├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── bug_report.yml │ ├── config.yml │ ├── feature_request.md │ ├── feature_request.yml │ └── question.md ├── PULL_REQUEST_TEMPLATE.md ├── banner.png ├── mergify.yml ├── renovate.json ├── settings.yml └── workflows │ ├── branch.yml │ ├── chatops.yml │ ├── release.yml │ └── scheduled.yml ├── .gitignore ├── LICENSE ├── README.md ├── README.yaml ├── atmos.yaml ├── context.tf ├── examples └── complete │ ├── context.tf │ ├── fixtures.us-east-2.tfvars │ ├── main.tf │ ├── outputs.tf │ ├── variables.tf │ └── versions.tf ├── main.tf ├── outputs.tf ├── test ├── .gitignore ├── Makefile ├── Makefile.alpine └── src │ ├── .gitignore │ ├── Makefile │ ├── examples_complete_test.go │ ├── go.mod │ └── go.sum ├── variables.tf └── versions.tf /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # Use this file to define individuals or teams that are responsible for code in a repository. 2 | # Read more: 3 | # 4 | # Order is important: the last matching pattern has the highest precedence 5 | 6 | # These owners will be the default owners for everything 7 | * @cloudposse/engineering @cloudposse/contributors 8 | 9 | # Cloud Posse must review any changes to Makefiles 10 | **/Makefile @cloudposse/engineering 11 | **/Makefile.* @cloudposse/engineering 12 | 13 | # Cloud Posse must review any changes to GitHub actions 14 | .github/* @cloudposse/engineering 15 | 16 | # Cloud Posse must review any changes to standard context definition, 17 | # but some changes can be rubber-stamped. 18 | **/*.tf @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 19 | README.yaml @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 20 | README.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 21 | docs/*.md @cloudposse/engineering @cloudposse/contributors @cloudposse/approvers 22 | 23 | # Cloud Posse Admins must review all changes to CODEOWNERS or the mergify configuration 24 | .github/mergify.yml @cloudposse/admins 25 | .github/CODEOWNERS @cloudposse/admins 26 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | about: Create a report to help us improve 4 | title: '' 5 | labels: 'bug' 6 | assignees: '' 7 | 8 | --- 9 | 10 | Found a bug? Maybe our [Slack Community](https://slack.cloudposse.com) can help. 11 | 12 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 13 | 14 | ## Describe the Bug 15 | A clear and concise description of what the bug is. 16 | 17 | ## Expected Behavior 18 | A clear and concise description of what you expected to happen. 19 | 20 | ## Steps to Reproduce 21 | Steps to reproduce the behavior: 22 | 1. Go to '...' 23 | 2. Run '....' 24 | 3. Enter '....' 25 | 4. See error 26 | 27 | ## Screenshots 28 | If applicable, add screenshots or logs to help explain your problem. 29 | 30 | ## Environment (please complete the following information): 31 | 32 | Anything that will help us triage the bug will help. Here are some ideas: 33 | - OS: [e.g. Linux, OSX, WSL, etc] 34 | - Version [e.g. 10.15] 35 | 36 | ## Additional Context 37 | Add any other context about the problem here. -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | description: Create a report to help us improve 4 | labels: ["bug"] 5 | assignees: [""] 6 | body: 7 | - type: markdown 8 | attributes: 9 | value: | 10 | Found a bug? 11 | 12 | Please checkout our [Slack Community](https://slack.cloudposse.com) 13 | or visit our [Slack Archive](https://archive.sweetops.com/). 14 | 15 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 16 | 17 | - type: textarea 18 | id: concise-description 19 | attributes: 20 | label: Describe the Bug 21 | description: A clear and concise description of what the bug is. 22 | placeholder: What is the bug about? 23 | validations: 24 | required: true 25 | 26 | - type: textarea 27 | id: expected 28 | attributes: 29 | label: Expected Behavior 30 | description: A clear and concise description of what you expected. 31 | placeholder: What happened? 32 | validations: 33 | required: true 34 | 35 | - type: textarea 36 | id: reproduction-steps 37 | attributes: 38 | label: Steps to Reproduce 39 | description: Steps to reproduce the behavior. 40 | placeholder: How do we reproduce it? 41 | validations: 42 | required: true 43 | 44 | - type: textarea 45 | id: screenshots 46 | attributes: 47 | label: Screenshots 48 | description: If applicable, add screenshots or logs to help explain. 49 | validations: 50 | required: false 51 | 52 | - type: textarea 53 | id: environment 54 | attributes: 55 | label: Environment 56 | description: Anything that will help us triage the bug. 57 | placeholder: | 58 | - OS: [e.g. Linux, OSX, WSL, etc] 59 | - Version [e.g. 10.15] 60 | - Module version 61 | - Terraform version 62 | validations: 63 | required: false 64 | 65 | - type: textarea 66 | id: additional 67 | attributes: 68 | label: Additional Context 69 | description: | 70 | Add any other context about the problem here. 71 | validations: 72 | required: false 73 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/config.yml: -------------------------------------------------------------------------------- 1 | blank_issues_enabled: false 2 | 3 | contact_links: 4 | 5 | - name: Community Slack Team 6 | url: https://cloudposse.com/slack/ 7 | about: |- 8 | Please ask and answer questions here. 9 | 10 | - name: Office Hours 11 | url: https://cloudposse.com/office-hours/ 12 | about: |- 13 | Join us every Wednesday for FREE Office Hours (lunch & learn). 14 | 15 | - name: DevOps Accelerator Program 16 | url: https://cloudposse.com/accelerate/ 17 | about: |- 18 | Own your infrastructure in record time. We build it. You drive it. 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature Request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: 'feature request' 6 | assignees: '' 7 | 8 | --- 9 | 10 | Have a question? Please checkout our [Slack Community](https://slack.cloudposse.com) or visit our [Slack Archive](https://archive.sweetops.com/). 11 | 12 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 13 | 14 | ## Describe the Feature 15 | 16 | A clear and concise description of what the bug is. 17 | 18 | ## Expected Behavior 19 | 20 | A clear and concise description of what you expected to happen. 21 | 22 | ## Use Case 23 | 24 | Is your feature request related to a problem/challenge you are trying to solve? Please provide some additional context of why this feature or capability will be valuable. 25 | 26 | ## Describe Ideal Solution 27 | 28 | A clear and concise description of what you want to happen. If you don't know, that's okay. 29 | 30 | ## Alternatives Considered 31 | 32 | Explain what alternative solutions or features you've considered. 33 | 34 | ## Additional Context 35 | 36 | Add any other context or screenshots about the feature request here. 37 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature Request 3 | description: Suggest an idea for this project 4 | labels: ["feature request"] 5 | assignees: [""] 6 | body: 7 | - type: markdown 8 | attributes: 9 | value: | 10 | Have a question? 11 | 12 | Please checkout our [Slack Community](https://slack.cloudposse.com) 13 | or visit our [Slack Archive](https://archive.sweetops.com/). 14 | 15 | [![Slack Community](https://slack.cloudposse.com/badge.svg)](https://slack.cloudposse.com) 16 | 17 | - type: textarea 18 | id: concise-description 19 | attributes: 20 | label: Describe the Feature 21 | description: A clear and concise description of what the feature is. 22 | placeholder: What is the feature about? 23 | validations: 24 | required: true 25 | 26 | - type: textarea 27 | id: expected 28 | attributes: 29 | label: Expected Behavior 30 | description: A clear and concise description of what you expected. 31 | placeholder: What happened? 32 | validations: 33 | required: true 34 | 35 | - type: textarea 36 | id: use-case 37 | attributes: 38 | label: Use Case 39 | description: | 40 | Is your feature request related to a problem/challenge you are trying 41 | to solve? 42 | 43 | Please provide some additional context of why this feature or 44 | capability will be valuable. 45 | validations: 46 | required: true 47 | 48 | - type: textarea 49 | id: ideal-solution 50 | attributes: 51 | label: Describe Ideal Solution 52 | description: A clear and concise description of what you want to happen. 53 | validations: 54 | required: true 55 | 56 | - type: textarea 57 | id: alternatives-considered 58 | attributes: 59 | label: Alternatives Considered 60 | description: Explain alternative solutions or features considered. 61 | validations: 62 | required: false 63 | 64 | - type: textarea 65 | id: additional 66 | attributes: 67 | label: Additional Context 68 | description: | 69 | Add any other context about the problem here. 70 | validations: 71 | required: false 72 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudposse/terraform-aws-alb-ingress/eee50e550d15391729ba57ae619dd1524eee2156/.github/ISSUE_TEMPLATE/question.md -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | ## what 2 | 3 | 7 | 8 | ## why 9 | 10 | 15 | 16 | ## references 17 | 18 | 22 | -------------------------------------------------------------------------------- /.github/banner.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudposse/terraform-aws-alb-ingress/eee50e550d15391729ba57ae619dd1524eee2156/.github/banner.png -------------------------------------------------------------------------------- /.github/mergify.yml: -------------------------------------------------------------------------------- 1 | extends: .github 2 | -------------------------------------------------------------------------------- /.github/renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "extends": [ 3 | "config:base", 4 | ":preserveSemverRanges" 5 | ], 6 | "baseBranches": ["main", "master", "/^release\\/v\\d{1,2}$/"], 7 | "labels": ["auto-update"], 8 | "dependencyDashboardAutoclose": true, 9 | "enabledManagers": ["terraform"], 10 | "terraform": { 11 | "ignorePaths": ["**/context.tf", "examples/**"] 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /.github/settings.yml: -------------------------------------------------------------------------------- 1 | # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch. 2 | _extends: .github 3 | repository: 4 | name: terraform-aws-alb-ingress 5 | description: Terraform module to provision an HTTP style ingress rule based on hostname and path for an ALB using target groups 6 | homepage: https://cloudposse.com/accelerate 7 | topics: aws, terraform, terraform-modules, alb, application-load-balancer, ingress, ecs, target-group, hcl2 8 | 9 | 10 | 11 | 12 | -------------------------------------------------------------------------------- /.github/workflows/branch.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Branch 3 | on: 4 | pull_request: 5 | branches: 6 | - main 7 | - release/** 8 | types: [opened, synchronize, reopened, labeled, unlabeled] 9 | push: 10 | branches: 11 | - main 12 | - release/v* 13 | paths-ignore: 14 | - '.github/**' 15 | - 'docs/**' 16 | - 'examples/**' 17 | - 'test/**' 18 | - 'README.md' 19 | 20 | permissions: {} 21 | 22 | jobs: 23 | terraform-module: 24 | uses: cloudposse/.github/.github/workflows/shared-terraform-module.yml@main 25 | secrets: inherit 26 | -------------------------------------------------------------------------------- /.github/workflows/chatops.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: chatops 3 | on: 4 | issue_comment: 5 | types: [created] 6 | 7 | permissions: 8 | pull-requests: write 9 | id-token: write 10 | contents: write 11 | statuses: write 12 | 13 | jobs: 14 | test: 15 | uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main 16 | if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }} 17 | secrets: inherit 18 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: release 3 | on: 4 | release: 5 | types: 6 | - published 7 | 8 | permissions: 9 | id-token: write 10 | contents: write 11 | pull-requests: write 12 | 13 | jobs: 14 | terraform-module: 15 | uses: cloudposse/.github/.github/workflows/shared-release-branches.yml@main 16 | secrets: inherit 17 | -------------------------------------------------------------------------------- /.github/workflows/scheduled.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: scheduled 3 | on: 4 | workflow_dispatch: { } # Allows manually trigger this workflow 5 | schedule: 6 | - cron: "0 3 * * *" 7 | 8 | permissions: 9 | pull-requests: write 10 | id-token: write 11 | contents: write 12 | 13 | jobs: 14 | scheduled: 15 | uses: cloudposse/.github/.github/workflows/shared-terraform-scheduled.yml@main 16 | secrets: inherit 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled files 2 | *.tfstate 3 | *.tfstate.backup 4 | .terraform.tfstate.lock.info 5 | 6 | # Module directory 7 | .terraform/ 8 | .idea 9 | *.iml 10 | 11 | # Build Harness 12 | .build-harness 13 | build-harness/ -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright 2018-2019 Cloud Posse, LLC 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Project Banner
5 |

6 | Latest ReleaseLast UpdatedSlack Community

7 | 8 | 9 | 29 | 30 | Terraform module to provision an HTTP style ALB ingress based on hostname and/or path. 31 | 32 | ALB ingress can be provisioned without authentication, or using Cognito or OIDC authentication. 33 | 34 | 35 | > [!TIP] 36 | > #### 👽 Use Atmos with Terraform 37 | > Cloud Posse uses [`atmos`](https://atmos.tools) to easily orchestrate multiple environments using Terraform.
38 | > Works with [Github Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift). 39 | > 40 | >
41 | > Watch demo of using Atmos with Terraform 42 | >
43 | > Example of running atmos to manage infrastructure from our Quick Start tutorial. 44 | > 45 | 46 | 47 | 48 | 49 | 50 | ## Usage 51 | 52 | For a complete example, see [examples/complete](examples/complete). 53 | 54 | For automated test of the complete example using `bats` and `Terratest`, see [test](test). 55 | 56 | ```hcl 57 | provider "aws" { 58 | region = var.region 59 | } 60 | 61 | module "vpc" { 62 | source = "cloudposse/vpc/aws" 63 | # Cloud Posse recommends pinning every module to a specific version 64 | # version = "x.x.x" 65 | 66 | namespace = var.namespace 67 | stage = var.stage 68 | name = var.name 69 | delimiter = var.delimiter 70 | attributes = var.attributes 71 | cidr_block = var.vpc_cidr_block 72 | 73 | tags = var.tags 74 | } 75 | 76 | module "subnets" { 77 | source = "cloudposse/dynamic-subnets/aws" 78 | # Cloud Posse recommends pinning every module to a specific version 79 | # version = "x.x.x" 80 | 81 | availability_zones = var.availability_zones 82 | namespace = var.namespace 83 | stage = var.stage 84 | name = var.name 85 | attributes = var.attributes 86 | delimiter = var.delimiter 87 | vpc_id = module.vpc.vpc_id 88 | igw_id = module.vpc.igw_id 89 | cidr_block = module.vpc.vpc_cidr_block 90 | nat_gateway_enabled = false 91 | nat_instance_enabled = false 92 | 93 | tags = var.tags 94 | } 95 | 96 | module "alb" { 97 | source = "cloudposse/alb/aws" 98 | # Cloud Posse recommends pinning every module to a specific version 99 | # version = "x.x.x" 100 | 101 | namespace = var.namespace 102 | stage = var.stage 103 | name = var.name 104 | attributes = var.attributes 105 | delimiter = var.delimiter 106 | vpc_id = module.vpc.vpc_id 107 | security_group_ids = [module.vpc.vpc_default_security_group_id] 108 | subnet_ids = module.subnets.public_subnet_ids 109 | internal = var.internal 110 | http_enabled = var.http_enabled 111 | access_logs_enabled = var.access_logs_enabled 112 | alb_access_logs_s3_bucket_force_destroy = var.alb_access_logs_s3_bucket_force_destroy 113 | cross_zone_load_balancing_enabled = var.cross_zone_load_balancing_enabled 114 | http2_enabled = var.http2_enabled 115 | idle_timeout = var.idle_timeout 116 | ip_address_type = var.ip_address_type 117 | deletion_protection_enabled = var.deletion_protection_enabled 118 | deregistration_delay = var.deregistration_delay 119 | health_check_path = var.health_check_path 120 | health_check_timeout = var.health_check_timeout 121 | health_check_healthy_threshold = var.health_check_healthy_threshold 122 | health_check_unhealthy_threshold = var.health_check_unhealthy_threshold 123 | health_check_interval = var.health_check_interval 124 | health_check_matcher = var.health_check_matcher 125 | target_group_port = var.target_group_port 126 | target_group_target_type = var.target_group_target_type 127 | 128 | tags = var.tags 129 | } 130 | 131 | module "alb_ingress" { 132 | source = "cloudposse/alb-ingress/aws" 133 | # Cloud Posse recommends pinning every module to a specific version 134 | # version = "x.x.x" 135 | 136 | namespace = var.namespace 137 | stage = var.stage 138 | name = var.name 139 | attributes = var.attributes 140 | delimiter = var.delimiter 141 | vpc_id = module.vpc.vpc_id 142 | authentication_type = var.authentication_type 143 | unauthenticated_priority = var.unauthenticated_priority 144 | unauthenticated_paths = var.unauthenticated_paths 145 | slow_start = var.slow_start 146 | stickiness_enabled = var.stickiness_enabled 147 | default_target_group_enabled = false 148 | target_group_arn = module.alb.default_target_group_arn 149 | unauthenticated_listener_arns = [module.alb.http_listener_arn] 150 | 151 | tags = var.tags 152 | } 153 | ``` 154 | 155 | > [!IMPORTANT] 156 | > In Cloud Posse's examples, we avoid pinning modules to specific versions to prevent discrepancies between the documentation 157 | > and the latest released versions. However, for your own projects, we strongly advise pinning each module to the exact version 158 | > you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic 159 | > approach for updating versions to avoid unexpected changes. 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | ## Requirements 170 | 171 | | Name | Version | 172 | |------|---------| 173 | | [terraform](#requirement\_terraform) | >= 1.0 | 174 | | [aws](#requirement\_aws) | >= 4.0 | 175 | 176 | ## Providers 177 | 178 | | Name | Version | 179 | |------|---------| 180 | | [aws](#provider\_aws) | >= 4.0 | 181 | 182 | ## Modules 183 | 184 | | Name | Source | Version | 185 | |------|--------|---------| 186 | | [target\_group](#module\_target\_group) | cloudposse/label/null | 0.25.0 | 187 | | [this](#module\_this) | cloudposse/label/null | 0.25.0 | 188 | 189 | ## Resources 190 | 191 | | Name | Type | 192 | |------|------| 193 | | [aws_lb_listener_rule.authenticated_hosts_cognito](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 194 | | [aws_lb_listener_rule.authenticated_hosts_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 195 | | [aws_lb_listener_rule.authenticated_hosts_paths_cognito](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 196 | | [aws_lb_listener_rule.authenticated_hosts_paths_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 197 | | [aws_lb_listener_rule.authenticated_paths_cognito](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 198 | | [aws_lb_listener_rule.authenticated_paths_oidc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 199 | | [aws_lb_listener_rule.unauthenticated_hosts](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 200 | | [aws_lb_listener_rule.unauthenticated_hosts_paths](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 201 | | [aws_lb_listener_rule.unauthenticated_paths](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | 202 | | [aws_lb_target_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | 203 | | [aws_lb_target_group.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/lb_target_group) | data source | 204 | 205 | ## Inputs 206 | 207 | | Name | Description | Type | Default | Required | 208 | |------|-------------|------|---------|:--------:| 209 | | [additional\_tag\_map](#input\_additional\_tag\_map) | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`.
This is for some rare cases where resources want additional configuration of tags
and therefore take a list of maps with tag key, value, and additional configuration. | `map(string)` | `{}` | no | 210 | | [attributes](#input\_attributes) | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`,
in the order they appear in the list. New attributes are appended to the
end of the list. The elements of the list are joined by the `delimiter`
and treated as a single ID element. | `list(string)` | `[]` | no | 211 | | [authenticated\_hosts](#input\_authenticated\_hosts) | Authenticated hosts to match in Hosts header | `list(string)` | `[]` | no | 212 | | [authenticated\_listener\_arns](#input\_authenticated\_listener\_arns) | A list of authenticated ALB listener ARNs to attach ALB listener rules to | `list(string)` | `[]` | no | 213 | | [authenticated\_paths](#input\_authenticated\_paths) | Authenticated path pattern to match (a maximum of 1 can be defined) | `list(string)` | `[]` | no | 214 | | [authenticated\_priority](#input\_authenticated\_priority) | The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority | `number` | `null` | no | 215 | | [authentication\_cognito\_on\_unauthenticated\_request](#input\_authentication\_cognito\_on\_unauthenticated\_request) | Cognito unauthenticated behavior, deny, allow, or authenticate | `string` | `"authenticate"` | no | 216 | | [authentication\_cognito\_request\_extra\_params](#input\_authentication\_cognito\_request\_extra\_params) | Cognito query parameters to include in redirect request | `map(string)` | `null` | no | 217 | | [authentication\_cognito\_scope](#input\_authentication\_cognito\_scope) | Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) | `string` | `null` | no | 218 | | [authentication\_cognito\_user\_pool\_arn](#input\_authentication\_cognito\_user\_pool\_arn) | Cognito User Pool ARN | `string` | `""` | no | 219 | | [authentication\_cognito\_user\_pool\_client\_id](#input\_authentication\_cognito\_user\_pool\_client\_id) | Cognito User Pool Client ID | `string` | `""` | no | 220 | | [authentication\_cognito\_user\_pool\_domain](#input\_authentication\_cognito\_user\_pool\_domain) | Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com) | `string` | `""` | no | 221 | | [authentication\_oidc\_authorization\_endpoint](#input\_authentication\_oidc\_authorization\_endpoint) | OIDC Authorization Endpoint | `string` | `""` | no | 222 | | [authentication\_oidc\_client\_id](#input\_authentication\_oidc\_client\_id) | OIDC Client ID | `string` | `""` | no | 223 | | [authentication\_oidc\_client\_secret](#input\_authentication\_oidc\_client\_secret) | OIDC Client Secret | `string` | `""` | no | 224 | | [authentication\_oidc\_issuer](#input\_authentication\_oidc\_issuer) | OIDC Issuer | `string` | `""` | no | 225 | | [authentication\_oidc\_on\_unauthenticated\_request](#input\_authentication\_oidc\_on\_unauthenticated\_request) | OIDC unauthenticated behavior, deny, allow, or authenticate | `string` | `"authenticate"` | no | 226 | | [authentication\_oidc\_request\_extra\_params](#input\_authentication\_oidc\_request\_extra\_params) | OIDC query parameters to include in redirect request | `map(string)` | `null` | no | 227 | | [authentication\_oidc\_scope](#input\_authentication\_oidc\_scope) | OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP) | `string` | `null` | no | 228 | | [authentication\_oidc\_token\_endpoint](#input\_authentication\_oidc\_token\_endpoint) | OIDC Token Endpoint | `string` | `""` | no | 229 | | [authentication\_oidc\_user\_info\_endpoint](#input\_authentication\_oidc\_user\_info\_endpoint) | OIDC User Info Endpoint | `string` | `""` | no | 230 | | [authentication\_type](#input\_authentication\_type) | Authentication type. Supported values are `COGNITO` and `OIDC` | `string` | `""` | no | 231 | | [context](#input\_context) | Single object for setting entire context at once.
See description of individual variables for details.
Leave string and numeric variables as `null` to use default value.
Individual variable settings (non-null) override settings in context object,
except for attributes, tags, and additional\_tag\_map, which are merged. | `any` | 
{
  "additional_tag_map": {},
  "attributes": [],
  "delimiter": null,
  "descriptor_formats": {},
  "enabled": true,
  "environment": null,
  "id_length_limit": null,
  "label_key_case": null,
  "label_order": [],
  "label_value_case": null,
  "labels_as_tags": [
    "unset"
  ],
  "name": null,
  "namespace": null,
  "regex_replace_chars": null,
  "stage": null,
  "tags": {},
  "tenant": null
}
| no | 232 | | [default\_target\_group\_enabled](#input\_default\_target\_group\_enabled) | Enable/disable creation of the default target group | `bool` | `true` | no | 233 | | [delimiter](#input\_delimiter) | Delimiter to be used between ID elements.
Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. | `string` | `null` | no | 234 | | [deregistration\_delay](#input\_deregistration\_delay) | The amount of time to wait in seconds while deregistering target | `number` | `15` | no | 235 | | [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.
Map of maps. Keys are names of descriptors. Values are maps of the form
`{
format = string
labels = list(string)
}`
(Type is `any` so the map values can later be enhanced to provide additional options.)
`format` is a Terraform format string to be passed to the `format()` function.
`labels` is a list of labels, in order, to pass to `format()` function.
Label values will be normalized before being passed to `format()` so they will be
identical to how they appear in `id`.
Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no | 236 | | [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no | 237 | | [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no | 238 | | [health\_check\_enabled](#input\_health\_check\_enabled) | Indicates whether health checks are enabled. Defaults to `true` | `bool` | `true` | no | 239 | | [health\_check\_healthy\_threshold](#input\_health\_check\_healthy\_threshold) | The number of consecutive health checks successes required before healthy | `number` | `2` | no | 240 | | [health\_check\_interval](#input\_health\_check\_interval) | The duration in seconds in between health checks | `number` | `15` | no | 241 | | [health\_check\_matcher](#input\_health\_check\_matcher) | The HTTP response codes to indicate a healthy check | `string` | `"200-399"` | no | 242 | | [health\_check\_path](#input\_health\_check\_path) | The destination for the health check request | `string` | `"/"` | no | 243 | | [health\_check\_port](#input\_health\_check\_port) | The port to use to connect with the target. Valid values are either ports 1-65536, or `traffic-port`. Defaults to `traffic-port` | `string` | `"traffic-port"` | no | 244 | | [health\_check\_protocol](#input\_health\_check\_protocol) | The protocol to use to connect with the target. Defaults to `HTTP`. Not applicable when `target_type` is `lambda` | `string` | `"HTTP"` | no | 245 | | [health\_check\_timeout](#input\_health\_check\_timeout) | The amount of time to wait in seconds before failing a health check request | `number` | `10` | no | 246 | | [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | The number of consecutive health check failures required before unhealthy | `number` | `2` | no | 247 | | [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).
Set to `0` for unlimited length.
Set to `null` for keep the existing setting, which defaults to `0`.
Does not affect `id_full`. | `number` | `null` | no | 248 | | [label\_key\_case](#input\_label\_key\_case) | Controls the letter case of the `tags` keys (label names) for tags generated by this module.
Does not affect keys of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper`.
Default value: `title`. | `string` | `null` | no | 249 | | [label\_order](#input\_label\_order) | The order in which the labels (ID elements) appear in the `id`.
Defaults to ["namespace", "environment", "stage", "name", "attributes"].
You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. | `list(string)` | `null` | no | 250 | | [label\_value\_case](#input\_label\_value\_case) | Controls the letter case of ID elements (labels) as included in `id`,
set as tag values, and output by this module individually.
Does not affect values of tags passed in via the `tags` input.
Possible values: `lower`, `title`, `upper` and `none` (no transformation).
Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs.
Default value: `lower`. | `string` | `null` | no | 251 | | [labels\_as\_tags](#input\_labels\_as\_tags) | Set of labels (ID elements) to include as tags in the `tags` output.
Default is to include all labels.
Tags with empty values will not be included in the `tags` output.
Set to `[]` to suppress all generated tags.
**Notes:**
The value of the `name` tag, if included, will be the `id`, not the `name`.
Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be
changed in later chained modules. Attempts to change it will be silently ignored. | `set(string)` | 
[
  "default"
]
| no | 252 | | [listener\_http\_header\_conditions](#input\_listener\_http\_header\_conditions) | A list of http header conditions to apply to the listener. | 
list(object({
    name  = string
    value = list(string)
  }))
| `[]` | no | 253 | | [load\_balancing\_algorithm\_type](#input\_load\_balancing\_algorithm\_type) | Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round\_robin, least\_outstanding\_requests or weighted\_random. The default is round\_robin. | `string` | `"round_robin"` | no | 254 | | [load\_balancing\_anomaly\_mitigation](#input\_load\_balancing\_anomaly\_mitigation) | Determines whether to enable target anomaly mitigation. Only supported by the weighted\_random load balancing algorithm type. Valid values are 'on' or 'off'. | `string` | `"off"` | no | 255 | | [name](#input\_name) | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'.
This is the only ID element not also included as a `tag`.
The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. | `string` | `null` | no | 256 | | [namespace](#input\_namespace) | ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique | `string` | `null` | no | 257 | | [port](#input\_port) | The port for the created ALB target group (if `target_group_arn` is not set) | `number` | `80` | no | 258 | | [protocol](#input\_protocol) | The protocol for the created ALB target group (if `target_group_arn` is not set) | `string` | `"HTTP"` | no | 259 | | [protocol\_version](#input\_protocol\_version) | Only applicable when protocol is `HTTP` or `HTTPS`. The protocol version. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is `HTTP1`, which sends requests to targets using HTTP/1.1 | `string` | `"HTTP1"` | no | 260 | | [regex\_replace\_chars](#input\_regex\_replace\_chars) | Terraform regular expression (regex) string.
Characters matching the regex will be removed from the ID elements.
If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. | `string` | `null` | no | 261 | | [slow\_start](#input\_slow\_start) | The amount of time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is `0` seconds | `number` | `0` | no | 262 | | [stage](#input\_stage) | ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release' | `string` | `null` | no | 263 | | [stickiness\_cookie\_duration](#input\_stickiness\_cookie\_duration) | The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds) | `number` | `86400` | no | 264 | | [stickiness\_cookie\_name](#input\_stickiness\_cookie\_name) | Name of the application based cookie. AWSALB, AWSALBAPP, and AWSALBTG prefixes are reserved and cannot be used. Only needed when `stickiness_type` is app\_cookie | `string` | `null` | no | 265 | | [stickiness\_enabled](#input\_stickiness\_enabled) | Boolean to enable / disable `stickiness`. Default is `true` | `bool` | `true` | no | 266 | | [stickiness\_type](#input\_stickiness\_type) | The type of sticky sessions. The possible values are `lb_cookie` or `app_cookie` | `string` | `"lb_cookie"` | no | 267 | | [tags](#input\_tags) | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`).
Neither the tag keys nor the tag values will be modified by this module. | `map(string)` | `{}` | no | 268 | | [target\_group\_arn](#input\_target\_group\_arn) | Existing ALB target group ARN. If provided, set `default_target_group_enabled` to `false` to disable creation of the default target group | `string` | `""` | no | 269 | | [target\_group\_name](#input\_target\_group\_name) | Override the target group name | `string` | `""` | no | 270 | | [target\_type](#input\_target\_type) | The type (`instance`, `ip` or `lambda`) of targets that can be registered with the target group | `string` | `"ip"` | no | 271 | | [tenant](#input\_tenant) | ID element \_(Rarely used, not included by default)\_. A customer identifier, indicating who this instance of a resource is for | `string` | `null` | no | 272 | | [unauthenticated\_hosts](#input\_unauthenticated\_hosts) | Unauthenticated hosts to match in Hosts header | `list(string)` | `[]` | no | 273 | | [unauthenticated\_listener\_arns](#input\_unauthenticated\_listener\_arns) | A list of unauthenticated ALB listener ARNs to attach ALB listener rules to | `list(string)` | `[]` | no | 274 | | [unauthenticated\_paths](#input\_unauthenticated\_paths) | Unauthenticated path pattern to match (a maximum of 1 can be defined) | `list(string)` | `[]` | no | 275 | | [unauthenticated\_priority](#input\_unauthenticated\_priority) | The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `authenticated_priority` since a listener can't have multiple rules with the same priority | `number` | `null` | no | 276 | | [vpc\_id](#input\_vpc\_id) | The VPC ID where generated ALB target group will be provisioned (if `target_group_arn` is not set) | `string` | n/a | yes | 277 | 278 | ## Outputs 279 | 280 | | Name | Description | 281 | |------|-------------| 282 | | [target\_group\_arn](#output\_target\_group\_arn) | ALB Target Group ARN | 283 | | [target\_group\_arn\_suffix](#output\_target\_group\_arn\_suffix) | ALB Target Group ARN suffix | 284 | | [target\_group\_name](#output\_target\_group\_name) | ALB Target Group name | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | ## Related Projects 294 | 295 | Check out these related projects. 296 | 297 | - [terraform-aws-alb](https://github.com/cloudposse/terraform-aws-alb) - Terraform module to create an ALB, default ALB listener(s), and a default ALB target and related security groups. 298 | 299 | 300 | > [!TIP] 301 | > #### Use Terraform Reference Architectures for AWS 302 | > 303 | > Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly. 304 | > 305 | > ✅ We build it together with your team.
306 | > ✅ Your team owns everything.
307 | > ✅ 100% Open Source and backed by fanatical support.
308 | > 309 | > Request Quote 310 | >
📚 Learn More 311 | > 312 | >
313 | > 314 | > Cloud Posse is the leading [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-alb-ingress&utm_content=commercial_support) for funded startups and enterprises. 315 | > 316 | > *Your team can operate like a pro today.* 317 | > 318 | > Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed. 319 | > #### Day-0: Your Foundation for Success 320 | > - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. 321 | > - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases. 322 | > - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance. 323 | > - **Security Baseline.** Establish a secure environment from the start, with built-in governance, accountability, and comprehensive audit logs, safeguarding your operations. 324 | > - **GitOps.** Empower your team to manage infrastructure changes confidently and efficiently through Pull Requests, leveraging the full power of GitHub Actions. 325 | > 326 | > Request Quote 327 | > 328 | > #### Day-2: Your Operational Mastery 329 | > - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency. 330 | > - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it. 331 | > - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity. 332 | > - **Code Reviews.** Enhance your team’s code quality with our expert feedback, fostering continuous improvement and collaboration. 333 | > - **Bug Fixes.** Rely on our team to troubleshoot and resolve any issues, ensuring your systems run smoothly. 334 | > - **Migration Assistance.** Accelerate your migration process with our dedicated support, minimizing disruption and speeding up time-to-value. 335 | > - **Customer Workshops.** Engage with our team in weekly workshops, gaining insights and strategies to continuously improve and innovate. 336 | > 337 | > Request Quote 338 | >
339 | 340 | ## ✨ Contributing 341 | 342 | This project is under active development, and we encourage contributions from our community. 343 | 344 | 345 | 346 | Many thanks to our outstanding contributors: 347 | 348 | 349 | 350 | 351 | 352 | For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-aws-alb-ingress/issues). 353 | 354 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. 355 | 1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-aws-alb-ingress/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). 356 | 2. **Fork** the repo on GitHub 357 | 3. **Clone** the project to your own machine 358 | 4. **Commit** changes to your own branch 359 | 5. **Push** your work back up to your fork 360 | 6. Submit a **Pull Request** so that we can review your changes 361 | 362 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! 363 | 364 | ### 🌎 Slack Community 365 | 366 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-alb-ingress&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. 367 | 368 | ### 📰 Newsletter 369 | 370 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-alb-ingress&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. 371 | Dropped straight into your Inbox every week — and usually a 5-minute read. 372 | 373 | ### 📆 Office Hours 374 | 375 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-aws-alb-ingress&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else. 376 | It's **FREE** for everyone! 377 | ## License 378 | 379 | License 380 | 381 |
382 | Preamble to the Apache License, Version 2.0 383 |
384 |
385 | 386 | Complete license is available in the [`LICENSE`](LICENSE) file. 387 | 388 | ```text 389 | Licensed to the Apache Software Foundation (ASF) under one 390 | or more contributor license agreements. See the NOTICE file 391 | distributed with this work for additional information 392 | regarding copyright ownership. The ASF licenses this file 393 | to you under the Apache License, Version 2.0 (the 394 | "License"); you may not use this file except in compliance 395 | with the License. You may obtain a copy of the License at 396 | 397 | https://www.apache.org/licenses/LICENSE-2.0 398 | 399 | Unless required by applicable law or agreed to in writing, 400 | software distributed under the License is distributed on an 401 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 402 | KIND, either express or implied. See the License for the 403 | specific language governing permissions and limitations 404 | under the License. 405 | ``` 406 |
407 | 408 | ## Trademarks 409 | 410 | All other trademarks referenced herein are the property of their respective owners. 411 | 412 | 413 | --- 414 | Copyright © 2017-2025 [Cloud Posse, LLC](https://cpco.io/copyright) 415 | 416 | 417 | README footer 418 | 419 | Beacon 420 | -------------------------------------------------------------------------------- /README.yaml: -------------------------------------------------------------------------------- 1 | name: terraform-aws-alb-ingress 2 | license: APACHE2 3 | github_repo: cloudposse/terraform-aws-alb-ingress 4 | badges: 5 | - name: Latest Release 6 | image: https://img.shields.io/github/release/cloudposse/terraform-aws-alb-ingress.svg?style=for-the-badge 7 | url: https://github.com/cloudposse/terraform-aws-alb-ingress/releases/latest 8 | - name: Last Updated 9 | image: https://img.shields.io/github/last-commit/cloudposse/terraform-aws-alb-ingress.svg?style=for-the-badge 10 | url: https://github.com/cloudposse/terraform-aws-alb-ingress/commits 11 | - name: Slack Community 12 | image: https://slack.cloudposse.com/for-the-badge.svg 13 | url: https://cloudposse.com/slack 14 | 15 | # List any related terraform modules that this module may be used with or that this module depends on. 16 | related: 17 | - name: terraform-aws-alb 18 | description: Terraform module to create an ALB, default ALB listener(s), and a default ALB target and related security groups. 19 | url: https://github.com/cloudposse/terraform-aws-alb 20 | description: |- 21 | Terraform module to provision an HTTP style ALB ingress based on hostname and/or path. 22 | 23 | ALB ingress can be provisioned without authentication, or using Cognito or OIDC authentication. 24 | usage: |- 25 | For a complete example, see [examples/complete](examples/complete). 26 | 27 | For automated test of the complete example using `bats` and `Terratest`, see [test](test). 28 | 29 | ```hcl 30 | provider "aws" { 31 | region = var.region 32 | } 33 | 34 | module "vpc" { 35 | source = "cloudposse/vpc/aws" 36 | # Cloud Posse recommends pinning every module to a specific version 37 | # version = "x.x.x" 38 | 39 | namespace = var.namespace 40 | stage = var.stage 41 | name = var.name 42 | delimiter = var.delimiter 43 | attributes = var.attributes 44 | cidr_block = var.vpc_cidr_block 45 | 46 | tags = var.tags 47 | } 48 | 49 | module "subnets" { 50 | source = "cloudposse/dynamic-subnets/aws" 51 | # Cloud Posse recommends pinning every module to a specific version 52 | # version = "x.x.x" 53 | 54 | availability_zones = var.availability_zones 55 | namespace = var.namespace 56 | stage = var.stage 57 | name = var.name 58 | attributes = var.attributes 59 | delimiter = var.delimiter 60 | vpc_id = module.vpc.vpc_id 61 | igw_id = module.vpc.igw_id 62 | cidr_block = module.vpc.vpc_cidr_block 63 | nat_gateway_enabled = false 64 | nat_instance_enabled = false 65 | 66 | tags = var.tags 67 | } 68 | 69 | module "alb" { 70 | source = "cloudposse/alb/aws" 71 | # Cloud Posse recommends pinning every module to a specific version 72 | # version = "x.x.x" 73 | 74 | namespace = var.namespace 75 | stage = var.stage 76 | name = var.name 77 | attributes = var.attributes 78 | delimiter = var.delimiter 79 | vpc_id = module.vpc.vpc_id 80 | security_group_ids = [module.vpc.vpc_default_security_group_id] 81 | subnet_ids = module.subnets.public_subnet_ids 82 | internal = var.internal 83 | http_enabled = var.http_enabled 84 | access_logs_enabled = var.access_logs_enabled 85 | alb_access_logs_s3_bucket_force_destroy = var.alb_access_logs_s3_bucket_force_destroy 86 | cross_zone_load_balancing_enabled = var.cross_zone_load_balancing_enabled 87 | http2_enabled = var.http2_enabled 88 | idle_timeout = var.idle_timeout 89 | ip_address_type = var.ip_address_type 90 | deletion_protection_enabled = var.deletion_protection_enabled 91 | deregistration_delay = var.deregistration_delay 92 | health_check_path = var.health_check_path 93 | health_check_timeout = var.health_check_timeout 94 | health_check_healthy_threshold = var.health_check_healthy_threshold 95 | health_check_unhealthy_threshold = var.health_check_unhealthy_threshold 96 | health_check_interval = var.health_check_interval 97 | health_check_matcher = var.health_check_matcher 98 | target_group_port = var.target_group_port 99 | target_group_target_type = var.target_group_target_type 100 | 101 | tags = var.tags 102 | } 103 | 104 | module "alb_ingress" { 105 | source = "cloudposse/alb-ingress/aws" 106 | # Cloud Posse recommends pinning every module to a specific version 107 | # version = "x.x.x" 108 | 109 | namespace = var.namespace 110 | stage = var.stage 111 | name = var.name 112 | attributes = var.attributes 113 | delimiter = var.delimiter 114 | vpc_id = module.vpc.vpc_id 115 | authentication_type = var.authentication_type 116 | unauthenticated_priority = var.unauthenticated_priority 117 | unauthenticated_paths = var.unauthenticated_paths 118 | slow_start = var.slow_start 119 | stickiness_enabled = var.stickiness_enabled 120 | default_target_group_enabled = false 121 | target_group_arn = module.alb.default_target_group_arn 122 | unauthenticated_listener_arns = [module.alb.http_listener_arn] 123 | 124 | tags = var.tags 125 | } 126 | ``` 127 | 128 | include: [] 129 | contributors: [] 130 | -------------------------------------------------------------------------------- /atmos.yaml: -------------------------------------------------------------------------------- 1 | # Atmos Configuration — powered by https://atmos.tools 2 | # 3 | # This configuration enables centralized, DRY, and consistent project scaffolding using Atmos. 4 | # 5 | # Included features: 6 | # - Organizational custom commands: https://atmos.tools/core-concepts/custom-commands 7 | # - Automated README generation: https://atmos.tools/cli/commands/docs/generate 8 | # 9 | 10 | # Import shared configuration used by all modules 11 | import: 12 | - https://raw.githubusercontent.com/cloudposse/.github/refs/heads/main/.github/atmos/terraform-module.yaml 13 | -------------------------------------------------------------------------------- /context.tf: -------------------------------------------------------------------------------- 1 | # 2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label 3 | # All other instances of this file should be a copy of that one 4 | # 5 | # 6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf 7 | # and then place it in your Terraform module to automatically get 8 | # Cloud Posse's standard configuration inputs suitable for passing 9 | # to Cloud Posse modules. 10 | # 11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf 12 | # 13 | # Modules should access the whole context as `module.this.context` 14 | # to get the input variables with nulls for defaults, 15 | # for example `context = module.this.context`, 16 | # and access individual variables as `module.this.`, 17 | # with final values filled in. 18 | # 19 | # For example, when using defaults, `module.this.context.delimiter` 20 | # will be null, and `module.this.delimiter` will be `-` (hyphen). 21 | # 22 | 23 | module "this" { 24 | source = "cloudposse/label/null" 25 | version = "0.25.0" # requires Terraform >= 0.13.0 26 | 27 | enabled = var.enabled 28 | namespace = var.namespace 29 | tenant = var.tenant 30 | environment = var.environment 31 | stage = var.stage 32 | name = var.name 33 | delimiter = var.delimiter 34 | attributes = var.attributes 35 | tags = var.tags 36 | additional_tag_map = var.additional_tag_map 37 | label_order = var.label_order 38 | regex_replace_chars = var.regex_replace_chars 39 | id_length_limit = var.id_length_limit 40 | label_key_case = var.label_key_case 41 | label_value_case = var.label_value_case 42 | descriptor_formats = var.descriptor_formats 43 | labels_as_tags = var.labels_as_tags 44 | 45 | context = var.context 46 | } 47 | 48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here 49 | 50 | variable "context" { 51 | type = any 52 | default = { 53 | enabled = true 54 | namespace = null 55 | tenant = null 56 | environment = null 57 | stage = null 58 | name = null 59 | delimiter = null 60 | attributes = [] 61 | tags = {} 62 | additional_tag_map = {} 63 | regex_replace_chars = null 64 | label_order = [] 65 | id_length_limit = null 66 | label_key_case = null 67 | label_value_case = null 68 | descriptor_formats = {} 69 | # Note: we have to use [] instead of null for unset lists due to 70 | # https://github.com/hashicorp/terraform/issues/28137 71 | # which was not fixed until Terraform 1.0.0, 72 | # but we want the default to be all the labels in `label_order` 73 | # and we want users to be able to prevent all tag generation 74 | # by setting `labels_as_tags` to `[]`, so we need 75 | # a different sentinel to indicate "default" 76 | labels_as_tags = ["unset"] 77 | } 78 | description = <<-EOT 79 | Single object for setting entire context at once. 80 | See description of individual variables for details. 81 | Leave string and numeric variables as `null` to use default value. 82 | Individual variable settings (non-null) override settings in context object, 83 | except for attributes, tags, and additional_tag_map, which are merged. 84 | EOT 85 | 86 | validation { 87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) 88 | error_message = "Allowed values: `lower`, `title`, `upper`." 89 | } 90 | 91 | validation { 92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) 93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`." 94 | } 95 | } 96 | 97 | variable "enabled" { 98 | type = bool 99 | default = null 100 | description = "Set to false to prevent the module from creating any resources" 101 | } 102 | 103 | variable "namespace" { 104 | type = string 105 | default = null 106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" 107 | } 108 | 109 | variable "tenant" { 110 | type = string 111 | default = null 112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for" 113 | } 114 | 115 | variable "environment" { 116 | type = string 117 | default = null 118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" 119 | } 120 | 121 | variable "stage" { 122 | type = string 123 | default = null 124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'" 125 | } 126 | 127 | variable "name" { 128 | type = string 129 | default = null 130 | description = <<-EOT 131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. 132 | This is the only ID element not also included as a `tag`. 133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. 134 | EOT 135 | } 136 | 137 | variable "delimiter" { 138 | type = string 139 | default = null 140 | description = <<-EOT 141 | Delimiter to be used between ID elements. 142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. 143 | EOT 144 | } 145 | 146 | variable "attributes" { 147 | type = list(string) 148 | default = [] 149 | description = <<-EOT 150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, 151 | in the order they appear in the list. New attributes are appended to the 152 | end of the list. The elements of the list are joined by the `delimiter` 153 | and treated as a single ID element. 154 | EOT 155 | } 156 | 157 | variable "labels_as_tags" { 158 | type = set(string) 159 | default = ["default"] 160 | description = <<-EOT 161 | Set of labels (ID elements) to include as tags in the `tags` output. 162 | Default is to include all labels. 163 | Tags with empty values will not be included in the `tags` output. 164 | Set to `[]` to suppress all generated tags. 165 | **Notes:** 166 | The value of the `name` tag, if included, will be the `id`, not the `name`. 167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be 168 | changed in later chained modules. Attempts to change it will be silently ignored. 169 | EOT 170 | } 171 | 172 | variable "tags" { 173 | type = map(string) 174 | default = {} 175 | description = <<-EOT 176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). 177 | Neither the tag keys nor the tag values will be modified by this module. 178 | EOT 179 | } 180 | 181 | variable "additional_tag_map" { 182 | type = map(string) 183 | default = {} 184 | description = <<-EOT 185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. 186 | This is for some rare cases where resources want additional configuration of tags 187 | and therefore take a list of maps with tag key, value, and additional configuration. 188 | EOT 189 | } 190 | 191 | variable "label_order" { 192 | type = list(string) 193 | default = null 194 | description = <<-EOT 195 | The order in which the labels (ID elements) appear in the `id`. 196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"]. 197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. 198 | EOT 199 | } 200 | 201 | variable "regex_replace_chars" { 202 | type = string 203 | default = null 204 | description = <<-EOT 205 | Terraform regular expression (regex) string. 206 | Characters matching the regex will be removed from the ID elements. 207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. 208 | EOT 209 | } 210 | 211 | variable "id_length_limit" { 212 | type = number 213 | default = null 214 | description = <<-EOT 215 | Limit `id` to this many characters (minimum 6). 216 | Set to `0` for unlimited length. 217 | Set to `null` for keep the existing setting, which defaults to `0`. 218 | Does not affect `id_full`. 219 | EOT 220 | validation { 221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." 223 | } 224 | } 225 | 226 | variable "label_key_case" { 227 | type = string 228 | default = null 229 | description = <<-EOT 230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module. 231 | Does not affect keys of tags passed in via the `tags` input. 232 | Possible values: `lower`, `title`, `upper`. 233 | Default value: `title`. 234 | EOT 235 | 236 | validation { 237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) 238 | error_message = "Allowed values: `lower`, `title`, `upper`." 239 | } 240 | } 241 | 242 | variable "label_value_case" { 243 | type = string 244 | default = null 245 | description = <<-EOT 246 | Controls the letter case of ID elements (labels) as included in `id`, 247 | set as tag values, and output by this module individually. 248 | Does not affect values of tags passed in via the `tags` input. 249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation). 250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. 251 | Default value: `lower`. 252 | EOT 253 | 254 | validation { 255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) 256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`." 257 | } 258 | } 259 | 260 | variable "descriptor_formats" { 261 | type = any 262 | default = {} 263 | description = <<-EOT 264 | Describe additional descriptors to be output in the `descriptors` output map. 265 | Map of maps. Keys are names of descriptors. Values are maps of the form 266 | `{ 267 | format = string 268 | labels = list(string) 269 | }` 270 | (Type is `any` so the map values can later be enhanced to provide additional options.) 271 | `format` is a Terraform format string to be passed to the `format()` function. 272 | `labels` is a list of labels, in order, to pass to `format()` function. 273 | Label values will be normalized before being passed to `format()` so they will be 274 | identical to how they appear in `id`. 275 | Default is `{}` (`descriptors` output will be empty). 276 | EOT 277 | } 278 | 279 | #### End of copy of cloudposse/terraform-null-label/variables.tf 280 | -------------------------------------------------------------------------------- /examples/complete/context.tf: -------------------------------------------------------------------------------- 1 | # 2 | # ONLY EDIT THIS FILE IN github.com/cloudposse/terraform-null-label 3 | # All other instances of this file should be a copy of that one 4 | # 5 | # 6 | # Copy this file from https://github.com/cloudposse/terraform-null-label/blob/master/exports/context.tf 7 | # and then place it in your Terraform module to automatically get 8 | # Cloud Posse's standard configuration inputs suitable for passing 9 | # to Cloud Posse modules. 10 | # 11 | # curl -sL https://raw.githubusercontent.com/cloudposse/terraform-null-label/master/exports/context.tf -o context.tf 12 | # 13 | # Modules should access the whole context as `module.this.context` 14 | # to get the input variables with nulls for defaults, 15 | # for example `context = module.this.context`, 16 | # and access individual variables as `module.this.`, 17 | # with final values filled in. 18 | # 19 | # For example, when using defaults, `module.this.context.delimiter` 20 | # will be null, and `module.this.delimiter` will be `-` (hyphen). 21 | # 22 | 23 | module "this" { 24 | source = "cloudposse/label/null" 25 | version = "0.25.0" # requires Terraform >= 0.13.0 26 | 27 | enabled = var.enabled 28 | namespace = var.namespace 29 | tenant = var.tenant 30 | environment = var.environment 31 | stage = var.stage 32 | name = var.name 33 | delimiter = var.delimiter 34 | attributes = var.attributes 35 | tags = var.tags 36 | additional_tag_map = var.additional_tag_map 37 | label_order = var.label_order 38 | regex_replace_chars = var.regex_replace_chars 39 | id_length_limit = var.id_length_limit 40 | label_key_case = var.label_key_case 41 | label_value_case = var.label_value_case 42 | descriptor_formats = var.descriptor_formats 43 | labels_as_tags = var.labels_as_tags 44 | 45 | context = var.context 46 | } 47 | 48 | # Copy contents of cloudposse/terraform-null-label/variables.tf here 49 | 50 | variable "context" { 51 | type = any 52 | default = { 53 | enabled = true 54 | namespace = null 55 | tenant = null 56 | environment = null 57 | stage = null 58 | name = null 59 | delimiter = null 60 | attributes = [] 61 | tags = {} 62 | additional_tag_map = {} 63 | regex_replace_chars = null 64 | label_order = [] 65 | id_length_limit = null 66 | label_key_case = null 67 | label_value_case = null 68 | descriptor_formats = {} 69 | # Note: we have to use [] instead of null for unset lists due to 70 | # https://github.com/hashicorp/terraform/issues/28137 71 | # which was not fixed until Terraform 1.0.0, 72 | # but we want the default to be all the labels in `label_order` 73 | # and we want users to be able to prevent all tag generation 74 | # by setting `labels_as_tags` to `[]`, so we need 75 | # a different sentinel to indicate "default" 76 | labels_as_tags = ["unset"] 77 | } 78 | description = <<-EOT 79 | Single object for setting entire context at once. 80 | See description of individual variables for details. 81 | Leave string and numeric variables as `null` to use default value. 82 | Individual variable settings (non-null) override settings in context object, 83 | except for attributes, tags, and additional_tag_map, which are merged. 84 | EOT 85 | 86 | validation { 87 | condition = lookup(var.context, "label_key_case", null) == null ? true : contains(["lower", "title", "upper"], var.context["label_key_case"]) 88 | error_message = "Allowed values: `lower`, `title`, `upper`." 89 | } 90 | 91 | validation { 92 | condition = lookup(var.context, "label_value_case", null) == null ? true : contains(["lower", "title", "upper", "none"], var.context["label_value_case"]) 93 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`." 94 | } 95 | } 96 | 97 | variable "enabled" { 98 | type = bool 99 | default = null 100 | description = "Set to false to prevent the module from creating any resources" 101 | } 102 | 103 | variable "namespace" { 104 | type = string 105 | default = null 106 | description = "ID element. Usually an abbreviation of your organization name, e.g. 'eg' or 'cp', to help ensure generated IDs are globally unique" 107 | } 108 | 109 | variable "tenant" { 110 | type = string 111 | default = null 112 | description = "ID element _(Rarely used, not included by default)_. A customer identifier, indicating who this instance of a resource is for" 113 | } 114 | 115 | variable "environment" { 116 | type = string 117 | default = null 118 | description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'" 119 | } 120 | 121 | variable "stage" { 122 | type = string 123 | default = null 124 | description = "ID element. Usually used to indicate role, e.g. 'prod', 'staging', 'source', 'build', 'test', 'deploy', 'release'" 125 | } 126 | 127 | variable "name" { 128 | type = string 129 | default = null 130 | description = <<-EOT 131 | ID element. Usually the component or solution name, e.g. 'app' or 'jenkins'. 132 | This is the only ID element not also included as a `tag`. 133 | The "name" tag is set to the full `id` string. There is no tag with the value of the `name` input. 134 | EOT 135 | } 136 | 137 | variable "delimiter" { 138 | type = string 139 | default = null 140 | description = <<-EOT 141 | Delimiter to be used between ID elements. 142 | Defaults to `-` (hyphen). Set to `""` to use no delimiter at all. 143 | EOT 144 | } 145 | 146 | variable "attributes" { 147 | type = list(string) 148 | default = [] 149 | description = <<-EOT 150 | ID element. Additional attributes (e.g. `workers` or `cluster`) to add to `id`, 151 | in the order they appear in the list. New attributes are appended to the 152 | end of the list. The elements of the list are joined by the `delimiter` 153 | and treated as a single ID element. 154 | EOT 155 | } 156 | 157 | variable "labels_as_tags" { 158 | type = set(string) 159 | default = ["default"] 160 | description = <<-EOT 161 | Set of labels (ID elements) to include as tags in the `tags` output. 162 | Default is to include all labels. 163 | Tags with empty values will not be included in the `tags` output. 164 | Set to `[]` to suppress all generated tags. 165 | **Notes:** 166 | The value of the `name` tag, if included, will be the `id`, not the `name`. 167 | Unlike other `null-label` inputs, the initial setting of `labels_as_tags` cannot be 168 | changed in later chained modules. Attempts to change it will be silently ignored. 169 | EOT 170 | } 171 | 172 | variable "tags" { 173 | type = map(string) 174 | default = {} 175 | description = <<-EOT 176 | Additional tags (e.g. `{'BusinessUnit': 'XYZ'}`). 177 | Neither the tag keys nor the tag values will be modified by this module. 178 | EOT 179 | } 180 | 181 | variable "additional_tag_map" { 182 | type = map(string) 183 | default = {} 184 | description = <<-EOT 185 | Additional key-value pairs to add to each map in `tags_as_list_of_maps`. Not added to `tags` or `id`. 186 | This is for some rare cases where resources want additional configuration of tags 187 | and therefore take a list of maps with tag key, value, and additional configuration. 188 | EOT 189 | } 190 | 191 | variable "label_order" { 192 | type = list(string) 193 | default = null 194 | description = <<-EOT 195 | The order in which the labels (ID elements) appear in the `id`. 196 | Defaults to ["namespace", "environment", "stage", "name", "attributes"]. 197 | You can omit any of the 6 labels ("tenant" is the 6th), but at least one must be present. 198 | EOT 199 | } 200 | 201 | variable "regex_replace_chars" { 202 | type = string 203 | default = null 204 | description = <<-EOT 205 | Terraform regular expression (regex) string. 206 | Characters matching the regex will be removed from the ID elements. 207 | If not set, `"/[^a-zA-Z0-9-]/"` is used to remove all characters other than hyphens, letters and digits. 208 | EOT 209 | } 210 | 211 | variable "id_length_limit" { 212 | type = number 213 | default = null 214 | description = <<-EOT 215 | Limit `id` to this many characters (minimum 6). 216 | Set to `0` for unlimited length. 217 | Set to `null` for keep the existing setting, which defaults to `0`. 218 | Does not affect `id_full`. 219 | EOT 220 | validation { 221 | condition = var.id_length_limit == null ? true : var.id_length_limit >= 6 || var.id_length_limit == 0 222 | error_message = "The id_length_limit must be >= 6 if supplied (not null), or 0 for unlimited length." 223 | } 224 | } 225 | 226 | variable "label_key_case" { 227 | type = string 228 | default = null 229 | description = <<-EOT 230 | Controls the letter case of the `tags` keys (label names) for tags generated by this module. 231 | Does not affect keys of tags passed in via the `tags` input. 232 | Possible values: `lower`, `title`, `upper`. 233 | Default value: `title`. 234 | EOT 235 | 236 | validation { 237 | condition = var.label_key_case == null ? true : contains(["lower", "title", "upper"], var.label_key_case) 238 | error_message = "Allowed values: `lower`, `title`, `upper`." 239 | } 240 | } 241 | 242 | variable "label_value_case" { 243 | type = string 244 | default = null 245 | description = <<-EOT 246 | Controls the letter case of ID elements (labels) as included in `id`, 247 | set as tag values, and output by this module individually. 248 | Does not affect values of tags passed in via the `tags` input. 249 | Possible values: `lower`, `title`, `upper` and `none` (no transformation). 250 | Set this to `title` and set `delimiter` to `""` to yield Pascal Case IDs. 251 | Default value: `lower`. 252 | EOT 253 | 254 | validation { 255 | condition = var.label_value_case == null ? true : contains(["lower", "title", "upper", "none"], var.label_value_case) 256 | error_message = "Allowed values: `lower`, `title`, `upper`, `none`." 257 | } 258 | } 259 | 260 | variable "descriptor_formats" { 261 | type = any 262 | default = {} 263 | description = <<-EOT 264 | Describe additional descriptors to be output in the `descriptors` output map. 265 | Map of maps. Keys are names of descriptors. Values are maps of the form 266 | `{ 267 | format = string 268 | labels = list(string) 269 | }` 270 | (Type is `any` so the map values can later be enhanced to provide additional options.) 271 | `format` is a Terraform format string to be passed to the `format()` function. 272 | `labels` is a list of labels, in order, to pass to `format()` function. 273 | Label values will be normalized before being passed to `format()` so they will be 274 | identical to how they appear in `id`. 275 | Default is `{}` (`descriptors` output will be empty). 276 | EOT 277 | } 278 | 279 | #### End of copy of cloudposse/terraform-null-label/variables.tf 280 | -------------------------------------------------------------------------------- /examples/complete/fixtures.us-east-2.tfvars: -------------------------------------------------------------------------------- 1 | region = "us-east-2" 2 | 3 | availability_zones = ["us-east-2a", "us-east-2b"] 4 | 5 | namespace = "eg" 6 | 7 | stage = "test" 8 | 9 | name = "lb" 10 | 11 | vpc_cidr_block = "172.16.0.0/16" 12 | 13 | internal = false 14 | 15 | http_enabled = true 16 | 17 | access_logs_enabled = true 18 | 19 | alb_access_logs_s3_bucket_force_destroy = true 20 | 21 | cross_zone_load_balancing_enabled = true 22 | 23 | http2_enabled = true 24 | 25 | idle_timeout = 60 26 | 27 | ip_address_type = "ipv4" 28 | 29 | deletion_protection_enabled = false 30 | 31 | deregistration_delay = 15 32 | 33 | health_check_path = "/" 34 | 35 | health_check_timeout = 10 36 | 37 | health_check_healthy_threshold = 2 38 | 39 | health_check_unhealthy_threshold = 2 40 | 41 | health_check_interval = 15 42 | 43 | health_check_matcher = "200-399" 44 | 45 | target_group_port = 80 46 | 47 | target_group_target_type = "ip" 48 | 49 | authentication_type = "" 50 | 51 | unauthenticated_priority = 100 52 | 53 | unauthenticated_paths = ["/"] 54 | 55 | slow_start = 0 56 | 57 | stickiness_enabled = false 58 | -------------------------------------------------------------------------------- /examples/complete/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | module "vpc" { 6 | source = "cloudposse/vpc/aws" 7 | version = "2.1.0" 8 | ipv4_primary_cidr_block = var.vpc_cidr_block 9 | context = module.this.context 10 | } 11 | 12 | module "subnets" { 13 | source = "cloudposse/dynamic-subnets/aws" 14 | version = "2.3.0" 15 | availability_zones = var.availability_zones 16 | vpc_id = module.vpc.vpc_id 17 | igw_id = [module.vpc.igw_id] 18 | ipv4_cidr_block = [module.vpc.vpc_cidr_block] 19 | nat_gateway_enabled = false 20 | nat_instance_enabled = false 21 | context = module.this.context 22 | } 23 | 24 | module "alb" { 25 | source = "cloudposse/alb/aws" 26 | version = "1.8.0" 27 | 28 | vpc_id = module.vpc.vpc_id 29 | security_group_ids = [module.vpc.vpc_default_security_group_id] 30 | subnet_ids = module.subnets.public_subnet_ids 31 | internal = var.internal 32 | http_enabled = var.http_enabled 33 | access_logs_enabled = var.access_logs_enabled 34 | alb_access_logs_s3_bucket_force_destroy = var.alb_access_logs_s3_bucket_force_destroy 35 | cross_zone_load_balancing_enabled = var.cross_zone_load_balancing_enabled 36 | http2_enabled = var.http2_enabled 37 | idle_timeout = var.idle_timeout 38 | ip_address_type = var.ip_address_type 39 | deletion_protection_enabled = var.deletion_protection_enabled 40 | deregistration_delay = var.deregistration_delay 41 | health_check_path = var.health_check_path 42 | health_check_timeout = var.health_check_timeout 43 | health_check_healthy_threshold = var.health_check_healthy_threshold 44 | health_check_unhealthy_threshold = var.health_check_unhealthy_threshold 45 | health_check_interval = var.health_check_interval 46 | health_check_matcher = var.health_check_matcher 47 | target_group_port = var.target_group_port 48 | target_group_target_type = var.target_group_target_type 49 | 50 | context = module.this.context 51 | } 52 | 53 | module "alb_ingress" { 54 | source = "../.." 55 | 56 | vpc_id = module.vpc.vpc_id 57 | authentication_type = var.authentication_type 58 | unauthenticated_priority = var.unauthenticated_priority 59 | unauthenticated_paths = var.unauthenticated_paths 60 | slow_start = var.slow_start 61 | stickiness_enabled = var.stickiness_enabled 62 | default_target_group_enabled = false 63 | target_group_arn = module.alb.default_target_group_arn 64 | unauthenticated_listener_arns = [module.alb.http_listener_arn] 65 | 66 | context = module.this.context 67 | } 68 | -------------------------------------------------------------------------------- /examples/complete/outputs.tf: -------------------------------------------------------------------------------- 1 | output "public_subnet_cidrs" { 2 | value = module.subnets.public_subnet_cidrs 3 | description = "Public subnet CIDRs" 4 | } 5 | 6 | output "private_subnet_cidrs" { 7 | value = module.subnets.private_subnet_cidrs 8 | description = "Private subnet CIDRs" 9 | } 10 | 11 | output "vpc_cidr" { 12 | value = module.vpc.vpc_cidr_block 13 | description = "VPC ID" 14 | } 15 | 16 | output "alb_name" { 17 | description = "The ARN suffix of the ALB" 18 | value = module.alb.alb_name 19 | } 20 | 21 | output "alb_arn" { 22 | description = "The ARN of the ALB" 23 | value = module.alb.alb_arn 24 | } 25 | 26 | output "alb_arn_suffix" { 27 | description = "The ARN suffix of the ALB" 28 | value = module.alb.alb_arn_suffix 29 | } 30 | 31 | output "alb_dns_name" { 32 | description = "DNS name of ALB" 33 | value = module.alb.alb_dns_name 34 | } 35 | 36 | output "alb_zone_id" { 37 | description = "The ID of the zone which ALB is provisioned" 38 | value = module.alb.alb_zone_id 39 | } 40 | 41 | output "security_group_id" { 42 | description = "The security group ID of the ALB" 43 | value = module.alb.security_group_id 44 | } 45 | 46 | output "default_target_group_arn" { 47 | description = "The default target group ARN" 48 | value = module.alb.default_target_group_arn 49 | } 50 | 51 | output "http_listener_arn" { 52 | description = "The ARN of the HTTP listener" 53 | value = module.alb.http_listener_arn 54 | } 55 | 56 | output "listener_arns" { 57 | description = "A list of all the listener ARNs" 58 | value = module.alb.listener_arns 59 | } 60 | 61 | output "access_logs_bucket_id" { 62 | description = "The S3 bucket ID for access logs" 63 | value = module.alb.access_logs_bucket_id 64 | } 65 | 66 | output "target_group_name" { 67 | description = "ALB Target Group name" 68 | value = module.alb_ingress.target_group_name 69 | } 70 | 71 | output "target_group_arn" { 72 | description = "ALB Target Group ARN" 73 | value = module.alb_ingress.target_group_arn 74 | } 75 | 76 | output "target_group_arn_suffix" { 77 | description = "ALB Target Group ARN suffix" 78 | value = module.alb_ingress.target_group_arn_suffix 79 | } 80 | -------------------------------------------------------------------------------- /examples/complete/variables.tf: -------------------------------------------------------------------------------- 1 | variable "region" { 2 | type = string 3 | description = "AWS Region for S3 bucket" 4 | } 5 | 6 | variable "availability_zones" { 7 | type = list(string) 8 | description = "List of availability zones" 9 | } 10 | 11 | variable "vpc_cidr_block" { 12 | type = string 13 | description = "VPC CIDR block" 14 | } 15 | 16 | variable "internal" { 17 | type = bool 18 | description = "A boolean flag to determine whether the ALB should be internal" 19 | } 20 | 21 | variable "http_enabled" { 22 | type = bool 23 | description = "A boolean flag to enable/disable HTTP listener" 24 | } 25 | 26 | variable "access_logs_enabled" { 27 | type = bool 28 | description = "A boolean flag to enable/disable access_logs" 29 | } 30 | 31 | variable "cross_zone_load_balancing_enabled" { 32 | type = bool 33 | description = "A boolean flag to enable/disable cross zone load balancing" 34 | } 35 | 36 | variable "http2_enabled" { 37 | type = bool 38 | description = "A boolean flag to enable/disable HTTP/2" 39 | } 40 | 41 | variable "idle_timeout" { 42 | type = number 43 | description = "The time in seconds that the connection is allowed to be idle" 44 | } 45 | 46 | variable "ip_address_type" { 47 | type = string 48 | description = "The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack`." 49 | } 50 | 51 | variable "deletion_protection_enabled" { 52 | type = bool 53 | description = "A boolean flag to enable/disable deletion protection for ALB" 54 | } 55 | 56 | variable "alb_access_logs_s3_bucket_force_destroy" { 57 | type = bool 58 | description = "A boolean that indicates all objects should be deleted from the ALB access logs S3 bucket so that the bucket can be destroyed without error" 59 | } 60 | 61 | variable "target_group_port" { 62 | type = number 63 | description = "The port for the default target group" 64 | } 65 | 66 | variable "target_group_target_type" { 67 | type = string 68 | description = "The type (`instance`, `ip` or `lambda`) of targets that can be registered with the target group" 69 | } 70 | 71 | variable "deregistration_delay" { 72 | type = number 73 | description = "The amount of time to wait in seconds while deregistering target" 74 | } 75 | 76 | variable "health_check_path" { 77 | type = string 78 | description = "The destination for the health check request" 79 | } 80 | 81 | variable "health_check_timeout" { 82 | type = number 83 | description = "The amount of time to wait in seconds before failing a health check request" 84 | } 85 | 86 | variable "health_check_healthy_threshold" { 87 | type = number 88 | description = "The number of consecutive health checks successes required before healthy" 89 | } 90 | 91 | variable "health_check_unhealthy_threshold" { 92 | type = number 93 | description = "The number of consecutive health check failures required before unhealthy" 94 | } 95 | 96 | variable "health_check_interval" { 97 | type = number 98 | description = "The duration in seconds in between health checks" 99 | } 100 | 101 | variable "health_check_matcher" { 102 | type = string 103 | description = "The HTTP response codes to indicate a healthy check" 104 | } 105 | 106 | variable "unauthenticated_priority" { 107 | type = number 108 | description = "The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `authenticated_priority` since a listener can't have multiple rules with the same priority" 109 | } 110 | 111 | variable "unauthenticated_paths" { 112 | type = list(string) 113 | description = "Unauthenticated path pattern to match (a maximum of 1 can be defined)" 114 | } 115 | 116 | variable "authentication_type" { 117 | type = string 118 | description = "Authentication type. Supported values are `COGNITO` and `OIDC`" 119 | } 120 | 121 | variable "slow_start" { 122 | type = number 123 | description = "The amount of time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is `0` seconds" 124 | } 125 | 126 | variable "stickiness_enabled" { 127 | type = bool 128 | description = "Boolean to enable / disable `stickiness`. Default is `true`" 129 | } 130 | -------------------------------------------------------------------------------- /examples/complete/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.0" 8 | } 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | target_group_arn = var.default_target_group_enabled ? join("", aws_lb_target_group.default[*].arn) : var.target_group_arn 3 | } 4 | 5 | data "aws_lb_target_group" "default" { 6 | count = module.this.enabled ? 1 : 0 7 | 8 | arn = local.target_group_arn 9 | } 10 | 11 | module "target_group" { 12 | source = "cloudposse/label/null" 13 | version = "0.25.0" 14 | id_length_limit = 32 15 | context = module.this.context 16 | } 17 | 18 | resource "aws_lb_target_group" "default" { 19 | count = module.this.enabled && var.default_target_group_enabled ? 1 : 0 20 | 21 | name = coalesce(var.target_group_name, module.target_group.id) 22 | port = var.port 23 | protocol = var.protocol 24 | protocol_version = var.protocol_version 25 | slow_start = var.slow_start 26 | target_type = var.target_type 27 | vpc_id = var.vpc_id 28 | 29 | deregistration_delay = var.deregistration_delay 30 | 31 | load_balancing_algorithm_type = var.load_balancing_algorithm_type 32 | load_balancing_anomaly_mitigation = var.load_balancing_anomaly_mitigation 33 | 34 | stickiness { 35 | type = var.stickiness_type 36 | cookie_duration = var.stickiness_cookie_duration 37 | cookie_name = var.stickiness_cookie_name 38 | enabled = var.stickiness_enabled 39 | } 40 | 41 | health_check { 42 | enabled = var.health_check_enabled 43 | path = var.health_check_path 44 | port = coalesce(var.health_check_port, var.port) 45 | protocol = coalesce(var.health_check_protocol, var.protocol) 46 | timeout = var.health_check_timeout 47 | healthy_threshold = var.health_check_healthy_threshold 48 | unhealthy_threshold = var.health_check_unhealthy_threshold 49 | interval = var.health_check_interval 50 | matcher = var.health_check_matcher 51 | } 52 | 53 | tags = module.this.tags 54 | 55 | lifecycle { 56 | create_before_destroy = true 57 | } 58 | } 59 | 60 | resource "aws_lb_listener_rule" "unauthenticated_paths" { 61 | count = module.this.enabled && length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) == 0 ? length(var.unauthenticated_listener_arns) : 0 62 | 63 | listener_arn = var.unauthenticated_listener_arns[count.index] 64 | priority = var.unauthenticated_priority > 0 ? var.unauthenticated_priority + count.index : null 65 | 66 | action { 67 | type = "forward" 68 | target_group_arn = local.target_group_arn 69 | } 70 | 71 | condition { 72 | path_pattern { 73 | values = var.unauthenticated_paths 74 | } 75 | } 76 | 77 | dynamic "condition" { 78 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 79 | content { 80 | dynamic "http_header" { 81 | for_each = var.listener_http_header_conditions 82 | 83 | content { 84 | http_header_name = http_header.value["name"] 85 | values = http_header.value["value"] 86 | } 87 | } 88 | } 89 | } 90 | } 91 | 92 | resource "aws_lb_listener_rule" "authenticated_paths_oidc" { 93 | count = module.this.enabled && var.authentication_type == "OIDC" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) == 0 ? length(var.authenticated_listener_arns) : 0 94 | 95 | listener_arn = var.authenticated_listener_arns[count.index] 96 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 97 | 98 | action { 99 | type = "authenticate-oidc" 100 | 101 | authenticate_oidc { 102 | client_id = var.authentication_oidc_client_id 103 | client_secret = var.authentication_oidc_client_secret 104 | issuer = var.authentication_oidc_issuer 105 | authorization_endpoint = var.authentication_oidc_authorization_endpoint 106 | token_endpoint = var.authentication_oidc_token_endpoint 107 | user_info_endpoint = var.authentication_oidc_user_info_endpoint 108 | scope = var.authentication_oidc_scope 109 | 110 | on_unauthenticated_request = var.authentication_oidc_on_unauthenticated_request 111 | authentication_request_extra_params = var.authentication_oidc_request_extra_params 112 | } 113 | } 114 | 115 | action { 116 | type = "forward" 117 | target_group_arn = local.target_group_arn 118 | } 119 | 120 | condition { 121 | path_pattern { 122 | values = var.authenticated_paths 123 | } 124 | } 125 | 126 | dynamic "condition" { 127 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 128 | content { 129 | dynamic "http_header" { 130 | for_each = var.listener_http_header_conditions 131 | 132 | content { 133 | http_header_name = http_header.value["name"] 134 | values = http_header.value["value"] 135 | } 136 | } 137 | } 138 | } 139 | } 140 | 141 | resource "aws_lb_listener_rule" "authenticated_paths_cognito" { 142 | count = module.this.enabled && var.authentication_type == "COGNITO" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) == 0 ? length(var.authenticated_listener_arns) : 0 143 | 144 | listener_arn = var.authenticated_listener_arns[count.index] 145 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 146 | 147 | action { 148 | type = "authenticate-cognito" 149 | 150 | authenticate_cognito { 151 | user_pool_arn = var.authentication_cognito_user_pool_arn 152 | user_pool_client_id = var.authentication_cognito_user_pool_client_id 153 | user_pool_domain = var.authentication_cognito_user_pool_domain 154 | scope = var.authentication_cognito_scope 155 | 156 | on_unauthenticated_request = var.authentication_cognito_on_unauthenticated_request 157 | authentication_request_extra_params = var.authentication_cognito_request_extra_params 158 | } 159 | } 160 | 161 | action { 162 | type = "forward" 163 | target_group_arn = local.target_group_arn 164 | } 165 | 166 | condition { 167 | path_pattern { 168 | values = var.authenticated_paths 169 | } 170 | } 171 | 172 | dynamic "condition" { 173 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 174 | content { 175 | dynamic "http_header" { 176 | for_each = var.listener_http_header_conditions 177 | 178 | content { 179 | http_header_name = http_header.value["name"] 180 | values = http_header.value["value"] 181 | } 182 | } 183 | } 184 | } 185 | } 186 | 187 | resource "aws_lb_listener_rule" "unauthenticated_hosts" { 188 | count = module.this.enabled && length(var.unauthenticated_hosts) > 0 && length(var.unauthenticated_paths) == 0 ? length(var.unauthenticated_listener_arns) : 0 189 | 190 | listener_arn = var.unauthenticated_listener_arns[count.index] 191 | priority = var.unauthenticated_priority > 0 ? var.unauthenticated_priority + count.index : null 192 | 193 | action { 194 | type = "forward" 195 | target_group_arn = local.target_group_arn 196 | } 197 | 198 | condition { 199 | host_header { 200 | values = var.unauthenticated_hosts 201 | } 202 | } 203 | 204 | dynamic "condition" { 205 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 206 | content { 207 | dynamic "http_header" { 208 | for_each = var.listener_http_header_conditions 209 | 210 | content { 211 | http_header_name = http_header.value["name"] 212 | values = http_header.value["value"] 213 | } 214 | } 215 | } 216 | } 217 | } 218 | 219 | resource "aws_lb_listener_rule" "authenticated_hosts_oidc" { 220 | count = module.this.enabled && var.authentication_type == "OIDC" && length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) == 0 ? length(var.authenticated_listener_arns) : 0 221 | 222 | listener_arn = var.authenticated_listener_arns[count.index] 223 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 224 | 225 | action { 226 | type = "authenticate-oidc" 227 | 228 | authenticate_oidc { 229 | client_id = var.authentication_oidc_client_id 230 | client_secret = var.authentication_oidc_client_secret 231 | issuer = var.authentication_oidc_issuer 232 | authorization_endpoint = var.authentication_oidc_authorization_endpoint 233 | token_endpoint = var.authentication_oidc_token_endpoint 234 | user_info_endpoint = var.authentication_oidc_user_info_endpoint 235 | scope = var.authentication_oidc_scope 236 | 237 | on_unauthenticated_request = var.authentication_oidc_on_unauthenticated_request 238 | authentication_request_extra_params = var.authentication_oidc_request_extra_params 239 | } 240 | } 241 | 242 | action { 243 | type = "forward" 244 | target_group_arn = local.target_group_arn 245 | } 246 | 247 | condition { 248 | host_header { 249 | values = var.authenticated_hosts 250 | } 251 | } 252 | 253 | dynamic "condition" { 254 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 255 | content { 256 | dynamic "http_header" { 257 | for_each = var.listener_http_header_conditions 258 | 259 | content { 260 | http_header_name = http_header.value["name"] 261 | values = http_header.value["value"] 262 | } 263 | } 264 | } 265 | } 266 | } 267 | 268 | resource "aws_lb_listener_rule" "authenticated_hosts_cognito" { 269 | count = module.this.enabled && var.authentication_type == "COGNITO" && length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) == 0 ? length(var.authenticated_listener_arns) : 0 270 | 271 | listener_arn = var.authenticated_listener_arns[count.index] 272 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 273 | 274 | action { 275 | type = "authenticate-cognito" 276 | 277 | authenticate_cognito { 278 | user_pool_arn = var.authentication_cognito_user_pool_arn 279 | user_pool_client_id = var.authentication_cognito_user_pool_client_id 280 | user_pool_domain = var.authentication_cognito_user_pool_domain 281 | scope = var.authentication_cognito_scope 282 | 283 | on_unauthenticated_request = var.authentication_cognito_on_unauthenticated_request 284 | authentication_request_extra_params = var.authentication_cognito_request_extra_params 285 | } 286 | } 287 | 288 | action { 289 | type = "forward" 290 | target_group_arn = local.target_group_arn 291 | } 292 | 293 | condition { 294 | host_header { 295 | values = var.authenticated_hosts 296 | } 297 | } 298 | 299 | dynamic "condition" { 300 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 301 | content { 302 | dynamic "http_header" { 303 | for_each = var.listener_http_header_conditions 304 | 305 | content { 306 | http_header_name = http_header.value["name"] 307 | values = http_header.value["value"] 308 | } 309 | } 310 | } 311 | } 312 | } 313 | 314 | resource "aws_lb_listener_rule" "unauthenticated_hosts_paths" { 315 | count = module.this.enabled && length(var.unauthenticated_paths) > 0 && length(var.unauthenticated_hosts) > 0 ? length(var.unauthenticated_listener_arns) : 0 316 | 317 | listener_arn = var.unauthenticated_listener_arns[count.index] 318 | priority = var.unauthenticated_priority > 0 ? var.unauthenticated_priority + count.index : null 319 | 320 | action { 321 | type = "forward" 322 | target_group_arn = local.target_group_arn 323 | } 324 | 325 | condition { 326 | host_header { 327 | values = var.unauthenticated_hosts 328 | } 329 | } 330 | 331 | condition { 332 | path_pattern { 333 | values = var.unauthenticated_paths 334 | } 335 | } 336 | 337 | dynamic "condition" { 338 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 339 | content { 340 | dynamic "http_header" { 341 | for_each = var.listener_http_header_conditions 342 | 343 | content { 344 | http_header_name = http_header.value["name"] 345 | values = http_header.value["value"] 346 | } 347 | } 348 | } 349 | } 350 | } 351 | 352 | resource "aws_lb_listener_rule" "authenticated_hosts_paths_oidc" { 353 | count = module.this.enabled && var.authentication_type == "OIDC" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) > 0 ? length(var.authenticated_listener_arns) : 0 354 | 355 | listener_arn = var.authenticated_listener_arns[count.index] 356 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 357 | 358 | action { 359 | type = "authenticate-oidc" 360 | 361 | authenticate_oidc { 362 | client_id = var.authentication_oidc_client_id 363 | client_secret = var.authentication_oidc_client_secret 364 | issuer = var.authentication_oidc_issuer 365 | authorization_endpoint = var.authentication_oidc_authorization_endpoint 366 | token_endpoint = var.authentication_oidc_token_endpoint 367 | user_info_endpoint = var.authentication_oidc_user_info_endpoint 368 | scope = var.authentication_oidc_scope 369 | 370 | on_unauthenticated_request = var.authentication_oidc_on_unauthenticated_request 371 | authentication_request_extra_params = var.authentication_oidc_request_extra_params 372 | } 373 | } 374 | 375 | action { 376 | type = "forward" 377 | target_group_arn = local.target_group_arn 378 | } 379 | 380 | condition { 381 | host_header { 382 | values = var.authenticated_hosts 383 | } 384 | } 385 | 386 | condition { 387 | path_pattern { 388 | values = var.authenticated_paths 389 | } 390 | } 391 | 392 | dynamic "condition" { 393 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 394 | content { 395 | dynamic "http_header" { 396 | for_each = var.listener_http_header_conditions 397 | 398 | content { 399 | http_header_name = http_header.value["name"] 400 | values = http_header.value["value"] 401 | } 402 | } 403 | } 404 | } 405 | } 406 | 407 | resource "aws_lb_listener_rule" "authenticated_hosts_paths_cognito" { 408 | count = module.this.enabled && var.authentication_type == "COGNITO" && length(var.authenticated_paths) > 0 && length(var.authenticated_hosts) > 0 ? length(var.authenticated_listener_arns) : 0 409 | 410 | listener_arn = var.authenticated_listener_arns[count.index] 411 | priority = var.authenticated_priority > 0 ? var.authenticated_priority + count.index : null 412 | 413 | action { 414 | type = "authenticate-cognito" 415 | 416 | authenticate_cognito { 417 | user_pool_arn = var.authentication_cognito_user_pool_arn 418 | user_pool_client_id = var.authentication_cognito_user_pool_client_id 419 | user_pool_domain = var.authentication_cognito_user_pool_domain 420 | scope = var.authentication_cognito_scope 421 | 422 | on_unauthenticated_request = var.authentication_cognito_on_unauthenticated_request 423 | authentication_request_extra_params = var.authentication_cognito_request_extra_params 424 | } 425 | } 426 | 427 | action { 428 | type = "forward" 429 | target_group_arn = local.target_group_arn 430 | } 431 | 432 | condition { 433 | host_header { 434 | values = var.authenticated_hosts 435 | } 436 | } 437 | 438 | condition { 439 | path_pattern { 440 | values = var.authenticated_paths 441 | } 442 | } 443 | 444 | dynamic "condition" { 445 | for_each = length(var.listener_http_header_conditions) > 0 ? [""] : [] 446 | content { 447 | dynamic "http_header" { 448 | for_each = var.listener_http_header_conditions 449 | 450 | content { 451 | http_header_name = http_header.value["name"] 452 | values = http_header.value["value"] 453 | } 454 | } 455 | } 456 | } 457 | } 458 | -------------------------------------------------------------------------------- /outputs.tf: -------------------------------------------------------------------------------- 1 | output "target_group_name" { 2 | description = "ALB Target Group name" 3 | value = join("", data.aws_lb_target_group.default[*].name) 4 | } 5 | 6 | output "target_group_arn" { 7 | description = "ALB Target Group ARN" 8 | value = join("", data.aws_lb_target_group.default[*].arn) 9 | } 10 | 11 | output "target_group_arn_suffix" { 12 | description = "ALB Target Group ARN suffix" 13 | value = join("", data.aws_lb_target_group.default[*].arn_suffix) 14 | } 15 | -------------------------------------------------------------------------------- /test/.gitignore: -------------------------------------------------------------------------------- 1 | .test-harness 2 | -------------------------------------------------------------------------------- /test/Makefile: -------------------------------------------------------------------------------- 1 | TEST_HARNESS ?= https://github.com/cloudposse/test-harness.git 2 | TEST_HARNESS_BRANCH ?= master 3 | TEST_HARNESS_PATH = $(realpath .test-harness) 4 | BATS_ARGS ?= --tap 5 | BATS_LOG ?= test.log 6 | 7 | # Define a macro to run the tests 8 | define RUN_TESTS 9 | @echo "Running tests in $(1)" 10 | @cd $(1) && bats $(BATS_ARGS) $(addsuffix .bats,$(addprefix $(TEST_HARNESS_PATH)/test/terraform/,$(TESTS))) 11 | endef 12 | 13 | default: all 14 | 15 | -include Makefile.* 16 | 17 | ## Provision the test-harnesss 18 | .test-harness: 19 | [ -d $@ ] || git clone --depth=1 -b $(TEST_HARNESS_BRANCH) $(TEST_HARNESS) $@ 20 | 21 | ## Initialize the tests 22 | init: .test-harness 23 | 24 | ## Install all dependencies (OS specific) 25 | deps:: 26 | @exit 0 27 | 28 | ## Clean up the test harness 29 | clean: 30 | [ "$(TEST_HARNESS_PATH)" == "/" ] || rm -rf $(TEST_HARNESS_PATH) 31 | 32 | ## Run all tests 33 | all: module examples/complete 34 | 35 | ## Run basic sanity checks against the module itself 36 | module: export TESTS ?= installed lint get-modules module-pinning get-plugins provider-pinning validate terraform-docs input-descriptions output-descriptions 37 | module: deps 38 | $(call RUN_TESTS, ../) 39 | 40 | ## Run tests against example 41 | examples/complete: export TESTS ?= installed lint get-modules get-plugins validate 42 | examples/complete: deps 43 | $(call RUN_TESTS, ../$@) 44 | -------------------------------------------------------------------------------- /test/Makefile.alpine: -------------------------------------------------------------------------------- 1 | ifneq (,$(wildcard /sbin/apk)) 2 | ## Install all dependencies for alpine 3 | deps:: init 4 | @apk add --update terraform-docs@cloudposse json2hcl@cloudposse 5 | endif 6 | -------------------------------------------------------------------------------- /test/src/.gitignore: -------------------------------------------------------------------------------- 1 | .gopath 2 | vendor/ 3 | -------------------------------------------------------------------------------- /test/src/Makefile: -------------------------------------------------------------------------------- 1 | export TF_CLI_ARGS_init ?= -get-plugins=true 2 | export TERRAFORM_VERSION ?= $(shell curl -s https://checkpoint-api.hashicorp.com/v1/check/terraform | jq -r -M '.current_version' | cut -d. -f1-2) 3 | 4 | .DEFAULT_GOAL : all 5 | 6 | .PHONY: all 7 | ## Default target 8 | all: test 9 | 10 | .PHONY : init 11 | ## Initialize tests 12 | init: 13 | @exit 0 14 | 15 | .PHONY : test 16 | ## Run tests 17 | test: init 18 | go mod download 19 | go test -v -timeout 60m -run TestExamplesComplete 20 | 21 | ## Run tests in docker container 22 | docker/test: 23 | docker run --name terratest --rm -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN -e GITHUB_TOKEN \ 24 | -e PATH="/usr/local/terraform/$(TERRAFORM_VERSION)/bin:/go/bin:/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \ 25 | -v $(CURDIR)/../../:/module/ cloudposse/test-harness:latest -C /module/test/src test 26 | 27 | .PHONY : clean 28 | ## Clean up files 29 | clean: 30 | rm -rf ../../examples/complete/*.tfstate* -------------------------------------------------------------------------------- /test/src/examples_complete_test.go: -------------------------------------------------------------------------------- 1 | package test 2 | 3 | import ( 4 | "os" 5 | "strings" 6 | "testing" 7 | 8 | "github.com/gruntwork-io/terratest/modules/random" 9 | "github.com/gruntwork-io/terratest/modules/terraform" 10 | test_structure "github.com/gruntwork-io/terratest/modules/test-structure" 11 | "github.com/stretchr/testify/assert" 12 | ) 13 | 14 | func cleanup(t *testing.T, terraformOptions *terraform.Options, tempTestFolder string) { 15 | terraform.Destroy(t, terraformOptions) 16 | os.RemoveAll(tempTestFolder) 17 | } 18 | 19 | // Test the Terraform module in examples/complete using Terratest. 20 | func TestExamplesComplete(t *testing.T) { 21 | t.Parallel() 22 | randID := strings.ToLower(random.UniqueId()) 23 | attributes := []string{randID} 24 | 25 | rootFolder := "../../" 26 | terraformFolderRelativeToRoot := "examples/complete" 27 | varFiles := []string{"fixtures.us-east-2.tfvars"} 28 | 29 | tempTestFolder := test_structure.CopyTerraformFolderToTemp(t, rootFolder, terraformFolderRelativeToRoot) 30 | 31 | terraformOptions := &terraform.Options{ 32 | // The path to where our Terraform code is located 33 | TerraformDir: tempTestFolder, 34 | Upgrade: true, 35 | // Variables to pass to our Terraform code using -var-file options 36 | VarFiles: varFiles, 37 | Vars: map[string]interface{}{ 38 | "attributes": attributes, 39 | }, 40 | } 41 | 42 | // At the end of the test, run `terraform destroy` to clean up any resources that were created 43 | defer cleanup(t, terraformOptions, tempTestFolder) 44 | 45 | // This will run `terraform init` and `terraform apply` and fail the test if there are any errors 46 | terraform.InitAndApply(t, terraformOptions) 47 | 48 | // Run `terraform output` to get the value of an output variable 49 | vpcCidr := terraform.Output(t, terraformOptions, "vpc_cidr") 50 | // Verify we're getting back the outputs we expect 51 | assert.Equal(t, "172.16.0.0/16", vpcCidr) 52 | 53 | // Run `terraform output` to get the value of an output variable 54 | privateSubnetCidrs := terraform.OutputList(t, terraformOptions, "private_subnet_cidrs") 55 | // Verify we're getting back the outputs we expect 56 | assert.Equal(t, []string{"172.16.0.0/19", "172.16.32.0/19"}, privateSubnetCidrs) 57 | 58 | // Run `terraform output` to get the value of an output variable 59 | publicSubnetCidrs := terraform.OutputList(t, terraformOptions, "public_subnet_cidrs") 60 | // Verify we're getting back the outputs we expect 61 | assert.Equal(t, []string{"172.16.96.0/19", "172.16.128.0/19"}, publicSubnetCidrs) 62 | 63 | // Run `terraform output` to get the value of an output variable 64 | accessLogsBucketId := terraform.Output(t, terraformOptions, "access_logs_bucket_id") 65 | // Verify we're getting back the outputs we expect eg-test-lb-25346-alb-access-logs 66 | assert.Equal(t, "eg-test-lb-"+attributes[0]+"-alb-access-logs", accessLogsBucketId) 67 | 68 | // Run `terraform output` to get the value of an output variable 69 | albName := terraform.Output(t, terraformOptions, "alb_name") 70 | // Verify we're getting back the outputs we expect 71 | assert.Equal(t, "eg-test-lb-"+attributes[0], albName) 72 | 73 | // Run `terraform output` to get the value of an output variable 74 | defaultTargetGroupArn := terraform.Output(t, terraformOptions, "default_target_group_arn") 75 | // Verify we're getting back the outputs we expect something like "arn:aws:elasticloadbalancing:us-east-2:799847381734:targetgroup/eg-test-lb-11514-default/89e9fe401fc63cf7 76 | assert.Contains(t, defaultTargetGroupArn, "arn:aws:elasticloadbalancing:us-east-2:799847381734:targetgroup/eg-test-lb-"+attributes[0]+"-default") 77 | 78 | // Run `terraform output` to get the value of an output variable 79 | httpListenerArn := terraform.Output(t, terraformOptions, "http_listener_arn") 80 | // Verify we're getting back the outputs we expect 81 | assert.Contains(t, httpListenerArn, "arn:aws:elasticloadbalancing:us-east-2:799847381734:listener/app/eg-test-lb-"+attributes[0]) 82 | } 83 | -------------------------------------------------------------------------------- /test/src/go.mod: -------------------------------------------------------------------------------- 1 | module github.com/cloudposse/terraform-aws-alb 2 | 3 | go 1.17 4 | 5 | require ( 6 | github.com/gruntwork-io/terratest v0.43.0 7 | github.com/stretchr/testify v1.8.1 8 | ) 9 | 10 | require ( 11 | cloud.google.com/go v0.105.0 // indirect 12 | cloud.google.com/go/compute v1.12.1 // indirect 13 | cloud.google.com/go/compute/metadata v0.2.1 // indirect 14 | cloud.google.com/go/iam v0.7.0 // indirect 15 | cloud.google.com/go/storage v1.27.0 // indirect 16 | github.com/agext/levenshtein v1.2.3 // indirect 17 | github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect 18 | github.com/aws/aws-sdk-go v1.44.122 // indirect 19 | github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect 20 | github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect 21 | github.com/cpuguy83/go-md2man/v2 v2.0.0 // indirect 22 | github.com/davecgh/go-spew v1.1.1 // indirect 23 | github.com/emicklei/go-restful/v3 v3.9.0 // indirect 24 | github.com/go-errors/errors v1.0.2-0.20180813162953-d98b870cc4e0 // indirect 25 | github.com/go-logr/logr v1.2.3 // indirect 26 | github.com/go-openapi/jsonpointer v0.19.6 // indirect 27 | github.com/go-openapi/jsonreference v0.20.1 // indirect 28 | github.com/go-openapi/swag v0.22.3 // indirect 29 | github.com/go-sql-driver/mysql v1.4.1 // indirect 30 | github.com/gogo/protobuf v1.3.2 // indirect 31 | github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 32 | github.com/golang/protobuf v1.5.3 // indirect 33 | github.com/google/gnostic v0.5.7-v3refs // indirect 34 | github.com/google/go-cmp v0.5.9 // indirect 35 | github.com/google/gofuzz v1.1.0 // indirect 36 | github.com/google/uuid v1.3.0 // indirect 37 | github.com/googleapis/enterprise-certificate-proxy v0.2.0 // indirect 38 | github.com/googleapis/gax-go/v2 v2.7.0 // indirect 39 | github.com/gruntwork-io/go-commons v0.8.0 // indirect 40 | github.com/hashicorp/errwrap v1.0.0 // indirect 41 | github.com/hashicorp/go-cleanhttp v0.5.2 // indirect 42 | github.com/hashicorp/go-getter v1.7.4 // indirect 43 | github.com/hashicorp/go-multierror v1.1.0 // indirect 44 | github.com/hashicorp/go-safetemp v1.0.0 // indirect 45 | github.com/hashicorp/go-version v1.6.0 // indirect 46 | github.com/hashicorp/hcl/v2 v2.9.1 // indirect 47 | github.com/hashicorp/terraform-json v0.13.0 // indirect 48 | github.com/imdario/mergo v0.3.11 // indirect 49 | github.com/jinzhu/copier v0.0.0-20190924061706-b57f9002281a // indirect 50 | github.com/jmespath/go-jmespath v0.4.0 // indirect 51 | github.com/josharian/intern v1.0.0 // indirect 52 | github.com/json-iterator/go v1.1.12 // indirect 53 | github.com/klauspost/compress v1.15.11 // indirect 54 | github.com/mailru/easyjson v0.7.7 // indirect 55 | github.com/mattn/go-zglob v0.0.2-0.20190814121620-e3c945676326 // indirect 56 | github.com/mitchellh/go-homedir v1.1.0 // indirect 57 | github.com/mitchellh/go-testing-interface v1.14.1 // indirect 58 | github.com/mitchellh/go-wordwrap v1.0.1 // indirect 59 | github.com/moby/spdystream v0.2.0 // indirect 60 | github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect 61 | github.com/modern-go/reflect2 v1.0.2 // indirect 62 | github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect 63 | github.com/pmezard/go-difflib v1.0.0 // indirect 64 | github.com/pquerna/otp v1.2.0 // indirect 65 | github.com/russross/blackfriday/v2 v2.1.0 // indirect 66 | github.com/spf13/pflag v1.0.5 // indirect 67 | github.com/tmccombs/hcl2json v0.3.3 // indirect 68 | github.com/ulikunitz/xz v0.5.10 // indirect 69 | github.com/urfave/cli v1.22.2 // indirect 70 | github.com/zclconf/go-cty v1.9.1 // indirect 71 | go.opencensus.io v0.24.0 // indirect 72 | golang.org/x/crypto v0.21.0 // indirect 73 | golang.org/x/net v0.23.0 // indirect 74 | golang.org/x/oauth2 v0.1.0 // indirect 75 | golang.org/x/sys v0.18.0 // indirect 76 | golang.org/x/term v0.18.0 // indirect 77 | golang.org/x/text v0.14.0 // indirect 78 | golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect 79 | golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect 80 | google.golang.org/api v0.103.0 // indirect 81 | google.golang.org/appengine v1.6.7 // indirect 82 | google.golang.org/genproto v0.0.0-20221201164419-0e50fba7f41c // indirect 83 | google.golang.org/grpc v1.51.0 // indirect 84 | google.golang.org/protobuf v1.28.1 // indirect 85 | gopkg.in/inf.v0 v0.9.1 // indirect 86 | gopkg.in/yaml.v2 v2.4.0 // indirect 87 | gopkg.in/yaml.v3 v3.0.1 // indirect 88 | k8s.io/api v0.27.2 // indirect 89 | k8s.io/apimachinery v0.27.2 // indirect 90 | k8s.io/client-go v0.27.2 // indirect 91 | k8s.io/klog/v2 v2.90.1 // indirect 92 | k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect 93 | k8s.io/utils v0.0.0-20230209194617-a36077c30491 // indirect 94 | sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect 95 | sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect 96 | sigs.k8s.io/yaml v1.3.0 // indirect 97 | ) 98 | -------------------------------------------------------------------------------- /variables.tf: -------------------------------------------------------------------------------- 1 | variable "default_target_group_enabled" { 2 | type = bool 3 | default = true 4 | description = "Enable/disable creation of the default target group" 5 | } 6 | 7 | variable "target_group_arn" { 8 | type = string 9 | default = "" 10 | description = "Existing ALB target group ARN. If provided, set `default_target_group_enabled` to `false` to disable creation of the default target group" 11 | } 12 | 13 | variable "unauthenticated_listener_arns" { 14 | type = list(string) 15 | default = [] 16 | description = "A list of unauthenticated ALB listener ARNs to attach ALB listener rules to" 17 | } 18 | 19 | variable "listener_http_header_conditions" { 20 | type = list(object({ 21 | name = string 22 | value = list(string) 23 | })) 24 | default = [] 25 | description = "A list of http header conditions to apply to the listener." 26 | } 27 | 28 | variable "authenticated_listener_arns" { 29 | type = list(string) 30 | default = [] 31 | description = "A list of authenticated ALB listener ARNs to attach ALB listener rules to" 32 | } 33 | 34 | variable "deregistration_delay" { 35 | type = number 36 | default = 15 37 | description = "The amount of time to wait in seconds while deregistering target" 38 | } 39 | 40 | variable "load_balancing_algorithm_type" { 41 | type = string 42 | default = "round_robin" 43 | description = "Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round_robin, least_outstanding_requests or weighted_random. The default is round_robin." 44 | } 45 | 46 | variable "load_balancing_anomaly_mitigation" { 47 | type = string 48 | default = "off" 49 | description = "Determines whether to enable target anomaly mitigation. Only supported by the weighted_random load balancing algorithm type. Valid values are 'on' or 'off'." 50 | 51 | validation { 52 | condition = contains(["on", "off"], var.load_balancing_anomaly_mitigation) 53 | error_message = "load_balancing_anomaly_mitigation must be either 'on' or 'off'" 54 | } 55 | } 56 | 57 | variable "health_check_enabled" { 58 | type = bool 59 | default = true 60 | description = "Indicates whether health checks are enabled. Defaults to `true`" 61 | } 62 | 63 | variable "health_check_path" { 64 | type = string 65 | default = "/" 66 | description = "The destination for the health check request" 67 | } 68 | 69 | variable "health_check_port" { 70 | type = string 71 | default = "traffic-port" 72 | description = "The port to use to connect with the target. Valid values are either ports 1-65536, or `traffic-port`. Defaults to `traffic-port`" 73 | } 74 | 75 | variable "health_check_protocol" { 76 | type = string 77 | default = "HTTP" 78 | description = "The protocol to use to connect with the target. Defaults to `HTTP`. Not applicable when `target_type` is `lambda`" 79 | } 80 | 81 | variable "health_check_timeout" { 82 | type = number 83 | default = 10 84 | description = "The amount of time to wait in seconds before failing a health check request" 85 | } 86 | 87 | variable "health_check_healthy_threshold" { 88 | type = number 89 | default = 2 90 | description = "The number of consecutive health checks successes required before healthy" 91 | } 92 | 93 | variable "health_check_unhealthy_threshold" { 94 | type = number 95 | default = 2 96 | description = "The number of consecutive health check failures required before unhealthy" 97 | } 98 | 99 | variable "health_check_interval" { 100 | type = number 101 | default = 15 102 | description = "The duration in seconds in between health checks" 103 | } 104 | 105 | variable "health_check_matcher" { 106 | type = string 107 | default = "200-399" 108 | description = "The HTTP response codes to indicate a healthy check" 109 | } 110 | 111 | variable "unauthenticated_priority" { 112 | type = number 113 | default = null 114 | description = "The priority for the rules without authentication, between 1 and 50000 (1 being highest priority). Must be different from `authenticated_priority` since a listener can't have multiple rules with the same priority" 115 | } 116 | 117 | variable "authenticated_priority" { 118 | type = number 119 | default = null 120 | description = "The priority for the rules with authentication, between 1 and 50000 (1 being highest priority). Must be different from `unauthenticated_priority` since a listener can't have multiple rules with the same priority" 121 | } 122 | 123 | variable "port" { 124 | type = number 125 | default = 80 126 | description = "The port for the created ALB target group (if `target_group_arn` is not set)" 127 | } 128 | 129 | variable "protocol" { 130 | type = string 131 | default = "HTTP" 132 | description = "The protocol for the created ALB target group (if `target_group_arn` is not set)" 133 | } 134 | 135 | variable "protocol_version" { 136 | type = string 137 | default = "HTTP1" 138 | description = "Only applicable when protocol is `HTTP` or `HTTPS`. The protocol version. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is `HTTP1`, which sends requests to targets using HTTP/1.1" 139 | } 140 | 141 | variable "target_group_name" { 142 | type = string 143 | default = "" 144 | description = "Override the target group name" 145 | } 146 | 147 | variable "target_type" { 148 | type = string 149 | default = "ip" 150 | description = "The type (`instance`, `ip` or `lambda`) of targets that can be registered with the target group" 151 | } 152 | 153 | variable "vpc_id" { 154 | type = string 155 | description = "The VPC ID where generated ALB target group will be provisioned (if `target_group_arn` is not set)" 156 | } 157 | 158 | variable "unauthenticated_hosts" { 159 | type = list(string) 160 | default = [] 161 | description = "Unauthenticated hosts to match in Hosts header" 162 | } 163 | 164 | variable "authenticated_hosts" { 165 | type = list(string) 166 | default = [] 167 | description = "Authenticated hosts to match in Hosts header" 168 | } 169 | 170 | variable "unauthenticated_paths" { 171 | type = list(string) 172 | default = [] 173 | description = "Unauthenticated path pattern to match (a maximum of 1 can be defined)" 174 | } 175 | 176 | variable "authenticated_paths" { 177 | type = list(string) 178 | default = [] 179 | description = "Authenticated path pattern to match (a maximum of 1 can be defined)" 180 | } 181 | 182 | variable "authentication_type" { 183 | type = string 184 | default = "" 185 | description = "Authentication type. Supported values are `COGNITO` and `OIDC`" 186 | } 187 | 188 | variable "authentication_cognito_user_pool_arn" { 189 | type = string 190 | description = "Cognito User Pool ARN" 191 | default = "" 192 | } 193 | 194 | variable "authentication_cognito_user_pool_client_id" { 195 | type = string 196 | description = "Cognito User Pool Client ID" 197 | default = "" 198 | } 199 | 200 | variable "authentication_cognito_user_pool_domain" { 201 | type = string 202 | description = "Cognito User Pool Domain. The User Pool Domain should be set to the domain prefix (`xxx`) instead of full domain (https://xxx.auth.us-west-2.amazoncognito.com)" 203 | default = "" 204 | } 205 | 206 | variable "authentication_cognito_scope" { 207 | type = string 208 | description = "Cognito scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)" 209 | default = null 210 | } 211 | 212 | variable "authentication_cognito_on_unauthenticated_request" { 213 | type = string 214 | description = "Cognito unauthenticated behavior, deny, allow, or authenticate" 215 | default = "authenticate" 216 | } 217 | 218 | variable "authentication_cognito_request_extra_params" { 219 | type = map(string) 220 | description = "Cognito query parameters to include in redirect request" 221 | default = null 222 | } 223 | 224 | variable "authentication_oidc_client_id" { 225 | type = string 226 | description = "OIDC Client ID" 227 | default = "" 228 | } 229 | 230 | variable "authentication_oidc_client_secret" { 231 | type = string 232 | description = "OIDC Client Secret" 233 | default = "" 234 | } 235 | 236 | variable "authentication_oidc_issuer" { 237 | type = string 238 | description = "OIDC Issuer" 239 | default = "" 240 | } 241 | 242 | variable "authentication_oidc_authorization_endpoint" { 243 | type = string 244 | description = "OIDC Authorization Endpoint" 245 | default = "" 246 | } 247 | 248 | variable "authentication_oidc_token_endpoint" { 249 | type = string 250 | description = "OIDC Token Endpoint" 251 | default = "" 252 | } 253 | 254 | variable "authentication_oidc_user_info_endpoint" { 255 | type = string 256 | description = "OIDC User Info Endpoint" 257 | default = "" 258 | } 259 | 260 | variable "authentication_oidc_scope" { 261 | type = string 262 | description = "OIDC scope, which should be a space separated string of requested scopes (see https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims, and https://developers.google.com/identity/protocols/oauth2/openid-connect#scope-param for an example set of scopes when using Google as the IdP)" 263 | default = null 264 | } 265 | 266 | variable "authentication_oidc_on_unauthenticated_request" { 267 | type = string 268 | description = "OIDC unauthenticated behavior, deny, allow, or authenticate" 269 | default = "authenticate" 270 | } 271 | 272 | variable "authentication_oidc_request_extra_params" { 273 | type = map(string) 274 | description = "OIDC query parameters to include in redirect request" 275 | default = null 276 | } 277 | 278 | variable "slow_start" { 279 | type = number 280 | default = 0 281 | description = "The amount of time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is `0` seconds" 282 | } 283 | 284 | variable "stickiness_type" { 285 | type = string 286 | default = "lb_cookie" 287 | description = "The type of sticky sessions. The possible values are `lb_cookie` or `app_cookie`" 288 | validation { 289 | condition = contains(["lb_cookie", "app_cookie"], var.stickiness_type) 290 | error_message = "The only current possible values are lb_cookie and app_cookie for ALBs" 291 | } 292 | } 293 | 294 | variable "stickiness_cookie_duration" { 295 | type = number 296 | default = 86400 297 | description = "The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds)" 298 | } 299 | 300 | variable "stickiness_cookie_name" { 301 | type = string 302 | default = null 303 | description = "Name of the application based cookie. AWSALB, AWSALBAPP, and AWSALBTG prefixes are reserved and cannot be used. Only needed when `stickiness_type` is app_cookie" 304 | } 305 | 306 | variable "stickiness_enabled" { 307 | type = bool 308 | default = true 309 | description = "Boolean to enable / disable `stickiness`. Default is `true`" 310 | } 311 | -------------------------------------------------------------------------------- /versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 1.0" 3 | 4 | required_providers { 5 | aws = { 6 | source = "hashicorp/aws" 7 | version = ">= 4.0" 8 | } 9 | } 10 | } 11 | --------------------------------------------------------------------------------