(ALB + Cognito): Missing connection between SecurityGroup of ALB and SecurityGroup of service. #12994
Comments
@JPLemelin - Thanks for the bug report, and for the detailed information. Nothing is immediately jumping out at me here. If possible, I'd love to take you up on your offer to build a quick reproducible project with this bug. It would help a lot on being able to quickly hone in on what's going wrong here.
@njlynch I added a repo here https://github.com/JPLemelin/aws-cdk-issue-12994 I also added the output folder (cdk.out) of
The main diff between
+ "serviceSecurityGroupfrombaseInfraprodalbsg2960D4B48057A0CF64": {
+ "Type": "AWS::EC2::SecurityGroupIngress",
+ "Properties": {
+ "IpProtocol": "tcp",
+ "Description": "Load balancer to target",
+ "FromPort": 80,
+ "GroupId": {
+ "Fn::GetAtt": [
+ "serviceSecurityGroupF051F0EB",
+ "GroupId"
+ ]
+ },
+ "SourceSecurityGroupId": {
+ "Fn::ImportValue": "baseInfra-prod:ExportsOutputFnGetAttalbsg40B076C4GroupId00309A0E"
+ },
+ "ToPort": 80
+ },
+ "Metadata": {
+ "aws:cdk:path": "service-sample-without-cognito-prod/service/SecurityGroup/from baseInfraprodalbsg2960D4B4:80"
+ }
+ },
+ "serviceSecurityGroupbaseInfraprodalbsg2960D4B480from1B1F44EE": {
+ "Type": "AWS::EC2::SecurityGroupEgress",
+ "Properties": {
+ "GroupId": {
+ "Fn::ImportValue": "baseInfra-prod:ExportsOutputFnGetAttalbsg40B076C4GroupId00309A0E"
+ },
+ "IpProtocol": "tcp",
+ "Description": "Load balancer to target",
+ "DestinationSecurityGroupId": {
+ "Fn::GetAtt": [
+ "serviceSecurityGroupF051F0EB",
+ "GroupId"
+ ]
+ },
+ "FromPort": 80,
+ "ToPort": 80
+ },
+ "Metadata": {
+ "aws:cdk:path": "service-sample-without-cognito-prod/service/SecurityGroup/baseInfraprodalbsg2960D4B4:80 from"
+ }
+ },
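Review bot: the egress half of this pair (`serviceSecurityGroupbaseInfraprodalbsg2960D4B480from1B1F44EE`) writes a rule into the ALB security group through `Fn::ImportValue` of a `baseInfra-prod` export, so the service stack is mutating a group owned by another stack and pinning a cross-stack dependency on that export; the report would be clearer if it said outright that this is the pair the Cognito-chained listener fails to emit. Without the ingress half (`SourceSecurityGroupId` = the imported ALB group, tcp/80 on `serviceSecurityGroupF051F0EB`) the service security group rejects the load balancer's health checks and requests, so the symptom is unhealthy targets and gateway errors, not an exposure. Anyone reproducing these rules by hand as a workaround should keep the ALB group as the source/destination and the ports pinned to 80 as shown here, rather than opening the service group to a CIDR range.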
I'm experiencing the same issue. I have not been able to fully trace the issue yet, but I'm wondering @njlynch, do you know if the
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
I updated the repo with CDK v2: https://github.com/JPLemelin/aws-cdk-issue-12994/tree/cdk-v2 The issue is still present under CDK v2.28.1
) When you add an action to a listener the `bind` method is called, and one of the things that is typically done is to configure security group ingress. When you chain actions together, i.e.

```ts
listener.addAction('first-action', {
  action: ListenerAction.authenticateOidc({
    next: ListenerAction.forward([secondAction]),
    ...,
  }),
});
```

Bind is never called for the second action (i.e. `next`) which means the security group ingress rules are not created.

This PR updates the `ListenerAction.bind` method to call `bind` for any `next` action that is configured.

fixes #12994

----

### All Submissions:

* [ ] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
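The mechanism the fix describes, as an added example that is not aws-cdk code and not the PR's code: a small model of a listener action chain whose `bind` emits security-group ingress rules. The names `ListenerAction`, `bind`, `next`, `authenticateOidc` and `forward` echo the CDK API; `BindContext`, `Target`, `IngressRule`, `bindHeadOnly` and `synthRules` are assumptions made for this model. Binding only the head of the chain (the pre-fix behaviour) yields no rule for a forward that is reachable only through `next`; binding recursively yields the ALB-to-service rule.

```typescript
// Added example, not code from aws-cdk or from the thread: a minimal model of a
// listener action chain whose bind() creates security-group ingress rules, showing
// why a forward reached only through `next` produced no ingress before the fix.
// The names ListenerAction/bind/next echo the CDK API; BindContext, Target,
// IngressRule, bindHeadOnly and synthRules are assumptions made for this model.

interface IngressRule {
  targetSg: string;  // security group that receives the inbound rule (the service's)
  sourceSg: string;  // security group allowed to connect (the load balancer's)
  port: number;
}

/** What bind() is handed: the listener's security group and a sink for the rules it emits. */
interface BindContext {
  listenerSg: string;
  rules: IngressRule[];
}

/** A forward target: the security group and port the load balancer must reach. */
interface Target {
  sg: string;
  port: number;
}

abstract class ListenerAction {
  constructor(protected readonly next?: ListenerAction) {}

  /** Per-action work; only forwards have target-side ingress to configure. */
  protected abstract bindSelf(ctx: BindContext): void;

  static authenticateOidc(opts: { next: ListenerAction }): ListenerAction {
    return new AuthenticateAction(opts.next);
  }

  static forward(targets: Target[]): ListenerAction {
    return new ForwardAction(targets);
  }

  /** Pre-fix behaviour: only the head of the chain is bound, `next` is ignored. */
  bindHeadOnly(ctx: BindContext): void {
    this.bindSelf(ctx);
  }

  /** Post-fix behaviour described in the PR: bind this action, then whatever follows it. */
  bind(ctx: BindContext): void {
    this.bindSelf(ctx);
    this.next?.bind(ctx);
  }
}

class AuthenticateAction extends ListenerAction {
  protected bindSelf(_ctx: BindContext): void {
    // Authentication gates the request at the listener; it needs no target ingress.
  }
}

class ForwardAction extends ListenerAction {
  constructor(private readonly targets: Target[]) {
    super();
  }
  protected bindSelf(ctx: BindContext): void {
    for (const t of this.targets) {
      ctx.rules.push({ targetSg: t.sg, sourceSg: ctx.listenerSg, port: t.port });
    }
  }
}

/** Bind a chain under either behaviour and return the ingress rules it produced. */
function synthRules(action: ListenerAction, fixed: boolean): IngressRule[] {
  const ctx: BindContext = { listenerSg: 'sg-alb', rules: [] };
  if (fixed) {
    action.bind(ctx);
  } else {
    action.bindHeadOnly(ctx);
  }
  return ctx.rules;
}

// Constructed scenario from the issue: Cognito/OIDC auth in front of a forward to a service.
const service: Target = { sg: 'sg-service', port: 80 };
const plainForward = ListenerAction.forward([service]);
const authThenForward = ListenerAction.authenticateOidc({ next: ListenerAction.forward([service]) });

console.log('forward only, pre-fix     :', synthRules(plainForward, false));
console.log('auth -> forward, pre-fix  :', synthRules(authThenForward, false));
console.log('auth -> forward, post-fix :', synthRules(authThenForward, true));
```

The recursive `bind` is the whole fix: each action does its own work and then hands the same context to `next`, so a forward buried behind any number of authenticate actions still registers its ingress.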
I'm using an ALB and an ECS Service (Fargate in my case) split into different stacks at the TargetGroup level (like this).
When I'm using a Forward action in the listener everything is fine 👌
When I'm using an `AuthenticateCognitoAction` before the Forward action (I'm using Cognito auth in front of the ALB, similar to this), the `service.attachToApplicationTargetGroup(props.albTargetGroup)` in my service stack will not generate the `AWS::EC2::SecurityGroupIngress` to accept connections from the ALB to the service.

### Reproduction Steps

### What did you expect to happen?

In the service stack, I expect a resource of type `AWS::EC2::SecurityGroupIngress` which refers to the ALB SecurityGroup.

### What actually happened?

In the service stack, the resource `AWS::EC2::SecurityGroupIngress` is missing!

### Environment

### Other

Currently I'm bypassing the problem by exporting the albSG from the ALB stack and manually adding the connection between them.

PS: If it's necessary, I can also build a full CDK project with this bug.

This is 🐛 Bug Report
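The expectation stated in the report (a `SecurityGroupIngress` on the service group whose source is the ALB group) can be checked against the synthesized template before deploying, which is how a pipeline would have caught this regression. The following is an added example, not part of the issue and not aws-cdk code: it scans a CloudFormation template object for such a rule and also flags the wide form of the manual workaround (a CIDR-sourced rule on the service group), which goes beyond what the issue discusses. The templates are constructed here from the resource shapes in the diff posted above; the logical IDs, the export name and the helper names (`refersTo`, `checkAlbToServiceIngress`) are illustrative assumptions.

```typescript
// Added example, not from the issue or from aws-cdk: a pre-deploy check over a synthesized
// CloudFormation template (cdk.out/<stack>.template.json) that asserts the service security
// group admits traffic only from the load balancer's security group on the target port.
// The templates are constructed from the resource shapes in the diff posted above;
// logical IDs, the export name and the helper names are illustrative assumptions.

interface CfnResource {
  Type: string;
  Properties?: Record<string, any>;
}
interface CfnTemplate {
  Resources: Record<string, CfnResource>;
}

/** True if `v` is a Ref/GetAtt to `logicalId`, or an Fn::ImportValue of `exportName`. */
function refersTo(v: any, logicalId: string, exportName?: string): boolean {
  if (!v || typeof v !== 'object') return false;
  const getAtt = v['Fn::GetAtt'];
  if (Array.isArray(getAtt) && getAtt[0] === logicalId) return true;
  if (v.Ref === logicalId) return true;
  return exportName !== undefined && v['Fn::ImportValue'] === exportName;
}

interface IngressFinding {
  ok: boolean;          // exactly what we want: ALB SG -> service SG on tcp/port, nothing wider
  matched: string[];    // logical IDs of rules that satisfy the expectation
  problems: string[];   // reasons the template should not ship
}

/**
 * Scan `tpl` for AWS::EC2::SecurityGroupIngress resources attached to `serviceSgId`.
 * A rule counts only if its source is the ALB security group (local `logicalId` or the
 * cross-stack export `exportName`) and it is pinned to tcp/`port`. A CIDR-sourced rule on
 * the service SG is reported as a problem: it is the wide form of the manual workaround.
 */
function checkAlbToServiceIngress(
  tpl: CfnTemplate,
  serviceSgId: string,
  port: number,
  albSg: { logicalId?: string; exportName?: string },
): IngressFinding {
  const matched: string[] = [];
  const problems: string[] = [];
  for (const [id, res] of Object.entries(tpl.Resources)) {
    if (res.Type !== 'AWS::EC2::SecurityGroupIngress') continue;
    const p = res.Properties ?? {};
    if (!refersTo(p.GroupId, serviceSgId)) continue; // rule belongs to some other group
    if (p.CidrIp !== undefined || p.CidrIpv6 !== undefined) {
      problems.push(`${id}: CIDR source ${p.CidrIp ?? p.CidrIpv6} on the service SG instead of the ALB SG`);
      continue;
    }
    const fromAlb = refersTo(p.SourceSecurityGroupId, albSg.logicalId ?? '', albSg.exportName);
    const pinned = p.IpProtocol === 'tcp' && p.FromPort === port && p.ToPort === port;
    if (fromAlb && pinned) matched.push(id);
  }
  if (matched.length === 0) {
    problems.push(`no ingress on ${serviceSgId} from the ALB security group on tcp/${port}`);
  }
  return { ok: matched.length > 0 && problems.length === 0, matched, problems };
}

// Constructed templates; names follow the diff above.
const ALB_SG_EXPORT = 'baseInfra-prod:ExportsOutputFnGetAttalbsg40B076C4GroupId00309A0E';
const SERVICE_SG = 'serviceSecurityGroupF051F0EB';
const serviceSg: CfnResource = { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'service' } };
const albRule = (props: Record<string, any>): CfnResource => ({
  Type: 'AWS::EC2::SecurityGroupIngress',
  Properties: { IpProtocol: 'tcp', FromPort: 80, ToPort: 80, GroupId: { 'Fn::GetAtt': [SERVICE_SG, 'GroupId'] }, ...props },
});

// Plain forward action: the ingress rule is synthesized.
const withForward: CfnTemplate = { Resources: {
  [SERVICE_SG]: serviceSg,
  serviceSecurityGroupFromAlb80: albRule({ SourceSecurityGroupId: { 'Fn::ImportValue': ALB_SG_EXPORT } }),
} };
// authenticateCognito -> forward before the fix: the rule is absent.
const withCognito: CfnTemplate = { Resources: { [SERVICE_SG]: serviceSg } };
// A manual workaround that is too wide: the whole VPC range instead of the ALB's group.
const wideWorkaround: CfnTemplate = { Resources: {
  [SERVICE_SG]: serviceSg,
  manualIngress: albRule({ CidrIp: '10.0.0.0/16' }),
} };

const ALB = { exportName: ALB_SG_EXPORT };
for (const [name, tpl] of Object.entries({ withForward, withCognito, wideWorkaround })) {
  console.log(name, checkAlbToServiceIngress(tpl, SERVICE_SG, 80, ALB));
}
```

Feeding it a real `cdk.out/<stack>.template.json` means `JSON.parse` of the file and the service SG's logical ID plus the ALB export name from the template; the check fails closed on both the missing rule from this issue and a CIDR-based workaround, and passes only the exact ALB-group-to-service-group rule on the target port.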