fix(elbv2): unable to deploy template with IPv4 load balancer when denyAllIgwTraffic set

[Michae1CC]

Reason for this change

Integ test for NLB attributes (integ.nlb-attributes.ts) fails to deploy due to an error. The error occurs when denyAllIgwTraffic is explicitly set for load balancers with Ipv4 addressing, the ipv6.deny_all_igw_traffic attribute is set.

Description of changes

• Remove the denyAllIgwTraffic setting from integ.nlb-attribute.ts
• Instead, set denyAllIgwTraffic in integ.nlb.dualstack.internal.ts.
• Raise an error during synthesis if denyAllIgwTraffic is set on a load balancer that does not use dual stack addressing.

Description of how you validated changes

• Added new unit tests for different combinations of denyAllIgwTraffic and ipAddressType
• Updated existing integration test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[nmussy]

I think your change is affecting unrelated configurations, I would double check your condition and what you're expecting it do accomplish

I would also like to see additional unit tests, a combination of the following possibilities. I'm not sure what's the expected behavior for some of them, and coverage is always good:

• denyAllIgwTraffic: undefined/denyAllIgwTraffic: false/denyAllIgwTraffic: true
• ipAddressType: undefined/ipAddressType: IpAddressType.IPV4/ipAddressType: IpAddressType.DUALSTACK

Would you also be able to add additional integration tests to make sure that denyAllIgwTraffic: false and ipAddressType: IpAddressType.DUALSTACK is being deployed correctly?

[nmussy]

Suggested change

	test('loadBalancerName unallowed: denyAllIgwTraffic set to false for Ipv4 adressing', () => {
	test('throw error for denyAllIgwTraffic set to false for Ipv4 adressing', () => {

[nmussy]

ipAddressType is meant to be IpAddressType.IPV4 by default, and denyAllIgwTraffic is supposed to be false, I assume this condition is incorrect?

[Michae1CC]

Appreciate the feedback! Apologies for the spiel

Yes, ipAddressType is meant to be IpAddressType.IPV4. As for denyAllIgwTraffic the docs mention "optional, default: false for internet-facing load balancers and true for internal load balancers". Looking at code though, denyAllIgwTraffic is never actually given a default value which is why we have this check for undefined here.

The denyAllIgwTraffic was created from this issue: #29520. Basically
denyAllIgwTraffic is supposed to set ipv6.deny_all_igw_traffic. However, having ipv6.deny_all_igw_traffic set (to either true or false) for any Ipv4 load balancer will cause a failed deployment. I'm starting to think the condition should actually be this:

Suggested change

	if (additionalProps.ipAddressType === IpAddressType.IPV4 && baseProps.denyAllIgwTraffic === false) {
	if (additionalProps.ipAddressType === IpAddressType.IPV4 && baseProps.denyAllIgwTraffic !== undefined) {

[nmussy]

Looking at code though, denyAllIgwTraffic is never actually given a default value which is why we have this check for undefined here.

The CDK doesn't always set the default values, in fact most of the time CloudFormation does. This is the case here, although it's more complicated than just defaulted to false, see docs. The @default value needs to be updated to reflect this

[nmussy]

That's a scary change, I'm going to assume it's an unintended side effect. Given the integration was being deployed before your change, I assume the integ stack was being deployed successfully

[Michae1CC]

Hehe, well that's the thing, I could not deploy the integration test before my change. The deployment failed with

Resource handler returned message: "Load balancer attribute key 'ipv6.deny_all_igw_traffic' is not supported on load balancers with IP address type 'ipv4'.

That's why I renamed the test to, in effect, remove the old test and replace with a template you can deploy (the name I use also aligns with the existing alb test). This particular integration test was added very recently. I can only think that who ever created it only synthesized the test and didn't try deploying.

[nmussy]

@badmintoncryer Could we get some clarification on this? See #29521

[badmintoncryer]

Surely I haven't created a snapshot without deploying it...
I'll try it later. Please wait for a while.

[badmintoncryer]

@nmussy @Michae1CC
I tried to deploy integ.nlb-attributes.ts but it cannot. I'm really sorry and I don't know how I could create snapshot files...

I have conducted deployment verification for internal ALBs and NLBs across several patterns.
The results are the same for both ALB and NLB.

ipAddressType	denyAllIgwTraffic	deployment result	error message
IPV4	true	failed	Load balancer attribute key 'ipv6.deny_all_igw_traffic' is not supported on load balancers with IP address type 'ipv4'.
IPV4	false	failed	Load balancer attribute key 'ipv6.deny_all_igw_traffic' is not supported on load balancers with IP address type 'ipv4'.
DUAL_STACK	true	success
DUAL_STACK	false	failed	Load balancer attribute key 'ipv6.deny_all_igw_traffic' cannot be modified for load balancers of type 'network'.

Based on these results, I propose the following amendments:

1. If denyAllIgwTraffic is defined, return an error if ipAddressType is not DUAL_STACK.
2. Revise the existing integ.nlb-attributes.ts to make it deployable:

• Remove the denyAllIgwTraffic setting.
• Instead, set denyAllIgwTraffic in integ.nlb.dualstack.internal.ts.

For item 2, it might be better to handle it as a separate issue.
If so, I will take responsibility for addressing it.

[badmintoncryer]

@Michae1CC My only suggestion is that the PR title should describe the content of the bug being resolved, rather than just mentioning the resolution of integration test errors.

Titles for feat and fix PRs end up in the change log. Think about what makes most sense for users reading the changelog while writing them.
- feat: describe the feature (not the action of creating the commit or PR, for example, avoid words like "added" or "changed")
- fix: describe the bug (not the solution)

Since I am unable to conduct community reviews, it would be best for the rest to be checked by @nmussy .

[Michae1CC]

Gotcha, maybe something like integ test for NLB attributes failing to deploy due to setting denyAllIgwTraffic?

[badmintoncryer]

I apologize, I finally realized that this was actually a PR intended to resolve an integration test error. My English skills are limited and I made a significant misunderstanding. My suggestion to split the PR also made no sense. I'm sorry.

Without specifically mentioning the integration test, how about using the title:
'fix(elbv2): unable to deploy an IPv4 load balancer with denyAllIgwTraffic enabled'?
or considering it as the addition of a verification feature,
'feat(elbv2): verification of denyAllIgwTraffic for IPv4 Load Balancers'

However, I would appreciate it if you could consider nmussy opinion on this matter as well.

[nmussy]

No need to apologize! And I agree, this PR's goal is not to fix an integration test, it's to prevent this pattern from being synthesized in the first place

[Michae1CC]

Thanks both, updated the title

[nmussy]

@Michae1CC I also left you a general comment in the review, in case you didn't see it: #29956 (review)

[Michae1CC]

@Michae1CC I also left you a general comment in the review, in case you didn't see it: #29956 (review)

Yes, thanks again! I'll add more tests once we've aligned on the expected behaviour.

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Michae1CC]

Hey both, updated the integration tests and PR description. Let me know what you think.

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 8542f60
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[Michae1CC]

@nmussy just floating this back up, are there any other changes you wanted? @badmintoncryer seems happy with it, but mentioned they would leave the review to you since they're not part of the cdk team.

[nmussy]

I'm not a maintainer either 😅 But yes, LGTM 👍

[jrobbins-LiveData]

I don't know if the problem I am having trying to deploy an ELBv2 with an IPv4 VPC is related to this issue or not (sorry if irrelevant), but I am getting this error

AlbCdk-test | 14/22 | 8:28:08 PM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer | ALB (ALBAEE750D2) Resource handler returned message: "Load balancer attribute key 'ipv6.deny_all_igw_traffic' is not supported on load balancers with IP address type 'ipv4'. (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: cfbc6c78-d50c-4760-a163-020bceffe4d2)" (RequestToken: c487d145-cdbc-6431-112b-daa1a9bc652f, HandlerErrorCode: InvalidRequest)

The Python CDK code is

        alb = elbv2.ApplicationLoadBalancer(
            self, 'ALB',
            internet_facing=True,
            http2_enabled=True,
            ip_address_type=elbv2.IpAddressType.IPV4,
            drop_invalid_header_fields=True,
            desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
            client_keep_alive=cdk.Duration.seconds(500),
            deny_all_igw_traffic=False,
            preserve_host_header=True,
            x_amzn_tls_version_and_cipher_suite_headers=True,
            preserve_xff_client_port=True,
            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
            waf_fail_open=True,
            vpc=vpc,
            vpc_subnets=vpc_subnets
            # security_group=security_group
        )

The VPC is IPv4 only.

The subnets are the 3 public subnets of that VPC.

[Michae1CC]

I don't know if the problem I am having trying to deploy an ELBv2 with an IPv4 VPC is related to this issue or not (sorry if irrelevant), but I am getting this error

AlbCdk-test | 14/22 | 8:28:08 PM | CREATE_FAILED        | AWS::ElasticLoadBalancingV2::LoadBalancer | ALB (ALBAEE750D2) Resource handler returned message: "Load balancer attribute key 'ipv6.deny_all_igw_traffic' is not supported on load balancers with IP address type 'ipv4'. (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: cfbc6c78-d50c-4760-a163-020bceffe4d2)" (RequestToken: c487d145-cdbc-6431-112b-daa1a9bc652f, HandlerErrorCode: InvalidRequest)

The Python CDK code is

        alb = elbv2.ApplicationLoadBalancer(
            self, 'ALB',
            internet_facing=True,
            http2_enabled=True,
            ip_address_type=elbv2.IpAddressType.IPV4,
            drop_invalid_header_fields=True,
            desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
            client_keep_alive=cdk.Duration.seconds(500),
            deny_all_igw_traffic=False,
            preserve_host_header=True,
            x_amzn_tls_version_and_cipher_suite_headers=True,
            preserve_xff_client_port=True,
            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
            waf_fail_open=True,
            vpc=vpc,
            vpc_subnets=vpc_subnets
            # security_group=security_group
        )

The VPC is IPv4 only.

The subnets are the 3 public subnets of that VPC.

@jrobbins-LiveData yes, this problem is directly related to these changes. Currently, having deny_all_igw_traffic set when using elbv2.IpAddressType.IPV4 will cause the template to fail during deploy. Part of these changes will catch this by throwing an error during synthesis.

[Michae1CC]

@paulhcsun , @GavinZZ would either of you mind reviewing this one - thanks.

[jrobbins-LiveData]

@Michae1CC, I commented out deny_all_igw_traffic=False and the deployment worked.

        alb = elbv2.ApplicationLoadBalancer(
            self, 'ALB',
            internet_facing=True,
            http2_enabled=True,
            ip_address_type=elbv2.IpAddressType.IPV4,
            drop_invalid_header_fields=True,
            desync_mitigation_mode=elbv2.DesyncMitigationMode.DEFENSIVE,
            client_keep_alive=cdk.Duration.seconds(500),
            # deny_all_igw_traffic=False,
            preserve_host_header=True,
            x_amzn_tls_version_and_cipher_suite_headers=True,
            preserve_xff_client_port=True,
            xff_header_processing_mode=elbv2.XffHeaderProcessingMode.APPEND,
            waf_fail_open=True,
            vpc=vpc,
            vpc_subnets=vpc_subnets
            # security_group=security_group
        )

The CDK help indeed does not list a default for this param as it is marked as Optional.

deny_all_igw_traffic (Optional[bool]) – Indicates whether the load balancer blocks traffic through the Internet Gateway (IGW). Default: - false for internet-facing load balancers and true for internal load balancers

Does that mean that deny_all_igw_traffic is a tri-state param, or is that what you are changing? Just curious as to what the new behavior will be post-PR?