'Creating a VPC Interface Endpoint for SQS in Cloud Formation

I was wondering if it is possible to create a Resource in my CloudFormation file to create a VPC Endpoint for SQS. I was able to do this for SQS and DynamoDB, but I believe it is because they were Gateway endpoints.

For now I have defined my SQS resource as:

SQSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 'sqs:*'
            Resource:
              - '*'
      ServiceName: !Join 
        - ''
        - - com.amazonaws.
          - !Ref 'AWS::Region'
          - .sqs
      SubnetIds:
        - !Ref PrivateSubnet
        - !Ref PublicSubnet
      VpcId: !Ref 'VPC'
      VpcEndpointType: Interface

Though, when I try to create the stack I get the error:

enter image description here

It seems like it is possible from reading this blog post from AWS. Though I can't find any examples or documentation. Any ideas?

amazon-vpc


Solution 1:[1]

So to sum it all up:

  SQSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Join 
        - ''
        - - com.amazonaws.
          - !Ref 'AWS::Region'
          - .sqs
      SubnetIds:
        - !Ref PrivateSubnet
      VpcId: !Ref 'VPC'
      VpcEndpointType: Interface
      SecurityGroupIds:
        - !Ref PrivateSubnetInstanceSG # has to allow traffic from your VPC
      PrivateDnsEnabled: true

Background

I figured it out, for DynamoDB and S3, which use Gateway Endpoints, the PolicyDocument property has to be defined. For all other services, This doesn't need to be defined. So for SQS first I thought all that is needed is:

 SQSEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      ServiceName: !Join 
        - ''
        - - com.amazonaws.
          - !Ref 'AWS::Region'
          - .sqs
      SubnetIds:
        - !Ref PrivateSubnet
        - !Ref PublicSubnet
      VpcId: !Ref 'VPC'
      VpcEndpointType: Interface

But that still wasn't working, even though the interface endpoint was setup, I had to:

  1. set the PrivateDnsEnabled property to true so that you can use the AWS CLI as the AWS CLI uses the public endpoint, and setting the PrivateDnsEnabled allows the private endpoint to automatically be mapped to the public one

  2. set the SecurityGroupsIds to have a security group that allows Inbound traffic from your VPC. If this instance set, the default security group is used and it only allows inbound traffic from sources that have the default security group, meaning that SQS won't be able to send traffic back to your instance

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Alex R

Related Questions

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Terraform update Route53 DOMAIN NameServers

Amazon AWS S3 to Force Download Mp3 File instead of Stream It

How to enable terraform module only with a specific workspace

AWS RDS Postgres: WAL_LEVEL not set to 'logical' after changing rds.logical_replication = 1

Use terraform to set up a lambda function triggered by a scheduled event source

Use terraform to set up a lambda function triggered by a scheduled event source

Self stopping EC2 once task complete?

AWS - SWF - Asynchronous method

Why my cloudformation template is over 1 MB?

AWS elastic beanstalk - WARN install EACCES: permission denied, access '/tmp/.npm'

Aws step functions - Resume from failed step function activity instead of starting a new execution

Redirect Elastic Beanstalk URL to domain name

node-lambda - TypeError: handler is not a function