ecs-patterns: Simple http -> https redirect

[MrArnoldPalmer]

Add a property to ecs-patterns constructs to automatically setup an http->https redirect on the service's load balancer.

Use Case

User's with publicly accessible services using https usually want to automatically redirect clients from http to https.

As the result of discussion within #5583, it is apparent that setting this up could be much easier. Since this is a super common pattern and one that we should encourage for publicly accessible services, we should make it as easy as possible in the high level patterns constructs.

Proposed Solution

Add an optional property redirectToHttps or forceHttps that when set to true will create a listener on port 80 that redirects to 443. This option should only be able to be set to true when a certificate is provided. This should be added to all ecs-patterns constructs that create load balancers.

• 👋 I may be able to implement this feature request
• ⚠️ This feature might incur a breaking change

---

This is a 🚀 Feature Request

[logemann]

+1 for this idea which i also had and accidentally opened a new FR ;-)

[hoegertn]

Is there any progress on this issue? Is somebody working on implementing this?

[MrArnoldPalmer]

@hoegertn not that I know of. Open to PRs if you're interested.

[khalidx]

Hey! I think this already works... let me know if I'm wrong!

Here's how I implemented HTTP -> HTTPS redirects on the load balancer (single file implementation, < 60 lines, should be easy to follow): https://github.com/khalidx/origin/blob/master/src/cdk.ts

I'll inline the implementation here for reference:

    const vpc = new ec2.Vpc(this, 'InfrastructureVpc', { maxAzs: 3 })

    const cluster = new ecs.Cluster(this, 'InfrastructureCluster', { vpc })

    const service = new ecs_patterns.ApplicationLoadBalancedFargateService(this, 'ServerService', {
      cluster,
      desiredCount: 2,
      cpu: 256,
      memoryLimitMiB: 1024,
      taskImageOptions: {
        image: ecs.ContainerImage.fromAsset(join(__dirname, '../'), { exclude: [ 'node_modules', 'dist', 'exec', 'cdk.out' ] })
      },
      publicLoadBalancer: true,
      domainName: configuration.subdomian,
      domainZone: route53.HostedZone.fromHostedZoneAttributes(this, 'InfrastructureZone', configuration.hostedZone),
      certificate: acm.Certificate.fromCertificateArn(this, 'InfrastructureCertificate', configuration.certificate)
    })

    service
    .loadBalancer
    .addListener('HttpListener', { protocol: elbv2.ApplicationProtocol.HTTP, port: 80 })
    .addRedirectResponse('HttpRedirect', { statusCode: 'HTTP_301', protocol: elbv2.ApplicationProtocol.HTTPS, port: '443' })

By the way, check out https://github.com/khalidx/origin for a boilerplate starter project that deploys a node express API as an HTTPS exposed service using CDK. It also generates a node module, native binaries, and Docker image for your API, so that it can run anywhere!

[hoegertn]

Yes this is a valid approach but the feature requested and implemented by me is to have this with a single config option to save the user from creating the additional LB listener.

[khalidx]

Yes this is a valid approach but the feature requested and implemented by me is to have this with a single config option to save the user from creating the additional LB listener.

Ah, I see @hoegertn! That makes sense. So instead of doing service.loadBalancer the configuration would instead be on the ecs_patterns.ApplicationLoadBalancedFargateService object.

[iwarshak]

@MrArnoldPalmer This PR #9341 seems to be a good start, but I am running into the issue where domainZone and domainName are still required props, even if I am passing in a certificate that I have already provisioned.

[hoegertn]

Imho they are required to create the Route53 entries.

[iwarshak]

@hoegertn No disagreement as to why it's there, just pointing this out to @MrArnoldPalmer and this comment: #5583 (comment)

[merland]

@MrArnoldPalmer This PR #9341 seems to be a good start, but I am running into the issue where domainZone and domainName are still required props, even if I am passing in a certificate that I have already provisioned.

@iwarshak @hoegertn This seems like the same usecase I was working with here. I needed to do it without involving domainZone and domainName. I did succeed but the approach is very ugly.

Hopefully the same result can be achieved with nicer code now, a year later. However this feature request is still open, so maybe not...

[hoegertn]

I think this should work now with commit e6c85e4

So since 1.100.0

[namedgraph]

I don't understand how @khalidx suggestion is supposed to work if NetworkLoadBalancedEc2Service by default creates an HTTP listener on port 80?
https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-ecs-patterns/lib/base/network-load-balanced-service-base.ts#L350
Shouldn't the target properties use props.listenerPort instead of hardcoding port 80?

    const targetProps = {
      port: props.listenerPort,
    };

Anyway when I try to access that listener like this:

NetworkLoadBalancedEc2Service ec2Service = NetworkLoadBalancedEc2Service.Builder.create()....
ec2Service.getListener().???

the only methods available are addAction, addTargetGroups, addTargets, not addRedirectResponse.

[alejandrodau]

It seems this is now possible using the addRedirect method

https://docs.aws.amazon.com/cdk/api/v1/docs/aws-elasticloadbalancingv2-readme.html#:~:text=If%20you%20do%20not%20provide%20any%20options%20for%20this%20method%2C%20it%20redirects%20HTTP%20port%2080%20to%20HTTPS%20port%20443.