aws-ecs-patterns: ApplicationLoadBalancedEc2Service doesn't set SecurityGroups properly, so that ALB can't reach to container

[acomagu]

Describe the bug

If I use ec2.Cluster imported from another stack with ApplicationLoadBalancedEc2Service, not reachable from ALB to the container and will have unhealthy status.

There are two causes:

• The SecurityGroup of EC2 instance doesn't allow any incoming traffic. Should allow the port range used for ALB dynamic port mapping.
  

• The SecurityGroup of ALB doesn't allow any outgoing TCP traffic. Should allow all TCP traffic(maybe, but at least should allow something).
  

Expected Behavior

The SecurityGroups of EC2 instance and ALB are configured properly without additional coding, or the documentation is written to properly configure them.

Current Behavior

ALB can't see the ECS containers and recognizes them as unhealthy.

Reproduction Steps

Deploying with the following code reproduces the situation.

import * as cdk from 'aws-cdk-lib';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as ecs from 'aws-cdk-lib/aws-ecs';
import * as ecsPatterns from 'aws-cdk-lib/aws-ecs-patterns';
import * as constructs from 'constructs';

export class ClusterStack extends cdk.Stack {
  readonly clusterAttributes: ecs.ClusterAttributes;

  constructor(scope: constructs.Construct, id: string) {
    super(scope, id);

    const vpc = new ec2.Vpc(this, 'VPC', {
      maxAzs: 2,
    });

    const cluster = new ecs.Cluster(this, 'Cluster', {
      capacity: {
        instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.NANO),
        maxCapacity: 2,
      },
      vpc,
    });
    this.clusterAttributes = cluster;
  }
}

export class ServiceStack extends cdk.Stack {
  constructor(scope: constructs.Construct, id: string, props: { clusterAttributes: ecs.ClusterAttributes }) {
    super(scope, id);

    const cluster = ecs.Cluster.fromClusterAttributes(this, 'Cluster', props.clusterAttributes);

    new ecsPatterns.ApplicationLoadBalancedEc2Service(this, 'Service', {
      cluster,
      taskImageOptions: {
        image: ecs.ContainerImage.fromRegistry('amazon/amazon-ecs-sample'),
      },
      memoryLimitMiB: 128,
      circuitBreaker: { rollback: true },
    });
  }
}

const app = new cdk.App();
const clusterStack = new ClusterStack(app, 'ClusterStack');
new ServiceStack(app, 'ServiceStack', {
  clusterAttributes: clusterStack.clusterAttributes,
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.93.0 (build 724bd01)

Framework Version

No response

Node.js Version

2.93.0

OS

Linux acm-envy3-win 5.15.90.4-microsoft-standard-WSL2 #1 SMP Tue Jul 18 21:28:32 UTC 2023 x86_64 GNU/Linux

Language

Typescript

Language Version

5.2.2

Other information

No response

[acomagu]

Solved by rewriting as follows:

diff a b
index ffd1f07..717d6d5 100644
--- a
+++ b
@@ -21,7 +21,10 @@ export class ClusterStack extends cdk.Stack {
       },
       vpc,
     });
-    this.clusterAttributes = cluster;
+    this.clusterAttributes = {
+      ...cluster,
+      securityGroups: cluster.connections.securityGroups,
+    };
   }
 }

I think it's better that there is a field like cluster.attributes where ClusterAttributes can be retrieved straightforwardly.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[acomagu]

For anyone who got here: don't use spread notation(clusterAttribute = { ...cluster }) to copy properties. The my above code still doesn't work.

In JavaScript, class getter is not enumerable, so not copied by object spreading.

Assign all properties individually for safe:

this.clusterAttributes = {
  autoscalingGroup: cluster.autoscalingGroup,
  clusterArn: cluster.clusterArn,
  clusterName: cluster.clusterName,
  defaultCloudMapNamespace: cluster.defaultCloudMapNamespace,
  executeCommandConfiguration: cluster.executeCommandConfiguration,
  hasEc2Capacity: cluster.hasEc2Capacity,
  securityGroups: cluster.connections.securityGroups,
  vpc: cluster.vpc,
};

(I hope more convenient way to import cluster from another stack)