-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(ecs): fargate on ALB without cyclic dependencies #4111
Conversation
Thanks so much for taking the time to contribute to the AWS CDK ❤️ We will shortly assign someone to review this pull request and help get it
|
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
This fixes your case, where you have a Shared ALB and you want to attach multiple services to it in downstream stacks. It would break the other case, where you have an existing service in a shared stack and you want to route to it from an ALB in a downstream stack. We have to do some thinking about this :x. |
@rix0rrr Ah I see, it will end up going cyclical in the other direction. what if we delayed the processing of Connectables until a later phase, then evaluate the dependency graph and choose which direction to draw them? |
@rix0rrr What if we updated the methods in Connections like these: aws-cdk/packages/@aws-cdk/aws-ec2/lib/connections.ts Lines 125 to 143 in 3d693e6
So that instead of modifying the SG's right away, we just store them locally temporarily. Then in the following method: aws-cdk/packages/@aws-cdk/core/lib/stack.ts Lines 497 to 522 in 3d693e6
We loop through all node children (recursively), and ask for those egress/ingress mappings, and depending on which way the dependency graph is built:
|
Thinking about it some more, in the case of Fargate the other case can't actually happen, because it'll always be the case that the Service points to the load balancer. And that'll be the case for most reasonable services we care about. |
I am inclined to accept this patch. If we need to support control of SGs in both directions, we will extend Could you add a test to make sure the new behavior works, so we can codify it? |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
@rix0rrr done :) |
👍 |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Create the security group rules in the stack of the Load Balancing Target, rather than the stack of the Load Balancer itself. This is better in nearly all interesting cases, where we have long-running services that register themselves into a potentially shared ALB.
Ran into the bug on #3689, I believe this is the correct solution.
When registering target groups to a listener > alb, the default behavior is to update the LB security group with outbound permissions to the item being targeted. If I understand the code correctly, this seems backwards as most LB will not likely have restrictive outbound rules. Instead, I believe most people would expect instead the security groups assigned to target (IP, instance, Lambda, etc), would have an INBOUND rule that allows access from the LB.
Not sure the implications of this change, but allowed me to create a shared LB/listener in Stack A, and then later launch Fargate services and register them with path patterns on that listener in Stack B.
cc @jgondron @rix0rrr