fix(elasticloadbalancingv2): open, dual-stack-without-public-ipv4 ALB does not allow IPv6 inbound traffic (under feature flag)

[gracelu0]

Issue # (if applicable)

Closes #32197 .

Reason for this change

Default generated security group ingress rules for open, dual-stack-without-public-ipv4 ALB does not allow IPv6 traffic. Only a rule for IPv4 ingress traffic is added to the security group rules currently.

Description of changes

Introduced a new feature flag which is enabled by default so that default generated security group ingress rules now have an additional rule that allows IPv6 ingress from anywhere.

Describe any new or updated permissions being added

No new IAM permissions. Added IPv6 security group ingress rules for open, internet-facing ALBs if IP address type is dual-stack-without-public-ipv4 and feature flag is set to true (default).

Description of how you validated changes

Added unit test which checks the security group rules for both cases where feature flag is enabled/disabled. Updated integration test snapshot.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

Co-authored-by: Clare Liguori [email protected]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed add Clarification Request to a comment.

[gracelu0]

Feature flags with recommended value and default value set to true are getting added here even though they should not be. This section is for v1 feature flags where the behaviour changed. Will open a separate PR to fix this.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[gracelu0]

@Mergifyio update

[mergify]

update

✅ Branch has been successfully updated

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 81.37%. Comparing base (946b748) to head (7c5dc35).

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #32765   +/-   ##
=======================================
  Coverage   81.37%   81.37%           
=======================================
  Files         222      222           
  Lines       13693    13693           
  Branches     2412     2412           
=======================================
  Hits        11143    11143           
  Misses       2271     2271           
  Partials      279      279           

Flag	Coverage Δ
suite.unit	81.37% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
packages/aws-cdk	80.68% <ø> (ø)
packages/aws-cdk-lib/core	82.09% <ø> (ø)

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
• Commit ID: 7c5dc35
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[samson-keung]

I recommend updating the doc for IpAddressType.DUAL_STACK_WITHOUT_PUBLIC_IPV4 to mention how it behaves differently depending on the feature flag.

[samson-keung]

I believe setting the default to true means existing projects will automatically have this feature flag as true, which means they will get the new behaviour automatically, which is a breaking change. Can you double check?

[gracelu0]

Thanks Samson, you're correct that they would automatically get the new ingress rules upon re-deploying. I set the default to true thinking we would want new projects to setup the ingress rules to allow IPv6 by default, but it looks like that is what the recommended value is for. Will update.