disabled logging now possible

.pre-commit-config.yaml

@@ -2,12 +2,14 @@
 # See http://pre-commit.com/hooks.html for more hooks
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.7.0
+  rev: v1.7.1
+  sha: 091f8b15d7b458e5a0aca642483deb2205e7db02
   hooks:
     - id: terraform_fmt
-    - id: terraform_docs
+    # - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
   rev: v1.2.3
+  sha: 92e1570c282e3c69a1f8b5b8dd8d286fe27cfaa7
   hooks:
     - id: check-merge-conflict
     -   id: trailing-whitespace

CHANGELOG.md

@@ -5,6 +5,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/) and this
 project adheres to [Semantic Versioning](http://semver.org/).
 
+## [[v3.4.0](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v3.3.1...v3.4.0)] - 2018-05-17]
+
+### Changed
+
+* resources supporting the not logging scenario added. Outputs now accommodate.
+* reorganized the resource explosion to separate files.
+* tests reorganized to confine cruft.
+* `terraform-docs` now supported and generating documentation. (Kiitos, @antonbabenko 🍒)
+
 ## [[v3.3.1](https://github.com/terraform-aws-modules/terraform-aws-alb/compare/v3.3.0...v3.3.1)] - 2018-05-06]
 
 ### Changed

README.md

@@ -1,7 +1,7 @@
 # terraform-aws-alb
 
 A Terraform module containing common configurations for an AWS Application Load
-Balancer (ALB) running over HTTP/HTTPS. Available through the [terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/alb/aws).
+Balancer (ALB) running over HTTP/HTTPS. Available through the [Terraform registry](https://registry.terraform.io/modules/terraform-aws-modules/alb/aws).
 
 | Branch | Build status                                                                                                                                                      |
 | ------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -31,11 +31,11 @@ to the ASG immediately or will result in failure. The value of `target_group[n][
 
 ## Why ALB instead of ELB
 
-The use-case presented here appears almost identical to how one would use an ELB
-but we inherit a few bonuses by moving to ALB like the ability to leverage WAF.
+ALB has the ability to replace what several ELBs can do by routing based on URI matchers.
+Additionally, operating at layer 7 opens the ability to shape traffic using WAF.
 [AWS's documentation](https://aws.amazon.com/elasticloadbalancing/applicationloadbalancer/) has a more
 exhaustive set of reasons. Alternatively, if using ALB with ECS look no further than
-the [Hashicorp example](https://github.com/terraform-providers/terraform-provider-aws/blob/master/examples/ecs-alb).
+the [HashiCorp example](https://github.com/terraform-providers/terraform-provider-aws/blob/master/examples/ecs-alb).
 
 ## Usage example
 
@@ -60,7 +60,52 @@ module "alb" {
 }
 ```
 
-<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Testing
+
+This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them:
+
+1. Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/Gemfile).
+2. Install bundler and the gems from our Gemfile:
+
+    ```bash
+    gem install bundler && bundle install
+    ```
+
+3. Ensure your AWS environment is configured (i.e. credentials and region) for test and set TF_VAR_region to a valid AWS region (e.g. `export TF_VAR_region=${AWS_REGION}`).
+4. Test using `bundle exec kitchen test` from the root of the repo.
+
+## Doc generation
+
+Documentation should be modified within `main.tf` and generated using [terraform-docs](https://github.com/segmentio/terraform-docs).
+Generate them like so:
+
+```bash
+terraform-docs md ./ | cat -s | ghead -n -1 > README.md
+```
+
+## Contributing
+
+Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/new) section.
+
+Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/CONTRIBUTING.md).
+
+## IAM Permissions
+
+Testing and using this repo requires a minimum set of IAM permissions. Test permissions
+are listed in the [alb_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/examples/alb_test_fixture/README.md).
+
+## Change log
+
+The [changelog](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/CHANGELOG.md) captures all important release notes.
+
+## Authors
+
+Created and maintained by [Brandon O'Connor](https://github.com/brandoconnor) - brandon@atscale.run.
+Many thanks to [the contributors listed here](https://github.com/terraform-aws-modules/terraform-aws-alb/graphs/contributors)!
+
+## License
+
+MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/LICENSE) for full details.
 
 ## Inputs
 
@@ -76,14 +121,15 @@ module "alb" {
 | https_listeners_count | A manually provided count/length of the https_listeners list of maps since the list cannot be computed. | string | `0` | no |
 | idle_timeout | The time in seconds that the connection is allowed to be idle. | string | `60` | no |
 | ip_address_type | The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. | string | `ipv4` | no |
-| listener_ssl_policy_default | The security policy if using HTTPS externally on the load balancer. See: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html | string | `ELBSecurityPolicy-2016-08` | no |
+| listener_ssl_policy_default | The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html). | string | `ELBSecurityPolicy-2016-08` | no |
 | load_balancer_create_timeout | Timeout value when creating the ALB. | string | `10m` | no |
 | load_balancer_delete_timeout | Timeout value when deleting the ALB. | string | `10m` | no |
 | load_balancer_is_internal | Boolean determining if the load balancer is internal or externally facing. | string | `false` | no |
 | load_balancer_name | The resource name and Name tag of the load balancer. | string | - | yes |
 | load_balancer_update_timeout | Timeout value when updating the ALB. | string | `10m` | no |
-| log_bucket_name | S3 bucket (externally created) for storing load balancer access logs. | string | - | yes |
+| log_bucket_name | S3 bucket (externally created) for storing load balancer access logs. Required if logging_enabled is true. | string | `` | no |
 | log_location_prefix | S3 prefix within the log_bucket_name under which logs are stored. | string | `` | no |
+| logging_enabled | Controls if the ALB will log requests to S3. | string | `true` | no |
 | security_groups | The security groups to attach to the load balancer. e.g. ["sg-edcd9784","sg-edcd9785"] | list | - | yes |
 | subnets | A list of subnets to associate with the load balancer. e.g. ['subnet-1a2b3c4d','subnet-1a2b3c4e','subnet-1a2b3c4f'] | list | - | yes |
 | tags | A map of tags to add to all resources | string | `<map>` | no |
@@ -107,43 +153,3 @@ module "alb" {
 | target_group_arn_suffixes | ARN suffixes of our target groups - can be used with CloudWatch. |
 | target_group_arns | ARNs of the target groups. Useful for passing to your Auto Scaling group. |
 | target_group_names | Name of the target group. Useful for passing to your CodeDeploy Deployment Group. |
-
-<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
-
-## Testing
-
-This module has been packaged with [awspec](https://github.com/k1LoW/awspec) tests through [kitchen](https://kitchen.ci/) and [kitchen-terraform](https://newcontext-oss.github.io/kitchen-terraform/). To run them:
-
-1.  Install [rvm](https://rvm.io/rvm/install) and the ruby version specified in the [Gemfile](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/Gemfile).
-2.  Install bundler and the gems from our Gemfile:
-
-    ```bash
-    gem install bundler && bundle install
-    ```
-
-3.  Ensure your AWS environment is configured (i.e. credentials and region) for test and set TF_VAR_region to a valid AWS region (e.g. `export TF_VAR_region=${AWS_REGION}`).
-4.  Test using `bundle exec kitchen test` from the root of the repo.
-
-## Contributing
-
-Report issues/questions/feature requests on in the [issues](https://github.com/terraform-aws-modules/terraform-aws-alb/issues/new) section.
-
-Full contributing [guidelines are covered here](https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/CONTRIBUTING.md).
-
-## IAM Permissions
-
-Testing and using this repo requires a minimum set of IAM permissions. Test permissions
-are listed in the [alb_test_fixture README](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/examples/alb_test_fixture/README.md).
-
-## Change log
-
-The [changelog](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/CHANGELOG.md) captures all important release notes.
-
-## Authors
-
-Created and maintained by [Brandon O'Connor](https://github.com/brandoconnor) - brandon@atscale.run.
-Many thanks to [the contributors listed here](https://github.com/terraform-aws-modules/terraform-aws-alb/graphs/contributors)!
-
-## License
-
-MIT Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-alb/tree/master/LICENSE) for full details.

alb_no_logs.tf

@@ -0,0 +1,86 @@
+resource "aws_lb" "application_no_logs" {
+  load_balancer_type         = "application"
+  name                       = "${var.load_balancer_name}"
+  internal                   = "${var.load_balancer_is_internal}"
+  security_groups            = ["${var.security_groups}"]
+  subnets                    = ["${var.subnets}"]
+  idle_timeout               = "${var.idle_timeout}"
+  enable_deletion_protection = "${var.enable_deletion_protection}"
+  enable_http2               = "${var.enable_http2}"
+  ip_address_type            = "${var.ip_address_type}"
+  tags                       = "${merge(var.tags, map("Name", var.load_balancer_name))}"
+
+  timeouts {
+    create = "${var.load_balancer_create_timeout}"
+    delete = "${var.load_balancer_delete_timeout}"
+    update = "${var.load_balancer_update_timeout}"
+  }
+
+  count = "${var.logging_enabled ? 0 : 1}"
+}
+
+resource "aws_lb_target_group" "main_no_logs" {
+  name                 = "${lookup(var.target_groups[count.index], "name")}"
+  vpc_id               = "${var.vpc_id}"
+  port                 = "${lookup(var.target_groups[count.index], "backend_port")}"
+  protocol             = "${upper(lookup(var.target_groups[count.index], "backend_protocol"))}"
+  deregistration_delay = "${lookup(var.target_groups[count.index], "deregistration_delay", lookup(var.target_groups_defaults, "deregistration_delay"))}"
+  target_type          = "${lookup(var.target_groups[count.index], "target_type", lookup(var.target_groups_defaults, "target_type"))}"
+
+  health_check {
+    interval            = "${lookup(var.target_groups[count.index], "health_check_interval", lookup(var.target_groups_defaults, "health_check_interval"))}"
+    path                = "${lookup(var.target_groups[count.index], "health_check_path", lookup(var.target_groups_defaults, "health_check_path"))}"
+    port                = "${lookup(var.target_groups[count.index], "health_check_port", lookup(var.target_groups_defaults, "health_check_port"))}"
+    healthy_threshold   = "${lookup(var.target_groups[count.index], "health_check_healthy_threshold", lookup(var.target_groups_defaults, "health_check_healthy_threshold"))}"
+    unhealthy_threshold = "${lookup(var.target_groups[count.index], "health_check_unhealthy_threshold", lookup(var.target_groups_defaults, "health_check_unhealthy_threshold"))}"
+    timeout             = "${lookup(var.target_groups[count.index], "health_check_timeout", lookup(var.target_groups_defaults, "health_check_timeout"))}"
+    protocol            = "${upper(lookup(var.target_groups[count.index], "healthcheck_protocol", lookup(var.target_groups[count.index], "backend_protocol")))}"
+    matcher             = "${lookup(var.target_groups[count.index], "health_check_matcher", lookup(var.target_groups_defaults, "health_check_matcher"))}"
+  }
+
+  stickiness {
+    type            = "lb_cookie"
+    cookie_duration = "${lookup(var.target_groups[count.index], "cookie_duration", lookup(var.target_groups_defaults, "cookie_duration"))}"
+    enabled         = "${lookup(var.target_groups[count.index], "stickiness_enabled", lookup(var.target_groups_defaults, "stickiness_enabled"))}"
+  }
+
+  tags       = "${merge(var.tags, map("Name", lookup(var.target_groups[count.index], "name")))}"
+  count      = "${var.logging_enabled ? 0 : var.target_groups_count}"
+  depends_on = ["aws_lb.application_no_logs"]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_listener" "frontend_http_tcp_no_logs" {
+  load_balancer_arn = "${element(concat(aws_lb.application_no_logs.*.arn, list("")), 0)}"
+  port              = "${lookup(var.http_tcp_listeners[count.index], "port")}"
+  protocol          = "${lookup(var.http_tcp_listeners[count.index], "protocol")}"
+  count             = "${var.logging_enabled ? 0 : var.http_tcp_listeners_count}"
+
+  default_action {
+    target_group_arn = "${aws_lb_target_group.main_no_logs.*.id[lookup(var.http_tcp_listeners[count.index], "target_group_index", 0)]}"
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "frontend_https_no_logs" {
+  load_balancer_arn = "${element(concat(aws_lb.application_no_logs.*.arn, list("")), 0)}"
+  port              = "${lookup(var.https_listeners[count.index], "port")}"
+  protocol          = "HTTPS"
+  certificate_arn   = "${lookup(var.https_listeners[count.index], "certificate_arn")}"
+  ssl_policy        = "${lookup(var.https_listeners[count.index], "ssl_policy", var.listener_ssl_policy_default)}"
+  count             = "${var.logging_enabled ? 0 : var.https_listeners_count}"
+
+  default_action {
+    target_group_arn = "${aws_lb_target_group.main_no_logs.*.id[lookup(var.https_listeners[count.index], "target_group_index", 0)]}"
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener_certificate" "https_listener_no_logs" {
+  listener_arn    = "${aws_lb_listener.frontend_https_no_logs.*.arn[lookup(var.extra_ssl_certs[count.index], "https_listener_index")]}"
+  certificate_arn = "${lookup(var.extra_ssl_certs[count.index], "certificate_arn")}"
+  count           = "${var.logging_enabled ? 0 : var.extra_ssl_certs_count}"
+}

alb_w_logs.tf

@@ -0,0 +1,92 @@
+resource "aws_lb" "application" {
+  load_balancer_type         = "application"
+  name                       = "${var.load_balancer_name}"
+  internal                   = "${var.load_balancer_is_internal}"
+  security_groups            = ["${var.security_groups}"]
+  subnets                    = ["${var.subnets}"]
+  idle_timeout               = "${var.idle_timeout}"
+  enable_deletion_protection = "${var.enable_deletion_protection}"
+  enable_http2               = "${var.enable_http2}"
+  ip_address_type            = "${var.ip_address_type}"
+  tags                       = "${merge(var.tags, map("Name", var.load_balancer_name))}"
+
+  access_logs {
+    enabled = true
+    bucket  = "${var.log_bucket_name}"
+    prefix  = "${var.log_location_prefix}"
+  }
+
+  timeouts {
+    create = "${var.load_balancer_create_timeout}"
+    delete = "${var.load_balancer_delete_timeout}"
+    update = "${var.load_balancer_update_timeout}"
+  }
+
+  count = "${var.logging_enabled ? 1 : 0}"
+}
+
+resource "aws_lb_target_group" "main" {
+  name                 = "${lookup(var.target_groups[count.index], "name")}"
+  vpc_id               = "${var.vpc_id}"
+  port                 = "${lookup(var.target_groups[count.index], "backend_port")}"
+  protocol             = "${upper(lookup(var.target_groups[count.index], "backend_protocol"))}"
+  deregistration_delay = "${lookup(var.target_groups[count.index], "deregistration_delay", lookup(var.target_groups_defaults, "deregistration_delay"))}"
+  target_type          = "${lookup(var.target_groups[count.index], "target_type", lookup(var.target_groups_defaults, "target_type"))}"
+
+  health_check {
+    interval            = "${lookup(var.target_groups[count.index], "health_check_interval", lookup(var.target_groups_defaults, "health_check_interval"))}"
+    path                = "${lookup(var.target_groups[count.index], "health_check_path", lookup(var.target_groups_defaults, "health_check_path"))}"
+    port                = "${lookup(var.target_groups[count.index], "health_check_port", lookup(var.target_groups_defaults, "health_check_port"))}"
+    healthy_threshold   = "${lookup(var.target_groups[count.index], "health_check_healthy_threshold", lookup(var.target_groups_defaults, "health_check_healthy_threshold"))}"
+    unhealthy_threshold = "${lookup(var.target_groups[count.index], "health_check_unhealthy_threshold", lookup(var.target_groups_defaults, "health_check_unhealthy_threshold"))}"
+    timeout             = "${lookup(var.target_groups[count.index], "health_check_timeout", lookup(var.target_groups_defaults, "health_check_timeout"))}"
+    protocol            = "${upper(lookup(var.target_groups[count.index], "healthcheck_protocol", lookup(var.target_groups[count.index], "backend_protocol")))}"
+    matcher             = "${lookup(var.target_groups[count.index], "health_check_matcher", lookup(var.target_groups_defaults, "health_check_matcher"))}"
+  }
+
+  stickiness {
+    type            = "lb_cookie"
+    cookie_duration = "${lookup(var.target_groups[count.index], "cookie_duration", lookup(var.target_groups_defaults, "cookie_duration"))}"
+    enabled         = "${lookup(var.target_groups[count.index], "stickiness_enabled", lookup(var.target_groups_defaults, "stickiness_enabled"))}"
+  }
+
+  tags       = "${merge(var.tags, map("Name", lookup(var.target_groups[count.index], "name")))}"
+  count      = "${var.logging_enabled ? var.target_groups_count : 0}"
+  depends_on = ["aws_lb.application"]
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_lb_listener" "frontend_http_tcp" {
+  load_balancer_arn = "${element(concat(aws_lb.application.*.arn, aws_lb.application_no_logs.*.arn), 0)}"
+  port              = "${lookup(var.http_tcp_listeners[count.index], "port")}"
+  protocol          = "${lookup(var.http_tcp_listeners[count.index], "protocol")}"
+  count             = "${var.logging_enabled ? var.http_tcp_listeners_count : 0}"
+
+  default_action {
+    target_group_arn = "${aws_lb_target_group.main.*.id[lookup(var.http_tcp_listeners[count.index], "target_group_index", 0)]}"
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener" "frontend_https" {
+  load_balancer_arn = "${element(concat(aws_lb.application.*.arn, aws_lb.application_no_logs.*.arn), 0)}"
+  port              = "${lookup(var.https_listeners[count.index], "port")}"
+  protocol          = "HTTPS"
+  certificate_arn   = "${lookup(var.https_listeners[count.index], "certificate_arn")}"
+  ssl_policy        = "${lookup(var.https_listeners[count.index], "ssl_policy", var.listener_ssl_policy_default)}"
+  count             = "${var.logging_enabled ? var.https_listeners_count : 0}"
+
+  default_action {
+    target_group_arn = "${aws_lb_target_group.main.*.id[lookup(var.https_listeners[count.index], "target_group_index", 0)]}"
+    type             = "forward"
+  }
+}
+
+resource "aws_lb_listener_certificate" "https_listener" {
+  listener_arn    = "${aws_lb_listener.frontend_https.*.arn[lookup(var.extra_ssl_certs[count.index], "https_listener_index")]}"
+  certificate_arn = "${lookup(var.extra_ssl_certs[count.index], "certificate_arn")}"
+  count           = "${var.logging_enabled ? var.extra_ssl_certs_count : 0}"
+}