| page_title | stackit_application_load_balancer Resource - stackit |
|---|---|
| subcategory | |
| description | Setting up supporting infrastructure The example below creates the supporting infrastructure using the STACKIT Terraform provider, including the network, network interface, a public IP address and server resources. |
The example below creates the supporting infrastructure using the STACKIT Terraform provider, including the network, network interface, a public IP address and server resources.
# Input variables for the supporting infrastructure. Every value has a
# default so the example can be planned as-is; override the placeholders
# (project_id in particular) with real values.
variable "project_id" {
  type        = string
  description = "The STACKIT Project ID"
  default     = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
}

variable "image_id" {
  type        = string
  description = "A valid Debian 12 Image ID available in all projects"
  default     = "939249d1-6f48-4ab7-929b-95170728311a"
}

variable "availability_zone" {
  type        = string
  description = "An availability zone"
  default     = "eu01-1"
}

variable "machine_type" {
  type        = string
  description = "The machine flavor with 2GB of RAM and 1 core"
  default     = "c2i.1"
}

# Label key and value applied to the load balancer below.
variable "label_key" {
  type        = string
  description = "An optional label key"
  default     = "key"
}

variable "label_value" {
  type        = string
  description = "An optional label value"
  default     = "value"
}
# Create a network
resource "stackit_network" "network" {
  project_id = var.project_id
  name       = "example-network"

  # Private range shared by the load balancer and its targets (the load
  # balancer below attaches to this network with ROLE_LISTENERS_AND_TARGETS).
  ipv4_prefix      = "192.168.2.0/25"
  ipv4_nameservers = ["1.1.1.1"]

  # NOTE(review): routed = true — confirm what reachability this gives the
  # prefix within the project before reusing the example unchanged.
  routed = true
}
# Create a network interface
resource "stackit_network_interface" "nic" {
  project_id = var.project_id
  network_id = stackit_network.network.network_id

  # security_group_ids is excluded from drift detection: with
  # disable_target_security_group_assignment = false on the load balancer,
  # the service presumably assigns its target security group to this
  # interface, and Terraform would otherwise try to revert that on each apply.
  # The flip side is that any other change to the interface's security groups
  # is also invisible to Terraform, so review them outside of this config.
  lifecycle {
    ignore_changes = [security_group_ids]
  }
}
# Create a key pair for accessing the target server instance
resource "stackit_key_pair" "keypair" {
  name = "example-key-pair"

  # Only the public half of the key is uploaded; chomp() drops the trailing
  # newline that key files usually end with.
  public_key = chomp(file("path/to/id_rsa.pub"))
}
# Create a target server instance
resource "stackit_server" "server" {
  project_id        = var.project_id
  name              = "example-server"
  availability_zone = var.availability_zone
  machine_type      = var.machine_type

  # SSH access goes through the key pair registered above.
  keypair_name = stackit_key_pair.keypair.name

  # Boot from the Debian image; the volume is deleted together with the server.
  boot_volume = {
    source_type           = "image"
    source_id             = var.image_id
    size                  = 20
    delete_on_termination = true
  }

  # The target pool below points at this interface's IPv4 address.
  network_interfaces = [stackit_network_interface.nic.network_interface_id]

  # Explicit ordering on top of the implicit dependencies from the references above.
  depends_on = [
    stackit_network.network,
    stackit_key_pair.keypair,
    stackit_network_interface.nic,
  ]
}
# Create example credentials for the observability of the ALB.
# Create real credentials in your STACKIT Observability instance and use those instead.
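# The credential holds the basic auth username and password the ALB uses
# against the observability push URLs. They are taken from sensitive input
# variables instead of being written into the configuration file (pass them
# via TF_VAR_observability_username / TF_VAR_observability_password or an
# uncommitted .tfvars file). Note that Terraform still records the values in
# its state, so protect the state backend accordingly.
variable "observability_username" {
  type        = string
  description = "Basic auth username for the observability solution the ALB pushes logs and metrics to"
  sensitive   = true
}

variable "observability_password" {
  type        = string
  description = "Basic auth password for the observability solution the ALB pushes logs and metrics to"
  sensitive   = true
}

resource "stackit_loadbalancer_observability_credential" "observability" {
  project_id   = var.project_id
  display_name = "my-cred"
  username     = var.observability_username
  password     = var.observability_password
}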
# Create an Application Load Balancer
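resource "stackit_application_load_balancer" "example" {
  project_id = var.project_id
  region     = "eu01"
  name       = "example-load-balancer"
  plan_id    = "p10"

  # Hint: let the service allocate an IP for the lifetime of the ALB by setting
  # options.ephemeral_address = true (as below), or pin an existing address:
  # external_address = "124.124.124.124"

  labels = {
    (var.label_key) = var.label_value
  }

  listeners = [
    {
      name     = "my-listener"
      port     = 443
      protocol = "PROTOCOL_HTTPS"

      # Routing: every host, requests under /path, forwarded to my-target-pool.
      http = {
        hosts = [{
          host = "*"
          rules = [{
            target_pool = "my-target-pool"
            web_socket  = true
            query_parameters = [{
              name        = "my-query-key"
              exact_match = "my-query-value"
            }]
            headers = [{
              name        = "my-header-key"
              exact_match = "my-header-value"
            }]
            path = {
              prefix = "/path"
            }
            cookie_persistence = {
              name = "my-cookie"
              ttl  = "60s"
            }
          }]
        }]
      }

      # TLS termination on the listener.
      https = {
        certificate_config = {
          certificate_ids = [
            # Currently no TF provider resource for certificates; create them via the API:
            # https://docs.api.stackit.cloud/documentation/certificates/version/v2
            "name-v1-8c81bd317af8a03b8ef0851ccb074eb17d1ad589b540446244a5e593f78ef820"
          ]
        }
      }

      # Web Application Firewall, referenced by name.
      # Currently no TF provider resource for WAF configs; create it via the API:
      # https://docs.api.stackit.cloud/documentation/alb-waf/version/v1alpha
      waf_config_name = "my-waf-config"
    }
  ]

  networks = [
    {
      network_id = stackit_network.network.network_id
      role       = "ROLE_LISTENERS_AND_TARGETS"
    }
  ]

  options = {
    # Source ranges allowed to reach the ALB. The schema exposes this as
    # access_control.allowed_source_ranges (there is no `acl` attribute);
    # ranges are given as network addresses, i.e. without host bits set.
    access_control = {
      allowed_source_ranges = ["123.123.123.0/24", "12.12.12.0/24"]
    }

    # Allocate a public IP together with the ALB and release it on destroy.
    ephemeral_address = true

    # false: reachable from the public internet, subject to access_control above.
    private_network_only = false

    observability = {
      logs = {
        credentials_ref = stackit_loadbalancer_observability_credential.observability.credentials_ref
        push_url        = "https://logs.stackit<id>.argus.eu01.stackit.cloud/instances/<instance-id>/loki/api/v1/push"
      }
      metrics = {
        credentials_ref = stackit_loadbalancer_observability_credential.observability.credentials_ref
        push_url        = "https://push.metrics.stackit<id>.argus.eu01.stackit.cloud/instances/<instance-id>/api/v1/receive"
      }
    }
  }

  target_pools = [
    {
      name = "my-target-pool"

      # NOTE(review): target_port 80 together with tls_config.enabled = true
      # looks inconsistent — confirm the targets actually speak TLS on this port.
      target_port = 80

      active_health_check = {
        interval        = "0.500s"
        interval_jitter = "0.010s"
        timeout         = "1s"
        # The thresholds are Number attributes in the schema, so they are
        # written as numbers rather than strings.
        healthy_threshold   = 5
        unhealthy_threshold = 3
        http_health_checks = {
          ok_status = ["200", "201"]
          path      = "/healthy"
        }
      }

      targets = [
        {
          display_name = "my-target"
          ip           = stackit_network_interface.nic.ipv4
        }
      ]

      # TLS bridging: traffic to the targets is re-encrypted. Certificate
      # validation stays enabled and the targets' internal CA is trusted in
      # addition to the system CAs (custom_ca requires enabled = true and
      # skip_certificate_validation = false).
      tls_config = {
        enabled                     = true
        skip_certificate_validation = false
        custom_ca                   = chomp(file("path/to/PEM_formated_CA"))
      }
    }
  ]

  # Only needed if targets are not in the same network.
  disable_target_security_group_assignment = false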
}

listeners (Attributes List) List of all listeners which will accept traffic. Limited to 20. (see below for nested schema)
name (String) Application Load Balancer name.
networks (Attributes Set) List of networks that listeners and targets reside in. (see below for nested schema)
plan_id (String) Service Plan configures the size of the Application Load Balancer, e.g. 'p10'. See available plans via the STACKIT CLI 'stackit beta alb plans' or the API https://docs.api.stackit.cloud/documentation/alb/version/v2#tag/Project/operation/APIService_ListPlans
project_id (String) STACKIT project ID to which the Application Load Balancer is associated.
target_pools (Attributes List) List of all target pools which will be used in the Application Load Balancer. Limited to 20. (see below for nested schema)
disable_target_security_group_assignment (Boolean) Disable target security group assignment to allow targets outside of the given network. Connectivity to targets needs to be ensured by the customer, including routing and Security Groups (targetSecurityGroup can be assigned). Not changeable after creation.
external_address (String) The external IP address where this Application Load Balancer is exposed. Not changeable after creation.
labels (Map of String) Labels represent user-defined metadata as key-value pairs. Label count cannot exceed 64 per ALB.
options (Attributes) Defines any optional functionality you want to have enabled on your Application Load Balancer. (see below for nested schema)
region (String) The resource region (e.g. eu01). If not defined, the provider region is used.
errors (Attributes Set) Reports all errors an Application Load Balancer has. (see below for nested schema)
id (String) Terraform's internal resource ID. It is structured as project_id,region,name.
load_balancer_security_group (Attributes) Security Group permitting network traffic from the LoadBalancer to the targets. Useful when disableTargetSecurityGroupAssignment=true to manually assign target security groups to targets. (see below for nested schema)
private_address (String)
target_security_group (Attributes) Security Group that allows the targets to receive traffic from the LoadBalancer. Useful when disableTargetSecurityGroupAssignment=true to manually assign target security groups to targets. (see below for nested schema)
version (String) Application Load Balancer resource version. Used for concurrency-safe updates.
Required:
http (Attributes) Configuration for HTTP traffic. (see below for nested schema)
name (String) Unique name for the listener.
port (Number) Port number on which the listener receives incoming traffic.
protocol (String) Protocol is the highest network protocol we understand to load balance. Possible values are: PROTOCOL_UNSPECIFIED, PROTOCOL_HTTP, PROTOCOL_HTTPS.
Optional:
https (Attributes) Configuration for handling HTTPS traffic on this listener. (see below for nested schema)
waf_config_name (String) Enable Web Application Firewall (WAF), referenced by name. See "Application Load Balancer - Web Application Firewall API" for more information.
Required:
hosts(Attributes List) Defines routing rules grouped by hostname. (see below for nested schema)
Required:
host (String) Hostname to match. Supports wildcards (e.g. *.example.com).
rules (Attributes List) Routing rules under the specified host, matched by path prefix. (see below for nested schema)
Required:
target_pool(String) Reference target pool by target pool name.
Optional:
cookie_persistence (Attributes) Routing persistence via cookies. (see below for nested schema)
headers (Attributes Set) Headers for the rule. (see below for nested schema)
path (Attributes) Routing via path. (see below for nested schema)
query_parameters (Attributes Set) Query parameters for the rule. (see below for nested schema)
web_socket (Boolean) If enabled, when a client sends an HTTP request with an Upgrade header indicating the desire to establish a WebSocket connection, and the backend server supports WebSocket, it responds with HTTP status code 101, switching protocols from HTTP to WebSocket. The client and the server can then exchange data in real time over one long-lived TCP connection.
Required:
name (String) The name of the cookie to use.
ttl (String) TTL specifies the time-to-live for the cookie. The default value is 0s, which makes it a session cookie that expires when the client session ends.
Required:
name(String) Header name.
Optional:
exact_match(String) Exact match for the header value.
Optional:
exact_match (String) Exact path match. Only a request path exactly equal to the value will match, e.g. '/foo' matches only '/foo', not '/foo/bar' or '/foobar'.
prefix (String) Prefix path match. Only matches on full segment boundaries, e.g. '/foo' matches '/foo' and '/foo/bar' but NOT '/foobar'.
Required:
name(String) Query parameter name.
Optional:
exact_match(String) Exact match for the query parameters value.
Required:
certificate_config(Attributes) TLS termination certificate configuration. (see below for nested schema)
Required:
certificate_ids(Set of String) Certificate IDs for TLS termination.
Required:
network_id (String) STACKIT network ID the Application Load Balancer and/or targets are in.
role (String) The role defines how the Application Load Balancer is using the network. Possible values are: ROLE_UNSPECIFIED, ROLE_LISTENERS_AND_TARGETS, ROLE_LISTENERS, ROLE_TARGETS.
Required:
name (String) Target pool name.
target_port (Number) The number identifying the port where each target listens for traffic.
targets (Attributes Set) List of all targets which will be used in the pool. Limited to 250. (see below for nested schema)
Optional:
active_health_check (Attributes) (see below for nested schema)
tls_config (Attributes) Configuration for TLS bridging. (see below for nested schema)
Required:
ip (String) Private target IP, which must be unique within a target pool.
Optional:
display_name(String) Target display name
Required:
healthy_threshold (Number) Healthy threshold of the health checking.
interval (String) Interval duration of health checking in seconds.
interval_jitter (String) Interval duration threshold of the health checking in seconds.
timeout (String) Active health checking timeout duration in seconds.
unhealthy_threshold (Number) Unhealthy threshold of the health checking.
Optional:
http_health_checks(Attributes) Options for the HTTP health checking. (see below for nested schema)
Required:
ok_status (Set of String) List of HTTP status codes that indicate a healthy response.
path (String) Path to send the health check request to.
Optional:
custom_ca (String) Specifies a custom Certificate Authority (CA). When provided, the target pool will trust certificates signed by this CA, in addition to any system-trusted CAs. This is useful for scenarios where the target pool needs to communicate with servers using self-signed or internally-issued certificates. enabled needs to be set to true and skip_certificate_validation to false for this option.
enabled (Boolean) Enable TLS (Transport Layer Security) bridging for the connection between the Application Load Balancer and the targets in this pool. When enabled, public CAs are trusted. Can be used in tandem with either custom_ca or skip_certificate_validation, or alone.
skip_certificate_validation (Boolean) Bypass certificate validation for TLS bridging in this target pool. This option is insecure, since any certificate presented by a target is accepted, and can only be used with public CAs by setting enabled to true. Meant to be used for testing purposes only!
Optional:
access_control (Attributes) Use this option to limit the IP ranges that can use the Application Load Balancer. (see below for nested schema)
ephemeral_address (Boolean) This option automates the handling of the external IP address for an Application Load Balancer. If set to true, a new IP address will be automatically created. It will also be automatically deleted when the Load Balancer is deleted.
observability (Attributes) We offer Load Balancer observability via STACKIT Observability or external solutions. (see below for nested schema)
private_network_only (Boolean) The Application Load Balancer is accessible only via a private network IP address. Not changeable after creation.
Required:
allowed_source_ranges(Set of String) Application Load Balancer is accessible only from an IP address in this range.
Optional:
logs (Attributes) Observability logs configuration. (see below for nested schema)
metrics (Attributes) Observability metrics configuration. (see below for nested schema)
Required:
credentials_ref (String) Credentials reference for logging. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the logging solution the push URL points to. This enables monitoring via remote write for the Application Load Balancer.
push_url (String) Push URL of the logging solution the Application Load Balancer remote-writes its logs to, authenticated with the credential referenced by credentials_ref.
Required:
credentials_ref (String) Credentials reference for metrics. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the metrics solution the push URL points to. This enables monitoring via remote write for the Application Load Balancer.
push_url (String) Push URL of the metrics solution the Application Load Balancer remote-writes its metrics to, authenticated with the credential referenced by credentials_ref.
Read-Only:
description (String) The error description contains additional helpful user information to fix the error state of the Application Load Balancer. For example, if the IP 45.135.247.139 does not exist in the project, the description will report: Floating IP "45.135.247.139" could not be found.
type (String) The error type specifies which part of the Application Load Balancer encountered the error. E.g. the API will not check if a provided public IP is actually available in the project. Instead the Application Load Balancer will try to use the provided IP and, if it is not available, reports a TYPE_FIP_NOT_CONFIGURED error. Possible values are: TYPE_UNSPECIFIED, TYPE_INTERNAL, TYPE_QUOTA_SECGROUP_EXCEEDED, TYPE_QUOTA_SECGROUPRULE_EXCEEDED, TYPE_PORT_NOT_CONFIGURED, TYPE_FIP_NOT_CONFIGURED, TYPE_TARGET_NOT_ACTIVE, TYPE_METRICS_MISCONFIGURED, TYPE_LOGS_MISCONFIGURED.
Read-Only:
id (String) ID of the security group.
name (String) Name of the security group.
Read-Only:
id (String) ID of the security group.
name (String) Name of the security group.