https://pulumi.com logo
#aws
Title
# aws
n

nice-policeman-63970

10/08/2020, 9:46 PM
Hi, i'm new to pulumi and also mostly new to AWS. I'm trying to deploy a service in fargate using the awsx package. Unlike the basic examples of this in the docs, I want to expose the service via HTTPS on a custom domain. I have almost figured it out, but I'm running into a weird issue I can't figure out with security rules and health checks. My basic setup is this: • a
awsx.ecs.FargateService
, with a container listening on port 8080 • a
<http://awsx.lb|awsx.lb>.ApplicationTargetGroup
for port 8080 HTTP with the right healthcheck configured. This is connected to the container/service via
portMappings
• a
<http://awsx.lb|awsx.lb>.ApplicationListener
for port 443 HTTPS, connected to the targetGroup • ... a bunch of route53/ACM stuff that seems to be working by now The problem is that the health checks that the Target Group performs are failing with this setup, but succeeding with a listener on port 8080 HTTP (using the same
targetGroup
!) I have narrowed the problem down to the
awsx:x:ec2:IngressSecurityGroupRule
(+egress) named
listener-id-external-0-ingress
awsx creates. This only includes port 443. If I add port 8080 via the console, everything works. I would have expected that this rule is only applied to the external load balancer, not to the container, but maybe not? What can I do to fix this, without fully rewriting from awsx to aws components? (happy to post typescript snippets as well if they are helpful)
b

billowy-army-68599

10/09/2020, 4:34 AM
hey Karl. Sorry for the delay in responding. Can you share the code you're using to deploy? it'll really help with debugging
q

quick-finland-93793

10/09/2020, 7:17 AM
Your service (Target of your TargetGroup) gets assigned with a security group - this group determines which resources/IPs/etc... are allowed to access your service. As the TargetGroup performs Healtchecks at Port 8080 your SecurityGroup has to allow an ingress on port 8080. Ideally you want to allow ingress on Port 8080 for the resources of the ALB securityGroup.
E.G. ALB got
sg-<someID>
your service should contain an ingress rule on port 8080 with Source of the ALB SecurityGroup
n

nice-policeman-63970

10/09/2020, 8:28 AM
Thanks for the explanation about the rules. I'm still not sure how to best express that in my code. Do I declare this rule seperately, and connect it to my service? What causes the (wrong?) automatic creation of the rule for 443 and can I fix that instead?
here's a snippet that can be deployed that should exhibit the same behaviour https://gist.github.com/karlsander/5f78bc114258b9f6d15c225d015a349e (it does still require a database url to start and pass health checks)