Merge branch 'mr/trespeuch/vpc-no-priv-subnets' into 'master'

pierretr · pierretr · commit 254952fea58f · 2025-11-13T10:07:58.000Z
Add option to create VPCv2 without private subnets

See merge request it/e3-aws!84
diff --git a/src/e3/aws/troposphere/ec2/__init__.py b/src/e3/aws/troposphere/ec2/__init__.py
@@ -679,6 +679,7 @@ def __init__(
         cidr_block: str | None = None,
         interface_endpoints: list[tuple[str, PolicyDocument | None]] | None = None,
         s3_endpoint_policy_document: PolicyDocument | None = None,
+        with_private_subnets: bool = True,
     ) -> None:
         """Initialize an VPCv2 instance.
 
@@ -691,6 +692,8 @@ def __init__(
             tuples for each interface endpoint to create in the VPC endpoints subnet.
         :param s3_endpoint_policy_document: policy for the s3 endpoint. If none is
             given no s3 endpoint is created.
+        :param with_private_subnets: If True create a private subnet and a NAT
+            gateway per AZ.
         """
         self.name_prefix = name_prefix
         self.availability_zones = availability_zones
@@ -712,9 +715,11 @@ def __init__(
             prefixlen_diff=int.bit_length(number_of_subnet_slots)
         )
         # Assign networks to private and public subnets
-        self.private_subnet_ip_networks = {
-            az: next(self.subnet_ip_networks) for az in availability_zones
-        }
+        self.private_subnet_ip_networks = (
+            {az: next(self.subnet_ip_networks) for az in availability_zones}
+            if with_private_subnets
+            else {}
+        )
         self.public_subnet_ip_networks = {
             az: next(self.subnet_ip_networks) for az in availability_zones
         }
@@ -916,15 +921,19 @@ def s3_gateway_endpoint(self) -> ec2.VPCEndpoint | None:
         Note that this endpoint is also needed when using ECR as ECR stores
         images on S3.
         """
+        # Compute resources requiring access to the Gateway endpoint
+        # are expected to run in the private subnets if they exist.
+        route_tables: ec2.RouteTable
+        if self.private_subnets:
+            route_tables = self.private_subnet_route_tables.values()
+        else:
+            route_tables = [self.public_subnets_route_table]
         return (
             ec2.VPCEndpoint(
                 name_to_id(f"{self.name_prefix}S3Endpoint"),
                 PolicyDocument=self.s3_endpoint_policy_document.as_dict,
                 # Attach the endpoints to all private subnets
-                RouteTableIds=[
-                    Ref(private_subnet_rt)
-                    for private_subnet_rt in self.private_subnet_route_tables.values()
-                ],
+                RouteTableIds=[Ref(subnet_rt) for subnet_rt in route_tables],
                 ServiceName=f"com.amazonaws.{self.region}.s3",
                 VpcEndpointType="Gateway",
                 VpcId=Ref(self.vpc),
@@ -1012,16 +1021,21 @@ def resources(self, stack: Stack) -> list[AWSObject]:
             self.internet_gateway_attachment,
             self.public_subnets_route_table,
             self.public_route_to_internet,
-            *self.private_subnets.values(),
             *self.public_subnets.values(),
-            *self.nat_eips.values(),
-            *self.nat_gateways.values(),
-            *self.private_subnet_route_tables.values(),
-            *self.private_routes_to_internet.values(),
-            *self.private_route_table_assocs.values(),
             *self.public_route_table_assocs.values(),
             self.vpc,
         ]
+        if self.private_subnets:
+            res.extend(
+                [
+                    *self.private_subnets.values(),
+                    *self.nat_eips.values(),
+                    *self.nat_gateways.values(),
+                    *self.private_subnet_route_tables.values(),
+                    *self.private_routes_to_internet.values(),
+                    *self.private_route_table_assocs.values(),
+                ]
+            )
         if self.interface_endpoints_subnet:
             res.append(self.interface_endpoints_subnet)
         if self.s3_gateway_endpoint:
diff --git a/tests/tests_e3_aws/troposphere/ec2/ec2_test.py b/tests/tests_e3_aws/troposphere/ec2/ec2_test.py
@@ -205,3 +205,26 @@ def test_vpc_v2_with_endpoints(stack: Stack) -> None:
         expected_template = json.load(fd)
 
     assert stack.export()["Resources"] == expected_template
+
+
+def test_vpc_v2_without_priv_subnets(stack: Stack) -> None:
+    """Test VPCv2 without private subnets."""
+    s3_endpoint_pd = PolicyDocument(
+        statements=[
+            Allow(action=["s3:PutObject", "s3:GetObject"], resource="*", principal="*"),
+            Allow(action="s3:ListBucket", resource="*", principal="*"),
+        ]
+    )
+    vpc = VPCv2(
+        name_prefix="TestVPC",
+        availability_zones=["eu-west-1a", "eu-west-1b"],
+        # When there is no private subnet, we expect the route to the gateway endpoint
+        # to be added to the public subnet route table instead of the private route
+        # tables
+        s3_endpoint_policy_document=s3_endpoint_pd,
+        with_private_subnets=False,
+    )
+    stack.add(vpc)
+    with open(os.path.join(TEST_DIR, "vpc_v2_without_priv_subnets.json")) as fd:
+        expected_template = json.load(fd)
+    assert stack.export()["Resources"] == expected_template
diff --git a/tests/tests_e3_aws/troposphere/ec2/vpc_v2_without_priv_subnets.json b/tests/tests_e3_aws/troposphere/ec2/vpc_v2_without_priv_subnets.json
@@ -0,0 +1,139 @@
+{
+    "TestVPCInternetGW": {
+        "Type": "AWS::EC2::InternetGateway"
+    },
+    "TestVPCInternetGWAttachment": {
+        "Properties": {
+            "InternetGatewayId": {
+                "Ref": "TestVPCInternetGW"
+            },
+            "VpcId": {
+                "Ref": "TestVPCVPC"
+            }
+        },
+        "Type": "AWS::EC2::VPCGatewayAttachment"
+    },
+    "TestVPCPublicRouteTable": {
+        "Properties": {
+            "VpcId": {
+                "Ref": "TestVPCVPC"
+            }
+        },
+        "Type": "AWS::EC2::RouteTable"
+    },
+    "TestVPCPublicRouteToInternet": {
+        "Properties": {
+            "RouteTableId": {
+                "Ref": "TestVPCPublicRouteTable"
+            },
+            "DestinationCidrBlock": "0.0.0.0/0",
+            "GatewayId": {
+                "Ref": "TestVPCInternetGW"
+            }
+        },
+        "Type": "AWS::EC2::Route"
+    },
+    "TestVPCPublicSubnetA": {
+        "Properties": {
+            "VpcId": {
+                "Ref": "TestVPCVPC"
+            },
+            "CidrBlock": "10.10.0.0/19",
+            "Tags": [
+                {
+                    "Key": "Name",
+                    "Value": "TestVPCPublicSubnetA"
+                }
+            ],
+            "AvailabilityZone": "eu-west-1a"
+        },
+        "Type": "AWS::EC2::Subnet"
+    },
+    "TestVPCPublicSubnetB": {
+        "Properties": {
+            "VpcId": {
+                "Ref": "TestVPCVPC"
+            },
+            "CidrBlock": "10.10.32.0/19",
+            "Tags": [
+                {
+                    "Key": "Name",
+                    "Value": "TestVPCPublicSubnetB"
+                }
+            ],
+            "AvailabilityZone": "eu-west-1b"
+        },
+        "Type": "AWS::EC2::Subnet"
+    },
+    "TestVPCPublicRouteTableAssocA": {
+        "Properties": {
+            "RouteTableId": {
+                "Ref": "TestVPCPublicRouteTable"
+            },
+            "SubnetId": {
+                "Ref": "TestVPCPublicSubnetA"
+            }
+        },
+        "Type": "AWS::EC2::SubnetRouteTableAssociation"
+    },
+    "TestVPCPublicRouteTableAssocB": {
+        "Properties": {
+            "RouteTableId": {
+                "Ref": "TestVPCPublicRouteTable"
+            },
+            "SubnetId": {
+                "Ref": "TestVPCPublicSubnetB"
+            }
+        },
+        "Type": "AWS::EC2::SubnetRouteTableAssociation"
+    },
+    "TestVPCVPC": {
+        "Properties": {
+            "CidrBlock": "10.10.0.0/16",
+            "EnableDnsHostnames": true,
+            "EnableDnsSupport": true,
+            "Tags": [
+                {
+                    "Key": "Name",
+                    "Value": "TestVPCVPC"
+                }
+            ]
+        },
+        "Type": "AWS::EC2::VPC"
+    },
+    "TestVPCS3Endpoint": {
+        "Properties": {
+            "PolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Principal": "*",
+                        "Action": [
+                            "s3:PutObject",
+                            "s3:GetObject"
+                        ],
+                        "Resource": "*"
+                    },
+                    {
+                        "Effect": "Allow",
+                        "Principal": "*",
+                        "Action": "s3:ListBucket",
+                        "Resource": "*"
+                    }
+                ]
+            },
+            "RouteTableIds": [
+                {
+                    "Ref": "TestVPCPublicRouteTable"
+                }
+            ],
+            "ServiceName": "com.amazonaws.eu-west-1.s3",
+            "VpcEndpointType": "Gateway",
+            "VpcId": {
+                "Ref": "TestVPCVPC"
+            }
+        },
+        "Type": "AWS::EC2::VPCEndpoint"
+    }
+}
