(aws-elasticsearch): Vpc.fromLookup returns dummy VPC if the L2 elasticsearch.Domain availabilityZoneCount is set to 3

If the L2 elasticsearch.Domain construct is used with vpcOptions and zoneAwareness, and availabilityZoneCount is set to 3, trying to retrieve a VPC via ec2.Vpc.fromLookup fails silently and instead uses a “dummy” VPC with an id of “vpc-12345”. The actual error thrown is “When providing vpc options you need to provide a subnet for each AZ you are using”, but this is due to the dummy VPC only having 2 subnets instead of the required 3. Interestingly, if the availabilityZoneCount is set to 2, the vpc lookup works fine and doesn’t get the dummy VPC. The actual VPC I’m using for this contains 4 private subnets (one for each availability zone in our VPC), but the issue occurs even if I limit the vpcOptions.subnets to 3. This occurs if you try to synth, deploy, or use any command that compiles the cloudformation template. If I instead use the L1 elasticsearch.CfnDomain construct with the same properties, the fromLookup works as expected.

Reproduction Steps

  • The cdk.context.json must first be removed (no traces of previous Vpc.fromLookups).
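  • Use synth on a stack containing the code below

// CDK v1 module imports used by the snippet
import * as ec2 from "@aws-cdk/aws-ec2";
import { Domain, ElasticsearchVersion } from "@aws-cdk/aws-elasticsearch";

// Inside the Stack constructor:
const vpc = ec2.Vpc.fromLookup(this, "VPC", {
    vpcId: "a-valid-vpcid"
});

const esSg = new ec2.SecurityGroup(this, "ESSecurityGroup", {
    vpc
});

new Domain(this, "ESDomain", {
    version: ElasticsearchVersion.V7_7,
    vpcOptions: {
        securityGroups: [esSg],
        subnets: vpc.privateSubnets
    },
    zoneAwareness: {
        enabled: true,
        availabilityZoneCount: 3
    }
});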

What did you expect to happen?

The lookup should find the VPC and populate the cdk.context.json. The synth should successfully show the resource template with the correct subnets and values.

What actually happened?

An error is thrown, “When providing vpc options you need to provide a subnet for each AZ you are using” due to the VPC lookup silently failing and instead giving dummy data.

Environment

  • CDK CLI Version: 1.78.0
  • Framework Version:
  • Node.js Version: 14.15.0
  • OS: Windows 10 (10.0.18363 Build 18363)
  • Language (Version): TypeScript (3.8.0)

Other

There are numerous open bug reports that are similar to this regarding Vpc.FromLookup returning dummy data, but none of them fit this exact scenario. For reference, here are a few that might be related:


This is 🐛 Bug Report

Issue Analytics

  • State: open
  • Created: 3 years ago
  • Reactions: 9
  • Comments: 9 (1 by maintainers)

Top GitHub Comments

1 reaction
zomgbre commented, Jan 26, 2022

Same issue using OpenSearch Domain, however mine is: [“dummy1a”,“dummy1b”] “When providing vpc options you need to provide a subnet for each AZ you are using.”

0 reactions
greenpau commented, Dec 13, 2022

The way to overcome this is to iterate over the private subnets and then use subnetFilters. See below:

// Collect the IDs of the VPC's private subnets
const vpcSubnets: string[] = [];
props.vpc.privateSubnets.forEach((subnet) => {
    vpcSubnets.push(subnet.subnetId);
});

// Select the domain's subnets by ID instead of by subnet type
const domain = new cdk.aws_opensearchservice.Domain(this, "Domain", {
    vpc: props.vpc,
    vpcSubnets: [
        {
            // subnetType: cdk.aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
            // onePerAz: true,
            subnetFilters: [cdk.aws_ec2.SubnetFilter.byIds(vpcSubnets)],
        },
    ],
    // (the remaining Domain properties are cut off on this page)
});
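A pre-synth check for the failure reported in this thread, as an added example that is not part of the original issue, its comments, or the CDK: it separates a placeholder lookup result (the "vpc-12345" id or "dummy1a"-style AZ names quoted above) from a VPC that really covers too few AZs, and picks one subnet per AZ. The `VpcInfo`/`SubnetInfo` shapes, the function name and the sample data are assumptions made for illustration.

```typescript
// Added example. These shapes and names are hypothetical, not CDK APIs.
interface SubnetInfo { subnetId: string; availabilityZone: string; }
interface VpcInfo { vpcId: string; privateSubnets: SubnetInfo[]; }

type Verdict =
  | { kind: "placeholder"; reason: string }
  | { kind: "too-few-azs"; found: number; needed: number }
  | { kind: "ok"; subnets: SubnetInfo[] };

// Placeholder markers quoted in this thread.
const DUMMY_VPC_ID = "vpc-12345";
const DUMMY_AZ = /^dummy\d/; // matches "dummy1a", "dummy1b"

function checkDomainSubnets(vpc: VpcInfo, azCount: number): Verdict {
  if (vpc.vpcId === DUMMY_VPC_ID) {
    return { kind: "placeholder", reason: "vpcId is " + DUMMY_VPC_ID };
  }
  const dummy = vpc.privateSubnets.filter((s) => DUMMY_AZ.test(s.availabilityZone))[0];
  if (dummy !== undefined) {
    return { kind: "placeholder", reason: "AZ name " + dummy.availabilityZone };
  }
  // Sort by AZ name, then keep the first subnet seen in each AZ.
  const sorted = vpc.privateSubnets.slice().sort((a, b) =>
    a.availabilityZone.localeCompare(b.availabilityZone));
  const seen: Record<string, boolean> = {};
  const picked: SubnetInfo[] = [];
  for (const s of sorted) {
    if (!seen[s.availabilityZone]) {
      seen[s.availabilityZone] = true;
      picked.push(s);
    }
  }
  if (picked.length < azCount) {
    return { kind: "too-few-azs", found: picked.length, needed: azCount };
  }
  // More AZs than needed (e.g. 4 subnets, count 3): take the first azCount.
  return { kind: "ok", subnets: picked.slice(0, azCount) };
}

// Constructed sample data; only "vpc-12345" and the dummy AZ names come from the page.
const DUMMY_SAMPLE: VpcInfo = { vpcId: "vpc-12345", privateSubnets: [
  { subnetId: "placeholder-1", availabilityZone: "dummy1a" },
  { subnetId: "placeholder-2", availabilityZone: "dummy1b" } ] };
const REAL_SAMPLE: VpcInfo = { vpcId: "vpc-0constructed", privateSubnets: [
  { subnetId: "subnet-d", availabilityZone: "us-east-1d" },
  { subnetId: "subnet-a", availabilityZone: "us-east-1a" },
  { subnetId: "subnet-c", availabilityZone: "us-east-1c" },
  { subnetId: "subnet-b", availabilityZone: "us-east-1b" } ] };

console.log(checkDomainSubnets(DUMMY_SAMPLE, 3).kind);
console.log(checkDomainSubnets(REAL_SAMPLE, 3).kind);
```

A "placeholder" verdict means the lookup has not been resolved into cdk.context.json yet, so the subnet-count error says nothing about the real VPC.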
