
(aws_elasticloadbalancingv2): TargetGroupListenerAction.bind not called when chained with another ListenerAction #18944

Open
franswah opened this issue Feb 11, 2022 · 3 comments
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. p2

Comments


franswah commented Feb 11, 2022

What is the problem?

I am trying to add a default action to my Application Listener which uses OIDC authentication before forwarding to a target group. This is the code snippet copied exactly from the CDK documentation:

```typescript
// Imports needed to compile the snippet as written (CDK v1 package names,
// matching the CDK CLI version 1.139.0 reported below)
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
import { SecretValue } from '@aws-cdk/core';

declare const listener: elbv2.ApplicationListener;
declare const myTargetGroup: elbv2.ApplicationTargetGroup;

listener.addAction('DefaultAction', {
  action: elbv2.ListenerAction.authenticateOidc({
    authorizationEndpoint: 'https://example.com/openid',
    // Other OIDC properties here
    clientId: '...',
    clientSecret: SecretValue.secretsManager('...'),
    issuer: '...',
    tokenEndpoint: '...',
    userInfoEndpoint: '...',

    // Next: the forward action is only reachable through the OIDC action's `next`
    next: elbv2.ListenerAction.forward([myTargetGroup]),
  }),
});
```

However, since addAction is not called directly with the TargetGroupListenerAction, the listener never calls bind on the Forward action, and so the target group is not registered with the listener.

bind is only called on the action directly passed to addAction, and the OIDC Listener Action has the default no-op bind implementation without calling bind on the "next" action.

This doesn't seem to be a problem for deploying the application listener with the expected set of actions. However, if I want to reference this target group elsewhere in my CDK, for example to create a dashboard with metrics, CDK throws an error due to no listener being registered with the target group.

Reproduction Steps

Follow example for creating OIDC default action chained with a forward action https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-target-group.ts#L242.

Call myTargetGroup.metric(...) after doing so.

What did you expect to happen?

Target group is registered with the Application Listener and I can use the TargetGroup.metric convenience method.

What actually happened?

TargetGroup.metric throws an error stating it is not bound to an application load balancer/listener.

CDK CLI Version

1.139.0

Framework Version

No response

Node.js Version

12.19.0

OS

macOS

Language

Typescript

Language Version

No response

Other information

No response
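The mechanism the report describes, as an added illustration that is not CDK code and not part of the original issue: a reduced model in which a listener binds only the action it is handed, the authentication action inherits a no-op `bind`, and the `forward` action hanging off `next` therefore never registers the target group. The class and method names (`TargetGroup`, `ListenerAction`, `ForwardAction`, `AuthenticateOidcActionBuggy`, `AuthenticateOidcActionFixed`, `addAction`, `metricAfterChain`) are hypothetical stand-ins chosen to mirror the concepts in the issue, not the `@aws-cdk/aws-elasticloadbalancingv2` API. The corrected variant shows the one change that closes the gap: `bind` forwarding to the chained action.

```typescript
// Hypothetical model of ALB listener action binding (added example, not CDK code).

interface Listener { id: string; }

class TargetGroup {
  // Listeners that have bound a forward action to this target group.
  readonly listeners: Listener[] = [];
  constructor(readonly name: string) {}

  // Mirrors the reported TargetGroup.metric() behaviour: it is only usable
  // once some listener has registered itself with the target group.
  metric(metricName: string): string {
    if (this.listeners.length === 0) {
      throw new Error(`${this.name}: no listener registered; bind a forward action first`);
    }
    return `${metricName} on ${this.listeners[0].id}/${this.name}`;
  }
}

abstract class ListenerAction {
  constructor(readonly next?: ListenerAction) {}
  // Default no-op bind, which is what the OIDC action inherits in the report.
  bind(_listener: Listener): void {}
}

class ForwardAction extends ListenerAction {
  constructor(readonly targetGroups: TargetGroup[], next?: ListenerAction) {
    super(next);
  }
  // Binding a forward action is what registers the listener with each target group.
  bind(listener: Listener): void {
    for (const tg of this.targetGroups) {
      tg.listeners.push(listener);
    }
  }
}

// Reported behaviour: inherits the no-op bind, so `next` is never bound.
class AuthenticateOidcActionBuggy extends ListenerAction {}

// Corrected variant: bind delegates to whatever action follows in the chain.
class AuthenticateOidcActionFixed extends ListenerAction {
  bind(listener: Listener): void {
    this.next?.bind(listener);
  }
}

// The listener binds only the action it is handed directly, as the issue describes;
// anything reachable only through `next` depends on that action delegating.
function addAction(listener: Listener, action: ListenerAction): void {
  action.bind(listener);
}

// Builds listener -> OIDC action -> forward(targetGroup), then asks the target
// group for a metric. Returns the metric label on success or the thrown Error.
function metricAfterChain(useFixedAction: boolean): string | Error {
  const listener: Listener = { id: 'listener-1' };        // constructed sample
  const targetGroup = new TargetGroup('tg-app');           // constructed sample
  const forward = new ForwardAction([targetGroup]);
  const auth = useFixedAction
    ? new AuthenticateOidcActionFixed(forward)
    : new AuthenticateOidcActionBuggy(forward);

  addAction(listener, auth);
  try {
    return targetGroup.metric('RequestCount');
  } catch (err) {
    return err as Error;
  }
}

console.log(metricAfterChain(false));  // Error: tg-app: no listener registered ...
console.log(metricAfterChain(true));   // RequestCount on listener-1/tg-app
```

The same shape applies to any per-listener side effect that happens in `bind` (the target group registration here, and the connection setup a later comment reports as missing): if the head of the chain swallows `bind`, nothing downstream of it runs, whether the chain is one `next` deep or several.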

@franswah franswah added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2022
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Feb 11, 2022
@NGL321 NGL321 added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2022

nihakue commented Aug 30, 2022

Are there any workarounds? I'm still wrapping my head around the problem but it seems like connections are also missing in this case. When I added a ListenerAction.authenticateOidc in front of a forward action, I saw that my cloudformation template removed the connections to and from my target security group.


nihakue commented Aug 30, 2022

Possibly related to #19035


nihakue commented Sep 2, 2022

The workaround (a dummy action) in #19035 worked around this issue as well.

mergify bot pushed a commit that referenced this issue May 5, 2023
…24510)

## Summary
Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.

## Why is this PR needed?
Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
<img width="593" alt="image" src="https://user-images.githubusercontent.com/49480575/223705838-a047e14c-95f5-4c8e-9003-0bbdf6b9d281.png">

This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls

## Related issues
The following open issues were fixed by #21939, but are related to this PR.
Closes #19035 #18944.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*