fix(ecs-patterns): resolve target group conflict when updating ALB internetFacing or loadBalancerName (under feature flag)

[puretension]

fix(ecs-patterns): resolve target group conflict when switching ALB public/private

Fixes #33253

Issue # (if applicable)

Closes #33253.

Reason for this change

When switching ApplicationLoadBalancedFargateService from public to private (or vice versa), CloudFormation fails with "target group cannot be associated with more than one load balancer" error. This happens because both old and new load balancers try to use the same target group during replacement.

Updating the loadBalancerName of ApplicationLoadBalancedFargateService can also trigger the same issue.

Description of changes

Modified target group naming in ApplicationLoadBalancedServiceBase to include the load balancer type and name. e.g:

• Public load balancer: target group named "ECS"
• Private load balancer: target group named "ECSPrivate"
• Private load balancer with name "Foo": target group named "ECSFooPrivate"

This ensures each load balancer gets its own target group, preventing conflicts during CloudFormation updates.

⚠️ Destructive Changes

This PR contains intentional destructive changes to fix the target group conflict issue:

• Target Group Names Changed, e.g:

  • Public ALB: ECS (unchanged)
  • Private ALB: ECSPrivate (new)

• Impact: When switching from public to private ALB (or vice versa), CloudFormation will:

  1. Create new target group with different name
  2. Delete old target group
  3. This prevents the "target group cannot be associated with more than one load balancer" error

• Justification: This is the intended fix for issue (aws_ecs_patterns): ApplicationLoadBalancedFargateService fails to update when switched from public to private - Fails due to target group #33253. The destructive change is necessary to resolve the CloudFormation conflict.

Breaking Change: ❌ No - This only affects the internal target group naming, not user-facing APIs.

Describe any new or updated permissions being added

No new IAM permissions required.

Description of how you validated changes

• Added unit tests verifying target group names for both public and private configurations
• Created integration test integ.alb-fargate-service-public-private-switch.ts that deploys both public and private ALB services
• Verified CloudFormation templates generate different target group names

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

[aws-cdk-automation]

(This review is outdated)

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[Abogical]

Hi @puretension, Thank you for your contribution!

As this PR has breaking (destructive) changes, a feature flag will be needed here. See this guide which will help you add a new feature flag for this PR. This fix will then only take effect when the feature flag is set.

Also, see my comment on setting the ID below.

Pull request has been modified.

[Abogical]

Thank you for the quick edit!

Following steps 4-6 in the feature flag guide, the following is needed:

4. Add an entry for your feature flag in the README file.

5. In your tests, ensure that you test your feature with and without the feature flag enabled. You can do this by passing the feature flag to the context property when instantiating an App.

   const myFeatureFlag = { [cxapi.MY_FEATURE_FLAG]: true };
   const app = new App({
      context: myFeatureFlag,
   }),
   const stackUnderTest = new Stack(app);

6. In your PR title (which goes into CHANGELOG), add a (under feature flag) suffix. e.g:

   fix(core): impossible to use the same physical stack name for two stacks (under feature flag)
   context: myFeatureFlag,
   }),
   const stackUnderTest = new Stack(app);
   In your PR title (which goes into CHANGELOG), add a (under feature flag) suffix. e.g:

fix(core): impossible to use the same physical stack name for two stacks (under feature flag)

Pull request has been modified.

[puretension]

Thank you for the really quick feedback! I've completed missed steps 4-6.

I added the feature flag documentation to the README, implemented tests for both enabled and disabled scenarios following
your specified pattern, and the PR title already includes the "(under feature flag)" suffix. I really appreciate your
detailed guidance as this is my first CDK contribution.

All changes have been committed and pushed. Please let me know if there's anything else needed!

[Abogical]

This is the wrong README file to edit. The README file to edit is at packages/aws-cdk-lib/cx-api/README.md

[puretension]

@Abogical Thank you for the correction!
I apologize for the basic mistake of editing the wrong README file.😅
I've now moved the feature flag documentation from the root README.md to the correct location at packages/aws-cdk-lib/cx-api/README.md as requested.

I'll be more careful to follow the documentation guidelines precisely in future contributions.
Thank you for your patience and guidance!

Pull request has been modified.

[Abogical]

Integration test snapshot needs to be updated:

CHANGED    aws-elasticloadbalancingv2-targets/test/integ.alb-target 3.735s
@aws-cdk-testing/framework-integ:       Resources
@aws-cdk-testing/framework-integ:       [-] AWS::ElasticLoadBalancingV2::TargetGroup ServiceLBPublicListenerECSGroup0CC8688C destroy
@aws-cdk-testing/framework-integ:       [+] AWS::ElasticLoadBalancingV2::TargetGroup ServiceLBPublicListenerECSPrivateGroup93D5832E
@aws-cdk-testing/framework-integ:       [~] AWS::ElasticLoadBalancingV2::Listener ServiceLBPublicListener46709EAA
@aws-cdk-testing/framework-integ:        └─ [~] DefaultActions
@aws-cdk-testing/framework-integ:            └─ @@ -1,7 +1,7 @@
@aws-cdk-testing/framework-integ:               [ ] [
@aws-cdk-testing/framework-integ:               [ ]   {
@aws-cdk-testing/framework-integ:               [ ]     "TargetGroupArn": {
@aws-cdk-testing/framework-integ:               [-]       "Ref": "ServiceLBPublicListenerECSGroup0CC8688C"
@aws-cdk-testing/framework-integ:               [+]       "Ref": "ServiceLBPublicListenerECSPrivateGroup93D5832E"
@aws-cdk-testing/framework-integ:               [ ]     },
@aws-cdk-testing/framework-integ:               [ ]     "Type": "forward"
@aws-cdk-testing/framework-integ:               [ ]   }
@aws-cdk-testing/framework-integ:       [~] AWS::ECS::Service Service9571FDD8
@aws-cdk-testing/framework-integ:        ├─ [~] LoadBalancers
@aws-cdk-testing/framework-integ:        │   └─ @@ -3,7 +3,7 @@
@aws-cdk-testing/framework-integ:        │      [ ]     "ContainerName": "nginx",
@aws-cdk-testing/framework-integ:        │      [ ]     "ContainerPort": 80,
@aws-cdk-testing/framework-integ:        │      [ ]     "TargetGroupArn": {
@aws-cdk-testing/framework-integ:        │      [-]       "Ref": "ServiceLBPublicListenerECSGroup0CC8688C"
@aws-cdk-testing/framework-integ:        │      [+]       "Ref": "ServiceLBPublicListenerECSPrivateGroup93D5832E"
@aws-cdk-testing/framework-integ:        │      [ ]     }
@aws-cdk-testing/framework-integ:        │      [ ]   }
@aws-cdk-testing/framework-integ:        │      [ ] ]
@aws-cdk-testing/framework-integ:        └─ [~] DependsOn
@aws-cdk-testing/framework-integ:            └─ @@ -1,5 +1,5 @@
@aws-cdk-testing/framework-integ:               [ ] [
@aws-cdk-testing/framework-integ:               [ ]   "ServiceLBPublicListener46709EAA",
@aws-cdk-testing/framework-integ:               [-]   "ServiceLBPublicListenerECSGroup0CC8688C",
@aws-cdk-testing/framework-integ:               [+]   "ServiceLBPublicListenerECSPrivateGroup93D5832E",
@aws-cdk-testing/framework-integ:               [ ]   "TaskTaskRoleE98524A1"
@aws-cdk-testing/framework-integ:               [ ] ]
@aws-cdk-testing/framework-integ:       [~] AWS::ElasticLoadBalancingV2::TargetGroup NlblistenerTargetsGroupDD2A3CB0
@aws-cdk-testing/framework-integ:        └─ [~] DependsOn
@aws-cdk-testing/framework-integ:            └─ @@ -1,4 +1,4 @@
@aws-cdk-testing/framework-integ:               [ ] [
@aws-cdk-testing/framework-integ:               [ ]   "ServiceLBPublicListener46709EAA",
@aws-cdk-testing/framework-integ:               [-]   "ServiceLBPublicListenerECSGroup0CC8688C"
@aws-cdk-testing/framework-integ:               [+]   "ServiceLBPublicListenerECSPrivateGroup93D5832E"
@aws-cdk-testing/framework-integ:               [ ] ]

Pull request has been modified.

[Abogical]

Yet another snapshot to be updated. Unfortunately, there can be a lot of snapshots to update especially modifying this package:

CHANGED    aws-ecs-patterns/test/fargate/integ.alb-fargate-service-public-private-switch

Pull request has been modified.

[mergify]

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[Abogical]

@Mergifyio update

[mergify]

update

❌ Mergify doesn't have permission to update

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/codeql.yml without workflows permission

[Abogical]

@Mergifyio rebase

[mergify]

rebase

✅ Branch has been successfully rebased

[puretension]

@Abogical Thank you so much for your patience, guidance, and approval throughout this entire contribution process! 🙏

The previous CI Codebuild PR Build failure was likely due to the branch being out of sync🤔.
The rebase should have resolved the ESLint issues that were blocking the merge.

Should I change something more for safely merge? Or is there anything else I need to address before this can be merged?

[Abogical]

@Abogical Thank you so much for your patience, guidance, and approval throughout this entire contribution process! 🙏

@puretension You're welcome!

The previous CI Codebuild PR Build failure was likely due to the branch being out of sync🤔.
The rebase should have resolved the ESLint issues that were blocking the merge.

Should I change something more for safely merge? Or is there anything else I need to address before this can be merged?

There seems to be a build issue in our workflow that approves PR's. We're working on this atm. Hopefully, when this is resolved, the PR can be merged.

[Abogical]

@Mergifyio rebase

[mergify]

rebase

✅ Branch has been successfully rebased