@pahud pahud commented Jan 20, 2026

Issue # (if applicable)

Closes #36714.

Reason for this change

When using a dual-stack VPC and referencing vpc.vpcIpv6CidrBlocks to create dependent resources (like security groups), CloudFormation deployments may fail with race conditions because there's no explicit dependency on the AWS::EC2::VPCCidrBlock resource. Users experience intermittent deployment failures with:

Status: CREATE_FAILED
Status Reason: Template error: Fn::Select cannot select nonexistent value at index 0

The workaround required internal knowledge of the construct:

const vpcCidrBlock = vpc.node.findChild('ipv6cidr') as CfnVPCCidrBlock;
securityGroup.node.addDependency(vpcCidrBlock);

Description of changes

Added a new ipv6CidrBlockCreated: IDependable property to the VPC construct that allows users to establish a dependency on the IPv6 CIDR block being allocated before creating resources that reference vpcIpv6CidrBlocks.

  • Added ipv6CidrBlockCreated property to IVpc interface
  • Added ipv6CidrBlockCreated property to VpcBase abstract class
  • Implemented ipv6CidrBlockCreated in Vpc class with DependencyGroup that contains the IPv6 CIDR block resource
  • Added ipv6CidrBlockCreated to ImportedVpc and LookedUpVpc classes (empty DependencyGroup)
  • Follows the existing internetConnectivityEstablished pattern

Usage Example:

const vpc = new Vpc(this, 'DualStackVpc', {
  ipProtocol: IpProtocol.DUAL_STACK,
});

const sg = new SecurityGroup(this, 'SG', { vpc });
sg.addIngressRule(
  Peer.ipv6(Fn.select(0, vpc.vpcIpv6CidrBlocks)),
  Port.tcp(443)
);

// Add dependency to ensure IPv6 CIDR block exists first
sg.node.addDependency(vpc.ipv6CidrBlockCreated);

This is NOT a breaking change - this is an additive change that does not affect existing behavior.

Describe any new or updated permissions being added

N/A - No IAM permission changes.

Description of how you validated changes

  • Unit tests: Added 5 new unit tests in vpc.test.ts:
    • ipv6CidrBlockCreated is defined for dual-stack VPCs
    • ipv6CidrBlockCreated is defined for IPv4-only VPCs (empty DependencyGroup)
    • resources depending on ipv6CidrBlockCreated have correct DependsOn for dual-stack VPCs
    • resources depending on ipv6CidrBlockCreated have no DependsOn for IPv4-only VPCs
    • imported VPCs have ipv6CidrBlockCreated property (empty DependencyGroup)
  • Integration test: Added integ.vpc-ipv6-cidr-block-dependency.ts that:
    • Creates a dual-stack VPC with IPv6 enabled
    • Creates a SecurityGroup with an IPv6 CIDR ingress rule using vpc.vpcIpv6CidrBlocks
    • Adds dependency on vpc.ipv6CidrBlockCreated to prevent the race condition
    • Deployed successfully to AWS and verified the DependsOn is correctly set in CloudFormation

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
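An added example, not code from the PR or from the CDK project: a small TypeScript lint that inspects a synthesized CloudFormation template for the ordering gap this PR describes, i.e. a resource that reads a VPC's Ipv6CidrBlocks attribute without a DependsOn on that VPC's AWS::EC2::VPCCidrBlock. The sample template and its logical IDs (VPC, VPCipv6cidr, SGUnsafe, SGSafe) are constructed for the example.

```typescript
// Added example, not part of the PR: lint a synthesized CloudFormation template for
// resources that read a VPC's Ipv6CidrBlocks attribute (what vpc.vpcIpv6CidrBlocks
// synthesizes to) without a DependsOn on that VPC's AWS::EC2::VPCCidrBlock resource.
type Resource = { Type: string; Properties?: unknown; DependsOn?: string | string[] };
type Template = { Resources: Record<string, Resource> };
// Walk an intrinsic tree; collect logical IDs of VPCs whose Ipv6CidrBlocks is read via Fn::GetAtt.
function collectIpv6VpcRefs(node: unknown, out: Set<string>): void {
  if (Array.isArray(node)) { node.forEach((n) => collectIpv6VpcRefs(n, out)); return; }
  if (!node || typeof node !== 'object') return;
  const obj = node as Record<string, unknown>;
  const getAtt = obj['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt[1] === 'Ipv6CidrBlocks') out.add(String(getAtt[0]));
  Object.keys(obj).forEach((k) => collectIpv6VpcRefs(obj[k], out));
}

// Logical IDs of resources that use a VPC's IPv6 CIDR but do not DependsOn any VPCCidrBlock
// of that VPC. A VPC with no VPCCidrBlock is reported too: Fn::Select 0 fails the same way.
export function findMissingIpv6Deps(tpl: Template): string[] {
  const cidrBlocksByVpc = new Map<string, string[]>();
  Object.keys(tpl.Resources).forEach((id) => {
    const res = tpl.Resources[id];
    if (res.Type !== 'AWS::EC2::VPCCidrBlock') return;
    const vpcId = (res.Properties as { VpcId?: { Ref?: string } } | undefined)?.VpcId?.Ref;
    if (vpcId) cidrBlocksByVpc.set(vpcId, (cidrBlocksByVpc.get(vpcId) ?? []).concat(id));
  });
  const missing: string[] = [];
  Object.keys(tpl.Resources).forEach((id) => {
    const res = tpl.Resources[id];
    const deps = new Set<string>(([] as string[]).concat(res.DependsOn ?? []));
    const vpcs = new Set<string>();
    collectIpv6VpcRefs(res.Properties, vpcs);
    vpcs.forEach((vpc) => {
      if (!(cidrBlocksByVpc.get(vpc) ?? []).some((b) => deps.has(b))) missing.push(id);
    });
  });
  return missing;
}

// Constructed sample: SGUnsafe lacks the dependency; SGSafe carries the DependsOn that
// sg.node.addDependency(vpc.ipv6CidrBlockCreated) produces.
const ipv6Ingress = [{ IpProtocol: 'tcp', FromPort: 443, ToPort: 443,
  CidrIpv6: { 'Fn::Select': [0, { 'Fn::GetAtt': ['VPC', 'Ipv6CidrBlocks'] }] } }];
export const SAMPLE_TEMPLATE: Template = { Resources: {
  VPC: { Type: 'AWS::EC2::VPC', Properties: { CidrBlock: '10.0.0.0/16' } },
  VPCipv6cidr: { Type: 'AWS::EC2::VPCCidrBlock', Properties: { VpcId: { Ref: 'VPC' }, AmazonProvidedIpv6CidrBlock: true } },
  SGUnsafe: { Type: 'AWS::EC2::SecurityGroup', Properties: { VpcId: { Ref: 'VPC' }, SecurityGroupIngress: ipv6Ingress } },
  SGSafe: { Type: 'AWS::EC2::SecurityGroup', DependsOn: 'VPCipv6cidr',
    Properties: { VpcId: { Ref: 'VPC' }, SecurityGroupIngress: ipv6Ingress } },
} };
```

Run it against the output of `cdk synth` to confirm that every consumer of the IPv6 CIDR is ordered after the VPCCidrBlock before deploying.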

…k dependency

Closes aws#36714.

When using a dual-stack VPC and referencing vpc.vpcIpv6CidrBlocks to create
dependent resources (like security groups), CloudFormation deployments may
fail with race conditions because there's no explicit dependency on the
AWS::EC2::VPCCidrBlock resource.

This change adds a new ipv6CidrBlockCreated: IDependable property to the VPC
construct that allows users to establish a dependency on the IPv6 CIDR block
being allocated before creating resources that reference vpcIpv6CidrBlocks.

Usage:
  const vpc = new Vpc(this, 'VPC', { ipProtocol: IpProtocol.DUAL_STACK });
  const sg = new SecurityGroup(this, 'SG', { vpc });
  sg.addIngressRule(Peer.ipv6(Fn.select(0, vpc.vpcIpv6CidrBlocks)), Port.tcp(443));
  sg.node.addDependency(vpc.ipv6CidrBlockCreated);

- Added ipv6CidrBlockCreated property to IVpc interface
- Added ipv6CidrBlockCreated property to VpcBase abstract class
- Implemented ipv6CidrBlockCreated in Vpc class with DependencyGroup
- Added ipv6CidrBlockCreated to ImportedVpc and LookedUpVpc (empty DependencyGroup)
- Added 5 unit tests
- Added integration test
@github-actions github-actions bot added the bug This issue is a bug. label Jan 20, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team January 20, 2026 19:57
@github-actions github-actions bot added effort/medium Medium work item – several days of effort p2 labels Jan 20, 2026
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Jan 20, 2026
pahud added 2 commits January 21, 2026 15:59
…lock dependency

- Add abstract `ipv6CidrBlockCreated` property to VpcV2Base class
- Implement `ipv6CidrBlockCreated` property in VpcV2 class as IDependable
- Initialize `ipv6CidrBlockCreated` as empty DependencyGroup in VpcV2 constructor
- Add comprehensive JSDoc comments explaining IPv6 CIDR block dependency behavior
- Enable consumers to depend on IPv6 CIDR block allocation for proper resource ordering
github-actions bot commented Jan 21, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results | 48 ran, 48 passed | |
Test | Result
No test annotations available

github-actions bot commented Jan 21, 2026

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.


Tests | Passed ✅ | Skipped | Failed
Security Guardian Results with resolved templates | 48 ran, 48 passed | |
Test | Result
No test annotations available

…pshots

- Update CloudFormation template hash and asset references in snapshot files
- Add guard suppression rule for EC2_NO_OPEN_SECURITY_GROUPS in security group metadata
- Expand analytics data in manifest.json with detailed construct configuration properties
- Replace wildcard analytics data with explicit property values for VPC and subnet constructs
- Update manifest version from 49.0.0 to 50.0.0
- Regenerate snapshots to reflect changes in IPv6 CIDR block dependency test
Successfully merging this pull request may close these issues.

aws-ec2: VPC Construct - Use of vpc.vpcIpv6CidrBlocks does not model VPCCidrBlock dependency in CFN
