
Add a workaround for CloudFormation update issues #162

Merged
merged 1 commit into from
May 15, 2018

Commits on May 15, 2018

  1. Add a workaround for CloudFormation update issues

    A bug in how CloudFormation processes updates for LBs can result in
    complete misconfiguration. The AWS::ElasticLoadBalancingV2::Listener
    resource must have exactly one certificate in the CertificateArn
    property, which is then treated as the default certificate. All the rest
    are managed in a separate resource of type
    AWS::ElasticLoadBalancingV2::ListenerCertificate. Unfortunately, the
    update is not performed atomically. CloudFormation updates the Listener
    first, and only after it's done it creates a new ListenerCertificate
    resource and deletes the old one.
    
    However, if the previously default certificate swaps positions with one
    from the ListenerCertificate list, the resulting race conditions in AWS
    will result in a completely broken configuration. One of the
    certificates will be completely missing from the LB and you might or
    might not get update errors on the CF stack.
    
    Implement the workaround suggested by AWS support, which is to change
    the name of the ListenerCertificate resource instead of updating an
    existing one. To make the resource name predictable, certificate ARNs
    are now sorted and their hash is used in the resource name. A nice side
    effect is that the default certificate will always be a wildcard one
    instead of an arbitrary one.
    
    Additionally, the first certificate is now present in both Listener and
    ListenerCertificate resources. This doesn't seem to break anything, but
    will stop CloudFormation from deleting the default certificate if it
    stops being the default one.
    
    Signed-off-by: Alexey Ermakov <alexey.ermakov@zalando.de>
    aermakov-zalando committed May 15, 2018
    bf9ff06
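The following is an added example, not code from the kube-ingress-aws-controller project or from this commit, showing the template shape the commit message describes: the `AWS::ElasticLoadBalancingV2::Listener` carries exactly one entry in its `Certificates` list (the default), all ARNs including the default go into a separate `AWS::ElasticLoadBalancingV2::ListenerCertificate` resource, and that resource's logical ID is derived from a hash of the sorted ARNs so that any change to the certificate set yields a new logical ID. Because CloudFormation treats a renamed logical resource as a new one, it creates the replacement during the update and only removes the old resource in the cleanup phase, so no certificate is detached before it has been re-attached. The `sha256`-over-sorted-ARNs scheme, the `ListenerCertificate` prefix, the logical IDs `HTTPSListener`, `LoadBalancer` and `TargetGroup`, and the ACM ARNs are all assumptions constructed for this example; which certificate ends up as default depends on the sort key, and this example simply sorts the ARN strings.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"os"
	"sort"
)

// Certificate mirrors the Certificate property type shared by the
// AWS::ElasticLoadBalancingV2::Listener and ListenerCertificate resources.
type Certificate struct {
	CertificateArn string `json:"CertificateArn"`
}

// Resource is a minimal CloudFormation resource entry.
type Resource struct {
	Type       string                 `json:"Type"`
	Properties map[string]interface{} `json:"Properties"`
}

// sortedArns returns a sorted copy so the caller's slice is left untouched.
func sortedArns(arns []string) []string {
	s := append([]string(nil), arns...)
	sort.Strings(s)
	return s
}

// listenerCertificateLogicalID derives the logical resource name from the
// sorted ARN set: the same set in any order gives the same name, and any
// change to the set gives a new name, which makes CloudFormation create a
// fresh ListenerCertificate instead of updating the existing one.
// Prefix and hashing scheme are this example's choice (assumption).
func listenerCertificateLogicalID(arns []string) string {
	h := sha256.New()
	for _, a := range sortedArns(arns) {
		h.Write([]byte(a))
		h.Write([]byte{0}) // separator, so concatenated ARNs stay unambiguous
	}
	// Logical IDs must be alphanumeric; hex output satisfies that.
	return "ListenerCertificate" + hex.EncodeToString(h.Sum(nil))[:16]
}

// buildListenerResources returns the Listener (exactly one certificate, the
// default) plus one ListenerCertificate resource carrying the full set.
// The default ARN is deliberately listed in both, so that if it later stops
// being the default it is not dropped from the load balancer.
// loadBalancerRef and targetGroupRef are hypothetical logical IDs assumed
// to exist elsewhere in the template.
func buildListenerResources(loadBalancerRef, targetGroupRef string, arns []string) (map[string]Resource, error) {
	if len(arns) == 0 {
		return nil, fmt.Errorf("at least one certificate ARN is required")
	}
	sorted := sortedArns(arns)
	all := make([]Certificate, 0, len(sorted))
	for _, a := range sorted {
		all = append(all, Certificate{CertificateArn: a})
	}
	return map[string]Resource{
		"HTTPSListener": {
			Type: "AWS::ElasticLoadBalancingV2::Listener",
			Properties: map[string]interface{}{
				"LoadBalancerArn": map[string]string{"Ref": loadBalancerRef},
				"Port":            443,
				"Protocol":        "HTTPS",
				"Certificates":    []Certificate{{CertificateArn: sorted[0]}},
				"DefaultActions": []map[string]interface{}{{
					"Type":           "forward",
					"TargetGroupArn": map[string]string{"Ref": targetGroupRef},
				}},
			},
		},
		listenerCertificateLogicalID(sorted): {
			Type: "AWS::ElasticLoadBalancingV2::ListenerCertificate",
			Properties: map[string]interface{}{
				"ListenerArn":  map[string]string{"Ref": "HTTPSListener"},
				"Certificates": all,
			},
		},
	}, nil
}

func main() {
	// Constructed sample ARNs (not real certificates), given out of order to
	// show that the derived logical ID does not depend on input order.
	arns := []string{
		"arn:aws:acm:eu-central-1:123456789012:certificate/bbbbbbbb-0000-0000-0000-000000000002",
		"arn:aws:acm:eu-central-1:123456789012:certificate/aaaaaaaa-0000-0000-0000-000000000001",
	}
	res, err := buildListenerResources("LoadBalancer", "TargetGroup", arns)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, _ := json.MarshalIndent(map[string]interface{}{"Resources": res}, "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a `Resources` fragment with `HTTPSListener` and one `ListenerCertificate<hash>` entry; swapping the two ARNs in `arns` produces byte-identical output, while adding or removing an ARN changes the `ListenerCertificate` logical ID and therefore triggers create-then-delete rather than an in-place update on the next stack update.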