Skip to content

Latest commit

 

History

History
152 lines (129 loc) · 20.3 KB

README.md

File metadata and controls

152 lines (129 loc) · 20.3 KB

AWS ALB Terraform Module

Test Continuous Integration/Delivery environment on AWS ECS.

Use this code as a Terraform module

Check valid versions on:

This terraform module creates an Application Load Balancer and security group rules in order allow traffic to it.

Install pre commit hooks.

Please run this command right after cloning the repository.

    pre-commit install

For that you may need to install the following tools:

In order to run all checks at any point run the following command:

    pre-commit run --all-files

Requirements

Name Version
terraform >= 0.13
aws >= 4

Providers

Name Version
aws 4.48.0
random 3.4.3

Modules

Name Source Version
lb_logs_s3 cn-terraform/logs-s3-bucket/aws 1.0.5

Resources

Name Type
aws_lb.lb resource
aws_lb_listener.lb_http_listeners resource
aws_lb_listener.lb_https_listeners resource
aws_lb_listener_certificate.additional_certificates_for_https_listeners resource
aws_lb_target_group.lb_http_tgs resource
aws_lb_target_group.lb_https_tgs resource
aws_security_group.lb_access_sg resource
aws_security_group_rule.ingress_through_http resource
aws_security_group_rule.ingress_through_https resource
aws_wafv2_web_acl_association.waf_association resource
random_string.lb_name resource
aws_elb_service_account.default data source

Inputs

Name Description Type Default Required
access_logs_prefix (Optional) if access logging to an S3 bucket, this sets a prefix in the bucket beneath which this LB's logs will be organized. string null no
additional_certificates_arn_for_https_listeners (Optional) List of SSL server certificate ARNs for HTTPS listener. Use it if you need to set additional certificates besides default_certificate_arn list(any) [] no
block_s3_bucket_public_access (Optional) If true, public access to the S3 bucket will be blocked. Ignored if log_bucket_id is provided. bool true no
default_certificate_arn (Optional) The ARN of the default SSL server certificate. Required if var.https_ports is set. string null no
deregistration_delay (Optional) The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds. number 300 no
drop_invalid_header_fields (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. bool false no
enable_cross_zone_load_balancing (Optional) If true, cross-zone load balancing of the load balancer will be enabled. Defaults to false. bool false no
enable_deletion_protection (Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. bool false no
enable_http2 (Optional) Indicates whether HTTP/2 is enabled in the load balancer. Defaults to true. bool true no
enable_s3_bucket_server_side_encryption (Optional) If true, server side encryption will be applied. Ignored if log_bucket_id is provided. bool true no
enable_s3_logs (Optional) If true, all LoadBalancer logs will be sent to S3. If true, and log_bucket_id is not provided, this module will create the bucket with other provided s3 bucket configuration options bool true no
http_ingress_cidr_blocks List of CIDR blocks to allowed to access the Load Balancer through HTTP list(string)
[
"0.0.0.0/0"
]
no
http_ingress_prefix_list_ids List of prefix list IDs blocks to allowed to access the Load Balancer through HTTP list(string) [] no
http_ports Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code map(any)
{
"default_http": {
"listener_port": 80,
"target_group_port": 80,
"type": "forward"
}
}
no
https_ingress_cidr_blocks List of CIDR blocks to allowed to access the Load Balancer through HTTPS list(string)
[
"0.0.0.0/0"
]
no
https_ingress_prefix_list_ids List of prefix list IDs blocks to allowed to access the Load Balancer through HTTPS list(string) [] no
https_ports Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code map(any)
{
"default_http": {
"listener_port": 443,
"target_group_port": 443,
"type": "forward"
}
}
no
idle_timeout (Optional) The time in seconds that the connection is allowed to be idle. Default: 60. number 60 no
internal (Optional) If true, the LB will be internal. bool false no
ip_address_type (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4 string "ipv4" no
load_balancing_algorithm_type (Optional) Determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin. string "round_robin" no
log_bucket_id (Optional) if provided, the ID of a previously-defined S3 bucket to send LB logs to. string null no
name_prefix Name prefix for resources on AWS any n/a yes
private_subnets A list of private subnet IDs to attach to the LB if it is INTERNAL. list(string) n/a yes
public_subnets A list of public subnet IDs to attach to the LB if it is NOT internal. list(string) n/a yes
s3_bucket_server_side_encryption_key (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. Ignored if log_bucket_id is provided. string null no
s3_bucket_server_side_encryption_sse_algorithm (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. Ignored if log_bucket_id is provided. string "AES256" no
security_groups (Optional) A list of security group IDs to assign to the LB. list(string) [] no
slow_start (Optional) The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds. number 0 no
ssl_policy (Optional) The name of the SSL Policy for the listener. . Required if var.https_ports is set. string null no
stickiness (Optional) A Stickiness block. Provide three fields. type, the type of sticky sessions. The only current possible value is lb_cookie. cookie_duration, the time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). enabled, boolean to enable / disable stickiness. Default is true.
object({
type = string
cookie_duration = string
enabled = bool
})
{
"cookie_duration": 86400,
"enabled": true,
"type": "lb_cookie"
}
no
tags Resource tags map(string) {} no
target_group_health_check_enabled (Optional) Indicates whether health checks are enabled. Defaults to true. bool true no
target_group_health_check_healthy_threshold (Optional) The number of consecutive health checks successes required before considering an unhealthy target healthy. Defaults to 3. number 3 no
target_group_health_check_interval (Optional) The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. Default 30 seconds. number 30 no
target_group_health_check_matcher The HTTP codes to use when checking for a successful response from a target. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). Default is 200. string "200" no
target_group_health_check_path The destination for the health check request. string "/" no
target_group_health_check_timeout (Optional) The amount of time, in seconds, during which no response means a failed health check. The range is 2 to 120 seconds, and the default is 5 seconds. number 5 no
target_group_health_check_unhealthy_threshold (Optional) The number of consecutive health check failures required before considering the target unhealthy. Defaults to 3. number 3 no
use_random_name_for_lb If true the LB name will be a random string bool false no
vpc_id ID of the VPC any n/a yes
waf_web_acl_arn ARN of a WAFV2 to associate with the ALB string "" no

Outputs

Name Description
aws_lb_lb_arn The ARN of the load balancer (matches id).
aws_lb_lb_arn_suffix The ARN suffix for use with CloudWatch Metrics.
aws_lb_lb_dns_name The DNS name of the load balancer.
aws_lb_lb_id The ARN of the load balancer (matches arn).
aws_lb_lb_zone_id The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record).
aws_security_group_lb_access_sg_arn The ARN of the security group
aws_security_group_lb_access_sg_description The description of the security group
aws_security_group_lb_access_sg_egress The egress rules.
aws_security_group_lb_access_sg_id The ID of the security group
aws_security_group_lb_access_sg_ingress The ingress rules.
aws_security_group_lb_access_sg_name The name of the security group
aws_security_group_lb_access_sg_owner_id The owner ID.
aws_security_group_lb_access_sg_vpc_id The VPC ID.
lb_http_listeners_arns List of HTTP Listeners ARNs
lb_http_listeners_ids List of HTTP Listeners IDs
lb_http_tgs_arns List of HTTP Target Groups ARNs
lb_http_tgs_ids List of HTTP Target Groups IDs
lb_http_tgs_map_arn_port n/a
lb_http_tgs_names List of HTTP Target Groups Names
lb_http_tgs_ports List of HTTP Target Groups ports
lb_https_listeners_arns List of HTTPS Listeners ARNs
lb_https_listeners_ids List of HTTPS Listeners IDs
lb_https_tgs_arns List of HTTPS Target Groups ARNs
lb_https_tgs_ids List of HTTPS Target Groups IDs
lb_https_tgs_map_arn_port n/a
lb_https_tgs_names List of HTTPS Target Groups Names
lb_https_tgs_ports List of HTTPS Target Groups ports
lb_logs_s3_bucket_arn LB Logging S3 Bucket ARN
lb_logs_s3_bucket_id LB Logging S3 Bucket ID