
Add rule E3064: duplicate Interface VPC Endpoint with PrivateDnsEnabled #4492

Merged
kddejong merged 1 commit into aws-cloudformation:main from kddejong:fix/issue/4352 on May 7, 2026

Conversation

@kddejong (Contributor)

Summary

Add rule E3064 to detect when multiple AWS::EC2::VPCEndpoint resources in the same template have the same VpcId, ServiceName, VpcEndpointType: Interface, and PrivateDnsEnabled: true. AWS rejects the second endpoint at deploy time with a conflicting DNS domain error, causing a stack rollback.

What was tested

  • Deployed test stacks to AWS (us-east-1) confirming the EC2 API rejects duplicate Interface endpoints with Private DNS enabled in the same VPC — for any service, not just execute-api
  • Verified edge cases: different VPCs (allowed), different services (allowed), mixed PrivateDnsEnabled (allowed), Gateway type duplicates (separate failure mode)

Test cases (12)

  • First endpoint in VPC (valid)
  • Same service, different VPC (valid)
  • Different service, same VPC (valid)
  • PrivateDnsEnabled false (valid)
  • Gateway type duplicate (valid — different failure mode)
  • Mutually exclusive conditions via Fn::If on PrivateDnsEnabled (valid)
  • Fn::If on VpcId matching saved in same condition (error)
  • Fn::If on PrivateDnsEnabled resolving to false (valid)
  • Same conditions on both endpoints (error)
  • Plain duplicate, no conditions (error)
  • Fn::If on ServiceName matching saved in same condition (error)
  • Hardcoded VPC ID duplicate (error)

Fixes #4352
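The check the PR describes, as an added illustration that is not cfn-lint's own E3064 implementation: a standalone function over a parsed CloudFormation template dict that groups Interface endpoints with PrivateDnsEnabled true by VpcId and ServiceName and reports later resources that collide with an earlier one. Condition handling is deliberately simplified from what the PR's test cases cover: an Fn::If on PrivateDnsEnabled counts as true only when both branches are true, and two resources guarded by different resource-level Conditions are assumed to be possibly mutually exclusive and are not compared. The sample template, its logical IDs, the condition names and the VPC ID are all constructed for this example.

```python
"""Detect AWS::EC2::VPCEndpoint resources that would collide on Private DNS.

Added example, not the cfn-lint project's rule code. Two Interface endpoints
for the same service in the same VPC with PrivateDnsEnabled true cannot both
be created, so a template containing both is flagged before deployment.
"""
import json


def _key(value):
    # Hashable identity for a property value: scalars compare as-is, intrinsic
    # functions such as {"Ref": ...} or {"Fn::If": ...} compare structurally.
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    return json.dumps(value, sort_keys=True)


def _is_true(value):
    # CloudFormation accepts booleans or the strings "true"/"false". An Fn::If is
    # only treated as true when both branches are true (simplified from
    # cfn-lint's condition resolution; a value that may be false is not flagged).
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.lower() == "true"
    if isinstance(value, dict) and "Fn::If" in value:
        branches = value["Fn::If"]
        return len(branches) == 3 and _is_true(branches[1]) and _is_true(branches[2])
    return False


def find_duplicate_private_dns_endpoints(template):
    """Return (earlier_logical_id, conflicting_logical_id) pairs in template order."""
    seen = {}  # (vpc key, service key) -> [(logical_id, resource Condition name)]
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::EC2::VPCEndpoint":
            continue
        props = resource.get("Properties", {})
        # Assumed CloudFormation defaults: VpcEndpointType Gateway, PrivateDnsEnabled false.
        if props.get("VpcEndpointType", "Gateway") != "Interface":
            continue
        if not _is_true(props.get("PrivateDnsEnabled", False)):
            continue
        vpc, service = props.get("VpcId"), props.get("ServiceName")
        if vpc is None or service is None:
            continue
        condition = resource.get("Condition")
        key = (_key(vpc), _key(service))
        for earlier_id, earlier_condition in seen.get(key, []):
            # Unconditional vs anything, or the same condition on both, can coexist
            # in one deployment; different conditions are assumed possibly exclusive.
            if earlier_condition is None or condition is None or earlier_condition == condition:
                findings.append((earlier_id, logical_id))
        seen.setdefault(key, []).append((logical_id, condition))
    return findings


def _endpoint(vpc, service, endpoint_type="Interface", private_dns=True, condition=None):
    # Builds a constructed AWS::EC2::VPCEndpoint resource for the sample template.
    resource = {
        "Type": "AWS::EC2::VPCEndpoint",
        "Properties": {
            "VpcId": vpc,
            "ServiceName": service,
            "VpcEndpointType": endpoint_type,
            "PrivateDnsEnabled": private_dns,
        },
    }
    if condition:
        resource["Condition"] = condition
    return resource


VPC = {"Ref": "MyVpc"}
EXECUTE_API = "com.amazonaws.us-east-1.execute-api"
STS = "com.amazonaws.us-east-1.sts"

# Constructed sample template covering the valid and error cases the PR lists.
SAMPLE_TEMPLATE = {
    "Conditions": {"UsePrivateDns": {"Fn::Equals": ["a", "b"]}, "IsProd": {"Fn::Equals": ["a", "a"]}},
    "Resources": {
        "ExecuteApiEndpointA": _endpoint(VPC, EXECUTE_API),
        "ExecuteApiEndpointB": _endpoint(VPC, EXECUTE_API),  # plain duplicate -> error
        "SsmEndpoint": _endpoint(VPC, "com.amazonaws.us-east-1.ssm"),  # other service -> valid
        "OtherVpcEndpoint": _endpoint("vpc-0123456789abcdef0", EXECUTE_API),  # other VPC (constructed id) -> valid
        "S3Gateway": _endpoint(VPC, "com.amazonaws.us-east-1.s3", "Gateway", False),  # Gateway -> not covered
        "MaybeEndpoint": _endpoint(VPC, EXECUTE_API, private_dns={"Fn::If": ["UsePrivateDns", True, False]}),  # may be false -> valid
        "StsEndpointX": _endpoint(VPC, STS, condition="IsProd"),
        "StsEndpointY": _endpoint(VPC, STS, condition="IsProd"),  # same condition on both -> error
    },
}

if __name__ == "__main__":
    for earlier, later in find_duplicate_private_dns_endpoints(SAMPLE_TEMPLATE):
        print(f"{later}: duplicates Interface endpoint {earlier} with PrivateDnsEnabled in the same VPC")
```

Running the module reports ExecuteApiEndpointB against ExecuteApiEndpointA and StsEndpointY against StsEndpointX; the Gateway endpoint, the endpoint whose PrivateDnsEnabled may resolve to false, and the endpoints in a different VPC or for a different service produce nothing, matching the valid cases in the PR's list.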

@codecov

codecov Bot commented Apr 30, 2026

Codecov Report

❌ Patch coverage is 98.43750% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.51%. Comparing base (a1b97ea) to head (03de5f2).

Files with missing lines | Patch % | Lines
.../resources/ectwo/VpcEndpointPrivateDnsDuplicate.py | 98.43% | 0 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4492      +/-   ##
==========================================
+ Coverage   93.49%   93.51%   +0.02%     
==========================================
  Files         460      461       +1     
  Lines       15037    15101      +64     
  Branches     2907     2924      +17     
==========================================
+ Hits        14059    14122      +63     
  Misses        599      599              
- Partials      379      380       +1     
Flag | Coverage Δ
unittests | 93.51% <98.43%> (+0.02%) ⬆️


Detect when multiple AWS::EC2::VPCEndpoint resources in the same
template share the same VpcId, ServiceName, VpcEndpointType: Interface,
and PrivateDnsEnabled: true. AWS rejects the second endpoint with a
conflicting DNS domain error.

Fixes aws-cloudformation#4352
kddejong merged commit ce341bb into aws-cloudformation:main on May 7, 2026
21 checks passed
kddejong deleted the fix/issue/4352 branch on May 7, 2026 at 15:34
Linked issue:

New rule: warn on duplicate execute-api Interface VPC Endpoints with Private DNS enabled in same VPC
