Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(elasticloadbalancingv2): should allow more than 2 certificates #13332

Merged
merged 5 commits into from
Mar 2, 2021

Conversation

andreialecu
Copy link
Contributor

Fixes #13150

Interestingly, even though the Certificates field is of type Array, the documentation says: You can specify one certificate per resource.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@andreialecu
Copy link
Contributor Author

Not sure why CI is failing, but it doesn't seem related to the changes in this PR.

Checking if ruby is installed... which: no ruby in (/codebuild/output/src536429546/src/github.com/aws/aws-cdk/node_modules/.bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/codebuild/user/bin)
Missing dependency: ruby. Install ruby >= 2.5.1

njlynch
njlynch previously requested changes Mar 1, 2021
Copy link
Contributor

@njlynch njlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution!

In addition to the below comment about IDs, can you add a test for this? Ideally we'd add 3 certs, and verify both ApplicationListenerCertificate were created.

@njlynch
Copy link
Contributor

njlynch commented Mar 1, 2021

Not sure why CI is failing, but it doesn't seem related to the changes in this PR.

Agreed; looks like either a general breakage or a solar-flare-induced hiccup. I'd say you can safely ignore it. You can run the tests just for this module by running lt in the module's directory. (See https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md#useful-aliases for the alias setup).

@gitpod-io
Copy link

gitpod-io bot commented Mar 2, 2021

@mergify mergify bot dismissed njlynch’s stale review March 2, 2021 10:24

Pull request has been modified.

@andreialecu
Copy link
Contributor Author

Note that I have also received a response from AWS support regarding this behavior. The support engineer mentioned:

During my research into this, I found that this is a known issue that AWS CloudFormation service team are aware of this behavior. You are totally correct about your statement.

I checked that an internal ticket to the team is currently being investigated and I have added your voice onto the ticket to make the team aware that you are also facing this behavior.

=> I would suggest you to kindly use multiple separate "AWS::ElasticLoadBalancingV2::ListenerCertificate" resources with only one certificate per resource. This will avoid the need to update the resource "ListenerCertificates" which currently removes the old certificates during the update process.

@andreialecu
Copy link
Contributor Author

@njlynch I added the tests. Let me know if any further changes are required.

Copy link
Contributor

@njlynch njlynch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix!

@mergify
Copy link
Contributor

mergify bot commented Mar 2, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 519bd5d
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Copy link
Contributor

mergify bot commented Mar 2, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit d3155e9 into aws:master Mar 2, 2021
@andreialecu andreialecu deleted the fix-albcerts branch March 2, 2021 13:34
cornerwings pushed a commit to cornerwings/aws-cdk that referenced this pull request Mar 8, 2021
…ws#13332)

Fixes aws#13150 

> Interestingly, even though the Certificates field is of type Array, the documentation says: You can specify one certificate per resource.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
njlynch added a commit that referenced this pull request Mar 9, 2021
… ALB if more than 2 certificates exist

Support for multiple certificates attached to a single ALB listener was
originally implemented by putting all certificates in an array on a single
`ListenerCertificate` resource. The docs state that only one certificate may be
specified, although multiple certificates do appear to work initially.  Initial
resource creation of a `ListenerCertificate` with multiple certificates appears
to succeed, but subsequent updates to this resource (to either add or remove
certificates) yields undefined and undesireable behavior.

The fix in #13332 attempted to fix this by creating a new `ListenerCertificate`
per certificate, and -- at my direction -- maintained partial backwards
compatibility by keeping the original ID for the first `ListenerCertificate`
resource. However, this has the effect of triggering an update to the existing
resource, which does not appear to work correctly.

By forcing a logical ID change for all `ListenerCertificate` resources, we can
force all existing resources to be deleted, and new resources created. This
avoids doing any updates on any `ListenerCertificate` resources with an array
of certificates, which appears to side-step the undefined behavior.

fixes #13437
mergify bot pushed a commit that referenced this pull request Mar 9, 2021
… ALB if more than 2 certificates exist (#13490)

Support for multiple certificates attached to a single ALB listener was
originally implemented by putting all certificates in an array on a single
`ListenerCertificate` resource. The docs state that only one certificate may be
specified, although multiple certificates do appear to work initially.  Initial
resource creation of a `ListenerCertificate` with multiple certificates appears
to succeed, but subsequent updates to this resource (to either add or remove
certificates) yields undefined and undesireable behavior.

The fix in #13332 attempted to fix this by creating a new `ListenerCertificate`
per certificate, and -- at my direction -- maintained partial backwards
compatibility by keeping the original ID for the first `ListenerCertificate`
resource. However, this has the effect of triggering an update to the existing
resource, which does not appear to work correctly.

By forcing a logical ID change for all `ListenerCertificate` resources, we can
force all existing resources to be deleted, and new resources created. This
avoids doing any updates on any `ListenerCertificate` resources with an array
of certificates, which appears to side-step the undefined behavior.

fixes #13437


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This was referenced Mar 14, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
@aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2
Projects
None yet
3 participants