fix(elasticloadbalancingv2): upgrade to v1.92.0 drops certificates on ALB if more than 2 certificates exist #13490

Merged
merged 2 commits into from
Mar 9, 2021

@njlynch njlynch commented Mar 9, 2021

Support for multiple certificates attached to a single ALB listener was
originally implemented by putting all certificates in an array on a single
ListenerCertificate resource. The docs state that only one certificate may be
specified, although multiple certificates do appear to work initially. Initial
resource creation of a ListenerCertificate with multiple certificates appears
to succeed, but subsequent updates to this resource (to either add or remove
certificates) yield undefined and undesirable behavior.

The fix in #13332 attempted to fix this by creating a new ListenerCertificate
per certificate, and -- at my direction -- maintained partial backwards
compatibility by keeping the original ID for the first ListenerCertificate
resource. However, this has the effect of triggering an update to the existing
resource, which does not appear to work correctly.

By forcing a logical ID change for all ListenerCertificate resources, we can
force all existing resources to be deleted, and new resources created. This
avoids doing any updates on any ListenerCertificate resources with an array
of certificates, which appears to side-step the undefined behavior.

fixes #13437


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@njlynch njlynch requested a review from a team March 9, 2021 12:59
@njlynch njlynch self-assigned this Mar 9, 2021
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 9, 2021
@github-actions github-actions bot added the @aws-cdk/aws-elasticloadbalancingv2 Related to Amazon Elastic Load Balancing V2 label Mar 9, 2021
@nija-at nija-at left a comment

Looks like the same issue I had a month ago but for a different resource - 96cbe32#diff-d415373a5da24bc939a806d1dbd72f953000f19b3ae72978c65fa851d310e0d6

mergify bot commented Mar 9, 2021

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: 4f8cfd3
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 01b94f8 into master Mar 9, 2021
@mergify mergify bot deleted the njlynch/alb-listener-certs branch March 9, 2021 15:50
mergify bot pushed a commit that referenced this pull request Mar 31, 2022
This PR does a couple of things to update the NetworkListener to be on
par with ApplicationListener.

1. Add a NetworkListenerCertificate construct that allows you to
   associate multiple certificates with a listener.
2. Add an `addCertificates` method to `NetworkListener` similar to the
   same method on the `ApplicationListener`.

This is needed because even though the `certificates` property on a
`Listener` is an array, it expects only one certificate. To add more than
one you have to create an
`AWS::ElasticLoadBalancingV2::ListenerCertificate`. This functionality
was added to `ApplicationListener` via #13490.

fixes #8918, #15328

----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
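
Added example, not part of this PR or the aws-cdk code base: a check over synthesized CloudFormation templates for the two conditions discussed in this thread, namely a `Listener` or `ListenerCertificate` resource carrying more than one certificate, and a `ListenerCertificate` that keeps its logical ID across a deploy while its certificate list changes. The helper names, logical IDs and ARNs are constructed for illustration.

```typescript
// Added example, not aws-cdk code. Helper names, logical IDs and ARNs are constructed.
type Cert = { CertificateArn?: unknown };
type Resource = { Type: string; Properties?: { Certificates?: Cert[] } };
type Template = { Resources?: { [logicalId: string]: Resource } };

const LISTENER = "AWS::ElasticLoadBalancingV2::Listener";
const LISTENER_CERT = "AWS::ElasticLoadBalancingV2::ListenerCertificate";

function certsOf(r: Resource | undefined): Cert[] {
  if (!r || (r.Type !== LISTENER && r.Type !== LISTENER_CERT)) return [];
  return (r.Properties && r.Properties.Certificates) || [];
}

// Logical IDs of Listener / ListenerCertificate resources that carry more than
// one certificate, the shape the thread says only appears to work.
function multiCertResources(tpl: Template): string[] {
  const res = tpl.Resources || {};
  return Object.keys(res).filter((id) => certsOf(res[id]).length > 1).sort();
}

// Logical IDs that stay a ListenerCertificate across a deploy while their
// certificate list changes: CloudFormation treats that as an update to the
// existing resource. Comparison is by serialized value, so key order matters.
function inPlaceCertUpdates(deployed: Template, next: Template): string[] {
  const before = deployed.Resources || {};
  const after = next.Resources || {};
  return Object.keys(before).filter((id) => {
    const a = before[id], b = after[id];
    return a.Type === LISTENER_CERT && !!b && b.Type === LISTENER_CERT &&
      JSON.stringify(certsOf(a)) !== JSON.stringify(certsOf(b));
  }).sort();
}

// Constructed sample templates (placeholder ARNs).
const lc = (...arns: string[]): Resource => ({
  Type: LISTENER_CERT,
  Properties: { Certificates: arns.map((a) => ({ CertificateArn: a })) },
});
const deployed: Template = { Resources: { ListenerCertX: lc("arn:cert-1", "arn:cert-2", "arn:cert-3") } };
// First resource keeps its old logical ID (the #13332 approach described above).
const keepFirstId: Template = { Resources: {
  ListenerCertX: lc("arn:cert-1"), ListenerCertX2: lc("arn:cert-2"), ListenerCertX3: lc("arn:cert-3"),
} };
// Every resource gets a new logical ID (the approach this PR describes).
const allNewIds: Template = { Resources: {
  CertA: lc("arn:cert-1"), CertB: lc("arn:cert-2"), CertC: lc("arn:cert-3"),
} };

console.log(multiCertResources(deployed), inPlaceCertUpdates(deployed, keepFirstId), inPlaceCertUpdates(deployed, allNewIds));
```

Running both checks against the currently deployed template and the newly synthesized one before a CDK upgrade shows whether any listener certificate would go through an in-place update.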
StevePotter pushed a commit to StevePotter/aws-cdk that referenced this pull request Apr 27, 2022
Successfully merging this pull request may close these issues.

(elasticloadbalancingv2): #13332 is a breaking change!