fix(elasticloadbalancingv2): dualstack ALB missing default IPv6 ingress rule

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-listener.ts

@@ -2,7 +2,7 @@ import * as ec2 from '@aws-cdk/aws-ec2';
 import { Construct, Duration, IResource, Lazy, Resource, Token } from '@aws-cdk/core';
 import { BaseListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
-import { ApplicationProtocol, SslPolicy } from '../shared/enums';
+import { ApplicationProtocol, IpAddressType, SslPolicy } from '../shared/enums';
 import { IListenerCertificate, ListenerCertificate } from '../shared/listener-certificate';
 import { determineProtocolAndPort } from '../shared/util';
 import { ListenerAction } from './application-listener-action';
@@ -186,6 +186,10 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
     if (props.open !== false) {
       this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv4(), `Allow from anyone on port ${port}`);
     }
+
+    if (props.open !== false && this.loadBalancer.ipAddressType === IpAddressType.DUAL_STACK) {
+      this.connections.allowDefaultPortFrom(ec2.Peer.anyIpv6(), `Allow from anyone on port ${port}`);
+    }
   }
 
   /**

packages/@aws-cdk/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts

@@ -56,6 +56,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
   }
 
   public readonly connections: ec2.Connections;
+  public readonly ipAddressType?: IpAddressType;
   private readonly securityGroup: ec2.ISecurityGroup;
 
   constructor(scope: Construct, id: string, props: ApplicationLoadBalancerProps) {
@@ -65,6 +66,7 @@ export class ApplicationLoadBalancer extends BaseLoadBalancer implements IApplic
       ipAddressType: props.ipAddressType,
     });
 
+    this.ipAddressType = props.ipAddressType || IpAddressType.IPV4;
     this.securityGroup = props.securityGroup || new ec2.SecurityGroup(this, 'SecurityGroup', {
       vpc: props.vpc,
       description: `Automatically created Security Group for ELB ${this.node.uniqueId}`,
@@ -458,6 +460,11 @@ export interface IApplicationLoadBalancer extends ILoadBalancerV2, ec2.IConnecta
    */
   readonly vpc?: ec2.IVpc;
 
+  /**
+   * The IP Address Type for this load balancer
+   */
+  readonly ipAddressType?: IpAddressType;
+
   /**
    * Add a new listener to this load balancer
    */

packages/@aws-cdk/aws-elasticloadbalancingv2/test/alb/test.listener.ts

@@ -48,7 +48,7 @@ export = {
     test.done();
   },
 
-  'Listener default to open'(test: Test) {
+  'Listener default to open - IPv4'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();
     const vpc = new ec2.Vpc(stack, 'Stack');
@@ -76,6 +76,41 @@ export = {
     test.done();
   },
 
+  'Listener default to open - Dualstack'(test: Test) {
+    // GIVEN
+    const stack = new cdk.Stack();
+    const vpc = new ec2.Vpc(stack, 'Stack');
+    const loadBalancer = new elbv2.ApplicationLoadBalancer(stack, 'LB', { vpc, ipAddressType: elbv2.IpAddressType.DUAL_STACK});
+
+    // WHEN
+    loadBalancer.addListener('MyListener', {
+      port: 80,
+      defaultTargetGroups: [new elbv2.ApplicationTargetGroup(stack, 'Group', { vpc, port: 80 })],
+    });
+
+    // THEN
+    expect(stack).to(haveResource('AWS::EC2::SecurityGroup', {
+      SecurityGroupIngress: [
+        {
+          Description: 'Allow from anyone on port 80',
+          CidrIp: '0.0.0.0/0',
+          FromPort: 80,
+          IpProtocol: 'tcp',
+          ToPort: 80,
+        },
+        {
+          Description: 'Allow from anyone on port 80',
+          CidrIpv6: '::/0',
+          FromPort: 80,
+          IpProtocol: 'tcp',
+          ToPort: 80,
+        },
+      ],
+    }));
+
+    test.done();
+  },
+
   'HTTPS listener requires certificate'(test: Test) {
     // GIVEN
     const stack = new cdk.Stack();