fix(elbv2): fix cross-stack use of ALB (#4111)

Create the security group rules in the stack of the Load Balancing Target, rather than the stack of the Load Balancer itself. This is better in nearly all interesting cases, where we have long-running services that register themselves into a potentially shared ALB.
aws · Sep 18, 2019 · 7dfd6be · 7dfd6be
1 parent 8911e7a
commit 7dfd6be
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts b/packages/@aws-cdk/aws-ecs/lib/base/base-service.ts
@@ -535,4 +535,4 @@ export enum PropagatedTagSource {
    * Do not propagate
    */
   NONE = 'NONE'
-}
+}
diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -249,7 +249,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
    * Don't call this directly. It is called by ApplicationTargetGroup.
    */
   public registerConnectable(connectable: ec2.IConnectable, portRange: ec2.Port): void {
-    this.connections.allowTo(connectable, portRange, 'Load balancer to target');
+    connectable.connections.allowFrom(this.loadBalancer, portRange, 'Load balancer to target');
   }
 
   /**

diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.security-groups.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.security-groups.ts
@@ -99,6 +99,43 @@ export = {
     test.done();
   },
 
+  'ingress is added to child stack SG instead of parent stack'(test: Test) {
+    // GIVEN
+    const fixture = new TestFixture(true);
+
+    const parentGroup = new elbv2.ApplicationTargetGroup(fixture.stack, 'TargetGroup', {
+      vpc: fixture.vpc,
+      port: 8008,
+      targets: [new FakeSelfRegisteringTarget(fixture.stack, 'Target', fixture.vpc)],
+    });
+
+    // listener requires at least one rule for ParentStack to create
+    fixture.listener.addTargetGroups('Default', { targetGroups: [parentGroup] });
+
+    const childStack = new cdk.Stack(fixture.app, 'childStack');
+
+    // WHEN
+    const childGroup = new elbv2.ApplicationTargetGroup(childStack, 'TargetGroup', {
+      // We're assuming the 2nd VPC is peered to the 1st, or something.
+      vpc: fixture.vpc,
+      port: 8008,
+      targets: [new FakeSelfRegisteringTarget(childStack, 'Target', fixture.vpc)],
+    });
+
+    new elbv2.ApplicationListenerRule(childStack, 'ListenerRule', {
+      listener: fixture.listener,
+      targetGroups: [childGroup],
+      priority: 100,
+      hostHeader: 'www.foo.com'
+    });
+
+    // THEN
+    expectSameStackSGRules(fixture.stack);
+    expectedImportedSGRules(childStack);
+
+    test.done();
+  },
+
   'SG peering works on exported/imported load balancer'(test: Test) {
     // GIVEN
     const fixture = new TestFixture(false);