feat: Add props for NLB TLS certificate

NLB listener only allow 1 cert. The listener's protocol will become TLS if cert configured. And the target group protocol is same as listener by default (TLS).
aws · Aug 15, 2024 · d83e8ee · d83e8ee
1 parent ad1b797
commit d83e8ee
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/network-load-balanced-service-base.ts b/packages/aws-cdk-lib/aws-ecs-patterns/lib/base/network-load-balanced-service-base.ts
@@ -4,7 +4,7 @@ import {
   AwsLogDriver, BaseService, CloudMapOptions, Cluster, ContainerImage, DeploymentController, DeploymentCircuitBreaker,
   ICluster, LogDriver, PropagatedTagSource, Secret, CapacityProviderStrategy,
 } from '../../../aws-ecs';
-import { INetworkLoadBalancer, IpAddressType, NetworkListener, NetworkLoadBalancer, NetworkLoadBalancerProps, NetworkTargetGroup } from '../../../aws-elasticloadbalancingv2';
+import { IListenerCertificate, INetworkLoadBalancer, IpAddressType, NetworkListener, NetworkLoadBalancer, NetworkLoadBalancerProps, NetworkTargetGroup } from '../../../aws-elasticloadbalancingv2';
 import { IRole } from '../../../aws-iam';
 import { ARecord, CnameRecord, IHostedZone, RecordTarget } from '../../../aws-route53';
 import { LoadBalancerTarget } from '../../../aws-route53-targets';
@@ -136,6 +136,15 @@ export interface NetworkLoadBalancedServiceBaseProps {
    */
   readonly listenerPort?: number;
 
+  /**
+   * Listener certificate list of ACM cert ARNs.
+   * If you provide a certificate, the listener's protocol will be TLS.
+   * If not, the listener's protocol will be TCP.
+   *
+   * @default - none
+   */
+  readonly listenerCertificate?: IListenerCertificate;
+
   /**
    * Specifies whether to propagate the tags from the task definition or the service to the tasks in the service.
    * Tags can only be propagated to the tasks within the service during service creation.
@@ -368,12 +377,16 @@ export abstract class NetworkLoadBalancedServiceBase extends Construct {
     };
 
     const loadBalancer = props.loadBalancer ?? new NetworkLoadBalancer(this, 'LB', lbProps);
-    const listenerPort = props.listenerPort ?? 80;
+
+    const listenerProps = {
+      port: props.listenerPort ?? 80,
+      certificates: props.listenerCertificate ? [props.listenerCertificate] : undefined,
+    };
+    this.listener = loadBalancer.addListener('PublicListener', listenerProps);
+
     const targetProps = {
       port: props.taskImageOptions?.containerPort ?? 80,
     };
-
-    this.listener = loadBalancer.addListener('PublicListener', { port: listenerPort });
     this.targetGroup = this.listener.addTargets('ECS', targetProps);
 
     if (typeof props.domainName !== 'undefined') {