
aws-elasticloadbalancingv2: false warning about not being able to register listener on imported target group #31103

Open · robert-hanuschke opened this issue Aug 14, 2024 · 1 comment
Labels: @aws-cdk/aws-elasticloadbalancingv2 (Related to Amazon Elastic Load Balancing V2), bug (This issue is a bug), effort/small (Small work item – less than a day of effort), p3

Comments

robert-hanuschke commented Aug 14, 2024

Describe the bug

When importing an application load balancer and a target group from another stack and registering a new listener on it using addListener, there is a warning printed during cdk deploy stating that registering the listener is not possible.

Deployment finishes successfully and the listener is registered on the load balancer pointing to the target group though.

Was there possibly a fix implemented but the warning not removed?

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

No warning after cdk deploy, as the task is executed contrary to what is stated.

Current Behavior

% cdk deploy --all
[Warning at /IssueListenerStack/target-group] Cannot register listener on imported target group -- security groups might need to be updated manually [ack: @aws-cdk/aws-elbv2:albTargetGroupCannotRegisterListener]

Reproduction Steps

ALB & target group stack:

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import { CfnOutput } from "aws-cdk-lib";

import * as ec2 from "aws-cdk-lib/aws-ec2";
import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";

export class IssueAlbStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const vpc = new ec2.Vpc(this, "vpc", {
      ipAddresses: ec2.IpAddresses.cidr("10.55.0.0/16"),
      maxAzs: 2,
      natGateways: 0,
      subnetConfiguration: [
        {
          cidrMask: 24,
          name: "private",
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        },
      ],
    });

    const albSecurityGroup = new ec2.SecurityGroup(this, "alb-security-group", {
      vpc,
      allowAllOutbound: true,
    });

    const applicationLoadBalancer = new elbv2.ApplicationLoadBalancer(
      this,
      "internal-alb",
      {
        vpc,
        internetFacing: false,
        vpcSubnets: vpc.selectSubnets({
          subnetType: ec2.SubnetType.PRIVATE_ISOLATED,
        }),
        securityGroup: albSecurityGroup,
      }
    );

    applicationLoadBalancer.addListener("http-listener", {
      port: 80,
      protocol: elbv2.ApplicationProtocol.HTTP,
      defaultAction: elbv2.ListenerAction.fixedResponse(404, {
        contentType: "text/plain",
        messageBody: "Not Found",
      }),
    });
    new CfnOutput(this, "alb-arn", {
      value: applicationLoadBalancer.loadBalancerArn,
      exportName: `${this.stackName}-alb-arn`,
    });
    new CfnOutput(this, "alb-security-group-id", {
      value: albSecurityGroup.securityGroupId,
      exportName: `${this.stackName}-alb-security-group-id`,
    });
    new CfnOutput(this, "alb-hosted-zone-id", {
      value: applicationLoadBalancer.loadBalancerCanonicalHostedZoneId,
      exportName: `${this.stackName}-alb-hosted-zone-id`,
    });
    new CfnOutput(this, "alb-dns-name", {
      value: applicationLoadBalancer.loadBalancerDnsName,
      exportName: `${this.stackName}-alb-dns-name`,
    });

    const targetGroup = new elbv2.ApplicationTargetGroup(
      this,
      "s3-target-group",
      {
        targetType: elbv2.TargetType.IP,
        protocol: elbv2.ApplicationProtocol.HTTP,
        port: 443,
        vpc: vpc,
        healthCheck: {
          path: "/",
          healthyHttpCodes: "200,307,405",
          port: "80",
          protocol: elbv2.Protocol.HTTP,
        },
      }
    );
    new CfnOutput(this, "target-group-arn", {
      value: targetGroup.targetGroupArn,
      exportName: `${this.stackName}-target-group-arn`,
    });
  }
}

Listener stack:

import * as cdk from "aws-cdk-lib";
import { Construct } from "constructs";
import * as elbv2 from "aws-cdk-lib/aws-elasticloadbalancingv2";
import { Fn } from "aws-cdk-lib";

export class IssueListenerStack extends cdk.Stack {
  constructor(
    scope: Construct,
    id: string,
    { albStackName }: { albStackName: string },
    props?: cdk.StackProps
  ) {
    super(scope, id, props);

    const applicationLoadBalancer =
      elbv2.ApplicationLoadBalancer.fromApplicationLoadBalancerAttributes(
        this,
        `alb`,
        {
          loadBalancerArn: Fn.importValue(`${albStackName}-alb-arn`),
          securityGroupId: Fn.importValue(
            `${albStackName}-alb-security-group-id`
          ),
          loadBalancerCanonicalHostedZoneId: Fn.importValue(
            `${albStackName}-alb-hosted-zone-id`
          ),
          loadBalancerDnsName: Fn.importValue(`${albStackName}-alb-dns-name`),
        }
      );
    // Imported by ARN only: CDK knows nothing about the targets behind it, so it
    // cannot wire security groups for them. This is the construct path
    // (/IssueListenerStack/target-group) the warning is reported at.
    const targetGroup = elbv2.ApplicationTargetGroup.fromTargetGroupAttributes(
      this,
      `target-group`,
      {
        targetGroupArn: Fn.importValue(`${albStackName}-target-group-arn`),
      }
    );

    // The listener itself is still created on the imported ALB; the deploy diff
    // shows the TCP 443 ingress being added to the imported ALB security group.
    const listener = applicationLoadBalancer.addListener(`listener`, {
      port: 443,
      protocol: elbv2.ApplicationProtocol.HTTP,
      defaultTargetGroups: [targetGroup],
    });
    listener.addAction("redirect", {
      action: elbv2.ListenerAction.redirect({
        port: "#{port}",
        protocol: "HTTP",
        host: "#{host}",
        path: "/#{path}index.html",
        query: "#{query}",
        permanent: true,
      }),
      conditions: [
        elbv2.ListenerCondition.hostHeaders([`test.example.org`]),
        elbv2.ListenerCondition.pathPatterns(["*/"]),
      ],
      priority: 3,
    });
    listener.addAction("static", {
      action: elbv2.ListenerAction.forward([targetGroup]),
      conditions: [elbv2.ListenerCondition.hostHeaders([`test.example.org`])],
      priority: 4,
    });
  }
}

Stack instantiation in bin/, using albStackName as a parameter for the listener stack so Fn.importValue works (make sure to fill in your region and account):

#!/usr/bin/env node
import * as cdk from "aws-cdk-lib";
// Adjust these paths to wherever the two stack files live in your project.
import { IssueAlbStack } from "../lib/issue-alb-stack";
import { IssueListenerStack } from "../lib/issue-listener-stack";

const app = new cdk.App();

const issueAlbStack = new IssueAlbStack(app, "IssueAlbStack", {
  env: {
    region: "<region>",
    account: "<accountId>",
  },
});

const issueListenerStack = new IssueListenerStack(app, "IssueListenerStack", {
  albStackName: issueAlbStack.stackName,
}, {
  env: {
    region: "<region>",
    account: "<accountId>",
  },
});
// Explicit dependency so the exports exist before Fn.importValue is resolved.
issueListenerStack.addDependency(issueAlbStack);

Possible Solution

Remove warning if no longer relevant

Additional Information/Context

No response

CDK CLI Version

2.151.0 (build b8289e2)

Framework Version

2.151.0

Node.js Version

v20.11.0

OS

macOS 14.5

Language

TypeScript

Language Version

TypeScript (5.5.4)

Other information

No response

@robert-hanuschke robert-hanuschke added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 14, 2024
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Aug 14, 2024
@ashishdhingra ashishdhingra self-assigned this Aug 14, 2024
@ashishdhingra ashishdhingra added needs-reproduction This issue needs reproduction. p3 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 14, 2024
ashishdhingra (Contributor) commented:

Reproducible using customer-provided code.
Below is output of cdk deploy --all:

[Warning at /IssueListenerStack/target-group] Cannot register listener on imported target group -- security groups might need to be updated manually [ack: @aws-cdk/aws-elbv2:albTargetGroupCannotRegisterListener]

✨  Synthesis time: 4.18s

IssueAlbStack:  start: Building 2046c0298e6e2188090192a5ab1d0538c4725a02cfe85445c6a7d3688ef6d967:<<account-id-redacted>>-us-east-2
IssueAlbStack:  success: Built 2046c0298e6e2188090192a5ab1d0538c4725a02cfe85445c6a7d3688ef6d967:<<account-id-redacted>>-us-east-2
IssueListenerStack:  start: Building 7a8a555d37f039a14d5104cb4b72a4218d7bd1be0d0cf54e7195514fad45e0d9:<<account-id-redacted>>-us-east-2
IssueListenerStack:  success: Built 7a8a555d37f039a14d5104cb4b72a4218d7bd1be0d0cf54e7195514fad45e0d9:<<account-id-redacted>>-us-east-2
IssueAlbStack:  start: Publishing 2046c0298e6e2188090192a5ab1d0538c4725a02cfe85445c6a7d3688ef6d967:<<account-id-redacted>>-us-east-2
IssueAlbStack:  success: Published 2046c0298e6e2188090192a5ab1d0538c4725a02cfe85445c6a7d3688ef6d967:<<account-id-redacted>>-us-east-2
IssueAlbStack
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬──────────────────────────────┬────────┬──────────────────────────────┬───────────────────────────────┬───────────┐
│   │ Resource                     │ Effect │ Action                       │ Principal                     │ Condition │
├───┼──────────────────────────────┼────────┼──────────────────────────────┼───────────────────────────────┼───────────┤
│ + │ ${Custom::VpcRestrictDefault │ Allow  │ sts:AssumeRole               │ Service:lambda.amazonaws.com  │           │
│   │ SGCustomResourceProvider/Rol │        │                              │                               │           │
│   │ e.Arn}                       │        │                              │                               │           │
├───┼──────────────────────────────┼────────┼──────────────────────────────┼───────────────────────────────┼───────────┤
│ + │ arn:aws:ec2:us-east-2:<<acco │ Allow  │ ec2:AuthorizeSecurityGroupEg │ AWS:${Custom::VpcRestrictDefa │           │
│   │ unt-id-redacted>>:security-g │        │ ress                         │ ultSGCustomResourceProvider/R │           │
│   │ roup/${vpc.DefaultSecurityGr │        │ ec2:AuthorizeSecurityGroupIn │ ole}                          │           │
│   │ oup}                         │        │ gress                        │                               │           │
│   │                              │        │ ec2:RevokeSecurityGroupEgres │                               │           │
│   │                              │        │ s                            │                               │           │
│   │                              │        │ ec2:RevokeSecurityGroupIngre │                               │           │
│   │                              │        │ ss                           │                               │           │
└───┴──────────────────────────────┴────────┴──────────────────────────────┴───────────────────────────────┴───────────┘
IAM Policy Changes
┌───┬────────────────────────────────────────────────────────┬─────────────────────────────────────────────────────────┐
│   │ Resource                                               │ Managed Policy ARN                                      │
├───┼────────────────────────────────────────────────────────┼─────────────────────────────────────────────────────────┤
│ + │ ${Custom::VpcRestrictDefaultSGCustomResourceProvider/R │ {"Fn::Sub":"arn:${AWS::Partition}:iam::aws:policy/servi │
│   │ ole}                                                   │ ce-role/AWSLambdaBasicExecutionRole"}                   │
└───┴────────────────────────────────────────────────────────┴─────────────────────────────────────────────────────────┘
Security Group Changes
┌───┬───────────────────────────────┬─────┬────────────┬─────────────────┐
│   │ Group                         │ Dir │ Protocol   │ Peer            │
├───┼───────────────────────────────┼─────┼────────────┼─────────────────┤
│ + │ ${alb-security-group.GroupId} │ In  │ TCP 80     │ Everyone (IPv4) │
│ + │ ${alb-security-group.GroupId} │ Out │ Everything │ Everyone (IPv4) │
└───┴───────────────────────────────┴─────┴────────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
IssueAlbStack: deploying... [1/2]
IssueAlbStack: creating CloudFormation changeset...

 ✅  IssueAlbStack

✨  Deployment time: 191.63s

Outputs:
IssueAlbStack.albarn = arn:aws:elasticloadbalancing:us-east-2:<<account-id-redacted>>:loadbalancer/app/IssueA-inter-8u8jFwGwA7Wg/361706860d860004
IssueAlbStack.albdnsname = internal-IssueA-inter-8u8jFwGwA7Wg-694836157.us-east-2.elb.amazonaws.com
IssueAlbStack.albhostedzoneid = Z3AADJGX6KTTL2
IssueAlbStack.albsecuritygroupid = sg-0c33b3fffa4ddf68c
IssueAlbStack.targetgrouparn = arn:aws:elasticloadbalancing:us-east-2:<<account-id-redacted>>:targetgroup/IssueA-s3tar-DQNOLDB7PPTT/bc6fd9a469effac9
Stack ARN:
arn:aws:cloudformation:us-east-2:<<account-id-redacted>>:stack/IssueAlbStack/658dd970-5b49-11ef-897a-06cb59586075

✨  Total time: 195.82s

IssueListenerStack:  start: Publishing 7a8a555d37f039a14d5104cb4b72a4218d7bd1be0d0cf54e7195514fad45e0d9:<<account-id-redacted>>-us-east-2
IssueListenerStack:  success: Published 7a8a555d37f039a14d5104cb4b72a4218d7bd1be0d0cf54e7195514fad45e0d9:<<account-id-redacted>>-us-east-2
IssueListenerStack
This deployment will make potentially sensitive changes according to your current security approval level (--require-approval broadening).
Please confirm you intend to make the following modifications:

Security Group Changes
┌───┬───────────────────────────────────────────────────────────┬─────┬──────────┬─────────────────┐
│   │ Group                                                     │ Dir │ Protocol │ Peer            │
├───┼───────────────────────────────────────────────────────────┼─────┼──────────┼─────────────────┤
│ + │ {"Fn::ImportValue":"IssueAlbStack-alb-security-group-id"} │ In  │ TCP 443  │ Everyone (IPv4) │
└───┴───────────────────────────────────────────────────────────┴─────┴──────────┴─────────────────┘
(NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)

Do you wish to deploy these changes (y/n)? y
IssueListenerStack: deploying... [2/2]
IssueListenerStack: creating CloudFormation changeset...

 ✅  IssueListenerStack

✨  Deployment time: 19.02s

Stack ARN:
arn:aws:cloudformation:us-east-2:<<account-id-redacted>>:stack/IssueListenerStack/e55be5c0-5b49-11ef-8b6d-028590b2ac95

✨  Total time: 23.21s
[Screenshot 2024-08-15 at 2:07:46 PM]

Warning is raised here in code. This needs to be revisited.

@ashishdhingra ashishdhingra added effort/small Small work item – less than a day of effort and removed needs-reproduction This issue needs reproduction. labels Aug 15, 2024
@ashishdhingra ashishdhingra removed their assignment Aug 15, 2024
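The warning in this thread is not about the listener failing to register. When a target group is created in the same stack and targets are added to it, CDK normally adds an ingress rule from the ALB security group to the targets' security group on the target port; for a target group imported by ARN it cannot see the targets, so it skips that wiring and warns. The listener deploys fine (the diff above shows only the TCP 443 rule on the ALB's own group), but traffic from the ALB to the targets may still be blocked. What follows is an added example, not code from the aws-cdk repository or from either commenter: a dependency-free TypeScript check you can run over the templates in cdk.out (parse each *.template.json into the CfnTemplate shape) to confirm the ALB-to-targets rule is present. The sample templates, the target security group and the IssueAlbStack-target-security-group-id export are constructed for the example; the repro stacks above export no target security group.

```typescript
// Added example for this issue thread, not code from the aws-cdk project.
// Scans synthesized CloudFormation templates for the rule the
// albTargetGroupCannotRegisterListener warning says CDK could not add:
// ingress from the ALB security group to the targets' security group on
// every target-group port. Sample templates below are constructed by hand.

type CfnResource = { Type: string; Properties?: Record<string, any> };
export type CfnTemplate = { Resources?: Record<string, CfnResource> };

interface IngressRule {
  groupId: string;        // security group the rule is attached to
  sourceGroupId?: string; // peer security group, when the rule is SG-sourced
  fromPort: number;
  toPort: number;
}

/** Reduce a literal, {Ref}, {Fn::GetAtt} or {Fn::ImportValue} to a comparable string. */
function identity(v: unknown): string | undefined {
  if (typeof v === "string") return v;
  if (v && typeof v === "object") {
    const o = v as Record<string, any>;
    if (typeof o.Ref === "string") return o.Ref;
    if (Array.isArray(o["Fn::GetAtt"])) return String(o["Fn::GetAtt"][0]);
    if (typeof o["Fn::ImportValue"] === "string") return o["Fn::ImportValue"];
  }
  return undefined;
}

function toRule(groupId: string, p: Record<string, any>): IngressRule | undefined {
  const allTraffic = String(p.IpProtocol) === "-1"; // "-1" has no port range
  const fromPort = allTraffic ? 0 : Number(p.FromPort);
  const toPort = allTraffic ? 65535 : Number(p.ToPort);
  if (Number.isNaN(fromPort) || Number.isNaN(toPort)) return undefined;
  return { groupId, sourceGroupId: identity(p.SourceSecurityGroupId), fromPort, toPort };
}

/** Every ingress rule: inline on AWS::EC2::SecurityGroup or standalone AWS::EC2::SecurityGroupIngress. */
export function collectIngress(templates: CfnTemplate[]): IngressRule[] {
  const rules: IngressRule[] = [];
  for (const t of templates) {
    for (const [logicalId, r] of Object.entries(t.Resources ?? {})) {
      const p = r.Properties ?? {};
      if (r.Type === "AWS::EC2::SecurityGroup") {
        for (const inline of p.SecurityGroupIngress ?? []) {
          const rule = toRule(logicalId, inline);
          if (rule) rules.push(rule);
        }
      } else if (r.Type === "AWS::EC2::SecurityGroupIngress") {
        const groupId = identity(p.GroupId);
        const rule = groupId ? toRule(groupId, p) : undefined;
        if (rule) rules.push(rule);
      }
    }
  }
  return rules;
}

/** Ports of every AWS::ElasticLoadBalancingV2::TargetGroup in the templates. */
export function targetGroupPorts(templates: CfnTemplate[]): number[] {
  const ports: number[] = [];
  for (const t of templates) {
    for (const r of Object.values(t.Resources ?? {})) {
      if (r.Type !== "AWS::ElasticLoadBalancingV2::TargetGroup") continue;
      const port = Number(r.Properties?.Port);
      if (!Number.isNaN(port)) ports.push(port);
    }
  }
  return ports;
}

/**
 * Target-group ports that no rule on the targets' security group admits from the
 * ALB security group. Aliases are the forms a group takes in the templates:
 * logical id, export name or literal sg-id. An empty result means the wiring exists.
 */
export function uncoveredTargetPorts(
  templates: CfnTemplate[], albSgAliases: string[], targetSgAliases: string[],
): number[] {
  const rules = collectIngress(templates);
  return targetGroupPorts(templates).filter((port) =>
    !rules.some((r) =>
      targetSgAliases.includes(r.groupId) &&
      r.sourceGroupId !== undefined && albSgAliases.includes(r.sourceGroupId) &&
      r.fromPort <= port && port <= r.toPort));
}

// Constructed samples, trimmed to the resources that matter. The target security
// group and its export are hypothetical; the issue's stacks do not define them.
export const ALB_STACK: CfnTemplate = { Resources: {
  albsecuritygroup: { Type: "AWS::EC2::SecurityGroup", Properties: {
    SecurityGroupIngress: [{ CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 80, ToPort: 80 }] } },
  targetsecuritygroup: { Type: "AWS::EC2::SecurityGroup", Properties: {} },
  s3targetgroup: { Type: "AWS::ElasticLoadBalancingV2::TargetGroup", Properties: { Port: 443, Protocol: "HTTP" } },
} };
// What the listener stack in the issue yields: only the listener port on the ALB's own group.
export const LISTENER_STACK: CfnTemplate = { Resources: {
  alblistener443: { Type: "AWS::EC2::SecurityGroupIngress", Properties: {
    GroupId: { "Fn::ImportValue": "IssueAlbStack-alb-security-group-id" },
    CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 443, ToPort: 443 } },
} };
// Same stack after the ALB -> targets rule is added by hand (e.g. SecurityGroup.addIngressRule).
export const LISTENER_STACK_FIXED: CfnTemplate = { Resources: {
  ...(LISTENER_STACK.Resources ?? {}),
  targetsfromalb: { Type: "AWS::EC2::SecurityGroupIngress", Properties: {
    GroupId: { "Fn::ImportValue": "IssueAlbStack-target-security-group-id" },
    SourceSecurityGroupId: { "Fn::ImportValue": "IssueAlbStack-alb-security-group-id" },
    IpProtocol: "tcp", FromPort: 443, ToPort: 443 } },
} };
export const ALB_SG = ["albsecuritygroup", "IssueAlbStack-alb-security-group-id"];
export const TARGET_SG = ["targetsecuritygroup", "IssueAlbStack-target-security-group-id"];
// uncoveredTargetPorts([ALB_STACK, LISTENER_STACK], ALB_SG, TARGET_SG)       -> [443]
// uncoveredTargetPorts([ALB_STACK, LISTENER_STACK_FIXED], ALB_SG, TARGET_SG) -> []
```

If the check reports a port, add the rule in the listener stack explicitly: import the targets' group with ec2.SecurityGroup.fromSecurityGroupId and call addIngressRule(ec2.Peer.securityGroupId(albSecurityGroupId), ec2.Port.tcp(443)), then silence the now-handled warning by its id with Annotations.of(targetGroup).acknowledgeWarning("@aws-cdk/aws-elbv2:albTargetGroupCannotRegisterListener"). For a TargetType.IP group like the one in the repro, the "targets' security group" is whichever group sits in front of the registered IPs (for a VPC endpoint, the endpoint's group), not a group the target group itself owns.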