Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

(aws_elasticloadbalancingv2): TargetGroupListenerAction.bind not called when chained with another ListenerAction #18944

Open
franswah opened this issue Feb 11, 2022 · 5 comments
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. p3

Comments

@franswah
Copy link

franswah commented Feb 11, 2022

What is the problem?

I am trying to add a default action to my Application Listener which uses OIDC authentication before forwarding to a target group. This is the code snippet copied exactly from the CDK documentation:

declare const listener: elbv2.ApplicationListener;
declare const myTargetGroup: elbv2.ApplicationTargetGroup;

listener.addAction('DefaultAction', {
  action: elbv2.ListenerAction.authenticateOidc({
    authorizationEndpoint: 'https://example.com/openid',
    // Other OIDC properties here
    clientId: '...',
    clientSecret: SecretValue.secretsManager('...'),
    issuer: '...',
    tokenEndpoint: '...',
    userInfoEndpoint: '...',

    // Next
    next: elbv2.ListenerAction.forward([myTargetGroup]),
  }),
});

However, since addAction is not called directly with the TargetGroupListenerAction, the listener never calls bind on the Forward action, and so the target group is not registered with the listener.

bind is only called on the action directly passed to addAction, and the OIDC Listener Action has the default no-op bind implementation without calling bind on the "next" action.

This doesn't seem to be a problem for deploying the application listener with the expected set of actions. However, if I want to reference this target group elsewhere in my CDK, for example to create a dashboard with metrics, CDK throws an error due to no listener being registered with the target group.

Reproduction Steps

Follow example for creating OIDC default action chained with a forward action https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-target-group.ts#L242.

Call myTargetGroup.metric(...) after doing so.

What did you expect to happen?

Target group is registered with the Application Listener and I can use the TargetGroup.metric convenience method.

What actually happened?

TargetGroup.metric throws an error stating it is not bound to an application load balancer/listener.

CDK CLI Version

1.139.0

Framework Version

No response

Node.js Version

12.19.0

OS

macOS

Language

Typescript

Language Version

No response

Other information

No response

@franswah franswah added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Feb 11, 2022
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Feb 11, 2022
@NGL321 NGL321 added p2 and removed needs-triage This issue or PR still needs to be triaged. labels Feb 14, 2022
@nihakue
Copy link

nihakue commented Aug 30, 2022

Are there any workarounds? I'm still wrapping my head around the problem but it seems like connections are also missing in this case. When I added a ListenerAction.authenticateOidc in front of a forward action, I saw that my cloudformation template removed the connections to and from my target security group.

@nihakue
Copy link

nihakue commented Aug 30, 2022

Possibly related to #19035

@nihakue
Copy link

nihakue commented Sep 2, 2022

The workaround (a dummy action) in #19035 worked around this issue as well.

mergify bot pushed a commit that referenced this issue May 5, 2023
…24510)

## Summary
Allow HTTPS outbound traffic for security groups attached to the Application Load Balancer if the Application Load Balancer is configured with an authentication configuration.

## Why is this PR needed?
Application Load Balancer authentication requires HTTPS outbound traffic.
However, the security group attached to the ApplicationLoadBalancer does not allow traffic to the outside, so the code as described in the documentation will not work by itself.
<img width="593" alt="image" src="https://user-images.githubusercontent.com/49480575/223705838-a047e14c-95f5-4c8e-9003-0bbdf6b9d281.png">

This issue is also documented.
https://aws.amazon.com/premiumsupport/knowledge-center/elb-configure-authentication-alb/?nc1=h_ls

## Related issues
Following opened issues were fixed by #21939, but related this PR.
Closes  #19035 #18944.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@ashishdhingra
Copy link
Contributor

@franswah Good afternoon. I noticed that the relates issue #19035 is closed. Could you please confirm if this is still an issue with CDK v2; OR if this could be closed.

Thanks,
Ashish

@ashishdhingra ashishdhingra added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Jun 6, 2024
Copy link

github-actions bot commented Jun 9, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Jun 9, 2024
@pahud pahud added p3 and removed p2 closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 bug This issue is a bug. p3
Projects
None yet
Development

No branches or pull requests

6 participants