From a4a79dfb66fd868d93b9405617c6ca8938a42893 Mon Sep 17 00:00:00 2001 From: Tushar Bhimrao Hawaldar Date: Fri, 4 Feb 2022 18:46:08 +0530 Subject: [PATCH 01/41] feat: Add support for enable_waf_fail_open and desync_mitigation_mode (#235) --- README.md | 6 ++++-- main.tf | 2 ++ variables.tf | 12 ++++++++++++ versions.tf | 2 +- 4 files changed, 19 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 982d9b3..590d619 100644 --- a/README.md +++ b/README.md @@ -293,13 +293,13 @@ module "lb" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.13.1 | -| [aws](#requirement\_aws) | >= 3.40 | +| [aws](#requirement\_aws) | >= 3.67 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.40 | +| [aws](#provider\_aws) | >= 3.67 | ## Modules 
@@ -324,10 +324,12 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | | [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | +| [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | `string` | `"defensive"` | no | | [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | | [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | | [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | | [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. | `bool` | `true` | no | +| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | | [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). | `list(map(string))` | `[]` | no | | [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. 
Required key/values: actions, conditions. Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | | [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | diff --git a/main.tf b/main.tf index c9ada7d..fba0654 100644 --- a/main.tf +++ b/main.tf @@ -15,6 +15,8 @@ resource "aws_lb" "this" { enable_http2 = var.enable_http2 ip_address_type = var.ip_address_type drop_invalid_header_fields = var.drop_invalid_header_fields + enable_waf_fail_open = var.enable_waf_fail_open + desync_mitigation_mode = var.desync_mitigation_mode # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) dynamic "access_logs" { diff --git a/variables.tf b/variables.tf index d2f407e..db3ca2f 100644 --- a/variables.tf +++ b/variables.tf @@ -195,3 +195,15 @@ variable "vpc_id" { type = string default = null } + +variable "enable_waf_fail_open" { + description = "Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF" + type = bool + default = false +} + +variable "desync_mitigation_mode" { + description = "Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync." + type = string + default = "defensive" +} diff --git a/versions.tf b/versions.tf index a7c7781..ef030ea 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.40" + version = ">= 3.67" } } } From cc6fa5705ade3b6bba4603eebb6dd95670e3e75c Mon Sep 17 00:00:00 2001 
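Review bot: in the variables.tf hunk, `desync_mitigation_mode` accepts any string, while the ALB API only takes `monitor`, `defensive` and `strictest`, so a typo is caught only at apply time. Add a `validation` block, e.g. `condition = contains(["monitor", "defensive", "strictest"], var.desync_mitigation_mode)`, and list the three values in the description. The `enable_waf_fail_open` description should also spell out what `true` means: requests the load balancer cannot hand to WAF are sent to targets unevaluated, so the `false` default is the fail-closed setting and flipping it trades WAF coverage for availability.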
From: semantic-release-bot Date: Fri, 4 Feb 2022 13:16:38 +0000 Subject: [PATCH 02/41] chore(release): version 6.7.0 [skip ci] ## [6.7.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.6.1...v6.7.0) (2022-02-04) ### Features * Add support for enable_waf_fail_open and desync_mitigation_mode ([#235](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/235)) ([a4a79df](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/a4a79dfb66fd868d93b9405617c6ca8938a42893)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index dd8d1a9..67b50df 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [6.7.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.6.1...v6.7.0) (2022-02-04) + + +### Features + +* Add support for enable_waf_fail_open and desync_mitigation_mode ([#235](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/235)) ([a4a79df](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/a4a79dfb66fd868d93b9405617c6ca8938a42893)) + ## [6.6.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.6.0...v6.6.1) (2021-11-22) From 34ba5062591068c77e2f8dc8c454284bbf039ddd Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Sat, 12 Mar 2022 11:33:49 +0100 Subject: [PATCH 03/41] feat: Made it clear that we stand with Ukraine --- README.md | 10 ++++++++++ main.tf | 20 ++++++++++++-------- variables.tf | 6 ++++++ 3 files changed, 28 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 590d619..5c0b0d2 100644 --- a/README.md +++ b/README.md 
@@ -2,6 +2,8 @@ Terraform module which creates Application and Network Load Balancer resources on AWS. +[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md) + ## Usage ### Application Load Balancer @@ -350,6 +352,7 @@ No modules. | [load\_balancer\_update\_timeout](#input\_load\_balancer\_update\_timeout) | Timeout value when updating the ALB. | `string` | `"10m"` | no | | [name](#input\_name) | The resource name and Name tag of the load balancer. | `string` | `null` | no | | [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no | +| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | | [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | | [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | | [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | 
@@ -384,3 +387,10 @@ Module is maintained by [Anton Babenko](https://github.com/antonbabenko) with he ## License Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/LICENSE) for full details. + +## Additional terms of use for users from Russia and Belarus + +By using the code provided in this repository you agree with the following: +* Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine). +* Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee. +* [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!) diff --git a/main.tf b/main.tf index fba0654..fa84b6a 100644 --- a/main.tf +++ b/main.tf @@ -1,5 +1,9 @@ +locals { + create_lb = var.create_lb && var.putin_khuylo +} + resource "aws_lb" "this" { - count = var.create_lb ? 1 : 0 + count = local.create_lb ? 1 : 0 name = var.name name_prefix = var.name_prefix @@ -56,7 +60,7 @@ resource "aws_lb" "this" { } resource "aws_lb_target_group" "main" { - count = var.create_lb ? length(var.target_groups) : 0 + count = local.create_lb ? length(var.target_groups) : 0 name = lookup(var.target_groups[count.index], "name", null) name_prefix = lookup(var.target_groups[count.index], "name_prefix", null) @@ -132,7 +136,7 @@ locals { } resource "aws_lb_target_group_attachment" "this" { - for_each = var.create_lb && local.target_group_attachments != null ? local.target_group_attachments : {} + for_each = local.create_lb && local.target_group_attachments != null ? local.target_group_attachments : {} target_group_arn = aws_lb_target_group.main[each.value.tg_index].arn target_id = each.value.target_id 
@@ -141,7 +145,7 @@ resource "aws_lb_target_group_attachment" "this" { } resource "aws_lb_listener_rule" "https_listener_rule" { - count = var.create_lb ? length(var.https_listener_rules) : 0 + count = local.create_lb ? length(var.https_listener_rules) : 0 listener_arn = aws_lb_listener.frontend_https[lookup(var.https_listener_rules[count.index], "https_listener_index", count.index)].arn priority = lookup(var.https_listener_rules[count.index], "priority", null) @@ -388,7 +392,7 @@ resource "aws_lb_listener_rule" "https_listener_rule" { } resource "aws_lb_listener_rule" "http_tcp_listener_rule" { - count = var.create_lb ? length(var.http_tcp_listener_rules) : 0 + count = local.create_lb ? length(var.http_tcp_listener_rules) : 0 listener_arn = aws_lb_listener.frontend_http_tcp[lookup(var.http_tcp_listener_rules[count.index], "http_tcp_listener_index", count.index)].arn priority = lookup(var.http_tcp_listener_rules[count.index], "priority", null) @@ -554,7 +558,7 @@ resource "aws_lb_listener_rule" "http_tcp_listener_rule" { } resource "aws_lb_listener" "frontend_http_tcp" { - count = var.create_lb ? length(var.http_tcp_listeners) : 0 + count = local.create_lb ? length(var.http_tcp_listeners) : 0 load_balancer_arn = aws_lb.this[0].arn @@ -602,7 +606,7 @@ resource "aws_lb_listener" "frontend_http_tcp" { } resource "aws_lb_listener" "frontend_https" { - count = var.create_lb ? length(var.https_listeners) : 0 + count = local.create_lb ? length(var.https_listeners) : 0 load_balancer_arn = aws_lb.this[0].arn @@ -697,7 +701,7 @@ resource "aws_lb_listener" "frontend_https" { } resource "aws_lb_listener_certificate" "https_listener" { - count = var.create_lb ? length(var.extra_ssl_certs) : 0 + count = local.create_lb ? length(var.extra_ssl_certs) : 0 listener_arn = aws_lb_listener.frontend_https[var.extra_ssl_certs[count.index]["https_listener_index"]].arn certificate_arn = var.extra_ssl_certs[count.index]["certificate_arn"] 
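Review bot: the first main.tf hunk makes `local.create_lb` the single creation gate and every later hunk in this file switches its `count`/`for_each` to it. Add a short comment above the new `locals` block stating that resources in this module must reference `local.create_lb`, not `var.create_lb`; without it, a resource added later that still uses `var.create_lb` gets planned while `aws_lb.this` and the target groups it indexes are not created, and the gate is silently bypassed.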
diff --git a/variables.tf b/variables.tf index db3ca2f..5ec54b2 100644 --- a/variables.tf +++ b/variables.tf @@ -207,3 +207,9 @@ variable "desync_mitigation_mode" { type = string default = "defensive" } + +variable "putin_khuylo" { + description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" + type = bool + default = true +} From c3cb92011c83d8cebfe356eaa51e93d76e545fdc Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 12 Mar 2022 10:34:27 +0000 Subject: [PATCH 04/41] chore(release): version 6.8.0 [skip ci] ## [6.8.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.7.0...v6.8.0) (2022-03-12) ### Features * Made it clear that we stand with Ukraine ([34ba506](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/34ba5062591068c77e2f8dc8c454284bbf039ddd)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 67b50df..405f5dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [6.8.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.7.0...v6.8.0) (2022-03-12) + + +### Features + +* Made it clear that we stand with Ukraine ([34ba506](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/34ba5062591068c77e2f8dc8c454284bbf039ddd)) + ## [6.7.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.6.1...v6.7.0) (2022-02-04) From fd88b42a60e2c2cc75d4f123f20c41e494b7385d Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Thu, 17 Mar 2022 16:42:54 +0100 Subject: [PATCH 05/41] chore: Updated information for users from Russia/Belarus --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 5c0b0d2..c93c027 100644 --- a/README.md +++ b/README.md 
@@ -388,9 +388,8 @@ Module is maintained by [Anton Babenko](https://github.com/antonbabenko) with he Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/LICENSE) for full details. -## Additional terms of use for users from Russia and Belarus +## Additional information for users from Russia and Belarus -By using the code provided in this repository you agree with the following: * Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine). * Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee. * [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!) From ba777608fce8a0fa5307222a9324fa54578ed437 Mon Sep 17 00:00:00 2001 From: gbloquel Date: Fri, 15 Apr 2022 21:44:49 +0200 Subject: [PATCH 06/41] feat: Added `weighted-forward` rules for HTTP (#236) --- .pre-commit-config.yaml | 4 +-- README.md | 2 +- examples/complete-alb/README.md | 4 +-- examples/complete-alb/main.tf | 58 +++++++++++++++++++++++++-------- examples/complete-nlb/README.md | 4 +-- examples/complete-nlb/main.tf | 17 ++++++---- main.tf | 38 ++++++++++++++++++--- 7 files changed, 97 insertions(+), 30 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 093121e..bbf2a55 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.62.3 + rev: v1.67.0 hooks: - id: terraform_fmt - id: terraform_validate 
@@ -23,7 +23,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.1.0 + rev: v4.2.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index c93c027..2052da1 100644 --- a/README.md +++ b/README.md @@ -268,7 +268,7 @@ It's recommended you use this module with [terraform-aws-vpc](https://registry.t ## Notes -1. Terraform AWS provider >= v2.39.0 (via Terraform >= 0.12) has [issue #16674](https://github.com/hashicorp/terraform-provider-aws/issues/16674) related to "Provider produced inconsistent final plan". It means that S3 bucket has to be created before referencing it as an argument inside `access_logs = { bucket = "my-already-created-bucket-for-logs" }`, so this won't work: `access_logs = { bucket = module.log_bucket.s3_bucket_id }`. +1. Terraform AWS provider version v2.39.0 and newer has [issue #16674](https://github.com/hashicorp/terraform-provider-aws/issues/16674) related to "Provider produced inconsistent final plan". It means that S3 bucket has to be created before referencing it as an argument inside `access_logs = { bucket = "my-already-created-bucket-for-logs" }`, so this won't work: `access_logs = { bucket = module.log_bucket.s3_bucket_id }`. ## Conditional creation diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index b6210c5..dc8e98d 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md 
@@ -38,7 +38,7 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 | | [alb](#module\_alb) | ../../ | n/a | -| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 2.0 | +| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 3.0 | | [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a | | [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | @@ -54,7 +54,7 @@ Note that this example may create resources which cost money. Run `terraform des | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | -| [aws_subnet_ids.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | +| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index 401a9c6..2ffbd94 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf @@ -13,8 +13,11 @@ data "aws_vpc" "default" { default = true } -data "aws_subnet_ids" "all" { - vpc_id = data.aws_vpc.default.id +data "aws_subnets" "all" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } } resource "random_pet" "this" { 
@@ -38,21 +41,21 @@ module "security_group" { egress_rules = ["all-all"] } -# module "log_bucket" { -# source = "terraform-aws-modules/s3-bucket/aws" -# version = "~> 1.0" +#module "log_bucket" { +# source = "terraform-aws-modules/s3-bucket/aws" +# version = "~> 3.0" # -# bucket = "logs-${random_pet.this.id}" -# acl = "log-delivery-write" -# force_destroy = true -# attach_elb_log_delivery_policy = true -# } +# bucket = "logs-${random_pet.this.id}" +# acl = "log-delivery-write" +# force_destroy = true +# attach_elb_log_delivery_policy = true +#} module "acm" { source = "terraform-aws-modules/acm/aws" version = "~> 3.0" - domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") # Terraform >= 0.12.17 + domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") zone_id = data.aws_route53_zone.this.id } @@ -90,7 +93,7 @@ module "alb" { vpc_id = data.aws_vpc.default.id security_groups = [module.security_group.security_group_id] - subnets = data.aws_subnet_ids.all.ids + subnets = data.aws_subnets.all.ids # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) # access_logs = { @@ -314,6 +317,35 @@ module "alb" { }] }] }, + { + http_tcp_listener_index = 0 + priority = 4 + + actions = [{ + type = "weighted-forward" + target_groups = [ + { + target_group_index = 1 + weight = 2 + }, + { + target_group_index = 0 + weight = 1 + } + ] + stickiness = { + enabled = true + duration = 3600 + } + }] + + conditions = [{ + query_strings = [{ + key = "weighted" + value = "true" + }] + }] + }, { http_tcp_listener_index = 0 priority = 5000 @@ -470,7 +502,7 @@ resource "null_resource" "download_package" { module "lambda_function" { source = "terraform-aws-modules/lambda/aws" - version = "~> 2.0" + version = "~> 3.0" function_name = "${random_pet.this.id}-lambda" description = "My awesome lambda function" 
diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index f004eee..e54a154 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -34,7 +34,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Source | Version | |------|--------|---------| -| [acm](#module\_acm) | terraform-aws-modules/acm/aws | n/a | +| [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 | | [nlb](#module\_nlb) | ../../ | n/a | ## Resources @@ -44,7 +44,7 @@ Note that this example may create resources which cost money. Run `terraform des | [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | -| [aws_subnet_ids.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnet_ids) | data source | +| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | | [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf index c6af676..ec9c6e2 100644 --- a/examples/complete-nlb/main.tf +++ b/examples/complete-nlb/main.tf @@ -13,8 +13,11 @@ data "aws_vpc" "default" { default = true } -data "aws_subnet_ids" "all" { - vpc_id = data.aws_vpc.default.id +data "aws_subnets" "all" { + filter { + name = "vpc-id" + values = [data.aws_vpc.default.id] + } } resource "random_pet" "this" { 
@@ -27,6 +30,7 @@ data "aws_route53_zone" "this" { # module "log_bucket" { # source = "terraform-aws-modules/s3-bucket/aws" +# version = "~> 3.0" # # bucket = "logs-${random_pet.this.id}" # acl = "log-delivery-write" @@ -35,14 +39,15 @@ data "aws_route53_zone" "this" { # } module "acm" { - source = "terraform-aws-modules/acm/aws" + source = "terraform-aws-modules/acm/aws" + version = "~> 3.0" - domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") # Terraform >= 0.12.17 + domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") zone_id = data.aws_route53_zone.this.id } resource "aws_eip" "this" { - count = length(data.aws_subnet_ids.all.ids) + count = length(data.aws_subnets.all.ids) vpc = true } @@ -63,7 +68,7 @@ module "nlb" { # subnets = tolist(data.aws_subnet_ids.all.ids) # Use `subnet_mapping` to attach EIPs - subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : tolist(data.aws_subnet_ids.all.ids)[i] }] + subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : tolist(data.aws_subnets.all.ids)[i] }] # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) # access_logs = { diff --git a/main.tf b/main.tf index fa84b6a..c165dd4 100644 --- a/main.tf +++ b/main.tf 
@@ -22,14 +22,13 @@ resource "aws_lb" "this" { enable_waf_fail_open = var.enable_waf_fail_open desync_mitigation_mode = var.desync_mitigation_mode - # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) dynamic "access_logs" { for_each = length(keys(var.access_logs)) == 0 ? [] : [var.access_logs] content { - enabled = lookup(access_logs.value, "enabled", lookup(access_logs.value, "bucket", null) != null) - bucket = lookup(access_logs.value, "bucket", null) - prefix = lookup(access_logs.value, "prefix", null) + enabled = try(access_logs.value.enabled, try(access_logs.value.bucket, null) != null) + bucket = try(access_logs.value.bucket, null) + prefix = try(access_logs.value.prefix, null) } } @@ -450,6 +449,37 @@ resource "aws_lb_listener_rule" "http_tcp_listener_rule" { } } + # weighted forward actions + dynamic "action" { + for_each = [ + for action_rule in var.http_tcp_listener_rules[count.index].actions : + action_rule + if action_rule.type == "weighted-forward" + ] + + content { + type = "forward" + forward { + dynamic "target_group" { + for_each = action.value["target_groups"] + + content { + arn = aws_lb_target_group.main[target_group.value["target_group_index"]].id + weight = target_group.value["weight"] + } + } + dynamic "stickiness" { + for_each = [lookup(action.value, "stickiness", {})] + + content { + enabled = try(stickiness.value["enabled"], false) + duration = try(stickiness.value["duration"], 1) + } + } + } + } + } + # Path Pattern condition dynamic "condition" { for_each = [ From 5108b4dbf8099c1432cf17a4b06133634e97d9ab Mon Sep 17 00:00:00 2001 
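Review bot: in the examples/complete-nlb/main.tf hunk at `subnet_mapping`, the unchanged comment line `# subnets = tolist(data.aws_subnet_ids.all.ids)` still points at the `aws_subnet_ids` data source this patch removes; change it to `data.aws_subnets.all.ids` or drop it, so the example does not document a reference that no longer resolves.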
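Review bot: in the main.tf weighted-forward hunk, `for_each = [lookup(action.value, "stickiness", {})]` always yields exactly one element, so every weighted-forward action renders a `stickiness { enabled = false duration = 1 }` block even when the rule does not ask for stickiness; `for_each = try([action.value.stickiness], [])` emits the block only when it is configured. Smaller point: `arn = aws_lb_target_group.main[...].id` works only because that resource's `id` happens to be its ARN; `.arn` says what is meant.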
From: semantic-release-bot Date: Fri, 15 Apr 2022 19:45:16 +0000 Subject: [PATCH 07/41] chore(release): version 6.9.0 [skip ci] ## [6.9.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.8.0...v6.9.0) (2022-04-15) ### Features * Added `weighted-forward` rules for HTTP ([#236](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/236)) ([ba77760](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/ba777608fce8a0fa5307222a9324fa54578ed437)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 405f5dc..4073042 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [6.9.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.8.0...v6.9.0) (2022-04-15) + + +### Features + +* Added `weighted-forward` rules for HTTP ([#236](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/236)) ([ba77760](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/ba777608fce8a0fa5307222a9324fa54578ed437)) + ## [6.8.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.7.0...v6.8.0) (2022-03-12) From a01b7cafa95b9770768a4430630ab0f88379fce8 Mon Sep 17 00:00:00 2001 From: SlavaSubotskiy Date: Thu, 21 Apr 2022 13:39:31 +0300 Subject: [PATCH 08/41] feat: Added missing `cookie_name` TG stickiness parameter support (#245) --- main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/main.tf b/main.tf index c165dd4..8001ced 100644 --- a/main.tf +++ b/main.tf @@ -100,6 +100,7 @@ resource "aws_lb_target_group" "main" { enabled = lookup(stickiness.value, "enabled", null) cookie_duration = lookup(stickiness.value, "cookie_duration", null) type = lookup(stickiness.value, "type", null) + cookie_name = lookup(stickiness.value, "cookie_name", null) } } From 596cc0f30f84f0b5f28570aab10f9eee10eed8d5 Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Thu, 21 Apr 2022 10:40:07 +0000 Subject: [PATCH 09/41] chore(release): version 6.10.0 [skip ci] ## [6.10.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.9.0...v6.10.0) (2022-04-21) ### Features * Added missing `cookie_name` TG stickiness parameter support ([#245](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/245)) ([a01b7ca](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/a01b7cafa95b9770768a4430630ab0f88379fce8)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4073042..fc563e2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [6.10.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.9.0...v6.10.0) (2022-04-21) + + +### Features + +* Added missing `cookie_name` TG stickiness parameter support ([#245](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/245)) ([a01b7ca](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/a01b7cafa95b9770768a4430630ab0f88379fce8)) + ## [6.9.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.8.0...v6.9.0) (2022-04-15) From e79573d0869ca91fb088e91bc8a3429ecc60c1f8 Mon Sep 17 00:00:00 2001 From: Eamonn Moloney Date: Fri, 20 May 2022 12:53:23 +0100 Subject: [PATCH 10/41] feat: Added support for lambda permissions when the target is a lambda function (#240) --- .pre-commit-config.yaml | 2 +- README.md | 11 ++++---- examples/complete-alb/README.md | 3 ++- examples/complete-alb/main.tf | 45 +++++++++++++++++++++++++-------- main.tf | 24 ++++++++++++++++++ 5 files changed, 68 insertions(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index bbf2a55..19dda01 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.67.0 + rev: v1.71.0 hooks: - id: terraform_fmt - id: terraform_validate diff --git a/README.md b/README.md index 2052da1..4b90900 100644 --- a/README.md +++ b/README.md @@ -33,16 +33,16 @@ module "alb" { backend_protocol = "HTTP" backend_port = 80 target_type = "instance" - targets = [ - { + targets = { + my_target = { target_id = "i-0123456789abcdefg" port = 80 - }, - { + } + my_other_target = { target_id = "i-a1b2c3d4e5f6g7h8i" port = 8080 } - ] + } } ] @@ -311,6 +311,7 @@ No modules. | Name | Type | |------|------| +| [aws_lambda_permission.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | | [aws_lb.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | | [aws_lb_listener.frontend_http_tcp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | | [aws_lb_listener.frontend_https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index dc8e98d..ead2e9a 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md 
@@ -38,7 +38,8 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 | | [alb](#module\_alb) | ../../ | n/a | -| [lambda\_function](#module\_lambda\_function) | terraform-aws-modules/lambda/aws | ~> 3.0 | +| [lambda\_with\_allowed\_triggers](#module\_lambda\_with\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 | +| [lambda\_without\_allowed\_triggers](#module\_lambda\_without\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 | | [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a | | [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index 2ffbd94..54814a8 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf @@ -405,13 +405,18 @@ module "alb" { target_type = "lambda" lambda_multi_value_headers_enabled = true targets = { - # Lambda function permission should be granted before - # it is used. There can be an error: - # NB: Error registering targets with target group: - # AccessDenied: elasticloadbalancing principal does not - # have permission to invoke ... from target group ... - my_lambda = { - target_id = module.lambda_function.lambda_function_arn + lambda_with_allowed_triggers = { + target_id = module.lambda_with_allowed_triggers.lambda_function_arn + } + } + }, + { + name_prefix = "l2-" + target_type = "lambda" + targets = { + lambda_without_allowed_triggers = { + target_id = module.lambda_without_allowed_triggers.lambda_function_arn + attach_lambda_permission = true } } }, 
@@ -500,12 +505,12 @@ resource "null_resource" "download_package" { } } -module "lambda_function" { +module "lambda_with_allowed_triggers" { source = "terraform-aws-modules/lambda/aws" version = "~> 3.0" - function_name = "${random_pet.this.id}-lambda" - description = "My awesome lambda function" + function_name = "${random_pet.this.id}-with-allowed-triggers" + description = "My awesome lambda function (with allowed triggers)" handler = "index.lambda_handler" runtime = "python3.8" @@ -523,3 +528,23 @@ module "lambda_function" { depends_on = [null_resource.download_package] } + +module "lambda_without_allowed_triggers" { + source = "terraform-aws-modules/lambda/aws" + version = "~> 3.0" + + function_name = "${random_pet.this.id}-without-allowed-triggers" + description = "My awesome lambda function (without allowed triggers)" + handler = "index.lambda_handler" + runtime = "python3.8" + + publish = true + + create_package = false + local_existing_package = local.downloaded + + # Allowed triggers will be managed by ALB module + allowed_triggers = {} + + depends_on = [null_resource.download_package] +} diff --git a/main.tf b/main.tf index 8001ced..6c0a168 100644 --- a/main.tf +++ b/main.tf 
@@ -133,6 +133,28 @@ locals { if k == "targets" ] ])...) + + # Filter out the attachments for lambda functions. The ALB target group needs permission to forward a request on to + # the specified lambda function. This filtered list is used to create those permission resources + target_group_attachments_lambda = { + for k, v in local.target_group_attachments : + (k) => merge(v, { lambda_function_name = split(":", v.target_id)[6] }) + if try(v.attach_lambda_permission, false) + } +} + +resource "aws_lambda_permission" "lb" { + for_each = var.create_lb && local.target_group_attachments_lambda != null ? local.target_group_attachments_lambda : {} + + function_name = each.value.lambda_function_name + qualifier = try(each.value.lambda_qualifier, null) + + statement_id = try(each.value.lambda_statement_id, "AllowExecutionFromLb") + action = try(each.value.lambda_action, "lambda:InvokeFunction") + principal = try(each.value.lambda_principal, "elasticloadbalancing.amazonaws.com") + source_arn = aws_lb_target_group.main[each.value.tg_index].arn + source_account = try(each.value.lambda_source_account, null) + event_source_token = try(each.value.lambda_event_source_token, null) } resource "aws_lb_target_group_attachment" "this" { @@ -142,6 +164,8 @@ resource "aws_lb_target_group_attachment" "this" { target_id = each.value.target_id port = lookup(each.value, "port", null) availability_zone = lookup(each.value, "availability_zone", null) + + depends_on = [aws_lambda_permission.lb] } resource "aws_lb_listener_rule" "https_listener_rule" { From 9ac31e7173c5f57c3fbb692a229008a150b2f064 Mon Sep 17 00:00:00 2001 
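Review bot: In the main.tf hunk, `aws_lambda_permission.lb` gates its `for_each` on `var.create_lb` while the sibling `aws_lb_target_group_attachment.this` gates on `local.create_lb`, so the two resources can disagree when the local is derived from more than the variable; also `local.target_group_attachments_lambda != null` is always true for a map built by a `for` expression. Suggest `for_each = { for k, v in local.target_group_attachments_lambda : k => v if local.create_lb }`. The permission itself is well scoped (`principal = "elasticloadbalancing.amazonaws.com"` plus `source_arn` of the specific target group rather than a wildcard), which is the shape you want against a confused-deputy invocation; one caveat is that `split(":", v.target_id)[6]` assumes `target_id` is a full function ARN and will error on anything shorter, so a short comment stating that expectation would help users debugging it.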
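Review bot: In the examples/complete-alb/main.tf hunk, the deleted comment about `AccessDenied: elasticloadbalancing principal does not have permission to invoke ...` was the only place the ordering problem was documented, and the new `attach_lambda_permission = true` on `lambda_without_allowed_triggers` is added without explanation. Suggest a one-line comment above it saying that the ALB module creates the `aws_lambda_permission` for that target, while `lambda_with_allowed_triggers` relies on the Lambda module's own `allowed_triggers` instead, so readers see why the two targets differ.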
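Review bot: In the root README.md hunk, `targets` changes from a list of objects (`- targets = [ ... ]`) to a map keyed by name (`+ targets = { my_target = { ... } }`). If the list form was accepted before, existing callers break on upgrade, which the `feat:` subject and the 6.11.0 "Features" changelog entry do not signal; either document the map requirement as a breaking change or note in the README that both forms are accepted.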
From: semantic-release-bot Date: Fri, 20 May 2022 11:53:52 +0000 Subject: [PATCH 11/41] chore(release): version 6.11.0 [skip ci] ## [6.11.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.10.0...v6.11.0) (2022-05-20) ### Features * Added support for lambda permissions when the target is a lambda function ([#240](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/240)) ([e79573d](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/e79573d0869ca91fb088e91bc8a3429ecc60c1f8)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc563e2..38bc1dc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [6.11.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.10.0...v6.11.0) (2022-05-20) + + +### Features + +* Added support for lambda permissions when the target is a lambda function ([#240](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/240)) ([e79573d](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/e79573d0869ca91fb088e91bc8a3429ecc60c1f8)) + ## [6.10.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.9.0...v6.10.0) (2022-04-21) From 25d31ee31d3a29783568b31dc883eba52de14c9d Mon Sep 17 00:00:00 2001 
From: Anton Babenko Date: Mon, 23 May 2022 17:45:32 +0200 Subject: [PATCH 12/41] feat!: Upgraded Terraform version to 1.0+. Added wrappers. (#249) --- .github/workflows/pre-commit.yml | 8 +++ .pre-commit-config.yaml | 1 + README.md | 2 +- examples/complete-alb/README.md | 2 +- examples/complete-alb/versions.tf | 2 +- examples/complete-nlb/README.md | 2 +- examples/complete-nlb/versions.tf | 2 +- main.tf | 4 +- versions.tf | 2 +- wrappers/README.md | 100 ++++++++++++++++++++++++++++++ wrappers/main.tf | 42 +++++++++++++ wrappers/outputs.tf | 5 ++ wrappers/variables.tf | 11 ++++ wrappers/versions.tf | 3 + 14 files changed, 178 insertions(+), 8 deletions(-) create mode 100644 wrappers/README.md create mode 100644 wrappers/main.tf create mode 100644 wrappers/outputs.tf create mode 100644 wrappers/variables.tf create mode 100644 wrappers/versions.tf diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index b8f1b8a..adea23e 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -71,6 +71,14 @@ jobs: id: minMax uses: clowdhaus/terraform-min-max@v1.0.3 + - name: Install hcledit (for terraform_wrapper_module_for_each hook) + shell: bash + run: | + curl -L "$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > hcledit.tgz + sudo tar -xzf hcledit.tgz -C /usr/bin/ hcledit + rm -f hcledit.tgz 2> /dev/null + hcledit version + - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 with: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 19dda01..954c537 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -3,6 +3,7 @@ repos: rev: v1.71.0 hooks: - id: terraform_fmt + - id: terraform_wrapper_module_for_each - id: terraform_validate - id: terraform_docs args: diff --git a/README.md b/README.md index 4b90900..79dfe5b 100644 --- a/README.md 
+++ b/README.md @@ -294,7 +294,7 @@ module "lb" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 3.67 | ## Providers diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index ead2e9a..8611ebe 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md @@ -19,7 +19,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 3.40 | | [null](#requirement\_null) | >= 2.0 | | [random](#requirement\_random) | >= 2.0 | diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf index 7dd3807..8317cb9 100644 --- a/examples/complete-alb/versions.tf +++ b/examples/complete-alb/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0.0" required_providers { aws = { diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index e54a154..88aefba 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -19,7 +19,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 0.13.1 | +| [terraform](#requirement\_terraform) | >= 1.0.0 | | [aws](#requirement\_aws) | >= 3.40 | | [random](#requirement\_random) | >= 2.0 | diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf index 2fc3eef..45d645c 100644 --- a/examples/complete-nlb/versions.tf +++ b/examples/complete-nlb/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0.0" required_providers { aws = { 
diff --git a/main.tf b/main.tf index 6c0a168..59a2510 100644 --- a/main.tf +++ b/main.tf @@ -144,7 +144,7 @@ locals { } resource "aws_lambda_permission" "lb" { - for_each = var.create_lb && local.target_group_attachments_lambda != null ? local.target_group_attachments_lambda : {} + for_each = { for k, v in local.target_group_attachments_lambda : k => v if local.create_lb } function_name = each.value.lambda_function_name qualifier = try(each.value.lambda_qualifier, null) @@ -158,7 +158,7 @@ resource "aws_lambda_permission" "lb" { } resource "aws_lb_target_group_attachment" "this" { - for_each = local.create_lb && local.target_group_attachments != null ? local.target_group_attachments : {} + for_each = { for k, v in local.target_group_attachments : k => v if local.create_lb } target_group_arn = aws_lb_target_group.main[each.value.tg_index].arn target_id = each.value.target_id diff --git a/versions.tf b/versions.tf index ef030ea..5f49438 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 0.13.1" + required_version = ">= 1.0.0" required_providers { aws = { diff --git a/wrappers/README.md b/wrappers/README.md new file mode 100644 index 0000000..909f5ab --- /dev/null +++ b/wrappers/README.md 
@@ -0,0 +1,100 @@ +# Wrapper for the root module + +The configuration in this directory contains an implementation of a single module wrapper pattern, which allows managing several copies of a module in places where using the native Terraform 0.13+ `for_each` feature is not feasible (e.g., with Terragrunt). + +You may want to use a single Terragrunt configuration file to manage multiple resources without duplicating `terragrunt.hcl` files for each copy of the same module. + +This wrapper does not implement any extra functionality. + +## Usage with Terragrunt + +`terragrunt.hcl`: + +```hcl +terraform { + source = "tfr:///terraform-aws-modules/alb/aws//wrappers" + # Alternative source: + # source = "git::git@github.com:terraform-aws-modules/terraform-aws-alb.git?ref=master//wrappers" +} + +inputs = { + defaults = { # Default values + create = true + tags = { + Terraform = "true" + Environment = "dev" + } + } + + items = { + my-item = { + # omitted... can be any argument supported by the module + } + my-second-item = { + # omitted... can be any argument supported by the module + } + # omitted... + } +} +``` + +## Usage with Terraform + +```hcl +module "wrapper" { + source = "terraform-aws-modules/alb/aws//wrappers" + + defaults = { # Default values + create = true + tags = { + Terraform = "true" + Environment = "dev" + } + } + + items = { + my-item = { + # omitted... can be any argument supported by the module + } + my-second-item = { + # omitted... can be any argument supported by the module + } + # omitted... 
+ } +} +``` + +## Example: Manage multiple S3 buckets in one Terragrunt layer + +`eu-west-1/s3-buckets/terragrunt.hcl`: + +```hcl +terraform { + source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers" + # Alternative source: + # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=master//wrappers" +} + +inputs = { + defaults = { + force_destroy = true + + attach_elb_log_delivery_policy = true + attach_lb_log_delivery_policy = true + attach_deny_insecure_transport_policy = true + attach_require_latest_tls_policy = true + } + + items = { + bucket1 = { + bucket = "my-random-bucket-1" + } + bucket2 = { + bucket = "my-random-bucket-2" + tags = { + Secure = "probably" + } + } + } +} +``` diff --git a/wrappers/main.tf b/wrappers/main.tf new file mode 100644 index 0000000..a05a3cd --- /dev/null +++ b/wrappers/main.tf 
@@ -0,0 +1,42 @@ +module "wrapper" { + source = "../" + + for_each = var.items + + create_lb = try(each.value.create_lb, var.defaults.create_lb, true) + drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, false) + enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, false) + enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, true) + enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, false) + extra_ssl_certs = try(each.value.extra_ssl_certs, var.defaults.extra_ssl_certs, []) + https_listeners = try(each.value.https_listeners, var.defaults.https_listeners, []) + http_tcp_listeners = try(each.value.http_tcp_listeners, var.defaults.http_tcp_listeners, []) + https_listener_rules = try(each.value.https_listener_rules, var.defaults.https_listener_rules, []) + http_tcp_listener_rules = try(each.value.http_tcp_listener_rules, var.defaults.http_tcp_listener_rules, []) + idle_timeout = try(each.value.idle_timeout, var.defaults.idle_timeout, 60) + ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, "ipv4") + listener_ssl_policy_default = try(each.value.listener_ssl_policy_default, var.defaults.listener_ssl_policy_default, "ELBSecurityPolicy-2016-08") + internal = try(each.value.internal, var.defaults.internal, false) + load_balancer_create_timeout = try(each.value.load_balancer_create_timeout, var.defaults.load_balancer_create_timeout, "10m") + load_balancer_delete_timeout = try(each.value.load_balancer_delete_timeout, var.defaults.load_balancer_delete_timeout, "10m") + name = try(each.value.name, var.defaults.name, null) + name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) + load_balancer_type = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application") + load_balancer_update_timeout = 
try(each.value.load_balancer_update_timeout, var.defaults.load_balancer_update_timeout, "10m") + access_logs = try(each.value.access_logs, var.defaults.access_logs, {}) + subnets = try(each.value.subnets, var.defaults.subnets, null) + subnet_mapping = try(each.value.subnet_mapping, var.defaults.subnet_mapping, []) + tags = try(each.value.tags, var.defaults.tags, {}) + lb_tags = try(each.value.lb_tags, var.defaults.lb_tags, {}) + target_group_tags = try(each.value.target_group_tags, var.defaults.target_group_tags, {}) + https_listener_rules_tags = try(each.value.https_listener_rules_tags, var.defaults.https_listener_rules_tags, {}) + http_tcp_listener_rules_tags = try(each.value.http_tcp_listener_rules_tags, var.defaults.http_tcp_listener_rules_tags, {}) + https_listeners_tags = try(each.value.https_listeners_tags, var.defaults.https_listeners_tags, {}) + http_tcp_listeners_tags = try(each.value.http_tcp_listeners_tags, var.defaults.http_tcp_listeners_tags, {}) + security_groups = try(each.value.security_groups, var.defaults.security_groups, []) + target_groups = try(each.value.target_groups, var.defaults.target_groups, []) + vpc_id = try(each.value.vpc_id, var.defaults.vpc_id, null) + enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, false) + desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, "defensive") + putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true) +} diff --git a/wrappers/outputs.tf b/wrappers/outputs.tf new file mode 100644 index 0000000..5da7c09 --- /dev/null +++ b/wrappers/outputs.tf @@ -0,0 +1,5 @@ +output "wrapper" { + description = "Map of outputs of a wrapper." + value = module.wrapper + # sensitive = false # No sensitive module output found +} diff --git a/wrappers/variables.tf b/wrappers/variables.tf new file mode 100644 index 0000000..a6ea096 --- /dev/null +++ b/wrappers/variables.tf 
@@ -0,0 +1,11 @@ +variable "defaults" { + description = "Map of default values which will be used for each item." + type = any + default = {} +} + +variable "items" { + description = "Maps of items to create a wrapper from. Values are passed through to the module." + type = any + default = {} +} diff --git a/wrappers/versions.tf b/wrappers/versions.tf new file mode 100644 index 0000000..51cad10 --- /dev/null +++ b/wrappers/versions.tf @@ -0,0 +1,3 @@ +terraform { + required_version = ">= 0.13.1" +} From d82d442b53f7312c4d91db71debe226dd048766b Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Mon, 23 May 2022 15:46:05 +0000 Subject: [PATCH 13/41] chore(release): version 7.0.0 [skip ci] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## [7.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.11.0...v7.0.0) (2022-05-23) ### ⚠ BREAKING CHANGES * Upgraded Terraform version to 1.0+. Added wrappers. (#249) ### Features * Upgraded Terraform version to 1.0+. Added wrappers. ([#249](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/249)) ([25d31ee](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/25d31ee31d3a29783568b31dc883eba52de14c9d)) --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 38bc1dc..88e0c22 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
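Review bot: In the .github/workflows/pre-commit.yml hunk, the hcledit install step downloads whatever `releases/latest` resolves to and extracts it into `/usr/bin/` with `sudo`, with no version pin and no checksum verification, so a swapped or compromised release asset would execute with root in CI. Suggest pinning the release tag in the URL and checking the archive against a recorded SHA-256 (`sha256sum -c`) before the `tar` step, or installing via a pinned action.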
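Review bot: In the wrappers/versions.tf hunk, `required_version = ">= 0.13.1"` while this same commit raises the root module and both examples to `>= 1.0.0`; since `wrappers/main.tf` sources `../`, the wrapper cannot actually run on 0.13, so align it to `required_version = ">= 1.0.0"`.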
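Review bot: In the wrappers/README.md hunk, the "Example: Manage multiple S3 buckets in one Terragrunt layer" section points at `tfr:///terraform-aws-modules/s3-bucket/aws//wrappers` and S3-only inputs (`attach_deny_insecure_transport_policy`, `attach_require_latest_tls_policy`), which does not belong in the ALB module's wrapper docs. Suggest replacing it with an ALB example, for instance two load balancers sharing `defaults` such as `drop_invalid_header_fields = true` and `enable_deletion_protection = true` (both are inputs exposed in wrappers/main.tf), or dropping the section.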
@@ -2,6 +2,17 @@ All notable changes to this project will be documented in this file. +## [7.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.11.0...v7.0.0) (2022-05-23) + + +### ⚠ BREAKING CHANGES + +* Upgraded Terraform version to 1.0+. Added wrappers. (#249) + +### Features + +* Upgraded Terraform version to 1.0+. Added wrappers. ([#249](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/249)) ([25d31ee](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/25d31ee31d3a29783568b31dc883eba52de14c9d)) + ## [6.11.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.10.0...v6.11.0) (2022-05-20) From 5d080446f6e74d6dcbc6ff6110633d3e6e48c909 Mon Sep 17 00:00:00 2001 From: Warren Krewenki <19960+krewenki@users.noreply.github.com> Date: Fri, 16 Sep 2022 06:00:21 -0300 Subject: [PATCH 14/41] feat!: Add ip_address_type to target group resource, bumped AWS provider version (#255) --- README.md | 4 ++-- examples/complete-alb/README.md | 4 ++-- examples/complete-alb/versions.tf | 2 +- examples/complete-nlb/README.md | 4 ++-- examples/complete-nlb/versions.tf | 2 +- main.tf | 1 + versions.tf | 2 +- 7 files changed, 10 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 79dfe5b..a423cfc 100644 --- a/README.md +++ b/README.md @@ -295,13 +295,13 @@ module "lb" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.67 | +| [aws](#requirement\_aws) | >= 4.27.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.67 | +| [aws](#provider\_aws) | >= 4.27.0 | ## Modules diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index 8611ebe..56e70dd 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md 
@@ -20,7 +20,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.40 | +| [aws](#requirement\_aws) | >= 4.27.0 | | [null](#requirement\_null) | >= 2.0 | | [random](#requirement\_random) | >= 2.0 | @@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.40 | +| [aws](#provider\_aws) | >= 4.27.0 | | [null](#provider\_null) | >= 2.0 | | [random](#provider\_random) | >= 2.0 | diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf index 8317cb9..5d92edf 100644 --- a/examples/complete-alb/versions.tf +++ b/examples/complete-alb/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.40" + version = ">= 4.27.0" } random = { source = "hashicorp/random" diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index 88aefba..db8a2c9 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 3.40 | +| [aws](#requirement\_aws) | >= 4.27.0 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 3.40 | +| [aws](#provider\_aws) | >= 4.27.0 | | [random](#provider\_random) | >= 2.0 | ## Modules diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf index 45d645c..af77374 100644 --- a/examples/complete-nlb/versions.tf +++ b/examples/complete-nlb/versions.tf 
@@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.40" + version = ">= 4.27.0" } random = { source = "hashicorp/random" diff --git a/main.tf b/main.tf index 59a2510..90d68b1 100644 --- a/main.tf +++ b/main.tf @@ -76,6 +76,7 @@ resource "aws_lb_target_group" "main" { lambda_multi_value_headers_enabled = lookup(var.target_groups[count.index], "lambda_multi_value_headers_enabled", false) load_balancing_algorithm_type = lookup(var.target_groups[count.index], "load_balancing_algorithm_type", null) preserve_client_ip = lookup(var.target_groups[count.index], "preserve_client_ip", null) + ip_address_type = lookup(var.target_groups[count.index], "ip_address_type", null) dynamic "health_check" { for_each = length(keys(lookup(var.target_groups[count.index], "health_check", {}))) == 0 ? [] : [lookup(var.target_groups[count.index], "health_check", {})] diff --git a/versions.tf b/versions.tf index 5f49438..65759b7 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 3.67" + version = ">= 4.27.0" } } } From a141aacf2a355d2466b41c81450bb0bb7dcec9bb Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 16 Sep 2022 09:00:55 +0000 Subject: [PATCH 15/41] chore(release): version 8.0.0 [skip ci] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## [8.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v7.0.0...v8.0.0) (2022-09-16) ### ⚠ BREAKING CHANGES * Add ip_address_type to target group resource, bumped AWS provider version (#255) ### Features * Add ip_address_type to target group resource, bumped AWS provider version ([#255](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/255)) ([5d08044](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/5d080446f6e74d6dcbc6ff6110633d3e6e48c909)) --- CHANGELOG.md | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 88e0c22..8ad84db 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,17 @@ All notable changes to this project will be documented in this file. +## [8.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v7.0.0...v8.0.0) (2022-09-16) + + +### ⚠ BREAKING CHANGES + +* Add ip_address_type to target group resource, bumped AWS provider version (#255) + +### Features + +* Add ip_address_type to target group resource, bumped AWS provider version ([#255](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/255)) ([5d08044](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/5d080446f6e74d6dcbc6ff6110633d3e6e48c909)) + ## [7.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v6.11.0...v7.0.0) (2022-05-23) From 33b6ecdc0769a63d43dab0b3287fdcecdcb4e805 Mon Sep 17 00:00:00 2001 From: Marcos Soutullo Rodriguez Date: Tue, 20 Sep 2022 12:52:24 +0100 Subject: [PATCH 16/41] feat: Added connection_termination toggle to target group (#257) --- examples/complete-nlb/main.tf | 11 ++++++----- main.tf | 1 + 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf index ec9c6e2..22efe57 100644 --- a/examples/complete-nlb/main.tf +++ b/examples/complete-nlb/main.tf @@ -107,11 +107,12 @@ module "nlb" { target_groups = [ { - name_prefix = "tu1-" - backend_protocol = "TCP_UDP" - backend_port = 81 - target_type = "instance" - preserve_client_ip = true + name_prefix = "tu1-" + backend_protocol = "TCP_UDP" + backend_port = 81 + target_type = "instance" + connection_termination = true + preserve_client_ip = true tags = { tcp_udp = true } diff --git a/main.tf b/main.tf index 90d68b1..9cbc49e 100644 --- a/main.tf +++ b/main.tf 
@@ -70,6 +70,7 @@ resource "aws_lb_target_group" "main" { protocol_version = lookup(var.target_groups[count.index], "protocol_version", null) != null ? upper(lookup(var.target_groups[count.index], "protocol_version")) : null target_type = lookup(var.target_groups[count.index], "target_type", null) + connection_termination = lookup(var.target_groups[count.index], "connection_termination", null) deregistration_delay = lookup(var.target_groups[count.index], "deregistration_delay", null) slow_start = lookup(var.target_groups[count.index], "slow_start", null) proxy_protocol_v2 = lookup(var.target_groups[count.index], "proxy_protocol_v2", false) From 5766ccc964f7ec056082e0d77d0cf55ddd60c50c Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 20 Sep 2022 11:53:00 +0000 Subject: [PATCH 17/41] chore(release): version 8.1.0 [skip ci] ## [8.1.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.0.0...v8.1.0) (2022-09-20) ### Features * Added connection_termination toggle to target group ([#257](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/257)) ([33b6ecd](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/33b6ecdc0769a63d43dab0b3287fdcecdcb4e805)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8ad84db..43372e5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.1.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.0.0...v8.1.0) (2022-09-20) + + +### Features + +* Added connection_termination toggle to target group ([#257](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/257)) ([33b6ecd](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/33b6ecdc0769a63d43dab0b3287fdcecdcb4e805)) + ## [8.0.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v7.0.0...v8.0.0) (2022-09-16) 
From 02fb531b7b61eba257926b99d984a795fd6d28aa Mon Sep 17 00:00:00 2001 From: Mervin Hemaraju <115166315+mervinhemaraju@users.noreply.github.com> Date: Fri, 28 Oct 2022 13:45:38 +0400 Subject: [PATCH 18/41] docs: Added stickiness to examples and README (#263) --- examples/complete-nlb/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf index 22efe57..e88059f 100644 --- a/examples/complete-nlb/main.tf +++ b/examples/complete-nlb/main.tf @@ -113,6 +113,10 @@ module "nlb" { target_type = "instance" connection_termination = true preserve_client_ip = true + stickiness = { + enabled = true + type = "source_ip" + } tags = { tcp_udp = true } From a289290d1d6f617ae1d0d9a93d49f27337a63924 Mon Sep 17 00:00:00 2001 From: Warren Krewenki <19960+krewenki@users.noreply.github.com> Date: Fri, 28 Oct 2022 06:52:01 -0300 Subject: [PATCH 19/41] docs: Update version number used in README.md (#258) Co-authored-by: Anton Babenko --- README.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a423cfc..1edc79e 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@ HTTP and HTTPS listeners with default actions: ```hcl module "alb" { source = "terraform-aws-modules/alb/aws" - version = "~> 6.0" + version = "~> 8.0" name = "my-alb" @@ -74,7 +74,7 @@ HTTP to HTTPS redirect and HTTPS cognito authentication: ```hcl module "alb" { source = "terraform-aws-modules/alb/aws" - version = "~> 6.0" + version = "~> 8.0" name = "my-alb" @@ -136,7 +136,7 @@ Cognito Authentication only on certain routes, with redirects for other routes: ```hcl module "alb" { source = "terraform-aws-modules/alb/aws" - version = "~> 6.0" + version = "~> 8.0" name = "my-alb" @@ -217,7 +217,7 @@ When you're using ALB Listener rules, make sure that every rule's `actions` bloc ```hcl module "nlb" { source = "terraform-aws-modules/alb/aws" - version = "~> 6.0" + version = "~> 8.0" name = "my-nlb" 
@@ -391,6 +391,6 @@ Apache 2 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraf ## Additional information for users from Russia and Belarus -* Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine). -* Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee. -* [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!) +- Russia has [illegally annexed Crimea in 2014](https://en.wikipedia.org/wiki/Annexation_of_Crimea_by_the_Russian_Federation) and [brought the war in Donbas](https://en.wikipedia.org/wiki/War_in_Donbas) followed by [full-scale invasion of Ukraine in 2022](https://en.wikipedia.org/wiki/2022_Russian_invasion_of_Ukraine). +- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee. +- [Putin khuylo!](https://en.wikipedia.org/wiki/Putin_khuylo!) From 144af83cf291dddbc2d424862054ac8d61555c8e Mon Sep 17 00:00:00 2001 From: Noah Krause Date: Fri, 28 Oct 2022 07:25:32 -0400 Subject: [PATCH 20/41] fix: Matched type of extra certificate var in module to type expected in resource (#259) Co-authored-by: Anton Babenko --- examples/complete-alb/README.md | 1 + examples/complete-alb/main.tf | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index 56e70dd..4cc0e1f 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md 
@@ -42,6 +42,7 @@ Note that this example may create resources which cost money. Run `terraform des | [lambda\_without\_allowed\_triggers](#module\_lambda\_without\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 | | [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a | | [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | +| [wildcard\_cert](#module\_wildcard\_cert) | terraform-aws-modules/acm/aws | ~> 3.0 | ## Resources diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index 54814a8..d7b2317 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf @@ -59,6 +59,14 @@ module "acm" { zone_id = data.aws_route53_zone.this.id } +module "wildcard_cert" { + source = "terraform-aws-modules/acm/aws" + version = "~> 3.0" + + domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".") + zone_id = data.aws_route53_zone.this.id +} + ################################################################## # AWS Cognito User Pool ################################################################## @@ -178,6 +186,13 @@ module "alb" { }, ] + extra_ssl_certs = [ + { + https_listener_index = 0 + certificate_arn = module.wildcard_cert.acm_certificate_arn + } + ] + https_listener_rules = [ { https_listener_index = 0 From eee5370c5d111df20c2f79b72d8cf87a8afcd836 Mon Sep 17 00:00:00 2001 
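Review bot: The subject says "Matched type of extra certificate var in module to type expected in resource", but the diffstat lists only `examples/complete-alb/README.md` and `examples/complete-alb/main.tf`; no `variables.tf` change is in the patch, so either the subject is stale or the type fix was not committed. In the examples/complete-alb/main.tf hunk, the trailing comment `# trimsuffix(data.aws_route53_zone.this.name, ".")` on `domain_name` is unexplained; either drop it or state that it is the definition of `local.domain_name`.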
From: semantic-release-bot Date: Fri, 28 Oct 2022 11:25:57 +0000 Subject: [PATCH 21/41] chore(release): version 8.1.1 [skip ci] ### [8.1.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.0...v8.1.1) (2022-10-28) ### Bug Fixes * Matched type of extra certificate var in module to type expected in resource ([#259](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/259)) ([144af83](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/144af83cf291dddbc2d424862054ac8d61555c8e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 43372e5..6cfdcde 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [8.1.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.0...v8.1.1) (2022-10-28) + + +### Bug Fixes + +* Matched type of extra certificate var in module to type expected in resource ([#259](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/259)) ([144af83](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/144af83cf291dddbc2d424862054ac8d61555c8e)) + ## [8.1.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.0.0...v8.1.0) (2022-09-20) From 40d10dd54c8f4091bdc65f86e5c54e422951101e Mon Sep 17 00:00:00 2001 From: Michael Mayer Date: Fri, 28 Oct 2022 05:38:10 -0700 Subject: [PATCH 22/41] fix: Allow for override of Name tag on load balancer (#262) Co-authored-by: Anton Babenko --- main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main.tf b/main.tf index 9cbc49e..de2e061 100644 --- a/main.tf +++ b/main.tf @@ -44,11 +44,11 @@ resource "aws_lb" "this" { } tags = merge( - var.tags, - var.lb_tags, { - Name = var.name != null ? var.name : var.name_prefix + Name = (var.name != null) ? var.name : var.name_prefix }, + var.tags, + var.lb_tags, ) timeouts { 
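Review bot: In the main.tf hunk, moving `var.tags` and `var.lb_tags` after the `{ Name = ... }` map lets a caller's `Name` key override the computed name, which is the intent, but it is a behaviour change for existing users who already pass `Name` in `tags` (their load balancer's Name tag changes on the next apply); worth a sentence in the 8.1.2 changelog entry beyond "Allow for override". The added parentheses in `(var.name != null) ? var.name : var.name_prefix` are a style nit and not needed.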
From 426f980a848f33cd45639ce77f4a00b48ec6897c Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 28 Oct 2022 12:38:44 +0000 Subject: [PATCH 23/41] chore(release): version 8.1.2 [skip ci] ### [8.1.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.1...v8.1.2) (2022-10-28) ### Bug Fixes * Allow for override of Name tag on load balancer ([#262](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/262)) ([40d10dd](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/40d10dd54c8f4091bdc65f86e5c54e422951101e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6cfdcde..eb16d94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [8.1.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.1...v8.1.2) (2022-10-28) + + +### Bug Fixes + +* Allow for override of Name tag on load balancer ([#262](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/262)) ([40d10dd](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/40d10dd54c8f4091bdc65f86e5c54e422951101e)) + ### [8.1.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.0...v8.1.1) (2022-10-28) From d69c4099c9ed38c89b2f4aa6c0684b495d794e8e Mon Sep 17 00:00:00 2001 From: gohmc <46994372+gohmc@users.noreply.github.com> Date: Tue, 1 Nov 2022 01:18:25 +0800 Subject: [PATCH 24/41] feat: Added support for preserve_host_header (#265) --- README.md | 77 ++++++++++++++++++++++++------------------------ main.tf | 1 + variables.tf | 6 ++++ wrappers/main.tf | 1 + 4 files changed, 47 insertions(+), 38 deletions(-) diff --git a/README.md b/README.md index 1edc79e..8cf6062 100644 --- a/README.md +++ b/README.md 
@@ -323,44 +323,45 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | -| [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | -| [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | `string` | `"defensive"` | no | -| [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | -| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | -| [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | -| [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. | `bool` | `true` | no | -| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | -| [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). 
| `list(map(string))` | `[]` | no | -| [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | -| [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | -| [http\_tcp\_listeners](#input\_http\_tcp\_listeners) | A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target\_group\_index (defaults to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | -| [http\_tcp\_listeners\_tags](#input\_http\_tcp\_listeners\_tags) | A map of tags to add to all http listeners | `map(string)` | `{}` | no | -| [https\_listener\_rules](#input\_https\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https\_listener\_index (default to https\_listeners[count.index]) | `any` | `[]` | no | -| [https\_listener\_rules\_tags](#input\_https\_listener\_rules\_tags) | A map of tags to add to all https listener rules | `map(string)` | `{}` | no | -| [https\_listeners](#input\_https\_listeners) | A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate\_arn. Optional key/values: ssl\_policy (defaults to ELBSecurityPolicy-2016-08), target\_group\_index (defaults to https\_listeners[count.index]) | `any` | `[]` | no | -| [https\_listeners\_tags](#input\_https\_listeners\_tags) | A map of tags to add to all https listeners | `map(string)` | `{}` | no | -| [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. 
| `number` | `60` | no | -| [internal](#input\_internal) | Boolean determining if the load balancer is internal or externally facing. | `bool` | `false` | no | -| [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. | `string` | `"ipv4"` | no | -| [lb\_tags](#input\_lb\_tags) | A map of tags to add to load balancer | `map(string)` | `{}` | no | -| [listener\_ssl\_policy\_default](#input\_listener\_ssl\_policy\_default) | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). | `string` | `"ELBSecurityPolicy-2016-08"` | no | -| [load\_balancer\_create\_timeout](#input\_load\_balancer\_create\_timeout) | Timeout value when creating the ALB. | `string` | `"10m"` | no | -| [load\_balancer\_delete\_timeout](#input\_load\_balancer\_delete\_timeout) | Timeout value when deleting the ALB. | `string` | `"10m"` | no | -| [load\_balancer\_type](#input\_load\_balancer\_type) | The type of load balancer to create. Possible values are application or network. | `string` | `"application"` | no | -| [load\_balancer\_update\_timeout](#input\_load\_balancer\_update\_timeout) | Timeout value when updating the ALB. | `string` | `"10m"` | no | -| [name](#input\_name) | The resource name and Name tag of the load balancer. | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no | -| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | -| [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. 
["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | -| [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | -| [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | -| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | -| [target\_group\_tags](#input\_target\_group\_tags) | A map of tags to add to all target groups | `map(string)` | `{}` | no | -| [target\_groups](#input\_target\_groups) | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend\_protocol, backend\_port | `any` | `[]` | no | -| [vpc\_id](#input\_vpc\_id) | VPC id where the load balancer and other resources will be deployed. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|--------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| +| [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | +| [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | +| [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. 
| `string` | `"defensive"` | no | +| [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | +| [preserve\_host\_header](#input\_preserve\_host\_header) | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | `bool` | `false` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | +| [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | +| [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. | `bool` | `true` | no | +| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | +| [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). | `list(map(string))` | `[]` | no | +| [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. 
Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | +| [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | +| [http\_tcp\_listeners](#input\_http\_tcp\_listeners) | A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target\_group\_index (defaults to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | +| [http\_tcp\_listeners\_tags](#input\_http\_tcp\_listeners\_tags) | A map of tags to add to all http listeners | `map(string)` | `{}` | no | +| [https\_listener\_rules](#input\_https\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https\_listener\_index (default to https\_listeners[count.index]) | `any` | `[]` | no | +| [https\_listener\_rules\_tags](#input\_https\_listener\_rules\_tags) | A map of tags to add to all https listener rules | `map(string)` | `{}` | no | +| [https\_listeners](#input\_https\_listeners) | A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate\_arn. Optional key/values: ssl\_policy (defaults to ELBSecurityPolicy-2016-08), target\_group\_index (defaults to https\_listeners[count.index]) | `any` | `[]` | no | +| [https\_listeners\_tags](#input\_https\_listeners\_tags) | A map of tags to add to all https listeners | `map(string)` | `{}` | no | +| [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `number` | `60` | no | +| [internal](#input\_internal) | Boolean determining if the load balancer is internal or externally facing. | `bool` | `false` | no | +| [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. 
The possible values are ipv4 and dualstack. | `string` | `"ipv4"` | no | +| [lb\_tags](#input\_lb\_tags) | A map of tags to add to load balancer | `map(string)` | `{}` | no | +| [listener\_ssl\_policy\_default](#input\_listener\_ssl\_policy\_default) | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). | `string` | `"ELBSecurityPolicy-2016-08"` | no | +| [load\_balancer\_create\_timeout](#input\_load\_balancer\_create\_timeout) | Timeout value when creating the ALB. | `string` | `"10m"` | no | +| [load\_balancer\_delete\_timeout](#input\_load\_balancer\_delete\_timeout) | Timeout value when deleting the ALB. | `string` | `"10m"` | no | +| [load\_balancer\_type](#input\_load\_balancer\_type) | The type of load balancer to create. Possible values are application or network. | `string` | `"application"` | no | +| [load\_balancer\_update\_timeout](#input\_load\_balancer\_update\_timeout) | Timeout value when updating the ALB. | `string` | `"10m"` | no | +| [name](#input\_name) | The resource name and Name tag of the load balancer. | `string` | `null` | no | +| [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no | +| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | +| [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | +| [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | +| [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. 
['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | +| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | +| [target\_group\_tags](#input\_target\_group\_tags) | A map of tags to add to all target groups | `map(string)` | `{}` | no | +| [target\_groups](#input\_target\_groups) | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend\_protocol, backend\_port | `any` | `[]` | no | +| [vpc\_id](#input\_vpc\_id) | VPC id where the load balancer and other resources will be deployed. | `string` | `null` | no | ## Outputs diff --git a/main.tf b/main.tf index de2e061..5b9ff31 100644 --- a/main.tf +++ b/main.tf @@ -19,6 +19,7 @@ resource "aws_lb" "this" { enable_http2 = var.enable_http2 ip_address_type = var.ip_address_type drop_invalid_header_fields = var.drop_invalid_header_fields + preserve_host_header = var.preserve_host_header enable_waf_fail_open = var.enable_waf_fail_open desync_mitigation_mode = var.desync_mitigation_mode diff --git a/variables.tf b/variables.tf index 5ec54b2..aa9860d 100644 --- a/variables.tf +++ b/variables.tf @@ -10,6 +10,12 @@ variable "drop_invalid_header_fields" { default = false } +variable "preserve_host_header" { + description = "Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false." + type = bool + default = false +} + variable "enable_deletion_protection" { description = "If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false." type = bool diff --git a/wrappers/main.tf b/wrappers/main.tf index a05a3cd..53caf0e 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf 
@@ -5,6 +5,7 @@ module "wrapper" { create_lb = try(each.value.create_lb, var.defaults.create_lb, true) drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, false) + preserve_host_header = try(each.value.preserve_host_header, var.preserve_host_header, false) enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, false) enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, true) enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, false) From 858ae988b3efe72f7d69335ca065c09cbb4c76d7 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Mon, 31 Oct 2022 17:18:54 +0000 Subject: [PATCH 25/41] chore(release): version 8.2.0 [skip ci] ## [8.2.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.2...v8.2.0) (2022-10-31) ### Features * Added support for preserve_host_header ([#265](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/265)) ([d69c409](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/d69c4099c9ed38c89b2f4aa6c0684b495d794e8e)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb16d94..9a15a53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.2.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.2...v8.2.0) (2022-10-31) + + +### Features + +* Added support for preserve_host_header ([#265](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/265)) ([d69c409](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/d69c4099c9ed38c89b2f4aa6c0684b495d794e8e)) + ### [8.1.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.1...v8.1.2) (2022-10-28) 
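Review bot: in wrappers/main.tf the new line `preserve_host_header = try(each.value.preserve_host_header, var.preserve_host_header, false)` references `var.preserve_host_header`, which is not an input of the wrapper module; every neighbouring line falls back to `var.defaults.<name>`, so this should read `try(each.value.preserve_host_header, var.defaults.preserve_host_header, false)`. As written the wrapper fails `terraform validate` with a reference-to-undeclared-input-variable error, because `try()` only masks dynamic errors, not references that are invalid for any input. This file is produced by the `terraform_wrapper_module_for_each` pre-commit hook listed in .pre-commit-config.yaml, so regenerating it instead of hand-editing would have avoided the slip.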
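Review bot: the description of the new `preserve_host_header` variable in variables.tf has a grammar slip, "should be preserve and forward to targets", that propagates verbatim into the README Inputs table; suggest `Indicates whether the Host header should be preserved and forwarded to targets without any change. Defaults to false.`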
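Review bot: the README Inputs hunk replaces the entire table with padded-width columns and inserts the `preserve_host_header` row between `drop_invalid_header_fields` and `enable_cross_zone_load_balancing`, outside the alphabetical order that terraform-docs emits; this turns a one-row addition into a 77-line rewrite that the next documentation run will churn straight back (the following patch in this series, #264, already reverts the column widths). Regenerate the table with terraform-docs rather than editing it by hand, so the row lands in its sorted position and the diff shows only the added input.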
From dd692c740690f76808cc055a62335a7080b8242f Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Mon, 14 Nov 2022 03:11:59 -0500 Subject: [PATCH 26/41] fix: Update CI configuration files to use latest version (#264) Co-authored-by: Anton Babenko --- .github/workflows/lock.yml | 21 +++++ .github/workflows/pr-title.yml | 2 +- .github/workflows/pre-commit.yml | 27 +++---- .github/workflows/release.yml | 3 +- .github/workflows/stale-actions.yaml | 2 +- .pre-commit-config.yaml | 4 +- README.md | 110 +++++++++++++-------------- examples/complete-alb/README.md | 6 +- examples/complete-alb/versions.tf | 4 +- examples/complete-nlb/README.md | 6 +- examples/complete-nlb/versions.tf | 4 +- outputs.tf | 54 +++++++------ versions.tf | 4 +- wrappers/README.md | 4 +- wrappers/main.tf | 2 +- 15 files changed, 132 insertions(+), 121 deletions(-) create mode 100644 .github/workflows/lock.yml diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml new file mode 100644 index 0000000..d887a66 --- /dev/null +++ b/.github/workflows/lock.yml 
@@ -0,0 +1,21 @@ +name: 'Lock Threads' + +on: + schedule: + - cron: '50 1 * * *' + +jobs: + lock: + runs-on: ubuntu-latest + steps: + - uses: dessant/lock-threads@v3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + issue-comment: > + I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. + If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. + issue-inactive-days: '30' + pr-comment: > + I'm going to lock this pull request because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues. + If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. + pr-inactive-days: '30' diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 168011c..cb32a0f 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml @@ -14,7 +14,7 @@ jobs: steps: # Please look up the latest version from # https://github.com/amannn/action-semantic-pull-request/releases - - uses: amannn/action-semantic-pull-request@v3.4.6 + - uses: amannn/action-semantic-pull-request@v5.0.2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index adea23e..b198c6c 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -17,11 +17,11 @@ jobs: directories: ${{ steps.dirs.outputs.directories }} steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Get root directories id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.3.0 + uses: clowdhaus/terraform-composite-actions/directories@v1.8.2 preCommitMinVersions: name: Min TF pre-commit 
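Review bot: the new .github/workflows/lock.yml pins `dessant/lock-threads@v3` by a mutable major tag and declares no `permissions:` block, so the `lock` job runs a third-party action with whatever default `GITHUB_TOKEN` scope the repository grants; pin the action to a full commit SHA (keeping the tag in a trailing comment for readability) and add `permissions:` with `issues: write` and `pull-requests: write` to the job so the token is scoped to the two operations the action actually performs.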
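Review bot: the pr-title.yml hunk jumps `amannn/action-semantic-pull-request` from v3.4.6 to v5.0.2, two major versions, while the `with:` inputs that follow are outside the hunk; re-check those inputs against the v5 release notes before merging, and prefer pinning the action to a commit SHA over a version tag for the same supply-chain reason as the other workflow changes in this patch.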
@@ -32,18 +32,18 @@ jobs: directory: ${{ fromJson(needs.collectInputs.outputs.directories) }} steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 - name: Terraform min/max versions id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 + uses: clowdhaus/terraform-min-max@v1.2.4 with: directory: ${{ matrix.directory }} - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' @@ -51,7 +51,7 @@ jobs: - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory == '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' 
@@ -62,25 +62,18 @@ jobs: needs: collectInputs steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: ref: ${{ github.event.pull_request.head.ref }} repository: ${{github.event.pull_request.head.repo.full_name}} - name: Terraform min/max versions id: minMax - uses: clowdhaus/terraform-min-max@v1.0.3 - - - name: Install hcledit (for terraform_wrapper_module_for_each hook) - shell: bash - run: | - curl -L "$(curl -s https://api.github.com/repos/minamijoyo/hcledit/releases/latest | grep -o -E -m 1 "https://.+?_linux_amd64.tar.gz")" > hcledit.tgz - sudo tar -xzf hcledit.tgz -C /usr/bin/ hcledit - rm -f hcledit.tgz 2> /dev/null - hcledit version + uses: clowdhaus/terraform-min-max@v1.2.4 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.3.0 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 with: terraform-version: ${{ steps.minMax.outputs.maxVersion }} terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} + install-hcledit: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e8a26ca..d2556e0 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,7 +4,6 @@ on: workflow_dispatch: push: branches: - - main - master paths: - '**/*.tpl' @@ -20,7 +19,7 @@ jobs: if: github.repository_owner == 'terraform-aws-modules' steps: - name: Checkout - uses: actions/checkout@v2 + uses: actions/checkout@v3 with: persist-credentials: false fetch-depth: 0 diff --git a/.github/workflows/stale-actions.yaml b/.github/workflows/stale-actions.yaml index c09ae1d..5037995 100644 --- a/.github/workflows/stale-actions.yaml +++ b/.github/workflows/stale-actions.yaml @@ -7,7 +7,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: actions/stale@v4 + - uses: actions/stale@v6 with: repo-token: ${{ secrets.GITHUB_TOKEN }} # Staling issues and PR's 
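Review bot: in the third pre-commit.yml hunk, replacing the hand-rolled hcledit install (a curl of the "latest" release URL scraped from the GitHub API, untarred straight into /usr/bin with no version pin or checksum) with the composite action's `install-hcledit: true` removes an unpinned, unverified binary download from CI, which is the right direction; the remaining exposure is that `clowdhaus/terraform-composite-actions/pre-commit@v1.8.2` and `clowdhaus/terraform-min-max@v1.2.4` are mutable tags, so pin them to commit SHAs as well. This job also checks out `github.event.pull_request.head.ref` from `head.repo.full_name`, i.e. the contributor's fork, and runs hooks on it; that is fine under a `pull_request` trigger with a read-only token, so confirm that the workflow's `on:` block (not shown in this hunk) does not use `pull_request_target`.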
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 954c537..314c02b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.71.0 + rev: v1.76.0 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each @@ -24,7 +24,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.2.0 + rev: v4.3.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer diff --git a/README.md b/README.md index 8cf6062..1e900cc 100644 --- a/README.md +++ b/README.md @@ -294,14 +294,14 @@ module "lb" { | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.27.0 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.27 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27.0 | +| [aws](#provider\_aws) | >= 4.27 | ## Modules 
@@ -323,63 +323,63 @@ No modules. ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------|---------|:--------:| -| [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | -| [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | -| [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | `string` | `"defensive"` | no | -| [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | -| [preserve\_host\_header](#input\_preserve\_host\_header) | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | `bool` | `false` | no | -| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | -| [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | -| [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. 
| `bool` | `true` | no | -| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | -| [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). | `list(map(string))` | `[]` | no | -| [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | -| [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | -| [http\_tcp\_listeners](#input\_http\_tcp\_listeners) | A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. Optional key/values: target\_group\_index (defaults to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | -| [http\_tcp\_listeners\_tags](#input\_http\_tcp\_listeners\_tags) | A map of tags to add to all http listeners | `map(string)` | `{}` | no | -| [https\_listener\_rules](#input\_https\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https\_listener\_index (default to https\_listeners[count.index]) | `any` | `[]` | no | -| [https\_listener\_rules\_tags](#input\_https\_listener\_rules\_tags) | A map of tags to add to all https listener rules | `map(string)` | `{}` | no | -| [https\_listeners](#input\_https\_listeners) | A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate\_arn. 
Optional key/values: ssl\_policy (defaults to ELBSecurityPolicy-2016-08), target\_group\_index (defaults to https\_listeners[count.index]) | `any` | `[]` | no | -| [https\_listeners\_tags](#input\_https\_listeners\_tags) | A map of tags to add to all https listeners | `map(string)` | `{}` | no | -| [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `number` | `60` | no | -| [internal](#input\_internal) | Boolean determining if the load balancer is internal or externally facing. | `bool` | `false` | no | -| [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. | `string` | `"ipv4"` | no | -| [lb\_tags](#input\_lb\_tags) | A map of tags to add to load balancer | `map(string)` | `{}` | no | -| [listener\_ssl\_policy\_default](#input\_listener\_ssl\_policy\_default) | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). | `string` | `"ELBSecurityPolicy-2016-08"` | no | -| [load\_balancer\_create\_timeout](#input\_load\_balancer\_create\_timeout) | Timeout value when creating the ALB. | `string` | `"10m"` | no | -| [load\_balancer\_delete\_timeout](#input\_load\_balancer\_delete\_timeout) | Timeout value when deleting the ALB. | `string` | `"10m"` | no | -| [load\_balancer\_type](#input\_load\_balancer\_type) | The type of load balancer to create. Possible values are application or network. | `string` | `"application"` | no | -| [load\_balancer\_update\_timeout](#input\_load\_balancer\_update\_timeout) | Timeout value when updating the ALB. | `string` | `"10m"` | no | -| [name](#input\_name) | The resource name and Name tag of the load balancer. | `string` | `null` | no | -| [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. 
Cannot be longer than 6 characters | `string` | `null` | no | -| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | -| [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | -| [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | -| [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | -| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | -| [target\_group\_tags](#input\_target\_group\_tags) | A map of tags to add to all target groups | `map(string)` | `{}` | no | -| [target\_groups](#input\_target\_groups) | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend\_protocol, backend\_port | `any` | `[]` | no | -| [vpc\_id](#input\_vpc\_id) | VPC id where the load balancer and other resources will be deployed. | `string` | `null` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | +| [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | +| [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. 
| `string` | `"defensive"` | no | +| [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | +| [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | +| [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | +| [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. | `bool` | `true` | no | +| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | +| [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). | `list(map(string))` | `[]` | no | +| [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | +| [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | +| [http\_tcp\_listeners](#input\_http\_tcp\_listeners) | A list of maps describing the HTTP listeners or TCP ports for this ALB. Required key/values: port, protocol. 
Optional key/values: target\_group\_index (defaults to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | +| [http\_tcp\_listeners\_tags](#input\_http\_tcp\_listeners\_tags) | A map of tags to add to all http listeners | `map(string)` | `{}` | no | +| [https\_listener\_rules](#input\_https\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. Optional key/values: priority, https\_listener\_index (default to https\_listeners[count.index]) | `any` | `[]` | no | +| [https\_listener\_rules\_tags](#input\_https\_listener\_rules\_tags) | A map of tags to add to all https listener rules | `map(string)` | `{}` | no | +| [https\_listeners](#input\_https\_listeners) | A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate\_arn. Optional key/values: ssl\_policy (defaults to ELBSecurityPolicy-2016-08), target\_group\_index (defaults to https\_listeners[count.index]) | `any` | `[]` | no | +| [https\_listeners\_tags](#input\_https\_listeners\_tags) | A map of tags to add to all https listeners | `map(string)` | `{}` | no | +| [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. | `number` | `60` | no | +| [internal](#input\_internal) | Boolean determining if the load balancer is internal or externally facing. | `bool` | `false` | no | +| [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. | `string` | `"ipv4"` | no | +| [lb\_tags](#input\_lb\_tags) | A map of tags to add to load balancer | `map(string)` | `{}` | no | +| [listener\_ssl\_policy\_default](#input\_listener\_ssl\_policy\_default) | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). 
| `string` | `"ELBSecurityPolicy-2016-08"` | no | +| [load\_balancer\_create\_timeout](#input\_load\_balancer\_create\_timeout) | Timeout value when creating the ALB. | `string` | `"10m"` | no | +| [load\_balancer\_delete\_timeout](#input\_load\_balancer\_delete\_timeout) | Timeout value when deleting the ALB. | `string` | `"10m"` | no | +| [load\_balancer\_type](#input\_load\_balancer\_type) | The type of load balancer to create. Possible values are application or network. | `string` | `"application"` | no | +| [load\_balancer\_update\_timeout](#input\_load\_balancer\_update\_timeout) | Timeout value when updating the ALB. | `string` | `"10m"` | no | +| [name](#input\_name) | The resource name and Name tag of the load balancer. | `string` | `null` | no | +| [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no | +| [preserve\_host\_header](#input\_preserve\_host\_header) | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | `bool` | `false` | no | +| [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | +| [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | +| [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | +| [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. 
['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | +| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no | +| [target\_group\_tags](#input\_target\_group\_tags) | A map of tags to add to all target groups | `map(string)` | `{}` | no | +| [target\_groups](#input\_target\_groups) | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend\_protocol, backend\_port | `any` | `[]` | no | +| [vpc\_id](#input\_vpc\_id) | VPC id where the load balancer and other resources will be deployed. | `string` | `null` | no | ## Outputs | Name | Description | |------|-------------| -| [http\_tcp\_listener\_arns](#output\_http\_tcp\_listener\_arns) | The ARN of the TCP and HTTP load balancer listeners created. | -| [http\_tcp\_listener\_ids](#output\_http\_tcp\_listener\_ids) | The IDs of the TCP and HTTP load balancer listeners created. | -| [https\_listener\_arns](#output\_https\_listener\_arns) | The ARNs of the HTTPS load balancer listeners created. | -| [https\_listener\_ids](#output\_https\_listener\_ids) | The IDs of the load balancer listeners created. | -| [lb\_arn](#output\_lb\_arn) | The ID and ARN of the load balancer we created. | -| [lb\_arn\_suffix](#output\_lb\_arn\_suffix) | ARN suffix of our load balancer - can be used with CloudWatch. | -| [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer. | -| [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created. | -| [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records. | -| [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch. 
| -| [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group. | -| [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs. | -| [target\_group\_names](#output\_target\_group\_names) | Name of the target group. Useful for passing to your CodeDeploy Deployment Group. | +| [http\_tcp\_listener\_arns](#output\_http\_tcp\_listener\_arns) | The ARN of the TCP and HTTP load balancer listeners created | +| [http\_tcp\_listener\_ids](#output\_http\_tcp\_listener\_ids) | The IDs of the TCP and HTTP load balancer listeners created | +| [https\_listener\_arns](#output\_https\_listener\_arns) | The ARNs of the HTTPS load balancer listeners created | +| [https\_listener\_ids](#output\_https\_listener\_ids) | The IDs of the load balancer listeners created | +| [lb\_arn](#output\_lb\_arn) | The ID and ARN of the load balancer we created | +| [lb\_arn\_suffix](#output\_lb\_arn\_suffix) | ARN suffix of our load balancer - can be used with CloudWatch | +| [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer | +| [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created | +| [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records | +| [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch | +| [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group | +| [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs | +| [target\_group\_names](#output\_target\_group\_names) | Name of the target group. Useful for passing to your CodeDeploy Deployment Group | ## Authors diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index 4cc0e1f..4574e5b 100644 
--- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md @@ -19,8 +19,8 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.27.0 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.27 | | [null](#requirement\_null) | >= 2.0 | | [random](#requirement\_random) | >= 2.0 | @@ -28,7 +28,7 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27.0 | +| [aws](#provider\_aws) | >= 4.27 | | [null](#provider\_null) | >= 2.0 | | [random](#provider\_random) | >= 2.0 | diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf index 5d92edf..e5fe0c8 100644 --- a/examples/complete-alb/versions.tf +++ b/examples/complete-alb/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.0" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27.0" + version = ">= 4.27" } random = { source = "hashicorp/random" diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index db8a2c9..57c4f52 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -19,15 +19,15 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| -| [terraform](#requirement\_terraform) | >= 1.0.0 | -| [aws](#requirement\_aws) | >= 4.27.0 | +| [terraform](#requirement\_terraform) | >= 1.0 | +| [aws](#requirement\_aws) | >= 4.27 | | [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27.0 | +| [aws](#provider\_aws) | >= 4.27 | | [random](#provider\_random) | >= 2.0 | ## Modules 
diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf index af77374..021d385 100644 --- a/examples/complete-nlb/versions.tf +++ b/examples/complete-nlb/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.0" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27.0" + version = ">= 4.27" } random = { source = "hashicorp/random" diff --git a/outputs.tf b/outputs.tf index cc5bf1c..32c9b6f 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,66 +1,64 @@ output "lb_id" { - description = "The ID and ARN of the load balancer we created." - value = concat(aws_lb.this.*.id, [""])[0] + description = "The ID and ARN of the load balancer we created" + value = try(aws_lb.this[0].id, "") } output "lb_arn" { - description = "The ID and ARN of the load balancer we created." - value = concat(aws_lb.this.*.arn, [""])[0] + description = "The ID and ARN of the load balancer we created" + value = try(aws_lb.this[0].arn, "") } output "lb_dns_name" { - description = "The DNS name of the load balancer." - value = concat(aws_lb.this.*.dns_name, [""])[0] + description = "The DNS name of the load balancer" + value = try(aws_lb.this[0].dns_name, "") } output "lb_arn_suffix" { - description = "ARN suffix of our load balancer - can be used with CloudWatch." - value = concat(aws_lb.this.*.arn_suffix, [""])[0] + description = "ARN suffix of our load balancer - can be used with CloudWatch" + value = try(aws_lb.this[0].arn_suffix, "") } output "lb_zone_id" { - description = "The zone_id of the load balancer to assist with creating DNS records." - value = concat(aws_lb.this.*.zone_id, [""])[0] + description = "The zone_id of the load balancer to assist with creating DNS records" + value = try(aws_lb.this[0].zone_id, "") } output "http_tcp_listener_arns" { - description = "The ARN of the TCP and HTTP load balancer listeners created." - value = aws_lb_listener.frontend_http_tcp.*.arn + description = "The ARN of the TCP and HTTP load balancer listeners created" + value = aws_lb_listener.frontend_http_tcp[*].arn } output "http_tcp_listener_ids" { - description = "The IDs of the TCP and HTTP load balancer listeners created." - value = aws_lb_listener.frontend_http_tcp.*.id + description = "The IDs of the TCP and HTTP load balancer listeners created" + value = aws_lb_listener.frontend_http_tcp[*].id } output "https_listener_arns" { - description = "The ARNs of the HTTPS load balancer listeners created." 
- value = aws_lb_listener.frontend_https.*.arn + description = "The ARNs of the HTTPS load balancer listeners created" + value = aws_lb_listener.frontend_https[*].arn } output "https_listener_ids" { - description = "The IDs of the load balancer listeners created." - value = aws_lb_listener.frontend_https.*.id + description = "The IDs of the load balancer listeners created" + value = aws_lb_listener.frontend_https[*].id } output "target_group_arns" { - description = "ARNs of the target groups. Useful for passing to your Auto Scaling group." - value = aws_lb_target_group.main.*.arn + description = "ARNs of the target groups. Useful for passing to your Auto Scaling group" + value = aws_lb_target_group.main[*].arn } output "target_group_arn_suffixes" { - description = "ARN suffixes of our target groups - can be used with CloudWatch." - value = aws_lb_target_group.main.*.arn_suffix + description = "ARN suffixes of our target groups - can be used with CloudWatch" + value = aws_lb_target_group.main[*].arn_suffix } output "target_group_names" { - description = "Name of the target group. Useful for passing to your CodeDeploy Deployment Group." - value = aws_lb_target_group.main.*.name + description = "Name of the target group. Useful for passing to your CodeDeploy Deployment Group" + value = aws_lb_target_group.main[*].name } output "target_group_attachments" { - description = "ARNs of the target group attachment IDs." - value = { - for k, v in aws_lb_target_group_attachment.this : k => v.id - } + description = "ARNs of the target group attachment IDs" + value = { for k, v in aws_lb_target_group_attachment.this : k => v.id } } diff --git a/versions.tf b/versions.tf index 65759b7..f59f81e 100644 --- a/versions.tf +++ b/versions.tf @@ -1,10 +1,10 @@ terraform { - required_version = ">= 1.0.0" + required_version = ">= 1.0" required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27.0" + version = ">= 4.27" } } } 
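Review bot: `lb_id` and `lb_arn` keep the identical description "The ID and ARN of the load balancer we created" although each output now returns only one of the two (`aws_lb.this[0].id` versus `aws_lb.this[0].arn`); suggest "The ID of the load balancer we created" and "The ARN of the load balancer we created" respectively, and the same rows in the root README table should follow. Separately, `try(aws_lb.this[0].id, "")` covers the `create_lb = false` case as the old `concat(aws_lb.this.*.id, [""])[0]` did, but `try()` also swallows any other evaluation error on that expression, so a genuine reference mistake in a future edit would surface as an empty string instead of a plan error; worth a comment on the outputs so that the empty-string value is understood as "not created" and nothing else.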
diff --git a/wrappers/README.md b/wrappers/README.md index 909f5ab..573ee64 100644 --- a/wrappers/README.md +++ b/wrappers/README.md @@ -14,7 +14,7 @@ This wrapper does not implement any extra functionality. terraform { source = "tfr:///terraform-aws-modules/alb/aws//wrappers" # Alternative source: - # source = "git::git@github.com:terraform-aws-modules/terraform-aws-alb.git?ref=master//wrappers" + # source = "git::git@github.com:terraform-aws-modules/terraform-aws-alb.git//wrappers?ref=master" } inputs = { @@ -72,7 +72,7 @@ module "wrapper" { terraform { source = "tfr:///terraform-aws-modules/s3-bucket/aws//wrappers" # Alternative source: - # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git?ref=master//wrappers" + # source = "git::git@github.com:terraform-aws-modules/terraform-aws-s3-bucket.git//wrappers?ref=master" } inputs = { diff --git a/wrappers/main.tf b/wrappers/main.tf index 53caf0e..5098d5a 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf @@ -5,7 +5,7 @@ module "wrapper" { create_lb = try(each.value.create_lb, var.defaults.create_lb, true) drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, false) - preserve_host_header = try(each.value.preserve_host_header, var.preserve_host_header, false) + preserve_host_header = try(each.value.preserve_host_header, var.defaults.preserve_host_header, false) enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, false) enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, true) enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, false) From 6cde6adf0d625b4c9a89c192bca5c26dcd94aedd Mon Sep 17 00:00:00 2001 
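Review bot: in the wrappers/README.md hunks the corrected form `...terraform-aws-alb.git//wrappers?ref=master` is right, since the `//subdir` must precede the query string for Terraform's git source to resolve it, but both examples still point at `ref=master`, a mutable branch. Because this line is copied verbatim into users' Terragrunt configs, suggest showing a release tag instead (for example `?ref=<release-tag>`, placeholder) so that every run resolves the same module code and a later change on the branch cannot silently alter what gets applied.

Review bot: the wrappers/main.tf fix to `try(each.value.preserve_host_header, var.defaults.preserve_host_header, false)` brings that line into line with every neighbouring lookup; the previous `var.preserve_host_header` read outside `var.defaults`, so a value set in `defaults` was ignored and the fallback `false` applied. Since the `wrappers/` tree is meant to be regenerated by the `terraform_wrapper_module_for_each` pre-commit hook, suggest a CI check that the generated file matches rather than relying on hand edits, so this kind of drift does not recur.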
From: semantic-release-bot Date: Mon, 14 Nov 2022 08:12:43 +0000 Subject: [PATCH 27/41] chore(release): version 8.2.1 [skip ci] ### [8.2.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.0...v8.2.1) (2022-11-14) ### Bug Fixes * Update CI configuration files to use latest version ([#264](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/264)) ([dd692c7](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/dd692c740690f76808cc055a62335a7080b8242f)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a15a53..525cd76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [8.2.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.0...v8.2.1) (2022-11-14) + + +### Bug Fixes + +* Update CI configuration files to use latest version ([#264](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/264)) ([dd692c7](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/dd692c740690f76808cc055a62335a7080b8242f)) + ## [8.2.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.1.2...v8.2.0) (2022-10-31) From 66eb6d27e69fc1ffdcf9117cc80e821cc1c36660 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Tue, 3 Jan 2023 09:16:44 -0500 Subject: [PATCH 28/41] fix: Use a version for to avoid GitHub API rate limiting on CI workflows (#270) --- .github/workflows/pre-commit.yml | 12 ++++++++---- .pre-commit-config.yaml | 4 ++-- 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml index b198c6c..cb82671 100644 --- a/.github/workflows/pre-commit.yml +++ b/.github/workflows/pre-commit.yml @@ -8,6 +8,7 @@ on: env: TERRAFORM_DOCS_VERSION: v0.16.0 + TFLINT_VERSION: v0.44.1 jobs: collectInputs: 
@@ -21,7 +22,7 @@ jobs: - name: Get root directories id: dirs - uses: clowdhaus/terraform-composite-actions/directories@v1.8.2 + uses: clowdhaus/terraform-composite-actions/directories@v1.8.3 preCommitMinVersions: name: Min TF pre-commit @@ -43,17 +44,19 @@ jobs: - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory != '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} + tflint-version: ${{ env.TFLINT_VERSION }} args: 'terraform_validate --color=always --show-diff-on-failure --files ${{ matrix.directory }}/*' - name: Pre-commit Terraform ${{ steps.minMax.outputs.minVersion }} # Run only validate pre-commit check on min version supported if: ${{ matrix.directory == '.' }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 with: terraform-version: ${{ steps.minMax.outputs.minVersion }} + tflint-version: ${{ env.TFLINT_VERSION }} args: 'terraform_validate --color=always --show-diff-on-failure --files $(ls *.tf)' preCommitMaxVersion: @@ -72,8 +75,9 @@ jobs: uses: clowdhaus/terraform-min-max@v1.2.4 - name: Pre-commit Terraform ${{ steps.minMax.outputs.maxVersion }} - uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.2 + uses: clowdhaus/terraform-composite-actions/pre-commit@v1.8.3 with: terraform-version: ${{ steps.minMax.outputs.maxVersion }} + tflint-version: ${{ env.TFLINT_VERSION }} terraform-docs-version: ${{ env.TERRAFORM_DOCS_VERSION }} install-hcledit: true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 314c02b..75deea3 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
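Review bot: setting `TFLINT_VERSION: v0.44.1` once in `env` and passing it through `tflint-version` on all three pre-commit steps removes the "latest release" lookup that was exhausting the unauthenticated GitHub API quota, which is the stated aim of the change. The actions themselves are still referenced by mutable tags, though (`clowdhaus/terraform-composite-actions/pre-commit@v1.8.3`, `.../directories@v1.8.3`, `clowdhaus/terraform-min-max@v1.2.4`); a retagged release would change what runs with the repository token without any diff here. Suggest pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, which is the standard mitigation and also keeps the version bump reviewable.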
@@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.76.0 + rev: v1.77.0 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each @@ -24,7 +24,7 @@ repos: - '--args=--only=terraform_standard_module_structure' - '--args=--only=terraform_workspace_remote' - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.3.0 + rev: v4.4.0 hooks: - id: check-merge-conflict - id: end-of-file-fixer From e1365f4d1f41b829708ddb1014cea048d8d86c36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?P=C3=A5l-Magnus=20Sl=C3=A5tto?= Date: Tue, 24 Jan 2023 22:38:54 +0100 Subject: [PATCH 29/41] chore: Upgrade CI workflows to use non-deprecated runtimes (#272) --- .github/workflows/lock.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml index d887a66..6b6c9ce 100644 --- a/.github/workflows/lock.yml +++ b/.github/workflows/lock.yml @@ -8,7 +8,7 @@ jobs: lock: runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v3 + - uses: dessant/lock-threads@v4 with: github-token: ${{ secrets.GITHUB_TOKEN }} issue-comment: > diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d2556e0..68c0179 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,7 +25,7 @@ jobs: fetch-depth: 0 - name: Release - uses: cycjimmy/semantic-release-action@v2 + uses: cycjimmy/semantic-release-action@v3 with: semantic_version: 18.0.0 extra_plugins: | From 7ba7833d45f665f51283746d7be95c3d36d2367e Mon Sep 17 00:00:00 2001 
From: semantic-release-bot Date: Tue, 24 Jan 2023 21:39:22 +0000 Subject: [PATCH 30/41] chore(release): version 8.2.2 [skip ci] ### [8.2.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.1...v8.2.2) (2023-01-24) ### Bug Fixes * Use a version for to avoid GitHub API rate limiting on CI workflows ([#270](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/270)) ([66eb6d2](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/66eb6d27e69fc1ffdcf9117cc80e821cc1c36660)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 525cd76..623cf9d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [8.2.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.1...v8.2.2) (2023-01-24) + + +### Bug Fixes + +* Use a version for to avoid GitHub API rate limiting on CI workflows ([#270](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/270)) ([66eb6d2](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/66eb6d27e69fc1ffdcf9117cc80e821cc1c36660)) + ### [8.2.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.0...v8.2.1) (2022-11-14) From 8232b477aa0291ce5a4f2475efed0b05dfad31af Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Tue, 7 Feb 2023 14:20:15 -0500 Subject: [PATCH 31/41] feat: Add support for creating a security group along with the load balancer (#273) --- .pre-commit-config.yaml | 2 +- README.md | 10 ++ examples/complete-alb/README.md | 10 +- examples/complete-alb/main.tf | 206 +++++++++++++++++------------- examples/complete-alb/outputs.tf | 14 ++ examples/complete-alb/versions.tf | 4 - main.tf | 109 +++++++++++----- outputs.tf | 14 ++ variables.tf | 40 ++++++ wrappers/main.tf | 6 + 10 files changed, 283 insertions(+), 132 deletions(-) 
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 75deea3..a8206b6 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/antonbabenko/pre-commit-terraform - rev: v1.77.0 + rev: v1.77.1 hooks: - id: terraform_fmt - id: terraform_wrapper_module_for_each diff --git a/README.md b/README.md index 1e900cc..7726d4e 100644 --- a/README.md +++ b/README.md @@ -320,6 +320,8 @@ No modules. | [aws_lb_listener_rule.https_listener_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | | [aws_lb_target_group.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | | [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource | +| [aws_security_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | ## Inputs 
@@ -327,6 +329,7 @@ No modules. |------|-------------|------|---------|:--------:| | [access\_logs](#input\_access\_logs) | Map containing access logging configuration for load balancer. | `map(string)` | `{}` | no | | [create\_lb](#input\_create\_lb) | Controls if the Load Balancer should be created | `bool` | `true` | no | +| [create\_security\_group](#input\_create\_security\_group) | Determines if a security group is created | `bool` | `true` | no | | [desync\_mitigation\_mode](#input\_desync\_mitigation\_mode) | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. | `string` | `"defensive"` | no | | [drop\_invalid\_header\_fields](#input\_drop\_invalid\_header\_fields) | Indicates whether invalid header fields are dropped in application load balancers. Defaults to false. | `bool` | `false` | no | | [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | 
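Review bot: `create_security_group` defaults to `true`, so every existing caller that currently passes its own `security_groups` list will get an additional security group created on the next apply, yet the commit is labelled `feat:` rather than as a breaking change. Either default the new input to `false`, or state in the README and upgrade notes that a group is now created by default and how it interacts with `security_groups`, so that reviewers of downstream plans are not surprised by a new security group appearing alongside the load balancer.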
@@ -355,6 +358,11 @@ No modules. | [name\_prefix](#input\_name\_prefix) | The resource name prefix and Name tag of the load balancer. Cannot be longer than 6 characters | `string` | `null` | no | | [preserve\_host\_header](#input\_preserve\_host\_header) | Indicates whether Host header should be preserve and forward to targets without any change. Defaults to false. | `bool` | `false` | no | | [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no | +| [security\_group\_description](#input\_security\_group\_description) | Description of the security group created | `string` | `null` | no | +| [security\_group\_name](#input\_security\_group\_name) | Name to use on security group created | `string` | `null` | no | +| [security\_group\_rules](#input\_security\_group\_rules) | Security group rules to add to the security group created | `any` | `{}` | no | +| [security\_group\_tags](#input\_security\_group\_tags) | A map of additional tags to add to the security group created | `map(string)` | `{}` | no | +| [security\_group\_use\_name\_prefix](#input\_security\_group\_use\_name\_prefix) | Determines whether the security group name (`security_group_name`) is used as a prefix | `bool` | `true` | no | | [security\_groups](#input\_security\_groups) | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | `list(string)` | `[]` | no | | [subnet\_mapping](#input\_subnet\_mapping) | A list of subnet mapping blocks describing subnets to attach to network load balancer | `list(map(string))` | `[]` | no | | [subnets](#input\_subnets) | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | `list(string)` | `null` | no | 
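Review bot: `security_group_rules` is typed `any` with default `{}`, so Terraform cannot validate the shape of what callers pass and a mistyped key is only caught, if at all, at apply time. Suggest at least documenting in the description which keys each rule map accepts, and ideally using a typed object for the rule entries. The empty default is a sound choice from a security standpoint, since a group with no rules admits no inbound traffic, but the description should say so explicitly so that users understand they must supply ingress rules for the listener ports before the load balancer will accept connections.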
@@ -376,6 +384,8 @@ No modules. | [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer | | [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created | | [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records | +| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group | +| [security\_group\_id](#output\_security\_group\_id) | ID of the security group | | [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch | | [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group | | [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs | diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index 4574e5b..5ce1cc9 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md @@ -22,7 +22,6 @@ Note that this example may create resources which cost money. Run `terraform des | [terraform](#requirement\_terraform) | >= 1.0 | | [aws](#requirement\_aws) | >= 4.27 | | [null](#requirement\_null) | >= 2.0 | -| [random](#requirement\_random) | >= 2.0 | ## Providers @@ -30,7 +29,6 @@ Note that this example may create resources which cost money. Run `terraform des |------|---------| | [aws](#provider\_aws) | >= 4.27 | | [null](#provider\_null) | >= 2.0 | -| [random](#provider\_random) | >= 2.0 | ## Modules 
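Review bot: the new `security_group_arn` and `security_group_id` outputs are documented here, but this hunk does not say what they yield when `create_security_group = false`. The `outputs.tf` change is not visible in this excerpt; suggest that those outputs follow the `try(aws_security_group.this[0].arn, null)` pattern already used for the `lb_*` outputs so that downstream references fail clearly rather than producing an empty string that could be passed on as if it were an ID.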
@@ -41,7 +39,7 @@ Note that this example may create resources which cost money. Run `terraform des | [lambda\_with\_allowed\_triggers](#module\_lambda\_with\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 | | [lambda\_without\_allowed\_triggers](#module\_lambda\_without\_allowed\_triggers) | terraform-aws-modules/lambda/aws | ~> 3.0 | | [lb\_disabled](#module\_lb\_disabled) | ../../ | n/a | -| [security\_group](#module\_security\_group) | terraform-aws-modules/security-group/aws | ~> 4.0 | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | | [wildcard\_cert](#module\_wildcard\_cert) | terraform-aws-modules/acm/aws | ~> 3.0 | ## Resources @@ -53,11 +51,9 @@ Note that this example may create resources which cost money. Run `terraform des | [aws_cognito_user_pool_domain.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cognito_user_pool_domain) | resource | | [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource | | [null_resource.download_package](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | -| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | | [aws_ami.amazon_linux](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | -| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs 
@@ -76,6 +72,8 @@ No inputs. | [lb\_dns\_name](#output\_lb\_dns\_name) | The DNS name of the load balancer. | | [lb\_id](#output\_lb\_id) | The ID and ARN of the load balancer we created. | | [lb\_zone\_id](#output\_lb\_zone\_id) | The zone\_id of the load balancer to assist with creating DNS records. | +| [security\_group\_arn](#output\_security\_group\_arn) | Amazon Resource Name (ARN) of the security group | +| [security\_group\_id](#output\_security\_group\_id) | ID of the security group | | [target\_group\_arn\_suffixes](#output\_target\_group\_arn\_suffixes) | ARN suffixes of our target groups - can be used with CloudWatch. | | [target\_group\_arns](#output\_target\_group\_arns) | ARNs of the target groups. Useful for passing to your Auto Scaling group. | | [target\_group\_attachments](#output\_target\_group\_attachments) | ARNs of the target group attachment IDs. | diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index d7b2317..d363f1c 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf 
@@ -1,107 +1,66 @@ provider "aws" { - region = "eu-west-1" -} - -locals { - domain_name = "terraform-aws-modules.modules.tf" -} - -################################################################## -# Data sources to get VPC and subnets -################################################################## -data "aws_vpc" "default" { - default = true -} - -data "aws_subnets" "all" { - filter { - name = "vpc-id" - values = [data.aws_vpc.default.id] - } -} - -resource "random_pet" "this" { - length = 2 -} - -data "aws_route53_zone" "this" { - name = local.domain_name + region = local.region } -module "security_group" { - source = "terraform-aws-modules/security-group/aws" - version = "~> 4.0" - - name = "alb-sg-${random_pet.this.id}" - description = "Security group for example usage with ALB" - vpc_id = data.aws_vpc.default.id - - ingress_cidr_blocks = ["0.0.0.0/0"] - ingress_rules = ["http-80-tcp", "all-icmp"] - egress_rules = ["all-all"] -} +data "aws_availability_zones" "available" {} -#module "log_bucket" { -# source = "terraform-aws-modules/s3-bucket/aws" -# version = "~> 3.0" -# -# bucket = "logs-${random_pet.this.id}" -# acl = "log-delivery-write" -# force_destroy = true -# attach_elb_log_delivery_policy = true -#} - -module "acm" { - source = "terraform-aws-modules/acm/aws" - version = "~> 3.0" - - domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") - zone_id = data.aws_route53_zone.this.id -} +locals { + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" -module "wildcard_cert" { - source = "terraform-aws-modules/acm/aws" - version = "~> 3.0" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) - domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".") - zone_id = data.aws_route53_zone.this.id -} - -################################################################## -# AWS Cognito User Pool 
-################################################################## -resource "aws_cognito_user_pool" "this" { - name = "user-pool-${random_pet.this.id}" -} - -resource "aws_cognito_user_pool_client" "this" { - name = "user-pool-client-${random_pet.this.id}" - user_pool_id = aws_cognito_user_pool.this.id - generate_secret = true - allowed_oauth_flows = ["code", "implicit"] - callback_urls = ["https://${local.domain_name}/callback"] - allowed_oauth_scopes = ["email", "openid"] - allowed_oauth_flows_user_pool_client = true -} + domain_name = "terraform-aws-modules.modules.tf" -resource "aws_cognito_user_pool_domain" "this" { - domain = random_pet.this.id - user_pool_id = aws_cognito_user_pool.this.id + tags = { + Example = local.name + GithubRepo = "terraform-aws-alb" + GithubOrg = "terraform-aws-modules" + } } ################################################################## # Application Load Balancer ################################################################## + module "alb" { source = "../../" - name = "complete-alb-${random_pet.this.id}" + name = local.name load_balancer_type = "application" - vpc_id = data.aws_vpc.default.id - security_groups = [module.security_group.security_group_id] - subnets = data.aws_subnets.all.ids + vpc_id = module.vpc.vpc_id + subnets = module.vpc.public_subnets + # Attach security groups + security_groups = [module.vpc.default_security_group_id] + # Attach rules to the created security group + security_group_rules = { + ingress_all_http = { + type = "ingress" + from_port = 80 + to_port = 80 + protocol = "http" + description = "HTTP web traffic" + cidr_blocks = ["0.0.0.0/0"] + } + ingress_all_icmp = { + type = "ingress" + from_port = -1 + to_port = -1 + protocol = "icmp" + description = "ICMP" + cidr_blocks = ["0.0.0.0/0"] + } + egress_all = { + type = "egress" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + } # # See notes in README (ref: 
https://github.com/terraform-providers/terraform-provider-aws/issues/7987) # access_logs = { @@ -158,7 +117,7 @@ module "alb" { prompt = "login" } on_unauthenticated_request = "authenticate" - session_cookie_name = "session-${random_pet.this.id}" + session_cookie_name = "session-${local.name}" session_timeout = 3600 user_pool_arn = aws_cognito_user_pool.this.arn user_pool_client_id = aws_cognito_user_pool_client.this.id @@ -202,7 +161,7 @@ module "alb" { type = "authenticate-cognito" on_unauthenticated_request = "authenticate" - session_cookie_name = "session-${random_pet.this.id}" + session_cookie_name = "session-${local.name}" session_timeout = 3600 user_pool_arn = aws_cognito_user_pool.this.arn user_pool_client_id = aws_cognito_user_pool_client.this.id @@ -465,6 +424,7 @@ module "alb" { ######################### # LB will not be created ######################### + module "lb_disabled" { source = "../../" @@ -474,6 +434,7 @@ module "lb_disabled" { ################## # Extra resources ################## + data "aws_ami" "amazon_linux" { most_recent = true @@ -524,7 +485,7 @@ module "lambda_with_allowed_triggers" { source = "terraform-aws-modules/lambda/aws" version = "~> 3.0" - function_name = "${random_pet.this.id}-with-allowed-triggers" + function_name = "${local.name}-with-allowed-triggers" description = "My awesome lambda function (with allowed triggers)" handler = "index.lambda_handler" runtime = "python3.8" @@ -548,7 +509,7 @@ module "lambda_without_allowed_triggers" { source = "terraform-aws-modules/lambda/aws" version = "~> 3.0" - function_name = "${random_pet.this.id}-without-allowed-triggers" + function_name = "${local.name}-without-allowed-triggers" description = "My awesome lambda function (without allowed triggers)" handler = "index.lambda_handler" runtime = "python3.8" 
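Review bot: `protocol = "http"` in the `ingress_all_http` rule of `module "alb"` is not a valid value for `aws_security_group_rule`, which only accepts `tcp`, `udp`, `icmp`, `icmpv6`, `-1` (all) or an IP protocol number, so this example fails at apply; it should be `protocol = "tcp"` with ports 80/80 as written. In the same block, `security_groups = [module.vpc.default_security_group_id]` attaches the VPC default group on top of the group the module now creates; the default group's self-referencing allow-all rule widens what the load balancer accepts beyond the explicit `security_group_rules`, so drop it (or pass an empty list) and rely on the created group alone.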
@@ -563,3 +524,68 @@ module "lambda_without_allowed_triggers" { depends_on = [null_resource.download_package] } + +################################################################## +# Data sources to get VPC and subnets +################################################################## + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 3.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + tags = local.tags +} + +data "aws_route53_zone" "this" { + name = local.domain_name +} + +module "acm" { + source = "terraform-aws-modules/acm/aws" + version = "~> 3.0" + + domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") + zone_id = data.aws_route53_zone.this.id +} + +module "wildcard_cert" { + source = "terraform-aws-modules/acm/aws" + version = "~> 3.0" + + domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".") + zone_id = data.aws_route53_zone.this.id +} + +################################################################## +# AWS Cognito User Pool +################################################################## + +resource "aws_cognito_user_pool" "this" { + name = "user-pool-${local.name}" +} + +resource "aws_cognito_user_pool_client" "this" { + name = "user-pool-client-${local.name}" + user_pool_id = aws_cognito_user_pool.this.id + generate_secret = true + allowed_oauth_flows = ["code", "implicit"] + callback_urls = ["https://${local.domain_name}/callback"] + allowed_oauth_scopes = ["email", "openid"] + allowed_oauth_flows_user_pool_client = true +} + +resource "aws_cognito_user_pool_domain" "this" { + domain = local.name + user_pool_id = aws_cognito_user_pool.this.id +} 
diff --git a/examples/complete-alb/outputs.tf b/examples/complete-alb/outputs.tf index 864b493..f80e8b5 100644 --- a/examples/complete-alb/outputs.tf +++ b/examples/complete-alb/outputs.tf @@ -62,3 +62,17 @@ output "target_group_attachments" { description = "ARNs of the target group attachment IDs." value = module.alb.target_group_attachments } + +################################################################################ +# Security Group +################################################################################ + +output "security_group_arn" { + description = "Amazon Resource Name (ARN) of the security group" + value = module.alb.security_group_arn +} + +output "security_group_id" { + description = "ID of the security group" + value = module.alb.security_group_id +} diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf index e5fe0c8..81088aa 100644 --- a/examples/complete-alb/versions.tf +++ b/examples/complete-alb/versions.tf @@ -6,10 +6,6 @@ terraform { source = "hashicorp/aws" version = ">= 4.27" } - random = { - source = "hashicorp/random" - version = ">= 2.0" - } null = { source = "hashicorp/null" version = ">= 2.0" diff --git a/main.tf b/main.tf index 5b9ff31..deda284 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,7 @@ resource "aws_lb" "this" { load_balancer_type = var.load_balancer_type internal = var.internal - security_groups = var.security_groups + security_groups = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups subnets = var.subnets idle_timeout = var.idle_timeout @@ -24,7 +24,7 @@ resource "aws_lb" "this" { desync_mitigation_mode = var.desync_mitigation_mode dynamic "access_logs" { - for_each = length(keys(var.access_logs)) == 0 ? [] : [var.access_logs] + for_each = length(var.access_logs) > 0 ? [var.access_logs] : [] content { enabled = try(access_logs.value.enabled, try(access_logs.value.bucket, null) != null) 
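Review bot: the new `security_groups` expression in `resource "aws_lb" "this"` prepends `aws_security_group.this[0].id` whenever `var.create_security_group` is true, regardless of `var.load_balancer_type`; Network Load Balancers did not accept security groups in the provider range this module targets, so the default of `create_security_group = true` breaks every NLB user on upgrade. Gate the attachment on the type, e.g. `var.create_security_group && var.load_balancer_type == "application" ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups`, and apply the same condition to the resource's `count` so no unattached group is left behind for NLBs.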
@@ -66,44 +66,44 @@ resource "aws_lb_target_group" "main" { name_prefix = lookup(var.target_groups[count.index], "name_prefix", null) vpc_id = var.vpc_id - port = lookup(var.target_groups[count.index], "backend_port", null) - protocol = lookup(var.target_groups[count.index], "backend_protocol", null) != null ? upper(lookup(var.target_groups[count.index], "backend_protocol")) : null - protocol_version = lookup(var.target_groups[count.index], "protocol_version", null) != null ? upper(lookup(var.target_groups[count.index], "protocol_version")) : null - target_type = lookup(var.target_groups[count.index], "target_type", null) - - connection_termination = lookup(var.target_groups[count.index], "connection_termination", null) - deregistration_delay = lookup(var.target_groups[count.index], "deregistration_delay", null) - slow_start = lookup(var.target_groups[count.index], "slow_start", null) - proxy_protocol_v2 = lookup(var.target_groups[count.index], "proxy_protocol_v2", false) - lambda_multi_value_headers_enabled = lookup(var.target_groups[count.index], "lambda_multi_value_headers_enabled", false) - load_balancing_algorithm_type = lookup(var.target_groups[count.index], "load_balancing_algorithm_type", null) - preserve_client_ip = lookup(var.target_groups[count.index], "preserve_client_ip", null) - ip_address_type = lookup(var.target_groups[count.index], "ip_address_type", null) + port = try(var.target_groups[count.index].backend_port, null) + protocol = try(upper(var.target_groups[count.index].backend_protocol), null) + protocol_version = try(upper(var.target_groups[count.index].protocol_version), null) + target_type = try(var.target_groups[count.index].target_type, null) + + connection_termination = try(var.target_groups[count.index].connection_termination, null) + deregistration_delay = try(var.target_groups[count.index].deregistration_delay, null) + slow_start = try(var.target_groups[count.index].slow_start, null) + proxy_protocol_v2 = 
try(var.target_groups[count.index].proxy_protocol_v2, false) + lambda_multi_value_headers_enabled = try(var.target_groups[count.index].lambda_multi_value_headers_enabled, false) + load_balancing_algorithm_type = try(var.target_groups[count.index].load_balancing_algorithm_type, null) + preserve_client_ip = try(var.target_groups[count.index].preserve_client_ip, null) + ip_address_type = try(var.target_groups[count.index].ip_address_type, null) dynamic "health_check" { - for_each = length(keys(lookup(var.target_groups[count.index], "health_check", {}))) == 0 ? [] : [lookup(var.target_groups[count.index], "health_check", {})] + for_each = try([var.target_groups[count.index].health_check], []) content { - enabled = lookup(health_check.value, "enabled", null) - interval = lookup(health_check.value, "interval", null) - path = lookup(health_check.value, "path", null) - port = lookup(health_check.value, "port", null) - healthy_threshold = lookup(health_check.value, "healthy_threshold", null) - unhealthy_threshold = lookup(health_check.value, "unhealthy_threshold", null) - timeout = lookup(health_check.value, "timeout", null) - protocol = lookup(health_check.value, "protocol", null) - matcher = lookup(health_check.value, "matcher", null) + enabled = try(health_check.value.enabled, null) + interval = try(health_check.value.interval, null) + path = try(health_check.value.path, null) + port = try(health_check.value.port, null) + healthy_threshold = try(health_check.value.healthy_threshold, null) + unhealthy_threshold = try(health_check.value.unhealthy_threshold, null) + timeout = try(health_check.value.timeout, null) + protocol = try(health_check.value.protocol, null) + matcher = try(health_check.value.matcher, null) } } dynamic "stickiness" { - for_each = length(keys(lookup(var.target_groups[count.index], "stickiness", {}))) == 0 ? 
[] : [lookup(var.target_groups[count.index], "stickiness", {})] + for_each = try([var.target_groups[count.index].stickiness], []) content { - enabled = lookup(stickiness.value, "enabled", null) - cookie_duration = lookup(stickiness.value, "cookie_duration", null) - type = lookup(stickiness.value, "type", null) - cookie_name = lookup(stickiness.value, "cookie_name", null) + enabled = lookup(stickiness.value.enabled, null) + cookie_duration = lookup(stickiness.value.cookie_duration, null) + type = lookup(stickiness.value.type, null) + cookie_name = lookup(stickiness.value.cookie_name, null) } } @@ -112,7 +112,7 @@ resource "aws_lb_target_group" "main" { var.target_group_tags, lookup(var.target_groups[count.index], "tags", {}), { - "Name" = lookup(var.target_groups[count.index], "name", lookup(var.target_groups[count.index], "name_prefix", "")) + "Name" = try(var.target_groups[count.index].name, var.target_groups[count.index].name_prefix, "") }, ) 
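Review bot: the rewritten `stickiness` block is broken: `lookup(stickiness.value.enabled, null)` passes a scalar where `lookup` expects `(map, key, default)`, so any target group that sets `stickiness` now fails at plan time; these four lines should use `try(stickiness.value.enabled, null)` and so on, matching the `health_check` block directly above. Separately, `for_each = try([var.target_groups[count.index].health_check], [])` changes behaviour for callers that pass `health_check = {}`: the old `length(keys(...)) == 0` guard suppressed the block, while the new form emits a `health_check` block with every attribute `null`; if that is intended, call it out in the changelog, otherwise keep an emptiness check.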
@@ -764,3 +764,50 @@ resource "aws_lb_listener_certificate" "https_listener" { listener_arn = aws_lb_listener.frontend_https[var.extra_ssl_certs[count.index]["https_listener_index"]].arn certificate_arn = var.extra_ssl_certs[count.index]["certificate_arn"] } + +################################################################################ +# Security Group +################################################################################ + +locals { + create_security_group = local.create_lb && var.create_security_group + security_group_name = try(coalesce(var.security_group_name, var.name, var.name_prefix), "") +} + +resource "aws_security_group" "this" { + count = local.create_security_group ? 1 : 0 + + name = var.security_group_use_name_prefix ? null : local.security_group_name + name_prefix = var.security_group_use_name_prefix ? "${local.security_group_name}-" : null + description = var.security_group_description + vpc_id = var.vpc_id + + tags = merge( + var.tags, + var.security_group_tags, + { "Name" = local.security_group_name }, + ) + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_security_group_rule" "this" { + for_each = { for k, v in var.security_group_rules : k => v if local.create_security_group } + + # Required + security_group_id = aws_security_group.this[0].id + protocol = each.value.protocol + from_port = each.value.from_port + to_port = each.value.to_port + type = each.value.type + + # Optional + description = lookup(each.value, "description", null) + cidr_blocks = lookup(each.value, "cidr_blocks", null) + ipv6_cidr_blocks = lookup(each.value, "ipv6_cidr_blocks", null) + prefix_list_ids = lookup(each.value, "prefix_list_ids", null) + self = lookup(each.value, "self", null) + source_security_group_id = lookup(each.value, "source_security_group_id", null) +} diff --git a/outputs.tf b/outputs.tf index 32c9b6f..816edc6 100644 --- a/outputs.tf +++ b/outputs.tf 
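Review bot: `local.create_security_group = local.create_lb && var.create_security_group` does not consider `var.load_balancer_type`, so a security group and all of its `aws_security_group_rule` entries are created for `network` load balancers too, even though they cannot be attached there; add `&& var.load_balancer_type == "application"` to the local. Two documentation points on `resource "aws_security_group" "this"`: the provider strips the AWS default allow-all egress rule from groups it creates, so callers must supply an egress entry in `security_group_rules` (as the complete-alb example does) or the load balancer cannot reach its targets, and the README should say so; and `security_group_name = try(coalesce(var.security_group_name, var.name, var.name_prefix), "")` silently yields an empty name (and a `name_prefix` of `"-"`) when all three are null, which would be clearer as a `validation` block on `security_group_name` or an explicit error.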
@@ -62,3 +62,17 @@ output "target_group_attachments" { description = "ARNs of the target group attachment IDs" value = { for k, v in aws_lb_target_group_attachment.this : k => v.id } } + +################################################################################ +# Security Group +################################################################################ + +output "security_group_arn" { + description = "Amazon Resource Name (ARN) of the security group" + value = try(aws_security_group.this[0].arn, null) +} + +output "security_group_id" { + description = "ID of the security group" + value = try(aws_security_group.this[0].id, null) +} diff --git a/variables.tf b/variables.tf index aa9860d..cf10f06 100644 --- a/variables.tf +++ b/variables.tf @@ -219,3 +219,43 @@ variable "putin_khuylo" { type = bool default = true } + +################################################################################ +# Security Group +################################################################################ + +variable "create_security_group" { + description = "Determines if a security group is created" + type = bool + default = true +} + +variable "security_group_name" { + description = "Name to use on security group created" + type = string + default = null +} + +variable "security_group_use_name_prefix" { + description = "Determines whether the security group name (`security_group_name`) is used as a prefix" + type = bool + default = true +} + +variable "security_group_description" { + description = "Description of the security group created" + type = string + default = null +} + +variable "security_group_rules" { + description = "Security group rules to add to the security group created" + type = any + default = {} +} + +variable "security_group_tags" { + description = "A map of additional tags to add to the security group created" + type = map(string) + default = {} +} diff --git a/wrappers/main.tf b/wrappers/main.tf index 5098d5a..44f2337 100644 
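Review bot: `variable "security_group_rules"` is typed `any` with a description that does not state the expected shape, so a misspelled key such as `from_ports` only surfaces as an "unsupported attribute" error on `each.value.from_port` deep inside `aws_security_group_rule`; document the required keys (`type`, `protocol`, `from_port`, `to_port`) and the optional ones read via `lookup` (`description`, `cidr_blocks`, `ipv6_cidr_blocks`, `prefix_list_ids`, `self`, `source_security_group_id`) in the description, and consider a typed `map(object({...}))` with `optional()` attributes once the minimum Terraform version allows it.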
--- a/wrappers/main.tf +++ b/wrappers/main.tf @@ -40,4 +40,10 @@ module "wrapper" { enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, false) desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, "defensive") putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true) + create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true) + security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null) + security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true) + security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null) + security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {}) + security_group_tags = try(each.value.security_group_tags, var.defaults.security_group_tags, {}) } From ffc7c9bca387f71f24d3da9b786adf58e112f606 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Tue, 7 Feb 2023 19:20:47 +0000 Subject: [PATCH 32/41] chore(release): version 8.3.0 [skip ci] ## [8.3.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.2...v8.3.0) (2023-02-07) ### Features * Add support for creating a security group along with the load balancer ([#273](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/273)) ([8232b47](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/8232b477aa0291ce5a4f2475efed0b05dfad31af)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 623cf9d..5d49c36 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.3.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.2...v8.3.0) (2023-02-07) + + +### Features + +* Add support for creating a security group along with the load balancer ([#273](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/273)) ([8232b47](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/8232b477aa0291ce5a4f2475efed0b05dfad31af)) + ### [8.2.2](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.1...v8.2.2) (2023-01-24) From 0c02a23863838002eb1a596b53e9a234e01fb9d5 Mon Sep 17 00:00:00 2001 From: Bryant Biggs Date: Wed, 8 Feb 2023 09:50:38 -0500 Subject: [PATCH 33/41] fix: Correct stickiness syntax and ensure that security group is not created for network load balancers (#277) Resolves undefined --- examples/complete-alb/README.md | 4 +- examples/complete-alb/main.tf | 43 +++++----- examples/complete-alb/variables.tf | 5 ++ examples/complete-nlb/README.md | 11 ++- examples/complete-nlb/main.tf | 124 +++++++++++++++-------------- examples/complete-nlb/variables.tf | 5 ++ examples/complete-nlb/versions.tf | 4 - main.tf | 12 +-- 8 files changed, 110 insertions(+), 98 deletions(-) diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index 5ce1cc9..ce6b772 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md @@ -57,7 +57,9 @@ Note that this example may create resources which cost money. Run `terraform des ## Inputs -No inputs. +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no | ## Outputs diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index d363f1c..e9a7663 100644 --- a/examples/complete-alb/main.tf 
+++ b/examples/complete-alb/main.tf @@ -11,8 +11,6 @@ locals { vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) - domain_name = "terraform-aws-modules.modules.tf" - tags = { Example = local.name GithubRepo = "terraform-aws-alb" @@ -41,7 +39,7 @@ module "alb" { type = "ingress" from_port = 80 to_port = 80 - protocol = "http" + protocol = "tcp" description = "HTTP web traffic" cidr_blocks = ["0.0.0.0/0"] } @@ -62,10 +60,10 @@ module "alb" { } } - # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) - # access_logs = { - # bucket = module.log_bucket.s3_bucket_id - # } + # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) + # access_logs = { + # bucket = module.log_bucket.s3_bucket_id + # } http_tcp_listeners = [ # Forward action is default, either when defined or undefined @@ -135,12 +133,12 @@ module "alb" { display = "page" prompt = "login" } - authorization_endpoint = "https://${local.domain_name}/auth" + authorization_endpoint = "https://${var.domain_name}/auth" client_id = "client_id" client_secret = "client_secret" - issuer = "https://${local.domain_name}" - token_endpoint = "https://${local.domain_name}/token" - user_info_endpoint = "https://${local.domain_name}/user_info" + issuer = "https://${var.domain_name}" + token_endpoint = "https://${var.domain_name}/token" + user_info_endpoint = "https://${var.domain_name}/user_info" } }, ] 
@@ -189,12 +187,12 @@ module "alb" { display = "page" prompt = "login" } - authorization_endpoint = "https://${local.domain_name}/auth" + authorization_endpoint = "https://${var.domain_name}/auth" client_id = "client_id" client_secret = "client_secret" - issuer = "https://${local.domain_name}" - token_endpoint = "https://${local.domain_name}/token" - user_info_endpoint = "https://${local.domain_name}/user_info" + issuer = "https://${var.domain_name}" + token_endpoint = "https://${var.domain_name}/token" + user_info_endpoint = "https://${var.domain_name}/user_info" }, { type = "forward" @@ -460,6 +458,7 @@ data "aws_ami" "amazon_linux" { resource "aws_instance" "this" { ami = data.aws_ami.amazon_linux.id instance_type = "t3.nano" + subnet_id = element(module.vpc.private_subnets, 0) } ############################################# @@ -525,9 +524,9 @@ module "lambda_without_allowed_triggers" { depends_on = [null_resource.download_package] } -################################################################## -# Data sources to get VPC and subnets -################################################################## +################################################################################ +# Supporting resources +################################################################################ module "vpc" { source = "terraform-aws-modules/vpc/aws" @@ -548,14 +547,14 @@ module "vpc" { } data "aws_route53_zone" "this" { - name = local.domain_name + name = var.domain_name } module "acm" { source = "terraform-aws-modules/acm/aws" version = "~> 3.0" - domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") + domain_name = var.domain_name zone_id = data.aws_route53_zone.this.id } 
@@ -563,7 +562,7 @@ module "wildcard_cert" { source = "terraform-aws-modules/acm/aws" version = "~> 3.0" - domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".") + domain_name = "*.${var.domain_name}" zone_id = data.aws_route53_zone.this.id } @@ -580,7 +579,7 @@ resource "aws_cognito_user_pool_client" "this" { user_pool_id = aws_cognito_user_pool.this.id generate_secret = true allowed_oauth_flows = ["code", "implicit"] - callback_urls = ["https://${local.domain_name}/callback"] + callback_urls = ["https://${var.domain_name}/callback"] allowed_oauth_scopes = ["email", "openid"] allowed_oauth_flows_user_pool_client = true } diff --git a/examples/complete-alb/variables.tf b/examples/complete-alb/variables.tf index e69de29..a5e6aab 100644 --- a/examples/complete-alb/variables.tf +++ b/examples/complete-alb/variables.tf @@ -0,0 +1,5 @@ +variable "domain_name" { + description = "The domain name for which the certificate should be issued" + type = string + default = "terraform-aws-modules.modules.tf" +} diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index 57c4f52..72ccad0 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -21,14 +21,12 @@ Note that this example may create resources which cost money. Run `terraform des |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | | [aws](#requirement\_aws) | >= 4.27 | -| [random](#requirement\_random) | >= 2.0 | ## Providers | Name | Version | |------|---------| | [aws](#provider\_aws) | >= 4.27 | -| [random](#provider\_random) | >= 2.0 | ## Modules 
@@ -36,20 +34,21 @@ Note that this example may create resources which cost money. Run `terraform des |------|--------|---------| | [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 | | [nlb](#module\_nlb) | ../../ | n/a | +| [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 | ## Resources | Name | Type | |------|------| | [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource | -| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source | | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | -| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source | -| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | ## Inputs -No inputs. +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no | ## Outputs diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf index e88059f..f189ca8 100644 --- a/examples/complete-nlb/main.tf +++ b/examples/complete-nlb/main.tf 
@@ -1,82 +1,47 @@ provider "aws" { - region = "eu-west-1" + region = local.region } +data "aws_availability_zones" "available" {} + locals { - domain_name = "terraform-aws-modules.modules.tf" -} + name = "ex-${basename(path.cwd)}" + region = "eu-west-1" -################################################################## -# Data sources to get VPC and subnets -################################################################## -data "aws_vpc" "default" { - default = true -} + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) -data "aws_subnets" "all" { - filter { - name = "vpc-id" - values = [data.aws_vpc.default.id] + tags = { + Example = local.name + GithubRepo = "terraform-aws-alb" + GithubOrg = "terraform-aws-modules" } } -resource "random_pet" "this" { - length = 2 -} - -data "aws_route53_zone" "this" { - name = local.domain_name -} - -# module "log_bucket" { -# source = "terraform-aws-modules/s3-bucket/aws" -# version = "~> 3.0" -# -# bucket = "logs-${random_pet.this.id}" -# acl = "log-delivery-write" -# force_destroy = true -# attach_elb_log_delivery_policy = true -# } - -module "acm" { - source = "terraform-aws-modules/acm/aws" - version = "~> 3.0" - - domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".") - zone_id = data.aws_route53_zone.this.id -} - -resource "aws_eip" "this" { - count = length(data.aws_subnets.all.ids) - - vpc = true -} - ################################################################## -# Network Load Balancer with Elastic IPs attached +# Network Load Balancer ################################################################## + module "nlb" { source = "../../" - name = "complete-nlb-${random_pet.this.id}" + name = local.name load_balancer_type = "network" + vpc_id = module.vpc.vpc_id - vpc_id = data.aws_vpc.default.id + # Use `subnets` if you don't want to attach EIPs + # subnets = module.vpc.private_subnets - # Use `subnets` if you don't want to attach EIPs - # subnets 
= tolist(data.aws_subnet_ids.all.ids) + # Use `subnet_mapping` to attach EIPs + subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : module.vpc.private_subnets[i] }] - # Use `subnet_mapping` to attach EIPs - subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : tolist(data.aws_subnets.all.ids)[i] }] + # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) + # access_logs = { + # bucket = module.log_bucket.s3_bucket_id + # } - # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987) - # access_logs = { - # bucket = module.log_bucket.s3_bucket_id - # } - - - # TCP_UDP, UDP, TCP + # TCP_UDP, UDP, TCP http_tcp_listeners = [ { port = 81 @@ -150,4 +115,45 @@ module "nlb" { target_type = "instance" }, ] + + tags = local.tags +} + +################################################################################ +# Supporting resources +################################################################################ + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "~> 3.0" + + name = local.name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + tags = local.tags +} + +data "aws_route53_zone" "this" { + name = var.domain_name +} + +module "acm" { + source = "terraform-aws-modules/acm/aws" + version = "~> 3.0" + + domain_name = var.domain_name + zone_id = data.aws_route53_zone.this.id +} + +resource "aws_eip" "this" { + count = length(local.azs) + vpc = true } diff --git a/examples/complete-nlb/variables.tf b/examples/complete-nlb/variables.tf index e69de29..a5e6aab 100644 --- a/examples/complete-nlb/variables.tf 
+++ b/examples/complete-nlb/variables.tf @@ -0,0 +1,5 @@ +variable "domain_name" { + description = "The domain name for which the certificate should be issued" + type = string + default = "terraform-aws-modules.modules.tf" +} diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf index 021d385..f59f81e 100644 --- a/examples/complete-nlb/versions.tf +++ b/examples/complete-nlb/versions.tf @@ -6,9 +6,5 @@ terraform { source = "hashicorp/aws" version = ">= 4.27" } - random = { - source = "hashicorp/random" - version = ">= 2.0" - } } } diff --git a/main.tf b/main.tf index deda284..7aedd4e 100644 --- a/main.tf +++ b/main.tf @@ -10,7 +10,7 @@ resource "aws_lb" "this" { load_balancer_type = var.load_balancer_type internal = var.internal - security_groups = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups + security_groups = var.create_security_group && var.load_balancer_type == "application" ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups subnets = var.subnets idle_timeout = var.idle_timeout @@ -100,10 +100,10 @@ resource "aws_lb_target_group" "main" { for_each = try([var.target_groups[count.index].stickiness], []) content { - enabled = lookup(stickiness.value.enabled, null) - cookie_duration = lookup(stickiness.value.cookie_duration, null) - type = lookup(stickiness.value.type, null) - cookie_name = lookup(stickiness.value.cookie_name, null) + enabled = try(stickiness.value.enabled, null) + cookie_duration = try(stickiness.value.cookie_duration, null) + type = try(stickiness.value.type, null) + cookie_name = try(stickiness.value.cookie_name, null) } } 
@@ -770,7 +770,7 @@ resource "aws_lb_listener_certificate" "https_listener" { ################################################################################ locals { - create_security_group = local.create_lb && var.create_security_group + create_security_group = local.create_lb && var.create_security_group && var.load_balancer_type == "application" security_group_name = try(coalesce(var.security_group_name, var.name, var.name_prefix), "") } From 96ea16ae041a2ebe5fd47f696b4c34560b842bda Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Wed, 8 Feb 2023 14:51:14 +0000 Subject: [PATCH 34/41] chore(release): version 8.3.1 [skip ci] ### [8.3.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.0...v8.3.1) (2023-02-08) ### Bug Fixes * Correct stickiness syntax and ensure that security group is not created for network load balancers ([#277](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/277)) ([0c02a23](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/0c02a23863838002eb1a596b53e9a234e01fb9d5)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5d49c36..f67e5cd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +### [8.3.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.0...v8.3.1) (2023-02-08) + + +### Bug Fixes + +* Correct stickiness syntax and ensure that security group is not created for network load balancers ([#277](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/277)) ([0c02a23](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/0c02a23863838002eb1a596b53e9a234e01fb9d5)) + ## [8.3.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.2.2...v8.3.0) (2023-02-07) From 4a1407553d1459eefa387249d37b971ac5cdccbf Mon Sep 17 00:00:00 2001 
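Review bot: In the `module "nlb"` block of examples/complete-nlb/main.tf, `subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : module.vpc.private_subnets[i] }]` attaches Elastic IPs to the private subnets, which the VPC module routes out through the single NAT gateway rather than an internet gateway. An Elastic IP only does anything for an internet-facing load balancer in a subnet with an internet gateway route, so either map the EIPs onto `module.vpc.public_subnets[i]` or make the example an internal NLB and use the commented `# subnets = module.vpc.private_subnets` path instead of EIPs.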
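Review bot: The `security_groups` line in `resource "aws_lb" "this"` re-derives the same condition that the `locals` hunk at the end of this patch stores as `local.create_security_group` (`local.create_lb && var.create_security_group && var.load_balancer_type == "application"`). Reference the local here, e.g. `security_groups = local.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups`, so the two expressions cannot drift apart the next time the rule changes. A README note that `create_security_group` is ignored for network load balancers would also help, since a caller leaving it at `true` with `load_balancer_type = "network"` now gets no security group and no warning.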
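Review bot: In the `stickiness` block of `aws_lb_target_group.main`, `try(stickiness.value.type, null)` hides a required attribute: the provider requires `type` whenever a stickiness block is present, so a target group written as `stickiness = { enabled = true }` now fails at plan time with a provider-level error rather than a clear module message. Say in the `target_groups` input description that `type` is mandatory inside `stickiness` (and which values apply to HTTP versus TCP target groups). The switch to `try()` itself is the right fix: the old `lookup(stickiness.value.enabled, null)` passed a scalar where `lookup` expects a map, which is why the block never worked.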
From: michaelact <86778470+michaelact@users.noreply.github.com> Date: Fri, 3 Mar 2023 18:32:51 +0700 Subject: [PATCH 35/41] feat: Default action forward action type (#269) Co-authored-by: Anton Babenko --- examples/complete-alb/main.tf | 19 ++++++++++++++++++- main.tf | 26 +++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index e9a7663..f95cfb6 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf @@ -76,6 +76,23 @@ module "alb" { { port = 81 protocol = "HTTP" + action_type = "forward" + forward = { + target_groups = [ + { + target_group_index = 0 + weight = 100 + }, + { + target_group_index = 1 + weight = 0 + } + ] + } + }, + { + port = 82 + protocol = "HTTP" action_type = "redirect" redirect = { port = "443" @@ -84,7 +101,7 @@ module "alb" { } }, { - port = 82 + port = 83 protocol = "HTTP" action_type = "fixed-response" fixed_response = { diff --git a/main.tf b/main.tf index 7aedd4e..43b87f5 100644 --- a/main.tf +++ b/main.tf @@ -629,7 +629,7 @@ resource "aws_lb_listener" "frontend_http_tcp" { # Defaults to forward action if action_type not specified content { type = lookup(default_action.value, "action_type", "forward") - target_group_arn = contains([null, "", "forward"], lookup(default_action.value, "action_type", "")) ? aws_lb_target_group.main[lookup(default_action.value, "target_group_index", count.index)].id : null + target_group_arn = contains([null, ""], lookup(default_action.value, "action_type", "")) ? aws_lb_target_group.main[lookup(default_action.value, "target_group_index", count.index)].id : null dynamic "redirect" { for_each = length(keys(lookup(default_action.value, "redirect", {}))) == 0 ? [] : [lookup(default_action.value, "redirect", {})] 
@@ -653,6 +653,30 @@ resource "aws_lb_listener" "frontend_http_tcp" { status_code = lookup(fixed_response.value, "status_code", null) } } + + dynamic "forward" { + for_each = length(keys(lookup(default_action.value, "forward", {}))) == 0 ? [] : [lookup(default_action.value, "forward", {})] + + content { + dynamic "target_group" { + for_each = forward.value["target_groups"] + + content { + arn = aws_lb_target_group.main[target_group.value["target_group_index"]].id + weight = lookup(target_group.value, "weight", null) + } + } + + dynamic "stickiness" { + for_each = length(keys(lookup(forward.value, "stickiness", {}))) == 0 ? [] : [lookup(forward.value, "stickiness", {})] + + content { + enabled = lookup(stickiness.value, "enabled", false) + duration = lookup(stickiness.value, "duration", 60) + } + } + } + } } } From e7c33bacd585a12dc6ecbd757da3d727dac06955 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 3 Mar 2023 11:33:20 +0000 Subject: [PATCH 36/41] chore(release): version 8.4.0 [skip ci] ## [8.4.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.1...v8.4.0) (2023-03-03) ### Features * Default action forward action type ([#269](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/269)) ([4a14075](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/4a1407553d1459eefa387249d37b971ac5cdccbf)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f67e5cd..f75446b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
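Review bot: Dropping `"forward"` from the `contains([null, ""], lookup(default_action.value, "action_type", ""))` test at `target_group_arn` in `aws_lb_listener.frontend_http_tcp` is a breaking change for existing callers: a listener written the old way, `action_type = "forward"` with a `target_group_index` and no `forward` map, now gets `target_group_arn = null` and no `forward` block, so the provider rejects the default action. Keep the old path when no `forward` map is supplied, for example `contains([null, "", "forward"], lookup(default_action.value, "action_type", "")) && length(keys(lookup(default_action.value, "forward", {}))) == 0`, or document the change as breaking.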
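Review bot: The new `dynamic "forward"` block is only added to `aws_lb_listener.frontend_http_tcp`, and the diffstat lists just examples/complete-alb/main.tf and main.tf, so the README's `http_tcp_listeners` description still does not document the `forward = { target_groups = [{ target_group_index, weight }], stickiness = { enabled, duration } }` shape the example now relies on. Add those keys to the README, and confirm whether the HTTPS listener resource (the README has a parallel `https_listeners` input) needs the same block, since callers will expect weighted forwarding to behave the same on both listener types.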
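Review bot: In examples/complete-alb/main.tf the new port 81 listener forwards with `weight = 100` to target group 0 and `weight = 0` to target group 1; a one-line comment that a zero weight keeps the second group registered but idle (the usual staging or blue/green setup) would tell readers why the second entry is there at all.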
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.4.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.1...v8.4.0) (2023-03-03) + + +### Features + +* Default action forward action type ([#269](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/269)) ([4a14075](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/4a1407553d1459eefa387249d37b971ac5cdccbf)) + ### [8.3.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.0...v8.3.1) (2023-02-08) From 0178d70cd3a4e80b15e5f4bdd3f476057c4d1db1 Mon Sep 17 00:00:00 2001 From: Melissa Greenbaum <69476188+magreenbaum@users.noreply.github.com> Date: Sat, 18 Mar 2023 18:05:39 -0400 Subject: [PATCH 37/41] feat: Add `load_balancing_cross_zone_enabled` option to `aws_lb_target_group` (#282) Co-authored-by: magreenbaum --- README.md | 4 ++-- examples/complete-alb/README.md | 4 ++-- examples/complete-alb/main.tf | 11 ++++++----- examples/complete-alb/versions.tf | 2 +- examples/complete-nlb/README.md | 4 ++-- examples/complete-nlb/versions.tf | 2 +- main.tf | 1 + versions.tf | 2 +- 8 files changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 7726d4e..6198792 100644 --- a/README.md +++ b/README.md @@ -295,13 +295,13 @@ module "lb" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.27 | +| [aws](#requirement\_aws) | >= 4.59 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27 | +| [aws](#provider\_aws) | >= 4.59 | ## Modules diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md index ce6b772..bd3241e 100644 --- a/examples/complete-alb/README.md +++ b/examples/complete-alb/README.md 
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.27 | +| [aws](#requirement\_aws) | >= 4.59 | | [null](#requirement\_null) | >= 2.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27 | +| [aws](#provider\_aws) | >= 4.59 | | [null](#provider\_null) | >= 2.0 | ## Modules diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf index f95cfb6..7ac5476 100644 --- a/examples/complete-alb/main.tf +++ b/examples/complete-alb/main.tf @@ -358,11 +358,12 @@ module "alb" { target_groups = [ { - name_prefix = "h1" - backend_protocol = "HTTP" - backend_port = 80 - target_type = "instance" - deregistration_delay = 10 + name_prefix = "h1" + backend_protocol = "HTTP" + backend_port = 80 + target_type = "instance" + deregistration_delay = 10 + load_balancing_cross_zone_enabled = false health_check = { enabled = true interval = 30 diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf index 81088aa..d12294a 100644 --- a/examples/complete-alb/versions.tf +++ b/examples/complete-alb/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27" + version = ">= 4.59" } null = { source = "hashicorp/null" diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md index 72ccad0..ce75f9a 100644 --- a/examples/complete-nlb/README.md +++ b/examples/complete-nlb/README.md @@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.0 | -| [aws](#requirement\_aws) | >= 4.27 | +| [aws](#requirement\_aws) | >= 4.59 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | >= 4.27 | +| [aws](#provider\_aws) | >= 4.59 | ## Modules 
diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf index f59f81e..33eb30c 100644 --- a/examples/complete-nlb/versions.tf +++ b/examples/complete-nlb/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27" + version = ">= 4.59" } } } diff --git a/main.tf b/main.tf index 43b87f5..4a67a4b 100644 --- a/main.tf +++ b/main.tf @@ -79,6 +79,7 @@ resource "aws_lb_target_group" "main" { load_balancing_algorithm_type = try(var.target_groups[count.index].load_balancing_algorithm_type, null) preserve_client_ip = try(var.target_groups[count.index].preserve_client_ip, null) ip_address_type = try(var.target_groups[count.index].ip_address_type, null) + load_balancing_cross_zone_enabled = try(var.target_groups[count.index].load_balancing_cross_zone_enabled, null) dynamic "health_check" { for_each = try([var.target_groups[count.index].health_check], []) diff --git a/versions.tf b/versions.tf index f59f81e..33eb30c 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = ">= 4.27" + version = ">= 4.59" } } } From f801a2d8a0adcce5e252a28c5336e5b90effb261 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Sat, 18 Mar 2023 22:06:26 +0000 Subject: [PATCH 38/41] chore(release): version 8.5.0 [skip ci] ## [8.5.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.4.0...v8.5.0) (2023-03-18) ### Features * Add `load_balancing_cross_zone_enabled` option to `aws_lb_target_group` ([#282](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/282)) ([0178d70](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/0178d70cd3a4e80b15e5f4bdd3f476057c4d1db1)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index f75446b..d8047bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
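Review bot: `load_balancing_cross_zone_enabled` is wired through `aws_lb_target_group.main` in main.tf, but the README.md hunks only bump the provider version, so the `target_groups` input description still does not list the new key. Add it, and note that the provider takes this attribute as a string with three accepted values (`"true"`, `"false"`, `"use_load_balancer_configuration"`), so the bare `false` in examples/complete-alb/main.tf only works because Terraform converts the bool to a string. Raising every versions.tf to `>= 4.59` is also a hard requirement bump shipped as a minor feature; mention it in the release notes so users pinned below 4.59 know why the upgrade is needed.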
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.5.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.4.0...v8.5.0) (2023-03-18) + + +### Features + +* Add `load_balancing_cross_zone_enabled` option to `aws_lb_target_group` ([#282](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/282)) ([0178d70](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/0178d70cd3a4e80b15e5f4bdd3f476057c4d1db1)) + ## [8.4.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.3.1...v8.4.0) (2023-03-03) From 2d7fcb92ffd86ec03d1b38e32e18edde314d7834 Mon Sep 17 00:00:00 2001 From: Michael Strache Date: Fri, 24 Mar 2023 12:16:07 +0100 Subject: [PATCH 39/41] feat: Add support for XFF/TLS headers (#284) --- README.md | 3 ++ main.tf | 21 +++++++----- variables.tf | 18 ++++++++++ wrappers/main.tf | 89 +++++++++++++++++++++++++----------------------- 4 files changed, 79 insertions(+), 52 deletions(-) diff --git a/README.md b/README.md index 6198792..b45e968 100644 --- a/README.md +++ b/README.md 
@@ -335,7 +335,9 @@ No modules. | [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Indicates whether cross zone load balancing should be enabled in application load balancers. | `bool` | `false` | no | | [enable\_deletion\_protection](#input\_enable\_deletion\_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | `bool` | `false` | no | | [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. | `bool` | `true` | no | +| [enable\_tls\_version\_and\_cipher\_suite\_headers](#input\_enable\_tls\_version\_and\_cipher\_suite\_headers) | Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. | `bool` | `false` | no | | [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to route requests to targets if lb fails to forward the request to AWS WAF | `bool` | `false` | no | +| [enable\_xff\_client\_port](#input\_enable\_xff\_client\_port) | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in application load balancers. | `bool` | `true` | no | | [extra\_ssl\_certs](#input\_extra\_ssl\_certs) | A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate\_arn, https\_listener\_index (the index of the listener within https\_listeners which the cert applies toward). | `list(map(string))` | `[]` | no | | [http\_tcp\_listener\_rules](#input\_http\_tcp\_listener\_rules) | A list of maps describing the Listener Rules for this ALB. Required key/values: actions, conditions. 
Optional key/values: priority, http\_tcp\_listener\_index (default to http\_tcp\_listeners[count.index]) | `any` | `[]` | no | | [http\_tcp\_listener\_rules\_tags](#input\_http\_tcp\_listener\_rules\_tags) | A map of tags to add to all http listener rules | `map(string)` | `{}` | no | @@ -370,6 +372,7 @@ No modules. | [target\_group\_tags](#input\_target\_group\_tags) | A map of tags to add to all target groups | `map(string)` | `{}` | no | | [target\_groups](#input\_target\_groups) | A list of maps containing key/value pairs that define the target groups to be created. Order of these maps is important and the index of these are to be referenced in listener definitions. Required key/values: name, backend\_protocol, backend\_port | `any` | `[]` | no | | [vpc\_id](#input\_vpc\_id) | VPC id where the load balancer and other resources will be deployed. | `string` | `null` | no | +| [xff\_header\_processing\_mode](#input\_xff\_header\_processing\_mode) | Determines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target. | `string` | `"append"` | no | ## Outputs diff --git a/main.tf b/main.tf index 4a67a4b..4748a6a 100644 --- a/main.tf +++ b/main.tf 
@@ -13,15 +13,18 @@ resource "aws_lb" "this" { security_groups = var.create_security_group && var.load_balancer_type == "application" ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups subnets = var.subnets - idle_timeout = var.idle_timeout - enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing - enable_deletion_protection = var.enable_deletion_protection - enable_http2 = var.enable_http2 - ip_address_type = var.ip_address_type - drop_invalid_header_fields = var.drop_invalid_header_fields - preserve_host_header = var.preserve_host_header - enable_waf_fail_open = var.enable_waf_fail_open - desync_mitigation_mode = var.desync_mitigation_mode + idle_timeout = var.idle_timeout + enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing + enable_deletion_protection = var.enable_deletion_protection + enable_http2 = var.enable_http2 + enable_tls_version_and_cipher_suite_headers = var.enable_tls_version_and_cipher_suite_headers + enable_xff_client_port = var.enable_xff_client_port + ip_address_type = var.ip_address_type + drop_invalid_header_fields = var.drop_invalid_header_fields + preserve_host_header = var.preserve_host_header + enable_waf_fail_open = var.enable_waf_fail_open + desync_mitigation_mode = var.desync_mitigation_mode + xff_header_processing_mode = var.xff_header_processing_mode dynamic "access_logs" { for_each = length(var.access_logs) > 0 ? [var.access_logs] : [] diff --git a/variables.tf b/variables.tf index cf10f06..66021ea 100644 --- a/variables.tf +++ b/variables.tf 
@@ -34,6 +34,18 @@ variable "enable_cross_zone_load_balancing" { default = false } +variable "enable_tls_version_and_cipher_suite_headers" { + description = "Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target." + type = bool + default = false +} + +variable "enable_xff_client_port" { + description = "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in application load balancers." + type = bool + default = true +} + variable "extra_ssl_certs" { description = "A list of maps describing any extra SSL certificates to apply to the HTTPS listeners. Required key/values: certificate_arn, https_listener_index (the index of the listener within https_listeners which the cert applies toward)." type = list(map(string)) @@ -214,6 +226,12 @@ variable "desync_mitigation_mode" { default = "defensive" } +variable "xff_header_processing_mode" { + description = "Determines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target." + type = string + default = "append" +} + variable "putin_khuylo" { description = "Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!" type = bool diff --git a/wrappers/main.tf b/wrappers/main.tf index 44f2337..7496b64 100644 --- a/wrappers/main.tf +++ b/wrappers/main.tf 
@@ -3,47 +3,50 @@ module "wrapper" { for_each = var.items - create_lb = try(each.value.create_lb, var.defaults.create_lb, true) - drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, false) - preserve_host_header = try(each.value.preserve_host_header, var.defaults.preserve_host_header, false) - enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, false) - enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, true) - enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, false) - extra_ssl_certs = try(each.value.extra_ssl_certs, var.defaults.extra_ssl_certs, []) - https_listeners = try(each.value.https_listeners, var.defaults.https_listeners, []) - http_tcp_listeners = try(each.value.http_tcp_listeners, var.defaults.http_tcp_listeners, []) - https_listener_rules = try(each.value.https_listener_rules, var.defaults.https_listener_rules, []) - http_tcp_listener_rules = try(each.value.http_tcp_listener_rules, var.defaults.http_tcp_listener_rules, []) - idle_timeout = try(each.value.idle_timeout, var.defaults.idle_timeout, 60) - ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, "ipv4") - listener_ssl_policy_default = try(each.value.listener_ssl_policy_default, var.defaults.listener_ssl_policy_default, "ELBSecurityPolicy-2016-08") - internal = try(each.value.internal, var.defaults.internal, false) - load_balancer_create_timeout = try(each.value.load_balancer_create_timeout, var.defaults.load_balancer_create_timeout, "10m") - load_balancer_delete_timeout = try(each.value.load_balancer_delete_timeout, var.defaults.load_balancer_delete_timeout, "10m") - name = try(each.value.name, var.defaults.name, null) - name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) - load_balancer_type = try(each.value.load_balancer_type, 
var.defaults.load_balancer_type, "application") - load_balancer_update_timeout = try(each.value.load_balancer_update_timeout, var.defaults.load_balancer_update_timeout, "10m") - access_logs = try(each.value.access_logs, var.defaults.access_logs, {}) - subnets = try(each.value.subnets, var.defaults.subnets, null) - subnet_mapping = try(each.value.subnet_mapping, var.defaults.subnet_mapping, []) - tags = try(each.value.tags, var.defaults.tags, {}) - lb_tags = try(each.value.lb_tags, var.defaults.lb_tags, {}) - target_group_tags = try(each.value.target_group_tags, var.defaults.target_group_tags, {}) - https_listener_rules_tags = try(each.value.https_listener_rules_tags, var.defaults.https_listener_rules_tags, {}) - http_tcp_listener_rules_tags = try(each.value.http_tcp_listener_rules_tags, var.defaults.http_tcp_listener_rules_tags, {}) - https_listeners_tags = try(each.value.https_listeners_tags, var.defaults.https_listeners_tags, {}) - http_tcp_listeners_tags = try(each.value.http_tcp_listeners_tags, var.defaults.http_tcp_listeners_tags, {}) - security_groups = try(each.value.security_groups, var.defaults.security_groups, []) - target_groups = try(each.value.target_groups, var.defaults.target_groups, []) - vpc_id = try(each.value.vpc_id, var.defaults.vpc_id, null) - enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, false) - desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, "defensive") - putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true) - create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true) - security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null) - security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true) - security_group_description = try(each.value.security_group_description, 
var.defaults.security_group_description, null) - security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {}) - security_group_tags = try(each.value.security_group_tags, var.defaults.security_group_tags, {}) + create_lb = try(each.value.create_lb, var.defaults.create_lb, true) + drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, false) + preserve_host_header = try(each.value.preserve_host_header, var.defaults.preserve_host_header, false) + enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, false) + enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, true) + enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, false) + enable_tls_version_and_cipher_suite_headers = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, false) + enable_xff_client_port = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, true) + extra_ssl_certs = try(each.value.extra_ssl_certs, var.defaults.extra_ssl_certs, []) + https_listeners = try(each.value.https_listeners, var.defaults.https_listeners, []) + http_tcp_listeners = try(each.value.http_tcp_listeners, var.defaults.http_tcp_listeners, []) + https_listener_rules = try(each.value.https_listener_rules, var.defaults.https_listener_rules, []) + http_tcp_listener_rules = try(each.value.http_tcp_listener_rules, var.defaults.http_tcp_listener_rules, []) + idle_timeout = try(each.value.idle_timeout, var.defaults.idle_timeout, 60) + ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, "ipv4") + listener_ssl_policy_default = try(each.value.listener_ssl_policy_default, var.defaults.listener_ssl_policy_default, "ELBSecurityPolicy-2016-08") + internal = try(each.value.internal, 
var.defaults.internal, false) + load_balancer_create_timeout = try(each.value.load_balancer_create_timeout, var.defaults.load_balancer_create_timeout, "10m") + load_balancer_delete_timeout = try(each.value.load_balancer_delete_timeout, var.defaults.load_balancer_delete_timeout, "10m") + name = try(each.value.name, var.defaults.name, null) + name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null) + load_balancer_type = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application") + load_balancer_update_timeout = try(each.value.load_balancer_update_timeout, var.defaults.load_balancer_update_timeout, "10m") + access_logs = try(each.value.access_logs, var.defaults.access_logs, {}) + subnets = try(each.value.subnets, var.defaults.subnets, null) + subnet_mapping = try(each.value.subnet_mapping, var.defaults.subnet_mapping, []) + tags = try(each.value.tags, var.defaults.tags, {}) + lb_tags = try(each.value.lb_tags, var.defaults.lb_tags, {}) + target_group_tags = try(each.value.target_group_tags, var.defaults.target_group_tags, {}) + https_listener_rules_tags = try(each.value.https_listener_rules_tags, var.defaults.https_listener_rules_tags, {}) + http_tcp_listener_rules_tags = try(each.value.http_tcp_listener_rules_tags, var.defaults.http_tcp_listener_rules_tags, {}) + https_listeners_tags = try(each.value.https_listeners_tags, var.defaults.https_listeners_tags, {}) + http_tcp_listeners_tags = try(each.value.http_tcp_listeners_tags, var.defaults.http_tcp_listeners_tags, {}) + security_groups = try(each.value.security_groups, var.defaults.security_groups, []) + target_groups = try(each.value.target_groups, var.defaults.target_groups, []) + vpc_id = try(each.value.vpc_id, var.defaults.vpc_id, null) + enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, false) + desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, "defensive") + 
xff_header_processing_mode = try(each.value.xff_header_processing_mode, var.defaults.xff_header_processing_mode, "append") + putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true) + create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true) + security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null) + security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true) + security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null) + security_group_rules = try(each.value.security_group_rules, var.defaults.security_group_rules, {}) + security_group_tags = try(each.value.security_group_tags, var.defaults.security_group_tags, {}) } From b8b73ccbb55ed696d2cf7efa89606cbdbca218c7 Mon Sep 17 00:00:00 2001 From: semantic-release-bot Date: Fri, 24 Mar 2023 11:16:35 +0000 Subject: [PATCH 40/41] chore(release): version 8.6.0 [skip ci] ## [8.6.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.5.0...v8.6.0) (2023-03-24) ### Features * Add support for XFF/TLS headers ([#284](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/284)) ([2d7fcb9](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/2d7fcb92ffd86ec03d1b38e32e18edde314d7834)) --- CHANGELOG.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d8047bd..061c35b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
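Review bot: In the variables.tf hunk, `variable "enable_xff_client_port"` defaults to `true`, but the underlying ALB attribute `routing.http.xff_client_port.enabled` defaults to false, so every caller who upgrades picks up a plan diff and their targets start receiving `X-Forwarded-For: <ip>:<port>` instead of a bare address; backends that parse that header for allowlists, rate limiting or audit logs can start rejecting or mis-attributing requests. Default it to `false` to match AWS (as `enable_tls_version_and_cipher_suite_headers = false` already does) or call the behaviour change out in the release notes. `variable "xff_header_processing_mode"` should also list its accepted values and reject anything else, e.g. `validation { condition = contains(["append", "preserve", "remove"], var.xff_header_processing_mode) }`, and its description should say that `preserve` passes the client-supplied header through untouched, so targets must not treat it as trusted.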
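Review bot: The wrappers/main.tf hunk re-aligns the whole argument block to fit the long `enable_tls_version_and_cipher_suite_headers` name, turning a three-argument addition into a rewrite of every line; that is what `terraform fmt` produces, so it is acceptable, but reviewers should read it with whitespace ignored. The wrapper's `enable_xff_client_port = try(..., true)` fallback must track whatever default the root variable settles on, so change both together.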
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. +## [8.6.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.5.0...v8.6.0) (2023-03-24) + + +### Features + +* Add support for XFF/TLS headers ([#284](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/284)) ([2d7fcb9](https://github.com/terraform-aws-modules/terraform-aws-alb/commit/2d7fcb92ffd86ec03d1b38e32e18edde314d7834)) + ## [8.5.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v8.4.0...v8.5.0) (2023-03-18) From 72e0ce42118ddf61dd71f8ae0ea8e68f80b7b3f3 Mon Sep 17 00:00:00 2001 From: Nylre Jel <77520606+nylrejco@users.noreply.github.com> Date: Mon, 10 Apr 2023 15:07:26 +0800 Subject: [PATCH 41/41] docs: Add lambda_function_arn format for lambda_function_name (#288) --- main.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4748a6a..64de078 100644 --- a/main.tf +++ b/main.tf @@ -142,7 +142,9 @@ locals { ])...) # Filter out the attachments for lambda functions. The ALB target group needs permission to forward a request on to - # the specified lambda function. This filtered list is used to create those permission resources + # the specified lambda function. This filtered list is used to create those permission resources. + # To get the lambda_function_name, the 6th index is taken from the lambda_function_arn format below + # arn:aws:lambda:::function:my-function-name: target_group_attachments_lambda = { for k, v in local.target_group_attachments : (k) => merge(v, { lambda_function_name = split(":", v.target_id)[6] })
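Review bot: The new comment in `locals` in main.tf shows the ARN as `arn:aws:lambda:::function:my-function-name:`, with the region and account fields empty (angle-bracket placeholders were most likely stripped as HTML), which makes the "6th index" remark hard to verify. Spell it out as `arn:aws:lambda:REGION:ACCOUNT_ID:function:my-function-name:VERSION` and say that `split(":", ...)` yields `arn`, `aws`, `lambda`, region, account, `function`, name, so index 6 (the seventh field) is the function name regardless of whether a version or alias suffix follows, which is exactly what the permission resource needs.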