fix(ecs): validate networkMode is aws_vpc when proxyConfiguration is …

…provided (aws#4479)

* fix(ecs): check networkMode is AWS_VPC with proxyConfiguration

* chore: fix error message format

* chore: move proxyConfiguration test

packages/@aws-cdk/aws-ecs/lib/base/task-definition.ts

@@ -258,7 +258,9 @@ export class TaskDefinition extends TaskDefinitionBase {
     if (this.isFargateCompatible && this.networkMode !== NetworkMode.AWS_VPC) {
       throw new Error(`Fargate tasks can only have AwsVpc network mode, got: ${this.networkMode}`);
     }
-
+    if (props.proxyConfiguration && this.networkMode !== NetworkMode.AWS_VPC) {
+      throw new Error(`ProxyConfiguration can only be used with AwsVpc network mode, got: ${this.networkMode}`);
+    }
     if (props.placementConstraints && props.placementConstraints.length > 0 && this.isFargateCompatible) {
       throw new Error('Cannot set placement constraints on tasks that run on Fargate');
     }

packages/@aws-cdk/aws-ecs/test/ec2/test.ec2-task-definition.ts

@@ -974,5 +974,28 @@ export = {
 
       test.done();
     }
-  }
+  },
+
+  'throws when setting proxyConfiguration without networkMode AWS_VPC'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+
+    const proxyConfiguration = ecs.ProxyConfigurations.appMeshProxyConfiguration({
+      containerName: 'envoy',
+      properties: {
+        ignoredUID: 1337,
+        proxyIngressPort: 15000,
+        proxyEgressPort: 15001,
+        appPorts: [9080, 9081],
+        egressIgnoredIPs: ["169.254.170.2", "169.254.169.254"]
+      }
+    });
+
+    // THEN
+    test.throws(() => {
+      new ecs.Ec2TaskDefinition(stack, 'TaskDef', { networkMode: ecs.NetworkMode.BRIDGE, proxyConfiguration });
+    }, /ProxyConfiguration can only be used with AwsVpc network mode, got: bridge/);
+
+    test.done();
+  },
 };

packages/@aws-cdk/aws-ecs/test/test.app-mesh-proxy-configuration.ts

@@ -9,18 +9,21 @@ export = {
     const stack = new cdk.Stack();
 
     // WHEN
-    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', { proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
-      containerName: "envoy",
-      properties: {
-        ignoredUID: 1337,
-        ignoredGID: 1338,
-        appPorts: [80, 81],
-        proxyIngressPort: 80,
-        proxyEgressPort: 81,
-        egressIgnoredPorts: [8081],
-        egressIgnoredIPs: ["169.254.170.2", "169.254.169.254"],
-      }
-    })});
+    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+      networkMode: ecs.NetworkMode.AWS_VPC,
+      proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
+        containerName: "envoy",
+        properties: {
+          ignoredUID: 1337,
+          ignoredGID: 1338,
+          appPorts: [80, 81],
+          proxyIngressPort: 80,
+          proxyEgressPort: 81,
+          egressIgnoredPorts: [8081],
+          egressIgnoredIPs: ["169.254.170.2", "169.254.169.254"],
+        }
+      })
+    });
     taskDefinition.addContainer("web", {
       memoryLimitMiB: 1024,
       image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample")
@@ -75,15 +78,18 @@ export = {
     const stack = new cdk.Stack();
 
     // WHEN
-    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', { proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
-      containerName: "envoy",
-      properties: {
-        ignoredUID: 1337,
-        appPorts: [80, 81],
-        proxyIngressPort: 80,
-        proxyEgressPort: 81
-      }
-    })});
+    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+      networkMode: ecs.NetworkMode.AWS_VPC,
+      proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
+        containerName: "envoy",
+        properties: {
+          ignoredUID: 1337,
+          appPorts: [80, 81],
+          proxyIngressPort: 80,
+          proxyEgressPort: 81
+        }
+      })
+    });
     taskDefinition.addContainer("web", {
       memoryLimitMiB: 1024,
       image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample")
@@ -126,17 +132,20 @@ export = {
     const stack = new cdk.Stack();
 
     // WHEN
-    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', { proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
-      containerName: "envoy",
-      properties: {
-        ignoredUID: 1337,
-        appPorts: [80, 81],
-        proxyIngressPort: 80,
-        proxyEgressPort: 81,
-        egressIgnoredIPs: [],
-        egressIgnoredPorts: []
-      }
-    })});
+    const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+      networkMode: ecs.NetworkMode.AWS_VPC,
+      proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
+        containerName: "envoy",
+        properties: {
+          ignoredUID: 1337,
+          appPorts: [80, 81],
+          proxyIngressPort: 80,
+          proxyEgressPort: 81,
+          egressIgnoredIPs: [],
+          egressIgnoredPorts: []
+        }
+      })
+    });
     taskDefinition.addContainer("web", {
       memoryLimitMiB: 1024,
       image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample")
@@ -180,14 +189,17 @@ export = {
 
     // THEN
     test.throws(() => {
-      new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', { proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
-        containerName: "envoy",
-        properties: {
-          appPorts: [80, 81],
-          proxyIngressPort: 80,
-          proxyEgressPort: 81
-        }
-      })});
+      new ecs.Ec2TaskDefinition(stack, 'Ec2TaskDef', {
+        networkMode: ecs.NetworkMode.AWS_VPC,
+        proxyConfiguration: ecs.ProxyConfigurations.appMeshProxyConfiguration({
+          containerName: "envoy",
+          properties: {
+            appPorts: [80, 81],
+            proxyIngressPort: 80,
+            proxyEgressPort: 81
+          }
+        })
+      });
     }, /At least one of ignoredUID or ignoredGID should be specified./);
 
     test.done();