
edelwud/terraform-aws-alb


Terraform AWS Application Load Balancer module

Terraform module for the AWS provider that creates aws_lb* resources

Usage

AWS ALB redirect from HTTP to HTTPS

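module "alb" {
  source  = "edelwud/alb/aws"
  version = "x.x.x" # replace with a pinned release of the module

  name = "redirect-http-https"

  type     = "application"
  internal = false # internet-facing: reachable from the public internet
  subnets  = module.vpc.public_subnets

  # The VPC default security group is usually broader than an internet-facing
  # ALB needs; prefer a dedicated group that admits only 80/443 inbound.
  security_groups = [
    module.vpc.default_security_group_id,
    module.lb_sg.security_group_id
  ]

  listeners = {
    # Plain HTTP: permanently redirect every request to the HTTPS listener.
    "http-to-https" = {
      port     = 80
      protocol = "HTTP"

      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }

    # HTTPS listener on 443, the port the redirect above points to.
    "https" = {
      port     = 443
      protocol = "HTTPS"
      # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; a TLS 1.2+
      # policy (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06) is preferable unless
      # legacy clients must be supported.
      ssl_policy      = "ELBSecurityPolicy-2016-08"
      certificate_arn = aws_acm_certificate.example.arn

      # Default action when no rule matches.
      fixed_response = {
        content_type = "text/plain"
        message_body = "Fixed response content"
        status_code  = "200"
      }
    }
  }
}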

AWS ALB listener rules

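module "alb" {
  source  = "edelwud/alb/aws"
  version = "x.x.x" # replace with a pinned release of the module

  name = "listener-rules"

  type     = "application"
  internal = false # internet-facing: reachable from the public internet
  subnets  = module.vpc.public_subnets

  # The VPC default security group is usually broader than an internet-facing
  # ALB needs; prefer a dedicated group that admits only 80/443 inbound.
  security_groups = [
    module.vpc.default_security_group_id,
    module.lb_sg.security_group_id
  ]

  listeners = {
    # Plain HTTP: the default action redirects to HTTPS; the rule below takes
    # precedence for /api* requests and forwards them over HTTP instead.
    "http-to-https" = {
      port     = 80
      protocol = "HTTP"

      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }

      rules = {
        "if-path-pattern-is-api" = {
          priority = 20

          condition = {
            path_pattern = ["/api*"]
          }

          forward = {
            target_group_arn = aws_lb_target_group.api.arn
          }
        }
      }
    }

    # HTTPS listener on 443, the port the redirect above points to.
    "https" = {
      port     = 443
      protocol = "HTTPS"
      # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; a TLS 1.2+
      # policy (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06) is preferable unless
      # legacy clients must be supported.
      ssl_policy      = "ELBSecurityPolicy-2016-08"
      certificate_arn = aws_acm_certificate.example.arn

      # Default action when no rule matches.
      fixed_response = {
        content_type = "text/plain"
        message_body = "Fixed response content"
        status_code  = "200"
      }

      # Rule priorities must be unique within one listener; lower values are
      # evaluated first.
      rules = {
        "if-path-pattern-is-api" = {
          priority = 20

          condition = {
            path_pattern = ["/api*"]
          }

          forward = {
            target_group_arn = aws_lb_target_group.api.arn
          }
        }

        "if-host-header-is-example-and-method-is-get" = {
          priority = 30

          # Both conditions must hold for the rule to match.
          condition = {
            host_header         = ["example.com"]
            http_request_method = ["GET"]
          }

          forward = {
            target_group_arn = aws_lb_target_group.ui.arn
          }
        }
      }
    }
  }
}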

AWS ALB Cognito & OIDC

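module "alb" {
  source  = "edelwud/alb/aws"
  version = "x.x.x" # replace with a pinned release of the module

  name = "cognito-oidc"

  type     = "application"
  internal = false # internet-facing: reachable from the public internet
  subnets  = module.vpc.public_subnets

  # The VPC default security group is usually broader than an internet-facing
  # ALB needs; prefer a dedicated group that admits only 443 inbound.
  security_groups = [
    module.vpc.default_security_group_id,
    module.lb_sg.security_group_id
  ]

  listeners = {
    # HTTPS listener on 443 whose default action runs OIDC authentication
    # before serving the fixed response.
    "access-to-fixed-response-after-oidc" = {
      port     = 443
      protocol = "HTTPS"
      # ELBSecurityPolicy-2016-08 still negotiates TLS 1.0/1.1; a TLS 1.2+
      # policy (e.g. ELBSecurityPolicy-TLS13-1-2-2021-06) is preferable unless
      # legacy clients must be supported.
      ssl_policy      = "ELBSecurityPolicy-2016-08"
      certificate_arn = aws_acm_certificate.example.arn

      authenticate_oidc = {
        authorization_endpoint = "https://example.com/authorization_endpoint"
        client_id              = "client_id"
        # Placeholder only: take the real secret from a sensitive variable or
        # a secrets store rather than a literal in committed configuration.
        client_secret          = "client_secret"
        issuer                 = "https://example.com"
        token_endpoint         = "https://example.com/token_endpoint"
        user_info_endpoint     = "https://example.com/user_info_endpoint"
      }

      # Default action, reached after the OIDC step succeeds.
      fixed_response = {
        content_type = "text/plain"
        message_body = "Fixed response content"
        status_code  = "200"
      }

      rules = {
        # /api* requests authenticate against Cognito, then forward.
        "cognito-before-api" = {
          priority = 20

          # NOTE(review): the other examples in this README use `condition`;
          # confirm which key the module reads.
          conditions = {
            path_pattern = ["/api*"]
          }

          authenticate_cognito = {
            user_pool_arn       = aws_cognito_user_pool.pool.arn
            user_pool_client_id = aws_cognito_user_pool_client.client.id
            user_pool_domain    = aws_cognito_user_pool_domain.domain.domain
          }

          forward = {
            target_group_arn = aws_lb_target_group.api.arn
          }
        }
      }
    }
  }
}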

Requirements

Name Version
terraform >= 0.13.1
aws >= 3.67

Providers

Name Version
aws >= 3.67

Modules

No modules.

Resources

Name Type
aws_lb.this resource
aws_lb_listener.this resource
aws_lb_listener_rule.this resource

Inputs

Name Description Type Default Required
access_logs AWS ALB access logs
object({
bucket = string
prefix = string
enabled = bool
})
null no
deletion_protection AWS LB deletion protection string false no
idle_timeout AWS LB idle timeout number 600 no
internal Is AWS Load Balancer internal? bool false no
listeners AWS LB listeners any null no
name AWS Load Balancer name string n/a yes
security_groups AWS LB security groups list(string) n/a yes
subnet_mapping AWS Load Balancer subnet mapping
list(object({
subnet_id = string
allocation_id = string
}))
null no
subnets AWS LB subnets list(string) n/a yes
tags Tags map(string) null no
type AWS load balancer type string "application" no

Outputs

Name Description
lb_arn AWS Load Balancer ARN
lb_dns_name AWS Load Balancer DNS name
lb_id AWS Load Balancer identifier
lb_listener_rules AWS Load Balancer listener rule ARNs
lb_listeners AWS Load Balancer listener ARNs
lb_zone_id AWS Load Balancer Hosted Zone identifier