FargateToS3: Is it possible to disable and make it optional to add an interface/gateway endpoint to the VPC for S3?

[princeanire]

Hi
is it possible for the FargateToS3 solution construct to make it optional and disable the creation of interface/gateway endpoint to the VPC for S3 service when using the construct,

Use Case

there are use cases and situations that S3 Interface endpoint and/or S3 Gateway is already created and added to the VPC before the solution construct is used - when deploying the cloudformatoin template the there would be an error as the rtb entity to s3 endpoint/s are already included or interface/gateway endpoint is already added before

Proposed Solution

make adding an interface/gateway endpoint to the VPC optional but by default the solutions constructs adds the interface endpoint, so that the user can disable it in use cases that the s3 interface endpoint for s3 is already included before

Other

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[biffgaut]

Interesting topic. While looking into it, I notice 2 things:

• I can create 2 constructs with endpoints in the same VPC in my stack (I use aws-lambda-s3, but the VPC behavior should be the same.
• I can make it break by importing an existing VPC in the account that already has an S3 endpoint, but the error I see is not creating the actual endpoint, but a collision regarding the Route Table

Is this what you see?

[princeanire]

Yep, we encounter collision regarding the Route Table

it errors that a route entry to the S3 prefix list already exists - our workaround to this is that we manually delete the route table entry synthesized by our AWS cdk and then manually deploy it through cloudformation, manually process and we have to do this multiple times through our multiple deployments

[princeanire]

i'm new to aws cdk - it would helpful if there is a way to let was cdk that an existing s3 gateway/interfance endpoint already exists to the vpc and disable the creation aswell - disabling the creation of route table entry to the s3 prefix list in effect

probably I'm creating the constructs wrong, it would be helpful if you can provide workaround on the collision or error we encounter regarding the route table

[biffgaut]

I believe you are creating the construct correctly. There is a technique called escape hatches that allow you to alter the behavior of a construct. If you can navigate the VPC at the L2 level to get to the L2 RouteTable construct, then use escape hatches to alter the RouteTable you might be able to avoid the issue. I'll also try to give that a try.

[princeanire]

Hey @biffgaut, thanks for bringing up escape hatches! It looks like this isn't really a feature request after all. The docs actually cover my situation pretty well, especially with the escape hatches. So, I'll go ahead and close this. Thanks again!