nlb

This module creates the following resources.

  • aws_lb
  • aws_lb_listener (optional, created through the nlb-listener submodule)
  • aws_lb_listener_certificate (optional, created through the nlb-listener submodule)

Requirements

Name Version
terraform >= 1.6
aws >= 5.30

Providers

Name Version
aws 5.30.0
terraform n/a

Modules

Name Source Version
listener ../nlb-listener n/a
resource_group tedilabs/misc/aws//modules/resource-group ~> 0.10.0
security_group tedilabs/network/aws//modules/security-group ~> 0.31.0

Resources

Name Type
aws_lb.this resource
terraform_data.replace_trigger resource
aws_availability_zones.available data source
aws_subnet.this data source

Inputs

Name Description Type Default Required
name (Required) The name of the load balancer. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. string n/a yes
access_log (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. access_log as defined below.
(Optional) enabled - Indicates whether to enable access logs. Defaults to false.
(Optional) s3_bucket - A configuration of the S3 Bucket for access logs. s3_bucket as defined below.
(Required) name - The name of the S3 bucket used to store the access logs.
(Optional) key_prefix - The key prefix for the specified S3 bucket.
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string)
key_prefix = optional(string, "")
}), {})
})
{} no
cross_zone_load_balancing_enabled (Optional) Cross-zone load balancing distributes traffic evenly across all targets in the Availability Zones enabled for the load balancer. Indicates whether to enable cross-zone load balancing. Defaults to false. Regional data transfer charges may apply when cross-zone load balancing is enabled. bool false no
default_security_group (Optional) The configuration of the default security group for the load balancer. default_security_group block as defined below.
(Optional) enabled - Whether to use the default security group. Defaults to true.
(Optional) name - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) description - The description of the default security group.
(Optional) ingress_rules - A list of ingress rules in a security group. Defaults to []. Each block of ingress_rules as defined below.
(Required) id - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) description - The description of the rule.
(Required) protocol - The protocol to match. Note that if protocol is set to -1, it translates to all protocols, all port ranges, and from_port and to_port values should not be defined.
(Required) from_port - The start of port range for the protocols.
(Required) to_port - The end of port range for the protocols.
(Optional) ipv4_cidrs - The IPv4 network ranges to allow, in CIDR notation.
(Optional) ipv6_cidrs - The IPv6 network ranges to allow, in CIDR notation.
(Optional) prefix_lists - The prefix list IDs to allow.
(Optional) security_groups - The source security group IDs to allow.
(Optional) self - Whether the security group itself will be added as a source to this ingress rule.
(Optional) egress_rules - A list of egress rules in a security group. Defaults to [{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]. Each block of egress_rules as defined below.
(Required) id - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) description - The description of the rule.
(Required) protocol - The protocol to match. Note that if protocol is set to -1, it translates to all protocols, all port ranges, and from_port and to_port values should not be defined.
(Required) from_port - The start of port range for the protocols.
(Required) to_port - The end of port range for the protocols.
(Optional) ipv4_cidrs - The IPv4 network ranges to allow, in CIDR notation.
(Optional) ipv6_cidrs - The IPv6 network ranges to allow, in CIDR notation.
(Optional) prefix_lists - The prefix list IDs to allow.
(Optional) security_groups - The destination security group IDs to allow.
(Optional) self - Whether the security group itself will be added as a destination to this egress rule.
(Optional) listener_ingress_ipv4_cidrs - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to [].
(Optional) listener_ingress_ipv6_cidrs - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to [].
(Optional) listener_ingress_prefix_lists - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to [].
(Optional) listener_ingress_security_groups - A list of security group IDs to allow on the listener port. Defaults to [].
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
listener_ingress_ipv4_cidrs = optional(list(string), [])
listener_ingress_ipv6_cidrs = optional(list(string), [])
listener_ingress_prefix_lists = optional(list(string), [])
listener_ingress_security_groups = optional(list(string), [])
})
{} no
deletion_protection_enabled (Optional) Indicates whether deletion of the load balancer via the AWS API will be protected. Defaults to false. bool false no
ip_address_type (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are IPV4 and DUALSTACK. string "IPV4" no
is_public (Optional) Indicates whether the load balancer will be public. Defaults to false. bool false no
listeners (Optional) A list of listener configurations of the network load balancer. Listeners listen for connection requests using their protocol and port. Each value of listener block as defined below.
(Required) port - The number of port on which the listener of load balancer is listening.
(Required) protocol - The protocol for connections from clients to the load balancer. Valid values are TCP, TLS, UDP and TCP_UDP. Not valid to use UDP or TCP_UDP if dual-stack mode is enabled on the load balancer.
(Required) target_group - The ARN of the target group to which to route traffic.
(Optional) tls - The configuration for TLS listener of the load balancer. Required if protocol is TLS. tls block as defined below.
(Optional) certificate - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the additional_certificates variable.
(Optional) additional_certificates - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) security_policy - The name of the security policy for the Secure Sockets Layer (SSL)/TLS negotiation configuration. This is used to negotiate TLS connections with clients. Required if protocol is TLS. Recommend using the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy (the module default). This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.
(Optional) alpn_policy - The policy of the Application-Layer Protocol Negotiation (ALPN) to select. ALPN is a TLS extension that includes the protocol negotiation within the exchange of hello messages. Can be set if protocol is TLS. Valid values are HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None. Defaults to None.
list(object({
port = number
protocol = string
target_group = string
tls = optional(object({
certificate = optional(string)
additional_certificates = optional(set(string), [])
security_policy = optional(string, "ELBSecurityPolicy-TLS13-1-2-2021-06")
alpn_policy = optional(string, "None")
}), {})
}))
[] no
module_tags_enabled (Optional) Whether to create AWS Resource Tags for the module information. bool true no
network_mapping (Optional) The configuration for how the load balancer routes traffic to targets: which subnet it attaches to in each Availability Zone, and the IP address settings for that subnet. Select at least one Availability Zone and one subnet for each zone. We recommend selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of network_mapping is the availability zone id like apne2-az1, use1-az1. Each value of network_mapping block as defined below.
(Required) subnet - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.
(Optional) private_ipv4_address - A private ipv4 address within the subnet to assign to the internal load balancer.
(Optional) ipv6_address - An ipv6 address within the subnet to assign to the internet-facing load balancer.
(Optional) elastic_ip - The allocation ID of the Elastic IP address.
map(object({
subnet = string
private_ipv4_address = optional(string)
ipv6_address = optional(string)
elastic_ip = optional(string)
}))
{} no
resource_group_description (Optional) The description of Resource Group. string "Managed by Terraform." no
resource_group_enabled (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. bool true no
resource_group_name (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws. string "" no
route53_resolver_availability_zone_affinity (Optional) A configuration to determine how traffic is distributed among the load balancer Availability Zones. Only applied to internal requests for clients resolving the load balancer DNS name using Route 53 Resolver. Valid values are ANY, PARTIAL, ALL. Defaults to ANY.
ANY - Client DNS queries will resolve to healthy load balancer IP addresses across all load balancer Availability Zones.
PARTIAL - 85% of client DNS queries will favor load balancer IP addresses in their own Availability Zone. The remaining queries will resolve to any zone. Resolving to any zone may also occur if there are no healthy load balancer IP addresses in the client's zone.
ALL - Client DNS queries will favor load balancer IP addresses in their own Availability Zone. Queries may resolve to other zones if there are no healthy load balancer IP addresses in their own zone.
string "ANY" no
security_group_evaluation_on_privatelink_enabled (Optional) Whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Defaults to false, which means traffic arriving through PrivateLink bypasses the load balancer's inbound security group rules. bool false no
security_groups (Optional) A list of security group IDs to assign to the Load Balancer. Security groups for Network Load Balancer cannot be added if none are currently present, and cannot all be removed once added. If either of these conditions are met, this will force a recreation of the resource. list(string) [] no
tags (Optional) A map of tags to add to all resources. map(string) {} no
timeouts (Optional) How long to wait for the load balancer to be created/updated/deleted.
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
{} no
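
As an added usage example (not part of the module's documentation or the project's own code), the following module call wires the inputs above into a deliberately restrictive public NLB: a TLS-only listener on the module's default TLS 1.2/1.3 policy, a managed security group that opens the listener port only to an allow-listed client range, security group evaluation for PrivateLink traffic, access logging and deletion protection. The module source and version, the AZ IDs, subnet IDs, VPC ID, ACM certificate ARN, S3 bucket name and target group are all placeholder assumptions; replace them with your own values.

```hcl
# Added example, not the module's own code. Every identifier below
# (module version, AZ IDs, subnet IDs, VPC ID, certificate ARN, bucket
# name) is a placeholder assumption.

locals {
  # Client networks allowed to reach the TLS listener. Keep this narrow:
  # an NLB created without a security group accepts traffic from anywhere,
  # and security groups cannot be added to an NLB after creation.
  allowed_client_cidrs = ["203.0.113.0/24"] # placeholder (TEST-NET-3)
}

# Target group the listener forwards to (placeholder VPC ID).
resource "aws_lb_target_group" "api" {
  name        = "api-tls"
  port        = 8443
  protocol    = "TLS"
  target_type = "ip"
  vpc_id      = "vpc-0123456789abcdef0" # placeholder

  health_check {
    protocol = "TCP"
  }
}

module "nlb" {
  source  = "tedilabs/network/aws//modules/nlb"
  version = "~> 0.31.0" # assumption; pin to the version you reviewed

  name      = "api-public"
  is_public = true

  # One subnet per Availability Zone, keyed by AZ ID (not AZ name).
  network_mapping = {
    "use1-az1" = { subnet = "subnet-0123456789abcdef0" } # placeholder
    "use1-az2" = { subnet = "subnet-0123456789abcdef1" } # placeholder
  }

  # Managed security group: only the listener port (443 below) is opened,
  # and only to the allow-listed ranges. The default egress rule still
  # allows all outbound traffic; override egress_rules to restrict it to
  # the target port if your targets sit on a known port.
  default_security_group = {
    enabled                     = true
    listener_ingress_ipv4_cidrs = local.allowed_client_cidrs
  }

  # Module default is false, in which case PrivateLink traffic skips the
  # security group rules entirely.
  security_group_evaluation_on_privatelink_enabled = true

  listeners = [
    {
      port         = 443
      protocol     = "TLS"
      target_group = aws_lb_target_group.api.arn
      tls = {
        # Placeholder ACM certificate ARN.
        certificate = "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
        # Module default: TLS 1.2 and 1.3 only.
        security_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"
        alpn_policy     = "HTTP2Preferred"
      }
    },
  ]

  access_log = {
    enabled = true
    s3_bucket = {
      name       = "example-elb-access-logs" # placeholder
      key_prefix = "nlb/api-public"
    }
  }

  # Blocks DeleteLoadBalancer API calls until the flag is cleared.
  deletion_protection_enabled = true
}
```

Two caveats worth checking before applying this. First, per the security_groups input above, a Network Load Balancer created without security groups cannot have them added later without recreating the load balancer, so decide on default_security_group.enabled at creation time. Second, NLB access logs are only produced for TLS listeners, and the S3 bucket must carry a bucket policy that permits the ELB log delivery service to write to the given prefix; the module configures the load balancer side only.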

Outputs

Name Description
access_log The configuration for access logs of the load balancer.
arn The Amazon Resource Name (ARN) of the load balancer.
arn_suffix The ARN suffix for use with CloudWatch Metrics.
attributes Load Balancer Attributes that applied to the network load balancer.
availability_zone_ids A list of the Availability Zone IDs which are used by the load balancer.
default_security_group The default security group ID of the load balancer.
domain The DNS name of the load balancer.
id The ID of the load balancer.
ip_address_type The type of IP addresses used by the subnets for your load balancer.
is_public Indicates whether the load balancer is public.
listeners The listeners of the network load balancer.
name The name of the load balancer.
network_mapping The configuration for how the load balancer routes traffic to targets: the attached subnets and their IP address settings.
security_group_evaluation_on_privatelink_enabled Whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink.
security_groups A set of security group IDs which is assigned to the load balancer.
subnets A list of subnet IDs attached to the load balancer.
type The type of the load balancer. Always returns NETWORK.
vpc_id The VPC ID of the load balancer.
zone_id The canonical hosted zone ID of the load balancer to be used in a Route 53 Alias record.