fix potential bug in health listener/target-group creation

dnks0 · dnks0 · commit 704acfd992e6 · 2026-01-22T09:19:29.000+01:00
diff --git a/terraform/aws/modules/load-balancer/nlb.tf b/terraform/aws/modules/load-balancer/nlb.tf
@@ -24,12 +24,7 @@ resource "aws_vpc_security_group_egress_rule" "this" {
   description       = local.nlb_sg_egress_rules[count.index].description
 }
 
-# Optional: expose the dbx-proxy health port via the NLB so callers can reach it directly
-# (e.g. through the PrivateLink endpoint). If the health port is already used as a regular
-# listener port, we skip creating this additional listener/TG to avoid a conflict.
 resource "aws_lb_target_group" "health" {
-  count = contains([for l in var.dbx_proxy_listener : l.port], var.dbx_proxy_health_port) ? 0 : 1
-
   name        = "dbx-proxy-tg-health"
   port        = var.dbx_proxy_health_port
   protocol    = "TCP"
@@ -49,16 +44,21 @@ resource "aws_lb_target_group" "health" {
 }
 
 resource "aws_lb_listener" "health" {
-  count = length(aws_lb_target_group.health)
-
   load_balancer_arn = local.nlb_arn
   port              = var.dbx_proxy_health_port
   protocol          = "TCP"
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.health[0].arn
+    target_group_arn = aws_lb_target_group.health.arn
   }
+
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.prefix}-l-health"
+    },
+  )
 }
 
 # One target group per listener port for simple configuration.
@@ -94,4 +94,11 @@ resource "aws_lb_listener" "this" {
     type             = "forward"
     target_group_arn = each.value.arn
   }
+
+  tags = merge(
+    var.tags,
+    {
+      Name = "${var.prefix}-l-${each.key}"
+    },
+  )
 }
diff --git a/terraform/aws/modules/load-balancer/outputs.tf b/terraform/aws/modules/load-balancer/outputs.tf
@@ -12,7 +12,7 @@ output "nlb_target_group_arns" {
   description = "ARNs of the NLB target groups, keyed by listener name (plus health when created)."
   value = merge(
     { for name, tg in aws_lb_target_group.this : name => tg.arn },
-    length(aws_lb_target_group.health) > 0 ? { health = aws_lb_target_group.health[0].arn } : {},
+    { health = aws_lb_target_group.health.arn },
   )
 }
 
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -145,4 +145,8 @@ EOT
     }))
   }))
   default = []
+  validation {
+    condition     = alltrue([for listener in var.dbx_proxy_listener : listener.port != var.dbx_proxy_health_port])
+    error_message = "dbx_proxy_health_port must not overlap with any dbx_proxy_listener port."
+  }
 }

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ output "nlb_target_group_arns" {`
`12`	`12`	`description = "ARNs of the NLB target groups, keyed by listener name (plus health when created)."`
`13`	`13`	`value = merge(`
`14`	`14`	`{ for name, tg in aws_lb_target_group.this : name => tg.arn },`
`15`		`- length(aws_lb_target_group.health) > 0 ? { health = aws_lb_target_group.health[0].arn } : {},`
	`15`	`+ { health = aws_lb_target_group.health.arn },`
`16`	`16`	`)`
`17`	`17`	`}`
`18`	`18`
Original file line number	Diff line number	Diff line change
`@@ -145,4 +145,8 @@ EOT`
`145`	`145`	`}))`
`146`	`146`	`}))`
`147`	`147`	`default = []`
	`148`	`+ validation {`
	`149`	`+ condition = alltrue([for listener in var.dbx_proxy_listener : listener.port != var.dbx_proxy_health_port])`
	`150`	`+ error_message = "dbx_proxy_health_port must not overlap with any dbx_proxy_listener port."`
	`151`	`+ }`
`148`	`152`	`}`