This Terraform module is designed to facilitate the provisioning and configuration of Application, Network, and Gateway Load Balancers, Target Groups, and Load Balancer Listeners. It simplifies the process of creating and managing these resources, enabling efficient deployment and scaling.
- Integrates checkov policy scanning so that configurations deviating from AWS security best practices are flagged before they are applied.
- Offers advanced functionality including:
  - Creation of single or multiple target groups for the load balancer
  - Creation of listeners with advanced features
  - Built-in security group with dynamic rule configuration capabilities
  - Built-in self-signed certificate support (suitable for testing only, since clients will not trust the certificate) and the ability to integrate external certificates
- Provides ease of setup and utilization through clear instructions and examples.
- Streamlines the process of setting up load balancers and associated resources, saving time and reducing complexity.
Example available here
NOTE: These examples use the latest version of this module
```hcl
# Look up the account's default VPC and its subnets.
data "aws_vpc" "default" {
  default = true
}

data "aws_subnets" "default" {
  filter {
    name   = "vpc-id"
    values = [data.aws_vpc.default.id]
  }
}

# The VPC default security group. Its inbound rule only permits traffic from
# members of the same group, so this is for demonstration only; a real
# internet-facing LB needs a group that admits client traffic on its listener ports.
data "aws_security_group" "default" {
  vpc_id = data.aws_vpc.default.id
  filter {
    name   = "group-name"
    values = ["default"]
  }
}

module "minimum" {
  source = "boldlink/lb/aws"

  name            = "minimum-example-lb"
  internal        = false
  subnets         = data.aws_subnets.default.ids
  security_groups = [data.aws_security_group.default.id]
}
```
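The minimum example above accepts the VPC default security group, leaves access logging at the AWS default (off) and attaches no web ACL. The following is an added example, not part of the module's own examples, that tightens those points using only inputs documented in the Inputs table: an internet-facing ALB with a purpose-built security group, the strictest desync mitigation, invalid-header dropping, deletion protection, S3 access logs and a WAFv2 web ACL. It assumes the `data` sources from the minimum example are present, that a bucket named `example-lb-access-logs` already exists with a bucket policy allowing the regional Elastic Load Balancing account to write to it, that the keys of `access_logs` mirror the `aws_lb` `access_logs` block (`bucket`, `prefix`, `enabled`), and that targets listen on port 8080. `listeners` and `target_groups` are left at their defaults because their map schema is not documented on this page.

```hcl
# Assumed: this bucket exists and its policy lets the regional ELB account
# PutObject under the chosen prefix; the module does not create it.
data "aws_s3_bucket" "lb_logs" {
  bucket = "example-lb-access-logs"
}

# Purpose-built security group instead of the VPC default group:
# HTTPS in from anywhere, egress only to the target port inside the VPC.
resource "aws_security_group" "lb" {
  name        = "hardened-example-lb"
  description = "Public HTTPS ingress; egress limited to VPC targets"
  vpc_id      = data.aws_vpc.default.id
}

resource "aws_security_group_rule" "https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.lb.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_blocks       = ["0.0.0.0/0"]
  description       = "HTTPS from the internet"
}

resource "aws_security_group_rule" "targets_out" {
  type              = "egress"
  security_group_id = aws_security_group.lb.id
  protocol          = "tcp"
  from_port         = 8080 # assumed target port
  to_port           = 8080
  cidr_blocks       = [data.aws_vpc.default.cidr_block]
  description       = "Only to application targets inside the VPC"
}

# Regional web ACL with the AWS common rule set; the module associates it.
resource "aws_wafv2_web_acl" "lb" {
  name  = "hardened-example-lb"
  scope = "REGIONAL"
  default_action {
    allow {}
  }
  rule {
    name     = "aws-common-rules"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rules"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "hardened-example-lb"
    sampled_requests_enabled   = true
  }
}

module "hardened" {
  source = "boldlink/lb/aws"

  name               = "hardened-example-lb"
  load_balancer_type = "application"
  internal           = false
  subnets            = data.aws_subnets.default.ids # use your own public subnets in practice
  security_groups    = [aws_security_group.lb.id]

  # Drop malformed headers and reject ambiguous requests instead of
  # forwarding them to targets (HTTP desync / request smuggling).
  drop_invalid_header_fields = true
  desync_mitigation_mode     = "strictest"
  idle_timeout               = 30

  # Prevent accidental destruction through the API or Terraform.
  enable_deletion_protection = true

  # Access logs; key names are assumed to mirror the aws_lb access_logs block.
  access_logs = {
    enabled = "true"
    bucket  = data.aws_s3_bucket.lb_logs.id
    prefix  = "alb"
  }

  # Association is created by the module's aws_wafv2_web_acl_association.main.
  associate_with_waf = true
  web_acl_arn        = aws_wafv2_web_acl.lb.arn
}
```

`strictest` rejects requests that `defensive` would still forward, so it can break clients behind non-compliant proxies; the `classification` and `classification_reason` fields in the ALB access logs show which requests would be affected, and checking them while still in `defensive` mode is the usual way to decide whether the stricter setting is safe.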
AWS Application Load Balancer documentation
Terraform provider documentation
Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14.11 |
| aws | >= 4.30.0 |
| tls | >= 3.2.0 |
Providers

| Name | Version |
|---|---|
| aws | 4.63.0 |
| tls | 4.0.4 |
No modules.
Resources

| Name | Type |
|---|---|
| aws_acm_certificate.main | resource |
| aws_lb.main | resource |
| aws_lb_listener.main | resource |
| aws_lb_target_group.main | resource |
| aws_security_group.main | resource |
| aws_security_group_rule.egress | resource |
| aws_security_group_rule.ingress | resource |
| aws_wafv2_web_acl_association.main | resource |
| tls_private_key.main | resource |
| tls_self_signed_cert.main | resource |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_logs | (Optional) Define an Access Logs block | `map(string)` | `{}` | no |
| associate_with_waf | Whether to associate this load balancer with an AWS WAFv2 web ACL | `bool` | `false` | no |
| cert_common_name | Common name for the self-signed SSL certificate, e.g. "example.com" | `string` | `"boldlink.io"` | no |
| cert_organization | The organization the certificate belongs to, e.g. "Boldlink-SIG" | `string` | `"Boldlink-SIG"` | no |
| cert_validity_period_hours | The number of hours the self-signed certificate is valid | `number` | `12` | no |
| create_ssl_certificate | Whether to create a self-signed SSL certificate | `bool` | `false` | no |
| customer_owned_ipv4_pool | (Optional) The ID of the customer owned IPv4 pool to use for this load balancer. | `string` | `null` | no |
| desync_mitigation_mode | (Optional) Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest. | `string` | `"defensive"` | no |
| drop_invalid_header_fields | (Optional) Whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). The AWS default is false; this module defaults to true. | `bool` | `true` | no |
| egress_rules | (Optional) Egress rules to add to the security group | `any` | `{}` | no |
| enable_cross_zone_load_balancing | (Optional) If true, cross-zone load balancing of the load balancer will be enabled. This is a network load balancer feature. Defaults to false | `bool` | `false` | no |
| enable_deletion_protection | (Optional) If true, deletion of the load balancer is disabled via the AWS API, which also prevents Terraform from destroying it. The AWS default is false; this module defaults to true. | `bool` | `true` | no |
| enable_http2 | (Optional) Indicates whether HTTP/2 is enabled in application load balancers. Defaults to true | `bool` | `true` | no |
| idle_timeout | The time in seconds that a connection is allowed to be idle. Only valid for load balancers of type application. Default: 60 | `string` | `60` | no |
| ingress_rules | (Optional) Ingress rules to add to the security group | `any` | `{}` | no |
| internal | (Optional) If true, the LB will be internal. | `bool` | `false` | no |
| ip_address_type | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack | `string` | `null` | no |
| listeners | A list of maps describing the listeners for the LB | `any` | `[]` | no |
| load_balancer_type | The type of load balancer to create: application or network | `string` | `"application"` | no |
| name | (Optional) The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen. If not specified, Terraform will autogenerate a name beginning with tf-lb. | `string` | `null` | no |
| name_prefix | Creates a unique name beginning with the specified prefix. Conflicts with name | `string` | `null` | no |
| security_groups | (Optional) A list of security group IDs to assign to the LB. Only valid for load balancers of type application. | `list(string)` | `[]` | no |
| subnet_mapping | (Optional) Define subnet mapping block | `map(string)` | `{}` | no |
| subnets | (Optional) A list of subnet IDs to attach to the LB. Subnets cannot be updated for load balancers of type network. Changing this value for load balancers of type network will force a recreation of the resource. | `list(string)` | `[]` | no |
| tags | (Optional) A map of tags to assign to the resource. | `map(string)` | `{}` | no |
| target_groups | A list of maps describing the target groups for the LB | `any` | `[]` | no |
| timeouts | (Optional) Define maximum timeout for creating, updating, and deleting load balancer resources | `any` | `{}` | no |
| vpc_id | Identifier of the VPC in which to create the target group. Required when target_type is instance, ip or alb. Does not apply when target_type is lambda. | `string` | `null` | no |
| web_acl_arn | The ARN of the WAFv2 web ACL to associate the load balancer with | `string` | `null` | no |
Outputs

| Name | Description |
|---|---|
| arn | The Amazon Resource Name of the target group |
| arn_suffix | ARN suffix for use with CloudWatch Metrics. |
| id | ARN of the Target Group (matches arn) |
| lb_arn | The ARN of the load balancer (matches id). |
| lb_arn_suffix | The ARN suffix for use with CloudWatch Metrics. |
| lb_dns_name | The DNS name of the load balancer. |
| lb_id | The ARN of the load balancer (matches arn). |
| lb_subnet_mapping_outpost_id | ID of the Outpost containing the load balancer. |
| lb_tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| lb_zone_id | The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record). |
| listener_arn | ARN of the listener (matches id). |
| listener_id | ARN of the listener (matches arn). |
| listener_tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
| name | Name of the Target Group. |
| tags_all | A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block. |
This repository uses third party software:
- pre-commit - Used to help ensure code and documentation consistency
  - Install with `brew install pre-commit`
  - Manually use with `pre-commit run`
- terraform 0.14.11 - For backwards compatibility we test with version 0.14.11, making it the minimum version tested and known to work without issues with terraform-docs.
- terraform-docs - Used to generate the Inputs and Outputs sections
  - Install with `brew install terraform-docs`
  - Manually use via pre-commit
- tflint - Used to lint the Terraform code
  - Install with `brew install tflint`
  - Manually use via pre-commit
The example stacks are used by BOLDLink developers to validate the modules by building an actual stack on AWS.
Some of the modules have dependencies on other modules (e.g. an EC2 instance depends on the VPC module), so we create those first and use data sources in the examples to consume the supporting stacks.
Any supporting resources live in the `tests/supportingResources` folder and their lifecycle is managed by the Makefile targets.
Resources in the `tests/supportingResources` folder are not intended for demo or actual implementation purposes; they can be used for reference.
The Makefile contained in this repo is optimized for Linux paths and its main purpose, for now, is to execute testing.
- Create all test stacks including any supporting resources: `make tests`
- Clean all tests except existing supporting resources: `make clean`
- Clean supporting resources (done separately so you can test your module build/modify/destroy independently): `make cleansupporting`
- !!!DANGER!!! Clean the state files from the examples and `tests/supportingResources` - use with CAUTION!!!: `make cleanstatefiles`