Home

Awesome

AWS Application and Network Load Balancer (ALB & NLB) Terraform module

Terraform module which creates Application and Network Load Balancer resources on AWS.

SWUbanner

Usage

When you're using ALB Listener rules, make sure that every rule's actions block ends in a forward, redirect, or fixed-response action so that every rule will resolve to some sort of an HTTP response. Checkout the AWS documentation for more information.

Application Load Balancer

HTTP to HTTPS redirect

module "alb" {
  source = "terraform-aws-modules/alb/aws"

  name    = "my-alb"
  vpc_id  = "vpc-abcde012"
  subnets = ["subnet-abcde012", "subnet-bcde012a"]

  # Security Group
  security_group_ingress_rules = {
    all_http = {
      from_port   = 80
      to_port     = 80
      ip_protocol = "tcp"
      description = "HTTP web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
    all_https = {
      from_port   = 443
      to_port     = 443
      ip_protocol = "tcp"
      description = "HTTPS web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }
  security_group_egress_rules = {
    all = {
      ip_protocol = "-1"
      cidr_ipv4   = "10.0.0.0/16"
    }
  }

  access_logs = {
    bucket = "my-alb-logs"
  }

  listeners = {
    ex-http-https-redirect = {
      port     = 80
      protocol = "HTTP"
      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }
    ex-https = {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      forward = {
        target_group_key = "ex-instance"
      }
    }
  }

  target_groups = {
    ex-instance = {
      name_prefix      = "h1"
      protocol         = "HTTP"
      port             = 80
      target_type      = "instance"
      target_id        = "i-0f6d38a07d50d080f"
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

Cognito authentication

module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Truncated for brevity ...

  listeners = {
    ex-http-https-redirect = {
      port     = 80
      protocol = "HTTP"
      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }
    ex-cognito = {
      port            = 444
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      authenticate_cognito = {
        authentication_request_extra_params = {
          display = "page"
          prompt  = "login"
        }
        on_unauthenticated_request = "authenticate"
        session_cookie_name        = "session-${local.name}"
        session_timeout            = 3600
        user_pool_arn              = "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_abcdefghi"
        user_pool_client_id        = "us-west-2_fak3p001B"
        user_pool_domain           = "https://fak3p001B.auth.us-west-2.amazoncognito.com"
      }

      forward = {
        target_group_key = "ex-instance"
      }

      rules = {
        ex-oidc = {
          priority = 2

          actions = [
            {
              type = "authenticate-oidc"
              authentication_request_extra_params = {
                display = "page"
                prompt  = "login"
              }
              authorization_endpoint = "https://foobar.com/auth"
              client_id              = "client_id"
              client_secret          = "client_secret"
              issuer                 = "https://foobar.com"
              token_endpoint         = "https://foobar.com/token"
              user_info_endpoint     = "https://foobar.com/user_info"
            },
            {
              type             = "forward"
              target_group_key = "ex-instance"
            }
          ]
        }
      }
    }
  }
}

Cognito authentication on certain paths, redirects for others

module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Truncated for brevity ...

  listeners = {
    https = {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      forward = {
        target_group_key = "instance"
      }

      rules = {
        redirect = {
          priority = 5000
          actions = [{
            type        = "redirect"
            status_code = "HTTP_302"
            host        = "www.youtube.com"
            path        = "/watch"
            query       = "v=dQw4w9WgXcQ"
            protocol    = "HTTPS"
          }]

          conditions = [{
            path_pattern = {
              values = ["/onboarding", "/docs"]
            }
          }]
        }

        cognito = {
          priority = 2
          actions = [
            {
              type                = "authenticate-cognito"
              user_pool_arn       = "arn:aws:cognito-idp::123456789012:userpool/test-pool"
              user_pool_client_id = "6oRmFiS0JHk="
              user_pool_domain    = "test-domain-com"
            },
            {
              type             = "forward"
              target_group_key = "instance"
            }
          ]

          conditions = [{
            path_pattern = {
              values = ["/protected-route", "private/*"]
            }
          }]
        }
      }
    }
  }

  target_groups = {
    instance = {
      name_prefix = "default"
      protocol    = "HTTPS"
      port        = 443
      target_type = "instance"
      target_id   = "i-0f6d38a07d50d080f"
    }
  }
}

Network Load Balancer

TCP_UDP, UDP, TCP and TLS listeners

module "nlb" {
  source = "terraform-aws-modules/alb/aws"

  name               = "my-nlb"
  load_balancer_type = "network"
  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]

  # Security Group
  enforce_security_group_inbound_rules_on_private_link_traffic = "on"
  security_group_ingress_rules = {
    all_http = {
      from_port   = 80
      to_port     = 82
      ip_protocol = "tcp"
      description = "HTTP web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
    all_https = {
      from_port   = 443
      to_port     = 445
      ip_protocol = "tcp"
      description = "HTTPS web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }
  security_group_egress_rules = {
    all = {
      ip_protocol = "-1"
      cidr_ipv4   = "10.0.0.0/16"
    }
  }

  access_logs = {
    bucket = "my-nlb-logs"
  }

  listeners = {
    ex-tcp-udp = {
      port     = 81
      protocol = "TCP_UDP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    ex-udp = {
      port     = 82
      protocol = "UDP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    ex-tcp = {
      port     = 83
      protocol = "TCP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    ex-tls = {
      port            = 84
      protocol        = "TLS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      forward = {
        target_group_key = "ex-target"
      }
    }
  }

  target_groups = {
    ex-target = {
      name_prefix = "pref-"
      protocol    = "TCP"
      port        = 80
      target_type = "ip"
      target_id   = "10.0.47.1"
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}

Conditional creation

The following values are provided to toggle on/off creation of the associated resources as desired:

module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Disable creation of the LB and all resources
  create = false

 # ... omitted
}

Examples

See patterns.md for additional configuration snippets for common usage patterns.

<!-- BEGIN_TF_DOCS -->

Requirements

NameVersion
<a name="requirement_terraform"></a> terraform>= 1.0
<a name="requirement_aws"></a> aws>= 5.82

Providers

NameVersion
<a name="provider_aws"></a> aws>= 5.82

Modules

No modules.

Resources

NameType
aws_lambda_permission.thisresource
aws_lb.thisresource
aws_lb_listener.thisresource
aws_lb_listener_certificate.thisresource
aws_lb_listener_rule.thisresource
aws_lb_target_group.thisresource
aws_lb_target_group_attachment.additionalresource
aws_lb_target_group_attachment.thisresource
aws_route53_record.thisresource
aws_security_group.thisresource
aws_vpc_security_group_egress_rule.thisresource
aws_vpc_security_group_ingress_rule.thisresource
aws_wafv2_web_acl_association.thisresource
aws_partition.currentdata source

Inputs

NameDescriptionTypeDefaultRequired
<a name="input_access_logs"></a> access_logsMap containing access logging configuration for load balancermap(string){}no
<a name="input_additional_target_group_attachments"></a> additional_target_group_attachmentsMap of additional target group attachments to create. Use target_group_key to attach to the target group created in target_groupsany{}no
<a name="input_associate_web_acl"></a> associate_web_aclIndicates whether a Web Application Firewall (WAF) ACL should be associated with the load balancerboolfalseno
<a name="input_client_keep_alive"></a> client_keep_aliveClient keep alive value in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds.numbernullno
<a name="input_connection_logs"></a> connection_logsMap containing access logging configuration for load balancermap(string){}no
<a name="input_create"></a> createControls if resources should be created (affects nearly all resources)booltrueno
<a name="input_create_security_group"></a> create_security_groupDetermines if a security group is createdbooltrueno
<a name="input_customer_owned_ipv4_pool"></a> customer_owned_ipv4_poolThe ID of the customer owned ipv4 pool to use for this load balancerstringnullno
<a name="input_default_port"></a> default_portDefault port used across the listener and target groupnumber80no
<a name="input_default_protocol"></a> default_protocolDefault protocol used across the listener and target groupstring"HTTP"no
<a name="input_desync_mitigation_mode"></a> desync_mitigation_modeDetermines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), stricteststringnullno
<a name="input_dns_record_client_routing_policy"></a> dns_record_client_routing_policyIndicates how traffic is distributed among the load balancer Availability Zones. Possible values are any_availability_zone (default), availability_zone_affinity, or partial_availability_zone_affinity. Only valid for network type load balancers.stringnullno
<a name="input_drop_invalid_header_fields"></a> drop_invalid_header_fieldsIndicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type applicationbooltrueno
<a name="input_enable_cross_zone_load_balancing"></a> enable_cross_zone_load_balancingIf true, cross-zone load balancing of the load balancer will be enabled. For application load balancer this feature is always enabled (true) and cannot be disabled. Defaults to truebooltrueno
<a name="input_enable_deletion_protection"></a> enable_deletion_protectionIf true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to truebooltrueno
<a name="input_enable_http2"></a> enable_http2Indicates whether HTTP/2 is enabled in application load balancers. Defaults to trueboolnullno
<a name="input_enable_tls_version_and_cipher_suite_headers"></a> enable_tls_version_and_cipher_suite_headersIndicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Only valid for Load Balancers of type application. Defaults to falseboolnullno
<a name="input_enable_waf_fail_open"></a> enable_waf_fail_openIndicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to falseboolnullno
<a name="input_enable_xff_client_port"></a> enable_xff_client_portIndicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in application load balancers. Defaults to falseboolnullno
<a name="input_enable_zonal_shift"></a> enable_zonal_shiftWhether zonal shift is enabledboolnullno
<a name="input_enforce_security_group_inbound_rules_on_private_link_traffic"></a> enforce_security_group_inbound_rules_on_private_link_trafficIndicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type network. The possible values are on and off.stringnullno
<a name="input_idle_timeout"></a> idle_timeoutThe time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type application. Default: 60numbernullno
<a name="input_internal"></a> internalIf true, the LB will be internal. Defaults to falseboolnullno
<a name="input_ip_address_type"></a> ip_address_typeThe type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstackstringnullno
<a name="input_listeners"></a> listenersMap of listener configurations to createany{}no
<a name="input_load_balancer_type"></a> load_balancer_typeThe type of load balancer to create. Possible values are application, gateway, or network. The default value is applicationstring"application"no
<a name="input_name"></a> nameThe name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphenstringnullno
<a name="input_name_prefix"></a> name_prefixCreates a unique name beginning with the specified prefix. Conflicts with namestringnullno
<a name="input_preserve_host_header"></a> preserve_host_headerIndicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. Defaults to falseboolnullno
<a name="input_putin_khuylo"></a> putin_khuyloDo you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo!booltrueno
<a name="input_route53_records"></a> route53_recordsMap of Route53 records to create. Each record map should contain zone_id, name, and typeany{}no
<a name="input_security_group_description"></a> security_group_descriptionDescription of the security group createdstringnullno
<a name="input_security_group_egress_rules"></a> security_group_egress_rulesSecurity group egress rules to add to the security group createdany{}no
<a name="input_security_group_ingress_rules"></a> security_group_ingress_rulesSecurity group ingress rules to add to the security group createdany{}no
<a name="input_security_group_name"></a> security_group_nameName to use on security group createdstringnullno
<a name="input_security_group_tags"></a> security_group_tagsA map of additional tags to add to the security group createdmap(string){}no
<a name="input_security_group_use_name_prefix"></a> security_group_use_name_prefixDetermines whether the security group name (security_group_name) is used as a prefixbooltrueno
<a name="input_security_groups"></a> security_groupsA list of security group IDs to assign to the LBlist(string)[]no
<a name="input_subnet_mapping"></a> subnet_mappingA list of subnet mapping blocks describing subnets to attach to load balancerlist(map(string))[]no
<a name="input_subnets"></a> subnetsA list of subnet IDs to attach to the LB. Subnets cannot be updated for Load Balancers of type network. Changing this value for load balancers of type network will force a recreation of the resourcelist(string)nullno
<a name="input_tags"></a> tagsA map of tags to add to all resourcesmap(string){}no
<a name="input_target_groups"></a> target_groupsMap of target group configurations to createany{}no
<a name="input_timeouts"></a> timeoutsCreate, update, and delete timeout configurations for the load balancermap(string){}no
<a name="input_vpc_id"></a> vpc_idIdentifier of the VPC where the security group will be createdstringnullno
<a name="input_web_acl_arn"></a> web_acl_arnWeb Application Firewall (WAF) ARN of the resource to associate with the load balancerstringnullno
<a name="input_xff_header_processing_mode"></a> xff_header_processing_modeDetermines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target. The possible values are append, preserve, and remove. Only valid for Load Balancers of type application. The default is appendstringnullno

Outputs

NameDescription
<a name="output_arn"></a> arnThe ID and ARN of the load balancer we created
<a name="output_arn_suffix"></a> arn_suffixARN suffix of our load balancer - can be used with CloudWatch
<a name="output_dns_name"></a> dns_nameThe DNS name of the load balancer
<a name="output_id"></a> idThe ID and ARN of the load balancer we created
<a name="output_listener_rules"></a> listener_rulesMap of listeners rules created and their attributes
<a name="output_listeners"></a> listenersMap of listeners created and their attributes
<a name="output_route53_records"></a> route53_recordsThe Route53 records created and attached to the load balancer
<a name="output_security_group_arn"></a> security_group_arnAmazon Resource Name (ARN) of the security group
<a name="output_security_group_id"></a> security_group_idID of the security group
<a name="output_target_groups"></a> target_groupsMap of target groups created and their attributes
<a name="output_zone_id"></a> zone_idThe zone_id of the load balancer to assist with creating DNS records
<!-- END_TF_DOCS -->

Authors

Module is maintained by Anton Babenko with help from these awesome contributors.

License

Apache 2 Licensed. See LICENSE for full details.

Additional information for users from Russia and Belarus