This terraform module is used to create ALB on AWS.
We eat, drink, sleep and most importantly love DevOps. We are working towards strategies for standardizing architecture while ensuring security for the infrastructure. We are strong believer of the philosophy Bigger problems are always solved by breaking them into smaller manageable problems. Resonating with microservices architecture, it is considered best-practice to run database, cluster, storage in smaller connected yet manageable pieces within the infrastructure.
This module is basically combination of Terraform open source and includes automatation tests and examples. It also helps to create and improve your infrastructure with minimalistic code instead of maintaining the whole infrastructure code yourself.
We have fifty plus terraform modules. A few of them are comepleted and are available for open source usage while a few others are in progress.
This module has a few dependencies:
IMPORTANT: Since the master
branch used in source
varies based on new modifications, we suggest that you use the release versions here.
Here are examples of how you can use this module in your inventory structure:
module "alb" {
source = "clouddrove/alb/aws"
version = "1.4.0"
name = local.name
enable = true
internal = true
load_balancer_type = "application"
instance_count = module.ec2.instance_count
subnets = module.public_subnets.public_subnet_id
target_id = module.ec2.instance_id
vpc_id = module.vpc.vpc_id
allowed_ip = [module.vpc.vpc_cidr_block]
allowed_ports = [3306]
listener_certificate_arn = module.acm.arn
enable_deletion_protection = false
with_target_group = true
https_enabled = true
http_enabled = true
https_port = 443
listener_type = "forward"
target_group_port = 80
http_tcp_listeners = [
{
port = 80
protocol = "TCP"
target_group_index = 0
},
{
port = 81
protocol = "TCP"
target_group_index = 0
},
]
https_listeners = [
{
port = 443
protocol = "TLS"
target_group_index = 0
certificate_arn = module.acm.arn
},
{
port = 84
protocol = "TLS"
target_group_index = 0
certificate_arn = module.acm.arn
},
]
target_groups = [
{
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
deregistration_delay = 300
health_check = {
enabled = true
interval = 30
path = "/"
port = "traffic-port"
healthy_threshold = 3
unhealthy_threshold = 3
timeout = 10
protocol = "HTTP"
matcher = "200-399"
}
}
]
extra_ssl_certs = [
{
https_listener_index = 0
certificate_arn = module.acm.arn
}
]
}
module "nlb" {
source = "clouddrove/alb/aws"
version = "1.4.0"
name = local.name
enable = true
internal = false
load_balancer_type = "network"
instance_count = module.ec2.instance_count
subnets = module.public_subnets.public_subnet_id
target_id = module.ec2.instance_id
vpc_id = module.vpc.vpc_id
enable_deletion_protection = false
with_target_group = true
http_tcp_listeners = [
{
port = 80
protocol = "TCP"
target_group_index = 0
},
{
port = 81
protocol = "TCP"
target_group_index = 0
},
]
target_groups = [
{
backend_protocol = "TCP"
backend_port = 80
target_type = "instance"
},
{
backend_protocol = "TCP"
backend_port = 81
target_type = "instance"
},
]
https_listeners = [
{
port = 443
protocol = "TLS"
target_group_index = 0
certificate_arn = module.acm.arn
},
{
port = 84
protocol = "TLS"
target_group_index = 0
certificate_arn = module.acm.arn
},
]
}
module "clb" {
source = "clouddrove/alb/aws"
version = "1.4.0"
name = local.name
load_balancer_type = "classic"
clb_enable = true
internal = true
vpc_id = module.vpc.vpc_id
target_id = module.ec2.instance_id
subnets = module.public_subnets.public_subnet_id
with_target_group = true
listeners = [
{
lb_port = 22000
lb_protocol = "TCP"
instance_port = 22000
instance_protocol = "TCP"
ssl_certificate_id = null
},
{
lb_port = 4444
lb_protocol = "TCP"
instance_port = 4444
instance_protocol = "TCP"
ssl_certificate_id = null
}
]
health_check_target = "TCP:4444"
health_check_timeout = 10
health_check_interval = 30
health_check_unhealthy_threshold = 5
health_check_healthy_threshold = 5
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_logs | Map containing access logging configuration for load balancer. | map(string) |
{} |
no |
allowed_ip | List of allowed ip. | list(any) |
[] |
no |
allowed_ports | List of allowed ingress ports | list(any) |
[] |
no |
cidr_blocks | equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference | list(string) |
[ |
no |
clb_enable | If true, create clb. | bool |
false |
no |
connection_draining | TBoolean to enable connection draining. Default: false. | bool |
false |
no |
connection_draining_timeout | The time after which connection draining is aborted in seconds. | number |
300 |
no |
desync_mitigation_mode | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | string |
"defensive" |
no |
egress_protocol | equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference | number |
-1 |
no |
egress_rule | Enable to create egress rule | bool |
true |
no |
enable | If true, create alb. | bool |
false |
no |
enable_cross_zone_load_balancing | Indicates whether cross zone load balancing should be enabled in application load balancers. | bool |
true |
no |
enable_deletion_protection | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | bool |
false |
no |
enable_http2 | Indicates whether HTTP/2 is enabled in application load balancers. | bool |
true |
no |
enable_security_group | Enable default Security Group with only Egress traffic allowed. | bool |
true |
no |
enable_tls_version_and_cipher_suite_headers | Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. | bool |
false |
no |
enable_waf_fail_open | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | bool |
false |
no |
enable_xff_client_port | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in application load balancers. | bool |
true |
no |
environment | Environment (e.g. prod , dev , staging ). |
string |
"test" |
no |
extra_ssl_certs | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate_arn, https_listener_index (the index of the listener within https_listeners which the cert applies toward). | list(map(string)) |
[] |
no |
from_port | (Required) Start port (or ICMP type number if protocol is icmp or icmpv6). | number |
0 |
no |
health_check_healthy_threshold | The number of successful health checks before an instance is put into service. | number |
10 |
no |
health_check_interval | The time between health check attempts in seconds. | number |
30 |
no |
health_check_target | The target to use for health checks. | string |
"TCP:80" |
no |
health_check_timeout | The time after which a health check is considered failed in seconds. | number |
5 |
no |
health_check_unhealthy_threshold | The number of failed health checks before an instance is taken out of service. | number |
2 |
no |
http_enabled | A boolean flag to enable/disable HTTP listener. | bool |
true |
no |
http_listener_type | The type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc. | string |
"redirect" |
no |
http_port | The port on which the load balancer is listening. like 80 or 443. | number |
80 |
no |
http_tcp_listener_rules | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, http_tcp_listener_index (default to http_tcp_listeners[count.index]) | any |
[] |
no |
http_tcp_listeners | A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target_group_index (defaults to http_tcp_listeners[count.index]) | any |
[] |
no |
https_enabled | A boolean flag to enable/disable HTTPS listener. | bool |
true |
no |
https_listener_rules | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https_listener_index (default to https_listeners[count.index]) | any |
[] |
no |
https_listeners | A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate_arn. Optional key/values: ssl_policy (defaults to ELBSecurityPolicy-2016-08), target_group_index (defaults to 0) | list(map(string)) |
[] |
no |
https_port | The port on which the load balancer is listening. like 80 or 443. | number |
443 |
no |
idle_timeout | The time in seconds that the connection is allowed to be idle. | number |
60 |
no |
instance_count | The count of instances. | number |
0 |
no |
internal | If true, the LB will be internal. | string |
"" |
no |
ip_address_type | The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. | string |
"ipv4" |
no |
ipv6_cidr_blocks | Enable to create egress rule | list(string) |
[ |
no |
is_external | enable to udated existing security Group | bool |
false |
no |
label_order | Label order, e.g. name ,application . |
list(any) |
[ |
no |
listener_certificate_arn | The ARN of the SSL server certificate. Exactly one certificate is required if the protocol is HTTPS. | string |
"" |
no |
listener_https_fixed_response | Have the HTTPS listener return a fixed response for the default action. | object({ |
null |
no |
listener_protocol | The protocol for connections from clients to the load balancer. Valid values are TCP, HTTP and HTTPS. Defaults to HTTP. | string |
"HTTPS" |
no |
listener_type | The type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc. | string |
"forward" |
no |
listeners | A list of listener configurations for the ELB. | list(object({ |
[] |
no |
load_balancer_create_timeout | Timeout value when creating the ALB. | string |
"10m" |
no |
load_balancer_delete_timeout | Timeout value when deleting the ALB. | string |
"10m" |
no |
load_balancer_type | The type of load balancer to create. Possible values are application or network. The default value is application. | string |
"" |
no |
load_balancer_update_timeout | Timeout value when updating the ALB. | string |
"10m" |
no |
managedby | ManagedBy, eg 'CloudDrove'. | string |
"[email protected]" |
no |
name | Name (e.g. app or cluster ). |
string |
"" |
no |
preserve_host_header | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | bool |
false |
no |
protocol | The protocol. If not icmp, tcp, udp, or all use the. | string |
"tcp" |
no |
repository | Terraform current module repo | string |
"https://github.com/clouddrove/terraform-aws-alb" |
no |
sg_description | The security group description. | string |
"Instance default security group (only egress access is allowed)." |
no |
sg_egress_description | Description of the egress and ingress rule | string |
"Description of the rule." |
no |
sg_egress_ipv6_description | Description of the egress_ipv6 rule | string |
"Description of the rule." |
no |
sg_ids | of the security group id. | list(any) |
[] |
no |
sg_ingress_description | Description of the ingress rule | string |
"Description of the ingress rule use elasticache." |
no |
ssl_policy | Name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS. | string |
"ELBSecurityPolicy-TLS-1-2-2017-01" |
no |
status_code | The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302). | string |
"HTTP_301" |
no |
subnet_mapping | A list of subnet mapping blocks describing subnets to attach to network load balancer | list(map(string)) |
[] |
no |
subnets | A list of subnet IDs to attach to the LB. Subnets cannot be updated for Load Balancers of type network. Changing this value will for load balancers of type network will force a recreation of the resource. | list(any) |
[] |
no |
target_group_port | The port on which targets receive traffic, unless overridden when registering a specific target. | string |
80 |
no |
target_groups | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend_protocol, backend_port. Optional key/values are in the target_groups_defaults variable. | any |
[] |
no |
target_id | The ID of the target. This is the Instance ID for an instance, or the container ID for an ECS container. If the target type is ip, specify an IP address. | list(any) |
n/a | yes |
to_port | equal to 0. The supported values are defined in the IpProtocol argument on the IpPermission API reference | number |
65535 |
no |
vpc_id | The identifier of the VPC in which to create the target group. | string |
"" |
no |
with_target_group | Create LoadBlancer without target group | bool |
true |
no |
xff_header_processing_mode | Determines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target. | string |
"append" |
no |
Name | Description |
---|---|
arn | The ARN of the ALB. |
arn_suffix | The ARN suffix of the ALB. |
clb_arn | The ARN of the CLB. |
clb_name | DNS name of CLB. |
clb_zone_id | The ID of the zone which ALB is provisioned. |
dns_name | DNS name of ALB. |
http_listener_arn | The ARN of the HTTP listener. |
https_listener_arn | The ARN of the HTTPS listener. |
listener_arns | A list of all the listener ARNs. |
main_target_group_arn | The main target group ARN. |
name | The ARN suffix of the ALB. |
security_group_arn | Amazon Resource Name (ARN) of the security group |
security_group_id | ID of the security group |
tags | A mapping of tags to assign to the resource. |
zone_id | The ID of the zone which ALB is provisioned. |
In this module testing is performed with terratest and it creates a small piece of infrastructure, matches the output like ARN, ID and Tags name etc and destroy infrastructure in your AWS account. This testing is written in GO, so you need a GO environment in your system.
You need to run the following command in the testing folder:
go test -run Test
If you come accross a bug or have any feedback, please log it in our issue tracker, or feel free to drop us an email at [email protected].
If you have found it worth your time, go ahead and give us a ★ on our GitHub!
At CloudDrove, we offer expert guidance, implementation support and services to help organisations accelerate their journey to the cloud. Our services include docker and container orchestration, cloud migration and adoption, infrastructure automation, application modernisation and remediation, and performance engineering.
We are The Cloud Experts!
We ❤️ Open Source and you can check out our other modules to get help with your new Cloud ideas.