feat(ecs-patterns): allow setting TLS listener for NLB patterns #6988
Two review threads on packages/@aws-cdk/aws-ecs-patterns/lib/base/network-multiple-target-groups-service-base.ts (outdated, resolved)
Should this also be updated for the NLBService?
The PR looks great! I think this is more of a feature than a chore, so you'll need to add an example to the README.

Is this only blocked by a readme?

No, this is blocked because a public TLS listener with a domain still won't work with this PR.

Understood. Thanks for the response.
Won't be able to work on it for a while. Close for now.

Following. This has just tripped me up too. Is there anything we can do to help move this along?
For anyone who finds this... I made use of the ECS patterns as they're really useful, and got TLS termination working like this:

```ts
// Imports and the stack wrapper are assumed (CDK v1 module layout, as used by
// this repo); the original comment only showed the constructor body.
import * as cdk from '@aws-cdk/core';
import * as ec2 from '@aws-cdk/aws-ec2';
import * as ecs from '@aws-cdk/aws-ecs';
import * as ecsPatterns from '@aws-cdk/aws-ecs-patterns';
import * as elbv2 from '@aws-cdk/aws-elasticloadbalancingv2';
import * as route53 from '@aws-cdk/aws-route53';
import { DnsValidatedCertificate } from '@aws-cdk/aws-certificatemanager';

// The Route53 zone and VPC are passed in from other stacks.
interface SftpStackProps extends cdk.StackProps {
  zone: route53.IHostedZone;
  vpc: ec2.IVpc;
}

export class SftpStack extends cdk.Stack {
  constructor(scope: cdk.Construct, id: string, props: SftpStackProps) {
    super(scope, id, props);

    // ACM certificate for the NLB's TLS listener, DNS-validated in the hosted zone.
    const tlsCertificate = new DnsValidatedCertificate(this, 'SFTPWebCert', {
      domainName: `sftp.${props.zone.zoneName}`,
      hostedZone: props.zone,
    });
    const cluster = new ecs.Cluster(this, 'SFTPCluster', { vpc: props.vpc });

    // The pattern's own listeners are plain TCP, so only the SFTP port goes through it.
    const sftpService = new ecsPatterns.NetworkMultipleTargetGroupsFargateService(this, 'SFTPService', {
      cluster,
      serviceName: 'sftpgo',
      desiredCount: 1,
      cpu: 256,
      memoryLimitMiB: 512,
      taskImageOptions: {
        containerName: 'sftpgo',
        image: ecs.ContainerImage.fromRegistry('ghcr.io/drakkan/sftpgo:v2.2.2'),
      },
      loadBalancers: [
        {
          name: 'sftpgo',
          domainName: `sftp.${props.zone.zoneName}.`,
          domainZone: props.zone,
          publicLoadBalancer: true,
          listeners: [
            {
              name: 'sftp',
              port: 2022,
            },
          ],
        },
      ],
      targetGroups: [
        {
          containerPort: 2022,
          listener: 'sftp',
        },
      ],
    });

    // As it isn't possible to configure TLS through the listeners above,
    // we must resort to configuring them manually.
    const container = sftpService.taskDefinition.findContainer('sftpgo');
    container.addPortMappings({
      containerPort: 8080,
    });
    // TLS terminates at the NLB; the target group behind it speaks plain TCP to 8080.
    const webListener = sftpService.loadBalancer.addListener('web', {
      port: 443,
      certificates: [{ certificateArn: tlsCertificate.certificateArn }],
      sslPolicy: elbv2.SslPolicy.RECOMMENDED,
      alpnPolicy: elbv2.AlpnPolicy.HTTP1_ONLY,
    });
    sftpService.service.registerLoadBalancerTargets({
      containerName: 'sftpgo',
      containerPort: 8080,
      newTargetGroupId: 'sftpgo-web',
      listener: ecs.ListenerConfig.networkListener(webListener, {
        port: 8080,
        protocol: elbv2.Protocol.TCP, // enum rather than a bare 'TCP' string
      }),
    });

    // Although this opens ports to everywhere, the Fargate container is not
    // exposed directly to the outside world. All traffic is handled by the NLBs.
    sftpService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(2022), 'SSH/SFTP');
    sftpService.service.connections.allowFromAnyIpv4(ec2.Port.tcp(8080), 'Web UI');
  }
}
```

I pass in the Route53 zone and VPC from other stacks. The main thing here is that I make use of
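An added check, not part of this PR or the CDK project, that a practitioner could run over the JSON template produced by `cdk synth` for a stack like the one above: it flags NLB listeners on TLS ports that are still plain TCP, or that terminate TLS without a certificate or an explicit SSL policy. The template below is constructed inline, and the certificate ARN is a placeholder.

```typescript
// Added example: audit NLB listeners in a synthesized CloudFormation template.
// Only the template fields this check reads are modelled.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

interface Finding { listener: string; problem: string }

// Flags listeners on `tlsPorts` that do not terminate TLS with a certificate
// and an explicit SSL policy (what the manual `web` listener above configures).
function auditNlbListeners(template: CfnTemplate, tlsPorts: number[] = [443]): Finding[] {
  const findings: Finding[] = [];
  for (const id of Object.keys(template.Resources)) {
    const res = template.Resources[id];
    if (res.Type !== 'AWS::ElasticLoadBalancingV2::Listener') continue;
    const p = res.Properties ?? {};
    const port = Number(p.Port);
    if (tlsPorts.indexOf(port) < 0) continue;
    if (p.Protocol !== 'TLS') {
      findings.push({ listener: id, problem: `port ${port} is ${p.Protocol}, expected TLS` });
      continue;
    }
    if (!Array.isArray(p.Certificates) || p.Certificates.length === 0) {
      findings.push({ listener: id, problem: 'TLS listener has no certificate' });
    }
    if (typeof p.SslPolicy !== 'string' || p.SslPolicy === '') {
      findings.push({ listener: id, problem: 'TLS listener has no explicit SslPolicy' });
    }
  }
  return findings;
}

// Constructed sample: the `web` (TLS) and `sftp` (TCP) listeners from the stack
// above, plus a plain-TCP listener on 443 that the check should catch.
const sampleTemplate: CfnTemplate = {
  Resources: {
    SFTPServiceLBweb: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: {
      Port: 443, Protocol: 'TLS', SslPolicy: 'ELBSecurityPolicy-2016-08', AlpnPolicy: ['HTTP1Only'],
      Certificates: [{ CertificateArn: 'arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER' }],
    } },
    SFTPServiceLBsftp: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: { Port: 2022, Protocol: 'TCP' } },
    PlainWeb: { Type: 'AWS::ElasticLoadBalancingV2::Listener', Properties: { Port: 443, Protocol: 'TCP' } },
  },
};

// Usage: read `cdk.out/<stack>.template.json` and pass it instead of `sampleTemplate`.
console.log(auditNlbListeners(sampleTemplate));
```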
fix #6263
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license