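locals {
  # "true" when the caller did not supply a target group ARN, i.e. this module
  # must create and manage its own aws_lb_target_group.
  target_group_enabled = "${var.target_group_arn == "" ? "true" : "false"}"

  # ARN the listener rules forward to: the module-managed group when enabled,
  # otherwise the caller-supplied one. The managed group is read through
  # join("", ...*.arn) instead of a direct attribute reference because the
  # 0.11 conditional evaluates both branches, and a direct reference to a
  # count = 0 resource is a plan-time error; the splat yields "" instead,
  # which the conditional then discards.
  target_group_arn = "${local.target_group_enabled == "true" ? join("", aws_lb_target_group.default.*.arn) : var.target_group_arn}"
}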
# Reads back the effective target group, whether module-managed or supplied by
# the caller (presumably for outputs; the outputs file is not shown here).
data "aws_lb_target_group" "default" {
  arn = "${local.target_group_arn}"
}
# Naming/tagging label for the module-managed target group. Disabled when the
# caller supplies an existing target group, since nothing is created then.
module "default_label" {
  # NOTE(review): `ref=tags/0.2.1` is a mutable git tag; pinning to a full
  # commit SHA (`?ref=<commit-sha>`) makes the fetched module immutable.
  source  = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.2.1"
  enabled = "${local.target_group_enabled}"

  namespace  = "${var.namespace}"
  stage      = "${var.stage}"
  name       = "${var.name}"
  delimiter  = "${var.delimiter}"
  attributes = "${var.attributes}"
  tags       = "${var.tags}"
}
locals {
  # Authentication action prepended to every "authenticated_*" listener rule,
  # keyed by var.authentication_type. Only the keys listed here are accepted;
  # any other value fails the map lookup below at plan time.
  supported_authentication_actions = {
    "NONE" = {
      # NOTE(review): "none" is not an ALB action type; confirm how the
      # provider treats this entry when an authenticated_* rule is created
      # with it. With this selection the "authenticated" rules carry no
      # authentication step at all.
      type = "none"
    }

    "COGNITO" = {
      type = "authenticate-cognito"

      authenticate_cognito = [{
        user_pool_arn       = "${var.authentication_cognito_user_pool_arn}"
        user_pool_client_id = "${var.authentication_cognito_user_pool_client_id}"
        user_pool_domain    = "${var.authentication_cognito_user_pool_domain}"
      }]
    }

    "OIDC" = {
      type = "authenticate-oidc"

      authenticate_oidc = [{
        client_id = "${var.authentication_oidc_client_id}"

        # client_secret is written to the listener rule and therefore to the
        # Terraform state in plaintext; keep the state backend encrypted and
        # access-restricted.
        client_secret          = "${var.authentication_oidc_client_secret}"
        issuer                 = "${var.authentication_oidc_issuer}"
        authorization_endpoint = "${var.authentication_oidc_authorization_endpoint}"
        token_endpoint         = "${var.authentication_oidc_token_endpoint}"
        user_info_endpoint     = "${var.authentication_oidc_user_info_endpoint}"
      }]
    }
  }

  authentication_action = "${local.supported_authentication_actions[var.authentication_type]}"
}
# Target group created only when the caller did not pass target_group_arn.
resource "aws_lb_target_group" "default" {
  count = "${local.target_group_enabled == "true" ? 1 : 0}"

  name        = "${module.default_label.id}"
  vpc_id      = "${var.vpc_id}"
  target_type = "${var.target_type}"
  port        = "${var.port}"
  protocol    = "${var.protocol}"

  deregistration_delay = "${var.deregistration_delay}"

  health_check {
    path                = "${var.health_check_path}"
    matcher             = "${var.health_check_matcher}"
    interval            = "${var.health_check_interval}"
    timeout             = "${var.health_check_timeout}"
    healthy_threshold   = "${var.health_check_healthy_threshold}"
    unhealthy_threshold = "${var.health_check_unhealthy_threshold}"
  }

  # A replacement is created before the old group is removed, so the listener
  # rules that forward to it are never left pointing at a deleted group.
  lifecycle {
    create_before_destroy = true
  }
}
# Forwards matching path patterns straight to the target group with no
# authentication step. Created only when paths are given without hosts (the
# host+path combination is handled by unauthenticated_hosts_paths).
resource "aws_lb_listener_rule" "unauthenticated_paths" {
  count = "${length(var.unauthenticated_hosts) == 0 && length(var.unauthenticated_paths) > 0 ? var.unauthenticated_listener_arns_count : 0}"

  # One rule per listener; the priority is offset by the listener index.
  # ALB evaluates the lowest priority value first, so an unauthenticated rule
  # whose priority sorts before an authenticated one and whose pattern also
  # matches the request will serve it without the authentication step.
  listener_arn = "${var.unauthenticated_listener_arns[count.index]}"
  priority     = "${var.unauthenticated_priority + count.index}"

  condition {
    field  = "path-pattern"
    values = ["${var.unauthenticated_paths}"]
  }

  action = [
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}
# Path-pattern rule that runs the selected authentication action before
# forwarding. Created only when paths are given without hosts.
resource "aws_lb_listener_rule" "authenticated_paths" {
  count = "${length(var.authenticated_hosts) == 0 && length(var.authenticated_paths) > 0 ? var.authenticated_listener_arns_count : 0}"

  # Priorities must not collide with the unauthenticated_* rules on the same
  # listener, and with several listeners the authenticated_priority and
  # unauthenticated_priority ranges need count-many free values each.
  listener_arn = "${var.authenticated_listener_arns[count.index]}"
  priority     = "${var.authenticated_priority + count.index}"

  condition {
    field  = "path-pattern"
    values = ["${var.authenticated_paths}"]
  }

  # The authentication action comes first; with authentication_type = "NONE"
  # it contributes no authentication step.
  action = [
    "${local.authentication_action}",
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}
# Host-header rule that forwards without authentication. Created only when
# hosts are given without paths.
resource "aws_lb_listener_rule" "unauthenticated_hosts" {
  count = "${length(var.unauthenticated_paths) == 0 && length(var.unauthenticated_hosts) > 0 ? var.unauthenticated_listener_arns_count : 0}"

  listener_arn = "${var.unauthenticated_listener_arns[count.index]}"
  priority     = "${var.unauthenticated_priority + count.index}"

  condition {
    field  = "host-header"
    values = ["${var.unauthenticated_hosts}"]
  }

  action = [
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}
# Host-header rule that runs the selected authentication action before
# forwarding. Created only when hosts are given without paths.
resource "aws_lb_listener_rule" "authenticated_hosts" {
  count = "${length(var.authenticated_paths) == 0 && length(var.authenticated_hosts) > 0 ? var.authenticated_listener_arns_count : 0}"

  listener_arn = "${var.authenticated_listener_arns[count.index]}"
  priority     = "${var.authenticated_priority + count.index}"

  condition {
    field  = "host-header"
    values = ["${var.authenticated_hosts}"]
  }

  action = [
    "${local.authentication_action}",
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}
# Combined host-header AND path-pattern rule that forwards without
# authentication. Created only when both hosts and paths are given.
resource "aws_lb_listener_rule" "unauthenticated_hosts_paths" {
  count = "${length(var.unauthenticated_hosts) > 0 && length(var.unauthenticated_paths) > 0 ? var.unauthenticated_listener_arns_count : 0}"

  listener_arn = "${var.unauthenticated_listener_arns[count.index]}"
  priority     = "${var.unauthenticated_priority + count.index}"

  # Both conditions must match for the rule to apply.
  condition {
    field  = "host-header"
    values = ["${var.unauthenticated_hosts}"]
  }

  condition {
    field  = "path-pattern"
    values = ["${var.unauthenticated_paths}"]
  }

  action = [
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}
# Combined host-header AND path-pattern rule that runs the selected
# authentication action before forwarding. Created only when both hosts and
# paths are given.
resource "aws_lb_listener_rule" "authenticated_hosts_paths" {
  count = "${length(var.authenticated_hosts) > 0 && length(var.authenticated_paths) > 0 ? var.authenticated_listener_arns_count : 0}"

  listener_arn = "${var.authenticated_listener_arns[count.index]}"
  priority     = "${var.authenticated_priority + count.index}"

  # Both conditions must match for the rule to apply.
  condition {
    field  = "host-header"
    values = ["${var.authenticated_hosts}"]
  }

  condition {
    field  = "path-pattern"
    values = ["${var.authenticated_paths}"]
  }

  action = [
    "${local.authentication_action}",
    {
      type             = "forward"
      target_group_arn = "${local.target_group_arn}"
    },
  ]
}