HTTP and HTTPS listeners with default actions:
module "alb" {
source = "./"
name = "my-alb"
load_balancer_type = "application"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name = "pref-"
backend_protocol = "HTTP"
backend_port = 80
target_type = "instance"
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}HTTP to HTTPS redirect and HTTPS cognito authentication:
module "alb" {
source = "./"
name = "my-alb"
load_balancer_type = "application"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name = "pref-"
backend_protocol = "HTTPS"
backend_port = 443
target_type = "instance"
}
]
https_listeners = [
{
port = 443
protocol = "HTTPS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
action_type = "authenticate-cognito"
target_group_index = 0
authenticate_cognito = {
user_pool_arn = "arn:aws:cognito-idp::123456789012:userpool/test-pool"
user_pool_client_id = "6oRmFiS0JHk="
user_pool_domain = "test-domain-com"
}
}
]
http_tcp_listeners = [
{
port = 80
protocol = "HTTP"
action_type = "redirect"
redirect = {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
]
tags = {
Environment = "Test"
}
}Cognito Authentication only on certain routes, with redirects for other routes:
module "alb" {
source = "./"
name = "my-alb"
load_balancer_type = "application"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
security_groups = ["sg-edcd9784", "sg-edcd9785"]
access_logs = {
bucket = "my-alb-logs"
}
target_groups = [
{
name = "default-"
backend_protocol = "HTTPS"
backend_port = 443
target_type = "instance"
}
]
https_listeners = [
{
port = 443
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
}
]
https_listener_rules = [
{
https_listener_index = 0
priority = 5000
actions = [{
type = "redirect"
status_code = "HTTP_302"
host = "www.youtube.com"
path = "/watch"
query = "v=dQw4w9WgXcQ"
protocol = "HTTPS"
}]
conditions = [{
path_patterns = ["/onboarding", "/docs"]
}]
},
{
https_listener_index = 0
priority = 2
actions = [
{
type = "authenticate-cognito"
user_pool_arn = "arn:aws:cognito-idp::123456789012:userpool/test-pool"
user_pool_client_id = "6oRmFiS0JHk="
user_pool_domain = "test-domain-com"
},
{
type = "forward"
target_group_index = 0
}
]
conditions = [{
path_patterns = ["/protected-route", "private/*"]
}]
}
]
}When you're using ALB Listener rules, make sure that every rule's actions block ends in a forward, redirect, or fixed-response action so that every rule will resolve to some sort of an HTTP response. Checkout the AWS documentation for more information.
module "nlb" {
source = "./"
name = "my-nlb"
load_balancer_type = "network"
vpc_id = "vpc-abcde012"
subnets = ["subnet-abcde012", "subnet-bcde012a"]
access_logs = {
bucket = "my-nlb-logs"
}
target_groups = [
{
name = "pref-"
backend_protocol = "TCP"
backend_port = 80
target_type = "ip"
}
]
https_listeners = [
{
port = 443
protocol = "TLS"
certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
target_group_index = 0
}
]
http_tcp_listeners = [
{
port = 80
protocol = "TCP"
target_group_index = 0
}
]
tags = {
Environment = "Test"
}
}| Name | Version |
|---|---|
| terraform | >= 0.12.6, < 0.14 |
| aws | >= 2.54, < 4.0 |
| Name | Version |
|---|---|
| aws | >= 2.54, < 4.0 |
No Modules.
| Name |
|---|
| aws_lb |
| aws_lb_listener |
| aws_lb_listener_certificate |
| aws_lb_listener_rule |
| aws_lb_target_group |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_logs | (Optional) An Access Logs block. Access Logs documented below. | map(string) |
{} |
no |
| drop_invalid_header_fields | (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type application. | bool |
false |
no |
| enable | Controls if the Load Balancer should be created | bool |
true |
no |
| enable_cross_zone_load_balancing | (Optional) If true, cross-zone load balancing of the load balancer will be enabled. This is a network load balancer feature. Defaults to false. | bool |
false |
no |
| enable_deletion_protection | (Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | bool |
false |
no |
| enable_http2 | (Optional) Indicates whether HTTP/2 is enabled in application load balancers. Defaults to true. | bool |
true |
no |
| extra_ssl_certs | (Optional) A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate_arn, https_listener_index (the index of the listener within https_listeners which the cert applies toward). | list(map(string)) |
[] |
no |
| http_tcp_listeners | (Optional) A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target_group_index (defaults to http_tcp_listeners[count.index]) | any |
[] |
no |
| https_listener_rules | (Optional) A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https_listener_index (default to https_listeners[count.index]) | any |
[] |
no |
| https_listeners | (Optional) A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate_arn. Optional key/values: ssl_policy (defaults to ELBSecurityPolicy-2016-08), target_group_index (defaults to https_listeners[count.index]) | any |
[] |
no |
| idle_timeout | (Optional) The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type application. Default: 60. | number |
60 |
no |
| internal | (Optional) If true, the LB will be internal. | bool |
true |
no |
| ip_address_type | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack | string |
"ipv4" |
no |
| listener_ssl_policy_default | (Optional) The security policy if using HTTPS externally on the load balancer. See. | string |
"ELBSecurityPolicy-2016-08" |
no |
| load_balancer_create_timeout | (Optional) Timeout value when creating the ALB. | string |
"10m" |
no |
| load_balancer_delete_timeout | (Optional) Timeout value when deleting the ALB. | string |
"10m" |
no |
| load_balancer_type | (Optional)The type of load balancer to create. Possible values are application or network. | string |
"application" |
no |
| load_balancer_update_timeout | (Optional) Timeout value when updating the ALB. | string |
"10m" |
no |
| name | (Required) The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. If not specified, Terraform will autogenerate a name beginning with tf-lb | string |
n/a | yes |
| security_groups | (Optional) A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application. | list(string) |
[] |
no |
| subnet_mapping | (Optional) A subnet mapping block as documented below. | list(map(string)) |
[] |
no |
| subnets | (Optional) A list of subnet IDs to attach to the LB. Subnets cannot be updated for Load Balancers of type network. Changing this value for load balancers of type network will force a recreation of the resource. | list(string) |
null |
no |
| tags | (Optional) A map of tags to add to all resources | map(string) |
{} |
no |
| target_groups | (Optional) A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend_protocol, backend_port | any |
[] |
no |
| vpc_id | (Optional) VPC id where the load balancer and other resources will be deployed. | string |
null |
no |
| Name | Description |
|---|---|
| http_tcp_listener_arns | The ARN of the TCP and HTTP load balancer listeners created. |
| http_tcp_listener_ids | The IDs of the TCP and HTTP load balancer listeners created. |
| https_listener_arns | The ARNs of the HTTPS load balancer listeners created. |
| https_listener_ids | The IDs of the load balancer listeners created. |
| target_group_arn_suffixes | ARN suffixes of our target groups - can be used with CloudWatch. |
| target_group_arns | ARNs of the target groups. Useful for passing to your Auto Scaling group. |
| target_group_names | Name of the target group. Useful for passing to your CodeDeploy Deployment Group. |
| this_lb_arn | The ID and ARN of the load balancer we created. |
| this_lb_arn_suffix | ARN suffix of our load balancer - can be used with CloudWatch. |
| this_lb_dns_name | The DNS name of the load balancer. |
| this_lb_id | The ID and ARN of the load balancer we created. |
| this_lb_zone_id | The zone_id of the load balancer to assist with creating DNS records. |
- Support for LB traget group attachment