(elbv2): cyclic dependency on TLS network load balancer listener

[fschaeffler]

We have two different stacks. The resources between the two stacks are as follows.

Stack A

• Application Load Balancer
• Application Load Balancer Default Listener
• Network Load Balancer
• Network Load Balancer Listener

Stack B

• Application Load Balancer Target Group
• Network Load Balancer Target Group

Stack A: source code - working

const vpc = new ec2.Vpc(this, 'VPC', {
    natGateways: 2,
    subnetConfiguration: [
        {
            name: 'Public',
            subnetType: ec2.SubnetType.PUBLIC
        },
        {
            name: 'Private',
            subnetType: ec2.SubnetType.PRIVATE
        }
    ]
})

const alb = new elbv2.ApplicationLoadBalancer(
    this,
    'ALB',
    { vpc, internetFacing: true }
)

const nlb = new elbv2.NetworkLoadBalancer(
    this,
    'NLB',
    { vpc, internetFacing: true }
)

const albDefaultListener = alb.addListener('ALBDefaultListener', {
    protocol: ApplicationProtocol.HTTPS,
    certificates: [certificate],
    defaultAction: ListenerAction.fixedResponse(200)
})

const nlbTargetGroup = new NetworkTargetGroup(this, 'NLBTargetGroup', {
    port: 80,
    vpc,
    targetType: TargetType.IP
})

const nlbDefaultListener = nlb.addListener('NLBDefaultListener', {
    port: 8443,
    defaultTargetGroups: [nlbTargetGroup]
})

Stack B: source code

albDefaultListener.addTargets('ALBTarget', {
    protocol: ApplicationProtocol.HTTP,
    conditions: [
        ListenerCondition.hostHeaders([`${app}${domainTag}.*`])
    ],
    priority: 1,
    targets: [
        service.loadBalancerTarget({
            containerName: 'Container'
        })
    ]
})

nlbDefaultListener.addTargets('NLBTarget', {
    port: 80,
    protocol: Protocol.TCP,
    targets: [
        service.loadBalancerTarget({
            containerName: 'Container'
        })
    ]
})

The issue that I'm facing is that if I want to use SSL/TLS on the load balancer listener, I'm running into dependency issues. It seems that there must be some small difference of how the application load balancer is doing it, because there it's already working.

Stack A: source code - failing

// const nlbDefaultListener = nlbDefaultListener.addListener('NLBDefaultListener', {
//     port: 8443,
//     defaultTargetGroups: [nlbTargetGroup]
// })

const nlbDefaultListener = nlbDefaultListener.addListener('NLBDefaultListener', {
    port: 8443,
    defaultTargetGroups: [nlbTargetGroup],
    protocol: Protocol.TLS,
    certificates: [certificate]
})

Error message

Error: Resolution error: Resolution error: Unable to resolve object tree with circular reference. Path: /Resources/${Token[AppServerStageDev.NLB.AppServerStageDevNLBListenerAPIServer.Resource.LogicalID.209]}/Properties/certificates/0/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host/node/host..
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:63:15)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
    at resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:145:51)
    at Object.resolve (/home/flo/dev/***/app-server/node_modules/@aws-cdk/core/lib/private/resolve.js:57:48)
Subprocess exited with error 1

AWS CDK versions & dependencies

The use Node.js version is 14.17.1.

"@aws-cdk/aws-certificatemanager": "1.110.0",
"@aws-cdk/aws-ec2": "1.110.0",
"@aws-cdk/aws-ecs": "1.110.0",
"@aws-cdk/aws-ecs-patterns": "1.110.0",
"@aws-cdk/aws-elasticloadbalancingv2": "1.110.0",
"@aws-cdk/aws-route53": "1.110.0",
"@aws-cdk/aws-route53-targets": "1.110.0",
"@aws-cdk/core": "1.110.0",
"aws-cdk": "1.110.0"

[fschaeffler]

Both, the ALB and NLB, addListener method take certificates as a parameter with the type of IListenerCertificate[]. However, the issue comes from how the certificate(s) are defined.

For the examples below, the instance of certificate is of the Type acm.Certificate.

not working

• ✔️ ALB.addListener with { certificates: [certificate] }
• ✖️ NLB.addListener with { certificates: [certificate] }

working

• ✔️ ALB.addListener with { certificates: [certificate] }
• ✔️ NLB.addListener with { certificates: [{ certificateArn: certificate.certificateArn }] }

[abonstu]

Man this was doing my head in! Nice catch and well described 👍