ec2: specifying EC2 private IP with associate public IP enabled generates invalid CFn

[hoppersoft]

Describe the bug

When both associatePublicIpAddress and privateIpAddress properties are supplied to the EC2 Instance construct, an invalid CloudFormation template is generated due to the presence of both PrivateIpAddess and NetworkInterfaces properties on the AWS::EC2::Instance resource.

Expected Behavior

The value of the privateIpAddress property should be added to the generated NetworkInterface, omitting the resource-level PrivateIpAddress property.

Current Behavior

The generated template leaves the PrivateIpAddress property populated but also includes a NetworkInterfaces property, resulting in a deployment error: "Network interfaces and an instance-level private IP address may not be specified on the same request"

Reproduction Steps

1. Create an EC2 instance (using Typescript syntax below):

new Instance(stack, 'Instance', {
      vpc,
      vpcSubnets: { subnetType: SubnetType.PUBLIC },
      securityGroup,
      machineImage: new AmazonLinuxImage(),
      instanceType: InstanceType.of(InstanceClass.T3, InstanceSize.LARGE),
      privateIpAddress: privateIpAddress,
      associatePublicIpAddress: true,
    });

2. Run cdk synth, capturing the output.
3. Attempt to cdk deploy - this will result in the "Network interfaces and an instance-level private IP address may not be specified on the same request" error and rollback.
4. (Extra credit) Inspect the AWS::EC2::Instance resource; you should see something like the below:

  <Resource ID>:
    Type: AWS::EC2::Instance
    Properties:
      #
      # Omitting other properties for brevity
      NetworkInterfaces:
        - AssociatePublicIpAddress: true
          DeviceIndex: "0"
          GroupSet:
            - Fn::GetAtt:
                - <Security Group ID>
                - GroupId
          SubnetId:
            Ref: <Subnet ID>
      PrivateIpAddress: 10.0.1.10

Possible Solution

The logic used to detect the use of associatePublicIpAddress should also include moving the value of privateIpAddress to the NetworkInterface object.

Additional Information/Context

No response

CDK CLI Version

2.85.0 (build 4e0d726)

Framework Version

No response

Node.js Version

18.0.0

OS

Windows, Mac

Language

Typescript

Language Version

5.1.3

Other information

No response

[pahud]

Per cloudformation doc

You cannot specify this option and the network interfaces option in the same request.

I believe CDK should throw when both this option and network interfaces option are specified.

[hoppersoft]

@pahud: as mentioned in #17127, you cannot specify the network interfaces in the construct props. The solution I'm proposing aligns with the current behavior of associatePublicIpAddress where a NetworkInterface is automatically created and moves the private IP to that ENI.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[hoppersoft]

@mrgrain I see that this change has been merged in, and I also see that the changelog indicates that the change was incorporated into 2.87.0 (build 9fca790). However, when I test locally, I'm still seeing the invalid EC2 resource being generated. I would debug it, but since I have no mapfiles (see #20561) to walk through the code, I can't. Is there a chance an old copy of aws-cdk-lib is being shipped in 2.87.0?