Error with array of subnet ids on VpcEndpoint

I’m testing out cdktf typescript with the aws provider and trying to create a new VPC and an array of Subnets. It works fine with this sample code before I add the VpcEndpoint. But as soon as I add VpcEndpoint I get the below error. Any help would be appreciated.

Summary: 0 created, 0 updated, 0 destroyed.
[2022-01-18T00:34:37.901] [ERROR] default - ╷
│ Error: An Interface VPC Endpoint must always have at least one Security Group
│
│   with aws_vpc_endpoint.sample-vpc_ecr-endpoint-dkr_0E500A74,
│   on cdk.tf.json line 385, in resource.aws_vpc_endpoint.sample-vpc_ecr-endpoint-dkr_0E500A74:
│  385:       }
│
╵

╷
│ Error: An Interface VPC Endpoint must always have at least one Security Group
⠹ Deploying Stack: development
Resources
 ⠋ AWS_VPC_ENDPOINT     sample-vpc_ecr-e aws_vpc_endpoint.sample-vpc_ecr-endp
                        ndpoint-dkr         oint-dkr_0E500A74

Summary: 0 created, 0 updated, 0 destroyed.
non-zero exit code 1

Inspecting the privateSubnets array I'm getting the following, so it appears to be populated correctly:

[
  '${TfToken[TOKEN.62]}',
  '${TfToken[TOKEN.63]}',
  '${TfToken[TOKEN.64]}',
  '${TfToken[TOKEN.65]}'
]

// At the top of the stack file.
import { Fn, Token } from "cdktf";
import { datasources, vpc } from "@cdktf/provider-aws";

// Everything below runs inside the constructor of a TerraformStack subclass,
// which is why `this` is passed as the construct scope.
const cidr = "100.75.0.0/16";
const privateCidrBlocks = ["100.75.0.0/19", "100.75.32.0/19", "100.75.64.0/19", "100.75.96.0/19"];
const availabilityZones = new datasources.DataAwsAvailabilityZones(this, "avaiability-zones", {
  state: "available"
});

const sampleVpc = new vpc.Vpc(this, "sample-vpc", {
  cidrBlock: cidr,
  enableDnsHostnames: true,
  tags: {
    Name: "sample-vpc"
  }
});

// One private subnet per CIDR block, each placed in a different availability zone.
const privateSubnets = privateCidrBlocks.map((subnetCidr, index) => {
  const privateSubnet = new vpc.Subnet(this, `private_${index}`, {
    vpcId: sampleVpc.id,
    cidrBlock: subnetCidr,
    availabilityZone: Fn.element(availabilityZones.names, index),
    mapPublicIpOnLaunch: false,
    tags: {
      Name: `sample-private-subnet-${Fn.element(availabilityZones.names, index)}`
    }
  });

  return privateSubnet;
});

// Interface endpoint for the ECR docker registry, attached to the private subnets.
// No securityGroupIds is set here; this is the resource the error above refers to.
new vpc.VpcEndpoint(this, "ecr-endpoint-dkr", {
  vpcId: sampleVpc.id,
  serviceName: "com.amazonaws.us-west-2.ecr.dkr",
  vpcEndpointType: "Interface",
  privateDnsEnabled: true,
  subnetIds: privateSubnets.map(subnet => Token.asString(subnet.id))
});

You need to set securityGroupIds on VpcEndpoint since you are using an Interface endpoint. Take a look here for more information.

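A pre-plan check for the rule behind this error, written as an added example for this thread (it is not the poster's code and not part of cdktf or the AWS provider). It reads the cdk.tf.json that `cdktf synth` writes under cdktf.out/stacks/<stack-name>/ and reports every Interface endpoint that has no security_group_ids, so a CI job can fail before `terraform plan` reaches the provider's validation. The resource names and token strings in SAMPLE_CDK_TF_JSON are constructed, modelled on the synthesized address shown in the error output above.

```typescript
// Shape of the parts of cdk.tf.json this check reads.
type TerraformJson = {
  resource?: Record<string, Record<string, Record<string, unknown>>>;
};

export interface EndpointFinding {
  address: string;     // Terraform address, e.g. aws_vpc_endpoint.<synthesized name>
  serviceName: string;
  problem: string;
}

// Reproduces the provider rule that produced the error in the thread: an
// Interface endpoint must reference at least one security group. Gateway
// endpoints (S3, DynamoDB) take none, so they are skipped. The AWS provider
// defaults vpc_endpoint_type to Gateway when the attribute is absent.
export function findEndpointsWithoutSecurityGroup(doc: TerraformJson): EndpointFinding[] {
  const findings: EndpointFinding[] = [];
  const endpoints = doc.resource?.["aws_vpc_endpoint"] ?? {};
  for (const [name, attrs] of Object.entries(endpoints)) {
    const endpointType = String(attrs["vpc_endpoint_type"] ?? "Gateway");
    if (endpointType !== "Interface") continue;
    const sgs = attrs["security_group_ids"];
    // Missing attribute and empty array are both rejected by the provider.
    if (!Array.isArray(sgs) || sgs.length === 0) {
      findings.push({
        address: `aws_vpc_endpoint.${name}`,
        serviceName: String(attrs["service_name"] ?? "<unknown>"),
        problem: "Interface endpoint has no security_group_ids",
      });
    }
  }
  return findings;
}

// Constructed sample standing in for synth output: the failing endpoint from the
// thread, the same endpoint family fixed with a security group reference, and a
// Gateway endpoint that legitimately has none.
export const SAMPLE_CDK_TF_JSON: TerraformJson = {
  resource: {
    aws_vpc_endpoint: {
      "sample-vpc_ecr-endpoint-dkr_0E500A74": {
        vpc_id: "${aws_vpc.sample-vpc.id}",
        service_name: "com.amazonaws.us-west-2.ecr.dkr",
        vpc_endpoint_type: "Interface",
        private_dns_enabled: true,
        subnet_ids: ["${aws_subnet.private_0.id}", "${aws_subnet.private_1.id}"],
      },
      "sample-vpc_ecr-endpoint-api_FIXED": {
        vpc_id: "${aws_vpc.sample-vpc.id}",
        service_name: "com.amazonaws.us-west-2.ecr.api",
        vpc_endpoint_type: "Interface",
        private_dns_enabled: true,
        subnet_ids: ["${aws_subnet.private_0.id}"],
        security_group_ids: ["${aws_security_group.endpoint-sg.id}"],
      },
      "sample-vpc_s3-gateway": {
        vpc_id: "${aws_vpc.sample-vpc.id}",
        service_name: "com.amazonaws.us-west-2.s3",
        vpc_endpoint_type: "Gateway",
      },
    },
  },
};

// Stand-alone run over the constructed sample: prints the single failing endpoint.
const sampleFindings = findEndpointsWithoutSecurityGroup(SAMPLE_CDK_TF_JSON);
for (const f of sampleFindings) {
  console.log(`${f.address} (${f.serviceName}): ${f.problem}`);
}
```

To use it on a real stack, JSON.parse the synthesized cdk.tf.json and fail the job when the returned array is non-empty. On the cdktf side, the fix the answer describes is a `vpc.SecurityGroup` in the same VPC with a single ingress rule for TCP 443 from the VPC CIDR (interface endpoints are reached over HTTPS), passed as `securityGroupIds: [endpointSg.id]` on the VpcEndpoint; the security group is what decides which hosts in the VPC may reach the endpoint, so keep its ingress no wider than the subnets that need ECR.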

Thank you, you are absolutely right and that fixed it. That's what I get for trying to read error messages sleep deprived: I was reading security group but thinking subnet :man_facepalming:

Much appreciated :smiley: