Commit df586b1

feat(ELB): add ACM certs data block and listener cert var (#17)
1 parent ab7ea42 commit df586b1

6 files changed

Lines changed: 30 additions & 7 deletions

AWS_ElasticLoadBalancers/README.md

Lines changed: 2 additions & 1 deletion
@@ -56,12 +56,13 @@ No modules.
5656
| [aws_lb_listener_rule.map](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
5757
| [aws_lb_target_group.map](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
5858
| [aws_lb_target_group_attachment.map](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
59+
| [aws_acm_certificate.map](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/acm_certificate) | data source |
5960

6061
### Inputs
6162

6263
| Name | Description | Type | Default | Required |
6364
|------|-------------|------|---------|:--------:|
64-
| <a name="input_listeners"></a> [listeners](#input\_listeners) | Map of arbitrary LB listener names to config objects. LB listeners do not<br>have names in AWS, but the provided names are used internally by this module<br>to properly identify listeners and their associated parameters.<br>"load\_balancer\_name" must exist as a key within var.load\_balancers.<br><br>Within "actions", "type" must be one of "forward", "redirect", or "fixed-response".<br>Each listener must have at least 1 action where "is\_default\_action" is true.<br>Support for auth-related types "authenticate-cognito" and "authenticate-oidc" will<br>be added in the future. Each default action object is configured using the property<br>which matches its type. Default actions can not have "conditions". | <pre>map(<br> # map keys: arbitrary LB listener "names"<br> object({<br> load_balancer_name = string<br> port = optional(number)<br> protocol = optional(string)<br> certificate_arn = optional(string)<br> ssl_policy = optional(string) # Required for protocols HTTPS or TLS<br> tls_alpn_policy = optional(string)<br> tags = optional(map(string))<br> actions = list(object({<br> # TODO Add support for listeners of type "authenticate-oidc" and "authenticate-cognito"<br> type = string # "forward", "redirect", or "fixed-response"<br> is_default_action = optional(bool, false)<br> priority = optional(number) # Required if >1 actions<br> forward = optional(object({<br> target_groups = list(object({<br> name = string # name must match a key in var.target_groups<br> weight = optional(number) # 0 to 999<br> }))<br> stickiness = optional(object({<br> duration = number # 1 - 604800 seconds (7 days)<br> enabled = optional(bool, false)<br> }))<br> }))<br> redirect = optional(object({<br> status_code = string # "HTTP_301" (permanent), or "HTTP_302" (temporary)<br> host = optional(string)<br> port = optional(string)<br> path = optional(string)<br> protocol = optional(string)<br> query = optional(string)<br> }))<br> 
fixed_response = optional(object({<br> content_type = string # "text/plain", "text/css", "text/html", "application/javascript", or "application/json"<br> message_body = optional(string)<br> status_code = optional(string)<br> }))<br> # Conditions only apply to non-default actions<br> conditions = optional(list(object({<br> source_ips = optional(list(string))<br> host_header_values = optional(list(string))<br> http_request_methods = optional(list(string))<br> path_patterns = optional(list(string))<br> http_headers = optional(list(object({<br> http_header_name = string<br> values = list(string)<br> })))<br> query_strings = optional(list(object({<br> key = optional(string)<br> value = string<br> })))<br> })))<br> }))<br> })<br> )</pre> | n/a | yes |
65+
| <a name="input_listeners"></a> [listeners](#input\_listeners) | Map of arbitrary LB listener names to config objects. LB listeners do not<br>have names in AWS, but the provided names are used internally by this module<br>to properly identify listeners and their associated parameters.<br>"load\_balancer\_name" must exist as a key within var.load\_balancers.<br><br>Within "actions", "type" must be one of "forward", "redirect", or "fixed-response".<br>Each listener must have at least 1 action where "is\_default\_action" is true.<br>Support for auth-related types "authenticate-cognito" and "authenticate-oidc" will<br>be added in the future. Each default action object is configured using the property<br>which matches its type. Default actions can not have "conditions". | <pre>map(<br> # map keys: arbitrary LB listener "names"<br> object({<br> load_balancer_name = string<br> port = optional(number)<br> protocol = optional(string)<br> certificate_arn = optional(string)<br> certificate = optional(object({<br> domain = string<br> type = optional(string, "AMAZON_ISSUED")<br> status = optional(string, "ISSUED")<br> most_recent = optional(bool, true)<br> }))<br> ssl_policy = optional(string) # Required for protocols HTTPS or TLS<br> tls_alpn_policy = optional(string)<br> tags = optional(map(string))<br> actions = list(object({<br> # TODO Add support for listeners of type "authenticate-oidc" and "authenticate-cognito"<br> type = string # "forward", "redirect", or "fixed-response"<br> is_default_action = optional(bool, false)<br> priority = optional(number) # Required if >1 actions<br> forward = optional(object({<br> target_groups = list(object({<br> name = string # name must match a key in var.target_groups<br> weight = optional(number) # 0 to 999<br> }))<br> stickiness = optional(object({<br> duration = number # 1 - 604800 seconds (7 days)<br> enabled = optional(bool, false)<br> }))<br> }))<br> redirect = optional(object({<br> status_code = string # "HTTP_301" (permanent), 
or "HTTP_302" (temporary)<br> host = optional(string)<br> port = optional(string)<br> path = optional(string)<br> protocol = optional(string)<br> query = optional(string)<br> }))<br> fixed_response = optional(object({<br> content_type = string # "text/plain", "text/css", "text/html", "application/javascript", or "application/json"<br> message_body = optional(string)<br> status_code = optional(string)<br> }))<br> # Conditions only apply to non-default actions<br> conditions = optional(list(object({<br> source_ips = optional(list(string))<br> host_header_values = optional(list(string))<br> http_request_methods = optional(list(string))<br> path_patterns = optional(list(string))<br> http_headers = optional(list(object({<br> http_header_name = string<br> values = list(string)<br> })))<br> query_strings = optional(list(object({<br> key = optional(string)<br> value = string<br> })))<br> })))<br> }))<br> })<br> )</pre> | n/a | yes |
6566
| <a name="input_load_balancers"></a> [load\_balancers](#input\_load\_balancers) | Map of load balancer names to config objects. "type" must be either<br>"application", "network", or "gateway". "alb\_should\_enable\_http2" is<br>only applicable to Application LBs. "nlb\_enable\_cross\_zone\_load\_balancing"<br>is only applicable to Network LBs. | <pre>map(<br> # map keys: load balancer names<br> object({<br> type = string<br> is_internal = optional(bool, false)<br> is_dualstack = optional(bool, false)<br> subnets = optional(map(<br> # map keys: subnet names<br> object({<br> subnet_id = string<br> elastic_ip_allocation_id = optional(string)<br> private_ipv4_address = optional(string)<br> ipv6_address = optional(string)<br> })<br> ))<br> alb_security_group_ids = optional(list(string))<br> alb_should_enable_http2 = optional(bool, true)<br> nlb_enable_cross_zone_load_balancing = optional(bool, false)<br> enable_deletion_protection = optional(bool, true)<br> desync_mitigation_mode = optional(string, "defensive")<br> idle_timeout_seconds = optional(number, 60)<br> access_logging = optional(object({<br> s3_bucket_name = string<br> log_prefix = optional(string)<br> is_enabled = optional(bool, true)<br> }))<br> tags = optional(map(string))<br> })<br> )</pre> | n/a | yes |
6667
| <a name="input_target_groups"></a> [target\_groups](#input\_target\_groups) | Map of ELB Target Group names to config objects. "target\_type" must be one<br>of "instance", "ip", "lambda", or "alb". For non-Lambda targets, "port" and<br>"protocol" must be provided; "protocol" must be one of GENEVE, HTTP, HTTPS,<br>TCP, TCP\_UDP, TLS, or UDP. If "protocol" is HTTP or HTTPS, you must provide<br>"protocol\_version", which must be one of HTTP1, HTTP2, or GRPC.<br><br>To register targets to a target group, specify "targets" (note: ECS Services<br>can be configured to handle registration of its containers with an ALB, don't<br>manually register such containers). | <pre>map(<br> # map keys: target group names<br> object({<br> target_type = string # instance/ip/lambda/alb<br> port = optional(number) # not required for lambda<br> protocol = optional(string) # not required for lambda<br> protocol_version = optional(string) # required for HTTP/HTTPS protocols<br> ip_address_type = optional(string) # required for ip types, "ipv4" or "ipv6"<br> vpc_id = optional(string)<br> slow_start_warmup_seconds = optional(number, 0)<br> load_balancing_algorithm_type = optional(string, "round_robin") # can also be "least_outstanding_requests"<br> lambda_multi_value_headers_enabled = optional(bool, false) # applies to lambda only<br> health_check = optional(object({<br> is_enabled = optional(bool, true)<br> healthy_threshold = optional(number, 3)<br> unhealthy_threshold = optional(number)<br> interval = optional(number, 30)<br> matcher = optional(string)<br> path = optional(string)<br> port = optional(string, "traffic-port")<br> protocol = optional(string, "HTTP")<br> timeout = optional(number)<br> }))<br> targets = optional(list(object({<br> id = string<br> port = optional(number)<br> availability_zone = optional(number)<br> })))<br> tags = optional(map(string))<br> })<br> )</pre> | n/a | yes |
6768
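Review bot: the `listeners` row gains the new `certificate` object in the type column, but the description text is unchanged, so a reader is not told what the object does or how it relates to `certificate_arn`. Suggest extending the description with something like: "certificate" looks up an ACM certificate by domain (with "type", "status" and "most_recent" narrowing the match) and, when set, its ARN is used for the listener in place of "certificate_arn". It is also worth stating that the lookup fails the plan when no certificate in the provider's region matches, since that is a behaviour change from passing a literal ARN.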

Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
######################################################################
2+
### ACM Certificates
3+
4+
data "aws_acm_certificate" "map" {
5+
for_each = {
6+
for listener_name, listener_config in var.listeners : listener_name => listener_config
7+
if listener_config.certificate != null
8+
}
9+
10+
domain = each.value.certificate.domain
11+
types = [each.value.certificate.type]
12+
statuses = [each.value.certificate.status]
13+
most_recent = each.value.certificate.most_recent
14+
}
15+
16+
######################################################################
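Review bot: the lookup filters only on `domain`, `types`, `statuses` and `most_recent`, so when several ISSUED certificates share a domain (a renewed or re-imported certificate, or one that also covers extra SANs) the most recently issued one is selected and the listener's `certificate_arn` changes on the next apply with no change to the module inputs. That is probably the desired behaviour for renewals, but it should be spelled out in the variable description, with `certificate_arn` named as the way to pin a specific certificate. Separately, this file's path is not rendered on the page, so it cannot be checked that the new file follows the `main.<Resource>.tf` naming used by `main.ELB_Listeners.tf`.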

AWS_ElasticLoadBalancers/examples/terraform.tf

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ module "AWS_ELB" {
3333
load_balancer_name = "Simple_ALB"
3434
port = 443
3535
protocol = "HTTPS"
36-
certificate_arn = "arn:aws:iam::111111111111:server-certificate/test_cert_1a1a1a1a1a1a1a1a1a1a1a1a1a"
36+
certificate = { domain = "example.com" }
3737
ssl_policy = "ELBSecurityPolicy-2016-08"
3838
actions = [
3939
{
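Review bot: the removed line referenced an IAM server certificate (`arn:aws:iam::...:server-certificate/...`), which the ACM data source cannot resolve, so the example now exercises only the ACM path. A short comment beside `certificate = { domain = "example.com" }` saying that `certificate_arn` remains the option for IAM-hosted or explicitly pinned certificates would avoid implying the old input was removed. The example also now depends on an ISSUED, Amazon-issued certificate for example.com existing in the target account and region, otherwise `terraform plan` fails; that prerequisite deserves a comment since the example is no longer self-contained.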

AWS_ElasticLoadBalancers/examples/terragrunt.hcl

Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@ inputs = {
4242
load_balancer_name = "Simple_ALB"
4343
port = 443
4444
protocol = "HTTPS"
45-
certificate_arn = "arn:aws:iam::111111111111:server-certificate/test_cert_1a1a1a1a1a1a1a1a1a1a1a1a1a"
45+
certificate = { domain = "example.com" }
4646
ssl_policy = "ELBSecurityPolicy-2016-08"
4747
actions = [
4848
{
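Review bot: this mirrors the change in examples/terraform.tf, and because only `domain` is given, the match relies entirely on the defaults declared in variables.tf (`type = "AMAZON_ISSUED"`, `status = "ISSUED"`, `most_recent = true`). Consider showing one of the optional keys in this example (for instance `type = "IMPORTED"`, which the ACM data source accepts) so that the two examples together document the object shape instead of repeating the same minimal form.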

AWS_ElasticLoadBalancers/main.ELB_Listeners.tf

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@ resource "aws_lb_listener" "map" {
1111
protocol = each.value.protocol
1212
ssl_policy = each.value.ssl_policy
1313
alpn_policy = each.value.tls_alpn_policy
14-
certificate_arn = each.value.certificate_arn
14+
certificate_arn = try(data.aws_acm_certificate.map[each.key].arn, each.value.certificate_arn)
1515
tags = each.value.tags
1616

1717
# DEFAULT ACTIONS:
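Review bot: `try()` here does more than cover the missing-key case. Since `data.aws_acm_certificate.map` is keyed by exactly the listeners whose `certificate` is non-null, the first argument can only fail when no lookup exists, but `try()` will also swallow any other error in that expression and silently fall back to `certificate_arn`, and the precedence (lookup wins when both inputs are set) is invisible to anyone reading the variables. Suggest the explicit form `certificate_arn = each.value.certificate != null ? data.aws_acm_certificate.map[each.key].arn : each.value.certificate_arn`, and a separate check that HTTPS/TLS listeners end up with a non-null ARN rather than leaving that to the ELB API to reject at apply time.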

AWS_ElasticLoadBalancers/variables.tf

Lines changed: 9 additions & 3 deletions
@@ -63,9 +63,15 @@ variable "listeners" {
6363
port = optional(number)
6464
protocol = optional(string)
6565
certificate_arn = optional(string)
66-
ssl_policy = optional(string) # Required for protocols HTTPS or TLS
67-
tls_alpn_policy = optional(string)
68-
tags = optional(map(string))
66+
certificate = optional(object({
67+
domain = string
68+
type = optional(string, "AMAZON_ISSUED")
69+
status = optional(string, "ISSUED")
70+
most_recent = optional(bool, true)
71+
}))
72+
ssl_policy = optional(string) # Required for protocols HTTPS or TLS
73+
tls_alpn_policy = optional(string)
74+
tags = optional(map(string))
6975
actions = list(object({
7076
# TODO Add support for listeners of type "authenticate-oidc" and "authenticate-cognito"
7177
type = string # "forward", "redirect", or "fixed-response"
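Review bot: the new `certificate` object carries no inline comment, unlike the attributes around it, and nothing stops a caller from setting both `certificate` and `certificate_arn`. Suggest a comment such as `# ACM lookup by domain; takes precedence over certificate_arn when both are set`, plus a `validation` block on the variable, e.g. `condition = alltrue([for l in var.listeners : !(l.certificate != null && l.certificate_arn != null)])`, so the conflict is reported at plan time instead of one value being ignored. The `type` and `status` fields also deserve a comment listing accepted values (the ACM data source accepts AMAZON_ISSUED, PRIVATE and IMPORTED for type), since the README's type column reproduces these comments verbatim.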
