aws-servicecatalog: VPC product created with L2 ec2.Vpc not generating subnets

[ryan-roberts-bt]

Describe the bug

VPC product created with L2 aws-ec2.Vpc construct with subnet configuration supplied in a aws-servicecatalog.ProductStack class ignores the subnet configuration supplied when generating the template.

Regression Issue

• Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

All configuration options supplied to the aws-ec2.Vpc construct should be adhered to when the product cloudformation template is synthesized

Current Behavior

Subnet configuration is ignored and no subnets are created in the synthesized template

Reproduction Steps

from aws_cdk import (
    Stack,
    aws_servicecatalog as servicecatalog,
    aws_ec2 as ec2,
    aws_iam as iam,
    CfnParameter,
)
from constructs import Construct

class VpcServiceCatalogPortfolioStack(Stack):

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        super().__init__(scope, construct_id, **kwargs)

        vpc_portfolio = servicecatalog.Portfolio(self, "VPC_Portfolio",
                                            display_name="VPC Portfolio",
                                            provider_name="Engineering Team",
                                            description="Pre-configured VPCs available for various use cases including connectivity to the internet and other tenants.",
                                        )
        
        isolated_vpc_stack_history = servicecatalog.ProductStackHistory(self, "IsolatedVpcStackHistory",
                                                                        product_stack=IsolatedVpc(self, "Isolated_VPC"),
                                                                        current_version_name="v1",
                                                                        current_version_locked=False,
                                                                        )
        
        isolated_vpc_product = servicecatalog.CloudFormationProduct(self, "IsolatedVpcProduct",
                                                                    product_name="Isolated/Sandbox VPC",
                                                                    owner="Engineering",
                                                                    product_versions=[
                                                                        isolated_vpc_stack_history.current_version()
                                                                    ]
                                                                    )
        
        vpc_portfolio.add_product(isolated_vpc_product)
        
        launch_role = iam.Role.from_role_name(self, "LaunchRole",
                                              role_name="RES-ServiceCatalog-VPC-Launch")
        
        vpc_portfolio.set_local_launch_role(isolated_vpc_product, launch_role)


class IsolatedVpc(servicecatalog.ProductStack):
    def __init__(self, scope, id):
        super().__init__(scope, id)
        
        availability_zone_param = CfnParameter(self, "AvailabilityZoneNumber",
                                               description="The number of availability zones that this VPC should span",
                                               type="Number",
                                               min_value=1,
                                               max_value=3,
                                               )
        
        
        vpc = ec2.Vpc(self, "VPC",
                      ip_addresses=ec2.IpAddresses.cidr("10.254.0.0/22"),
                      max_azs=availability_zone_param.value_as_number,
                      subnet_configuration=[
                          ec2.SubnetConfiguration(
                              cidr_mask=24,
                              name='private',
                              subnet_type=ec2.SubnetType.PRIVATE_ISOLATED
                          ),
                          ec2.SubnetConfiguration(
                              cidr_mask=24,
                              name='public',
                              subnet_type=ec2.SubnetType.PUBLIC
                          )],
                      enable_dns_support=True,
                      enable_dns_hostnames=True,
                      restrict_default_security_group=False,
                      create_internet_gateway=True,
                      vpn_gateway=False
                      )

Possible Solution

No response

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.199.0

AWS CDK CLI version

2.1007.0

Node.js Version

22.15.0

OS

Windows 11

Language

Python

Language Version

3.12.3

Other information

No response

[ykethan]

Hey @ryan-roberts-bt, thank you for reaching out. I was able to reproduce this behavior using the following

Reproduction

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as servicecatalog from 'aws-cdk-lib/aws-servicecatalog';
import { Construct } from 'constructs';

class VpcProductStack extends servicecatalog.ProductStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const availabilityZoneParam = new cdk.CfnParameter(
      this,
      'AvailabilityZoneNumber',
      {
        description:
          'The number of availability zones that this VPC should span',
        type: 'Number',
        minValue: 1,
        maxValue: 3,
        default: 2,
      }
    );

    const vpc = new ec2.Vpc(this, 'VPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.254.0.0/22'),
      maxAzs: 2,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: 'private',
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
        {
          cidrMask: 24,
          name: 'public',
          subnetType: ec2.SubnetType.PUBLIC,
        },
      ],
      enableDnsSupport: true,
      enableDnsHostnames: true,
      restrictDefaultSecurityGroup: false,
      createInternetGateway: true,
      vpnGateway: false,
    });
  }
}

export class ReproductionStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const portfolio = new servicecatalog.Portfolio(this, 'VpcPortfolio', {
      displayName: 'VPC Portfolio',
      providerName: 'Engineering Team',
      description: 'Pre-configured VPCs - reproducing subnet issue',
    });

    const productStackHistory = new servicecatalog.ProductStackHistory(
      this,
      'VpcProductStackHistory',
      {
        productStack: new VpcProductStack(this, 'VpcProductStack'),
        currentVersionName: 'v1',
        currentVersionLocked: false,
      }
    );

    const product = new servicecatalog.CloudFormationProduct(
      this,
      'VpcProduct',
      {
        productName: 'VPC with Subnets',
        owner: 'Engineering',
        productVersions: [productStackHistory.currentVersion()],
      }
    );

    portfolio.addProduct(product);
  }
}

The issue occurs when maxAzs is set to a CloudFormation parameter reference within a servicecatalog.ProductStack. When maxAzs is a literal number, it does appear to generate correctly.

FAILS: Using Parameter for maxAzs

class VpcProductStack extends servicecatalog.ProductStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const availabilityZoneParam = new cdk.CfnParameter(this, 'AvailabilityZoneNumber', {
      type: 'Number',
      default: 2,
    });

    const vpc = new ec2.Vpc(this, 'VPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.254.0.0/22'),
      maxAzs: availabilityZoneParam.valueAsNumber, // Parameter reference
      subnetConfiguration: [/* ... */]
    });
  }
} 

In generated template: Only VPC and IGW generated, No subnet resources

WORKS: Using Literal Number for maxAzs

class VpcProductStack extends servicecatalog.ProductStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const vpc = new ec2.Vpc(this, 'VPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.254.0.0/22'),
      maxAzs: 2, // Literal number 
      subnetConfiguration: [/* ... */]
    });
  }
}

In generated template: VPC + ALL subnets generated properly using Fn::Select(0, Fn::GetAZs())

WORKS: Using Explicit Availability Zones

class VpcProductStack extends servicecatalog.ProductStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const az1Param = new cdk.CfnParameter(this, 'AvailabilityZone1', {
      type: 'String', default: 'us-east-1a',
    });
    const az2Param = new cdk.CfnParameter(this, 'AvailabilityZone2', {
      type: 'String', default: 'us-east-1b',
    });

    const vpc = new ec2.Vpc(this, 'VPC', {
      ipAddresses: ec2.IpAddresses.cidr('10.254.0.0/22'),
      availabilityZones: [az1Param.valueAsString, az2Param.valueAsString], // pass the parameters as strings
      subnetConfiguration: [/* ... */]
    });
  }
}

In generated template: VPC + ALL subnets generated with parameter references for AZ names

Could you try setting MaxAz's with a literal value or define explicit availability zone on the vpc and let us know if this mitigates the issue?

[ryan-roberts-bt]

Thanks for reproducing @ykethan.

I confirm that setting MaxAzs to a literal number results in the subnets being generated correctly in the template.