inboud_security_groups

Add referencing existing security groups for inbound traffic

Add referencing existing security groups for inbound traffic

Add inboud security groups

Add inboud security group

Author: changhyuni

docs/guide/ingress/annotations.md

@@ -530,6 +530,24 @@ Access control for LoadBalancer can be controlled with following annotations:
         ```
         alb.ingress.kubernetes.io/inbound-cidrs: 10.0.0.0/24
         ```
+- <a name="inbound-security-groups">`alb.ingress.kubernetes.io/inbound-security-groups`</a> specifies the SecurtityGroups that are allowed to access LoadBalancer.
+
+    !!!note "Merge Behavior"
+        `inbound-security-groups` is merged across all Ingresses in IngressGroup, but is exclusive per listen-port.
+
+        - the `inbound-security-groups` will only impact the ports defined for that Ingress.
+        - if same listen-port is defined by multiple Ingress within IngressGroup, `inbound-security-groups` should only be defined on one of the Ingress.
+
+    !!!warning ""
+        this annotation will be ignored if `alb.ingress.kubernetes.io/security-groups` is specified.
+
+    !!!tip ""
+        Both name or ID of securityGroups are supported. Name matches a `Name` tag, not the `groupName` attribute.
+
+    !!!example
+        ```
+        alb.ingress.kubernetes.io/inbound-security-groups: sg-xxxx, nameOfSg1, nameOfSg2
+        ```
 
 - <a name="security-group-prefix-lists">`alb.ingress.kubernetes.io/security-group-prefix-lists`</a> specifies the managed prefix lists that are allowed to access LoadBalancer.
 

pkg/annotations/constants.go

@@ -6,48 +6,51 @@ const (
 
 	AnnotationPrefixIngress = "alb.ingress.kubernetes.io"
 	// Ingress annotation suffixes
-	IngressSuffixLoadBalancerName             = "load-balancer-name"
-	IngressSuffixGroupName                    = "group.name"
-	IngressSuffixGroupOrder                   = "group.order"
-	IngressSuffixTags                         = "tags"
-	IngressSuffixIPAddressType                = "ip-address-type"
-	IngressSuffixScheme                       = "scheme"
-	IngressSuffixSubnets                      = "subnets"
-	IngressSuffixCustomerOwnedIPv4Pool        = "customer-owned-ipv4-pool"
-	IngressSuffixLoadBalancerAttributes       = "load-balancer-attributes"
-	IngressSuffixWAFv2ACLARN                  = "wafv2-acl-arn"
-	IngressSuffixWAFACLID                     = "waf-acl-id"
-	IngressSuffixWebACLID                     = "web-acl-id" // deprecated, use "waf-acl-id" instead.
-	IngressSuffixShieldAdvancedProtection     = "shield-advanced-protection"
-	IngressSuffixSecurityGroups               = "security-groups"
-	IngressSuffixListenPorts                  = "listen-ports"
-	IngressSuffixSSLRedirect                  = "ssl-redirect"
-	IngressSuffixInboundCIDRs                 = "inbound-cidrs"
-	IngressSuffixCertificateARN               = "certificate-arn"
-	IngressSuffixSSLPolicy                    = "ssl-policy"
-	IngressSuffixTargetType                   = "target-type"
-	IngressSuffixBackendProtocol              = "backend-protocol"
-	IngressSuffixBackendProtocolVersion       = "backend-protocol-version"
-	IngressSuffixTargetGroupAttributes        = "target-group-attributes"
-	IngressSuffixHealthCheckPort              = "healthcheck-port"
-	IngressSuffixHealthCheckProtocol          = "healthcheck-protocol"
-	IngressSuffixHealthCheckPath              = "healthcheck-path"
-	IngressSuffixHealthCheckIntervalSeconds   = "healthcheck-interval-seconds"
-	IngressSuffixHealthCheckTimeoutSeconds    = "healthcheck-timeout-seconds"
-	IngressSuffixHealthyThresholdCount        = "healthy-threshold-count"
-	IngressSuffixUnhealthyThresholdCount      = "unhealthy-threshold-count"
-	IngressSuffixSuccessCodes                 = "success-codes"
-	IngressSuffixAuthType                     = "auth-type"
-	IngressSuffixAuthIDPCognito               = "auth-idp-cognito"
-	IngressSuffixAuthIDPOIDC                  = "auth-idp-oidc"
-	IngressSuffixAuthOnUnauthenticatedRequest = "auth-on-unauthenticated-request"
-	IngressSuffixAuthScope                    = "auth-scope"
-	IngressSuffixAuthSessionCookie            = "auth-session-cookie"
-	IngressSuffixAuthSessionTimeout           = "auth-session-timeout"
-	IngressSuffixTargetNodeLabels             = "target-node-labels"
-	IngressSuffixManageSecurityGroupRules     = "manage-backend-security-group-rules"
-	IngressSuffixMutualAuthentication         = "mutual-authentication"
-	IngressSuffixSecurityGroupPrefixLists     = "security-group-prefix-lists"
+	IngressSuffixLoadBalancerName                = "load-balancer-name"
+	IngressSuffixGroupName                       = "group.name"
+	IngressSuffixGroupOrder                      = "group.order"
+	IngressSuffixTags                            = "tags"
+	IngressSuffixIPAddressType                   = "ip-address-type"
+	IngressSuffixScheme                          = "scheme"
+	IngressSuffixSubnets                         = "subnets"
+	IngressSuffixCustomerOwnedIPv4Pool           = "customer-owned-ipv4-pool"
+	IngressSuffixLoadBalancerAttributes          = "load-balancer-attributes"
+	IngressSuffixWAFv2ACLARN                     = "wafv2-acl-arn"
+	IngressSuffixWAFACLID                        = "waf-acl-id"
+	IngressSuffixWebACLID                        = "web-acl-id" // deprecated, use "waf-acl-id" instead.
+	IngressSuffixShieldAdvancedProtection        = "shield-advanced-protection"
+	IngressSuffixSecurityGroups                  = "security-groups"
+	IngressSuffixListenPorts                     = "listen-ports"
+	IngressSuffixSSLRedirect                     = "ssl-redirect"
+	IngressSuffixInboundCIDRs                    = "inbound-cidrs"
+	IngressSuffixCertificateARN                  = "certificate-arn"
+	IngressSuffixSSLPolicy                       = "ssl-policy"
+	IngressSuffixTargetType                      = "target-type"
+	IngressSuffixBackendProtocol                 = "backend-protocol"
+	IngressSuffixBackendProtocolVersion          = "backend-protocol-version"
+	IngressSuffixTargetGroupAttributes           = "target-group-attributes"
+	IngressSuffixHealthCheckPort                 = "healthcheck-port"
+	IngressSuffixHealthCheckProtocol             = "healthcheck-protocol"
+	IngressSuffixHealthCheckPath                 = "healthcheck-path"
+	IngressSuffixHealthCheckIntervalSeconds      = "healthcheck-interval-seconds"
+	IngressSuffixHealthCheckTimeoutSeconds       = "healthcheck-timeout-seconds"
+	IngressSuffixHealthyThresholdCount           = "healthy-threshold-count"
+	IngressSuffixUnhealthyThresholdCount         = "unhealthy-threshold-count"
+	IngressSuffixSuccessCodes                    = "success-codes"
+	IngressSuffixAuthType                        = "auth-type"
+	IngressSuffixAuthIDPCognito                  = "auth-idp-cognito"
+	IngressSuffixAuthIDPOIDC                     = "auth-idp-oidc"
+	IngressSuffixAuthOnUnauthenticatedRequest    = "auth-on-unauthenticated-request"
+	IngressSuffixAuthScope                       = "auth-scope"
+	IngressSuffixAuthSessionCookie               = "auth-session-cookie"
+	IngressSuffixAuthSessionTimeout              = "auth-session-timeout"
+	IngressSuffixTargetNodeLabels                = "target-node-labels"
+	IngressSuffixManageSecurityGroupRules        = "manage-backend-security-group-rules"
+	IngressSuffixMutualAuthentication            = "mutual-authentication"
+	IngressSuffixSecurityGroupPrefixLists        = "security-group-prefix-lists"
+	IngressSuffixlsAttsAnnotationPrefix          = "listener-attributes"
+	IngressLBSuffixMultiClusterTargetGroup       = "multi-cluster-target-group"
+	IngressSuffixLoadBalancerCapacityReservation = "minimum-load-balancer-capacity"
 
 	// NLB annotation suffixes
 	// prefixes service.beta.kubernetes.io, service.kubernetes.io

pkg/ingress/model_build_listener.go

@@ -107,17 +107,25 @@ type listenPortConfig struct {
 	sslPolicy            *string
 	tlsCerts             []string
 	mutualAuthentication *elbv2model.MutualAuthenticationAttributes
+	securityGroupIDs     []string
 }
 
 func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context.Context, ing *ClassifiedIngress) (map[int64]listenPortConfig, error) {
 	explicitTLSCertARNs := t.computeIngressExplicitTLSCertARNs(ctx, ing)
 	explicitSSLPolicy := t.computeIngressExplicitSSLPolicy(ctx, ing)
 	var prefixListIDs []string
 	t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixSecurityGroupPrefixLists, &prefixListIDs, ing.Ing.Annotations)
+
+	securityGroupIDs, err := t.computeIngressExplicitSecurityGroupIDs(ctx, ing)
+	if err != nil {
+		return nil, err
+	}
+
 	inboundCIDRv4s, inboundCIDRV6s, err := t.computeIngressExplicitInboundCIDRs(ctx, ing)
 	if err != nil {
 		return nil, err
 	}
+
 	mutualAuthenticationAttributes, err := t.computeIngressMutualAuthentication(ctx, ing)
 	if err != nil {
 		return nil, err
@@ -146,10 +154,11 @@ func (t *defaultModelBuildTask) computeIngressListenPortConfigByPort(ctx context
 	listenPortConfigByPort := make(map[int64]listenPortConfig, len(listenPorts))
 	for port, protocol := range listenPorts {
 		cfg := listenPortConfig{
-			protocol:       protocol,
-			inboundCIDRv4s: inboundCIDRv4s,
-			inboundCIDRv6s: inboundCIDRV6s,
-			prefixLists:    prefixListIDs,
+			protocol:         protocol,
+			inboundCIDRv4s:   inboundCIDRv4s,
+			inboundCIDRv6s:   inboundCIDRV6s,
+			prefixLists:      prefixListIDs,
+			securityGroupIDs: securityGroupIDs,
 		}
 		if protocol == elbv2model.ProtocolHTTPS {
 			if len(explicitTLSCertARNs) == 0 {
@@ -225,6 +234,20 @@ func (t *defaultModelBuildTask) computeIngressListenPorts(_ context.Context, ing
 	return portAndProtocols, nil
 }
 
+func (t *defaultModelBuildTask) computeIngressExplicitSecurityGroupIDs(ctx context.Context, ing *ClassifiedIngress) ([]string, error) {
+	var rawSecurityGroups []string
+	if exists := t.annotationParser.ParseStringSliceAnnotation(annotations.IngressSuffixInboundSecurityGroups, &rawSecurityGroups, ing.Ing.Annotations); !exists {
+		return nil, nil
+	}
+
+	securityGroupIDs, err := t.sgResolver.ResolveViaNameOrID(ctx, rawSecurityGroups)
+	if err != nil {
+		return nil, fmt.Errorf("invalid %v settings on Ingress: %v: %w", annotations.IngressSuffixInboundSecurityGroups, k8s.NamespacedName(ing.Ing), err)
+	}
+
+	return securityGroupIDs, nil
+}
+
 func (t *defaultModelBuildTask) computeIngressExplicitInboundCIDRs(_ context.Context, ing *ClassifiedIngress) ([]string, []string, error) {
 	var rawInboundCIDRs []string
 	fromIngressClassParams := false

pkg/ingress/model_build_managed_sg.go

@@ -109,6 +109,18 @@ func (t *defaultModelBuildTask) buildManagedSecurityGroupIngressPermissions(_ co
 				},
 			})
 		}
+		for _, sgID := range cfg.securityGroupIDs {
+			permissions = append(permissions, ec2model.IPPermission{
+				IPProtocol: "tcp",
+				FromPort:   awssdk.Int64(port),
+				ToPort:     awssdk.Int64(port),
+				UserIDGroupPairs: []ec2model.UserIDGroupPair{
+					{
+						GroupID: sgID,
+					},
+				},
+			})
+		}
 	}
 	return permissions
 }

pkg/ingress/model_builder.go

@@ -310,6 +310,9 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 	var mergedMtlsAttributesProvider *types.NamespacedName
 	var mergedMtlsAttributes *elbv2model.MutualAuthenticationAttributes
 
+	var mergedSecurityGroupProvider *types.NamespacedName
+	mergedSecurityGroups := sets.NewString()
+
 	for _, cfg := range listenPortConfigs {
 		if mergedProtocolProvider == nil {
 			mergedProtocolProvider = &cfg.ingKey
@@ -343,6 +346,17 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 			}
 		}
 
+		if len(cfg.listenPortConfig.securityGroupIDs) != 0 {
+			cfgSecurityGroups := sets.NewString(cfg.listenPortConfig.securityGroupIDs...)
+			if mergedSecurityGroupProvider == nil {
+				mergedSecurityGroupProvider = &cfg.ingKey
+				mergedSecurityGroups = cfgSecurityGroups
+			} else if !mergedSecurityGroups.Equal(cfgSecurityGroups) {
+				return listenPortConfig{}, errors.Errorf("conflicting security groups, %v: %v | %v: %v",
+					*mergedSecurityGroupProvider, mergedSecurityGroups.List(), cfg.ingKey, cfgSecurityGroups.List())
+			}
+		}
+
 		if cfg.listenPortConfig.sslPolicy != nil {
 			if mergedSSLPolicyProvider == nil {
 				mergedSSLPolicyProvider = &cfg.ingKey
@@ -389,6 +403,7 @@ func (t *defaultModelBuildTask) mergeListenPortConfigs(_ context.Context, listen
 		sslPolicy:            mergedSSLPolicy,
 		tlsCerts:             mergedTLSCerts,
 		mutualAuthentication: mergedMtlsAttributes,
+		securityGroupIDs:     mergedSecurityGroups.List(),
 	}, nil
 }
 

pkg/ingress/model_builder_test.go

@@ -3,12 +3,12 @@ package ingress
 import (
 	"context"
 	"encoding/json"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
+	elbv2types "github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2/types"
 	"testing"
 	"time"
 
-	awssdk "github.com/aws/aws-sdk-go/aws"
-	ec2sdk "github.com/aws/aws-sdk-go/service/ec2"
-	elbv2sdk "github.com/aws/aws-sdk-go/service/elbv2"
+	awssdk "github.com/aws/aws-sdk-go-v2/aws"
 	jsonpatch "github.com/evanphx/json-patch"
 	"github.com/go-logr/logr"
 	"github.com/golang/mock/gomock"
@@ -442,7 +442,7 @@ const baseStackJSON = `
 
 func Test_defaultModelBuilder_Build(t *testing.T) {
 	type resolveViaDiscoveryCall struct {
-		subnets []*ec2sdk.Subnet
+		subnets []ec2types.Subnet
 		err     error
 	}
 	type env struct {
@@ -453,7 +453,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 		err        error
 	}
 	type describeSecurityGroupsResult struct {
-		securityGroups []*ec2sdk.SecurityGroup
+		securityGroups []ec2types.SecurityGroup
 		err            error
 	}
 	type fields struct {
@@ -576,7 +576,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 	}
 
 	resolveViaDiscoveryCallForInternalLB := resolveViaDiscoveryCall{
-		subnets: []*ec2sdk.Subnet{
+		subnets: []ec2types.Subnet{
 			{
 				SubnetId:  awssdk.String("subnet-a"),
 				CidrBlock: awssdk.String("192.168.0.0/19"),
@@ -588,7 +588,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 		},
 	}
 	resolveViaDiscoveryCallForInternetFacingLB := resolveViaDiscoveryCall{
-		subnets: []*ec2sdk.Subnet{
+		subnets: []ec2types.Subnet{
 			{
 				SubnetId:  awssdk.String("subnet-c"),
 				CidrBlock: awssdk.String("192.168.64.0/19"),
@@ -605,14 +605,15 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 	}
 
 	tests := []struct {
-		name               string
-		env                env
-		defaultTargetType  string
-		enableIPTargetType *bool
-		args               args
-		fields             fields
-		wantStackPatch     string
-		wantErr            string
+		name                      string
+		env                       env
+		defaultTargetType         string
+		defaultLoadBalancerScheme string
+		enableIPTargetType        *bool
+		args                      args
+		fields                    fields
+		wantStackPatch            string
+		wantErr                   string
 	}{
 		{
 			name: "Ingress - vanilla internal",
@@ -2152,53 +2153,53 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 					{
 						matchedLBs: []elbv2.LoadBalancerWithTags{
 							{
-								LoadBalancer: &elbv2sdk.LoadBalancer{
+								LoadBalancer: &elbv2types.LoadBalancer{
 									LoadBalancerArn: awssdk.String("lb-1"),
-									AvailabilityZones: []*elbv2sdk.AvailabilityZone{
+									AvailabilityZones: []elbv2types.AvailabilityZone{
 										{
 											SubnetId: awssdk.String("subnet-e"),
 										},
 										{
 											SubnetId: awssdk.String("subnet-f"),
 										},
 									},
-									Scheme: awssdk.String("internal"),
+									Scheme: elbv2types.LoadBalancerSchemeEnumInternal,
 								},
 								Tags: map[string]string{
 									"elbv2.k8s.aws/cluster": "cluster-name",
 									"ingress.k8s.aws/stack": "ns-1/ing-1",
 								},
 							},
 							{
-								LoadBalancer: &elbv2sdk.LoadBalancer{
+								LoadBalancer: &elbv2types.LoadBalancer{
 									LoadBalancerArn: awssdk.String("lb-2"),
-									AvailabilityZones: []*elbv2sdk.AvailabilityZone{
+									AvailabilityZones: []elbv2types.AvailabilityZone{
 										{
 											SubnetId: awssdk.String("subnet-e"),
 										},
 										{
 											SubnetId: awssdk.String("subnet-f"),
 										},
 									},
-									Scheme: awssdk.String("internal"),
+									Scheme: elbv2types.LoadBalancerSchemeEnumInternal,
 								},
 								Tags: map[string]string{
 									"keyA": "valueA2",
 									"keyB": "valueB2",
 								},
 							},
 							{
-								LoadBalancer: &elbv2sdk.LoadBalancer{
+								LoadBalancer: &elbv2types.LoadBalancer{
 									LoadBalancerArn: awssdk.String("lb-3"),
-									AvailabilityZones: []*elbv2sdk.AvailabilityZone{
+									AvailabilityZones: []elbv2types.AvailabilityZone{
 										{
 											SubnetId: awssdk.String("subnet-e"),
 										},
 										{
 											SubnetId: awssdk.String("subnet-f"),
 										},
 									},
-									Scheme: awssdk.String("internal"),
+									Scheme: elbv2types.LoadBalancerSchemeEnumInternal,
 								},
 								Tags: map[string]string{
 									"keyA": "valueA3",
@@ -2339,7 +2340,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
 				describeSecurityGroupsResult: []describeSecurityGroupsResult{
 					{
-						securityGroups: []*ec2sdk.SecurityGroup{
+						securityGroups: []ec2types.SecurityGroup{
 							{
 								GroupId: awssdk.String("sg-manual"),
 							},
@@ -2478,7 +2479,7 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
 				describeSecurityGroupsResult: []describeSecurityGroupsResult{
 					{
-						securityGroups: []*ec2sdk.SecurityGroup{
+						securityGroups: []ec2types.SecurityGroup{
 							{
 								GroupId: awssdk.String("sg-manual"),
 							},
@@ -3628,6 +3629,108 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			}
 		}
 	}
+}`,
+		},
+		{
+			name: "Ingress - vanilla with default-load-balancer-scheme internet-facing",
+			env: env{
+				svcs: []*corev1.Service{ns_1_svc_1, ns_1_svc_2, ns_1_svc_3},
+			},
+			fields: fields{
+				resolveViaDiscoveryCalls: []resolveViaDiscoveryCall{resolveViaDiscoveryCallForInternetFacingLB},
+				listLoadBalancersCalls:   []listLoadBalancersCall{listLoadBalancerCallForEmptyLB},
+				enableBackendSG:          true,
+			},
+			defaultLoadBalancerScheme: string(elbv2model.LoadBalancerSchemeInternetFacing),
+			args: args{
+				ingGroup: Group{
+					ID: GroupID{Namespace: "ns-1", Name: "ing-1"},
+					Members: []ClassifiedIngress{
+						{
+							Ing: &networking.Ingress{ObjectMeta: metav1.ObjectMeta{
+								Namespace: "ns-1",
+								Name:      "ing-1",
+							},
+								Spec: networking.IngressSpec{
+									Rules: []networking.IngressRule{
+										{
+											Host: "app-1.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-1",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_1.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+														{
+															Path: "/svc-2",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_2.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "http",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+										{
+											Host: "app-2.example.com",
+											IngressRuleValue: networking.IngressRuleValue{
+												HTTP: &networking.HTTPIngressRuleValue{
+													Paths: []networking.HTTPIngressPath{
+														{
+															Path: "/svc-3",
+															Backend: networking.IngressBackend{
+																Service: &networking.IngressServiceBackend{
+																	Name: ns_1_svc_3.Name,
+																	Port: networking.ServiceBackendPort{
+																		Name: "https",
+																	},
+																},
+															},
+														},
+													},
+												},
+											},
+										},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			wantStackPatch: `
+{
+	"resources": {
+		"AWS::ElasticLoadBalancingV2::LoadBalancer": {
+			"LoadBalancer": {
+				"spec": {
+					"name": "k8s-ns1-ing1-159dd7a143",
+					"scheme": "internet-facing",
+					"subnetMapping": [
+						{
+							"subnetID": "subnet-c"
+						},
+						{
+							"subnetID": "subnet-d"
+						}
+					]
+				}
+			}
+		}
+	}
 }`,
 		},
 	}
@@ -3681,6 +3784,10 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 			if defaultTargetType == "" {
 				defaultTargetType = "instance"
 			}
+			defaultLoadBalancerScheme := tt.defaultLoadBalancerScheme
+			if defaultLoadBalancerScheme == "" {
+				defaultLoadBalancerScheme = string(elbv2model.LoadBalancerSchemeInternal)
+			}
 
 			b := &defaultModelBuilder{
 				k8sClient:              k8sClient,
@@ -3703,8 +3810,9 @@ func Test_defaultModelBuilder_Build(t *testing.T) {
 				featureGates:           config.NewFeatureGates(),
 				logger:                 logr.New(&log.NullLogSink{}),
 
-				defaultSSLPolicy:  "ELBSecurityPolicy-2016-08",
-				defaultTargetType: elbv2model.TargetType(defaultTargetType),
+				defaultSSLPolicy:          "ELBSecurityPolicy-2016-08",
+				defaultTargetType:         elbv2model.TargetType(defaultTargetType),
+				defaultLoadBalancerScheme: elbv2model.LoadBalancerScheme(defaultLoadBalancerScheme),
 			}
 
 			if tt.enableIPTargetType == nil {
@@ -3768,7 +3876,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 		ingGroup Group
 	}
 	type args struct {
-		listenPortConfigByPort map[int64]listenPortConfig
+		listenPortConfigByPort map[int32]listenPortConfig
 	}
 	tests := []struct {
 		name    string
@@ -3818,7 +3926,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -3874,7 +3982,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -3933,7 +4041,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -3989,7 +4097,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -4073,7 +4181,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -4160,7 +4268,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -4253,7 +4361,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},
@@ -4346,7 +4454,7 @@ func Test_defaultModelBuildTask_buildSSLRedirectConfig(t *testing.T) {
 				},
 			},
 			args: args{
-				listenPortConfigByPort: map[int64]listenPortConfig{
+				listenPortConfigByPort: map[int32]listenPortConfig{
 					80: {
 						protocol: elbv2model.ProtocolHTTP,
 					},