(ecs-patterns): unnecessary breaking target group port change introduced after upgrading cdk

[aaaeeeo]

What is the problem?

We recently upgraded the cdk version from 1.13x to 1.147 and noticed a breaking change prevent us from deploying.

The change is introduced by this commit: #18157 from #18073

In ecs-patterns, target group was generated with hard-coded port 80, and now changed to containerPort that in our case is 8080.
This triggered a replacement of the target group, and in production, we certainly cannot replace the target group or LB.

The service is currently working fine, and my understanding is when used with ECS and dynamic port mapping, the port in target group is meaningless as ECS host ports are dynamically opened:
https://stackoverflow.com/questions/42715647/whats-the-target-group-port-for-when-using-application-load-balancer-ec2-con
https://aws.amazon.com/premiumsupport/knowledge-center/dynamic-port-mapping-ecs/
Looks like even ECS is hard coding target group port to 80 when create service in console.

So what is the exact issue of #18073, what is it trying to fix? #18157 says "Fix Network Load Balancer Port assignments" but actaully changed the target group port instead? Looks like the change is meaningless and introduced breaking replacement to people who are already using the construct.

Currently, we have to patch the L1 target group to get this around. Could we revert #18157?

Reproduction Steps

Upgrade the cdk version from 1.130 to 1.147 and compare the generated TargetGroup from NetworkLoadBalancedEc2Service without any code change

What did you expect to happen?

Generated template should remain unchanged without any code change:

      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "HealthCheckPort": "traffic-port",
        "HealthCheckProtocol": "TCP",
        "HealthyThresholdCount": 10,
        "Port": 80,
        "Protocol": "TCP",

What actually happened?

Target group port changed to container port triggered a replacement of the target group for our service that is working fine.

      "Type": "AWS::ElasticLoadBalancingV2::TargetGroup",
      "Properties": {
        "HealthCheckPort": "traffic-port",
        "HealthCheckProtocol": "TCP",
        "HealthyThresholdCount": 10,
        "Port": 8080,
        "Protocol": "TCP",

CDK CLI Version

1.147

Framework Version

No response

Node.js Version

14

OS

Mac

Language

Typescript

Language Version

No response

Other information

No response

[madeline-k]

Thank you for raising this issue and providing a workaround @aaaeeeo!

The purpose of the change in #18157 is to pass through the NetworkLoadBalanced<Ec2|Fargate>ServiceProps.taskImageOptions.containerPort and the NetworkMultipleTargetGroups<Ec2|Fargate>ServiceProps.targetGroups[X].containerPort to the generated ElasticLoadBalancingV2::TargetGroup's Port property. So I can see now that the title of #18157 was not the most descriptive. It should have said something like, "fix(ecs-patterns) containerPort assignments are not propagated to TargetGroup Port assignments for NetworkLoadBalancedServices and NetworkMultipleTargetGroupsServices".

This is the behavior we want for new applications, since it works for all network modes. However, it has unfortunately introduced a breaking change for applications that have already been deployed with the previous behavior. While reviewing this fix, I did not realize that updating the Port would cause replacement. For next steps, we will put this behavior behind a feature flag. And then you will be able to upgrade and remove the workaround you've added.

[blimmer]

For those looking to work around the issue via the L1 construct, it looks something like this:

const service = new patterns.NetworkLoadBalancedFargateService(this, "FargateService", {
  // props
});

// Work around https://github.com/aws/aws-cdk/issues/19411
(service.targetGroup.node.defaultChild as elbv2.CfnTargetGroup).port = 80;