Cloudformation VPC S3 interface endpoint with PrivateDnsEnabled and PrivateDnsOnlyForInboundResolverEndpoint set to false

0

So im trying to create S3 VPC interface endpoint using Cloudformation.

there is a field called "PrivateDnsOnlyForInboundResolverEndpoint" which is set to true automatically by default if I enable "private DNS names" to true.

I want to create the endpoint with private DNS names enabled but PrivateDnsOnlyForInboundResolverEndpoint set to false, for some reason I`m not able to to that.

There is no mention for it in the https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-vpcendpoint.html

Also, it seems to be available only for the AWS cli https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

Any suggestions ?

My current template looks like so:

AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFormation template to create VPC interface endpoint for S3
Parameters:
  VPCId:
    Type: String
    Description: VPC to create the endpoint in
  SubnetId1:
    Type: String
    Description: Subnet ID for endpoint
Resources:
  S3VPCEndpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      VpcId: !Ref VPCId
      SubnetIds: [!Ref SubnetId1]
      ServiceName: 'com.amazonaws.us-east-2.s3'
      VpcEndpointType: Interface
      PrivateDnsEnabled: true

I would imagine it would like so:

DnsOptions:
  PrivateDnsOnlyForInboundResolverEndpoint: false
Shahar
asked a year ago1738 views
3 Answers
1

This can be achieved by invoking a lambda function from CloudFormation template with below steps.

1/ Create a lambda function with IAM permissions which can take input from CloudFormation, create vpc endpoint and return response to CloudFormation. https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/ec2/client/create_vpc_endpoint.html 2/ Update CloudFormation template to invoke this lambda function

Ref: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/walkthrough-custom-resources-lambda-lookup-amiids.html

AWS
answered a year ago
  • I dont think this is to way to solve it.. not even for a workaround.

0

I agree with you. It seems that there is no way to specify "PrivateDnsOnlyForInboundResolverEndpoint" field via AWS CloudFormation. You may use Former2 to confirm whether such field existis or not by scanning existing VPCEndpoint resource.

profile picture
EXPERT
answered a year ago
  • Well, I did that before posting.. So I can confirm no such field exists.

0

I also have this problem and have resorted to just manually creating the endpoints outside of the CF template. Cloudformation has a surprising number of bugs and limited features/properties of resources missing etc.

To add more context, I specifically have this problem 'PrivateDnsOnlyForInboundResolverEndpoint' only for the S3 endpoint interface type. I have successfully created an ec2 endpoint interface without a problem. My new solution is to use a Gateway endpoint for S3 instead.

answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions