feat(ecs-patterns): support NLB with TLS listener and target group

[199911]

Issue # (if applicable)

Closes #8517

Reason for this change

NLB support TLS protocol in listener and target group.
This changes provide a feature parity in ECS patterns, allowing customer to enhance security with encrypted traffic between NLB and services

Description of changes

• Add listenerCertificate to NetworkLoadBalancedServiceBaseProps, default value is none
• Change the default value of listenerPort and taskImageOptions.containerPort to 443, if listenerCertificate is provided.

Description of how you validated changes

• Added both unit test and integration test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[agarwal-aashish]

The code looks good and unit tests should cover all the points. Moreover it is backward compatible so should not break any clients.

[199911]

Hi @agarwal-aashish

Thanks for the review and approval!
Will the bot merge CR automatically?
Are there any pending actions on my side?

[199911]

@Mergifyio refresh

[mergify]

refresh

✅ Pull request refreshed

[moelasmar]

left minor comment

[moelasmar]

since creating the certificate is not important for this testing, could you please modify the integration for EC2, and Fargate to accept an imported certificate, as the certificate creation step takes a very long time, and slow down this testing.

[199911]

Sounds good to me.

To confirm I understand your suggestion:
I can use

aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/integ.domain-name.ts

Line 13 in ab73e53

const certArn = process.env.CDK_INTEG_CERT_ARN || process.env.CERT_ARN;

and then import a certificate with

aws-cdk/packages/@aws-cdk-testing/framework-integ/test/aws-apigateway/test/integ.domain-name.ts

Line 83 in ab73e53

const certificate = Certificate.fromCertificateArn(testCase, 'Cert', certArn);

[moelasmar]

and for the certificate creation itself, I believe you can create a self signed certificate and then import it, I believe this will be an easier solution.

[moelasmar]

you can follow the following steps to create a self signed certificate:

$ openssl genrsa -out my-private.key 2048
$ openssl req -new -key my-private.key -out my-csr.csr
$ openssl x509 -req -days 365 -in my-csr.csr -signkey my-private.key -out my-certificate.crt

Then you can follow this link to import it.

Also, please add these steps to the test case as comment

[199911]

Thanks for the guidance!

I will take me some time to learn the details of self signed certificate and update the tests.

[199911]

Hi @moelasmar,

I tested my change with Amazon issued cert at the end.
And the update code works.

---

When I use the self signed cert, all AWS resources exception the NLB created successfully. The NLB failed with the following message in CloudFormation deployment events:
Resource handler returned message: "The certificate 'arn:aws:acm:us-east-1:128346755879:certificate/efe2138c-cf1d-481b-ba56-737b1ca1819f' must have a fully-qualified domain name, a supported signature, and a supported key size. (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: 49557e15-b32d-43f9-bb26-7ef309de21a7)" (RequestToken: 5c8f3642-cc69-6051-e9d7-a4b6fdc41064, HandlerErrorCode: InvalidRequest)

Pull request has been modified.

[moelasmar]

thanks @199911. I will update the PR status to request changes till you update the integration testing

Pull request has been modified.

[199911]

Hi moelasmar,

I have cleaned up the integration test, please review.

---

I notice there are other integration tests creating a test certificate inline.
I can help clean up those test after this PR merged.

[moelasmar]

I do not see the environment variable CERT_ARN mentioned in the framework-integ/README.md file. Can you update this file, and add some details on how to create this certificate.

[199911]

Thanks for the review!
I updated the README and attached a link to AWS doc.

If we need more details in README, I propose to do it in another PR.
So the ECS Fargate pattern fix can be published first.

[moelasmar]

it looks good to me

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 153b7f7
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.