feat(apigatewayv2): vpc link and private integrations

[ayush987goyal]

VpcLink and HttpProxyPrivateIntegration.

References in AWS docs:
VpcLink
Integration-1
Integration-2

closes #10119

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[nija-at]

Thanks for submitting this PR. First round of comments.

Pull request has been modified.

[ayush987goyal]

Hi @nija-at ,

I have modified the previous implementation to a more specific one by also adding the usage with HttpProxyPrivateIntegration.

Some open things that I need help on:

1. A better example in the readme.
2. A better way to collect targets in HttpProxyPrivateIntegration. Currently I have implemented it to take the ARNs directly.
3. A way to verify the integration test stack. (integration tested by deployment but verification was not done)

[nija-at]

Good job on the first iteration of this PR. Most of this code is conformant to the CDK style and how we model this!

I've not gone through the code in detail but some high level comments around code and class organization that will need to be first addressed.

Pull request has been modified.

[ayush987goyal]

There is still an open question on a way to verify the integration tests stack (which currently just tests the deployment)

[nija-at]

The above one will be a tricky implementation since the current modelling of integration themselves are
not as constructs. So we will have to create the VpcLink in the Route construct where the bind method of
integrations are called.

We do this in several places already. Here's one example - https://github.com/aws/aws-cdk/blob/master/packages/@aws-cdk/aws-lambda-destinations/lib/lambda.ts#L38-L57

We might then also have to touch the defaultIntegration and HttpApi for the new Route behaviour and
would need to see how we do this for non-private integration. Therefore I have decided to go ahead
without this change for now and we could take it as part of further enhancements.

I'm not sure I'm following this. Could you explain a bit better?

It's fine if you want this to be done later but I would like to understand what's preventing this better.

If it was simple, it could be a nice customer experience.

[nija-at]

See my comments below. The main one is about splitting off into its own package.

Also, take a look at this one - #10531 (comment)

[nija-at]

There is still an open question on a way to verify the integration tests stack (which currently just tests the deployment)

You can run the integ test using yarn integ integ.custom-domain.js. This will deploy and then destroy the stack. If all goes well, it will report success.

Credentials can be configured using any means that you do for the AWS CLI.

[ayush987goyal]

There is still an open question on a way to verify the integration tests stack (which currently just tests the deployment)

You can run the integ test using yarn integ integ.custom-domain.js. This will deploy and then destroy the stack. If all goes well, it will report success.

Credentials can be configured using any means that you do for the AWS CLI.

Yeah I was able to test the deployment successfully. I was specifically talking about the verification steps we mention at the top of the integ-tests file. I was looking for a way to verify these stacks basically.

[nija-at]

Yeah I was able to test the deployment successfully. I was specifically talking about the verification steps we mention at the top of the integ-tests file. I was looking for a way to verify these stacks basically.

We currently don't have a way to run those tests in the CDK. These should contain steps on verification beyond deployment.

As an example, in your case, it should deploy a stack that creates an ALB that returns '200' status code, which is then integrated to an HttpApi construct. The steps should simply be call curl on the API endpoint and it should return '200'.
This internally will verify that the request goes to the ALB successfully and the response is correctly received.

Hope that makes it clear.

[gitpod-io]

Pull request has been modified.

[ayush987goyal]

Hi @nija-at ,

I have implemented the integrations by taking into account your suggestions and separated out the packages as well.

The ServiceDiscoveryPrivateIntegration still requires a vpcLink to be supplied mandatorily (unlike the ALB and NLB integrations) since there is no way to extract out the VPC from the Serivce or the Namespace.

[nija-at]

Wow! IMPRESSIVE.

Thanks for all the work here. I'm sure you had a few hoops to jump through.

Mostly adjustments to README and naming conventions, besides one or two other comments. This has been great!

Pull request has been modified.

[nija-at]

we should also error when both are provided and they don't point to the same vpc

[ayush987goyal]

Is that validation required? We are currently ignoring the passed vpc if the vpcLink is supplied. Basically vpcLink trumps the vpc.

Also, the vpcLink in v2 can point to multiple VPCs in theory (since it takes subnets and securityGroups). In this case it might not make sense to compare the VPCs.

Thoughts?

[nija-at]

Accepting a property and not using it is usually confusing. "Why was my vpc not used?" would be a complaint I expect to hear.

How about just failing if both are presented? It'll make the requirement that only one should be passed clear.

[ayush987goyal]

Yeah, sounds good.

[ayush987goyal]

This should not be required anymore since we are not accepting vpc as a prop (it is passed around internally by integrations)

[nija-at]

How come?
In the case of HttpAlbIntegration, we accept an ALB and a VPCLink. If the ALB is in a different vpc from the vpc link, it's useful to error, no?

[ayush987goyal]

Oh that way.

But in that case the intent was explicit to use the passed vpcLink right? We are not explicitly taking the vpc as a prop. We are inferring.

Also, as mentioned before, the vpcLink in v2 is not bound to just one vpc in theory. It revolves around subnets and securityGroups. We have just provided a convenience to pass a vpc to create the vpcLink. So comparing the vpc of vpcLink and ALB listener might not be ideal.

Thoughts?

[nija-at]

I see. Ok, let's leave it as is for now. See how this pans out.

[gitpod-io]

[nija-at]

I've taken the liberty to pare down the file names to make it more terse and moved the http-private.ts into a private/ folder, like we do in other parts of the CDK construct library. Let me know if you're ok with this.

The code looks great otherwise.

[ayush987goyal]

Thanks for these changes. They look good to me.

[nija-at]

All the good stuff 🙌

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
• Commit ID: 3855ada
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[shivlaks]

heads up: I believe this also requires aws/jsii#2172 as the usage of @internal for HttpPrivateIntegration and VpcLinkConfigurationOptions is causing downstream compilation failures currently.

may need to temporarily revert this.

[ayush987goyal]

@shivlaks @nija-at Please go ahead with the solution you seem fit.

[shivlaks]

@shivlaks @nija-at Please go ahead with the solution you seem fit.

@ayush987goyal perfect. we're going to temporarily revert this and merge this back in when the next release of jsii is consumed in the cdk. stay tuned!