fix(elasticloadbalancingv2): add validation on application listeners for certificates on HTTP protocol #34233
Conversation
…s for certificates on HTTP protocol
github-actions
bot
added
the
beginning-contributor
aws-cdk-automation
added
the
pr/needs-community-review
|
@wmattei Could you please merge the newest main branch? It results that |
aws-cdk-automation
added
pr/needs-maintainer-review
| @@ -263,6 +263,10 @@ export class ApplicationListener extends BaseListener implements IApplicationLis | |||
| throw new ValidationError('At least one of \'port\' or \'protocol\' is required', scope); | |||
| } | |||
|
|
|||
| if (protocol === ApplicationProtocol.HTTP && props.certificates?.length) { | |||
There was a problem hiding this comment.
hi @wmattei , does this cause any failure if these values are passed to CFN ? if yes then okay to add it in CDK, if not then this can lead to a breaking change for the users.
There was a problem hiding this comment.
@shikha372 it causes an error during deployment.
If I pass certificates to a listener on protocol HTTP I get the following error during deployment:
2:49:19 PM | UPDATE_FAILED | AWS::ElasticLoadBalancingV2::Listener | backendbackendlbba...listen
er805306FF55
Resource handler returned message: "A certificate cannot be specified for HTTP listeners (Service: ElasticL
oadBalancingV2, Status Code: 400, Request ID: 90e1f770-456b-4639-bd83-39ef554c8d0f) (SDK Attempt Count: 1)"
(RequestToken: f6460b90-6dc1-63d3-cad3-259db82be7a1, HandlerErrorCode: InvalidRequest)
There was a problem hiding this comment.
Thank you, what do you think about throwing a warning here instead of an error, do not want to cause an unintended breaking change for the existing customers.
There was a problem hiding this comment.
We could do that, but I am not sure about the experience of seeing a warning during synth only to the see the deploy fail if the warning is ignore.
Do we have things like this happening on other resources/constructs?
There was a problem hiding this comment.
yeah, we've warnings in other constructs/resources as well, if the check is already being handled by CFN, i think we should be good to just let them know before deployment with the warning which they can either bypass or choose to act upon, it doesn't become a blocker for any existing stack that are using such configuration.
There was a problem hiding this comment.
There was a problem hiding this comment.
Got it! Ok, updated the PR, let me know what you think.
Not sure if the warning id needs to be defined somewhere else?
shikha372
changed the title
|
Exemption Request: This PR does not contain any change to synthesized stacks, it just adds a new warning. |
aws-cdk-automation
added
the
pr-linter/exemption-requested
shikha372
added
pr-linter/exempt-integ-test
aws-cdk-automation
removed
the
pr/needs-maintainer-review
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
This pull request has been removed from the queue for the following reason: The pull request can't be updated. You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again. |
aws-cdk-automation
added
the
pr/needs-maintainer-review
|
@shikha372 I think I will need your review again (: |
|
@shikha372 I think I am bit lost on what needs to be done on this PR. The approval was dismissed. Is there anything I must do? Thanks |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
|
@shikha372 mergify seems to be dismissing your approval 🤔 |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |
aws-cdk-automation
removed
the
pr/needs-maintainer-review
Issue # (if applicable)
Reason for this change
ElasticLoadBalancerV2 throw a 400 error if you try to append a certificate to a listener on port 80 (or protocol HTTP).
This PR brings this same validation to CDK
Description of changes
Added a new check for the application protocol and the length of certificates, and if there is any certificate, throw a validation error.
Also, added a test for this case.
Describe any new or updated permissions being added
Description of how you validated changes
Checklist
My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license