Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(elbv2): allow control of ingress rules on redirect listener #12768

Merged
merged 4 commits into from
Feb 25, 2021
Merged

feat(elbv2): allow control of ingress rules on redirect listener #12768

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
3ad10a0
feat(elbv2): allow control of ingress rules on redirect listener
MatthewMooreZA Jan 29, 2021
78bd238
Merge branch 'master' into allow-non-open-redirect-listeners
MatthewMooreZA Jan 29, 2021
eedf318
Merge branch 'master' into allow-non-open-redirect-listeners
MatthewMooreZA Feb 12, 2021
26f9383
Merge branch 'master' into allow-non-open-redirect-listeners
mergify[bot] Feb 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions packages/@aws-cdk/aws-elasticloadbalancingv2/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -182,6 +182,9 @@ lb.addRedirect({

If you do not provide any options for this method, it redirects HTTP port 80 to HTTPS port 443.

By default all ingress traffic will be allowed on the source port. If you want to be more selective with your
ingress rules then set `open: false` and use the listener's `connections` object to selectively grant access to the listener.

## Defining a Network Load Balancer

Network Load Balancers are defined in a similar way to Application Load
Expand Down
17 changes: 16 additions & 1 deletion packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
return this.addListener(`Redirect${sourcePort}To${targetPort}`, {
protocol: props.sourceProtocol ?? ApplicationProtocol.HTTP,
port: sourcePort,
open: true,
open: props.open ?? true,
defaultAction: ListenerAction.redirect({
port: targetPort,
protocol: props.targetProtocol ?? ApplicationProtocol.HTTPS,
Expand Down Expand Up @@ -665,4 +665,19 @@ export interface ApplicationLoadBalancerRedirectConfig {
*/
readonly targetPort?: number;

/**
* Allow anyone to connect to this listener
*
* If this is specified, the listener will be opened up to anyone who can reach it.
* For internal load balancers this is anyone in the same VPC. For public load
* balancers, this is anyone on the internet.
*
* If you want to be more selective about who can access this load
* balancer, set this to `false` and use the listener's `connections`
* object to selectively grant access to the listener.
*
* @default true
*/
readonly open?: boolean;

}
25 changes: 25 additions & 0 deletions packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/listener.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -727,6 +727,31 @@ describe('tests', () => {
});
});

test('Can supress default ingress rules on a simple redirect response', () => {
// GIVEN
const stack = new cdk.Stack();
const vpc = new ec2.Vpc(stack, 'Stack');

const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', {
vpc,
});

// WHEN
loadBalancer.addRedirect({ open: false });

// THEN
expect(stack).not.toHaveResourceLike('AWS::EC2::SecurityGroup', {
SecurityGroupIngress: [
{
CidrIp: '0.0.0.0/0',
Description: 'Allow from anyone on port 80',
IpProtocol: 'tcp',
},
],
});

});

test('Can add simple redirect responses with custom values', () => {
// GIVEN
const stack = new cdk.Stack();
Expand Down