feat(ec2): support the new SupportedRegions property for AWS::EC2::VPCEndpointService (#33959)

### Issue # (if applicable)

N/A

### Reason for this change

Supporting the new L1 property in the L2 construct

### Description of changes

Added a new L2 prop - `allowedRegions` - which is of type `string[]`. It gets passed to the L1 `SupportedRegions` property.

### Describe any new or updated permissions being added

none

### Description of how you validated changes

Unit tests and integ test

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: samson-keung

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-service.js.snapshot/TestStackLoadBalancer.assets.json

@@ -512,6 +512,9 @@
     ],
     "SupportedIpAddressTypes": [
      "ipv4"
+    ],
+    "SupportedRegions": [
+     "us-east-2"
     ]
    }
   }

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-service.js.snapshot/TestStackLoadBalancer.template.json

@@ -17,7 +17,8 @@ class TestStack extends cdk.Stack {
       vpcEndpointServiceLoadBalancers: [loadBalancer],
       acceptanceRequired: true,
       contributorInsights: true,
-      supportedIpAddressTypes: [ec2.IpAddressType.IPV4], // change to ipv4 and re-run
+      supportedIpAddressTypes: [ec2.IpAddressType.IPV4],
+      allowedRegions: ['us-east-2'],
     });
   }
 }

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-service.js.snapshot/VpcEndpointserviceDefaultTestDeployAssert1FF764BE.assets.json

@@ -1134,6 +1134,18 @@ new ec2.VpcEndpointService(this, 'EndpointService', {
 });
 ```
 
+You can restrict access to your endpoint service to specific AWS regions:
+
+```ts
+declare const networkLoadBalancer: elbv2.NetworkLoadBalancer;
+
+new ec2.VpcEndpointService(this, 'EndpointService', {
+  vpcEndpointServiceLoadBalancers: [networkLoadBalancer],
+  // Allow service consumers from these regions only
+  allowedRegions: ['us-east-1', 'eu-west-1'],
+});
+```
+
 Endpoint services support private DNS, which makes it easier for clients to connect to your service by automatically setting up DNS in their VPC.
 You can enable private DNS on an endpoint service like so:
 

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-service.js.snapshot/cdk.out

@@ -103,6 +103,11 @@ export class VpcEndpointService extends Resource implements IVpcEndpointService
    */
   private readonly supportedIpAddressTypes?: IpAddressType[];
 
+  /**
+   * The Regions from which service consumers can access the service.
+   */
+  private readonly allowedRegions?: string[];
+
   /**
    * The id of the VPC Endpoint Service, like vpce-svc-xxxxxxxxxxxxxxxx.
    * @attribute
@@ -132,6 +137,7 @@ export class VpcEndpointService extends Resource implements IVpcEndpointService
     this.acceptanceRequired = props.acceptanceRequired ?? true;
     this.contributorInsightsEnabled = props.contributorInsights;
     this.supportedIpAddressTypes = props.supportedIpAddressTypes;
+    this.allowedRegions = props.allowedRegions;
 
     if (props.allowedPrincipals && props.whitelistedPrincipals) {
       throw new Error('`whitelistedPrincipals` is deprecated; please use `allowedPrincipals` instead');
@@ -144,6 +150,7 @@ export class VpcEndpointService extends Resource implements IVpcEndpointService
       acceptanceRequired: this.acceptanceRequired,
       contributorInsightsEnabled: this.contributorInsightsEnabled,
       supportedIpAddressTypes: this.supportedIpAddressTypes?.map(type => type.toString()),
+      supportedRegions: this.allowedRegions,
     });
 
     this.vpcEndpointServiceId = this.endpointService.ref;
@@ -220,4 +227,10 @@ export interface VpcEndpointServiceProps {
    * @default - No specific IP address types configured
    */
   readonly supportedIpAddressTypes?: IpAddressType[];
+
+  /**
+   * The Regions from which service consumers can access the service.
+   * @default - No Region restrictions
+   */
+  readonly allowedRegions?: string[];
 }

packages/@aws-cdk-testing/framework-integ/test/aws-ec2/test/integ.vpc-endpoint-service.js.snapshot/integ.json

@@ -229,5 +229,101 @@ describe('vpc endpoint service', () => {
         SupportedIpAddressTypes: ['ipv4', 'ipv6'],
       });
     });
+
+    test('without specifying allowed regions', () => {
+      // GIVEN
+      const stack = new Stack();
+
+      // WHEN
+      const lb = new DummyEndpointLoadBalacer('arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a');
+      new VpcEndpointService(stack, 'EndpointService', {
+        vpcEndpointServiceLoadBalancers: [lb],
+        acceptanceRequired: false,
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpointService', {
+        NetworkLoadBalancerArns: ['arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a'],
+        AcceptanceRequired: false,
+      });
+
+      // Verify SupportedRegions is not present when not specified
+      const template = Template.fromStack(stack);
+      const resources = template.findResources('AWS::EC2::VPCEndpointService');
+      const resourceKey = Object.keys(resources)[0];
+      expect(resources[resourceKey].Properties.SupportedRegions).toBeUndefined();
+    });
+
+    test('with a single allowed region', () => {
+      // GIVEN
+      const stack = new Stack();
+
+      // WHEN
+      const lb = new DummyEndpointLoadBalacer('arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a');
+      new VpcEndpointService(stack, 'EndpointService', {
+        vpcEndpointServiceLoadBalancers: [lb],
+        acceptanceRequired: false,
+        allowedRegions: ['us-east-1'],
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpointService', {
+        NetworkLoadBalancerArns: ['arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a'],
+        AcceptanceRequired: false,
+        SupportedRegions: ['us-east-1'],
+      });
+    });
+
+    test('with multiple allowed regions', () => {
+      // GIVEN
+      const stack = new Stack();
+
+      // WHEN
+      const lb = new DummyEndpointLoadBalacer('arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a');
+      new VpcEndpointService(stack, 'EndpointService', {
+        vpcEndpointServiceLoadBalancers: [lb],
+        acceptanceRequired: false,
+        allowedRegions: ['us-east-1', 'us-west-1', 'eu-west-1'],
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpointService', {
+        NetworkLoadBalancerArns: ['arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a'],
+        AcceptanceRequired: false,
+        SupportedRegions: ['us-east-1', 'us-west-1', 'eu-west-1'],
+      });
+    });
+
+    test('with combined options including allowed regions', () => {
+      // GIVEN
+      const stack = new Stack();
+
+      // WHEN
+      const lb = new DummyEndpointLoadBalacer('arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a');
+      new VpcEndpointService(stack, 'EndpointService', {
+        vpcEndpointServiceLoadBalancers: [lb],
+        acceptanceRequired: true,
+        allowedRegions: ['us-east-1', 'us-west-2'],
+        supportedIpAddressTypes: [IpAddressType.IPV4],
+        contributorInsights: true,
+        allowedPrincipals: [new ArnPrincipal('arn:aws:iam::123456789012:root')],
+      });
+
+      // THEN
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpointService', {
+        NetworkLoadBalancerArns: ['arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/Test/9bn6qkf4e9jrw77a'],
+        AcceptanceRequired: true,
+        SupportedRegions: ['us-east-1', 'us-west-2'],
+        SupportedIpAddressTypes: ['ipv4'],
+        ContributorInsightsEnabled: true,
+      });
+
+      Template.fromStack(stack).hasResourceProperties('AWS::EC2::VPCEndpointServicePermissions', {
+        ServiceId: {
+          Ref: 'EndpointServiceED36BE1F',
+        },
+        AllowedPrincipals: ['arn:aws:iam::123456789012:root'],
+      });
+    });
   });
 });