(elasticloadbalancingv2): Update rules for alb listener to have two or more actions

[afsanehr]

Hi,

We have an application load balancer that is targeting a lambda. We want to update its listener's rule to return fixed response 403 by default and forward actions to target group (of type lambda) if path is /test and method is post.
This is doable via management console.
With cdk and cloudformation template it throws error:
Protocol cannot be specified for target groups with target type 'lambda'

In management console we have this for listener:

Rule                condition                                              action
1                 IF: Http method is post                            THEN: Forward to target group
                      Path is /test
last              IF: Requests otherwise not routed                  THEN: Return fixed response 403

Reproduction Steps

    let target = new targets.LambdaTarget(this.lambda)
    let applicationLoadBalancerTargetGroup = new elb.ApplicationTargetGroup(this, 'GatewayTargetGroup', {
          port: 443,
          vpc: this.vpc,
          targets: [target]
     })
    let applicationLoadBalancerListener = this.applicationLoadBalancer.addListener('test', {
      port: 443,
      protocol: elb.Protocol.HTTPS,
      certificateArns: [this.cert], 
      defaultAction: elb.ListenerAction.fixedResponse(403, {
        contentType: elb.ContentType.APPLICATION_JSON,
        messageBody: 'Forbidden'
      })
    })
    let applicationLoadBalancerPathListenerRule = new elb.ApplicationListenerRule(this, 'PathListenerRule', {
      listener: applicationLoadBalancerListener,
      priority: 1,
      conditions:[
        elb.ListenerCondition.httpRequestMethods(['POST']),
        elb.ListenerCondition.pathPatterns(['/test'])
      ],
      action: elb.ListenerAction.forward([applicationLoadBalancerTargetGroup])
  })

What did you expect to happen?

To be able to update rules same as what is doable in management console

What actually happened?

cloudformation stack failed with: Protocol cannot be specified for target groups with target type 'lambda'

I understand according to this https://docs.aws.amazon.com/cdk/api/latest/docs/aws-elasticloadbalancingv2-readme.html#protocol-for-load-balancer-targets
seems like creating application target group is only limited to instance type or ip. If that is the case here, is there a workaround to be able to do this in cdk?

Environment

• CDK CLI Version : 1.68.0
• Node.js Version: v13.6.0
• OS : macOS Mojave version 10.14.6
• Language (Version): TypeScript

Other

---

This is 🐛 Bug Report

[amarflybot]

For me the error is different:
Message:
Invalid request provided: AWS::ElasticLoadBalancingV2::ListenerRule Validation exception new ApplicationListenerRule (~node_modules/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener-rule.ts:231:22)

[NGL321]

Hey @afsanehr,

Thanks for reporting this. Your error message and the way you structured makes me think this is one of two possible problems.

The first possibility I see is that you are passing the lambda function incorrectly to target:

let target = new targets.LambdaTarget(FUNCTION_GOES_HERE);

The error message Protocol cannot be specified for target groups with target type 'lambda' makes me think that you are passing a Lambda class object rather than a Function object. It would help to see where you declare your function this.lambda.

I attempted to reproduce, and I was unable to see your described behavior. What I did see is that in your code elb.Protocol.HTTPS should likely be elb.ApplicationProtocol.HTTPS, and assuming that certificateArns: [this.cert], references the cert and not the ARN, it should be certificates: [this.cert].

The other possibility is that there is a bug in our ELBv2 library.

To better understand this it would be helpful to know what line specifically is throwing your exception as well as seeing the variables referenced but not shown (this.cert, this.applicationLoadBalancer, this.lambda).

😸 😷

[afsanehr]

Hi @NGL321, thanks for the quick turnaround :)

I am passing the following to the lambdaTargets

this.lambda = new lambda.Function(this, 'lambda', {
      runtime: lambda.Runtime.PYTHON_2_7,
      code: lambda.Code.fromBucket(s3Bucket, this.artifactoryKey),
      handler: 'testLambda.lambda_handler',
      timeout: cdk.Duration.seconds(300)
    })

I also updated the elb.Protocol.HTTPS to elb.ApplicationProtocol.HTTPS same result
One more thing is that since I have the certificateArn I am using the certificateArns rather than certificates, I assume that should be doable?
so this.cert actually holds the certficiateArn value and is coming from a customresource lambda creating the arns, we are passing this in other projects using that Arn value and it works fine.
may be I should rewrite the snippet such as this that:

     this.lambda = new lambda.Function(this, 'lambda', {
      runtime: lambda.Runtime.PYTHON_2_7,
      code: lambda.Code.fromBucket(s3Bucket, this.artifactoryKey),
      handler: 'testLambda.lambda_handler',
      timeout: cdk.Duration.seconds(300)
    })
    let target = new targets.LambdaTarget(this.lambda)
    let applicationLoadBalancerTargetGroup = new elb.ApplicationTargetGroup(this, 'GatewayTargetGroup', {
          port: 443,
          vpc: this.vpc,
          targets: [target]
     })
    this.applicationLoadBalancer = new elb.ApplicationLoadBalancer(this, 'GatewayALB', {
      vpc: this.vpc,
      internetFacing: false,
      vpcSubnets: this.vpc.isolatedSubnets,
      securityGroup: this.securityGroup
    })
    let applicationLoadBalancerListener = this.applicationLoadBalancer.addListener('test', {
      port: 443,
      protocol: elb.ApplicationProtocol.HTTPS,
      certificateArns: [this.certArn], 
      defaultAction: elb.ListenerAction.fixedResponse(403, {
        contentType: elb.ContentType.APPLICATION_JSON,
        messageBody: 'Forbidden'
      })
    })
    let applicationLoadBalancerPathListenerRule = new elb.ApplicationListenerRule(this, 'PathListenerRule', {
      listener: applicationLoadBalancerListener,
      priority: 1,
      conditions:[
        elb.ListenerCondition.httpRequestMethods(['POST']),
        elb.ListenerCondition.pathPatterns(['/test'])
      ],
      action: elb.ListenerAction.forward([applicationLoadBalancerTargetGroup])
  })

Another note is that the stack with the generated cloud formation template fails at GatewayTargetGroup creation with the error mentioned. When you say you couldn't replicate the issue, did the stack generation pass for you? I tried commenting everything after the ApplicationTargetGroup and the stack still fails.
Thank you again.

[afsanehr]

Hi @NGL321 was wondering if there is any update on this issue? Thanks!

[NGL321]

Hey @afsanehr,

Sorry for the delay. I have, as of yet, still been unable to reproduce your described behavior, despite using an identical stack. Unsure of what is causing this. I have one more thing to try, and will report if that fails to reproduce the failure.

From what I can tell at the moment, this is not an issue with generating the template as cdk synth works 100% of the time with code provided. There is a chance this is a cloudformation bug with the elb handling.

[NGL321]

Okay, I was finally able to reproduce.

My initial assessment was very wrong 🤦. The problem here is that the prop protocol in ApplicationListener cannot presently be specified for Lambda function targets. The exception is being generated by the Elastic Load Balancer API rather than the CDK.

The biggest problem here is that the parameter is forced into the template. If left blank, it is automatically assigned based on port:

aws-cdk/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

Line 186 in f92b65e

const [protocol, port] = determineProtocolAndPort(props.protocol, props.port);

aws-cdk/packages/@aws-cdk/aws-elasticloadbalancingv2/lib/shared/util.ts

Line 60 in f92b65e

if (protocol === undefined) { protocol = defaultProtocolForPort(port!); }

There are two possibilities here: either it is intended behavior of ELBv2 and we need to stop forcing protocol, OR it is a bug in the API.

I have cut an internal ticket to the team to determine this. Unfortunately I am not aware of a workaround atm, but I will update this ticket as soon as I hear from the team.

😸 😷