Skip to content

Latest commit

 

History

History

alb

README.md

alb

This module creates following resources.

  • aws_lb
  • aws_lb_listener (optional)
  • aws_lb_listener_certificate (optional)
  • aws_lb_listener_rule (optional)

Requirements

Name Version
terraform >= 1.6
aws >= 5.30

Providers

Name Version
aws 5.30.0

Modules

Name Source Version
listener ../alb-listener n/a
resource_group tedilabs/misc/aws//modules/resource-group ~> 0.10.0
security_group tedilabs/network/aws//modules/security-group ~> 0.31.0

Resources

Name Type
aws_lb.this resource
aws_availability_zones.available data source
aws_subnet.this data source

Inputs

Name Description Type Default Required
name (Required) The name of the load balancer. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. string n/a yes
vpc_id (Required) The ID of the VPC which the load balancer belongs to. string n/a yes
access_log (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. access_log as defined below.
(Optional) enabled - Indicates whether to enable access logs. Defaults to false.
(Optional) s3_bucket - A configuration of the S3 Bucket for access logs. s3_bucket as defined below.
(Required) name - The name of the S3 bucket used to store the access logs.
(Optional) key_prefix - The key prefix for the specified S3 bucket.		 
object({
    enabled = optional(bool, false)
    s3_bucket = optional(object({
      name       = optional(string)
      key_prefix = optional(string, "")
    }), {})
  })
 {} no
cross_zone_load_balancing_enabled (Optional) Cross-zone load balancing distributes traffic evenly across all targets in the Availability Zones enabled for the load balancer. Cross-zone load balancing is always on for Application Load Balancers. However, you can turn it off for a specific target group using target group attributes. Defaults to true. bool true no
default_security_group (Optional) The configuration of the default security group for the load balancer. default_security_group block as defined below.
(Optional) enabled - Whether to use the default security group. Defaults to true.
(Optional) name - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) description - The description of the default security group.
(Optional) ingress_rules - A list of ingress rules in a security group. Defaults to []. Each block of ingress_rules as defined below.
(Required) id - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) description - The description of the rule.
(Required) protocol - The protocol to match. Note that if protocol is set to -1, it translates to all protocols, all port ranges, and from_port and to_port values should not be defined.
(Required) from_port - The start of port range for the protocols.
(Required) to_port - The end of port range for the protocols.
(Optional) ipv4_cidrs - The IPv4 network ranges to allow, in CIDR notation.
(Optional) ipv6_cidrs - The IPv6 network ranges to allow, in CIDR notation.
(Optional) prefix_lists - The prefix list IDs to allow.
(Optional) security_groups - The source security group IDs to allow.
(Optional) self - Whether the security group itself will be added as a source to this ingress rule.
(Optional) egress_rules - A list of egress rules in a security group. Defaults to [{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]. Each block of egress_rules as defined below.
(Required) id - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) description - The description of the rule.
(Required) protocol - The protocol to match. Note that if protocol is set to -1, it translates to all protocols, all port ranges, and from_port and to_port values should not be defined.
(Required) from_port - The start of port range for the protocols.
(Required) to_port - The end of port range for the protocols.
(Optional) ipv4_cidrs - The IPv4 network ranges to allow, in CIDR notation.
(Optional) ipv6_cidrs - The IPv6 network ranges to allow, in CIDR notation.
(Optional) prefix_lists - The prefix list IDs to allow.
(Optional) security_groups - The source security group IDs to allow.
(Optional) self - Whether the security group itself will be added as a source to this ingress rule.
(Optional) listener_ingress_ipv4_cidrs - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to []."
(Optional) listener_ingress_ipv6_cidrs - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to []."
(Optional) listener_ingress_prefix_lists - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to []."
(Optional) listener_ingress_security_groups - A list of security group IDs to allow on the listener port. Defaults to []."		 
object({
    enabled     = optional(bool, true)
    name        = optional(string)
    description = optional(string, "Managed by Terraform.")
    ingress_rules = optional(
      list(object({
        id              = string
        description     = optional(string, "Managed by Terraform.")
        protocol        = string
        from_port       = number
        to_port         = number
        ipv4_cidrs      = optional(list(string), [])
        ipv6_cidrs      = optional(list(string), [])
        prefix_lists    = optional(list(string), [])
        security_groups = optional(list(string), [])
        self            = optional(bool, false)
      })),
      []
    )
    egress_rules = optional(
      list(object({
        id              = string
        description     = optional(string, "Managed by Terraform.")
        protocol        = string
        from_port       = number
        to_port         = number
        ipv4_cidrs      = optional(list(string), [])
        ipv6_cidrs      = optional(list(string), [])
        prefix_lists    = optional(list(string), [])
        security_groups = optional(list(string), [])
        self            = optional(bool, false)
      })),
      [{
        id          = "default"
        description = "Allow all outbound traffic."
        protocol    = "-1"
        from_port   = 1
        to_port     = 65535
        ipv4_cidrs  = ["0.0.0.0/0"]
      }]
    )
    listener_ingress_ipv4_cidrs      = optional(list(string), [])
    listener_ingress_ipv6_cidrs      = optional(list(string), [])
    listener_ingress_prefix_lists    = optional(list(string), [])
    listener_ingress_security_groups = optional(list(string), [])
  })
 {} no
deletion_protection_enabled (Optional) Indicates whether deletion of the load balancer via the AWS API will be protected. Defaults to false. bool false no
desync_mitigation_mode (Optional) Determines how the load balancer handles requests that might pose a security risk to your application. Valid values are DEFENSIVE, STRICTEST and MONITOR. Defaults to DEFENSIVE. string "DEFENSIVE" no
drop_invalid_header_fields (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Defaults to false. bool false no
http2_enabled (Optional) Indicates whether HTTP/2 is enabled. Defaults to true. bool true no
idle_timeout (Optional) The number of seconds before the load balancer determines the connection is idle and closes it. Defaults to 60 number 60 no
ip_address_type (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are IPV4 and DUALSTACK. string "IPV4" no
is_public (Optional) Indicates whether the load balancer will be public. Defaults to false. bool false no
listeners (Optional) A list of listener configurations of the application load balancer. Listeners listen for connection requests using their protocol and port. Each value of listener block as defined below.
(Required) port - The number of port on which the listener of load balancer is listening.
(Required) protocol - The protocol for connections from clients to the load balancer. Valid values are HTTP and HTTPS.
(Required) default_action_type - The type of default routing action. Valid values are FORWARD, FIXED_RESPONSE, REDIRECT_301 and REDIRECT_302.
(Optional) default_action_parameters - Configuration block for the parameters of the default routing action.
(Optional) rules - The rules that you define for the listener determine how the load balancer routes requests to the targets in one or more target groups.
(Optional) The configuration for TLS listener of the load balancer. Required if protocol is HTTPS. tls block as defined below.
(Optional) certificate - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the additional_certificates variable.
(Optional) additional_certificates - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) security_policy - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is HTTPS. Defaults to ELBSecurityPolicy-2016-08 security policy. The ELBSecurityPolicy-2016-08 security policy is always used for backend connections. Application Load Balancers do not support custom security policies.		 any [] no
module_tags_enabled (Optional) Whether to create AWS Resource Tags for the module informations. bool true no
network_mapping (Optional) The configuration for the load balancer how routes traffic to targets in which subnets, and in accordance with IP address settings. Select at least two Availability Zone and one subnet for each zone. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of network_mapping is the availability zone id like apne2-az1, use1-az1. Each value of network_mapping block as defined below.
(Required) subnet - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.		 
map(object({
    subnet = string
  }))
 {} no
preserve_host_header (Optional) Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. Defaults to false. bool false no
resource_group_description (Optional) The description of Resource Group. string "Managed by Terraform." no
resource_group_enabled (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. bool true no
resource_group_name (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws. string "" no
security_groups (Optional) A list of security group IDs to assign to the Load Balancer. list(string) [] no
tags (Optional) A map of tags to add to all resources. map(string) {} no
timeouts (Optional) How long to wait for the load balancer to be created/updated/deleted. 
object({
    create = optional(string, "10m")
    update = optional(string, "10m")
    delete = optional(string, "10m")
  })
 {} no
tls_negotiation_headers_enabled (Optional) Whether the two TLS negotiation headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Defaults to false. bool false no
waf_fail_open_enabled (Optional) Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to false. bool false no
xff_header (Optional) The configuration for . xff_header block as defined below.
(Optional) mode - How the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target. Valid values are APPEND, PRESERVE, REMOVE. Defaults to APPEND.
APPEND - The load balancer appends the IP address of the client to the X-Forwarded-For header.
PRESERVE - The load balancer preserves the original IP address of the client.
REMOVE - The load balancer removes the X-Forwarded-For header from the request.
(Optional) client_port_preservation_enabled - Whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. Defaults to false.		 
object({
    mode                             = optional(string, "APPEND")
    client_port_preservation_enabled = optional(bool, false)
  })
 {} no

Outputs

Name Description
access_log The configuration for access logs of the load balancer.
arn The Amazon Resource Name (ARN) of the load balancer.
arn_suffix The ARN suffix for use with CloudWatch Metrics.
attributes Load Balancer Attributes that applied to the application load balancer.
availability_zone_ids A list of the Availability Zone IDs which are used by the load balancer.
default_security_group The default security group ID of the load balancer.
domain The DNS name of the load balancer.
id The ID of the load balancer.
ip_address_type The type of IP addresses used by the subnets for your load balancer.
is_public Indicates whether the load balancer is public.
listeners The listeners of the application load balancer.
name The name of the load balancer.
network_mapping The configuration for the load balancer how routes traffic to targets in which subnets and IP address settings.
security_groups A set of security group IDs which is assigned to the load balancer.
subnets A list of subnet IDs attached to the load balancer.
type The type of the load balancer. Always return APPLICATION.
vpc_id The VPC ID of the load balancer.
zone_id The canonical hosted zone ID of the load balancer to be used in a Route 53 Alias record.