cdklabs · bvtujo · Jan 24, 2023 · Jan 24, 2023 · Jan 24, 2023
diff --git a/API.md b/API.md
diff --git a/src/extensions/http-load-balancer.ts b/src/extensions/http-load-balancer.ts
@@ -1,4 +1,5 @@
 import { CfnOutput, Duration } from 'aws-cdk-lib';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
 import * as alb from 'aws-cdk-lib/aws-elasticloadbalancingv2';
 import { Construct } from 'constructs';
@@ -10,6 +11,14 @@ export interface HttpLoadBalancerProps {
    * The number of ALB requests per target.
    */
   readonly requestsPerTarget?: number;
+
+  /**
+   * An ACM certificate to associate with this load balancer. If specified, this
+   * extension will listen over HTTPS on port 443.
+   *
+   * @default - undefined. The load balancer will listen on port 80 over HTTP.
+   */
+  readonly certificate?: acm.ICertificate;
 }
 /**
  * This extension add a public facing load balancer for sending traffic
@@ -19,10 +28,12 @@ export class HttpLoadBalancerExtension extends ServiceExtension {
   private loadBalancer!: alb.IApplicationLoadBalancer;
   private listener!: alb.IApplicationListener;
   private requestsPerTarget?: number;
+  private certificate?: acm.ICertificate;
 
   constructor(props: HttpLoadBalancerProps = {}) {
     super('load-balancer');
     this.requestsPerTarget = props.requestsPerTarget;
+    this.certificate = props.certificate;
   }
 
   // Before the service is created, go ahead and create the load balancer itself.
@@ -33,12 +44,28 @@ export class HttpLoadBalancerExtension extends ServiceExtension {
       vpc: this.parentService.vpc,
       internetFacing: true,
     });
-
+    const protocol = this.certificate ? alb.ApplicationProtocol.HTTPS : alb.ApplicationProtocol.HTTP;
+    const port = this.certificate ? 443 : 80;
     this.listener = this.loadBalancer.addListener(`${this.parentService.id}-listener`, {
-      port: 80,
+      port,
+      protocol,
       open: true,
     });
 
+    if (this.certificate) {
+      this.listener.addCertificates('cert', [alb.ListenerCertificate.fromCertificateManager(this.certificate)]);
+      this.loadBalancer.addListener(`${this.parentService.id}-redirect-listener`, {
+        protocol: alb.ApplicationProtocol.HTTP,
+        port: 80,
+        open: true,
+        defaultAction: alb.ListenerAction.redirect({
+          port: '443',
+          protocol: alb.ApplicationProtocol.HTTPS,
+          permanent: true,
+        }),
+      });
+    }
+
     // Automatically create an output
     new CfnOutput(scope, `${this.parentService.id}-load-balancer-dns-output`, {
       value: this.loadBalancer.loadBalancerDnsName,

diff --git a/test/http-load-balancer.test.ts b/test/http-load-balancer.test.ts
@@ -1,5 +1,6 @@
 import { Stack } from 'aws-cdk-lib';
 import { Template } from 'aws-cdk-lib/assertions';
+import * as acm from 'aws-cdk-lib/aws-certificatemanager';
 import * as ecs from 'aws-cdk-lib/aws-ecs';
 import { Container, Environment, HttpLoadBalancerExtension, Service, ServiceDescription } from '../lib';
 
@@ -138,4 +139,56 @@ describe('http load balancer', () => {
       });
     }).toThrow(/Auto scaling target for the service 'my-service' hasn't been configured. Please use Service construct to configure 'minTaskCount' and 'maxTaskCount'./);
   });
+
+  test('should create HTTP listener and redirect if certificate specified', () => {
+    // GIVEN
+    const stack = new Stack();
+
+    // WHEN
+    const environment = new Environment(stack, 'production');
+    const serviceDescription = new ServiceDescription();
+
+    serviceDescription.add(new Container({
+      cpu: 256,
+      memoryMiB: 512,
+      trafficPort: 80,
+      image: ecs.ContainerImage.fromRegistry('nathanpeck/name'),
+    }));
+    const certificate = acm.Certificate.fromCertificateArn(
+      stack,
+      'importedCert',
+      'arn:aws:acm:us-west-2:1234567:certificate/ABC123',
+    );
+    serviceDescription.add(new HttpLoadBalancerExtension({ certificate }));
+
+    new Service(stack, 'my-service', {
+      environment,
+      serviceDescription,
+      desiredCount: 2,
+    });
+
+    // THEN
+    Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+      Port: 443,
+      Certificates: [
+        { CertificateArn: 'arn:aws:acm:us-west-2:1234567:certificate/ABC123' },
+      ],
+      Protocol: 'HTTPS',
+    });
+
+    Template.fromStack(stack).hasResourceProperties('AWS::ElasticLoadBalancingV2::Listener', {
+      Port: 80,
+      Protocol: 'HTTP',
+      DefaultActions: [
+        {
+          RedirectConfig: {
+            Port: '443',
+            Protocol: 'HTTPS',
+            StatusCode: 'HTTP_301',
+          },
+          Type: 'redirect',
+        },
+      ],
+    });
+  });
 });