diff --git a/modules/alb-instance-target-group/outputs.tf b/modules/alb-instance-target-group/outputs.tf
index 7c30a6c..cc28171 100644
--- a/modules/alb-instance-target-group/outputs.tf
+++ b/modules/alb-instance-target-group/outputs.tf
@@ -94,3 +94,19 @@ output "health_check" {
 timeout = aws_lb_target_group.this.health_check[0].timeout
 }
 }
+
+output "resource_group" {
+ description = "The resource group created to manage resources in this module."
+ value = merge(
+ {
+ enabled = var.resource_group.enabled && var.module_tags_enabled
+ },
+ (var.resource_group.enabled && var.module_tags_enabled
+ ? {
+ arn = module.resource_group[0].arn
+ name = module.resource_group[0].name
+ }
+ : {}
+ )
+ )
+}
diff --git a/modules/alb-instance-target-group/resource-group.tf b/modules/alb-instance-target-group/resource-group.tf
index 7487ba0..85c4fb0 100644
--- a/modules/alb-instance-target-group/resource-group.tf
+++ b/modules/alb-instance-target-group/resource-group.tf
@@ -1,6 +1,6 @@
 locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
+ resource_group_name = (var.resource_group.name != ""
+ ? var.resource_group.name
 : join(".", [
 local.metadata.package,
 local.metadata.module,
@@ -12,12 +12,12 @@ locals {
 module "resource_group" {
 source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
+ version = "~> 0.12.0"
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+ count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
 name = local.resource_group_name
- description = var.resource_group_description
+ description = var.resource_group.description
 query = {
 resource_tags = local.module_tags
diff --git a/modules/alb-instance-target-group/variables.tf b/modules/alb-instance-target-group/variables.tf
index c4a3bbc..a761f10 100644
--- a/modules/alb-instance-target-group/variables.tf
+++ b/modules/alb-instance-target-group/variables.tf
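Review bot: The disabled branch of `output "resource_group"` returns `{ enabled = false }` with no `arn`/`name` keys, so the output's shape depends on a flag, and a consumer that reads `module.<name>.resource_group.arn` fails at plan time with an unsupported-attribute error whenever the resource group is turned off (or `module_tags_enabled` is false) instead of seeing a null. Returning the same keys in both branches keeps the type stable: `: { arn = null, name = null }` in place of `: {}`. The `var.resource_group.enabled && var.module_tags_enabled` condition is also evaluated twice in this output and once more as the `count` in resource-group.tf; a single `resource_group_enabled` local in that file's `locals` block, referenced from both the output and the `count`, would keep the output from drifting from the instance it describes. The identical output block is added in modules/alb/outputs.tf further down this diff and needs the same change.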
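Review bot: `version = "~> 0.12.0"` for `module "resource_group"` still lets `terraform init` resolve any newer 0.12.x release of the external registry module `tedilabs/misc/aws//modules/resource-group`, and Terraform's dependency lock file records provider versions only, so nothing in the repository fixes the module revision that is actually fetched. If the goal is a reproducible build, an exact `version = "0.12.0"` (or a source that carries a commit ref) pins it; if the floating range is intended, a short comment on why 0.12 is required would explain a jump across two minor releases that the hunk otherwise leaves unexplained. The `module "resource_group"` block continues past the end of this hunk (the `query` map is cut off), and the same version line is changed in the modules/alb/resource-group.tf hunk further down.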
@@ -224,23 +224,21 @@ variable "module_tags_enabled" {
 # Resource Group
 ###################################################
-variable "resource_group_enabled" {
- description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
- nullable = false
-}
-variable "resource_group_name" {
- description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
- nullable = false
-}
-variable "resource_group_description" {
- description = "(Optional) The description of Resource Group."
- type = string
- default = "Managed by Terraform."
- nullable = false
+
+variable "resource_group" {
+ description = < [aws](#provider\_aws) | 5.30.0 | +| [aws](#provider\_aws) | 6.12.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [listener](#module\_listener) | ../alb-listener | n/a | -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [security\_group](#module\_security\_group) | tedilabs/network/aws//modules/security-group | ~> 0.31.0 | +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 | +| [security\_group](#module\_security\_group) | tedilabs/network/aws//modules/security-group | ~> 0.32.0 | ## Resources 
@@ -43,9 +43,9 @@ This module creates following resources. |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) The name of the load balancer. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. | `string` | n/a | yes | | [vpc\_id](#input\_vpc\_id) | (Required) The ID of the VPC which the load balancer belongs to. | `string` | n/a | yes | -| [access\_log](#input\_access\_log) | (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. `access_log` as defined below.
(Optional) `enabled` - Indicates whether to enable access logs. Defaults to `false`.
(Optional) `s3_bucket` - A configuration of the S3 Bucket for access logs. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket used to store the access logs.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket. |
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string)
key_prefix = optional(string, "")
}), {})
})
| `{}` | no | +| [access\_log](#input\_access\_log) | (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. `access_log` as defined below.
(Optional) `enabled` - Indicates whether to enable access logs. Defaults to `false`.
(Optional) `s3_bucket` - A configuration of the S3 Bucket for access logs. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket used to store the access logs.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket. |
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string)
key_prefix = optional(string, "")
}), {})
})
| `{}` | no | | [cross\_zone\_load\_balancing\_enabled](#input\_cross\_zone\_load\_balancing\_enabled) | (Optional) Cross-zone load balancing distributes traffic evenly across all targets in the Availability Zones enabled for the load balancer. Cross-zone load balancing is always on for Application Load Balancers. However, you can turn it off for a specific target group using target group attributes. Defaults to `true`. | `bool` | `true` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the load balancer. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `listener_ingress_ipv4_cidrs` - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_ipv6_cidrs` - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_prefix_lists` - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_security_groups` - A list of security group IDs to allow on the listener port. Defaults to `[]`." |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
listener_ingress_ipv4_cidrs = optional(list(string), [])
listener_ingress_ipv6_cidrs = optional(list(string), [])
listener_ingress_prefix_lists = optional(list(string), [])
listener_ingress_security_groups = optional(list(string), [])
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the load balancer. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `listener_ingress_ipv4_cidrs` - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_ipv6_cidrs` - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_prefix_lists` - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_security_groups` - A list of security group IDs to allow on the listener port. Defaults to `[]`." |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
listener_ingress_ipv4_cidrs = optional(list(string), [])
listener_ingress_ipv6_cidrs = optional(list(string), [])
listener_ingress_prefix_lists = optional(list(string), [])
listener_ingress_security_groups = optional(list(string), [])
})
| `{}` | no | | [deletion\_protection\_enabled](#input\_deletion\_protection\_enabled) | (Optional) Indicates whether deletion of the load balancer via the AWS API will be protected. Defaults to `false`. | `bool` | `false` | no | | [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | (Optional) Determines how the load balancer handles requests that might pose a security risk to your application. Valid values are `DEFENSIVE`, `STRICTEST` and `MONITOR`. Defaults to `DEFENSIVE`. | `string` | `"DEFENSIVE"` | no | | [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Defaults to `false`. | `bool` | `false` | no | @@ -53,19 +53,17 @@ This module creates following resources. | [idle\_timeout](#input\_idle\_timeout) | (Optional) The number of seconds before the load balancer determines the connection is idle and closes it. Defaults to `60` | `number` | `60` | no | | [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are `IPV4` and `DUALSTACK`. | `string` | `"IPV4"` | no | | [is\_public](#input\_is\_public) | (Optional) Indicates whether the load balancer will be public. Defaults to `false`. | `bool` | `false` | no | -| [listeners](#input\_listeners) | (Optional) A list of listener configurations of the application load balancer. Listeners listen for connection requests using their `protocol` and `port`. Each value of `listener` block as defined below.
(Required) `port` - The number of port on which the listener of load balancer is listening.
(Required) `protocol` - The protocol for connections from clients to the load balancer. Valid values are `HTTP` and `HTTPS`.
(Required) `default_action_type` - The type of default routing action. Valid values are `FORWARD`, `FIXED_RESPONSE`, `REDIRECT_301` and `REDIRECT_302`.
(Optional) `default_action_parameters` - Configuration block for the parameters of the default routing action.
(Optional) `rules` - The rules that you define for the listener determine how the load balancer routes requests to the targets in one or more target groups.
(Optional) The configuration for TLS listener of the load balancer. Required if `protocol` is `HTTPS`. `tls` block as defined below.
(Optional) `certificate` - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `additional_certificates` variable.
(Optional) `additional_certificates` - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) `security_policy` - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `HTTPS`. Defaults to `ELBSecurityPolicy-2016-08` security policy. The `ELBSecurityPolicy-2016-08` security policy is always used for backend connections. Application Load Balancers do not support custom security policies. | `any` | `[]` | no | +| [listeners](#input\_listeners) | (Optional) A list of listener configurations of the application load balancer. Listeners listen for connection requests using their `protocol` and `port`. Each value of `listener` block as defined below.
(Required) `port` - The number of port on which the listener of load balancer is listening.
(Required) `protocol` - The protocol for connections from clients to the load balancer. Valid values are `HTTP` and `HTTPS`.
(Required) `default_action_type` - The type of default routing action. Valid values are `FORWARD`, `FIXED_RESPONSE`, `REDIRECT_301` and `REDIRECT_302`.
(Optional) `default_action_parameters` - Configuration block for the parameters of the default routing action.
(Optional) `rules` - The rules that you define for the listener determine how the load balancer routes requests to the targets in one or more target groups.
(Optional) The configuration for TLS listener of the load balancer. Required if `protocol` is `HTTPS`. `tls` block as defined below.
(Optional) `certificate` - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `additional_certificates` variable.
(Optional) `additional_certificates` - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) `security_policy` - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `HTTPS`. Defaults to `ELBSecurityPolicy-2016-08` security policy. The `ELBSecurityPolicy-2016-08` security policy is always used for backend connections. Application Load Balancers do not support custom security policies. | `any` | `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the load balancer how routes traffic to targets in which subnets, and in accordance with IP address settings. Select at least two Availability Zone and one subnet for each zone. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each value of `network_mapping` block as defined below.
(Required) `subnet` - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone. |
map(object({
subnet = string
}))
| `{}` | no | +| [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the load balancer how routes traffic to targets in which subnets, and in accordance with IP address settings. Select at least two Availability Zone and one subnet for each zone. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each value of `network_mapping` block as defined below.
(Required) `subnet` - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone. |
map(object({
subnet = string
}))
| `{}` | no | | [preserve\_host\_header](#input\_preserve\_host\_header) | (Optional) Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. Defaults to `false`. | `bool` | `false` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | +| [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.
(Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.
(Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.
(Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. |
object({
enabled = optional(bool, true)
name = optional(string, "")
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | | [security\_groups](#input\_security\_groups) | (Optional) A list of security group IDs to assign to the Load Balancer. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [timeouts](#input\_timeouts) | (Optional) How long to wait for the load balancer to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
| `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the load balancer to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
| `{}` | no | | [tls\_negotiation\_headers\_enabled](#input\_tls\_negotiation\_headers\_enabled) | (Optional) Whether the two TLS negotiation headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Defaults to `false`. | `bool` | `false` | no | | [waf\_fail\_open\_enabled](#input\_waf\_fail\_open\_enabled) | (Optional) Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to `false`. | `bool` | `false` | no | -| [xff\_header](#input\_xff\_header) | (Optional) The configuration for . `xff_header` block as defined below.
(Optional) `mode` - How the load balancer modifies the `X-Forwarded-For` header in the HTTP request before sending the request to the target. Valid values are `APPEND`, `PRESERVE`, `REMOVE`. Defaults to `APPEND`.
`APPEND` - The load balancer appends the IP address of the client to the `X-Forwarded-For` header.
`PRESERVE` - The load balancer preserves the original IP address of the client.
`REMOVE` - The load balancer removes the `X-Forwarded-For` header from the request.
(Optional) `client_port_preservation_enabled` - Whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. Defaults to `false`. |
object({
mode = optional(string, "APPEND")
client_port_preservation_enabled = optional(bool, false)
})
| `{}` | no | +| [xff\_header](#input\_xff\_header) | (Optional) The configuration for . `xff_header` block as defined below.
(Optional) `mode` - How the load balancer modifies the `X-Forwarded-For` header in the HTTP request before sending the request to the target. Valid values are `APPEND`, `PRESERVE`, `REMOVE`. Defaults to `APPEND`.
`APPEND` - The load balancer appends the IP address of the client to the `X-Forwarded-For` header.
`PRESERVE` - The load balancer preserves the original IP address of the client.
`REMOVE` - The load balancer removes the `X-Forwarded-For` header from the request.
(Optional) `client_port_preservation_enabled` - Whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. Defaults to `false`. |
object({
mode = optional(string, "APPEND")
client_port_preservation_enabled = optional(bool, false)
})
| `{}` | no |
 ## Outputs
@@ -84,6 +82,7 @@ This module creates following resources.
 | [listeners](#output\_listeners) | The listeners of the application load balancer. |
 | [name](#output\_name) | The name of the load balancer. |
 | [network\_mapping](#output\_network\_mapping) | The configuration for the load balancer how routes traffic to targets in which subnets and IP address settings. |
+| [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. |
 | [security\_groups](#output\_security\_groups) | A set of security group IDs which is assigned to the load balancer. |
 | [subnets](#output\_subnets) | A list of subnet IDs attached to the load balancer. |
 | [type](#output\_type) | The type of the load balancer. Always return `APPLICATION`. |
diff --git a/modules/alb/main.tf b/modules/alb/main.tf
index 8140886..258c2d0 100644
--- a/modules/alb/main.tf
+++ b/modules/alb/main.tf
@@ -154,8 +154,10 @@ module "listener" {
 security_policy = try(each.value.tls.security_policy, "ELBSecurityPolicy-2016-08")
 }
- resource_group_enabled = false
- module_tags_enabled = false
+ resource_group = {
+ enabled = false
+ }
+ module_tags_enabled = false
 tags = merge(
 local.module_tags,
diff --git a/modules/alb/outputs.tf b/modules/alb/outputs.tf
index b8bf79c..b601f56 100644
--- a/modules/alb/outputs.tf
+++ b/modules/alb/outputs.tf
@@ -102,3 +102,19 @@ output "listeners" {
 description = "The listeners of the application load balancer."
 value = module.listener
 }
+
+output "resource_group" {
+ description = "The resource group created to manage resources in this module."
+ value = merge(
+ {
+ enabled = var.resource_group.enabled && var.module_tags_enabled
+ },
+ (var.resource_group.enabled && var.module_tags_enabled
+ ? {
+ arn = module.resource_group[0].arn
+ name = module.resource_group[0].name
+ }
+ : {}
+ )
+ )
+}
diff --git a/modules/alb/resource-group.tf b/modules/alb/resource-group.tf
index 7487ba0..85c4fb0 100644
--- a/modules/alb/resource-group.tf
+++ b/modules/alb/resource-group.tf
@@ -1,6 +1,6 @@
 locals {
- resource_group_name = (var.resource_group_name != ""
- ? var.resource_group_name
+ resource_group_name = (var.resource_group.name != ""
+ ? var.resource_group.name
 : join(".", [
 local.metadata.package,
 local.metadata.module,
@@ -12,12 +12,12 @@ locals {
 module "resource_group" {
 source = "tedilabs/misc/aws//modules/resource-group"
- version = "~> 0.10.0"
+ version = "~> 0.12.0"
- count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0
+ count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0
 name = local.resource_group_name
- description = var.resource_group_description
+ description = var.resource_group.description
 query = {
 resource_tags = local.module_tags
diff --git a/modules/alb/variables.tf b/modules/alb/variables.tf
index 3337612..e7ac42a 100644
--- a/modules/alb/variables.tf
+++ b/modules/alb/variables.tf
@@ -309,22 +309,21 @@ variable "module_tags_enabled" {
 # Resource Group
 ###################################################
-variable "resource_group_enabled" {
- description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module."
- type = bool
- default = true
- nullable = false
-}
-variable "resource_group_name" {
- description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`."
- type = string
- default = ""
- nullable = false
-}
-variable "resource_group_description" {
- description = "(Optional) The description of Resource Group."
- type = string
- default = "Managed by Terraform."
+
+variable "resource_group" {
+ description = < [aws](#provider\_aws) | 5.30.0 | +| [aws](#provider\_aws) | 6.12.0 | | [terraform](#provider\_terraform) | n/a | ## Modules 
@@ -26,8 +26,8 @@ This module creates following resources. | Name | Source | Version | |------|--------|---------| | [listener](#module\_listener) | ../nlb-listener | n/a | -| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 | -| [security\_group](#module\_security\_group) | tedilabs/network/aws//modules/security-group | ~> 0.31.0 | +| [resource\_group](#module\_resource\_group) | tedilabs/misc/aws//modules/resource-group | ~> 0.12.0 | +| [security\_group](#module\_security\_group) | tedilabs/network/aws//modules/security-group | ~> 0.32.0 | ## Resources @@ -43,23 +43,21 @@ This module creates following resources. | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [name](#input\_name) | (Required) The name of the load balancer. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. | `string` | n/a | yes | -| [access\_log](#input\_access\_log) | (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. `access_log` as defined below.
(Optional) `enabled` - Indicates whether to enable access logs. Defaults to `false`.
(Optional) `s3_bucket` - A configuration of the S3 Bucket for access logs. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket used to store the access logs.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket. |
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string)
key_prefix = optional(string, "")
}), {})
})
| `{}` | no | +| [access\_log](#input\_access\_log) | (Optional) A configuration for the access logs for the load balancer. Access logs deliver detailed logs of all requests made to your Elastic Load Balancer. `access_log` as defined below.
(Optional) `enabled` - Indicates whether to enable access logs. Defaults to `false`.
(Optional) `s3_bucket` - A configuration of the S3 Bucket for access logs. `s3_bucket` as defined below.
(Required) `name` - The name of the S3 bucket used to store the access logs.
(Optional) `key_prefix` - The key prefix for the specified S3 bucket. |
object({
enabled = optional(bool, false)
s3_bucket = optional(object({
name = optional(string)
key_prefix = optional(string, "")
}), {})
})
| `{}` | no | | [cross\_zone\_load\_balancing\_enabled](#input\_cross\_zone\_load\_balancing\_enabled) | (Optional) Cross-zone load balancing distributes traffic evenly across all targets in the Availability Zones enabled for the load balancer. Indicates whether to enable cross-zone load balancing. Defaults to `false`. Regional data transfer charges may apply when cross-zone load balancing is enabled. | `bool` | `false` | no | -| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the load balancer. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `listener_ingress_ipv4_cidrs` - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_ipv6_cidrs` - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_prefix_lists` - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_security_groups` - A list of security group IDs to allow on the listener port. Defaults to `[]`." |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
listener_ingress_ipv4_cidrs = optional(list(string), [])
listener_ingress_ipv6_cidrs = optional(list(string), [])
listener_ingress_prefix_lists = optional(list(string), [])
listener_ingress_security_groups = optional(list(string), [])
})
| `{}` | no | +| [default\_security\_group](#input\_default\_security\_group) | (Optional) The configuration of the default security group for the load balancer. `default_security_group` block as defined below.
(Optional) `enabled` - Whether to use the default security group. Defaults to `true`.
(Optional) `name` - The name of the default security group. If not provided, the load balancer name is used for the name of security group.
(Optional) `description` - The description of the default security group.
(Optional) `ingress_rules` - A list of ingress rules in a security group. Defaults to `[]`. Each block of `ingress_rules` as defined below.
(Required) `id` - The ID of the ingress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `egress_rules` - A list of egress rules in a security group. Defaults to `[{ id = "default", protocol = -1, from_port = 1, to_port=65535, ipv4_cidrs = ["0.0.0.0/0"] }]`. Each block of `egress_rules` as defined below.
(Required) `id` - The ID of the egress rule. This value is only used internally within Terraform code.
(Optional) `description` - The description of the rule.
(Required) `protocol` - The protocol to match. Note that if `protocol` is set to `-1`, it translates to all protocols, all port ranges, and `from_port` and `to_port` values should not be defined.
(Required) `from_port` - The start of port range for the protocols.
(Required) `to_port` - The end of port range for the protocols.
(Optional) `ipv4_cidrs` - The IPv4 network ranges to allow, in CIDR notation.
(Optional) `ipv6_cidrs` - The IPv6 network ranges to allow, in CIDR notation.
(Optional) `prefix_lists` - The prefix list IDs to allow.
(Optional) `security_groups` - The source security group IDs to allow.
(Optional) `self` - Whether the security group itself will be added as a source to this ingress rule.
(Optional) `listener_ingress_ipv4_cidrs` - A list of IPv4 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_ipv6_cidrs` - A list of IPv6 CIDR ranges to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_prefix_lists` - A list of prefix list IDs for AWS services to allow on the listener port. Defaults to `[]`."
(Optional) `listener_ingress_security_groups` - A list of security group IDs to allow on the listener port. Defaults to `[]`." |
object({
enabled = optional(bool, true)
name = optional(string)
description = optional(string, "Managed by Terraform.")
ingress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[]
)
egress_rules = optional(
list(object({
id = string
description = optional(string, "Managed by Terraform.")
protocol = string
from_port = number
to_port = number
ipv4_cidrs = optional(list(string), [])
ipv6_cidrs = optional(list(string), [])
prefix_lists = optional(list(string), [])
security_groups = optional(list(string), [])
self = optional(bool, false)
})),
[{
id = "default"
description = "Allow all outbound traffic."
protocol = "-1"
from_port = 1
to_port = 65535
ipv4_cidrs = ["0.0.0.0/0"]
}]
)
listener_ingress_ipv4_cidrs = optional(list(string), [])
listener_ingress_ipv6_cidrs = optional(list(string), [])
listener_ingress_prefix_lists = optional(list(string), [])
listener_ingress_security_groups = optional(list(string), [])
})
| `{}` | no | | [deletion\_protection\_enabled](#input\_deletion\_protection\_enabled) | (Optional) Indicates whether deletion of the load balancer via the AWS API will be protected. Defaults to `false`. | `bool` | `false` | no | | [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are `IPV4` and `DUALSTACK`. | `string` | `"IPV4"` | no | | [is\_public](#input\_is\_public) | (Optional) Indicates whether the load balancer will be public. Defaults to `false`. | `bool` | `false` | no | -| [listeners](#input\_listeners) | (Optional) A list of listener configurations of the network load balancer. Listeners listen for connection requests using their `protocol` and `port`. Each value of `listener` block as defined below.
(Required) `port` - The number of port on which the listener of load balancer is listening.
(Required) `protocol` - The protocol for connections from clients to the load balancer. Valid values are `TCP`, `TLS`, `UDP` and `TCP_UDP`. Not valid to use `UDP` or `TCP_UDP` if dual-stack mode is enabled on the load balancer.
(Required) `target_group` - The ARN of the target group to which to route traffic.
(Optional) `tls` - The configuration for TLS listener of the load balancer. Required if `protocol` is `TLS`. `tls` block as defined below.
(Optional) `certificate` - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `additional_certificates` variable.
(Optional) `additional_certificates` - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) `security_policy` - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `TLS`. Recommend using the `ELBSecurityPolicy-TLS13-1-2-2021-06` security policy. This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.
(Optional) `alpn_policy` - The policy of the Application-Layer Protocol Negotiation (ALPN) to select. ALPN is a TLS extension that includes the protocol negotiation within the exchange of hello messages. Can be set if `protocol` is `TLS`. Valid values are `HTTP1Only`, `HTTP2Only`, `HTTP2Optional`, `HTTP2Preferred`, and `None`. Defaults to `None`. |
list(object({
port = number
protocol = string
target_group = string
tls = optional(object({
certificate = optional(string)
additional_certificates = optional(set(string), [])
security_policy = optional(string, "ELBSecurityPolicy-TLS13-1-2-2021-06")
alpn_policy = optional(string, "None")
}), {})
}))
| `[]` | no | +| [listeners](#input\_listeners) | (Optional) A list of listener configurations of the network load balancer. Listeners listen for connection requests using their `protocol` and `port`. Each value of `listener` block as defined below.
(Required) `port` - The number of port on which the listener of load balancer is listening.
(Required) `protocol` - The protocol for connections from clients to the load balancer. Valid values are `TCP`, `TLS`, `UDP` and `TCP_UDP`. Not valid to use `UDP` or `TCP_UDP` if dual-stack mode is enabled on the load balancer.
(Required) `target_group` - The ARN of the target group to which to route traffic.
(Optional) `tls` - The configuration for TLS listener of the load balancer. Required if `protocol` is `TLS`. `tls` block as defined below.
(Optional) `certificate` - The ARN of the default SSL server certificate. For adding additional SSL certificates, see the `additional_certificates` variable.
(Optional) `additional_certificates` - A set of ARNs of the certificate to attach to the listener. This is for additional certificates and does not replace the default certificate on the listener.
(Optional) `security_policy` - The name of security policy for a Secure Socket Layer (SSL) negotiation configuration. This is used to negotiate SSL connections with clients. Required if protocol is `TLS`. Recommend using the `ELBSecurityPolicy-TLS13-1-2-2021-06` security policy. This security policy includes TLS 1.3, which is optimized for security and performance, and is backward compatible with TLS 1.2.
(Optional) `alpn_policy` - The policy of the Application-Layer Protocol Negotiation (ALPN) to select. ALPN is a TLS extension that includes the protocol negotiation within the exchange of hello messages. Can be set if `protocol` is `TLS`. Valid values are `HTTP1Only`, `HTTP2Only`, `HTTP2Optional`, `HTTP2Preferred`, and `None`. Defaults to `None`. |
list(object({
port = number
protocol = string
target_group = string
tls = optional(object({
certificate = optional(string)
additional_certificates = optional(set(string), [])
security_policy = optional(string, "ELBSecurityPolicy-TLS13-1-2-2021-06")
alpn_policy = optional(string, "None")
}), {})
}))
| `[]` | no | | [module\_tags\_enabled](#input\_module\_tags\_enabled) | (Optional) Whether to create AWS Resource Tags for the module informations. | `bool` | `true` | no | -| [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the load balancer how routes traffic to targets in which subnets, and in accordance with IP address settings. Select at least one Availability Zone and one subnet for each zone. We recommend selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each value of `network_mapping` block as defined below.
(Required) `subnet` - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.
(Optional) `private_ipv4_address` - A private ipv4 address within the subnet to assign to the internal load balancer.
(Optional) `ipv6_address` - An ipv6 address within the subnet to assign to the internet-facing load balancer.
(Optional) `elastic_ip` - The allocation ID of the Elastic IP address. |
map(object({
subnet = string
private_ipv4_address = optional(string)
ipv6_address = optional(string)
elastic_ip = optional(string)
}))
| `{}` | no | -| [resource\_group\_description](#input\_resource\_group\_description) | (Optional) The description of Resource Group. | `string` | `"Managed by Terraform."` | no | -| [resource\_group\_enabled](#input\_resource\_group\_enabled) | (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. | `bool` | `true` | no | -| [resource\_group\_name](#input\_resource\_group\_name) | (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. | `string` | `""` | no | -| [route53\_resolver\_availability\_zone\_affinity](#input\_route53\_resolver\_availability\_zone\_affinity) | (Optional) A configuration to determine how traffic is distributed among the load balancer Availability Zones. Only applied to internal requests for clients resolving the load balancer DNS name using Route 53 Resolver. Valid values are `ANY`, `PARTIAL`, `ALL`. Defaults to `ANY`.
`ANY` - Client DNS queries will resolve to healthy load balancer IP addresses across all load balancer Availability Zones.
`PARTIAL` - 85% of client DNS queries will favor load balancer IP addresses in their own Availability Zone. The remaining queries will resolve to any zone. Resolving to any zone may also occur if there are no healthy load balancer IP addresses in the client's zone.
`ALL` - Client DNS queries will favor load balancer IP addresses in their own Availability Zone. Queries may resolve to other zones if there are no healthy load balancer IP addresses in their own zone.
balancer Availability Zones. | `string` | `"ANY"` | no | +| [network\_mapping](#input\_network\_mapping) | (Optional) The configuration for the load balancer how routes traffic to targets in which subnets, and in accordance with IP address settings. Select at least one Availability Zone and one subnet for each zone. We recommend selecting at least two Availability Zones. The load balancer will route traffic only to targets in the selected Availability Zones. Zones that are not supported by the load balancer or VPC cannot be selected. Subnets can be added, but not removed, once a load balancer is created. Each key of `network_mapping` is the availability zone id like `apne2-az1`, `use1-az1`. Each value of `network_mapping` block as defined below.
(Required) `subnet` - The id of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.
(Optional) `private_ipv4_address` - A private ipv4 address within the subnet to assign to the internal load balancer.
(Optional) `ipv6_address` - An ipv6 address within the subnet to assign to the internet-facing load balancer.
(Optional) `elastic_ip` - The allocation ID of the Elastic IP address. |
map(object({
subnet = string
private_ipv4_address = optional(string)
ipv6_address = optional(string)
elastic_ip = optional(string)
}))
| `{}` | no | +| [resource\_group](#input\_resource\_group) | (Optional) A configurations of Resource Group for this module. `resource_group` as defined below.
(Optional) `enabled` - Whether to create Resource Group to find and group AWS resources which are created by this module. Defaults to `true`.
(Optional) `name` - The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`. If not provided, a name will be generated using the module name and instance name.
(Optional) `description` - The description of Resource Group. Defaults to `Managed by Terraform.`. |
object({
enabled = optional(bool, true)
name = optional(string, "")
description = optional(string, "Managed by Terraform.")
})
| `{}` | no | +| [route53\_resolver\_availability\_zone\_affinity](#input\_route53\_resolver\_availability\_zone\_affinity) | (Optional) A configuration to determine how traffic is distributed among the load balancer Availability Zones. Only applied to internal requests for clients resolving the load balancer DNS name using Route 53 Resolver. Valid values are `ANY`, `PARTIAL`, `ALL`. Defaults to `ANY`.
`ANY` - Client DNS queries will resolve to healthy load balancer IP addresses across all load balancer Availability Zones.
`PARTIAL` - 85% of client DNS queries will favor load balancer IP addresses in their own Availability Zone. The remaining queries will resolve to any zone. Resolving to any zone may also occur if there are no healthy load balancer IP addresses in the client's zone.
`ALL` - Client DNS queries will favor load balancer IP addresses in their own Availability Zone. Queries may resolve to other zones if there are no healthy load balancer IP addresses in their own zone.
balancer Availability Zones. | `string` | `"ANY"` | no | | [security\_group\_evaluation\_on\_privatelink\_enabled](#input\_security\_group\_evaluation\_on\_privatelink\_enabled) | (Optional) Whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. Defaults to `false`. | `bool` | `false` | no | | [security\_groups](#input\_security\_groups) | (Optional) A list of security group IDs to assign to the Load Balancer. Security groups for Network Load Balancer cannot be added if none are currently present, and cannot all be removed once added. If either of these conditions are met, this will force a recreation of the resource. | `list(string)` | `[]` | no | | [tags](#input\_tags) | (Optional) A map of tags to add to all resources. | `map(string)` | `{}` | no | -| [timeouts](#input\_timeouts) | (Optional) How long to wait for the load balancer to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
| `{}` | no | +| [timeouts](#input\_timeouts) | (Optional) How long to wait for the load balancer to be created/updated/deleted. |
object({
create = optional(string, "10m")
update = optional(string, "10m")
delete = optional(string, "10m")
})
| `{}` | no | ## Outputs @@ -78,6 +76,7 @@ This module creates following resources. | [listeners](#output\_listeners) | The listeners of the network load balancer. | | [name](#output\_name) | The name of the load balancer. | | [network\_mapping](#output\_network\_mapping) | The configuration for the load balancer how routes traffic to targets in which subnets and IP address settings. | +| [resource\_group](#output\_resource\_group) | The resource group created to manage resources in this module. | | [security\_group\_evaluation\_on\_privatelink\_enabled](#output\_security\_group\_evaluation\_on\_privatelink\_enabled) | Whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through AWS PrivateLink. | | [security\_groups](#output\_security\_groups) | A set of security group IDs which is assigned to the load balancer. | | [subnets](#output\_subnets) | A list of subnet IDs attached to the load balancer. | diff --git a/modules/nlb/main.tf b/modules/nlb/main.tf index dc1481a..5745e7a 100644 --- a/modules/nlb/main.tf +++ b/modules/nlb/main.tf @@ -174,8 +174,10 @@ module "listener" { alpn_policy = each.value.tls.alpn_policy } - resource_group_enabled = false - module_tags_enabled = false + resource_group = { + enabled = false + } + module_tags_enabled = false tags = merge( local.module_tags, diff --git a/modules/nlb/outputs.tf b/modules/nlb/outputs.tf index 14d1b0e..fc1b699 100644 --- a/modules/nlb/outputs.tf +++ b/modules/nlb/outputs.tf @@ -96,3 +96,19 @@ output "listeners" { description = "The listeners of the network load balancer." value = module.listener } + +output "resource_group" { + description = "The resource group created to manage resources in this module." + value = merge( + { + enabled = var.resource_group.enabled && var.module_tags_enabled + }, + (var.resource_group.enabled && var.module_tags_enabled + ? { + arn = module.resource_group[0].arn + name = module.resource_group[0].name + } + : {} + ) + ) +} 
diff --git a/modules/nlb/resource-group.tf b/modules/nlb/resource-group.tf index 7487ba0..85c4fb0 100644 --- a/modules/nlb/resource-group.tf +++ b/modules/nlb/resource-group.tf @@ -1,6 +1,6 @@ locals { - resource_group_name = (var.resource_group_name != "" - ? var.resource_group_name + resource_group_name = (var.resource_group.name != "" + ? var.resource_group.name : join(".", [ local.metadata.package, local.metadata.module, @@ -12,12 +12,12 @@ locals { module "resource_group" { source = "tedilabs/misc/aws//modules/resource-group" - version = "~> 0.10.0" + version = "~> 0.12.0" - count = (var.resource_group_enabled && var.module_tags_enabled) ? 1 : 0 + count = (var.resource_group.enabled && var.module_tags_enabled) ? 1 : 0 name = local.resource_group_name - description = var.resource_group_description + description = var.resource_group.description query = { resource_tags = local.module_tags diff --git a/modules/nlb/variables.tf b/modules/nlb/variables.tf index f5fa62b..b90efb5 100644 --- a/modules/nlb/variables.tf +++ b/modules/nlb/variables.tf @@ -251,23 +251,21 @@ variable "module_tags_enabled" { # Resource Group ################################################### -variable "resource_group_enabled" { - description = "(Optional) Whether to create Resource Group to find and group AWS resources which are created by this module." - type = bool - default = true - nullable = false -} -variable "resource_group_name" { - description = "(Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with `AWS` or `aws`." - type = string - default = "" - nullable = false -} -variable "resource_group_description" { - description = "(Optional) The description of Resource Group." - type = string - default = "Managed by Terraform." - nullable = false + +variable "resource_group" { + description = <