Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aws-elasticloadbalancingv2: ApplicationListener open prop does not account for LB type DUAL_STACK_WITHOUT_PUBLIC_IPV4 #32197

Open
1 task
clareliguori opened this issue Nov 19, 2024 · 1 comment · May be fixed by #32203
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. effort/small Small work item – less than a day of effort p2

Comments

@clareliguori
Copy link
Member

clareliguori commented Nov 19, 2024

Describe the bug

The automatically generated security group ingress rules for an ALB are incorrect when 1) an ApplicationLoadBalancer IP address type is set to DUAL_STACK_WITHOUT_PUBLIC_IPV4 and 2) a listener on the LB is set to allow anyone to connect to the load balancer on the listener port open: true. The generated rules only allow IPV4 inbound traffic and no IPV6 inbound traffic, which effectively allows no external traffic.

Support for DUAL_STACK_WITHOUT_PUBLIC_IPV4 was added in CDK v2.159.0, but missed this change.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     },
     {
      "CidrIp": "::/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Current Behavior

Example security group ingress rules:

    "SecurityGroupIngress": [
     {
      "CidrIp": "0.0.0.0/0",
      "Description": "Allow from anyone on port 80",
      "FromPort": 80,
      "IpProtocol": "tcp",
      "ToPort": 80
     }
    ],

Reproduction Steps

I'm using the ECS patterns module, which automatically generated the load balancer:

new patterns.ApplicationLoadBalancedFargateService(this, 'Service', {
      cluster,
      desiredCount: 1,
      domainName,
      domainZone,
      protocol: ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      assignPublicIp: false,
      ipAddressType: elb.IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4,
      taskImageOptions: {
...

Possible Solution

I have what I believe is a fix, but I still need to update tests and validate:

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
index 07cfb949f3..35ba804721 100644
--- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
+++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -303,7 +303,8 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
 
     if (props.open !== false) {
       this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
-      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+      if (this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK ||
+        this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4) {
         this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
       }
     }

Additional Information/Context

No response

CDK CLI Version

2.164.1

Framework Version

No response

Node.js Version

v20.18.0

OS

Linux

Language

TypeScript

Language Version

5.6.2

Other information

No response

@clareliguori clareliguori added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Nov 19, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Nov 19, 2024
@khushail khushail self-assigned this Nov 19, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Nov 26, 2024
@khushail
Copy link
Contributor

Hi @clareliguori , thanks for reporting this. The issue is reproducible with given code snippet -

    const albv2 = new patterns.ApplicationLoadBalancedFargateService(this, 'MyFargateService', {
      taskImageOptions: {
        image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"),
      },
      cluster: clusterv2,
      desiredCount: 1,
      publicLoadBalancer: true,
      domainName: 'mydomain.com',
      domainZone: route53.HostedZone.fromLookup(this, 'MyHostedZone', { domainName: 'mydomain.com' }),
      protocol: elbv2.ApplicationProtocol.HTTPS,
      redirectHTTP: true,
      sslPolicy: elbv2.SslPolicy.RECOMMENDED_TLS
    });

generated template -

Screenshot 2024-11-26 at 1 51 39 PM

Appreciate your PR contribution! Thanks.

@khushail khushail added effort/small Small work item – less than a day of effort and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Nov 26, 2024
@khushail khushail removed their assignment Nov 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. effort/small Small work item – less than a day of effort p2
Projects
None yet
2 participants