AWS Application and Network Load Balancer (ALB & NLB) Terraform module
Upstream version 10.5.0
Terraform Module Source: registry.compliance.tf/terraform-aws-modules/alb/aws
| Name | Type | Default | Description |
|---|---|---|---|
| **Optional** | | | |
| access_logs | object({...}) | null | Map containing access logging configuration for the load balancer |
| additional_target_group_attachments | map({...}) | null | Map of additional target group attachments to create. Use `target_group_key` to attach to the target group created in `target_groups` |
| associate_web_acl | bool | false | Indicates whether a Web Application Firewall (WAF) ACL should be associated with the load balancer |
| client_keep_alive | number | null | Client keep-alive value in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds |
| connection_logs | object({...}) | null | Map containing connection logging configuration for the load balancer |
| create | bool | true | Controls if resources should be created (affects nearly all resources) |
| create_security_group | bool | true | Determines if a security group is created |
| customer_owned_ipv4_pool | string | null | The ID of the customer-owned IPv4 pool to use for this load balancer |
| default_port | number | 80 | Default port used across the listener and target group |
| default_protocol | string | "HTTP" | Default protocol used across the listener and target group |
| desync_mitigation_mode | string | null | Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are `monitor`, `defensive` (default), `strictest` |
| dns_record_client_routing_policy | string | null | Indicates how traffic is distributed among the load balancer Availability Zones. Possible values are `any_availability_zone` (default), `availability_zone_affinity`, or `partial_availability_zone_affinity`. Only valid for Load Balancers of type `network` |
| drop_invalid_header_fields | bool | true | Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (`true`) or routed to targets (`false`). The default is `true`. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type `application` |
| enable_cross_zone_load_balancing | bool | true | If `true`, cross-zone load balancing of the load balancer will be enabled. For application load balancers this feature is always enabled (`true`) and cannot be disabled. Defaults to `true` |
| enable_deletion_protection | bool | true | If `true`, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to `true` |
| enable_http2 | bool | null | Indicates whether HTTP/2 is enabled in application load balancers. Defaults to `true` |
| enable_tls_version_and_cipher_suite_headers | bool | null | Indicates whether the two headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Only valid for Load Balancers of type `application`. Defaults to `false` |
| enable_waf_fail_open | bool | null | Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to `false` |
| enable_xff_client_port | bool | null | Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `false` |
| enable_zonal_shift | bool | null | Whether zonal shift is enabled |
| enforce_security_group_inbound_rules_on_private_link_traffic | string | null | Indicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type `network`. The possible values are `on` and `off` |
| health_check_logs | object({...}) | null | Map containing health check logging configuration for application load balancers |
| idle_timeout | number | null | The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type `application`. Default: `60` |
| internal | bool | null | If `true`, the LB will be internal. Defaults to `false` |
| ip_address_type | string | null | The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack` |
| ipam_pools | object({...}) | null | The IPAM pools to use with the load balancer |
| listeners | map({...}) | {} | Map of listener configurations to create |
| load_balancer_type | string | "application" | The type of load balancer to create. Possible values are `application`, `gateway`, or `network`. The default value is `application` |
| minimum_load_balancer_capacity | object({...}) | null | Minimum capacity for a load balancer. Only valid for Load Balancers of type `application` or `network` |
| name | string | null | The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen |
| name_prefix | string | null | Creates a unique name beginning with the specified prefix. Conflicts with `name` |
| preserve_host_header | bool | null | Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. Defaults to `false` |
| putin_khuylo | bool | true | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! |
| region | string | null | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration |
| route53_records | map({...}) | null | Map of Route53 records to create. Each record map should contain `zone_id`, `name`, and `type` |
| security_group_description | string | null | Description of the security group created |
| security_group_egress_rules | map({...}) | null | Security group egress rules to add to the security group created |
| security_group_ingress_rules | map({...}) | null | Security group ingress rules to add to the security group created |
| security_group_name | string | null | Name to use on the security group created |
| security_group_tags | map(string) | {} | A map of additional tags to add to the security group created |
| security_group_use_name_prefix | bool | true | Determines whether the security group name (`security_group_name`) is used as a prefix |
| security_groups | list(string) | [] | A list of security group IDs to assign to the LB |
| subnet_mapping | list({...}) | null | A list of subnet mapping blocks describing subnets to attach to the load balancer |
| subnets | list(string) | null | A list of subnet IDs to attach to the LB. Subnets cannot be updated for Load Balancers of type `network`. Changing this value for load balancers of type `network` will force a recreation of the resource |
| tags | map(string) | {} | A map of tags to add to all resources |
| target_groups | map({...}) | null | Map of target group configurations to create |
| timeouts | object({...}) | null | Create, update, and delete timeout configurations for the load balancer |
| vpc_id | string | null | Identifier of the VPC where the security group will be created |
| web_acl_arn | string | null | Web Application Firewall (WAF) ARN of the resource to associate with the load balancer |
| xff_header_processing_mode | string | null | Determines how the load balancer modifies the `X-Forwarded-For` header in the HTTP request before sending the request to the target. The possible values are `append`, `preserve`, and `remove`. Only valid for Load Balancers of type `application`. The default is `append` |
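As an added example (not part of the module's own documentation), the following root module wires together the security-relevant inputs from the table above: malformed-header dropping, strict desync mitigation, deletion protection, access logging, a TLS 1.3-capable HTTPS listener with an HTTP-to-HTTPS redirect, and a module-created security group that only admits port 443. The nested attribute names inside `listeners`, `target_groups` and the security group rule maps are assumptions about the module's object shapes, and every ID, ARN, bucket name and CIDR is a placeholder to be replaced.

```hcl
module "alb" {
  source  = "terraform-aws-modules/alb/aws"
  version = "~> 10.5"
  name    = "app-alb"                                        # assumed name
  vpc_id  = "vpc-PLACEHOLDER"                                # placeholder
  subnets = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] # placeholders

  # Hardening inputs from the table above
  drop_invalid_header_fields = true        # invalid header names are dropped, never forwarded
  desync_mitigation_mode     = "strictest" # reject ambiguous HTTP framing instead of monitoring it
  enable_deletion_protection = true
  xff_header_processing_mode = "append"

  access_logs = {
    bucket = "alb-logs-PLACEHOLDER" # bucket must allow the ELB log-delivery principal to write
    prefix = "app-alb"
  }

  # Module-created security group: TLS in from anywhere, only the app port out
  security_group_ingress_rules = {
    https = { from_port = 443, to_port = 443, ip_protocol = "tcp", cidr_ipv4 = "0.0.0.0/0" }
  }
  security_group_egress_rules = {
    to_app = { from_port = 8080, to_port = 8080, ip_protocol = "tcp", cidr_ipv4 = "10.0.0.0/16" } # placeholder VPC CIDR
  }

  listeners = {
    https = {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER"
      ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06" # TLS 1.2/1.3 only
      forward         = { target_group_key = "app" }
    }
    http_redirect = {
      port     = 80
      protocol = "HTTP"
      redirect = { port = "443", protocol = "HTTPS", status_code = "HTTP_301" }
    }
  }

  target_groups = {
    app = {
      name_prefix       = "app-"
      protocol          = "HTTP"
      port              = 8080
      target_type       = "instance"
      create_attachment = false # targets are registered elsewhere (e.g. by an Auto Scaling group)
    }
  }
}
```

Pair this with `associate_web_acl = true` and a `web_acl_arn` when a WAF ACL is available, and leave `enable_waf_fail_open` at its `false` default so requests are not forwarded unfiltered if WAF is unreachable.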