVPCPeeringConnection(
    stack,
    "vpcPeeringId",
    {
      peerVpcId: "<vpcId of acceptor account>",
      vpcId: "<reference of the Id>",
      peerOwnerId: "<aws acc number>",
      peerRegion: "<region>",
      peerRoleArn: "<arn created in the acceptor account>",
    }
  );
// Update route tables: send traffic for the remote CIDR over the peering connection
rdsConnectorVpc.isolatedSubnets.forEach(({ routeTable: { routeTableId } }, index) => {
  new CfnRoute(this.parentStack, 'PrivateSubnetPeeringConnectionRoute' + index, {
    destinationCidrBlock: '<CIDR>',
    routeTableId,
    vpcPeeringConnectionId: cfnVPCPeeringConnection.ref,
  })
});
You can implement it with the CustomResource construct in the AWS CDK:
import * as cdk from "@aws-cdk/core";
import ec2 = require("@aws-cdk/aws-ec2");
import iam = require("@aws-cdk/aws-iam");
import { AwsCustomResource, AwsCustomResourcePolicy, AwsSdkCall, PhysicalResourceId } from "@aws-cdk/custom-resources";
import { RetentionDays } from "@aws-cdk/aws-logs";

export interface AllowVPCPeeringDNSResolutionProps {
  vpcPeering: ec2.CfnVPCPeeringConnection,
}

// Custom resource that calls EC2 ModifyVpcPeeringConnectionOptions, which
// CfnVPCPeeringConnection itself does not expose.
export class AllowVPCPeeringDNSResolution extends cdk.Construct {
  constructor(scope: cdk.Construct, id: string, props: AllowVPCPeeringDNSResolutionProps) {
    super(scope, id);

    // Enable DNS resolution on both sides. Note: for a cross-account peering,
    // each account can only modify its own side, so the options for the other
    // side must be set from that account.
    const onCreate: AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: true
        }
      },
      physicalResourceId: PhysicalResourceId.of(`allowVPCPeeringDNSResolution:${props.vpcPeering.ref}`)
    };
    const onUpdate = onCreate;

    // Revert to the default (disabled) when the resource is deleted
    const onDelete: AwsSdkCall = {
      service: "EC2",
      action: "modifyVpcPeeringConnectionOptions",
      parameters: {
        VpcPeeringConnectionId: props.vpcPeering.ref,
        AccepterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false,
        },
        RequesterPeeringConnectionOptions: {
          AllowDnsResolutionFromRemoteVpc: false
        }
      },
    };

    const customResource = new AwsCustomResource(this, "allow-peering-dns-resolution", {
      // Lambda execution policy for the SDK call; only the one EC2 action is allowed
      policy: AwsCustomResourcePolicy.fromStatements([
        new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          resources: ["*"],
          actions: [
            "ec2:ModifyVpcPeeringConnectionOptions",
          ]
        }),
      ]),
      logRetention: RetentionDays.ONE_DAY,
      onCreate,
      onUpdate,
      onDelete,
    });

    // The peering connection must exist before its options can be modified
    customResource.node.addDependency(props.vpcPeering);
  }
}
And use it like this:
[...]
const peerConnection = new ec2.CfnVPCPeeringConnection(this, "peerConnection", {
  vpcId: destinationVPC.vpcId,
  peerVpcId: lambdaVPCToDestinationVPC.vpcId,
});

new AllowVPCPeeringDNSResolution(this, "peerConnectionDNSResolution", {
  vpcPeering: peerConnection,
});
[...]
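The custom resource above issues a single ModifyVpcPeeringConnectionOptions call carrying both option blocks, which only succeeds when the caller's account owns both VPCs; the question's setup is cross-account, where each account must modify its own side. The following is an added example (not part of the answer or of the CDK project) that uses the same EC2 API: it derives which option block the calling account is allowed to send from a DescribeVpcPeeringConnections response and verifies the result. The account ids, VPC ids and peering id in the sample response are constructed placeholders.

```python
"""Plan and verify VPC peering DNS-resolution options (added example)."""

# Constructed sample of one entry from DescribeVpcPeeringConnections.
# Account ids, VPC ids and the peering id are placeholders, not real values.
SAMPLE_CROSS_ACCOUNT = {
    "VpcPeeringConnectionId": "pcx-EXAMPLE",
    "RequesterVpcInfo": {"OwnerId": "111111111111", "VpcId": "vpc-aaaa",
                         "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
    "AccepterVpcInfo": {"OwnerId": "222222222222", "VpcId": "vpc-bbbb",
                        "PeeringOptions": {"AllowDnsResolutionFromRemoteVpc": False}},
}


def plan_dns_resolution_change(desc, caller_account, enable=True):
    """Build ModifyVpcPeeringConnectionOptions parameters for the side(s) the
    calling account owns. A cross-account peering has to be modified once from
    each account; sending both option blocks from one account is rejected."""
    req_owner = desc["RequesterVpcInfo"]["OwnerId"]
    acc_owner = desc["AccepterVpcInfo"]["OwnerId"]
    if caller_account not in (req_owner, acc_owner):
        raise ValueError(f"account {caller_account} owns neither side of the peering")
    params = {"VpcPeeringConnectionId": desc["VpcPeeringConnectionId"]}
    opts = {"AllowDnsResolutionFromRemoteVpc": enable}
    if caller_account == req_owner:
        params["RequesterPeeringConnectionOptions"] = dict(opts)
    if caller_account == acc_owner:
        params["AccepterPeeringConnectionOptions"] = dict(opts)
    return params


def dns_resolution_enabled(desc):
    """True only when both sides resolve the remote VPC's private IPs
    (PeeringOptions is absent while the connection is still pending)."""
    return all(desc[side].get("PeeringOptions", {}).get("AllowDnsResolutionFromRemoteVpc", False)
               for side in ("RequesterVpcInfo", "AccepterVpcInfo"))


def apply_and_verify(peering_id, caller_account, region):
    """Live variant: describe, modify the caller's own side, then re-check.
    Needs boto3 and AWS credentials; the offline sample does not call it."""
    import boto3  # imported here so the pure functions above need no dependency
    ec2 = boto3.client("ec2", region_name=region)
    desc = ec2.describe_vpc_peering_connections(
        VpcPeeringConnectionIds=[peering_id])["VpcPeeringConnections"][0]
    ec2.modify_vpc_peering_connection_options(**plan_dns_resolution_change(desc, caller_account))
    desc = ec2.describe_vpc_peering_connections(
        VpcPeeringConnectionIds=[peering_id])["VpcPeeringConnections"][0]
    return dns_resolution_enabled(desc)
```

Run apply_and_verify once from each account of a cross-account peering; it returns True only after both sides have been enabled.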
| Archived: | |
| Views: | 1628 |
| Last updated: | |