Elastic Load Balancer (ELB)

Deploy the Application Load Balancer (ALB) for load balancing HTTP and HTTPS, with support for routing rules and WebSockets.

View on GitHub

Reference

Inputs

• access_logs_s3_bucket_name — The name to use for the S3 bucket where the ALB access logs will be stored. If you set this to null, a name will be generated automatically based on alb_name.

• acm_cert_statuses — When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs with the given statuses. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED.

• acm_cert_types — When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs of the given types. Valid values are AMAZON_ISSUED and IMPORTED.

• alb_name — The name of the ALB.

• allow_all_outbound — Set to true to enable all outbound traffic on this ALB. If set to false, the ALB will allow no outbound traffic by default. This will make the ALB unusuable, so some other code must then update the ALB Security Group to enable outbound access!

• allow_inbound_from_cidr_blocks — The CIDR-formatted IP Address range from which this ALB will allow incoming requests. If is_internal_alb is false, use the default value. If is_internal_alb is true, consider setting this to the VPC's CIDR Block, or something even more restrictive.

• allow_inbound_from_security_group_ids — The list of IDs of security groups that should have access to the ALB

• create_route53_entry — Set to true to create a Route 53 DNS A record for this ALB?

• custom_tags — A map of custom tags to apply to the ALB and its Security Group. The key is the tag name and the value is the tag value.

• default_action_body — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this body.

• default_action_content_type — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this content type.

• default_action_status_code — If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this status code.

• domain_names — The list of domain names for the DNS A record to add for the ALB (e.g. alb.foo.com). Only used if create_route53_entry is true.

• drop_invalid_header_fields — If true, the ALB will drop invalid headers. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.

• enable_deletion_protection — Enable deletion protection on the ALB instance. If this is enabled, the load balancer cannot be deleted prior to disabling

• force_destroy — A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false.

• hosted_zone_id — The ID of the hosted zone for the DNS A record to add for the ALB. Only used if create_route53_entry is true.

• http_listener_ports — A list of ports for which an HTTP Listener should be created on the ALB. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.

• https_listener_ports_and_acm_ssl_certs — A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_domain_name', the domain name of an SSL/TLS certificate issued by the Amazon Certificate Manager (ACM) to associate with the Listener to be created. If your certificate isn't issued by ACM, specify https_listener_ports_and_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.

• https_listener_ports_and_ssl_certs — A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_arn', the Amazon Resource Name (ARN) of the SSL/TLS certificate to associate with the Listener to be created. If your certificate is issued by the Amazon Certificate Manager (ACM), specify https_listener_ports_and_acm_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.

• idle_timeout — The time in seconds that the client TCP connection to the ALB is allowed to be idle before the ALB closes the TCP connection.

• is_internal_alb — If the ALB should only accept traffic from within the VPC, set this to true. If it should accept traffic from the public Internet, set it to false.

• num_days_after_which_archive_log_data — After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data.

• num_days_after_which_delete_log_data — After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.

• should_create_access_logs_bucket — If true, create a new S3 bucket for access logs with the name in access_logs_s3_bucket_name. If false, assume the S3 bucket for access logs with the name in access_logs_s3_bucket_name already exists, and don't create a new one. Note that if you set this to false, it's up to you to ensure that the S3 bucket has a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket.

• ssl_policy — The AWS predefined TLS/SSL policy for the ALB. A List of policies can be found here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies. AWS recommends ELBSecurityPolicy-2016-08 policy for general use but this policy includes TLSv1.0 which is rapidly being phased out. ELBSecurityPolicy-TLS-1-1-2017-01 is the next policy up that doesn't include TLSv1.0.

• vpc_id — ID of the VPC where the ALB will be deployed

• vpc_subnet_ids — The ids of the subnets that the ALB can use to source its IP

Outputs

• alb_access_logs_bucket — The name of the S3 bucket containing the ALB access logs

• alb_arn — The ARN of the ALB resource.

• alb_dns_names — The list of DNS records for the ALB as specified in the input.

• alb_hosted_zone_id — The AWS-managed zone ID for the ALB's DNS record.

• alb_name — A human friendly name for the ALB.

• alb_security_group_id — The ID of the security group associated with the ALB.

• http_listener_arns — The map of HTTP listener ports to ARNs. There will be one listener per entry in http_listener_ports.

• https_listener_acm_cert_arns — The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_acm_ssl_certs.

• https_listener_non_acm_cert_arns — The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_ssl_certs.

• listener_arns — The map of listener ports to ARNs. This will include all listeners both HTTP and HTTPS.

• original_alb_dns_name — The AWS-managed DNS name assigned to the ALB.