(elasticloadbalancingv2): #13332 is a breaking change! #13437
Comments
akefirad
added
guidance
github-actions
bot
added
the
@aws-cdk/aws-elasticloadbalancingv2
|
Confirmed. The first certificate in the list will be gone, if one upgrades to v1.92.0. |
peterwoodworth
added
bug
|
Some potential learnings so far: It appears that as-is, the For the original bugs (#13150 and #13329), the issue was that if the listener was updated from having 2 to 3 certificates (requiring an update of the ListenerCertificate resource), one of the certificates would be dropped. Here, doing an upgrade from v1.91.0 to v1.92.0 means that any users that have successfully deployed with two certs attached to a single -- Deployed successfully (all at once, no updates) on v1.91.0 -- -- v1.92.0 -- -- cdk diff -- In the above, the The code was written to be backwards-compatible, such that if only two certificates were attached to a listener, no logical IDs would change. I suspect that is what needs to change here; if we create a new logical ID for both certificates, both should get "clean" (single-cert) resources, and both should update appropriately. |
|
🤔 I don't think so there's a solution for this. Your suggestion wouldn't solve the issue either (didn't test it through). I suspect it removes both certificates at the last step which is deleting the old resource. |
|
I just emulated the patch on my test stack, and it appears to work: -- patch -- const listenerCert1 = listener.node.findChild('SSLCert') as elbv2.ApplicationListenerCertificate;
(listenerCert1.node.defaultChild as elbv2.CfnListenerCertificate).overrideLogicalId('LBListenerSSLCertOverride1234')-- cdk diff -- By deploying the above, all |
|
Interesting! How come |
I am assuming that the CloudFormation resource (
I believe the difference is the lack of and/or undefined support for an array of certificate ARNs in the I can't say with 100% certainty, but I believe -- between the docs and my testing -- that Updates are not handled well when there are multiple certificates attached to a single |
… ALB if more than 2 certificates exist Support for multiple certificates attached to a single ALB listener was originally implemented by putting all certificates in an array on a single `ListenerCertificate` resource. The docs state that only one certificate may be specified, although multiple certificates do appear to work initially. Initial resource creation of a `ListenerCertificate` with multiple certificates appears to succeed, but subsequent updates to this resource (to either add or remove certificates) yields undefined and undesireable behavior. The fix in #13332 attempted to fix this by creating a new `ListenerCertificate` per certificate, and -- at my direction -- maintained partial backwards compatibility by keeping the original ID for the first `ListenerCertificate` resource. However, this has the effect of triggering an update to the existing resource, which does not appear to work correctly. By forcing a logical ID change for all `ListenerCertificate` resources, we can force all existing resources to be deleted, and new resources created. This avoids doing any updates on any `ListenerCertificate` resources with an array of certificates, which appears to side-step the undefined behavior. fixes #13437
Interestingly I remember the opposite. I forgot the exact details of my experience. But this is what I recall:
Two things that is different with your example/suggestion
Let me know if I can help with anything. |
… ALB if more than 2 certificates exist (#13490) Support for multiple certificates attached to a single ALB listener was originally implemented by putting all certificates in an array on a single `ListenerCertificate` resource. The docs state that only one certificate may be specified, although multiple certificates do appear to work initially. Initial resource creation of a `ListenerCertificate` with multiple certificates appears to succeed, but subsequent updates to this resource (to either add or remove certificates) yields undefined and undesireable behavior. The fix in #13332 attempted to fix this by creating a new `ListenerCertificate` per certificate, and -- at my direction -- maintained partial backwards compatibility by keeping the original ID for the first `ListenerCertificate` resource. However, this has the effect of triggering an update to the existing resource, which does not appear to work correctly. By forcing a logical ID change for all `ListenerCertificate` resources, we can force all existing resources to be deleted, and new resources created. This avoids doing any updates on any `ListenerCertificate` resources with an array of certificates, which appears to side-step the undefined behavior. fixes #13437 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
|
@njlynch I think this is not gonna work if the order of execution is not deterministic, meaning if |
|
@akefirad - It is deterministic, and the
I think the additional certificate was removed, not because of the order of operations, but because any Here's a screenshot from my patch-tested update to my stack. You can see here that my new ListenerCertificate resources were created first, and then the existing one was deleted in the cleanup phase. This resulted in the correct configuration on my listener.
Please give my patch above a try for yourself. |
|
Seems to work. Thanks for the support! |
❓ General Issue
#13332 is a breaking change!
The Question
I believe #13332 fixing (#13150) is a breaking change since it adds the resource (with certificates) and then remove the old one (with same certificate), which results to removing the existing certificates.
I can't think of anything other than, doing the migration is two deployment or adding the missing certificates manually after the deployment. Both causes some disruption to the service (endpoints are gonna be unavailable for a couple of seconds/minutes).
I'd suggest to update the release note accordingly.
The text was updated successfully, but these errors were encountered: