Skip to content

fix(elasticache): security group for ServerlessCache does not use default endpoint port #35738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mergify merged 5 commits into from
Jan 5, 2026
Merged

fix(elasticache): security group for ServerlessCache does not use default endpoint port #35738

mergify merged 5 commits into from
Jan 5, 2026

Conversation

@go-to-k
Copy link
Contributor

@go-to-k go-to-k commented Oct 14, 2025
edited
Loading

Issue # (if applicable)

N/A

Reason for this change

A security group ingress for the new ServerlessCache construct does not use an endpoint port.

The following CDK code generates an INVALID CFn template with null for FromPort and ToPort:

    const cache = new ServerlessCache(this, 'ServerlessCache', {
      vpc,
    });
    const sg = new SecurityGroup(this, 'SecurityGroup', {
      vpc,
    });
    sg.connections.allowToDefaultPort(cache);
  "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    // ...
    // ...
    "FromPort": null,
    // ...
    // ...
    "ToPort": null
   },

An expected template:

  "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    // ...
    // ...
    "FromPort": {
     "Fn::GetAtt": [
      "Cache18F6EE16",
      "Endpoint.Port"
     ]
    },
    // ...
    // ...
    "ToPort": {
     "Fn::GetAtt": [
      "Cache18F6EE16",
      "Endpoint.Port"
     ]
    }
   }
  },

FYI: The method cache.connections.defaultPort?.toRuleJson() outputs {"Value":{"ipProtocol":"tcp","fromPort":null,"toPort":null}}. But we expect {"Value":{"ipProtocol":"tcp","fromPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]},"toPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]}}}.

Description of changes

Use Token.asNumber for the defaultPort of Connections in ServerlessCache:

    this.connections = new ec2.Connections({
      securityGroups: this.securityGroups,
-      defaultPort: ec2.Port.tcp(Lazy.number({ produce: () => parseInt(this.serverlessCacheEndpointPort) })),
+      defaultPort: ec2.Port.tcp(Token.asNumber(this.serverlessCacheEndpointPort)),
    });

Describe any new or updated permissions being added

Description of how you validated changes

Both an unit test and an integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 14, 2025 09:25
@github-actions github-actions bot added distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 labels Oct 14, 2025
@go-to-k go-to-k changed the title fix(elasticache): security group for ServerlessCache does not use endpoint port fix(elasticache): security group for ServerlessCache does not use default endpoint port Oct 14, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 14, 2025
mazyu36
mazyu36 approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the fix!

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 14, 2025
@github-actions github-actions bot mentioned this pull request Nov 1, 2025
Open
@gasolima gasolima added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Dec 18, 2025
@gasolima gasolima had a problem deploying to deployment-integ-test December 18, 2025 15:12 — with GitHub Actions Failure
gasolima
gasolima previously approved these changes Dec 18, 2025
View reviewed changes
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Dec 18, 2025
@gasolima gasolima removed the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Dec 18, 2025
@gasolima gasolima added the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Dec 18, 2025
@mergify mergify bot dismissed gasolima’s stale review December 18, 2025 17:39

Pull request has been modified.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 18, 2025
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

TestsPassed ✅SkippedFailed
Security Guardian Results48 ran48 passed
TestResult
No test annotations available

@github-actions
Copy link
Contributor

github-actions bot commented Dec 18, 2025
edited
Loading

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

TestsPassed ✅SkippedFailed
Security Guardian Results with resolved templates48 ran48 passed
TestResult
No test annotations available

@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Dec 18, 2025
@go-to-k
Copy link
Contributor Author

go-to-k commented Dec 19, 2025

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Dec 19, 2025

update

✅ Branch has been successfully updated

@mergify mergify bot had a problem deploying to deployment-integ-test December 19, 2025 02:06 Error
@go-to-k
Copy link
Contributor Author

go-to-k commented Dec 19, 2025

@gasolima Thanks for your approval. Could you please approve again?

@gasolima
Copy link
Contributor

gasolima commented Dec 19, 2025

@go-to-k approved, i was testing the new workflow that deploy the integration test 😅 and it worked!

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Dec 19, 2025
@go-to-k
Copy link
Contributor Author

go-to-k commented Dec 23, 2025

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Dec 23, 2025

update

✅ Branch has been successfully updated

@mergify mergify bot had a problem deploying to deployment-integ-test December 23, 2025 06:40 Failure
@go-to-k
Copy link
Contributor Author

go-to-k commented Dec 25, 2025

@gasolima Could you please merge?

@gasolima gasolima removed the pr/needs-integration-tests-deployment Requires the PR to deploy the integration test snapshots. label Jan 5, 2026
@mergify
Copy link
Contributor

mergify bot commented Jan 5, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Jan 5, 2026
edited
Loading

Merge Queue Status

✅ The pull request has been merged at 9d2091d

This pull request spent 40 minutes 35 seconds in the queue, including 40 minutes 24 seconds running CI.
The checks were run in-place.

Required conditions to merge

@mergify
Copy link
Contributor

mergify bot commented Jan 5, 2026

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 79d91ad into aws:main Jan 5, 2026
22 of 23 checks passed
@github-actions
Copy link
Contributor

github-actions bot commented Jan 5, 2026

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 5, 2026
@go-to-k go-to-k deleted the fix-elasticache-port branch January 5, 2026 16:58
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@gasolima gasolima gasolima approved these changes

+1 more reviewer

@mazyu36 mazyu36 mazyu36 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@go-to-k @gasolima @mazyu36 @aws-cdk-automation