-
Notifications
You must be signed in to change notification settings - Fork 4.2k
fix(elasticloadbalancingv2): add validation on application listeners for certificates on HTTP protocol #34233
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(elasticloadbalancingv2): add validation on application listeners for certificates on HTTP protocol #34233
Conversation
…s for certificates on HTTP protocol
@wmattei Could you please merge the newest main branch? It results that |
@@ -263,6 +263,10 @@ export class ApplicationListener extends BaseListener implements IApplicationLis | |||
throw new ValidationError('At least one of \'port\' or \'protocol\' is required', scope); | |||
} | |||
|
|||
if (protocol === ApplicationProtocol.HTTP && props.certificates?.length) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hi @wmattei , does this cause any failure if these values are passed to CFN ? if yes then okay to add it in CDK, if not then this can lead to a breaking change for the users.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@shikha372 it causes an error during deployment.
If I pass certificates to a listener on protocol HTTP I get the following error during deployment:
2:49:19 PM | UPDATE_FAILED | AWS::ElasticLoadBalancingV2::Listener | backendbackendlbba...listen
er805306FF55
Resource handler returned message: "A certificate cannot be specified for HTTP listeners (Service: ElasticL
oadBalancingV2, Status Code: 400, Request ID: 90e1f770-456b-4639-bd83-39ef554c8d0f) (SDK Attempt Count: 1)"
(RequestToken: f6460b90-6dc1-63d3-cad3-259db82be7a1, HandlerErrorCode: InvalidRequest)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you, what do you think about throwing a warning here instead of an error, do not want to cause an unintended breaking change for the existing customers.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could do that, but I am not sure about the experience of seeing a warning during synth only to the see the deploy fail if the warning is ignore.
Do we have things like this happening on other resources/constructs?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, we've warnings in other constructs/resources as well, if the check is already being handled by CFN, i think we should be good to just let them know before deployment with the warning which they can either bypass or choose to act upon, it doesn't become a blocker for any existing stack that are using such configuration.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it! Ok, updated the PR, let me know what you think.
Not sure if the warning id needs to be defined somewhere else?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(This review is outdated)
Exemption Request: This PR does not contain any change to synthesized stacks, it just adds a new warning. |
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This pull request has been removed from the queue for the following reason: The pull request can't be updated. You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again. |
@shikha372 I think I will need your review again (: |
@shikha372 I think I am bit lost on what needs to be done on this PR. The approval was dismissed. Is there anything I must do? Thanks |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@shikha372 mergify seems to be dismissing your approval 🤔 |
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
Comments on closed issues and PRs are hard for our team to see. |
Issue # (if applicable)
Reason for this change
ElasticLoadBalancerV2 throw a 400 error if you try to append a certificate to a listener on port 80 (or protocol HTTP).
This PR brings this same validation to CDK
Description of changes
Added a new check for the application protocol and the length of certificates, and if there is any certificate, throw a validation error.
Also, added a test for this case.
Describe any new or updated permissions being added
Description of how you validated changes
Checklist
My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license