Refine alb, nlb, gwlb, alb-listener, nlb-listener
posquit0 committed Dec 12, 2023
1 parent 9fa506c commit c6f7f55
Showing 41 changed files with 847 additions and 378 deletions.
15 changes: 10 additions & 5 deletions examples/alb-with-instance-target-group/main.tf
Expand Up @@ -32,15 +32,16 @@ module "alb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

default_security_group = {
enabled = true
name = "tedilabs-alb-instance"
description = "Managed by Terraform."

ingress_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
listener_ingress_ipv4_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
}
security_groups = []

Expand Down Expand Up @@ -114,9 +115,13 @@ module "alb" {
]

## Access Log
access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-alb-instance/"
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-alb-instance/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
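Review bot: The new `access_log` block in the second hunk (the one starting at new line 115) leaves logging disabled while naming the placeholder bucket `my-bucket`, so a reader who copies this example ends up with a load balancer that has no access logs and no hint of what the bucket must provide. A comment on the block would make the intent explicit: `## Access Log: disabled here for the example; enable it in real deployments and make sure the bucket policy permits ELB log delivery to this prefix.` The same applies to the identical blocks in examples/alb-with-ip-target-group/main.tf, examples/nlb-with-alb-target-group/alb.tf and main.tf, examples/nlb-with-instance-target-group/main.tf and examples/nlb-with-ip-target-group/main.tf. The enclosing module "alb" block starts and ends outside this hunk.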
4 changes: 2 additions & 2 deletions examples/alb-with-instance-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
15 changes: 10 additions & 5 deletions examples/alb-with-ip-target-group/main.tf
Expand Up @@ -32,15 +32,16 @@ module "alb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

default_security_group = {
enabled = true
name = "tedilabs-alb-ip"
description = "Managed by Terraform."

ingress_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
listener_ingress_ipv4_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
}
security_groups = []

Expand Down Expand Up @@ -114,9 +115,13 @@ module "alb" {
]

## Access Log
access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-alb-ip/"
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-alb-ip/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
4 changes: 2 additions & 2 deletions examples/alb-with-ip-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
2 changes: 1 addition & 1 deletion examples/gwlb-with-instance-target-group/main.tf
Expand Up @@ -28,7 +28,7 @@ module "gwlb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

4 changes: 2 additions & 2 deletions examples/gwlb-with-instance-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
2 changes: 1 addition & 1 deletion examples/gwlb-with-ip-target-group/main.tf
Expand Up @@ -28,7 +28,7 @@ module "gwlb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

4 changes: 2 additions & 2 deletions examples/gwlb-with-ip-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
15 changes: 10 additions & 5 deletions examples/nlb-with-alb-target-group/alb.tf
Expand Up @@ -15,15 +15,16 @@ module "alb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

default_security_group = {
enabled = true
name = "tedilabs-nlb-alb-alb"
description = "Managed by Terraform."

ingress_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
listener_ingress_ipv4_cidrs = ["10.0.0.0/8", "172.31.0.0/16"]
}
security_groups = []

Expand Down Expand Up @@ -79,9 +80,13 @@ module "alb" {
]

## Access Log
access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-nlb-alb-alb/"
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-nlb-alb-alb/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
13 changes: 9 additions & 4 deletions examples/nlb-with-alb-target-group/main.tf
Expand Up @@ -31,7 +31,7 @@ module "nlb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

Expand All @@ -45,9 +45,14 @@ module "nlb" {
target_group = module.target_group.arn
}]

access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-nlb-alb/"
## Access Log
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-nlb-alb/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
4 changes: 2 additions & 2 deletions examples/nlb-with-alb-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
13 changes: 9 additions & 4 deletions examples/nlb-with-instance-target-group/main.tf
Expand Up @@ -31,7 +31,7 @@ module "nlb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

Expand All @@ -45,9 +45,14 @@ module "nlb" {
target_group = module.target_group.arn
}]

access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-nlb-instance/"
## Access Log
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-nlb-instance/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
4 changes: 2 additions & 2 deletions examples/nlb-with-instance-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
13 changes: 9 additions & 4 deletions examples/nlb-with-ip-target-group/main.tf
Expand Up @@ -31,7 +31,7 @@ module "nlb" {
network_mapping = {
for az, subnet in data.aws_subnet.default :
az => {
subnet_id = subnet.id
subnet = subnet.id
}
}

Expand All @@ -45,9 +45,14 @@ module "nlb" {
target_group = module.target_group.arn
}]

access_log_enabled = false
access_log_s3_bucket = "my-bucket"
access_log_s3_key_prefix = "/tedilabs-nlb-ip/"
## Access Log
access_log = {
enabled = false
s3_bucket = {
name = "my-bucket"
key_prefix = "/tedilabs-nlb-ip/"
}
}

tags = {
"project" = "terraform-aws-load-balancer-examples"
4 changes: 2 additions & 2 deletions examples/nlb-with-ip-target-group/versions.tf
@@ -1,10 +1,10 @@
terraform {
required_version = "~> 1.5"
required_version = "~> 1.6"

required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.0"
version = "~> 5.0"
}
}
}
10 changes: 4 additions & 6 deletions modules/alb-listener/README.md
Expand Up @@ -11,14 +11,14 @@ This module creates following resources.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.71 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.6 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.19.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.30.0 |

## Modules

Expand Down Expand Up @@ -49,9 +49,7 @@ This module creates following resources.
| <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no |
| <a name="input_rules"></a> [rules](#input\_rules) | (Optional) The rules that you define for the listener determine how the load balancer routes requests to the targets in one or more target groups. Each rule consists of a priority, one or more actions, and one or more conditions. Each item of `rules` block as defined below.<br> (Required) `priority` - The priority for the rule between `1` and `50000`. A listener can't have multiple rules with the same priority.<br> (Required) `conditions` - A set of conditions of the rule. One or more condition blocks can be set per rule. Most condition types can only be specified once per rule except for `HTTP_HEADER` and `QUERY` which can be specified multiple times. All condition blocks must be satisfied for the rule to match. Each item of `conditions` block as defined below.<br> (Required) `type` - The type of the condition. Valid values are `HOST`, `HTTP_METHOD`, `HTTP_HEADER`, `PATH`, `QUERY` and `SOURCE_IP`.<br> (Optional) `name` - The name of HTTP header to search. The maximum size is 40 characters. Comparison is case insensitive. Only RFC7240 characters are supported. Wildcards are not supported. You cannot use HTTP header condition to specify the host header, use a `HOST` condition instead. Only required if `type` is `HTTP_HEADER`.<br> (Required) `values` for `HOST` - A list of host header patterns to match. The maximum size of each pattern is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). Only one pattern needs to match for the condition to be satisfied.<br> (Required) `values` for `HTTP_METHOD` - A list of HTTP request methods or verbs to match. Maximum size is 40 characters. Only allowed characters are A-Z, hyphen (-) and underscore (\_). Comparison is case sensitive. Wildcards are not supported. Only one needs to match for the condition to be satisfied. 
AWS recommends that GET and HEAD requests are routed in the same way because the response to a HEAD request may be cached.<br> (Required) `values` for `HTTP_HEADER` - A list of header value patterns to match. Maximum size of each pattern is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). If the same header appears multiple times in the request they will be searched in order until a match is found. Only one pattern needs to match for the condition to be satisfied. To require that all of the strings are a match, create one condition block per string.<br> (Required) `values` for `PATH` - A list of path patterns to match against the request URL. Maximum size of each pattern is 128 characters. Comparison is case sensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). Only one pattern needs to match for the condition to be satisfied. Path pattern is compared only to the path of the URL, not to its query string. To compare against the query string, use a `QUERY` condition.<br> (Required) `values` for `QUERY` - A list of query string pairs to match. Each query string pair consists of `key` and `value`. Maximum size of each string is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?' character in a query string, escape the character with a backslash (\). Only one pair needs to match for the condition to be satisfied.<br> (Required) `values` for `SOURCE_IP` - A list of source IP CIDR notations to match. You can use both IPv4 and IPv6 addresses. Wildcards are not supported. Condition is satisfied if the source IP address of the request matches one of the CIDR blocks. 
Condition is not satisfied by the addresses in the `X-Forwarded-For` header, use `HTTP_HEADER` condition instead.<br> (Required) `action_type` - The type of the routing action. Valid values are `FORWARD`, `WEIGHTED_FORWARD`, `FIXED_RESPONSE`, `REDIRECT_301` and `REDIRECT_302`.<br> (Optional) `action_parameters` - Same with `default_action_parameters`. | `any` | `[]` | no |
| <a name="input_tags"></a> [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no |
| <a name="input_tls_additional_certificates"></a> [tls\_additional\_certificates](#input\_tls\_additional\_certificates) | (Optional) A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener. | `set(string)` | `[]` | no |
| <a name="input_tls_certificate"></a> [tls\_certificate](#input\_tls\_certificate) | (Optional) The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `tls_additional_certificates` variable. Required if `protocol` is `HTTPS`. | `string` | `null` | no |
| <a name="input_tls_security_policy"></a> [tls\_security\_policy](#input\_tls\_security\_policy) | (Optional) The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `HTTPS`. Defaults to `ELBSecurityPolicy-2016-08` security policy. The `ELBSecurityPolicy-2016-08` security policy is always used for backend connections. Application Load Balancers do not support custom security policies. | `string` | `"ELBSecurityPolicy-2016-08"` | no |
| <a name="input_tls"></a> [tls](#input\_tls) | (Optional) The configuration for TLS listener of the load balancer. Required if `protocol` is `HTTPS`. `tls` block as defined below.<br> (Optional) `certificate` - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `additional_certificates` variable.<br> (Optional) `additional_certificates` - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.<br> (Optional) `security_policy` - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `HTTPS`. Defaults to `ELBSecurityPolicy-2016-08` security policy. The `ELBSecurityPolicy-2016-08` security policy is always used for backend connections. Application Load Balancers do not support custom security policies. | <pre>object({<br> certificate = optional(string)<br> additional_certificates = optional(set(string), [])<br> security_policy = optional(string, "ELBSecurityPolicy-2016-08")<br> })</pre> | `{}` | no |

## Outputs

14 changes: 10 additions & 4 deletions modules/alb-listener/main.tf
Expand Up @@ -14,21 +14,27 @@ locals {
} : {}
}


locals {
load_balancer_name = split("/", var.load_balancer)[2]
tls_enabled = var.protocol == "HTTPS"
}


###################################################
# ALB Listener
###################################################

# INFO: Not supported attributes
# - `alpn_policy`
resource "aws_lb_listener" "this" {
load_balancer_arn = var.load_balancer

port = var.port
protocol = var.protocol

## TLS
certificate_arn = local.tls_enabled ? var.tls_certificate : null
ssl_policy = local.tls_enabled ? var.tls_security_policy : null
certificate_arn = local.tls_enabled ? var.tls.certificate : null
ssl_policy = local.tls_enabled ? var.tls.security_policy : null

dynamic "default_action" {
for_each = (var.default_action_type == "FORWARD"
Expand Down Expand Up @@ -325,7 +331,7 @@ resource "aws_lb_listener_rule" "this" {
###################################################

resource "aws_lb_listener_certificate" "this" {
for_each = toset(local.tls_enabled ? var.tls_additional_certificates : [])
for_each = toset(local.tls_enabled ? var.tls.additional_certificates : [])

listener_arn = aws_lb_listener.this.arn
certificate_arn = each.key
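Review bot: With `certificate_arn = local.tls_enabled ? var.tls.certificate : null` in the first hunk, an HTTPS listener whose caller leaves `tls` at its `{}` default (the README in this commit documents `certificate` as `optional(string)`) now silently passes a null certificate to the provider and fails only at apply time with a provider-side message, whereas the old flat `tls_certificate` variable at least made the requirement visible in the interface. Guarding this in the resource itself gives a clear, early error; a `validation` block on `var.tls` in variables.tf (not part of this diff) would be an equivalent alternative. The `aws_lb_listener.this` resource continues outside the hunk, so the `lifecycle` block below goes at the end of its body. Separately, the documented default `security_policy` of `ELBSecurityPolicy-2016-08` still negotiates TLS 1.0/1.1; it may be worth stating that in the variable description so callers know to pick a TLS 1.2+ policy deliberately.
```hcl
resource "aws_lb_listener" "this" {
  # … unchanged: load_balancer_arn, port, protocol, TLS attributes, default_action …

  lifecycle {
    precondition {
      condition     = !local.tls_enabled || var.tls.certificate != null
      error_message = "`tls.certificate` is required when `protocol` is `HTTPS`."
    }
  }
}
```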