aws-cdk-lib 2.162.0__py3-none-any.whl → 2.163.0__py3-none-any.whl

aws_cdk/aws_ecs_patterns/__init__.py

@@ -1124,6 +1124,56 @@ queue_processing_fargate_service = ecs_patterns.NetworkLoadBalancedFargateServic
 )
 ```
 
+### Set TLS for NetworkLoadBalancedFargateService / NetworkLoadBalancedEc2Service
+
+To set up TLS listener in Network Load Balancer, you need to pass extactly one ACM certificate into the option `listenerCertificate`. The listener port and the target group port will also become 443 by default. You can override the listener's port with `listenerPort` and the target group's port with `taskImageOptions.containerPort`.
+
+```python
+from aws_cdk.aws_certificatemanager import Certificate
+
+
+certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
+load_balanced_fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(self, "Service",
+    # The default value of listenerPort is 443 if you pass in listenerCertificate
+    # It is configured to port 4443 here
+    listener_port=4443,
+    listener_certificate=certificate,
+    task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
+        image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+        # The default value of containerPort is 443 if you pass in listenerCertificate
+        # It is configured to port 8443 here
+        container_port=8443
+    )
+)
+```
+
+```python
+from aws_cdk.aws_certificatemanager import Certificate
+
+# cluster: ecs.Cluster
+
+certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
+load_balanced_ecs_service = ecs_patterns.NetworkLoadBalancedEc2Service(self, "Service",
+    cluster=cluster,
+    memory_limit_mi_b=1024,
+    # The default value of listenerPort is 443 if you pass in listenerCertificate
+    # It is configured to port 4443 here
+    listener_port=4443,
+    listener_certificate=certificate,
+    task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
+        image=ecs.ContainerImage.from_registry("test"),
+        # The default value of containerPort is 443 if you pass in listenerCertificate
+        # It is configured to port 8443 here
+        container_port=8443,
+        environment={
+            "TEST_ENVIRONMENT_VARIABLE1": "test environment variable 1 value",
+            "TEST_ENVIRONMENT_VARIABLE2": "test environment variable 2 value"
+        }
+    ),
+    desired_count=2
+)
+```
+
 ### Use dualstack Load Balancer
 
 You can use dualstack IP address type for Application Load Balancer and Network Load Balancer.
@@ -1268,6 +1318,7 @@ from ..aws_elasticloadbalancingv2 import (
     ApplicationProtocolVersion as _ApplicationProtocolVersion_dddfe47b,
     ApplicationTargetGroup as _ApplicationTargetGroup_906fe365,
     IApplicationLoadBalancer as _IApplicationLoadBalancer_4cbd50ab,
+    IListenerCertificate as _IListenerCertificate_94ab42d7,
     INetworkLoadBalancer as _INetworkLoadBalancer_96e17101,
     IpAddressType as _IpAddressType_c43b240e,
     NetworkListener as _NetworkListener_539c17bf,
@@ -4009,6 +4060,7 @@ class NetworkLoadBalancedServiceBase(
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -4036,7 +4088,8 @@ class NetworkLoadBalancedServiceBase(
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -4064,6 +4117,7 @@ class NetworkLoadBalancedServiceBase(
             enable_execute_command=enable_execute_command,
             health_check_grace_period=health_check_grace_period,
             ip_address_type=ip_address_type,
+            listener_certificate=listener_certificate,
             listener_port=listener_port,
             load_balancer=load_balancer,
             max_healthy_percent=max_healthy_percent,
@@ -4174,6 +4228,7 @@ typing.cast(typing.Any, NetworkLoadBalancedServiceBase).__jsii_proxy_class__ = l
         "enable_execute_command": "enableExecuteCommand",
         "health_check_grace_period": "healthCheckGracePeriod",
         "ip_address_type": "ipAddressType",
+        "listener_certificate": "listenerCertificate",
         "listener_port": "listenerPort",
         "load_balancer": "loadBalancer",
         "max_healthy_percent": "maxHealthyPercent",
@@ -4202,6 +4257,7 @@ class NetworkLoadBalancedServiceBaseProps:
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -4227,7 +4283,8 @@ class NetworkLoadBalancedServiceBaseProps:
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -4257,6 +4314,7 @@ class NetworkLoadBalancedServiceBaseProps:
             # container_definition: ecs.ContainerDefinition
             # container_image: ecs.ContainerImage
             # hosted_zone: route53.HostedZone
+            # listener_certificate: elbv2.ListenerCertificate
             # log_driver: ecs.LogDriver
             # namespace: servicediscovery.INamespace
             # network_load_balancer: elbv2.NetworkLoadBalancer
@@ -4296,6 +4354,7 @@ class NetworkLoadBalancedServiceBaseProps:
                 enable_execute_command=False,
                 health_check_grace_period=cdk.Duration.minutes(30),
                 ip_address_type=elbv2.IpAddressType.IPV4,
+                listener_certificate=listener_certificate,
                 listener_port=123,
                 load_balancer=network_load_balancer,
                 max_healthy_percent=123,
@@ -4350,6 +4409,7 @@ class NetworkLoadBalancedServiceBaseProps:
             check_type(argname="argument enable_execute_command", value=enable_execute_command, expected_type=type_hints["enable_execute_command"])
             check_type(argname="argument health_check_grace_period", value=health_check_grace_period, expected_type=type_hints["health_check_grace_period"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
+            check_type(argname="argument listener_certificate", value=listener_certificate, expected_type=type_hints["listener_certificate"])
             check_type(argname="argument listener_port", value=listener_port, expected_type=type_hints["listener_port"])
             check_type(argname="argument load_balancer", value=load_balancer, expected_type=type_hints["load_balancer"])
             check_type(argname="argument max_healthy_percent", value=max_healthy_percent, expected_type=type_hints["max_healthy_percent"])
@@ -4385,6 +4445,8 @@ class NetworkLoadBalancedServiceBaseProps:
             self._values["health_check_grace_period"] = health_check_grace_period
         if ip_address_type is not None:
             self._values["ip_address_type"] = ip_address_type
+        if listener_certificate is not None:
+            self._values["listener_certificate"] = listener_certificate
         if listener_port is not None:
             self._values["listener_port"] = listener_port
         if load_balancer is not None:
@@ -4537,11 +4599,23 @@ class NetworkLoadBalancedServiceBaseProps:
         result = self._values.get("ip_address_type")
         return typing.cast(typing.Optional[_IpAddressType_c43b240e], result)
 
+    @builtins.property
+    def listener_certificate(self) -> typing.Optional[_IListenerCertificate_94ab42d7]:
+        '''Listener certificate list of ACM cert ARNs.
+
+        If you provide a certificate, the listener's protocol will be TLS.
+        If not, the listener's protocol will be TCP.
+
+        :default: - none
+        '''
+        result = self._values.get("listener_certificate")
+        return typing.cast(typing.Optional[_IListenerCertificate_94ab42d7], result)
+
     @builtins.property
     def listener_port(self) -> typing.Optional[jsii.Number]:
         '''Listener port of the network load balancer that will serve traffic to the service.
 
-        :default: 80
+        :default: 80 or 443 with listenerCertificate provided
         '''
         result = self._values.get("listener_port")
         return typing.cast(typing.Optional[jsii.Number], result)
@@ -4704,7 +4778,7 @@ class NetworkLoadBalancedTaskImageOptions:
         '''
         :param image: The image used to start a container. Image or taskDefinition must be specified, but not both. Default: - none
         :param container_name: The container name value to be specified in the task definition. Default: - none
-        :param container_port: The port number on the container that is bound to the user-specified or automatically assigned host port. If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. If you are using containers in a task with the bridge network mode and you specify a container port and not a host port, your container automatically receives a host port in the ephemeral port range. Port mappings that are automatically assigned in this way do not count toward the 100 reserved ports limit of a container instance. For more information, see `hostPort <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html#ECS-Type-PortMapping-hostPort>`_. Default: 80
+        :param container_port: The port number on the container that is bound to the user-specified or automatically assigned host port. If you are using containers in a task with the awsvpc or host network mode, exposed ports should be specified using containerPort. If you are using containers in a task with the bridge network mode and you specify a container port and not a host port, your container automatically receives a host port in the ephemeral port range. Port mappings that are automatically assigned in this way do not count toward the 100 reserved ports limit of a container instance. For more information, see `hostPort <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html#ECS-Type-PortMapping-hostPort>`_. Default: 80 or 443 with listenerCertificate provided
         :param docker_labels: A key/value map of labels to add to the container. Default: - No labels.
         :param enable_logging: Flag to indicate whether to enable logging. Default: true
         :param environment: The environment variables to pass to the container. Default: - No environment variables.
@@ -4718,13 +4792,23 @@ class NetworkLoadBalancedTaskImageOptions:
 
         Example::
 
+            from aws_cdk.aws_certificatemanager import Certificate
+            
             # cluster: ecs.Cluster
             
+            certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
             load_balanced_ecs_service = ecs_patterns.NetworkLoadBalancedEc2Service(self, "Service",
                 cluster=cluster,
                 memory_limit_mi_b=1024,
+                # The default value of listenerPort is 443 if you pass in listenerCertificate
+                # It is configured to port 4443 here
+                listener_port=4443,
+                listener_certificate=certificate,
                 task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
                     image=ecs.ContainerImage.from_registry("test"),
+                    # The default value of containerPort is 443 if you pass in listenerCertificate
+                    # It is configured to port 8443 here
+                    container_port=8443,
                     environment={
                         "TEST_ENVIRONMENT_VARIABLE1": "test environment variable 1 value",
                         "TEST_ENVIRONMENT_VARIABLE2": "test environment variable 2 value"
@@ -4804,7 +4888,7 @@ class NetworkLoadBalancedTaskImageOptions:
         For more information, see
         `hostPort <https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_PortMapping.html#ECS-Type-PortMapping-hostPort>`_.
 
-        :default: 80
+        :default: 80 or 443 with listenerCertificate provided
         '''
         result = self._values.get("container_port")
         return typing.cast(typing.Optional[jsii.Number], result)
@@ -10392,13 +10476,23 @@ class NetworkLoadBalancedEc2Service(
 
     Example::
 
+        from aws_cdk.aws_certificatemanager import Certificate
+        
         # cluster: ecs.Cluster
         
+        certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
         load_balanced_ecs_service = ecs_patterns.NetworkLoadBalancedEc2Service(self, "Service",
             cluster=cluster,
             memory_limit_mi_b=1024,
+            # The default value of listenerPort is 443 if you pass in listenerCertificate
+            # It is configured to port 4443 here
+            listener_port=4443,
+            listener_certificate=certificate,
             task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
                 image=ecs.ContainerImage.from_registry("test"),
+                # The default value of containerPort is 443 if you pass in listenerCertificate
+                # It is configured to port 8443 here
+                container_port=8443,
                 environment={
                     "TEST_ENVIRONMENT_VARIABLE1": "test environment variable 1 value",
                     "TEST_ENVIRONMENT_VARIABLE2": "test environment variable 2 value"
@@ -10431,6 +10525,7 @@ class NetworkLoadBalancedEc2Service(
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -10464,7 +10559,8 @@ class NetworkLoadBalancedEc2Service(
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -10498,6 +10594,7 @@ class NetworkLoadBalancedEc2Service(
             enable_execute_command=enable_execute_command,
             health_check_grace_period=health_check_grace_period,
             ip_address_type=ip_address_type,
+            listener_certificate=listener_certificate,
             listener_port=listener_port,
             load_balancer=load_balancer,
             max_healthy_percent=max_healthy_percent,
@@ -10541,6 +10638,7 @@ class NetworkLoadBalancedEc2Service(
         "enable_execute_command": "enableExecuteCommand",
         "health_check_grace_period": "healthCheckGracePeriod",
         "ip_address_type": "ipAddressType",
+        "listener_certificate": "listenerCertificate",
         "listener_port": "listenerPort",
         "load_balancer": "loadBalancer",
         "max_healthy_percent": "maxHealthyPercent",
@@ -10575,6 +10673,7 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -10606,7 +10705,8 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -10627,13 +10727,23 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
 
         Example::
 
+            from aws_cdk.aws_certificatemanager import Certificate
+            
             # cluster: ecs.Cluster
             
+            certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
             load_balanced_ecs_service = ecs_patterns.NetworkLoadBalancedEc2Service(self, "Service",
                 cluster=cluster,
                 memory_limit_mi_b=1024,
+                # The default value of listenerPort is 443 if you pass in listenerCertificate
+                # It is configured to port 4443 here
+                listener_port=4443,
+                listener_certificate=certificate,
                 task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
                     image=ecs.ContainerImage.from_registry("test"),
+                    # The default value of containerPort is 443 if you pass in listenerCertificate
+                    # It is configured to port 8443 here
+                    container_port=8443,
                     environment={
                         "TEST_ENVIRONMENT_VARIABLE1": "test environment variable 1 value",
                         "TEST_ENVIRONMENT_VARIABLE2": "test environment variable 2 value"
@@ -10664,6 +10774,7 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
             check_type(argname="argument enable_execute_command", value=enable_execute_command, expected_type=type_hints["enable_execute_command"])
             check_type(argname="argument health_check_grace_period", value=health_check_grace_period, expected_type=type_hints["health_check_grace_period"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
+            check_type(argname="argument listener_certificate", value=listener_certificate, expected_type=type_hints["listener_certificate"])
             check_type(argname="argument listener_port", value=listener_port, expected_type=type_hints["listener_port"])
             check_type(argname="argument load_balancer", value=load_balancer, expected_type=type_hints["load_balancer"])
             check_type(argname="argument max_healthy_percent", value=max_healthy_percent, expected_type=type_hints["max_healthy_percent"])
@@ -10705,6 +10816,8 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
             self._values["health_check_grace_period"] = health_check_grace_period
         if ip_address_type is not None:
             self._values["ip_address_type"] = ip_address_type
+        if listener_certificate is not None:
+            self._values["listener_certificate"] = listener_certificate
         if listener_port is not None:
             self._values["listener_port"] = listener_port
         if load_balancer is not None:
@@ -10869,11 +10982,23 @@ class NetworkLoadBalancedEc2ServiceProps(NetworkLoadBalancedServiceBaseProps):
         result = self._values.get("ip_address_type")
         return typing.cast(typing.Optional[_IpAddressType_c43b240e], result)
 
+    @builtins.property
+    def listener_certificate(self) -> typing.Optional[_IListenerCertificate_94ab42d7]:
+        '''Listener certificate list of ACM cert ARNs.
+
+        If you provide a certificate, the listener's protocol will be TLS.
+        If not, the listener's protocol will be TCP.
+
+        :default: - none
+        '''
+        result = self._values.get("listener_certificate")
+        return typing.cast(typing.Optional[_IListenerCertificate_94ab42d7], result)
+
     @builtins.property
     def listener_port(self) -> typing.Optional[jsii.Number]:
         '''Listener port of the network load balancer that will serve traffic to the service.
 
-        :default: 80
+        :default: 80 or 443 with listenerCertificate provided
         '''
         result = self._values.get("listener_port")
         return typing.cast(typing.Optional[jsii.Number], result)
@@ -11089,16 +11214,21 @@ class NetworkLoadBalancedFargateService(
 
     Example::
 
-        # vpc: ec2.Vpc
-        # security_group: ec2.SecurityGroup
+        from aws_cdk.aws_certificatemanager import Certificate
         
-        queue_processing_fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(self, "Service",
-            vpc=vpc,
-            memory_limit_mi_b=512,
+        
+        certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
+        load_balanced_fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(self, "Service",
+            # The default value of listenerPort is 443 if you pass in listenerCertificate
+            # It is configured to port 4443 here
+            listener_port=4443,
+            listener_certificate=certificate,
             task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
-                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-            ),
-            security_groups=[security_group]
+                image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+                # The default value of containerPort is 443 if you pass in listenerCertificate
+                # It is configured to port 8443 here
+                container_port=8443
+            )
         )
     '''
 
@@ -11122,6 +11252,7 @@ class NetworkLoadBalancedFargateService(
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -11158,7 +11289,8 @@ class NetworkLoadBalancedFargateService(
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -11195,6 +11327,7 @@ class NetworkLoadBalancedFargateService(
             enable_execute_command=enable_execute_command,
             health_check_grace_period=health_check_grace_period,
             ip_address_type=ip_address_type,
+            listener_certificate=listener_certificate,
             listener_port=listener_port,
             load_balancer=load_balancer,
             max_healthy_percent=max_healthy_percent,
@@ -11249,6 +11382,7 @@ class NetworkLoadBalancedFargateService(
         "enable_execute_command": "enableExecuteCommand",
         "health_check_grace_period": "healthCheckGracePeriod",
         "ip_address_type": "ipAddressType",
+        "listener_certificate": "listenerCertificate",
         "listener_port": "listenerPort",
         "load_balancer": "loadBalancer",
         "max_healthy_percent": "maxHealthyPercent",
@@ -11289,6 +11423,7 @@ class NetworkLoadBalancedFargateServiceProps(
         enable_execute_command: typing.Optional[builtins.bool] = None,
         health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
         ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+        listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
         listener_port: typing.Optional[jsii.Number] = None,
         load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
         max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -11323,7 +11458,8 @@ class NetworkLoadBalancedFargateServiceProps(
         :param enable_execute_command: Whether ECS Exec should be enabled. Default: - false
         :param health_check_grace_period: The period of time, in seconds, that the Amazon ECS service scheduler ignores unhealthy Elastic Load Balancing target health checks after a task has first started. Default: - defaults to 60 seconds if at least one load balancer is in-use and it is not already set
         :param ip_address_type: The type of IP addresses to use. If you want to add a UDP or TCP_UDP listener to the load balancer, you must choose IPv4. Default: IpAddressType.IPV4
-        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80
+        :param listener_certificate: Listener certificate list of ACM cert ARNs. If you provide a certificate, the listener's protocol will be TLS. If not, the listener's protocol will be TCP. Default: - none
+        :param listener_port: Listener port of the network load balancer that will serve traffic to the service. Default: 80 or 443 with listenerCertificate provided
         :param load_balancer: The network load balancer that will serve traffic to the service. If the load balancer has been imported, the vpc attribute must be specified in the call to fromNetworkLoadBalancerAttributes(). [disable-awslint:ref-via-interface] Default: - a new load balancer will be created.
         :param max_healthy_percent: The maximum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that can run in a service during a deployment. Default: - 100 if daemon, otherwise 200
         :param min_healthy_percent: The minimum number of tasks, specified as a percentage of the Amazon ECS service's DesiredCount value, that must continue to run and remain healthy during a deployment. Default: - 0 if daemon, otherwise 50
@@ -11347,16 +11483,21 @@ class NetworkLoadBalancedFargateServiceProps(
 
         Example::
 
-            # vpc: ec2.Vpc
-            # security_group: ec2.SecurityGroup
+            from aws_cdk.aws_certificatemanager import Certificate
             
-            queue_processing_fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(self, "Service",
-                vpc=vpc,
-                memory_limit_mi_b=512,
+            
+            certificate = Certificate.from_certificate_arn(self, "Cert", "arn:aws:acm:us-east-1:123456:certificate/abcdefg")
+            load_balanced_fargate_service = ecs_patterns.NetworkLoadBalancedFargateService(self, "Service",
+                # The default value of listenerPort is 443 if you pass in listenerCertificate
+                # It is configured to port 4443 here
+                listener_port=4443,
+                listener_certificate=certificate,
                 task_image_options=ecsPatterns.NetworkLoadBalancedTaskImageOptions(
-                    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample")
-                ),
-                security_groups=[security_group]
+                    image=ecs.ContainerImage.from_registry("amazon/amazon-ecs-sample"),
+                    # The default value of containerPort is 443 if you pass in listenerCertificate
+                    # It is configured to port 8443 here
+                    container_port=8443
+                )
             )
         '''
         if isinstance(circuit_breaker, dict):
@@ -11385,6 +11526,7 @@ class NetworkLoadBalancedFargateServiceProps(
             check_type(argname="argument enable_execute_command", value=enable_execute_command, expected_type=type_hints["enable_execute_command"])
             check_type(argname="argument health_check_grace_period", value=health_check_grace_period, expected_type=type_hints["health_check_grace_period"])
             check_type(argname="argument ip_address_type", value=ip_address_type, expected_type=type_hints["ip_address_type"])
+            check_type(argname="argument listener_certificate", value=listener_certificate, expected_type=type_hints["listener_certificate"])
             check_type(argname="argument listener_port", value=listener_port, expected_type=type_hints["listener_port"])
             check_type(argname="argument load_balancer", value=load_balancer, expected_type=type_hints["load_balancer"])
             check_type(argname="argument max_healthy_percent", value=max_healthy_percent, expected_type=type_hints["max_healthy_percent"])
@@ -11429,6 +11571,8 @@ class NetworkLoadBalancedFargateServiceProps(
             self._values["health_check_grace_period"] = health_check_grace_period
         if ip_address_type is not None:
             self._values["ip_address_type"] = ip_address_type
+        if listener_certificate is not None:
+            self._values["listener_certificate"] = listener_certificate
         if listener_port is not None:
             self._values["listener_port"] = listener_port
         if load_balancer is not None:
@@ -11599,11 +11743,23 @@ class NetworkLoadBalancedFargateServiceProps(
         result = self._values.get("ip_address_type")
         return typing.cast(typing.Optional[_IpAddressType_c43b240e], result)
 
+    @builtins.property
+    def listener_certificate(self) -> typing.Optional[_IListenerCertificate_94ab42d7]:
+        '''Listener certificate list of ACM cert ARNs.
+
+        If you provide a certificate, the listener's protocol will be TLS.
+        If not, the listener's protocol will be TCP.
+
+        :default: - none
+        '''
+        result = self._values.get("listener_certificate")
+        return typing.cast(typing.Optional[_IListenerCertificate_94ab42d7], result)
+
     @builtins.property
     def listener_port(self) -> typing.Optional[jsii.Number]:
         '''Listener port of the network load balancer that will serve traffic to the service.
 
-        :default: 80
+        :default: 80 or 443 with listenerCertificate provided
         '''
         result = self._values.get("listener_port")
         return typing.cast(typing.Optional[jsii.Number], result)
@@ -16434,6 +16590,7 @@ def _typecheckingstub__12b53d0ee1ed0e067bd3d89a143b1004884a752670676417fa81284f7
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -16481,6 +16638,7 @@ def _typecheckingstub__b8c23351e0c4b39637462c662d702bdc3b000214d7335a22d67c31895
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -17108,6 +17266,7 @@ def _typecheckingstub__25a24a1cd170ed236f46460373e5ad18864ab4b8845363c5e05a08cd3
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -17136,6 +17295,7 @@ def _typecheckingstub__b000aecf519f70fc3affe03da9de2d9fb2bdfca5ee4102634f4e17198
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -17175,6 +17335,7 @@ def _typecheckingstub__633773eb8c5e71fd9d413b4600a4460d67ddbbf4f0d1ad414b05ab210
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,
@@ -17209,6 +17370,7 @@ def _typecheckingstub__883e3ba9ce3759b7fedc824d271d29edacc0ccdd564e943054039dc84
     enable_execute_command: typing.Optional[builtins.bool] = None,
     health_check_grace_period: typing.Optional[_Duration_4839e8c3] = None,
     ip_address_type: typing.Optional[_IpAddressType_c43b240e] = None,
+    listener_certificate: typing.Optional[_IListenerCertificate_94ab42d7] = None,
     listener_port: typing.Optional[jsii.Number] = None,
     load_balancer: typing.Optional[_INetworkLoadBalancer_96e17101] = None,
     max_healthy_percent: typing.Optional[jsii.Number] = None,