feat(ecs): vpc link for api gatway and load balanced services #1541

dotxlem · 2019-01-14T13:35:45Z

Overview

The primary purpose of this work is to fill in the gaps in
implementation for deploying a VPC link between API Gateway, and an
ECS service. My goal was to allow setting up a {proxy+} API which would
forward to a Fargate service in a private VPC.

This has been tagged as 'ecs', but also involves changes to api gateway.

Since VPC links require an NLB, the LoadBalanced{Fargate|Ecs}Service classes
have been modified to support selecting either an ALB or an NLB.

Closes #1500.

Changes

On the APIGW side, IntegrationOptions now accepts an optional connetion
type enum, as well as a VpcLink. VpcLink itself is a new construct
which accepts an array of Network Load Balancers. I also added the missing
requestParameters prop for Method, to allow properly setting up a proxy
path variable.

For ECS, in my use case I wanted to use the LoadBalanced*Service constructs, however
they only supported ALB. I have pulled all of the ELBv2 related setup
into the new LoadBalancedService base class, and also created a base
props interface LoadBalancedServiceProps. This deals with the common setup
between the Fargate and ECS services, and allows the selection of ALB or NLB.
As a side-effect of this refactoring, you can also now pass a Certificate to
LoadBalancedEcsService.

There is a new Method test for the VPC link props, as well as new tests
for both VpcLink and LoadBalancedFargateService.

Pull Request Checklist

Testing
- Unit test added
- CLI change?: manually run integration tests and paste output as a PR comment
- cdk-init template change?: coordinated update of integration tests with team
Docs
- jsdocs: All public APIs documented
- README: README and/or documentation topic updated
Title and Description
- Change type: title prefixed with fix, feat will appear in changelog
- Title: use lower-case and doesn't end with a period
- Breaking?: last paragraph: "BREAKING CHANGE: <describe what changed + link for details>"
- Issues: Indicate issues fixed via: "Fixes #xxx" or "Closes #xxx"
[n/a] Sensitive Modules (requires 2 PR approvers)
- IAM Policy Document (in @aws-cdk/aws-iam)
- EC2 Security Groups and ACLs (in @aws-cdk/aws-ec2)
- Grant APIs (only if not based on official documentation with a reference)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license.

Overview ======== The primary purpose of this work is to fill in the gaps in implementation for deploying a VPC link between API Gateway, and an ECS service. My goal was to allow setting up a {proxy+} API which would forward to a Fargate service in a private VPC. This has been tagged as 'ecs', but also involves changes to api gateway. Since VPC links require an NLB, the LoadBalanced{Fargate|Ecs}Service classes have been modified to support selecting either an ALB or an NLB. Changes ======= On the APIGW side, `IntegrationOptions` now accepts an optional connetion type enum, as well as a VpcLink. `VpcLink` itself is a new construct which accepts an array of Network Load Balancers. I also added the missing `requestParameters` prop for `Method`, to allow properly setting up a proxy path variable. For ECS, in my use case I wanted to use the LoadBalanced*Service constructs, however they only supported ALB. I have pulled all of the ELBv2 related setup into the new `LoadBalancedService` base class, and also created a base props interface `LoadBalancedServiceProps`. This deals with the common setup between the Fargate and ECS services, and allows the selection of ALB or NLB. As a side-effect of this refactoring, you can also now pass a Certificate to `LoadBalancedEcsService`. There is a new `Method` test for the VPC link props, as well as new tests for both `VpcLink` and `LoadBalancedFargateService`.

rix0rrr

Love what you've done with the refactor!

I have some small style comments, but approved modulo those!

rix0rrr · 2019-01-15T14:55:24Z

packages/@aws-cdk/aws-apigateway/lib/method.ts

@@ -173,6 +179,8 @@ export class Method extends cdk.Construct {
      requestTemplates: options.requestTemplates,
      passthroughBehavior: options.passthroughBehavior,
      integrationResponses: options.integrationResponses,
+      connectionType: options.connectionType,
+      connectionId: options.vpcLink ? options.vpcLink.vpcLinkId : undefined,


What if connectiontype === internet and a vpcLink is supplied. Is that ok?

The docs for ConnectionId state:

The ID of the VpcLink used for the integration when connectionType=VPC_LINK and undefined, otherwise.

I took that to mean that it would just be ignored. Probably best to throw an error though to alert the user, since that's probably not what they wanted to happen.

That's what I was getting at. Thanks.

rix0rrr · 2019-01-15T14:56:04Z