-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(elasticloadbalancingv2): upgrade to v1.92.0 drops certificates on ALB if more than 2 certificates exist #13490
Conversation
… ALB if more than 2 certificates exist Support for multiple certificates attached to a single ALB listener was originally implemented by putting all certificates in an array on a single `ListenerCertificate` resource. The docs state that only one certificate may be specified, although multiple certificates do appear to work initially. Initial resource creation of a `ListenerCertificate` with multiple certificates appears to succeed, but subsequent updates to this resource (to either add or remove certificates) yields undefined and undesireable behavior. The fix in #13332 attempted to fix this by creating a new `ListenerCertificate` per certificate, and -- at my direction -- maintained partial backwards compatibility by keeping the original ID for the first `ListenerCertificate` resource. However, this has the effect of triggering an update to the existing resource, which does not appear to work correctly. By forcing a logical ID change for all `ListenerCertificate` resources, we can force all existing resources to be deleted, and new resources created. This avoids doing any updates on any `ListenerCertificate` resources with an array of certificates, which appears to side-step the undefined behavior. fixes #13437
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the same issue I had a month ago but for a different resource - 96cbe32#diff-d415373a5da24bc939a806d1dbd72f953000f19b3ae72978c65fa851d310e0d6
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
AWS CodeBuild CI Report
Powered by github-codebuild-logs, available on the AWS Serverless Application Repository |
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
This PR does a couple of things to update the NetworkListener to be on par with ApplicationListener. 1. Add a NetworkListenerCertificate construct that allows you to associate multiple certificates with a listener. 2. Add a `addCertificates` method to `NetworkListener` similar to the same method on the `ApplicationListener`. This is needed because even though the `certificates` property on a `Listener`is an array, it expects only one certificate. To add more than one you have to create an `AWS::ElasticLoadBalancingV2::ListenerCertificate`. This functionality was added to `ApplicationListner` via #13490. fixes #8918, #15328 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This PR does a couple of things to update the NetworkListener to be on par with ApplicationListener. 1. Add a NetworkListenerCertificate construct that allows you to associate multiple certificates with a listener. 2. Add a `addCertificates` method to `NetworkListener` similar to the same method on the `ApplicationListener`. This is needed because even though the `certificates` property on a `Listener`is an array, it expects only one certificate. To add more than one you have to create an `AWS::ElasticLoadBalancingV2::ListenerCertificate`. This functionality was added to `ApplicationListner` via aws#13490. fixes aws#8918, aws#15328 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Support for multiple certificates attached to a single ALB listener was
originally implemented by putting all certificates in an array on a single
ListenerCertificate
resource. The docs state that only one certificate may bespecified, although multiple certificates do appear to work initially. Initial
resource creation of a
ListenerCertificate
with multiple certificates appearsto succeed, but subsequent updates to this resource (to either add or remove
certificates) yields undefined and undesireable behavior.
The fix in #13332 attempted to fix this by creating a new
ListenerCertificate
per certificate, and -- at my direction -- maintained partial backwards
compatibility by keeping the original ID for the first
ListenerCertificate
resource. However, this has the effect of triggering an update to the existing
resource, which does not appear to work correctly.
By forcing a logical ID change for all
ListenerCertificate
resources, we canforce all existing resources to be deleted, and new resources created. This
avoids doing any updates on any
ListenerCertificate
resources with an arrayof certificates, which appears to side-step the undefined behavior.
fixes #13437
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license