
feat(ecs-patterns): allow setting TLS listener for NLB patterns #6988

Closed

Conversation

iamhopaul123
Contributor

fix #6263


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@iamhopaul123 iamhopaul123 changed the title chore(ecs-patterns): allow setting TLS listener forr NLB patterns chore(ecs-patterns): allow setting TLS listener for NLB patterns Mar 24, 2020
@iamhopaul123 iamhopaul123 force-pushed the ecs-pattern/tls-listener-for-nlb branch from 48fb160 to ab32b36 Compare March 24, 2020 23:48
@SoManyHs SoManyHs added @aws-cdk/aws-ecs Related to Amazon Elastic Container @aws-cdk/aws-ecs-patterns Related to ecs-patterns library labels Apr 6, 2020
@piradeepk
Contributor

Should this also be updated for the NLBService?

@iamhopaul123 iamhopaul123 force-pushed the ecs-pattern/tls-listener-for-nlb branch from ab32b36 to 2281220 Compare April 29, 2020 19:53
@mergify mergify bot dismissed piradeepk’s stale review April 29, 2020 19:53

Pull request has been modified.

@piradeepk piradeepk assigned piradeepk and unassigned uttarasridhar Apr 29, 2020
@piradeepk
Contributor

The PR looks great! I think this is more of a feature than a chore, so you’ll need to add an example to the README.

@piradeepk piradeepk changed the title chore(ecs-patterns): allow setting TLS listener for NLB patterns fix(ecs-patterns): allow setting TLS listener for NLB patterns May 5, 2020
@piradeepk piradeepk changed the title fix(ecs-patterns): allow setting TLS listener for NLB patterns feat(ecs-patterns): allow setting TLS listener for NLB patterns May 5, 2020
@dejonghe

Is this only blocked by a readme?
Is this the right README? https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-ecs-patterns
ALBs support this functionality but there's nothing in the README about it. I'd be more than happy to write something up but do not understand the direction.
This is a critical feature for any non-HTTP app that needs public TLS by default.

@iamhopaul123
Contributor Author

> Is this only blocked by a readme?
> Is this the right README? https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-ecs-patterns
> ALBs support this functionality but there's nothing in the README about it. I'd be more than happy to write something up but do not understand the direction.
> This is a critical feature for any non-HTTP app that needs public TLS by default.

No, this is blocked because a public TLS listener with a domain still won't work with this PR.

@dejonghe

dejonghe commented Aug 13, 2020

> > Is this only blocked by a readme?
> > Is this the right README? https://github.com/aws/aws-cdk/tree/master/packages/%40aws-cdk/aws-ecs-patterns
> > ALBs support this functionality but there's nothing in the README about it. I'd be more than happy to write something up but do not understand the direction.
> > This is a critical feature for any non-HTTP app that needs public TLS by default.
>
> No, this is blocked because a public TLS listener with a domain still won't work with this PR.

Understood. Thanks for the response.

@aws-cdk-automation
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: a58bd97
  • Result: FAILED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@iamhopaul123
Contributor Author

Won't be able to work on it for a while. Close for now.

@dannyalan

Following. This has just tripped me up too. Is there anything we can do to help move this along?

@js-timbirkett

js-timbirkett commented Apr 29, 2022

For anyone who finds this... I made use of the ECS patterns as they're really useful, and got TLS termination working like this:

.....

```typescript
// CDK v1 package names, matching the @aws-cdk/* packages this PR targets;
// under CDK v2 the same classes live in 'aws-cdk-lib'.
import { DnsValidatedCertificate } from '@aws-cdk/aws-certificatemanager';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as ecs from '@aws-cdk/aws-ecs';
import * as ecsPatterns from '@aws-cdk/aws-ecs-patterns';
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';

// This runs inside a Stack constructor: `this` is the stack, and `props.zone`
// (route53.IHostedZone) and `props.vpc` (ec2.IVpc) are passed in from other stacks.
const tlsCertificate = new DnsValidatedCertificate(this, 'SFTPWebCert', {
  domainName: `sftp.${props.zone.zoneName}`,
  hostedZone: props.zone,
});

const cluster = new ecs.Cluster(this, 'SFTPCluster', { vpc: props.vpc });

// The pattern only creates plain TCP listeners, so only the SFTP port
// (SSH encrypts itself) is configured through it.
const sftpService = new ecsPatterns.NetworkMultipleTargetGroupsFargateService(this, 'SFTPService', {
  cluster,
  serviceName: 'sftpgo',
  desiredCount: 1,
  cpu: 256,
  memoryLimitMiB: 512,
  taskImageOptions: {
    containerName: 'sftpgo',
    image: ecs.ContainerImage.fromRegistry('ghcr.io/drakkan/sftpgo:v2.2.2'),
  },
  loadBalancers: [
    {
      name: 'sftpgo',
      domainName: `sftp.${props.zone.zoneName}.`,
      domainZone: props.zone,
      publicLoadBalancer: true,
      listeners: [
        {
          name: 'sftp',
          port: 2022,
        },
      ],
    },
  ],
  targetGroups: [
    {
      containerPort: 2022,
      listener: 'sftp',
    },
  ],
});

// As it isn't possible to configure TLS through the listeners above,
// we must resort to configuring them manually.

const container = sftpService.taskDefinition.findContainer('sftpgo');

container.addPortMappings({
  containerPort: 8080,
});

// TLS is terminated at the NLB listener; the target group behind it is plain TCP.
// SslPolicy.RECOMMENDED resolves to ELBSecurityPolicy-2016-08, which still
// negotiates TLS 1.0/1.1; pick a TLS-1.2-only policy if that matters to you.
const webListener = sftpService.loadBalancer.addListener('web', {
  port: 443,
  certificates: [{ certificateArn: tlsCertificate.certificateArn }],
  sslPolicy: elbv2.SslPolicy.RECOMMENDED,
  alpnPolicy: elbv2.AlpnPolicy.HTTP1_ONLY,
});

sftpService.service.registerLoadBalancerTargets({
  containerName: 'sftpgo',
  containerPort: 8080,
  newTargetGroupId: 'sftpgo-web',
  listener: ecs.ListenerConfig.networkListener(webListener, {
    port: 8080,
    protocol: elbv2.Protocol.TCP, // typed enum; the string 'TCP' does not compile
  }),
});

// Although this opens ports to everywhere, the Fargate container is not
// exposed directly to the outside world. All traffic is handled by the NLBs.
// (An NLB preserves the client source IP, so the task's security group has to
// admit client addresses rather than the load balancer's; narrow the CIDR if
// your client population is known.)
sftpService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(2022), 'SSH/SFTP');
sftpService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(8080), 'Web UI');
```
    
    .....

I pass in the Route53 zone and VPC from other stacks. The main thing here is that I make use of NetworkMultipleTargetGroupsFargateService, but only configure one port for TCP forwarding. I then use available functions to configure the TLS listener, expose ports, attach to target groups, etc. This took me about 6 hours to work out 🙈
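The comment above mixes a plain TCP listener (SFTP on 2022) with a hand-added TLS listener on the same public NLB, which is exactly the arrangement a reviewer wants to verify after `cdk synth`. The following is an added example, not code from the PR, the comment, or the CDK project: a dependency-free check over a synthesized CloudFormation template that reports internet-facing NLB listeners that forward plaintext on a port not on an allowlist of self-encrypting protocols, TLS listeners without a certificate, and TLS listeners whose `SslPolicy` is not on an approved list. The sample template, its logical IDs, the approved-policy list and the port allowlist are constructed assumptions.

```typescript
// Added example (not from the PR or the CDK project). Audits a synthesized
// CloudFormation template for the listener layout discussed in the thread.

interface CfnResource { Type: string; Properties?: Record<string, any>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }
interface Finding { listener: string; port: number; reason: string; }

// NLB-compatible policies that do not negotiate TLS 1.0/1.1 (assumed approved list).
// CDK's elbv2.SslPolicy.RECOMMENDED resolves to ELBSecurityPolicy-2016-08, which
// is deliberately left out because it still offers TLS 1.0 and 1.1.
const APPROVED_SSL_POLICIES = [
  'ELBSecurityPolicy-TLS13-1-2-2021-06',
  'ELBSecurityPolicy-TLS-1-2-2017-01',
  'ELBSecurityPolicy-TLS-1-2-Ext-2018-06',
];

// Resolve a `{ Ref: LogicalId }` intrinsic to the resource it names, if any.
function resolveRef(template: CfnTemplate, value: any): CfnResource | undefined {
  const id = value && typeof value === 'object' && typeof value.Ref === 'string' ? value.Ref : undefined;
  return id ? template.Resources[id] : undefined;
}

// selfEncryptingPorts is a heuristic allowlist: ports whose application protocol
// encrypts itself (e.g. SSH/SFTP), so a TCP passthrough listener there is acceptable.
function auditNlbListeners(template: CfnTemplate, selfEncryptingPorts: number[]): Finding[] {
  const findings: Finding[] = [];
  for (const id in template.Resources) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::ElasticLoadBalancingV2::Listener') continue;
    const props = res.Properties || {};
    const lb = resolveRef(template, props.LoadBalancerArn);
    // Only internet-facing network load balancers are in scope.
    if (!lb || !lb.Properties || lb.Properties.Type !== 'network' || lb.Properties.Scheme !== 'internet-facing') continue;

    const port = Number(props.Port);
    const protocol = String(props.Protocol || '').toUpperCase();
    if (protocol === 'TLS') {
      const certs: any[] = Array.isArray(props.Certificates) ? props.Certificates : [];
      if (certs.length === 0 || !certs.every(c => c && c.CertificateArn)) {
        findings.push({ listener: id, port, reason: 'TLS listener has no certificate' });
      }
      if (APPROVED_SSL_POLICIES.indexOf(String(props.SslPolicy)) === -1) {
        findings.push({ listener: id, port, reason: 'SslPolicy "' + (props.SslPolicy || '<default>') + '" is not approved' });
      }
    } else if (selfEncryptingPorts.indexOf(port) === -1) {
      // TCP/UDP/TCP_UDP: the NLB forwards bytes untouched, so the application
      // itself must encrypt. Anything not allowlisted is reported.
      findings.push({ listener: id, port, reason: 'plaintext ' + protocol + ' listener exposed to the internet' });
    }
  }
  return findings;
}

// Constructed, simplified template mirroring the comment's stack: an SFTP listener
// on 2022 (TCP), a TLS web listener on 443 using SslPolicy.RECOMMENDED, and an
// assumed extra plain TCP listener on 8080 that bypasses the TLS listener.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    SFTPWebCert: { Type: 'AWS::CertificateManager::Certificate', Properties: { DomainName: 'sftp.example.com' } },
    SftpLb: { Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer', Properties: { Type: 'network', Scheme: 'internet-facing' } },
    SftpListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: { LoadBalancerArn: { Ref: 'SftpLb' }, Port: 2022, Protocol: 'TCP' } },
    WebListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: { LoadBalancerArn: { Ref: 'SftpLb' }, Port: 443, Protocol: 'TLS', Certificates: [{ CertificateArn: { Ref: 'SFTPWebCert' } }], SslPolicy: 'ELBSecurityPolicy-2016-08', AlpnPolicy: ['HTTP1Only'] } },
    AdminListener: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: { LoadBalancerArn: { Ref: 'SftpLb' }, Port: 8080, Protocol: 'TCP' } },
  },
};

// Expected: two findings (WebListener's SslPolicy, AdminListener's plaintext TCP);
// SftpListener passes because 2022 is allowlisted.
const report = auditNlbListeners(SAMPLE_TEMPLATE, [2022]);
report.forEach(f => console.log(f.listener + ':' + f.port + ' - ' + f.reason));
```

Feed it the JSON that `cdk synth` writes under `cdk.out/` for the stack. Inside a CDK project's own test suite the same assertions can be expressed with `Template.fromStack(stack).hasResourceProperties(...)` from the assertions module; the standalone form above is useful in a pipeline stage that has the template but not the app.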

Successfully merging this pull request may close these issues.

Unclear how to use ecs-patterns NetworkMultipleTargetGroupsEc2Service