add feedback from luca

msambol · msambol · commit d51f5815b6a1 · 2024-03-19T10:16:14.000-06:00
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/README.md
@@ -260,7 +260,8 @@ listener.addTargets('AppFleet', {
 ### Enforce security group inbound rules on PrivateLink traffic for a Network Load Balancer
 
 You can indicate whether to evaluate inbound security group rules for traffic 
-sent to a Network Load Balancer through AWS PrivateLink. The default is `on`. 
+sent to a Network Load Balancer through AWS PrivateLink.
+The evaluation is enabled by default.
 
 ```ts
 declare const vpc: ec2.Vpc;
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-load-balancer.ts
@@ -41,7 +41,7 @@ export interface NetworkLoadBalancerProps extends BaseLoadBalancerProps {
   /**
    * Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.
    *
-   * @default on
+   * @default true
    */
   readonly enforceSecurityGroupInboundRulesOnPrivateLinkTraffic?: boolean;
 }
@@ -208,8 +208,8 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
   public readonly metrics: INetworkLoadBalancerMetrics;
   public readonly ipAddressType?: IpAddressType;
   public readonly connections: ec2.Connections;
-  public readonly enforceSecurityGroupInboundRulesOnPrivateLinkTraffic?: string;
   private readonly isSecurityGroupsPropertyDefined: boolean;
+  private readonly _enforceSecurityGroupInboundRulesOnPrivateLinkTraffic?: boolean;
 
   /**
    * After the implementation of `IConnectable` (see https://github.com/aws/aws-cdk/pull/28494), the default
@@ -229,7 +229,7 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
       securityGroups: Lazy.list({ produce: () => this.securityGroups }),
       ipAddressType: props.ipAddressType,
       enforceSecurityGroupInboundRulesOnPrivateLinkTraffic: Lazy.string({
-        produce: () => this.transformEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic(props.enforceSecurityGroupInboundRulesOnPrivateLinkTraffic),
+        produce: () => this.enforceSecurityGroupInboundRulesOnPrivateLinkTraffic,
       }),
     });
 
@@ -238,15 +238,12 @@ export class NetworkLoadBalancer extends BaseLoadBalancer implements INetworkLoa
     this.connections = new ec2.Connections({ securityGroups: props.securityGroups });
     this.ipAddressType = props.ipAddressType ?? IpAddressType.IPV4;
     if (props.crossZoneEnabled) { this.setAttribute('load_balancing.cross_zone.enabled', 'true'); }
-    this.enforceSecurityGroupInboundRulesOnPrivateLinkTraffic =
-      this.transformEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic(props.enforceSecurityGroupInboundRulesOnPrivateLinkTraffic);
+    this._enforceSecurityGroupInboundRulesOnPrivateLinkTraffic = props.enforceSecurityGroupInboundRulesOnPrivateLinkTraffic;
   }
 
-  private transformEnforceSecurityGroupInboundRulesOnPrivateLinkTraffic(value: boolean | undefined): string | undefined {
-    if (value !== undefined) {
-      return value ? 'on' : 'off';
-    }
-    return undefined;
+  public get enforceSecurityGroupInboundRulesOnPrivateLinkTraffic(): string | undefined {
+    if (this._enforceSecurityGroupInboundRulesOnPrivateLinkTraffic === undefined) return undefined;
+    return this._enforceSecurityGroupInboundRulesOnPrivateLinkTraffic ? 'on' : 'off';
   }
 
   /**
