From 5710dd98fb63c394f3f079cf526bc6b0a7150a4e Mon Sep 17 00:00:00 2001 
From: Michael C-C <35992239+Michae1CC@users.noreply.github.com> Date: Fri, 17 May 2024 12:17:47 +1000 Subject: [PATCH] fix(elbv2): unable to deploy template with IPv4 load balancer when denyAllIgwTraffic set (#29956) ### Issue # (if applicable) Closes #30247 . ### Reason for this change Integ test for NLB attributes ([integ.nlb-attributes.ts](https://github.com/aws/aws-cdk/blob/4f1c94b27ef7f4ceccea0ff39625c0e8add31c9f/packages/%40aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.ts)) fails to deploy due to an error. The error occurs when `denyAllIgwTraffic` is explicitly set for load balancers with Ipv4 addressing, the `ipv6.deny_all_igw_traffic` attribute is set. ### Description of changes - Remove the denyAllIgwTraffic setting from integ.nlb-attribute.ts - Instead, set denyAllIgwTraffic in integ.nlb.dualstack.internal.ts. - Raise an error during synthesis if `denyAllIgwTraffic` is set on a load balancer that does not use dual stack addressing. ### Description of how you validated changes - Added new unit tests for different combinations of `denyAllIgwTraffic` and `ipAddressType` - Updated existing integration test ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- .../aws-cdk-nlb-attributes-integ.assets.json | 4 +- ...aws-cdk-nlb-attributes-integ.template.json | 4 -- .../cdk.out | 0 .../integ.json | 0 .../manifest.json | 2 +- ...efaultTestDeployAssert2D727654.assets.json | 0 ...aultTestDeployAssert2D727654.template.json | 0 .../tree.json | 4 -- ...-attributes.ts => integ.nlb.attributes.ts} | 1 - ...efaultTestDeployAssertEEBE69CB.assets.json | 2 +- ...aws-cdk-nlb-dualstack-internal.assets.json | 6 +- 
...s-cdk-nlb-dualstack-internal.template.json | 4 ++ .../cdk.out | 2 +- .../integ.json | 2 +- .../manifest.json | 4 +- .../tree.json | 8 ++- .../test/integ.nlb.dualstack.internal.ts | 1 + .../lib/shared/base-load-balancer.ts | 7 +- .../test/alb/load-balancer.test.ts | 67 +++++++++++++++++-- .../test/nlb/load-balancer.test.ts | 50 ++++++++++++-- 20 files changed, 134 insertions(+), 34 deletions(-) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/aws-cdk-nlb-attributes-integ.assets.json (74%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/aws-cdk-nlb-attributes-integ.template.json (99%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/cdk.out (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/integ.json (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/manifest.json (98%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/nlbattlibutesintegDefaultTestDeployAssert2D727654.assets.json (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/nlbattlibutesintegDefaultTestDeployAssert2D727654.template.json (100%) rename packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.js.snapshot => integ.nlb.attributes.js.snapshot}/tree.json (99%) rename 
packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/{integ.nlb-attributes.ts => integ.nlb.attributes.ts} (96%) diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json similarity index 74% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json index e77f03c32cea8..735a50310b09e 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.assets.json @@ -1,7 +1,7 @@ { "version": "36.0.0", "files": { - "fde94b9ee2e36931660662e5ad6718e40f59c205fc43297b7480bf3e57157358": { + "07d7b501e39a18940f72d7c69e969b9cbae9ae21f85424c29235d75d73d23868": { "source": { "path": "aws-cdk-nlb-attributes-integ.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "fde94b9ee2e36931660662e5ad6718e40f59c205fc43297b7480bf3e57157358.json", + "objectKey": "07d7b501e39a18940f72d7c69e969b9cbae9ae21f85424c29235d75d73d23868.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json similarity index 99% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json index 92f24238a0511..6b0938a571195 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/aws-cdk-nlb-attributes-integ.template.json @@ -403,10 +403,6 @@ "Key": "load_balancing.cross_zone.enabled", "Value": "true" }, - { - "Key": "ipv6.deny_all_igw_traffic", - "Value": "true" - }, { "Key": "dns_record.client_routing_policy", "Value": "partial_availability_zone_affinity" diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/cdk.out similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/cdk.out rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/cdk.out 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/integ.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/integ.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/integ.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/manifest.json similarity index 98% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/manifest.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/manifest.json index 7e9b4e6aa18a8..a1c96857eb6ba 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/manifest.json 
@@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/fde94b9ee2e36931660662e5ad6718e40f59c205fc43297b7480bf3e57157358.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/07d7b501e39a18940f72d7c69e969b9cbae9ae21f85424c29235d75d73d23868.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.assets.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.assets.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.assets.json 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.template.json similarity index 100% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.template.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/nlbattlibutesintegDefaultTestDeployAssert2D727654.template.json diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/tree.json similarity index 99% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/tree.json rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/tree.json index dfe987eaa13bc..0d0cf8680c4d7 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.js.snapshot/tree.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.js.snapshot/tree.json @@ -670,10 +670,6 @@ "key": "load_balancing.cross_zone.enabled", "value": "true" }, - { - "key": "ipv6.deny_all_igw_traffic", - "value": "true" - }, { "key": "dns_record.client_routing_policy", "value": "partial_availability_zone_affinity" 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.ts similarity index 96% rename from packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.ts rename to packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.ts index 2e83d346c4095..83e16ffc528fb 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb-attributes.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.attributes.ts @@ -15,7 +15,6 @@ new elbv2.NetworkLoadBalancer(stack, 'NLB', { vpc, crossZoneEnabled: true, deletionProtection: false, - denyAllIgwTraffic: true, clientRoutingPolicy: elbv2.ClientRoutingPolicy.PARTIAL_AVAILABILITY_ZONE_AFFINITY, }); diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/NlbDualstackInternalIntegDefaultTestDeployAssertEEBE69CB.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/NlbDualstackInternalIntegDefaultTestDeployAssertEEBE69CB.assets.json index 7e57dba7c952d..95c2a18a0ed15 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/NlbDualstackInternalIntegDefaultTestDeployAssertEEBE69CB.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/NlbDualstackInternalIntegDefaultTestDeployAssertEEBE69CB.assets.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "files": { "21fbb51d7b23f6a6c262b46a9caee79d744a3ac019fd45422d988b96d44b2a22": { "source": { 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.assets.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.assets.json index 5b5dd05701922..7b0baaeaa53c3 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.assets.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.assets.json @@ -1,7 +1,7 @@ { - "version": "33.0.0", + "version": "36.0.0", "files": { - "64398efb6ed2890dc81c5e8a78e224af3c1405160bdb68c84b0536ee84347f02": { + "5e1cb71a2ebbd6ad655a1f43c8a197eb6843007ae7194b8c2fdc559d4699d13a": { "source": { "path": "aws-cdk-nlb-dualstack-internal.template.json", "packaging": "file" @@ -9,7 +9,7 @@ "destinations": { "current_account-current_region": { "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}", - "objectKey": "64398efb6ed2890dc81c5e8a78e224af3c1405160bdb68c84b0536ee84347f02.json", + "objectKey": "5e1cb71a2ebbd6ad655a1f43c8a197eb6843007ae7194b8c2fdc559d4699d13a.json", "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}" } } diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.template.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.template.json index 68c70c40d5f6e..3d80ec8f9a6db 100644 
--- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.template.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/aws-cdk-nlb-dualstack-internal.template.json @@ -210,6 +210,10 @@ { "Key": "deletion_protection.enabled", "Value": "false" + }, + { + "Key": "ipv6.deny_all_igw_traffic", + "Value": "true" } ], "Scheme": "internal", diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/cdk.out b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/cdk.out index 560dae10d018f..1f0068d32659a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/cdk.out +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/cdk.out @@ -1 +1 @@ -{"version":"33.0.0"} \ No newline at end of file +{"version":"36.0.0"} \ No newline at end of file diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/integ.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/integ.json index 07a78b1505bf6..c7657b896692a 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/integ.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/integ.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "testCases": { "NlbDualstackInternalInteg/DefaultTest": { "stacks": [ 
diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/manifest.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/manifest.json index 17d35be6e3256..b3922336a291f 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/manifest.json +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/manifest.json @@ -1,5 +1,5 @@ { - "version": "33.0.0", + "version": "36.0.0", "artifacts": { "aws-cdk-nlb-dualstack-internal.assets": { "type": "cdk:asset-manifest", @@ -18,7 +18,7 @@ "validateOnSynth": false, "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}", "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}", - "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/64398efb6ed2890dc81c5e8a78e224af3c1405160bdb68c84b0536ee84347f02.json", + "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/5e1cb71a2ebbd6ad655a1f43c8a197eb6843007ae7194b8c2fdc559d4699d13a.json", "requiresBootstrapStackVersion": 6, "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version", "additionalDependencies": [ diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/tree.json b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/tree.json index 5556d279c8312..a97ba4b53756c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/tree.json 
+++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.js.snapshot/tree.json @@ -317,6 +317,10 @@ { "key": "deletion_protection.enabled", "value": "false" + }, + { + "key": "ipv6.deny_all_igw_traffic", + "value": "true" } ], "scheme": "internal", @@ -446,7 +450,7 @@ "path": "NlbDualstackInternalInteg/DefaultTest/Default", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } }, "DeployAssert": { @@ -492,7 +496,7 @@ "path": "Tree", "constructInfo": { "fqn": "constructs.Construct", - "version": "10.2.70" + "version": "10.3.0" } } }, diff --git a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.ts b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.ts index f58ef54ee3178..cbb5ebe76d77c 100644 --- a/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.ts +++ b/packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.nlb.dualstack.internal.ts @@ -31,6 +31,7 @@ const subnetIpv6CidrBlocks = cdk.Fn.cidr(vpcIpv6CidrBlock, 256, '64'); const lb = new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc, + denyAllIgwTraffic: true, ipAddressType: elbv2.IpAddressType.DUAL_STACK, }); diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts index c04757e4cd11b..03cc66dc1744b 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/shared/base-load-balancer.ts 
@@ -1,4 +1,5 @@ import { Construct } from 'constructs'; +import { IpAddressType } from './enums'; import { Attributes, ifUndefined, mapTagMapToCxschema, renderAttributes } from './util'; import * as ec2 from '../../../aws-ec2'; import * as iam from '../../../aws-iam'; @@ -251,7 +252,11 @@ export abstract class BaseLoadBalancer extends Resource { } if (baseProps.denyAllIgwTraffic !== undefined) { - this.setAttribute('ipv6.deny_all_igw_traffic', baseProps.denyAllIgwTraffic.toString()); + if (additionalProps.ipAddressType === IpAddressType.DUAL_STACK) { + this.setAttribute('ipv6.deny_all_igw_traffic', baseProps.denyAllIgwTraffic.toString()); + } else { + throw new Error(`'denyAllIgwTraffic' may only be set on load balancers with ${IpAddressType.DUAL_STACK} addressing.`); + } } this.loadBalancerCanonicalHostedZoneId = resource.attrCanonicalHostedZoneId; diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts index bb3293a799d5b..930f3a2a18923 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/alb/load-balancer.test.ts @@ -84,7 +84,6 @@ describe('tests', () => { idleTimeout: cdk.Duration.seconds(1000), dropInvalidHeaderFields: true, clientKeepAlive: cdk.Duration.seconds(200), - denyAllIgwTraffic: true, preserveHostHeader: true, xAmznTlsVersionAndCipherSuiteHeaders: true, preserveXffClientPort: true, @@ -99,10 +98,6 @@ describe('tests', () => { Key: 'deletion_protection.enabled', Value: 'true', }, - { - Key: 'ipv6.deny_all_igw_traffic', - Value: 'true', - }, { Key: 'routing.http2.enabled', Value: 'false', 
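Review bot: The `else` branch in the `@@ -251,7 +252,11 @@` hunk throws for any defined `denyAllIgwTraffic`, including an explicit `false`, on a load balancer that is not dual-stack, and nothing next to the check records why. A comment above the inner `if`, for example `// ipv6.deny_all_igw_traffic only applies to dual-stack load balancers; fail at synth instead of at deploy`, would explain the throw. The diffstat shows 7 changed lines in this file and the two hunks account for all of them, so the JSDoc on the `denyAllIgwTraffic` prop presumably still lacks the dual-stack requirement; since the attribute governs internet-gateway access to the load balancer, that doc should state when it can be set. The check reads `additionalProps.ipAddressType`, which presumably relies on every subclass forwarding that key; the constructor signature is outside the hunk, so this could not be confirmed.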
@@ -171,6 +166,26 @@ describe('tests', () => { }).toThrow('\'clientKeepAlive\' must be between 60 and 604800 seconds. Got: 100 milliseconds'); }); + test.each([ + [false, undefined], + [true, undefined], + [false, elbv2.IpAddressType.IPV4], + [true, elbv2.IpAddressType.IPV4], + ])('throw error for denyAllIgwTraffic set to %s for Ipv4 (default) addressing.', (denyAllIgwTraffic, ipAddressType) => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + + // THEN + expect(() => { + new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + denyAllIgwTraffic: denyAllIgwTraffic, + ipAddressType: ipAddressType, + }); + }).toThrow(`'denyAllIgwTraffic' may only be set on load balancers with ${elbv2.IpAddressType.DUAL_STACK} addressing.`); + }); + describe('Desync mitigation mode', () => { test('Defensive', () => { // GIVEN @@ -971,6 +986,27 @@ describe('tests', () => { }); }); + test('Can create internet-facing dualstack ApplicationLoadBalancer with denyAllIgwTraffic set to false', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + + // WHEN + new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + denyAllIgwTraffic: false, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internet-facing', + Type: 'application', + IpAddressType: 'dualstack', + }); + }); + test('Can create internal dualstack ApplicationLoadBalancer', () => { // GIVEN const stack = new cdk.Stack(); 
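Review bot: The `test.each` title in the `@@ -171,6 +166,26 @@` hunk interpolates only the first column, so the rows `[false, undefined]` and `[false, elbv2.IpAddressType.IPV4]` (and likewise the two `true` rows) produce identical test names and a failure cannot be tied to one row. Adding the second placeholder fixes that: `'throw error for denyAllIgwTraffic set to %s with ipAddressType %s'`. The same table and title are repeated in the NLB test file's `@@ -488,6 +483,26 @@` hunk.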
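Review bot: The dual-stack test added in the `@@ -971,6 +986,27 @@` hunk passes `denyAllIgwTraffic: false` but asserts only `Scheme`, `Type` and `IpAddressType`, so it would still pass if `ipv6.deny_all_igw_traffic` were never rendered. The earlier hunks of this file remove the assertion on that key from the attributes test, which apparently leaves the ALB unit tests with no check that the attribute reaches the template. Adding `LoadBalancerAttributes: Match.arrayWith([{ Key: 'ipv6.deny_all_igw_traffic', Value: 'false' }]),` to the expected properties would pin it, assuming `Match` from the assertions module is imported in this file, which the hunk does not show. The same gap applies to the `@@ -989,5 +1025,26 @@` hunk here and to the `@@ -1074,7 +1089,28 @@` and `@@ -1082,6 +1118,8 @@` hunks of the NLB test file, with `Value: 'true'` where the test sets `true`.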
@@ -989,5 +1025,26 @@ describe('tests', () => { IpAddressType: 'dualstack', }); }); + + test.each([undefined, false])('Can create internal dualstack ApplicationLoadBalancer with denyAllIgwTraffic set to true', (internetFacing) => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + + // WHEN + new elbv2.ApplicationLoadBalancer(stack, 'LB', { + vpc, + denyAllIgwTraffic: true, + internetFacing: internetFacing, + ipAddressType: elbv2.IpAddressType.DUAL_STACK, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internal', + Type: 'application', + IpAddressType: 'dualstack', + }); + }); }); }); diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts index 06aedaadf5be4..95bc432eb022a 100644 --- a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts +++ b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/test/nlb/load-balancer.test.ts @@ -80,7 +80,6 @@ describe('tests', () => { new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc, crossZoneEnabled: true, - denyAllIgwTraffic: true, clientRoutingPolicy: elbv2.ClientRoutingPolicy.PARTIAL_AVAILABILITY_ZONE_AFFINITY, }); @@ -91,10 +90,6 @@ describe('tests', () => { Key: 'load_balancing.cross_zone.enabled', Value: 'true', }, - { - Key: 'ipv6.deny_all_igw_traffic', - Value: 'true', - }, { Key: 'dns_record.client_routing_policy', Value: 'partial_availability_zone_affinity', 
@@ -488,6 +483,26 @@ describe('tests', () => { }).toThrow('Load balancer name: "my load balancer" must contain only alphanumeric characters or hyphens.'); }); + test.each([ + [false, undefined], + [true, undefined], + [false, elbv2.IpAddressType.IPV4], + [true, elbv2.IpAddressType.IPV4], + ])('throw error for denyAllIgwTraffic set to %s for Ipv4 (default) addressing.', (denyAllIgwTraffic, ipAddressType) => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + + // THEN + expect(() => { + new elbv2.NetworkLoadBalancer(stack, 'NLB', { + vpc, + denyAllIgwTraffic: denyAllIgwTraffic, + ipAddressType: ipAddressType, + }); + }).toThrow(`'denyAllIgwTraffic' may only be set on load balancers with ${elbv2.IpAddressType.DUAL_STACK} addressing.`); + }); + test('imported network load balancer with no vpc specified throws error when calling addTargets', () => { // GIVEN const stack = new cdk.Stack(); @@ -1074,7 +1089,28 @@ describe('tests', () => { }); }); - test('Can create internal dualstack NetworkLoadBalancer', () => { + test('Can create internet-facing dualstack NetworkLoadBalancer with denyAllIgwTraffic set to false', () => { + // GIVEN + const stack = new cdk.Stack(); + const vpc = new ec2.Vpc(stack, 'Stack'); + + // WHEN + new elbv2.NetworkLoadBalancer(stack, 'LB', { + vpc, + denyAllIgwTraffic: false, + internetFacing: true, + ipAddressType: elbv2.IpAddressType.DUAL_STACK, + }); + + // THEN + Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::LoadBalancer', { + Scheme: 'internet-facing', + Type: 'network', + IpAddressType: 'dualstack', + }); + }); + + test.each([undefined, false])('Can create internal dualstack NetworkLoadBalancer with denyAllIgwTraffic set to true', (internetFacing) => { // GIVEN const stack = new cdk.Stack(); const vpc = new ec2.Vpc(stack, 'Stack'); 
@@ -1082,6 +1118,8 @@ describe('tests', () => { // WHEN new elbv2.NetworkLoadBalancer(stack, 'LB', { vpc, + denyAllIgwTraffic: true, + internetFacing: internetFacing, ipAddressType: elbv2.IpAddressType.DUAL_STACK, });