ApplicationLoadBalancedEc2Service allows 0.0.0.0/0 for listenerPort, and no way to remove it

[szurgotc]

When creating an ApplicationLoadBalancedEc2Service, the resulting Security Group allows 0.0.0.0/0 access for the specified listener port and there is no way to remove it. This happens even if you provide an ApplicationLoadBalancer directly.

It appears to be related to the fact that you can't set "open" on the listener created: https://github.com/aws/aws-cdk/blob/v1.42.1/packages/%40aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts#L186-L188

Reproduction Steps

Create an ApplicationLoadBalancedEC2Service

        this.service = new ApplicationLoadBalancedEc2Service(this, 'Service',{
            cluster: this.cluster.cluster,
            cpu: 512,
            taskDefinition: ec2TaskDefinition,
            listenerPort: 443,
            loadBalancer: webLoadBalancer,
            publicLoadBalancer: true,
            domainName: props.dnsName,
            domainZone:
                HostedZone.fromHostedZoneAttributes(this, 'HostedZone', {
                    hostedZoneId: props.hostedZoneId,
                    zoneName: props.dnsName
                })
        });

View the security group after synthesize.

Error Log

No error log.

Environment

• 1.32.2 (but this code is still present in the latest code)
• v12.16.3
• All
• All

Other

This should be called out in the documentation.

Also, there should be a way to specify that the listenerPort in the construct not include 0.0.0.0/0 so that it can be specified directly.

This is 🐛 Bug Report

[rix0rrr]

As a workaround, it's pretty trivial to recreate what the ApplicationLoadBalancedEc2Service does for you, which gives you more control.

[justin8]

Is recreating a construct from scratch really a workaround?

[flemjame-at-amazon]

Fixed by #9433

[metametadata]

@justin8 I think it's a good idea in a long term. Now I really understand and control all the moving parts, don't rely on surprising defaults and don't need to wait for tickets such as the current one or #6210 to be fixed.

Can't say it was a walk in the park to migrate away from ecs-patterns though, mainly because it took me some time to figure out how to set ECS service as an ALB target.

[SomayaB]

Closing this issue since it seems to have been fixed by #9433. Feel free to reopen.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.