aws-cdk: Cannot find right method to import existing vpc with ec2.Vpc.fromLookup or ec2.Vpc.fromVpcAttributes

Issue: I am trying to import an existing vpc to deploy few lambda, ecs and albs in private subnets. Running into issues when trying to import the vpc using ec2.Vpc.fromLookup or ec2.Vpc.fromVpcAttributes.

The existing vpcid, azs, privatesubnets are exported as dev-vpcId. - value: ‘vpc-xxxxx’ dev-azs - value: ‘us-east-1a,us-east-1b’ dev-privateSubnets - ‘subnet-xxxx,subnet-yyyy’

    const vpc = ec2.Vpc.fromVpcAttributes(this,'vpc',{
      vpcId: Fn.importValue(envName+'-vpcId'),
      availabilityZones: Fn.split(',',Fn.importValue(envName+'-azs')),
      privateSubnetIds: Fn.split(',',Fn.importValue(envName+'-privateSubnets')),
    })

Error

...../node_modules/@aws-cdk/core/lib/private/resolve.ts:94
      throw new Error('Found an encoded list token string in a scalar string context. Use \'Fn.select(0, list)\' (not \'list[0]\') to extract elements from token lists.');
            ^
Error: Found an encoded list token string in a scalar string context. Use 'Fn.select(0, list)' (not 'list[0]') to extract elements from token lists.

with ec2.Vpc.fromLookup() we cannot use import values

    const vpc = ec2.Vpc.fromLookup(this, 'vpc',{
      vpcId: Fn.importValue(envName+'-vpcId')
    })

Error

..../node_modules/@aws-cdk/aws-ec2/lib/vpc.ts:1040
      routerId: natGatewayId,
            ^
Error: All arguments to Vpc.fromLookup() must be concrete (no Tokens)

Please advise on the right method to import an existing vpc with details from the export values.

This is a 📕 documentation issue

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 3
Comments: 27 (15 by maintainers)

Commits related to this issue

docs: note that `cdk.context.json` must be committed (#12565) Many people don't commit or want to commit `cdk.context.json`, and are subsequently annoyed that they can't use `Vpc.fromLookup()` in a ... — committed to aws/aws-cdk by rix0rrr 3 years ago
fix(ec2): Vpc.fromVpcAttributes cannot be used with EKS This PR has a fix similar to #12040, and introduces more explanations and safeguards around the mechanism of importing a VPC using `fromVpcAttr... — committed to aws/aws-cdk by rix0rrr 3 years ago
fix(ec2): Vpc.fromVpcAttributes cannot be used with EKS (#12569) This PR has a fix similar to #12040, and introduces more explanations and safeguards around the mechanism of importing a VPC using `... — committed to aws/aws-cdk by rix0rrr 3 years ago
docs: note that `cdk.context.json` must be committed (#12565) Many people don't commit or want to commit `cdk.context.json`, and are subsequently annoyed that they can't use `Vpc.fromLookup()` in a ... — committed to mohanrajendran/aws-cdk by rix0rrr 3 years ago
fix(ec2): Vpc.fromVpcAttributes cannot be used with EKS (#12569) This PR has a fix similar to #12040, and introduces more explanations and safeguards around the mechanism of importing a VPC using `... — committed to mohanrajendran/aws-cdk by rix0rrr 3 years ago

Most upvoted comments

Please advise if there is any update on this issue / recommendation on importing an existing vpc without hardcoding the vpcid and subnetid’s.

Tag your VPC and use fromLookup to look up by tag.

rix0rrr on Jan 18, 2021

@rix0rrr, my original question was not related to EKS at all, it is in general how to import an already existing vpc without hardcoding the vpcid in the code. Specifically either passing the values of vpcid, private subnet id’s via CFN Export values or SSM params.

It appears the issue was closed incorrectly related to a different issue about EKS.

pandrel on Jan 21, 2021

Fn.importValue executed during CloudFormation run , but ec2.Vpc.fromLookup runs before CF stack is submitted.

I’d try to give up Fn.importValue and hardcode map { dev: 'vpc-xxx', prod: 'vpc-yyyy' } and use these directly in ec2.Vpc.fromLookup

redbaron on Dec 21, 2020

@pandrel Have you found the fix for this problem. I am currently facing the same issue.

I am using the ec2.Vpc.fromLookup() with tags option to import an existing vpc.

example:

    const envName = 'dev' // passed from construct stack props but using fixed value for example
    const vpc = ec2.Vpc.fromLookup(this, 'vpc', {
      tags: { 'envName': envName}
    })

pandrel-aws on Sep 7, 2021

@rix0rrr the fromLookup() method does not work for cross-account deployments…at least in my use case, we are trying to deploy from a tooling account to dev/prod accounts

adriantaut on Jan 18, 2021

struggling with the same problem with the newer versions of CDK (1.82.0), when attempting to spin up an EKS cluster. It might be related with https://github.com/aws/aws-cdk/issues/11945 since this worked with 1.76.0. Maybe it’s worth mentioning, the VPC has both public/private subnets, thus public/private Routing Tables. Please find my code below:

const vpc = Vpc.fromVpcAttributes(scope, 'DefaultVpc', {
    vpcId: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/VpcId`),
    availabilityZones: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/AvailabilityZones`),
    privateSubnetIds: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/PrivateSubnetIds`),
    privateSubnetRouteTableIds: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/PrivateSubnetRouteTableIds`),
    publicSubnetIds: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/PublicSubnetIds`),
    publicSubnetRouteTableIds: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/PublicSubnetRouteTableIds`),
  });

const cluster = new eks.Cluster(this, 'DetestadrCluster', {
     vpc: vpc,
     defaultCapacity: 0,
     version: eks.KubernetesVersion.V1_18
});

Throwing the same error when resolving the template:

/Users/tauta/gitlab/aws/2.0aws/cdk/detestadr-configrepo-aws-ppb/cdk/node_modules/@aws-cdk/core/lib/private/resolve.ts:94
      throw new Error('Found an encoded list token string in a scalar string context. Use \'Fn.select(0, list)\' (not \'list[0]\') to extract elements from token lists.');

In addition, spinning an ECS cluster has no issues:

        const ecsCluster = new ecs.Cluster(this, 'EcsCluster', {
            clusterName: `blablablaCluster`,
            vpc: vpc,
        });

adriantaut on Jan 5, 2021

@rix0rrr my mistake, was just trying to make the code as easy as possible, the actual implementation relies on a getVpc() method we have and it looks like:

/**
 * Return the default VPC in any account, relying on SSM parameters created by the Cloud Foundations VPC stack (/platform/vpc/*)
 */
export function getVpc(scope: Construct, vpcName?: string, usePublic?: boolean) {
  const vpc = vpcName ?? 'default';
  const basePath = `/platform/vpc/${vpc}`;

  let publicSubnetIds = undefined;
  let publicSubnetRouteTableIds = undefined;

  const getStringListParam = (name: string) => {
    return Fn.split(',', ssm.StringParameter.valueForStringParameter(scope, `${basePath}/${name}`));
  };

  if (usePublic ?? false) {
    publicSubnetIds = getStringListParam('PublicSubnetIds');
    publicSubnetRouteTableIds = getStringListParam('PublicSubnetRouteTableIds');
  }

  return Vpc.fromVpcAttributes(scope, 'DefaultVpc', {
    vpcId: ssm.StringParameter.valueForStringParameter(scope, `${basePath}/VpcId`),
    // TODO: this will only work if there is a subnet in each AZ within the region
    availabilityZones: getStringListParam('AvailabilityZones'),
    privateSubnetIds: getStringListParam('PrivateSubnetIds'),
    privateSubnetRouteTableIds: getStringListParam('PrivateSubnetRouteTableIds'),
    publicSubnetIds,
    publicSubnetRouteTableIds,
  });
}

And this was very appreciated with CDK and helpful having the ability to synthesize account-agnostic CFN templates.

adriantaut on Jan 18, 2021

Please advise if there is any update on this issue / recommendation on importing an existing vpc without hardcoding the vpcid and subnetid’s.

pandrel on Dec 31, 2020