fix(aws-ecs-patterns): add missing redirectHTTP dependency on default ALB listener

aemada-aws · aemada-aws · commit 7b9a07baa21f · 2025-05-21T14:11:03.000+02:00
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-https.js.snapshot/aws-ecs-integ-alb-fg-https.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-ecs-patterns/test/fargate/integ.alb-fargate-service-https.js.snapshot/aws-ecs-integ-alb-fg-https.template.json
@@ -535,7 +535,8 @@
     },
     "Port": 80,
     "Protocol": "HTTP"
-   }
+   },
+   "DependsOn": ["myServiceLBPublicListenerC78AE8A0","myServiceLBPublicListenerECSGroup17E9BBC1"]
   },
   "myServiceCertificate152F9DDA": {
    "Type": "AWS::CertificateManager::Certificate",
diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts b/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/application-load-balanced-service-base.ts
@@ -14,7 +14,7 @@ import {
 import { IRole } from '../../../aws-iam';
 import { ARecord, IHostedZone, RecordTarget, CnameRecord } from '../../../aws-route53';
 import { LoadBalancerTarget } from '../../../aws-route53-targets';
-import { CfnOutput, Duration, Stack, Token, ValidationError } from '../../../core';
+import { Annotations, CfnOutput, Duration, Stack, Token, ValidationError } from '../../../core';
 
 /**
  * Describes the type of DNS record the service should create
@@ -530,17 +530,48 @@ export abstract class ApplicationLoadBalancedServiceBase extends Construct {
     if (this.certificate !== undefined) {
       this.listener.addCertificates('Arns', [ListenerCertificate.fromCertificateManager(this.certificate)]);
     }
+
     if (props.redirectHTTP) {
-      this.redirectListener = loadBalancer.addListener('PublicRedirectListener', {
-        protocol: ApplicationProtocol.HTTP,
-        port: 80,
-        open: props.openListener ?? true,
-        defaultAction: ListenerAction.redirect({
-          port: props.listenerPort?.toString() || '443',
-          protocol: ApplicationProtocol.HTTPS,
-          permanent: true,
-        }),
-      });
+      // Check if the load balancer was created by this construct
+      if (loadBalancer instanceof ApplicationLoadBalancer) {
+        // Create a new HTTP listener on port 80 that redirects to HTTPS
+        this.redirectListener = loadBalancer.addListener('PublicRedirectListener', {
+          protocol: ApplicationProtocol.HTTP,
+          port: 80,
+          open: props.openListener ?? true,
+          defaultAction: ListenerAction.redirect({
+            protocol: ApplicationProtocol.HTTPS,
+            port: props.listenerPort?.toString() || '443',
+            permanent: true,
+          }),
+        });
+
+        // Ensure the redirect listener is created after the main listener
+        this.redirectListener.node.addDependency(this.listener);
+
+        // Validate that there are no conflicting port 80 listeners during synth
+        loadBalancer.node.addValidation({
+          validate: () => {
+            const port80Listeners = loadBalancer.listeners.filter(listener =>
+              listener.port === 80,
+            );
+
+            if (port80Listeners.some(port80Listener => port80Listener !== this.redirectListener)) {
+              return [
+                'Cannot automatically configure redirectHTTP: A listener already exists on port 80.',
+              ];
+            }
+            return [];
+          },
+        });
+      } else {
+        // If the ALB was imported then we cannot reliably add the redirect action as we can't find the port 80 listener.
+        Annotations.of(this).addWarning(
+          'Cannot automatically configure port 80 HTTP redirect with redirectHTTP: ' +
+          'The construct cannot reliably determine if a port 80 listener already exists. ' +
+          'Please configure the redirect manually on the port 80 listener.',
+        );
+      }
     }
 
     let domainName = loadBalancer.loadBalancerDnsName;
diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts b/packages/aws-cdk-lib/aws-ecs-patterns/test/fargate/load-balanced-fargate-service.test.ts
@@ -1,11 +1,11 @@
-import { Match, Template } from '../../../assertions';
+import { Annotations, Match, Template } from '../../../assertions';
 import { AutoScalingGroup } from '../../../aws-autoscaling';
 import { Certificate, CertificateValidation } from '../../../aws-certificatemanager';
 import * as ec2 from '../../../aws-ec2';
 import { MachineImage } from '../../../aws-ec2';
 import * as ecs from '../../../aws-ecs';
 import { AsgCapacityProvider } from '../../../aws-ecs';
-import { ApplicationLoadBalancer, ApplicationProtocol, NetworkLoadBalancer, SslPolicy } from '../../../aws-elasticloadbalancingv2';
+import { ApplicationLoadBalancer, ApplicationProtocol, ListenerAction, NetworkLoadBalancer, SslPolicy } from '../../../aws-elasticloadbalancingv2';
 import * as iam from '../../../aws-iam';
 import * as route53 from '../../../aws-route53';
 import * as cloudmap from '../../../aws-servicediscovery';
@@ -1111,6 +1111,150 @@ describe('ApplicationLoadBalancedFargateService', () => {
     });
   });
 
+  test('creates a separate redirect listener when listenerPort is not 80', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    const zone = new route53.PublicHostedZone(stack, 'HostedZone', { zoneName: 'example.com' });
+
+    // WHEN
+    const service = new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      domainName: 'api.example.com',
+      domainZone: zone,
+      protocol: ApplicationProtocol.HTTPS,
+      redirectHTTP: true,
+      listenerPort: 8443,
+    });
+
+    // THEN
+    // Verify that we have two listeners - one for HTTPS and one for HTTP redirect
+    Template.fromStack(stack).resourceCountIs('AWS::ElasticLoadBalancingV2::Listener', 2);
+
+    // Verify the HTTPS listener is on port 8443
+    Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+      Port: 8443,
+      Protocol: 'HTTPS',
+    });
+
+    // Verify the HTTP redirect listener is on port 80
+    Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+      Port: 80,
+      Protocol: 'HTTP',
+      DefaultActions: [
+        Match.objectLike({
+          Type: 'redirect',
+          RedirectConfig: {
+            Protocol: 'HTTPS',
+            Port: '8443',
+            StatusCode: 'HTTP_301',
+          },
+        }),
+      ],
+    });
+
+    // Verify the dependency between listeners
+    expect(service.redirectListener?.node.dependencies[0]).toBe(service.listener);
+  });
+
+  test('throws error when trying to use redirectHTTP with listener on port 80', () => {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app);
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    const zone = new route53.PublicHostedZone(stack, 'HostedZone', { zoneName: 'example.com' });
+
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      domainName: 'api.example.com',
+      domainZone: zone,
+      protocol: ApplicationProtocol.HTTPS,
+      redirectHTTP: true,
+      listenerPort: 80,
+    });
+
+    // THEN
+    expect(() => {
+      app.synth();
+    }).toThrow('Validation failed with the following errors:\n  [Default/Service/LB] Cannot automatically configure redirectHTTP: A listener already exists on port 80.');
+  });
+
+  test('adds validation for existing port 80 listeners not owned by the construct', () => {
+    // GIVEN
+    const app = new cdk.App();
+    const stack = new cdk.Stack(app);
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    const zone = new route53.PublicHostedZone(stack, 'HostedZone', { zoneName: 'example.com' });
+
+    // Create a load balancer with an existing port 80 listener
+    const lb = new ApplicationLoadBalancer(stack, 'ALB', { vpc, internetFacing: true });
+    lb.addListener('ExistingPort80Listener', {
+      port: 80,
+      protocol: ApplicationProtocol.HTTP,
+      defaultAction: ListenerAction.redirect({ port: '1000' }),
+    });
+
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      domainName: 'api.example.com',
+      domainZone: zone,
+      protocol: ApplicationProtocol.HTTPS,
+      redirectHTTP: true,
+      loadBalancer: lb,
+    });
+    // THEN
+    expect(() => {
+      app.synth();
+    }).toThrow('Validation failed with the following errors:\n  [Default/ALB] Cannot automatically configure redirectHTTP: A listener already exists on port 80.');
+  });
+
+  test('adds warning for imported load balancers', () => {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'VPC');
+    const cluster = new ecs.Cluster(stack, 'Cluster', { vpc });
+    const zone = new route53.PublicHostedZone(stack, 'HostedZone', { zoneName: 'example.com' });
+
+    // Create an imported load balancer
+    const importedLb = ApplicationLoadBalancer.fromApplicationLoadBalancerAttributes(stack, 'ImportedALB', {
+      loadBalancerArn: 'arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/my-load-balancer/50dc6c495c0c9188',
+      securityGroupId: 'sg-123456789',
+      loadBalancerDnsName: 'my-load-balancer-1234567890.us-west-2.elb.amazonaws.com',
+      loadBalancerCanonicalHostedZoneId: 'some-hosted-zone',
+      vpc,
+    });
+
+    // WHEN
+    new ecsPatterns.ApplicationLoadBalancedFargateService(stack, 'Service', {
+      cluster,
+      taskImageOptions: {
+        image: ecs.ContainerImage.fromRegistry('test'),
+      },
+      domainName: 'api.example.com',
+      domainZone: zone,
+      protocol: ApplicationProtocol.HTTPS,
+      redirectHTTP: true,
+      loadBalancer: importedLb,
+    });
+
+    // THEN
+    // Verify that a warning is added
+    const annotations = Annotations.fromStack(stack);
+    annotations.hasWarning('/Default/Service', 'Cannot automatically configure port 80 HTTP redirect with redirectHTTP: The construct cannot reliably determine if a port 80 listener already exists. Please configure the redirect manually on the port 80 listener.');
+  });
+
   test('errors when setting HTTPS protocol but not domain name', () => {
     // GIVEN
     const stack = new cdk.Stack();
