elbv2: open property should be on LoadBalancer, not on Listener. #6281
Closed
Labels
@aws-cdk/aws-elasticloadbalancing (Related to Amazon Elastic Load Balancing), bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p2
Description
I am trying to create an internet-facing ALB that is accessible only from whitelisted IP addresses.
I am creating a security group that sets the ingress whitelist rule and attaching it to the load balancer.
However, an additional ingress rule allowing access from everywhere gets added to the security group by something.
Reproduction Steps
```typescript
const lbSecGroup = new ec2.SecurityGroup(this, `lbSecurityGroup-${config.site}`, {
  description: 'Allow access to loadbalancer',
  vpc: vpc,
});
lbSecGroup.addIngressRule(ec2.Peer.ipv4('123.123.123.123/32'), ec2.Port.tcp(80), 'desc');
const loadbalancer = new elbv2.ApplicationLoadBalancer(this, `LB`, {
  vpc,
  internetFacing: true,
  loadBalancerName: `lb`,
  securityGroup: lbSecGroup,
});
```
Error Log
`cdk diff` shows the following:
```
Security Group Changes
┌───┬─────────────────────────────────┬─────┬────────────┬─────────────────────────────────┐
│ │ Group │ Dir │ Protocol │ Peer │
├───┼─────────────────────────────────┼─────┼────────────┼─────────────────────────────────┤
│ + │ ${lbSecurityGroup.GroupId} │ In │ TCP 80 │ 123.123.123.123/32 │
│ + │ ${lbSecurityGroup.GroupId} │ In │ TCP 80 │ Everyone (IPv4) │
│ + │ ${lbSecurityGroup.GroupId} │ Out │ Everything │ Everyone (IPv4) │
├───┼─────────────────────────────────┼─────┼────────────┼─────────────────────────────────┤
```
I am expecting that there should not be the rule `In, TCP 80, Everyone (IPv4)`. I have not specified it in my code, and the load balancer doesn't need it to function. I removed the extra ingress rule and everything worked just fine.
Environment
- CLI Version : 1.23.0 (build 01f326e)
- Framework Version: 1.24.0
- OS : MacOS
- Language : Typescript
This is a 🐛 Bug Report
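A guard against the unexpected rule reported above, as an added example that is not part of the original issue or of the CDK project: it scans a synthesized CloudFormation template for security-group ingress open to `0.0.0.0/0` or `::/0`, so a pipeline can fail before deployment. The function name, type names and sample template are hypothetical and constructed for illustration; the sample mirrors the `cdk diff` output in the issue.

```typescript
// Added example: flag security-group ingress open to the whole internet in a
// synthesized CloudFormation template (the JSON produced by `cdk synth`).
type Rule = { CidrIp?: string; CidrIpv6?: string; IpProtocol?: string; FromPort?: number; ToPort?: number };
type Resource = { Type: string; Properties?: { [key: string]: any } };
type Template = { Resources: { [logicalId: string]: Resource } };
type Finding = { resource: string; cidr: string; protocol: string;
                 fromPort: number | undefined; toPort: number | undefined };

const WORLD_CIDRS = ["0.0.0.0/0", "::/0"];

function findWorldOpenIngress(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (!res) continue;
    const props: any = res.Properties || {};
    let rules: Rule[] = [];
    if (res.Type === "AWS::EC2::SecurityGroup") {
      rules = props.SecurityGroupIngress || []; // rules declared inline on the group
    } else if (res.Type === "AWS::EC2::SecurityGroupIngress") {
      rules = [props];                          // rule declared as its own resource
    }
    for (const rule of rules) {
      const cidr = rule.CidrIp || rule.CidrIpv6;
      if (cidr && WORLD_CIDRS.indexOf(cidr) !== -1) {
        findings.push({ resource: id, cidr, protocol: rule.IpProtocol || "unknown",
                        fromPort: rule.FromPort, toPort: rule.ToPort });
      }
    }
  }
  return findings;
}

// Constructed sample: the allowlisted /32 rule plus the unexpected world-open rule.
const sampleTemplate: Template = {
  Resources: {
    lbSecurityGroup: {
      Type: "AWS::EC2::SecurityGroup",
      Properties: {
        GroupDescription: "Allow access to loadbalancer",
        SecurityGroupIngress: [
          { CidrIp: "123.123.123.123/32", IpProtocol: "tcp", FromPort: 80, ToPort: 80 },
          { CidrIp: "0.0.0.0/0", IpProtocol: "tcp", FromPort: 80, ToPort: 80 },
        ],
      },
    },
  },
};

// A CI job would fail the build when this array is non-empty.
const sampleFindings = findWorldOpenIngress(sampleTemplate);
```

Only ingress is checked; the default allow-all egress rule shown in the diff is outside this check.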