(ALB + Cognito): Missing connection between SecurityGroup of ALB and SecurityGroup of service. #12994
Description
I'm using ALB and ECS Service (Fargate in my case) split into different stacks at TargetGroup level (like this)
When I'm using a Forward action in the listener, everything is fine 👌
```ts
// Forward straight to the service's target group
let action = elbv2.ListenerAction.forward([targetgroup])
listner.addAction(`${serviceName}-listner-action`, {
  priority: serviceListnerPriority,
  hostHeader: 'sample.exemple.com',
  action: action
})
```
When I'm using an AuthenticateCognitoAction before the Forward action
(I'm using Cognito auth in front of the ALB, similar to this)
```ts
// Same forward action, but wrapped in a Cognito authentication step
let action = elbv2.ListenerAction.forward([targetgroup])
action = new elbv2Actions.AuthenticateCognitoAction({
  userPool: userPool,
  userPoolClient: userPoolClientAlb,
  userPoolDomain: userPoolDomain,
  next: action,  // forward only after successful authentication
})
listner.addAction(`${serviceName}-listner-action`, {
  priority: serviceListnerPriority,
  hostHeader: 'sample.exemple.com',
  action: action
})
```
and in my service stack, `service.attachToApplicationTargetGroup(props.albTargetGroup)` will not generate the `AWS::EC2::SecurityGroupIngress` that accepts connections from the ALB to the service.
Reproduction Steps
What did you expect to happen?
In the service stack, I expect a resource of type `AWS::EC2::SecurityGroupIngress` that refers to the ALB SecurityGroup.
What actually happened?
In the service stack, the resource `AWS::EC2::SecurityGroupIngress` is missing!
Environment
- CDK CLI Version: 1.85.0 (build 5f44668)
- Framework Version:
- Node.js Version: 12.20.1
- OS: MacOSX
- Language (Version): TypeScript (3.9.7)
Other
Currently I'm bypassing the problem by exporting `albSG` from the ALB stack and manually adding a connection between them:
```ts
// Manually open the service SG to the ALB SG on the container port
service.connections.allowFrom(props.albSG, ec2.Port.tcp(80), 'Allow connection from ALB')
```
PS: If it's necessary, I can also build a full CDK project with this bug.
This is 🐛 Bug Report
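As an added check, written for this editorial pass rather than taken from the issue or from aws-cdk, the function below scans a synthesized service-stack CloudFormation template for an ingress rule that lets the ALB security group reach the service security group on the container port. The two embedded templates are constructed: one models the forward-only case where the ingress resource is emitted, the other the Cognito-wrapped case reported above where it is absent. The logical ID `ServiceSG` and the export name `AlbStack:AlbSecurityGroupId` are assumptions, not values from the report.

```typescript
// Added example (not from the issue or from aws-cdk): a small check over a
// synthesized CloudFormation template that tells you whether the service
// security group actually admits traffic from the ALB security group.
// All logical IDs and export names below are constructed for this example.

interface CfnResource { Type: string; Properties?: Record<string, any>; }
interface CfnTemplate { Resources: Record<string, CfnResource>; }

interface IngressRule {
  group: string;     // security group being opened (normalized token)
  source: string;    // security group allowed in (normalized token)
  protocol: string;
  fromPort: number;
  toPort: number;
}

// Normalize the ways a template can name a security group: a literal id,
// {Ref}, {Fn::GetAtt: [id, GroupId]} or {Fn::ImportValue} for cross-stack refs.
function sgToken(v: any): string | undefined {
  if (typeof v === 'string') return v;
  if (v && typeof v === 'object') {
    if ('Ref' in v) return v.Ref;
    if ('Fn::GetAtt' in v) {
      const [id, attr] = v['Fn::GetAtt'];
      return attr === 'GroupId' ? id : `${id}.${attr}`;
    }
    if ('Fn::ImportValue' in v) return `import:${v['Fn::ImportValue']}`;
  }
  return undefined;
}

// Collect rules from standalone AWS::EC2::SecurityGroupIngress resources (what
// connections.allowFrom emits for a peer from another stack) and from inline
// SecurityGroupIngress lists on AWS::EC2::SecurityGroup resources.
function collectIngress(t: CfnTemplate): IngressRule[] {
  const rules: IngressRule[] = [];
  for (const id of Object.keys(t.Resources)) {
    const res = t.Resources[id];
    const p = res.Properties || {};
    if (res.Type === 'AWS::EC2::SecurityGroupIngress') {
      const group = sgToken(p.GroupId);
      const source = sgToken(p.SourceSecurityGroupId);
      if (group && source) rules.push({ group, source, protocol: p.IpProtocol, fromPort: p.FromPort, toPort: p.ToPort });
    } else if (res.Type === 'AWS::EC2::SecurityGroup') {
      for (const r of p.SecurityGroupIngress || []) {
        const source = sgToken(r.SourceSecurityGroupId);
        if (source) rules.push({ group: id, source, protocol: r.IpProtocol, fromPort: r.FromPort, toPort: r.ToPort });
      }
    }
  }
  return rules;
}

// True when some rule lets albSg reach serviceSg on TCP `port`.
function albCanReachService(t: CfnTemplate, serviceSg: string, albSg: string, port: number): boolean {
  return collectIngress(t).some(r =>
    r.group === serviceSg && r.source === albSg && r.protocol === 'tcp' && r.fromPort <= port && port <= r.toPort);
}

// Constructed service-stack templates; the ALB SG arrives via a cross-stack export.
const ALB_SG = { 'Fn::ImportValue': 'AlbStack:AlbSecurityGroupId' };  // constructed export name
const ALB_TOKEN = 'import:AlbStack:AlbSecurityGroupId';
const baseResources: Record<string, CfnResource> = {
  ServiceSG: { Type: 'AWS::EC2::SecurityGroup', Properties: { GroupDescription: 'service', VpcId: 'vpc-example' } },
};

// Case 1: plain forward action; the ingress resource is present.
const withIngress: CfnTemplate = { Resources: { ...baseResources,
  ServiceSGfromAlb80: { Type: 'AWS::EC2::SecurityGroupIngress', Properties: {
    GroupId: { 'Fn::GetAtt': ['ServiceSG', 'GroupId'] }, SourceSecurityGroupId: ALB_SG,
    IpProtocol: 'tcp', FromPort: 80, ToPort: 80 } } } };

// Case 2: Cognito-wrapped action; the ingress resource is absent, as in the report.
const missingIngress: CfnTemplate = { Resources: { ...baseResources } };

console.log('forward only     ->', albCanReachService(withIngress, 'ServiceSG', ALB_TOKEN, 80));   // true
console.log('cognito + forward ->', albCanReachService(missingIngress, 'ServiceSG', ALB_TOKEN, 80)); // false
```

Run it against `cdk.out/<ServiceStack>.template.json` after `cdk synth`: a `false` result before deploying is the cheapest way to catch this gap in a pipeline, and the same check confirms that the `connections.allowFrom` workaround above actually produced the rule on the expected port.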