aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

elb-NetworkListener: Error: Resolution error: Resolution error: Trying to resolve() a Construct at /Resources/${Token[June20Stack.HttpsListener.Resource.LogicalID.232]}/Properties/certificates/0/node/_actualNode. #8665

Closed KarthickEmis closed 4 years ago

KarthickEmis commented 4 years ago

:question: General Issue

The Question

Trying to create an ECS service with an NLB that has both a TCP and a TLS port. For TLS, a certificate needs to be attached to the network listener. When I try to do this I get the error below. Error: Resolution error: Resolution error: Trying to resolve() a Construct at /Resources/${Token[June20Stack.HttpsListener.Resource.LogicalID.232]}/Properties/certificates/0/node/_actualNode.

Code:

// Assigned by the network setup further down: either a VPC created by this stack
// or an existing one found by lookup.
let vpc: ec2.IVpc;

// Import the existing Route 53 hosted zone; its name is read from CDK context ("hostedZone").
const hostedZoneAttrs = {
  zoneName: this.node.tryGetContext("hostedZone"),
  hostedZoneId,
};
const hostedZone = HostedZone.fromHostedZoneAttributes(this, hostedZoneName, hostedZoneAttrs);

// ACM certificate for domainName, validated through DNS records in the imported zone.
// The value is a construct; a consumer that only needs a reference to the certificate
// can read certificate.certificateArn.
const certificate = new DnsValidatedCertificate(this, "pdftron-certificate", {
  domainName,
  hostedZone,
});

// Set up network: reuse the VPC named by vpcId when one is given, otherwise create one.
if (vpcId !== "") {
  vpc = ec2.Vpc.fromLookup(this, "vpc", { vpcId });
} else {
  vpc = new ec2.Vpc(this, "PdfTronVpc", {
    cidr: "10.0.0.0/16",
    enableDnsSupport: true,
    enableDnsHostnames: true,
  });
  // Export the new VPC's ID under a prefixed export name.
  new CfnOutput(this, "VpcId", {
    value: vpc.vpcId,
    description: "The VPC ID for the PDFTron Web Server",
    exportName: awsPrefixName + "-pdftron-vpc-id",
  });
}

//const vpc = new Vpc(this, vpcName);
//console.log(vpc)

// IAM role whose trusted service principal comes from CDK context ("ecsServiceURL")
// and whose permissions come from a single managed policy referenced by ARN.
// NOTE(review): nothing in this listing attaches apiRole to the task definition (the
// assignment further down is commented out) — confirm the role is actually used, and
// check that ecsPolicyArn grants no more than the tasks need.
const trustedService = new iam.ServicePrincipal(this.node.tryGetContext("ecsServiceURL"));
const attachedPolicy = iam.ManagedPolicy.fromManagedPolicyArn(this, ecsPolicyName, ecsPolicyArn);
const apiRole = new iam.Role(this, taskDefRole, {
  roleName: awsPrefixName + task,
  assumedBy: trustedService,
  managedPolicies: [attachedPolicy],
});

// ECS cluster placed in the VPC chosen by the network setup.
const cluster = new Cluster(this, clusterName, {
  vpc,
  clusterName: awsPrefixName + clusterName,
});

// Fargate task sizing is read from CDK context instead of being hard-coded.
const taskCpuUnits = this.node.tryGetContext("pdfTronTaskCpuUnit");
const taskMemoryMiB = this.node.tryGetContext("pdfTronTaskMemory");
const taskDefn = new FargateTaskDefinition(this, fargateTaskDefn, {
  cpu: taskCpuUnits,
  memoryLimitMiB: taskMemoryMiB,
});

// TaskDefn.taskRole.addManagedPolicy(ManagedPolicy.fromAwsManagedPolicyName("service-role/AmazonECSTaskExecutionRolePolicy"))

// taskDefn.taskRole.roleArn = apiRole.roleArn;

// Ship container logs through the awslogs driver under the configured stream prefix.
const logDriver = new AwsLogDriver({ streamPrefix: pdftronlogName });

// The image reference is read from CDK context ("pdfTronImage").
// NOTE(review): confirm the context value pins a specific version or digest, and that
// INCLUDE_DEMO (presumably the image's demo content — verify) is wanted on a
// deployment that sits behind an internet-facing load balancer.
const imageRef = this.node.tryGetContext("pdfTronImage");
const container = taskDefn.addContainer(containerResource, {
  image: ContainerImage.fromRegistry(imageRef),
  environment: { INCLUDE_DEMO: "true" },
  logging: logDriver,
});

// Register every container port listed in the "pdfTronEcsPortMappings" context entry.
const portMappings = this.node.tryGetContext("pdfTronEcsPortMappings");
for (const { containerPort } of portMappings) {
  container.addPortMappings({ containerPort });
}

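// Collect the IDs of the VPC's private subnets.
// NOTE(review): subnetIds is not read anywhere in this listing.
var subnetIds: string[] = vpc.privateSubnets.map(subnet => subnet.subnetId);

// Security group for the Fargate service.
// It is created in the same `vpc` that the cluster, service and load balancer use.
// A second Vpc.fromLookup on vpcId would not refer to the VPC this stack creates
// when vpcId is "", which would leave the group in a different VPC from the tasks.
const pdftronSecurityGroup = new SecurityGroup(this, pdfTronSGName, {
  vpc: vpc,
  allowAllOutbound: true,
  description: "Security group for pdftron service",
  securityGroupName: awsPrefixName + "-pdftron-sg"
});
Tag.add(pdftronSecurityGroup, "name", awsPrefixName + "-pdftron-sg");

// NOTE(review): both rules admit any IPv4 source. The tasks run in private subnets
// behind the load balancer; if the load balancer does not preserve client source
// addresses for these IP targets (confirm the target group setting), the source can
// be narrowed to the VPC's CIDR range with Peer.ipv4(...). Port 8090 is opened here
// although no listener in this listing forwards to it — confirm it is needed.
pdftronSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(80), "TCP port");
pdftronSecurityGroup.addIngressRule(Peer.anyIpv4(), Port.tcp(8090), "PDF Tron port");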

// Run the task definition as a Fargate service in the private subnets with no public
// IPs, guarded by the pdftron security group.
const privatePlacement = { subnetType: SubnetType.PRIVATE };
const service = new FargateService(this, fargateService, {
  cluster,
  taskDefinition: taskDefn,
  serviceName: awsPrefixName + fargateService,
  securityGroup: pdftronSecurityGroup,
  desiredCount: 1,
  assignPublicIp: false,
  vpcSubnets: privatePlacement,
});

// ELB - NLB
// Internet-facing network load balancer in the public subnets; deletion protection is on.
const loadBalancer = new elb.NetworkLoadBalancer(this, "PDFTronLoadBalancer", {
  vpc,
  loadBalancerName: awsPrefixName + "-pdftron-elb",
  internetFacing: true,
  vpcSubnets: { subnetType: SubnetType.PUBLIC },
  deletionProtection: true,
});

// Target group: forwards to the service's tasks by IP on port 80.
// NOTE(review): the construct ID "JenkinsTargetGroup" looks like a leftover name; it is
// kept because changing a construct ID changes the generated logical ID.
const targetGroup = new elb.NetworkTargetGroup(this, "JenkinsTargetGroup", {
  vpc,
  targetGroupName: awsPrefixName + "-pdftron-tg",
  port: 80,
  targets: [service],
  targetType: TargetType.IP,
});

// Every health check setting is read from CDK context.
const fromContext = (key: string) => this.node.tryGetContext(key);
targetGroup.configureHealthCheck({
  path: fromContext("pdftronHealthCheckPath"),
  port: fromContext("pdftronHealthCheckPort"),
  protocol: fromContext("pdftronHealthCheckProtocol") as Protocol,
  healthyThresholdCount: fromContext("pdftronHealthCheckHealthyThresholdCount"),
  timeout: Duration.seconds(fromContext("pdftronHealthCheckTimeout")),
  interval: Duration.seconds(fromContext("pdftronHealthCheckInterval")),
  healthyHttpCodes: fromContext("pdftronHealthCheckHealthyHttpCodes"),
});

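// Listeners
// TLS listener on 443. `certificates` takes listener-certificate references (objects
// carrying a certificate ARN), not the certificate construct itself. Placing the
// DnsValidatedCertificate construct in the array leaves a Construct inside the
// listener's properties, and synthesis fails with "Trying to resolve() a Construct".
// NOTE(review): check which predefined policy SslPolicy.RECOMMENDED maps to in the CDK
// version in use and whether it still admits TLS 1.0/1.1; choose a stricter policy if
// the deployment requires one.
const httpsli = new elb.NetworkListener(this, "HttpsListener", {
  certificates: [
    { certificateArn: certificate.certificateArn }
  ],
  loadBalancer: loadBalancer,
  port: 443,
  protocol: Protocol.TLS,
  defaultTargetGroups: [targetGroup],
  sslPolicy: elb.SslPolicy.RECOMMENDED
});

// NOTE(review): this listener accepts unencrypted TCP on port 80 and forwards to the
// same target group as the TLS listener, so the service stays reachable without TLS.
// Confirm that plaintext access from the internet is intended.
new elb.NetworkListener(this, "HttpListener", {
  loadBalancer: loadBalancer,
  protocol: Protocol.TCP,
  port: 80,
  defaultTargetGroups: [targetGroup]
});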

// AutoScaling
// Keep between 1 and 10 tasks, tracking 60% CPU and 60% memory utilisation with
// 60-second cooldowns in both directions.
const scaling = service.autoScaleTaskCount({ minCapacity: 1, maxCapacity: 10 });

const cooldown = Duration.seconds(60);
const trackingDefaults = {
  targetUtilizationPercent: 60,
  scaleInCooldown: cooldown,
  scaleOutCooldown: cooldown,
};

scaling.scaleOnCpuUtilization("CpuScaling", { ...trackingDefaults });
scaling.scaleOnMemoryUtilization("MemoryScaling", { ...trackingDefaults });

// Alias A record in the imported hosted zone, pointing recordName + zone name at the
// load balancer.
const aliasTarget = {
  dnsName: loadBalancer.loadBalancerDnsName,
  hostedZoneId: loadBalancer.loadBalancerCanonicalHostedZoneId,
};
new CfnRecordSet(this, recordSetName, {
  name: recordName + this.node.tryGetContext("hostedZone"),
  type: "A",
  hostedZoneId: hostedZone.hostedZoneId,
  aliasTarget,
});

// Publish the load balancer's DNS name as a stack output.
new CfnOutput(this, "Load Balancer DNS", { value: loadBalancer.loadBalancerDnsName });

Environment

Other information

KarthickEmis commented 4 years ago

I identified the issue: it was a type mismatch for the certificate in the NetworkListener. The listener expects an IListenerCertificate, not an ICertificate.