fix(elbv2): fix cross-stack use of ALB (#4111)

parisholley · rix0rrr · commit 7dfd6be78157 · 2019-09-18T15:52:50.000+02:00
Create the security group rules in the stack of the Load Balancing Target, rather than the stack of the Load Balancer itself. This is better in nearly all interesting cases, where we have long-running services that register themselves into a potentially shared ALB.
diff --git a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -535,4 +535,4 @@ export enum PropagatedTagSource {
    * Do not propagate
    */
   NONE = 'NONE'
-}
+}
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -249,7 +249,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
    * Don't call this directly. It is called by ApplicationTargetGroup.
    */
   public registerConnectable(connectable: ec2.IConnectable, portRange: ec2.Port): void {
-    this.connections.allowTo(connectable, portRange, 'Load balancer to target');
+    connectable.connections.allowFrom(this.loadBalancer, portRange, 'Load balancer to target');
   }
 
   /**
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.security-groups.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.security-groups.ts
@@ -99,6 +99,43 @@ export = {
     test.done();
   },
 
+  'ingress is added to child stack SG instead of parent stack'(test: Test) {
+    // GIVEN
+    const fixture = new TestFixture(true);
+
+    const parentGroup = new elbv2.ApplicationTargetGroup(fixture.stack, 'TargetGroup', {
+      vpc: fixture.vpc,
+      port: 8008,
+      targets: [new FakeSelfRegisteringTarget(fixture.stack, 'Target', fixture.vpc)],
+    });
+
+    // listener requires at least one rule for ParentStack to create
+    fixture.listener.addTargetGroups('Default', { targetGroups: [parentGroup] });
+
+    const childStack = new cdk.Stack(fixture.app, 'childStack');
+
+    // WHEN
+    const childGroup = new elbv2.ApplicationTargetGroup(childStack, 'TargetGroup', {
+      // We're assuming the 2nd VPC is peered to the 1st, or something.
+      vpc: fixture.vpc,
+      port: 8008,
+      targets: [new FakeSelfRegisteringTarget(childStack, 'Target', fixture.vpc)],
+    });
+
+    new elbv2.ApplicationListenerRule(childStack, 'ListenerRule', {
+      listener: fixture.listener,
+      targetGroups: [childGroup],
+      priority: 100,
+      hostHeader: 'www.foo.com'
+    });
+
+    // THEN
+    expectSameStackSGRules(fixture.stack);
+    expectedImportedSGRules(childStack);
+
+    test.done();
+  },
+
   'SG peering works on exported/imported load balancer'(test: Test) {
     // GIVEN
     const fixture = new TestFixture(false);

Original file line number	Diff line number	Diff line change
`@@ -249,7 +249,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis`
`249`	`249`	`* Don't call this directly. It is called by ApplicationTargetGroup.`
`250`	`250`	`*/`
`251`	`251`	`public registerConnectable(connectable: ec2.IConnectable, portRange: ec2.Port): void {`
`252`		`- this.connections.allowTo(connectable, portRange, 'Load balancer to target');`
	`252`	`+ connectable.connections.allowFrom(this.loadBalancer, portRange, 'Load balancer to target');`
`253`	`253`	`}`
`254`	`254`
`255`	`255`	`/**`