aws · rix0rrr · Dec 19, 2025
diff --git a/packages/aws-cdk-lib/aws-codedeploy/lib/ecs/deployment-group.ts b/packages/aws-cdk-lib/aws-codedeploy/lib/ecs/deployment-group.ts
@@ -63,7 +63,7 @@ export interface EcsBlueGreenDeploymentConfig {
    * The load balancer listener used to serve production traffic and to shift production traffic from the
    * 'blue' ECS task set to the 'green' ECS task set during a blue-green deployment.
    */
-  readonly listener: elbv2.IListener;
+  readonly listener: elbv2.IListenerRef;
 
   /**
    * The load balancer listener used to route test traffic to the 'green' ECS task set during a blue-green deployment.
@@ -79,7 +79,7 @@ export interface EcsBlueGreenDeploymentConfig {
    *
    * @default No test listener will be added
    */
-  readonly testListener?: elbv2.IListener;
+  readonly testListener?: elbv2.IListenerRef;
 
   /**
    * Specify how long CodeDeploy waits for approval to continue a blue-green deployment before it stops the deployment.
@@ -330,12 +330,12 @@ export class EcsDeploymentGroup extends DeploymentGroupBase implements IEcsDeplo
           ],
           prodTrafficRoute: {
             listenerArns: [
-              options.listener.listenerArn,
+              options.listener.listenerRef.listenerArn,
             ],
           },
           testTrafficRoute: options.testListener ? {
             listenerArns: [
-              options.testListener.listenerArn,
+              options.testListener.listenerRef.listenerArn,
             ],
           } : undefined,
         },

diff --git a/packages/aws-cdk-lib/aws-ecs/lib/alternate-target-configuration.ts b/packages/aws-cdk-lib/aws-ecs/lib/alternate-target-configuration.ts
@@ -1,6 +1,7 @@
 import { IConstruct } from 'constructs';
 import * as elbv2 from '../../aws-elasticloadbalancingv2';
 import * as iam from '../../aws-iam';
+import { aws_elasticloadbalancingv2 } from '../../interfaces';
 
 /**
  * Represents a listener configuration for advanced load balancer settings
@@ -111,7 +112,7 @@ export interface AlternateTargetProps extends AlternateTargetOptions {
   /**
    * The alternate target group
    */
-  readonly alternateTargetGroup: elbv2.ITargetGroup;
+  readonly alternateTargetGroup: aws_elasticloadbalancingv2.ITargetGroupRef;
 
   /**
    * The production listener rule ARN (ALB) or listener ARN (NLB)
@@ -138,7 +139,7 @@ export class AlternateTarget implements IAlternateTarget {
     });
 
     const config: AlternateTargetConfig = {
-      alternateTargetGroupArn: this.props.alternateTargetGroup.targetGroupArn,
+      alternateTargetGroupArn: this.props.alternateTargetGroup.targetGroupRef.targetGroupArn,
       roleArn: role.roleArn,
       productionListenerRule: this.props.productionListener._listenerArn,
       testListenerRule: this.props.testListener?._listenerArn,

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/alb-target.ts
@@ -1,4 +1,5 @@
 import * as elbv2 from '../../aws-elasticloadbalancingv2';
+import { aws_elasticloadbalancingv2 } from '../../interfaces';
 
 /**
  * A single Application Load Balancer as the target for load balancing.
@@ -20,14 +21,14 @@ export class AlbArnTarget implements elbv2.INetworkLoadBalancerTarget {
    * Don't call this, it is called automatically when you add the target to a
    * load balancer.
    */
-  public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps {
+  public attachToNetworkTargetGroup(targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return this._attach(targetGroup);
   }
 
   /**
    * @internal
    */
-  protected _attach(_targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps {
+  protected _attach(_targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return {
       targetType: elbv2.TargetType.ALB,
       targetJson: { id: this.albArn, port: this.port },
@@ -48,8 +49,8 @@ export class AlbTarget extends AlbArnTarget {
    * @param alb The application load balancer to load balance to
    * @param port The port on which the target is listening
    */
-  constructor(alb: elbv2.IApplicationLoadBalancer, port: number) {
-    super(alb.loadBalancerArn, port);
+  constructor(alb: aws_elasticloadbalancingv2.ILoadBalancerRef, port: number) {
+    super(alb.loadBalancerRef.loadBalancerArn, port);
   }
 }
 
@@ -68,7 +69,7 @@ export class AlbListenerTarget extends AlbArnTarget {
     super(albListener.loadBalancer.loadBalancerArn, albListener.port);
   }
 
-  private attach(targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps {
+  private attach(targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     targetGroup.node.addDependency(this.albListener);
     return super._attach(targetGroup);
   }
@@ -82,7 +83,7 @@ export class AlbListenerTarget extends AlbArnTarget {
    * This adds dependency on albListener because creation of ALB listener and NLB can vary during runtime.
    * More Details on - https://github.com/aws/aws-cdk/issues/17208
    */
-  public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps {
+  public attachToNetworkTargetGroup(targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return this.attach(targetGroup);
   }
 }
diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/ip-target.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/ip-target.ts
@@ -1,4 +1,5 @@
 import * as elbv2 from '../../aws-elasticloadbalancingv2';
+import { aws_elasticloadbalancingv2 } from '../../interfaces';
 
 /**
  * An IP address that is a target for load balancing.
@@ -43,7 +44,7 @@ export class IpTarget implements elbv2.IApplicationLoadBalancerTarget, elbv2.INe
    * Don't call this, it is called automatically when you add the target to a
    * load balancer.
    */
-  public attachToApplicationTargetGroup(targetGroup: elbv2.IApplicationTargetGroup): elbv2.LoadBalancerTargetProps {
+  public attachToApplicationTargetGroup(targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return this.attach(targetGroup);
   }
 
@@ -53,11 +54,11 @@ export class IpTarget implements elbv2.IApplicationLoadBalancerTarget, elbv2.INe
    * Don't call this, it is called automatically when you add the target to a
    * load balancer.
    */
-  public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps {
+  public attachToNetworkTargetGroup(targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return this.attach(targetGroup);
   }
 
-  private attach(_targetGroup: elbv2.ITargetGroup): elbv2.LoadBalancerTargetProps {
+  private attach(_targetGroup: aws_elasticloadbalancingv2.ITargetGroupRef): elbv2.LoadBalancerTargetProps {
     return {
       targetType: elbv2.TargetType.IP,
       targetJson: { id: this.ipAddress, port: this.port, availabilityZone: this.availabilityZone },

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener-certificate.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener-certificate.ts
@@ -1,6 +1,6 @@
 import { Construct } from 'constructs';
-import { IApplicationListener } from './application-listener';
 import { ValidationError } from '../../../core/lib/errors';
+import { aws_elasticloadbalancingv2 as elbv2 } from '../../../interfaces';
 import { CfnListenerCertificate } from '../elasticloadbalancingv2.generated';
 import { IListenerCertificate } from '../shared/listener-certificate';
 
@@ -11,7 +11,7 @@ export interface ApplicationListenerCertificateProps {
   /**
    * The listener to attach the rule to
    */
-  readonly listener: IApplicationListener;
+  readonly listener: elbv2.IListenerRef;
 
   /**
    * ARNs of certificates to attach
@@ -50,7 +50,7 @@ export class ApplicationListenerCertificate extends Construct {
     ];
 
     new CfnListenerCertificate(this, 'Resource', {
-      listenerArn: props.listener.listenerArn,
+      listenerArn: props.listener.listenerRef.listenerArn,
       certificates,
     });
   }

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-listener.ts
@@ -5,14 +5,15 @@ import { ApplicationListenerRule, FixedResponse, RedirectResponse } from './appl
 import { IApplicationLoadBalancer } from './application-load-balancer';
 import { ApplicationTargetGroup, IApplicationLoadBalancerTarget, IApplicationTargetGroup } from './application-target-group';
 import { ListenerCondition } from './conditions';
-import { ITrustStore } from './trust-store';
+
 import * as ec2 from '../../../aws-ec2';
 import * as cxschema from '../../../cloud-assembly-schema';
 import { Annotations, Duration, FeatureFlags, Lazy, Resource, Token } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import * as cxapi from '../../../cx-api';
+import { aws_elasticloadbalancingv2 } from '../../../interfaces';
 import { BaseListener, BaseListenerLookupOptions, IListener } from '../shared/base-listener';
 import { HealthCheck } from '../shared/base-target-group';
 import { ApplicationProtocol, ApplicationProtocolVersion, TargetGroupLoadBalancingAlgorithmType, IpAddressType, SslPolicy } from '../shared/enums';
@@ -130,7 +131,7 @@ export interface MutualAuthentication {
    *
    * @default - no trust store
    */
-  readonly trustStore?: ITrustStore;
+  readonly trustStore?: aws_elasticloadbalancingv2.ITrustStoreRef;
 
   /**
    * Indicates whether expired client certificates are ignored
@@ -287,7 +288,7 @@ export class ApplicationListener extends BaseListener implements IApplicationLis
         advertiseTrustStoreCaNames,
         ignoreClientCertificateExpiry: props.mutualAuthentication?.ignoreClientCertificateExpiry,
         mode: props.mutualAuthentication?.mutualAuthenticationMode,
-        trustStoreArn: props.mutualAuthentication?.trustStore?.trustStoreArn,
+        trustStoreArn: props.mutualAuthentication?.trustStore?.trustStoreRef.trustStoreArn,
       } : undefined,
     });
     // Enhanced CDK Analytics Telemetry
@@ -695,6 +696,15 @@ abstract class ExternalApplicationListener extends Resource implements IApplicat
    */
   public abstract readonly listenerArn: string;
 
+  /**
+   * A reference to this listener
+   */
+  public get listenerRef(): aws_elasticloadbalancingv2.ListenerReference {
+    return {
+      listenerArn: this.listenerArn,
+    };
+  }
+
   constructor(scope: Construct, id: string) {
     super(scope, id);
   }

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-load-balancer.ts
@@ -12,6 +12,7 @@ import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata, MethodMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
 import * as cxapi from '../../../cx-api';
+import { aws_elasticloadbalancingv2 } from '../../../interfaces';
 import { ApplicationELBMetrics } from '../elasticloadbalancingv2-canned-metrics.generated';
 import { BaseLoadBalancer, BaseLoadBalancerLookupOptions, BaseLoadBalancerProps, ILoadBalancerV2 } from '../shared/base-load-balancer';
 import { IpAddressType, ApplicationProtocol, DesyncMitigationMode } from '../shared/enums';
@@ -1219,6 +1220,15 @@ class ImportedApplicationLoadBalancer extends Resource implements IApplicationLo
    */
   public readonly loadBalancerArn: string;
 
+  /**
+   * A reference to this load balancer
+   */
+  public get loadBalancerRef(): aws_elasticloadbalancingv2.LoadBalancerReference {
+    return {
+      loadBalancerArn: this.loadBalancerArn,
+    };
+  }
+
   public get listeners(): ApplicationListener[] {
     throw Error('.listeners can only be accessed if the class was constructed as an owned, not imported, load balancer');
   }
@@ -1281,6 +1291,15 @@ class LookedUpApplicationLoadBalancer extends Resource implements IApplicationLo
   public readonly vpc?: ec2.IVpc;
   public readonly metrics: IApplicationLoadBalancerMetrics;
 
+  /**
+   * A reference to this load balancer
+   */
+  public get loadBalancerRef(): aws_elasticloadbalancingv2.LoadBalancerReference {
+    return {
+      loadBalancerArn: this.loadBalancerArn,
+    };
+  }
+
   public get listeners(): ApplicationListener[] {
     throw Error('.listeners can only be accessed if the class was constructed as an owned, not looked up, load balancer');
   }

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-target-group.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/application-target-group.ts
@@ -6,6 +6,7 @@ import * as ec2 from '../../../aws-ec2';
 import { Aws, Annotations, Duration, Token } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
+import { aws_elasticloadbalancingv2 as elbv2 } from '../../../interfaces';
 import { ApplicationELBMetrics } from '../elasticloadbalancingv2-canned-metrics.generated';
 import {
   BaseTargetGroupProps, ITargetGroup, loadBalancerNameFromListenerArn, LoadBalancerTargetProps,
@@ -698,7 +699,7 @@ class ImportedApplicationTargetGroup extends ImportedTargetGroupBase implements
     }
   }
 
-  public registerListener(_listener: IApplicationListener, _associatingConstruct?: IConstruct) {
+  public registerListener(_listener: elbv2.IListenerRef, _associatingConstruct?: IConstruct) {
     // Nothing to do, we know nothing of our members
     Annotations.of(this).addWarningV2('@aws-cdk/aws-elbv2:albTargetGroupCannotRegisterListener', 'Cannot register listener on imported target group -- security groups might need to be updated manually');
   }

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store-revocation.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store-revocation.ts
@@ -1,9 +1,9 @@
 import { Construct } from 'constructs';
-import { ITrustStore } from './trust-store';
 import { IBucketRef } from '../../../aws-s3';
 import { Resource } from '../../../core';
 import { addConstructMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
+import { aws_elasticloadbalancingv2 } from '../../../interfaces';
 import { CfnTrustStoreRevocation } from '../elasticloadbalancingv2.generated';
 
 /**
@@ -14,7 +14,7 @@ export interface TrustStoreRevocationProps {
   /**
    * The trust store
    */
-  readonly trustStore: ITrustStore;
+  readonly trustStore: aws_elasticloadbalancingv2.ITrustStoreRef;
 
   /**
    * The revocation file to add
@@ -75,7 +75,7 @@ export class TrustStoreRevocation extends Resource {
     addConstructMetadata(this, props);
 
     new CfnTrustStoreRevocation(this, 'Resource', {
-      trustStoreArn: props.trustStore.trustStoreArn,
+      trustStoreArn: props.trustStore.trustStoreRef.trustStoreArn,
       revocationContents: props.revocationContents?.map(content => ({
         revocationType: content.revocationType,
         s3Bucket: content.bucket.bucketRef.bucketName,

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/alb/trust-store.ts
@@ -4,12 +4,13 @@ import { Fn, IResource, Lazy, Names, Resource, Token } from '../../../core';
 import { ValidationError } from '../../../core/lib/errors';
 import { addConstructMetadata } from '../../../core/lib/metadata-resource';
 import { propertyInjectable } from '../../../core/lib/prop-injectable';
+import { aws_elasticloadbalancingv2 } from '../../../interfaces';
 import { CfnTrustStore } from '../elasticloadbalancingv2.generated';
 
 /**
  * Represents a Trust Store
  */
-export interface ITrustStore extends IResource {
+export interface ITrustStore extends IResource, aws_elasticloadbalancingv2.ITrustStoreRef {
   /**
    * The name of the trust store
    * @attribute
@@ -73,6 +74,12 @@ export class TrustStore extends Resource implements ITrustStore {
     class Import extends Resource implements ITrustStore {
       public readonly trustStoreArn = trustStoreArn;
       public readonly trustStoreName = trustStoreName;
+
+      public get trustStoreRef(): aws_elasticloadbalancingv2.TrustStoreReference {
+        return {
+          trustStoreArn: this.trustStoreArn,
+        };
+      }
     }
     return new Import(scope, id);
   }
@@ -105,6 +112,15 @@ export class TrustStore extends Resource implements ITrustStore {
    */
   public readonly trustStoreArn: string;
 
+  /**
+   * A reference to this trust store
+   */
+  public get trustStoreRef(): aws_elasticloadbalancingv2.TrustStoreReference {
+    return {
+      trustStoreArn: this.trustStoreArn,
+    };
+  }
+
   constructor(scope: Construct, id: string, props: TrustStoreProps) {
     super(scope, id, {
       physicalName: props.trustStoreName ?? Lazy.string({

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener-action.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener-action.ts
@@ -1,8 +1,8 @@
 import { Construct } from 'constructs';
-import { INetworkListener } from './network-listener';
 import { INetworkTargetGroup } from './network-target-group';
 import { Duration } from '../../../core';
 import { UnscopedValidationError } from '../../../core/lib/errors';
+import { aws_elasticloadbalancingv2 as elbv2 } from '../../../interfaces';
 import { CfnListener, CfnListenerRule } from '../elasticloadbalancingv2.generated';
 import { IListenerAction } from '../shared/listener-action';
 
@@ -96,7 +96,7 @@ export class NetworkListenerAction implements IListenerAction {
   /**
    * Called when the action is being used in a listener
    */
-  public bind(scope: Construct, listener: INetworkListener) {
+  public bind(scope: Construct, listener: elbv2.IListenerRef) {
     // Empty on purpose
     Array.isArray(scope);
     Array.isArray(listener);
@@ -164,7 +164,7 @@ class TargetGroupListenerAction extends NetworkListenerAction {
     super(defaultActionJson);
   }
 
-  public bind(_scope: Construct, listener: INetworkListener) {
+  public bind(_scope: Construct, listener: elbv2.IListenerRef) {
     for (const tg of this.targetGroups) {
       tg.registerListener(listener);
     }

diff --git a/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener-certificate.ts b/packages/aws-cdk-lib/aws-elasticloadbalancingv2/lib/nlb/network-listener-certificate.ts
@@ -1,5 +1,5 @@
 import { Construct } from 'constructs';
-import { INetworkListener } from './network-listener';
+import { aws_elasticloadbalancingv2 as elbv2 } from '../../../interfaces';
 import { CfnListenerCertificate } from '../elasticloadbalancingv2.generated';
 import { IListenerCertificate } from '../shared/listener-certificate';
 
@@ -10,7 +10,7 @@ export interface NetworkListenerCertificateProps {
   /**
    * The listener to attach the rule to
    */
-  readonly listener: INetworkListener;
+  readonly listener: elbv2.IListenerRef;
 
   /**
    * Certificates to attach
@@ -32,7 +32,7 @@ export class NetworkListenerCertificate extends Construct {
     ];
 
     new CfnListenerCertificate(this, 'Resource', {
-      listenerArn: props.listener.listenerArn,
+      listenerArn: props.listener.listenerRef.listenerArn,
       certificates,
     });
   }