(elbv2): cyclic dependency on TLS network load balancer listener #15328

Closed
fschaeffler opened this issue Jun 28, 2021 · 3 comments
Labels

  • @aws-cdk/aws-elasticloadbalancingv2 (Related to Amazon Elastic Load Balancing V2)
  • bug (This issue is a bug.)
  • closed-for-staleness (This issue was automatically closed because it hadn't received any attention in a while.)
  • effort/small (Small work item – less than a day of effort)
  • p1

Comments

@fschaeffler

We have two different stacks. The resources between the two stacks are as follows.

Stack A

  • Application Load Balancer
  • Application Load Balancer Default Listener
  • Network Load Balancer
  • Network Load Balancer Listener

Stack B

  • Application Load Balancer Target Group
  • Network Load Balancer Target Group

Stack A: source code - working

import * as ec2 from '@aws-cdk/aws-ec2'
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2'
import { ApplicationProtocol, ListenerAction, NetworkTargetGroup, TargetType } from '@aws-cdk/aws-elasticloadbalancingv2'

// `certificate` is an acm.Certificate created elsewhere in this stack

const vpc = new ec2.Vpc(this, 'VPC', {
    natGateways: 2,
    subnetConfiguration: [
        {
            name: 'Public',
            subnetType: ec2.SubnetType.PUBLIC
        },
        {
            name: 'Private',
            subnetType: ec2.SubnetType.PRIVATE
        }
    ]
})

const alb = new elbv2.ApplicationLoadBalancer(
    this,
    'ALB',
    { vpc, internetFacing: true }
)

const nlb = new elbv2.NetworkLoadBalancer(
    this,
    'NLB',
    { vpc, internetFacing: true }
)

// HTTPS listener on the ALB; the same `certificate` object works here
const albDefaultListener = alb.addListener('ALBDefaultListener', {
    protocol: ApplicationProtocol.HTTPS,
    certificates: [certificate],
    defaultAction: ListenerAction.fixedResponse(200)
})

const nlbTargetGroup = new NetworkTargetGroup(this, 'NLBTargetGroup', {
    port: 80,
    vpc,
    targetType: TargetType.IP
})

// Plain TCP listener on the NLB (no TLS): this variant deploys fine
const nlbDefaultListener = nlb.addListener('NLBDefaultListener', {
    port: 8443,
    defaultTargetGroups: [nlbTargetGroup]
})

Stack B: source code

import { ApplicationProtocol, ListenerCondition, Protocol } from '@aws-cdk/aws-elasticloadbalancingv2'

// `albDefaultListener` and `nlbDefaultListener` are cross-stack references to the
// Stack A listeners; `service` is the ECS service defined in this stack

albDefaultListener.addTargets('ALBTarget', {
    protocol: ApplicationProtocol.HTTP,
    conditions: [
        ListenerCondition.hostHeaders([`${app}${domainTag}.*`])
    ],
    priority: 1,
    targets: [
        service.loadBalancerTarget({
            containerName: 'Container'
        })
    ]
})

nlbDefaultListener.addTargets('NLBTarget', {
    port: 80,
    protocol: Protocol.TCP,
    targets: [
        service.loadBalancerTarget({
            containerName: 'Container'
        })
    ]
})

The issue that I'm facing is that if I want to use SSL/TLS on the load balancer listener, I'm running into dependency issues. It seems that there must be some small difference in how the application load balancer does it, because there it's already working.

Stack A: source code - failing

// Plain TCP variant (works):
// const nlbDefaultListener = nlb.addListener('NLBDefaultListener', {
//     port: 8443,
//     defaultTargetGroups: [nlbTargetGroup]
// })

// TLS variant with the same acm.Certificate object (fails with the error below)
const nlbDefaultListener = nlb.addListener('NLBDefaultListener', {
    port: 8443,
    defaultTargetGroups: [nlbTargetGroup],
    protocol: Protocol.TLS,
    certificates: [certificate]
})

Error message

Error: Resolution error: Resolution error: Unable to resolve object tree with circular reference. Path: /Resources/${Token[AppServerStageDev.NLB.AppServerStageDevNLBListenerAPIServer.Resource.LogicalID.209]}/Properties/certificates/0/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host..
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:63:15)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
Subprocess exited with error 1

AWS CDK versions & dependencies

The Node.js version used is 14.17.1.

"@aws-cdk/aws-certificatemanager": "1.110.0",
"@aws-cdk/aws-ec2": "1.110.0",
"@aws-cdk/aws-ecs": "1.110.0",
"@aws-cdk/aws-ecs-patterns": "1.110.0",
"@aws-cdk/aws-elasticloadbalancingv2": "1.110.0",
"@aws-cdk/aws-route53": "1.110.0",
"@aws-cdk/aws-route53-targets": "1.110.0",
"@aws-cdk/core": "1.110.0",
"aws-cdk": "1.110.0"
@fschaeffler fschaeffler added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jun 28, 2021
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Jun 28, 2021
@fschaeffler

Both the ALB and NLB addListener methods take certificates as a parameter of type IListenerCertificate[]. However, the issue comes from how the certificate(s) are defined.

For the examples below, the instance of certificate is of the type acm.Certificate.

not working

  • ✔️ ALB.addListener with { certificates: [certificate] }
  • ✖️ NLB.addListener with { certificates: [certificate] }

working

  • ✔️ ALB.addListener with { certificates: [certificate] }
  • ✔️ NLB.addListener with { certificates: [{ certificateArn: certificate.certificateArn }] }

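A simplified model, added here and not CDK's own code, of why the NLB listener hit the circular reference while the `{ certificateArn }` form (and the ALB listener) did not: a construct object carries a `node.host` back-reference, so handing the construct itself to the template property bag gives the resolver a cyclic graph, whereas the ARN projection is a plain value. The resolver and construct shapes below are assumptions for illustration, not the CDK API, and the ARN is a constructed placeholder.

```typescript
// Simplified model of token resolution, added for this issue; an assumption, not CDK's
// resolver or construct API. A construct's `node.host` points back at the construct, so
// dropping the construct itself into the CloudFormation property bag gives the resolver
// a cyclic graph, revisited through `node/host` as in the reported error path.
interface ConstructNode { host: Construct; path: string }
interface Construct { node: ConstructNode }
// Stand-in for an acm.Certificate: a construct that also exposes certificateArn.
interface Certificate extends Construct { certificateArn: string }

function makeCertificate(path: string, arn: string): Certificate {
  const cert = { certificateArn: arn } as Certificate;
  cert.node = { host: cert, path }; // the back-reference that closes the cycle
  return cert;
}

// Walk a property tree the way a template resolver would, failing on a cycle.
function resolve(value: unknown, path: string[] = [], ancestors = new Set<object>()): unknown {
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) {
    throw new Error(`Unable to resolve object tree with circular reference. Path: /${path.join('/')}`);
  }
  ancestors.add(value);
  let out: unknown;
  if (Array.isArray(value)) {
    out = value.map((v, i) => resolve(v, [...path, String(i)], ancestors));
  } else {
    const obj: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      obj[k] = resolve(v, [...path, k], ancestors);
    }
    out = obj;
  }
  ancestors.delete(value);
  return out;
}

// Failing shape: the whole certificate construct lands in the listener properties.
function failingListenerProps(cert: Certificate): unknown {
  return resolve({ Properties: { certificates: [cert] } });
}

// Working shape, what ApplicationListener and the workaround do: only the ARN goes in.
function workingListenerProps(cert: Certificate): unknown {
  return resolve({ Properties: { certificates: [{ certificateArn: cert.certificateArn }] } });
}

// Constructed sample value; the ARN is a placeholder, not from the issue.
const sampleCert = makeCertificate('StackA/Certificate', 'arn:aws:acm:eu-west-1:111111111111:certificate/PLACEHOLDER');
```

Calling `failingListenerProps(sampleCert)` throws with the path `/Properties/certificates/0/node/host`, the same prefix as the reported error, while `workingListenerProps(sampleCert)` resolves to a template fragment containing only the ARN string.
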
@njlynch njlynch added effort/small Small work item – less than a day of effort p1 and removed needs-triage This issue or PR still needs to be triaged. labels Jul 5, 2021
@njlynch njlynch removed their assignment Jul 5, 2021
@abonstu

abonstu commented Sep 15, 2021

Man this was doing my head in! Nice catch and well described 👍

@corymhall corymhall self-assigned this Mar 8, 2022
mergify bot pushed a commit that referenced this issue Mar 31, 2022
This PR does a couple of things to update the NetworkListener to be on
par with ApplicationListener.

1. Add a NetworkListenerCertificate construct that allows you to
   associate multiple certificates with a listener.
2. Add an `addCertificates` method to `NetworkListener` similar to the
   same method on the `ApplicationListener`.

This is needed because even though the `certificates` property on a
`Listener` is an array, it expects only one certificate. To add more than
one you have to create an
`AWS::ElasticLoadBalancingV2::ListenerCertificate`. This functionality
was added to `ApplicationListener` via #13490.

fixes #8918, #15328

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
StevePotter pushed a commit to StevePotter/aws-cdk that referenced this issue Apr 27, 2022
@corymhall corymhall removed their assignment May 24, 2022
@github-actions

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 24, 2023