From 3ad10a0b7098cd57c522cab36aee3651419005fc Mon Sep 17 00:00:00 2001
From: Matthew Moore
Date: Fri, 29 Jan 2021 09:04:09 +0000
Subject: [PATCH] feat(elbv2): allow control of ingress rules on redirect listener

fixes #12766
---
 .../aws-elasticloadbalancingv2/README.md | 3 +++
 .../lib/alb/application-load-balancer.ts | 17 ++++++++++++-
 .../test/alb/listener.test.ts | 25 +++++++++++++++++++
 3 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
index ac397ba62bd94..5312e65c406e0 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
@@ -182,6 +182,9 @@ lb.addRedirect({
 If you do not provide any options for this method, it redirects HTTP port 80 to HTTPS port 443.
 
+By default all ingress traffic will be allowed on the source port. If you want to be more selective with your
+ingress rules then set `open: false` and use the listener's `connections` object to selectively grant access to the listener.
+
 ## Defining a Network Load Balancer
 
 Network Load Balancers are defined in a similar way to Application Load
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
index 8f0ccf963cc5b..4ad4dcb5fa081 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -119,7 +119,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
 return this.addListener(`Redirect${sourcePort}To${targetPort}`, {
 protocol: props.sourceProtocol ?? ApplicationProtocol.HTTP,
 port: sourcePort,
- open: true,
+ open: props.open ?? true,
 defaultAction: ListenerAction.redirect({
 port: targetPort,
 protocol: props.targetProtocol ?? ApplicationProtocol.HTTPS,
@@ -665,4 +665,19 @@ export interface ApplicationLoadBalancerRedirectConfig {
 */
 readonly targetPort?: number;
 
+ /**
+ * Allow anyone to connect to this listener
+ *
+ * If this is specified, the listener will be opened up to anyone who can reach it.
+ * For internal load balancers this is anyone in the same VPC. For public load
+ * balancers, this is anyone on the internet.
+ *
+ * If you want to be more selective about who can access this load
+ * balancer, set this to `false` and use the listener's `connections`
+ * object to selectively grant access to the listener.
+ *
+ * @default true
+ */
+ readonly open?: boolean;
+
 }
\ No newline at end of file
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
index b9de0961423ec..d717847ca46e9 100644
--- a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
+++ b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
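Review bot: The new `open` docstring in the -665 hunk says "Allow anyone to connect to this listener", which is ambiguous for a redirect config that names two ports; in the -119 hunk the flag is passed only to the `addListener` call for `sourcePort`, so it governs the source listener's security-group ingress and says nothing about whatever serves `targetPort`. Suggest opening the doc with `Allow anyone to connect to the source listener (sourcePort).` and adding a sentence stating that it has no effect on the ingress rules of the listener serving `targetPort`. It would also help to say under `@default true` that the default is kept for backward compatibility, since the security-relevant consequence of this change is that the permissive setting remains the default and callers must opt out explicitly. The `addRedirect` body containing the -119 hunk starts and ends outside the hunk.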
@@ -690,6 +690,31 @@ describe('tests', () => {
 });
 });
 
+ test('Can supress default ingress rules on a simple redirect response', () => {
+ // GIVEN
+ const stack = new cdk.Stack();
+ const vpc = new ec2.Vpc(stack, 'Stack');
+
+ const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
+ vpc,
+ });
+
+ // WHEN
+ loadBalancer.addRedirect({ open: false });
+
+ // THEN
+ expect(stack).not.toHaveResourceLike('AWS::EC2::SecurityGroup', {
+ SecurityGroupIngress: [
+ {
+ CidrIp: '0.0.0.0/0',
+ Description: 'Allow from anyone on port 80',
+ IpProtocol: 'tcp',
+ },
+ ],
+ });
+
+ });
+
 test('Can add simple redirect responses with custom values', () => {
 // GIVEN
 const stack = new cdk.Stack();
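Review bot: The new test asserts only the absence of an ingress rule with a specific `Description`, so it would also pass if `addRedirect({ open: false })` created no listener at all or if the description wording changed; a positive assertion is needed to show the listener still exists with the default rule suppressed. Add `expect(stack).toHaveResourceLike('AWS::ElasticLoadBalancingV2::Listener', { Port: 80, Protocol: 'HTTP' });` before the negative check, and consider dropping the `Description` key from the negative match so it keys on `CidrIp: '0.0.0.0/0'` rather than on text. The test name also has a typo: `supress` should be `suppress`. The enclosing `describe('tests', ...)` block starts and ends outside the hunk.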