awslabs / aws-config-rules

[Node, Python, Java] Repository of sample Custom Rules for AWS Config.
http://aws.amazon.com/config/
Creative Commons Zero v1.0 Universal

ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK check fails with ALB ingress controller default action return 404 #340

Open ismailyenigul opened 4 years ago

ismailyenigul commented 4 years ago

ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK expects "All HTTP listener rules have HTTP to HTTPS redirection action configured" as described at https://github.com/awslabs/aws-config-rules/blob/master/python/ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK/ALB_HTTP_TO_HTTPS_REDIRECTION_CHECK.py#L43

But the ALB ingress controller creates two ALB rules on the HTTP listener for the HTTPS redirect:

Rule 1:
IF Host mydomain.com THEN Forward to HTTPS Listener: 1 (100%) Group-level stickiness: Off

Rule last (HTTP 80: default action):
IF Requests otherwise not routed THEN Return fixed response 404

The AWS Config check fails because of the last rule, but we already configured the HTTPS redirect in Rule 1.

Related issue: https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/1264

I am not sure whether this is an ALB ingress controller issue or an AWS Config rules issue. But I think AWS Config rules can create an exception for "Return fixed response 404" to pass validation.
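To make the disagreement concrete, here is an added example (not code from aws-config-rules or from the ingress controller) that evaluates one HTTP listener's rules twice: strictly, as the rule's description expects, and with the exception the reporter suggests for a fixed-404 default rule. The input shape follows what the ELBv2 describe_rules API returns (Priority, IsDefault, Actions with RedirectConfig or FixedResponseConfig); the sample rules are constructed from the two rules above, and the function names and the `allow_default_404` flag are the example's own, not anything in the repository.

```python
"""Evaluate an ALB HTTP listener's rules for HTTP-to-HTTPS redirection.

Added example for this issue thread; it is not code from the aws-config-rules
repository. Input is a list of rule dicts in the shape the ELBv2
describe_rules API returns (Priority, IsDefault, Conditions, Actions with
Type / RedirectConfig / FixedResponseConfig). No AWS call is made here.
"""

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def redirects_to_https(action):
    """True if this action is a redirect whose target protocol is HTTPS."""
    if action.get("Type") != "redirect":
        return False
    return action.get("RedirectConfig", {}).get("Protocol") == "HTTPS"


def is_fixed_404_default(rule):
    """True for a catch-all default rule whose only action is a fixed 404
    response (the 'Requests otherwise not routed' rule from the thread)."""
    if not rule.get("IsDefault"):
        return False
    actions = rule.get("Actions", [])
    if len(actions) != 1 or actions[0].get("Type") != "fixed-response":
        return False
    return actions[0].get("FixedResponseConfig", {}).get("StatusCode") == "404"


def evaluate_http_listener(rules, allow_default_404=False):
    """Return (compliance, reasons) for the rules of one HTTP listener.

    Strict mode follows the rule's stated expectation: every rule must
    redirect to HTTPS. With allow_default_404=True (an assumed flag, not one
    the repository has) a fixed-404 default rule is exempted, as the reporter
    proposes, but only when at least one other rule still performs the
    redirect, so a listener that merely returns 404 for everything is not
    reported as compliant.
    """
    reasons = []
    redirecting_rules = 0
    for rule in rules:
        actions = rule.get("Actions", [])
        if actions and all(redirects_to_https(a) for a in actions):
            redirecting_rules += 1
            continue
        if allow_default_404 and is_fixed_404_default(rule):
            continue
        reasons.append(
            f"rule priority {rule.get('Priority')} does not redirect to HTTPS"
        )
    if redirecting_rules == 0:
        reasons.append("no rule on the HTTP listener redirects to HTTPS")
    return (NON_COMPLIANT if reasons else COMPLIANT), reasons


# Constructed sample mirroring the two rules the reporter describes.
INGRESS_CONTROLLER_RULES = [
    {
        "Priority": "1",
        "IsDefault": False,
        "Conditions": [{"Field": "host-header", "Values": ["mydomain.com"]}],
        "Actions": [
            {
                "Type": "redirect",
                "RedirectConfig": {
                    "Protocol": "HTTPS",
                    "Port": "443",
                    "StatusCode": "HTTP_301",
                },
            }
        ],
    },
    {
        "Priority": "default",
        "IsDefault": True,
        "Conditions": [],
        "Actions": [
            {
                "Type": "fixed-response",
                "FixedResponseConfig": {
                    "StatusCode": "404",
                    "ContentType": "text/plain",
                },
            }
        ],
    },
]

if __name__ == "__main__":
    for lenient in (False, True):
        status, why = evaluate_http_listener(
            INGRESS_CONTROLLER_RULES, allow_default_404=lenient
        )
        print(f"allow_default_404={lenient}: {status} {why}")
```

Run as a script, the strict pass reports NON_COMPLIANT because of the default rule, and the lenient pass reports COMPLIANT. The trade-off behind the exemption: with it, an HTTP request whose host matches no rule gets a fixed plaintext 404 instead of a redirect, which serves no application content over HTTP; the exemption is deliberately narrow (default rule only, single fixed-response action, status 404, and at least one real redirect rule present) so that it cannot be satisfied by a listener that never redirects at all.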

ishaannarang commented 4 years ago

+1

kubilaykaptanoglu commented 3 years ago

We are experiencing a similar problem. Does anyone have any suggestions for a solution other than fixing the source code?

yyurov commented 3 years ago

Any updates? I'm using the latest version of "amazon/aws-alb-ingress-controller:v2.1.0" and I still have the same issue. When I create an ingress in ALB I see the same default action with return fixed response 404. This is the reason why I can't use CNAMEs in R53 with "A" records associated with the ALB.

I'm creating the ALB through the ingress, and I'm using the external-dns controller, which creates A records in R53 when the ALB appears.

After that I want to make an R53 DNS traffic policy "Failover" to point a CNAME to these A records. But this does not work because we have default actions with return fixed response. After modifying these default actions, the CNAME works fine. This is the reason why I can't use AWS DNS policy (50$ per month each). Yes, I'm able to delete or modify "Return fixed response 404", but I want to automate this, and that gets in the way of going forward.

I'm using this to create the ALB:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sts-ingress-prd
  namespace: sts
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:4444444444:certificate/4b411ef0-4444-4444-4444-dad444412b5c
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/security-groups: sg-04444444808894, sg-041444444451722
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/healthcheck-path: /
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTPS"
  labels:
    app: sts
    stage: prd
spec:
  rules:
```

azelezni commented 3 years ago

Check my suggested solution here