Merge pull request #17 from jplock/jp-gh4

[fix] Support VPCs without NATGW
aws-samples · Aug 26, 2024 · 4c900a8 · 4c900a8
2 parents 3f1497c + 6a3058e
commit 4c900a8
Showing 1 changed file with 36 additions and 9 deletions.
diff --git a/vpc_template.yml b/vpc_template.yml
@@ -17,13 +17,6 @@ Parameters:
     Type: String
     Description: VPC CIDR Block
     Default: 10.0.0.0/16
-  pEnableNatGateways:
-    Type: String
-    Description: Enable NAT Gateways (required)
-    Default: "true"
-    AllowedValues:
-      - "true" # required until an aws-nitro-enclaves-acm release with https://github.com/aws/aws-nitro-enclaves-acm/pull/130
-      # - "false"
   pEnableRemoteAccess:
     Type: String
     Description: Enable Remote Access through SSM (optional)
@@ -51,17 +44,21 @@ Metadata:
       - Label:
           default: Network Configuration
         Parameters:
-          - pEnableNatGateways
           - pDomainName
       - Label:
           default: Remote Access Configuration
         Parameters:
           - pEnableRemoteAccess
 
 Conditions:
-  cUseNatGateways: !Equals [!Ref pEnableNatGateways, "true"]
   cEnableRemoteAccess: !Equals [!Ref pEnableRemoteAccess, "true"]
   cEnableDnsFirewall: !Equals [!Ref pEnableDnsFirewall, "true"]
+  cNorthVirginiaRegion: !Equals [!Ref "AWS::Region", "us-east-1"]
+  cChinaPartition: !Equals [!Ref "AWS::URLSuffix", "amazonaws.com.cn"]
+  cIamVpceSupported: !Or
+    - !Condition cNorthVirginiaRegion
+    - !Condition cChinaPartition
+  cUseNatGateways: !Not [!Condition cIamVpceSupported]
 
 Resources:
   rVpc:
@@ -584,6 +581,36 @@ Resources:
       VpcEndpointType: Interface
       VpcId: !Ref rVpc
 
+  rVpcEndpointIam:
+    Type: "AWS::EC2::VPCEndpoint"
+    Condition: cIamVpceSupported
+    Properties:
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Sid: AllowRequestsByAccountIdentitiesToAccountResources
+            Effect: Allow
+            Principal:
+              AWS: "*"
+            Action: "iam:GetRole"  # used by https://github.com/aws/aws-nitro-enclaves-acm/blob/main/src/vtok_agent/src/imds.rs#L206-L212
+            Resource: "*"
+            Condition:
+              StringEquals:
+                "aws:PrincipalAccount": !Ref "AWS::AccountId"
+                "aws:ResourceAccount": !Ref "AWS::AccountId"
+      PrivateDnsEnabled: true
+      ServiceName: !If
+        - cChinaPartition
+        - "cn.com.amazonaws.iam"
+        - "com.amazonaws.iam"
+      SecurityGroupIds:
+        - !Ref rVpcEndpointSecurityGroup
+      SubnetIds:
+        - !Ref rPrivateSubnet3  # EC2 Subnet AZ1
+        - !Ref rPrivateSubnet4  # EC2 Subnet AZ2
+      VpcEndpointType: Interface
+      VpcId: !Ref rVpc
+
   rAllDomainsList:
     Type: "AWS::Route53Resolver::FirewallDomainList"
     Condition: cEnableDnsFirewall