(aws_ecs_patterns): ApplicationLoadBalancedFargateService and NetworkLoadBalancedFargateService fails to become private once configured as public #33224

Open
hqv-divya opened this issue Jan 29, 2025 · 2 comments
Labels
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud @aws-cdk/aws-ecs-patterns Related to ecs-patterns library bug This issue is a bug. p3 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@hqv-divya

Describe the bug

I was testing out the CDK with Fargate services and I stumbled across these two constructs.
I tried configuring a sample application using the NetworkLoadBalancedFargateService construct with the following code:

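import { Duration } from "aws-cdk-lib";
import { ConnectionType, Integration, IntegrationType, RestApi, VpcLink } from "aws-cdk-lib/aws-apigateway";
import { Port } from "aws-cdk-lib/aws-ec2";
import { NetworkLoadBalancedFargateService } from "aws-cdk-lib/aws-ecs-patterns";
import { Protocol } from "aws-cdk-lib/aws-elasticloadbalancingv2";

// Inside a Stack constructor; vpc and taskDefinition are defined elsewhere.
const fargateService = new NetworkLoadBalancedFargateService(this, "SampleNetworkLoadBalancedFargateService", {
  vpc,
  taskDefinition: taskDefinition,
  minHealthyPercent: 100,
});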

fargateService.service.connections.allowFromAnyIpv4(Port.tcp(80), "Allow inbound HTTP traffic");
    
fargateService.targetGroup.healthCheck = {
  port: "80",
  protocol: Protocol.TCP,
  interval: Duration.seconds(20),
}

const vpcLink = new VpcLink(this, "SampleNodeVpcLink", {
  targets: [fargateService.loadBalancer],
})

const integration = new Integration({
  type: IntegrationType.HTTP_PROXY,
  integrationHttpMethod: "ANY",
  options: {
    connectionType: ConnectionType.VPC_LINK,
    vpcLink: vpcLink,
  }
})

const api = new RestApi(this, "SampleNodeApi", {
  defaultIntegration: integration,
  deploy: true,
  restApiName: "SampleNodeApi",
})

api.root.addResource("{proxy+}").addMethod("ANY", integration);

This deployed the network load balancer in the public subnet by default. I wanted to make this private so I added the parameter publicLoadBalancer: false in the NetworkLoadBalancedFargateService and tried to deploy it again as an update.

This created a new network load balancer and a new VPC link but it couldn't delete the previous load balancer because instead of deleting the VPC link first, the stack attempted to delete the network load balancer itself.

Resource handler returned message: "Load balancer 'arn:aws:elasticloadbalancing:eu-west-1:xxxxxxxxxx:loadbalancer/net/EcsCon-Sampl-YR9C1LyxDG1G/ec5eeca8f820165e' cannot be deleted because it is currently associated with another service (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: 95033b60-7fe2-4bca-bd34-01071c4e674d)" (RequestToken: 37e62d01-0029-18d2-d8d2-01db07df8ac4, HandlerErrorCode: InvalidRequest)

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

It should attach the API Gateway to the new VPC Link integration, then delete the old VPC link and then delete the network load balancer.

Current Behavior

It tries to delete the network load balancer directly without taking care of its connections and fails with the error:

Resource handler returned message: "Load balancer 'arn:aws:elasticloadbalancing:eu-west-1:xxxxxxxxxx:loadbalancer/net/EcsCon-Sampl-YR9C1LyxDG1G/ec5eeca8f820165e' cannot be deleted because it is currently associated with another service (Service: ElasticLoadBalancingV2, Status Code: 400, Request ID: 95033b60-7fe2-4bca-bd34-01071c4e674d)" (RequestToken: 37e62d01-0029-18d2-d8d2-01db07df8ac4, HandlerErrorCode: InvalidRequest)

Reproduction Steps

Create and deploy a Fargate service using the construct:

const fargateService = new NetworkLoadBalancedFargateService(this, "SampleNetworkLoadBalancedFargateService", {
  vpc,
  taskDefinition: taskDefinition,
  minHealthyPercent: 100,
});

fargateService.service.connections.allowFromAnyIpv4(Port.tcp(80), "Allow inbound HTTP traffic");
    
fargateService.targetGroup.healthCheck = {
  port: "80",
  protocol: Protocol.TCP,
  interval: Duration.seconds(20),
}

const vpcLink = new VpcLink(this, "SampleNodeVpcLink", {
  targets: [fargateService.loadBalancer],
})

const integration = new Integration({
  type: IntegrationType.HTTP_PROXY,
  integrationHttpMethod: "ANY",
  options: {
    connectionType: ConnectionType.VPC_LINK,
    vpcLink: vpcLink,
  }
})

const api = new RestApi(this, "SampleNodeApi", {
  defaultIntegration: integration,
  deploy: true,
  restApiName: "SampleNodeApi",
})

api.root.addResource("{proxy+}").addMethod("ANY", integration);

Once it is created successfully, add the property publicLoadBalancer: false to the NetworkLoadBalancedFargateService like so:

const fargateService = new NetworkLoadBalancedFargateService(this, "SampleNetworkLoadBalancedFargateService", {
  vpc,
  taskDefinition: taskDefinition,
  minHealthyPercent: 100,
  publicLoadBalancer: false
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.177.0

Framework Version

No response

Node.js Version

v20.17.0

OS

Windows

Language

TypeScript

Language Version

5.6.2

Other information

No response

@hqv-divya hqv-divya added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jan 29, 2025
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Jan 29, 2025
@hqv-divya hqv-divya changed the title (ecs_cluster_patterns): ApplicationLoadBalancedFargateService and NetworkLoadBalancedFargateService fails to become private once configured as public (aws_ecs_patterns): ApplicationLoadBalancedFargateService and NetworkLoadBalancedFargateService fails to become private once configured as public Jan 29, 2025
@github-actions github-actions bot added the @aws-cdk/aws-ecs-patterns Related to ecs-patterns library label Jan 29, 2025
@pahud pahud self-assigned this Jan 29, 2025
@pahud
Contributor

pahud commented Jan 29, 2025

After you made the CDK code change, did you run cdk diff? Can you share the output? This would give us more details about what's going to happen on cdk deploy.

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 labels Jan 29, 2025
@pahud pahud removed their assignment Jan 29, 2025
@pahud pahud removed the needs-triage This issue or PR still needs to be triaged. label Jan 29, 2025
@hqv-divya
Author

Sure, here's the cdk diff

Resources
[~] AWS::ElasticLoadBalancingV2::LoadBalancer SampleNetworkLoadBalancedFargateService/LB SampleNetworkLoadBalancedFargateServiceLB3B04F5EA replace
 ├─ [~] Scheme (requires replacement)
 │   ├─ [-] internet-facing
 │   └─ [+] internal
 └─ [~] Subnets
     └─ @@ -1,4 +1,4 @@
        [ ] [
        [-]   "subnet-08d2e5e9a5526d5cd",
        [-]   "subnet-03639cc2fb087e322"
        [+]   "subnet-0be5b8bc6890cdfd1",
        [+]   "subnet-002110f783fd87957"
        [ ] ]
[~] AWS::ElasticLoadBalancingV2::Listener SampleNetworkLoadBalancedFargateService/LB/PublicListener SampleNetworkLoadBalancedFargateServiceLBPublicListener8ED1C5F0 replace
 └─ [~] LoadBalancerArn (requires replacement)
     └─ [~] .Ref:
         ├─ [-] SampleNetworkLoadBalancedFargateServiceLB3B04F5EA
         └─ [+] SampleNetworkLoadBalancedFargateServiceLB3B04F5EA (replaced)
[~] AWS::ApiGateway::VpcLink SampleNodeVpcLink SampleNodeVpcLink1252BC70 replace
 └─ [~] TargetArns (requires replacement)
     └─ @@ -1,5 +1,5 @@
        [ ] [
        [ ]   {
        [-]     "Ref": "SampleNetworkLoadBalancedFargateServiceLB3B04F5EA"
        [+]     "Ref": "SampleNetworkLoadBalancedFargateServiceLB3B04F5EA (replaced)"
        [ ]   }
        [ ] ]


✨  Number of stacks with differences: 1
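
Added example, not part of the issue thread or the CDK project: a pre-deploy check over a synthesized CloudFormation template that flags an API Gateway VPC link whose target load balancer would be created internet-facing, so the scheme is caught before the first deploy instead of being changed by a replacement later. The function names and the sample template are hypothetical; the sample reuses the logical IDs shown in the cdk diff above and assumes the `{"Ref": ...}` target form that the diff shows.

```typescript
// Added example: scan a synthesized template for VPC links that target a public load balancer.
type Resource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, Resource> };

const LB_TYPE = "AWS::ElasticLoadBalancingV2::LoadBalancer";
const VPC_LINK_TYPE = "AWS::ApiGateway::VpcLink";

// Returns "<vpcLinkId> -> <loadBalancerId>" for every VPC link whose target
// is a load balancer in the same template that is not Scheme "internal".
function findPublicVpcLinkTargets(template: Template): string[] {
  const findings: string[] = [];
  for (const [linkId, link] of Object.entries(template.Resources)) {
    if (link.Type !== VPC_LINK_TYPE) continue;
    const targets: unknown[] = link.Properties?.TargetArns ?? [];
    for (const target of targets) {
      // Same-stack targets appear as {"Ref": "<logical id>"}; literal ARNs are skipped.
      const lbId = (target as { Ref?: string } | null)?.Ref;
      if (typeof lbId !== "string") continue;
      const lb = template.Resources[lbId];
      if (!lb || lb.Type !== LB_TYPE) continue;
      // CloudFormation treats a missing Scheme as internet-facing.
      const scheme = lb.Properties?.Scheme ?? "internet-facing";
      if (scheme !== "internal") findings.push(`${linkId} -> ${lbId}`);
    }
  }
  return findings;
}

// Constructed sample template (not real cdk synth output).
function sampleTemplate(scheme?: string): Template {
  return {
    Resources: {
      SampleNetworkLoadBalancedFargateServiceLB3B04F5EA: {
        Type: LB_TYPE,
        Properties: { Type: "network", ...(scheme ? { Scheme: scheme } : {}) },
      },
      SampleNodeVpcLink1252BC70: {
        Type: VPC_LINK_TYPE,
        Properties: { TargetArns: [{ Ref: "SampleNetworkLoadBalancedFargateServiceLB3B04F5EA" }] },
      },
    },
  };
}

console.log(findPublicVpcLinkTargets(sampleTemplate("internet-facing")));
console.log(findPublicVpcLinkTargets(sampleTemplate("internal")));
```
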
