Skip to content

fix(elasticache): security group for ServerlessCache does not use default endpoint port #35738

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(elasticache): security group for ServerlessCache does not use default endpoint port #35738

wants to merge 1 commit into from
+331 −32

Conversation

go-to-k
Copy link
Contributor

@go-to-k go-to-k commented Oct 14, 2025
edited
Loading

Issue # (if applicable)

N/A

Reason for this change

A security group ingress for the new ServerlessCache construct does not use an endpoint port.

The following CDK code generates an INVALID CFn template with null for FromPort and ToPort:

    const cache = new ServerlessCache(this, 'ServerlessCache', {
      vpc,
    });
    const sg = new SecurityGroup(this, 'SecurityGroup', {
      vpc,
    });
    sg.connections.allowToDefaultPort(cache);
  "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    // ...
    // ...
    "FromPort": null,
    // ...
    // ...
    "ToPort": null
   },

An expected template:

  "SecurityGroupfromawscdkserverlesscacheClientSG6D18D5F9IndirectPortFE633A67": {
   "Type": "AWS::EC2::SecurityGroupIngress",
   "Properties": {
    // ...
    // ...
    "FromPort": {
     "Fn::GetAtt": [
      "Cache18F6EE16",
      "Endpoint.Port"
     ]
    },
    // ...
    // ...
    "ToPort": {
     "Fn::GetAtt": [
      "Cache18F6EE16",
      "Endpoint.Port"
     ]
    }
   }
  },

FYI: The method cache.connections.defaultPort?.toRuleJson() outputs {"Value":{"ipProtocol":"tcp","fromPort":null,"toPort":null}}. But we expect {"Value":{"ipProtocol":"tcp","fromPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]},"toPort":{"Fn::GetAtt":["Cache18F6EE16","Endpoint.Port"]}}}.

Description of changes

Use Token.asNumber for the defaultPort of Connections in ServerlessCache:

    this.connections = new ec2.Connections({
      securityGroups: this.securityGroups,
-      defaultPort: ec2.Port.tcp(Lazy.number({ produce: () => parseInt(this.serverlessCacheEndpointPort) })),
+      defaultPort: ec2.Port.tcp(Token.asNumber(this.serverlessCacheEndpointPort)),
    });

Describe any new or updated permissions being added

Description of how you validated changes

Both an unit test and an integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 14, 2025 09:25
@github-actions github-actions bot added distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 labels Oct 14, 2025
@go-to-k go-to-k changed the title fix(elasticache): security group for ServerlessCache does not use endpoint port fix(elasticache): security group for ServerlessCache does not use default endpoint port Oct 14, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 14, 2025
mazyu36
mazyu36 approved these changes Oct 14, 2025
View reviewed changes
Copy link
Contributor

@mazyu36 mazyu36 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the fix!

@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@mazyu36 mazyu36 mazyu36 approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

distinguished-contributor [Pilot] contributed 50+ PRs to the CDK p2 pr/needs-maintainer-review This PR needs a review from a Core Team Member

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@go-to-k @mazyu36 @aws-cdk-automation