Skip to content

feat(ecs-patterns): add listener port as a property for network/application load balanced services #4825

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mergify merged 20 commits into from
Nov 7, 2019
Merged

feat(ecs-patterns): add listener port as a property for network/application load balanced services #4825

mergify merged 20 commits into from
Nov 7, 2019

Conversation

@pahud
Copy link
Contributor

@pahud pahud commented Nov 2, 2019
edited by piradeepk
Loading

Allow users to specify the listener port as input to application/network load balanced fargate/ecs services.

  • If a port is specified, both the target group and listener port will be overridden.
  • If a port is not specified, the target group port will be defaulted to 80 and the listener port will default to 80 if the protocol is HTTP or 443 if the protocol is HTTPS.

Fixes: #4793

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@pahud
- feat(ecs-patterns): allow to specify different NLB listener port ot…
14de430 
…her than the default 80(fix #4793)

- feat(ecs-patterns): public facing NLB fronted fargate tasks with assignPublicIp enabled should allow all ipv4 traffic to the ingress port on the fargate task
@pahud pahud requested a review from SoManyHs as a code owner November 2, 2019 17:05
@pahud pahud changed the title - feat(ecs-patterns): allow to specify different NLB listener port feat(ecs-patterns): allow to specify different NLB listener port Nov 2, 2019
@mergify
Copy link
Contributor

mergify bot commented Nov 2, 2019

Thanks so much for taking the time to contribute to the AWS CDK ❤️

We will shortly assign someone to review this pull request and help get it
merged. In the meantime, please take a minute to make sure you follow this
checklist:

  • PR title type(scope): text
    • type: fix, feat, refactor go into CHANGELOG, chore is hidden
    • scope: name of module without aws- or cdk- prefix or postfix (e.g. s3 instead of aws-s3-deployment)
    • text: use all lower-case, do not end with a period, do not include issue refs
  • PR Description
    • Rationale: describe rationale of change and approach taken
    • Issues: indicate issues fixed via: fixes #xxx or closes #xxx
    • Breaking?: last paragraph: BREAKING CHANGE: <describe what changed + link for details>
  • Testing
    • Unit test added. Prefer to add a new test rather than modify existing tests
    • CLI or init templates change? Re-run/add CLI integration tests
  • Documentation
    • README: update module README to describe new features
    • API docs: public APIs must be documented. Copy from official AWS docs when possible
    • Design: for significant features, follow design process

@pahud pahud mentioned this pull request Nov 2, 2019
Open
@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 2, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@SomayaB SomayaB added the @aws-cdk/aws-ecs Related to Amazon Elastic Container label Nov 4, 2019
@piradeepk piradeepk self-requested a review November 4, 2019 17:56
@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 4, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@karlpatr
Copy link

karlpatr commented Nov 4, 2019

assignPublicIp enabled should allow all ipv4 traffic

I disagree with this statement. I have multiple AWS services that are meant to be accessed only from inside a corporate VPN. It has public IPs because the traffic comes from outside the AWS account, but the access to the service behind the NLB is still restricted with a prefix list specifying the corporate IP block.

I don't use the patterns helper functions, but if this change is accepted the configuration I support will be impossible to build because the assumption made is not globally true.

I strongly encourage making any change that automatically reduces the security of a system for convenience explicitly opt-in.

@piradeepk
Copy link
Contributor

piradeepk commented Nov 4, 2019

assignPublicIp enabled should allow all ipv4 traffic

I disagree with this statement. I have multiple AWS services that are meant to be accessed only from inside a corporate VPN. It has public IPs because the traffic comes from outside the AWS account, but the access to the service behind the NLB is still restricted with a prefix list specifying the corporate IP block.

I don't use the patterns helper functions, but if this change is accepted the configuration I support will be impossible to build because the assumption made is not globally true.

I strongly encourage making any change that automatically reduces the security of a system for convenience explicitly opt-in.

I'm in agreement here, I don't think the use-case you handle can be described as the general use-case. I would rather not reduce the security levels of the construct and would leave it up to the user to do it after the fact if they prefer.

Since your PR is it's around allowing different listener ports (nlb/alb), please reduce the scope of this PR to only allow a listener port to be input to the construct and make any additional changes in a separate PR.

piradeepk
piradeepk previously requested changes Nov 4, 2019
View reviewed changes
@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 4, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot dismissed piradeepk’s stale review November 4, 2019 21:01

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 4, 2019

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud pahud changed the title feat(ecs-patterns): allow to specify different NLB listener port feat(ecs-patterns): allow to specify different NLB and ALB listener port Nov 5, 2019
@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 5, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud pahud requested a review from piradeepk November 5, 2019 03:28
@pahud pahud mentioned this pull request Nov 5, 2019
Closed
piradeepk
piradeepk previously requested changes Nov 5, 2019
View reviewed changes
@mergify mergify bot dismissed piradeepk’s stale review November 5, 2019 16:22

Pull request has been modified.

@mergify mergify bot dismissed piradeepk’s stale review November 5, 2019 19:08

Pull request has been modified.

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 5, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@piradeepk
Copy link
Contributor

piradeepk commented Nov 5, 2019

Can you also add a unit test to test when you specify a different port?

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 5, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

pahud added 3 commits November 6, 2019 08:17
@pahud
add the testing
5e1caf4
@pahud
Merge branch 'issue4793' of github.com:pahud/aws-cdk into issue4793
04faa95
@pahud
add more tests:
73525c7 
✔ setting NLB special listener port to create the listener
✔ setting ALB special listener port to create the listener
✔ setting ALB HTTPS protocol to create the listener on 443
✔ setting ALB HTTP protocol to create the listener on 80
✔ setting ALB without any protocol or listenerPort to create the listener on 80
@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 6, 2019

AWS CodeBuild CI Report

  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 6, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 6, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud
Copy link
Contributor Author

pahud commented Nov 6, 2019

Hi @pkandasamy91

All tests passed including some additional test coverage(73525c7). Can you kindly review it again?

@pahud pahud requested a review from piradeepk November 6, 2019 01:27
@piradeepk
Copy link
Contributor

piradeepk commented Nov 6, 2019

@pahud, thanks for adding the tests, but you have yet to resolve the comments from the previous review.

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 6, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 7, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@pahud
Copy link
Contributor Author

pahud commented Nov 7, 2019

@pkandasamy91

Just fixed the lines as suggested and all tests passed.

@aws-cdk-automation
Copy link
Collaborator

aws-cdk-automation commented Nov 7, 2019

AWS CodeBuild CI Report

  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@piradeepk piradeepk changed the title feat(ecs-patterns): allow to specify different NLB and ALB listener port feat(ecs-patterns): add listener port as a property for network and application load balanced services Nov 7, 2019
@piradeepk piradeepk changed the title feat(ecs-patterns): add listener port as a property for network and application load balanced services feat(ecs-patterns): add listener port as a property for network/application load balanced services Nov 7, 2019
piradeepk
piradeepk approved these changes Nov 7, 2019
View reviewed changes
Copy link
Contributor

@piradeepk piradeepk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ship it! Thanks for taking the time to contribute and resolve this issue!

@mergify
Copy link
Contributor

mergify bot commented Nov 7, 2019

Thank you for contributing! Your pull request is now being automatically merged.

@mergify mergify bot merged commit 20b8e5d into aws:master Nov 7, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SoManyHs SoManyHs Awaiting requested review from SoManyHs

1 more reviewer

@piradeepk piradeepk piradeepk approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@piradeepk piradeepk

Labels

@aws-cdk/aws-ecs Related to Amazon Elastic Container

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

NetworkLoadBalancedFargateService to support listener other than tcp80

6 participants

@pahud @aws-cdk-automation @karlpatr @piradeepk @SomayaB @SoManyHs