i have this so far, i want to point the

httpsListener

to the task target group, but i am not sure how to do that (i tried putting it in portMappings but it didn’t work)

const apiCertificateArn = 'some-arn'

const httpsListener = alb.createListener('https-listener', {
  port: 443,
  protocol: 'HTTPS',
  external: true,
  certificateArn: apiCertificateArn,
});

const httpListener = alb.createListener('http-listener', {
  port: 80,
  protocol: 'HTTP',
  external: true,
});

// Build and publish a Docker image to a private ECR registry.
const img = awsx.ecs.Image.fromPath('api-img', '.');

// Create a Fargate service task that can scale out.
const appService = new awsx.ecs.FargateService('api-service', {
  cluster,
  taskDefinitionArgs: {
    container: {
      image: img,
      cpu: 2048,
      memory: 1024,
      portMappings: [httpListener],
      environment: [{ name: 'PORT', value: '80' }],
    },
  },
  desiredCount: 1,
});

const albSecurityGroup = new awsx.ec2.SecurityGroup(`${appName}-lb-sg`, {
  egress: [
    {
      fromPort: 443,
      toPort: 443,
      protocol: "tcp",
      cidrBlocks: ["0.0.0.0/0"],
      description: `For ${appName} load balancer`,
    },
  ],
  ingress: [
    {
      fromPort: 443,
      toPort: 443,
      protocol: "tcp",
      cidrBlocks: ["0.0.0.0/0"],
      description: `For ${appName} load balancer`,
    },
  ],
  vpc,
});

const alb = new awsx.lb.ApplicationLoadBalancer(`${appName}-lb`, {
  loadBalancer: new aws.lb.LoadBalancer(`${appName}-alb`, {
    accessLogs: {
      bucket: logBucketId,
      enabled: true,
      prefix: appName,
    },
    dropInvalidHeaderFields: true,
    external: true,
    securityGroups: [albSecurityGroup.id],
    subnets: publicSubnetIds,
  }),
  vpc,
});

alb.createListener(`${appName}-http`, {
  defaultAction: {
    type: "redirect",
    redirect: {
      protocol: "HTTPS",
      port: "443",
      statusCode: "HTTP_301",
    },
  },
  external: false,
  port: 80,
  protocol: "HTTP",
  vpc,
});

const https = alb.createListener(`${appName}-https`, {
  certificateArn,
  defaultActions: [
    {
      fixedResponse: {
        contentType: "text/plain",
        messageBody: "404 Site Not Found",
        statusCode: "404",
      },
      type: "fixed-response",
    },
  ],
  external: false,
  port: 443,
  protocol: "HTTPS",
  sslPolicy: "ELBSecurityPolicy-TLS-1-2-Ext-2018-06",
  vpc: vpc.vpc,
});

const appTargetGroup = new awsx.lb.ApplicationTargetGroup(`${appName}-tg`, {
  deregistrationDelay: 0,
  healthCheck: {
    path: "/",
    port: "443",
    protocol: "HTTPS",
    matcher: "200",
  },
  loadBalancer: alb,
  port: 443,
  protocol: "HTTPS",
  vpc,
});

new awsx.lb.ListenerRule(`${appName}-lr`, https, {
  actions: [
    {
      targetGroupArn: appTargetGroup.targetGroup.arn.apply(v => v),
      type: "forward",
    },
  ],
  conditions: [
    {
      hostHeader: {
        values: [`${appName}.*`],
      },
    },
  ],
  priority: 1,
});

new aws.route53.Record(`${appName}-www`, {
  aliases: [
    {
      evaluateTargetHealth: true,
      name: alb.loadBalancer.dnsName,
      zoneId: zoneId,
    },
  ],
  name: appName,
  type: "A",
  zoneId: hostedZoneId,
});

And the service has:

portMappings: [appTargetGroup],

thanks for the thorough answer