AWS Application and Network Load Balancer (ALB & NLB) Terraform module
Terraform module which creates Application and Network Load Balancer resources on AWS.
Usage
When you're using ALB Listener rules, make sure that every rule's actions block ends in a forward, redirect, or fixed-response action so that every rule resolves to an HTTP response. Check out the AWS documentation for more information.
Application Load Balancer
HTTP to HTTPS redirect
# Internet-facing ALB: the port 80 listener only redirects to HTTPS, and the
# port 443 listener terminates TLS and forwards to the "ex-instance" target group.
module "alb" {
  source = "terraform-aws-modules/alb/aws"

  name    = "my-alb"
  vpc_id  = "vpc-abcde012"
  subnets = ["subnet-abcde012", "subnet-bcde012a"]

  # Security Group
  # Ingress is open to any IPv4 source, but only on the two listener ports.
  # Narrow cidr_ipv4 if the load balancer is not meant to be internet-facing.
  security_group_ingress_rules = {
    all_http = {
      from_port   = 80
      to_port     = 80
      ip_protocol = "tcp"
      description = "HTTP web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
    all_https = {
      from_port   = 443
      to_port     = 443
      ip_protocol = "tcp"
      description = "HTTPS web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }

  # Egress is limited to 10.0.0.0/16 (presumably the VPC CIDR - confirm), on
  # all protocols, rather than to the whole internet.
  security_group_egress_rules = {
    all = {
      ip_protocol = "-1"
      cidr_ipv4   = "10.0.0.0/16"
    }
  }

  # Access logs are delivered to this S3 bucket.
  # NOTE(review): nothing in this snippet creates the bucket or its policy -
  # confirm it exists and allows log delivery.
  access_logs = {
    bucket = "my-alb-logs"
  }

  listeners = {
    # Plain HTTP never reaches a target: every request gets a 301 to HTTPS on 443.
    ex-http-https-redirect = {
      port     = 80
      protocol = "HTTP"
      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }

    # TLS terminates here using the referenced certificate.
    # NOTE(review): no ssl_policy is set, so the negotiated TLS versions and
    # ciphers depend on the default in effect - consider pinning one.
    ex-https = {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      forward = {
        target_group_key = "ex-instance"
      }
    }
  }

  target_groups = {
    # Traffic from the load balancer to the instance is plain HTTP on port 80,
    # so it is unencrypted inside the VPC.
    ex-instance = {
      name_prefix = "h1"
      protocol    = "HTTP"
      port        = 80
      target_type = "instance"
      target_id   = "i-0f6d38a07d50d080f"
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}
Cognito authentication
# ALB whose HTTPS listener authenticates against a Cognito user pool by default,
# plus one listener rule that authenticates against a generic OIDC provider.
module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Truncated for brevity ...

  listeners = {
    # Plain HTTP is answered with a 301 to HTTPS on port 443.
    ex-http-https-redirect = {
      port     = 80
      protocol = "HTTP"
      redirect = {
        port        = "443"
        protocol    = "HTTPS"
        status_code = "HTTP_301"
      }
    }

    # Authenticated listener on port 444. The load balancer's security group
    # needs an ingress rule for this port. Note that the HTTP redirect above
    # sends clients to 443, not 444.
    ex-cognito = {
      port            = 444
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      authenticate_cognito = {
        authentication_request_extra_params = {
          display = "page"
          prompt  = "login"
        }
        # "authenticate" sends a request without a valid session to the login
        # flow instead of letting it through.
        on_unauthenticated_request = "authenticate"
        session_cookie_name        = "session-${local.name}"
        session_timeout            = 3600
        user_pool_arn              = "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_abcdefghi"
        user_pool_client_id        = "us-west-2_fak3p001B"
        user_pool_domain           = "https://fak3p001B.auth.us-west-2.amazoncognito.com"
      }

      forward = {
        target_group_key = "ex-instance"
      }

      rules = {
        # NOTE(review): no conditions are shown for this rule - confirm which
        # requests it is meant to match.
        ex-oidc = {
          priority = 2

          actions = [
            {
              authenticate-oidc = {
                authentication_request_extra_params = {
                  display = "page"
                  prompt  = "login"
                }
                authorization_endpoint = "https://foobar.com/auth"
                client_id              = "client_id"
                # Placeholder only. Supply the real secret from a sensitive
                # variable or a secrets store, never as a literal committed to
                # version control. The value also ends up in Terraform state,
                # so restrict access to the state backend.
                client_secret      = "client_secret"
                issuer             = "https://foobar.com"
                token_endpoint     = "https://foobar.com/token"
                user_info_endpoint = "https://foobar.com/user_info"
              }
            },
            {
              forward = {
                target_group_key = "ex-instance"
              }
            }
          ]
        }
      }
    }
  }
}
Cognito authentication on certain paths, redirects for others
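# HTTPS listener that forwards by default, redirects two informational paths,
# and requires Cognito authentication on the protected paths.
module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Truncated for brevity ...

  listeners = {
    https = {
      port            = 443
      protocol        = "HTTPS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"

      # Default action: any request that matches no rule below is forwarded
      # WITHOUT authentication. A path is protected only if a rule's pattern
      # actually matches it.
      forward = {
        target_group_key = "instance"
      }

      rules = {
        # Evaluated after the cognito rule (priority 5000 vs 2).
        redirect = {
          priority = 5000

          actions = [{
            redirect = {
              status_code = "HTTP_302"
              host        = "www.youtube.com"
              path        = "/watch"
              query       = "v=dQw4w9WgXcQ"
              protocol    = "HTTPS"
            }
          }]

          conditions = [{
            path_pattern = {
              values = ["/onboarding", "/docs"]
            }
          }]
        }

        cognito = {
          priority = 2

          # Authenticate first, then forward. The forward action runs only
          # after the authenticate action has succeeded.
          actions = [
            {
              authenticate-cognito = {
                user_pool_arn       = "arn:aws:cognito-idp::123456789012:userpool/test-pool"
                user_pool_client_id = "6oRmFiS0JHk="
                user_pool_domain    = "test-domain-com"
              }
            },
            {
              forward = {
                target_group_key = "instance"
              }
            }
          ]

          conditions = [{
            path_pattern = {
              # Patterns are compared with the URL path, which always starts
              # with "/". The original "private/*" lacked the leading slash,
              # so it would match nothing and /private/... would fall through
              # to the unauthenticated default forward.
              # "/protected-route" has no wildcard, so it covers that exact
              # path only. Add "/protected-route/*" if sub-paths must be
              # authenticated too.
              values = ["/protected-route", "/private/*"]
            }
          }]
        }
      }
    }
  }

  target_groups = {
    # NOTE(review): aws_lb_target_group appears to limit name_prefix to 6
    # characters and "default" is 7 - confirm before applying.
    instance = {
      name_prefix = "default"
      protocol    = "HTTPS"
      port        = 443
      target_type = "instance"
      target_id   = "i-0f6d38a07d50d080f"
    }
  }
}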
Network Load Balancer
TCP_UDP, UDP, TCP and TLS listeners
# Network Load Balancer with one listener per supported protocol
# (TCP_UDP, UDP, TCP, TLS), all forwarding to a single IP target group.
module "nlb" {
  source = "terraform-aws-modules/alb/aws"

  name               = "my-nlb"
  load_balancer_type = "network"
  vpc_id             = "vpc-abcde012"
  subnets            = ["subnet-abcde012", "subnet-bcde012a"]

  # Security Group
  # With this set to "on", the inbound rules are also applied to traffic that
  # arrives through PrivateLink.
  enforce_security_group_inbound_rules_on_private_link_traffic = "on"

  # NOTE(review): these rules admit only TCP on 80-82 and 443-445 from any
  # IPv4 source, while the listeners below use ports 81-84 and include UDP.
  # Reconcile the two before use, so that nothing needed is blocked and
  # nothing unused is left open.
  security_group_ingress_rules = {
    all_http = {
      from_port   = 80
      to_port     = 82
      ip_protocol = "tcp"
      description = "HTTP web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
    all_https = {
      from_port   = 443
      to_port     = 445
      ip_protocol = "tcp"
      description = "HTTPS web traffic"
      cidr_ipv4   = "0.0.0.0/0"
    }
  }

  # Egress limited to 10.0.0.0/16 on all protocols. The target 10.0.47.1
  # below falls inside this range.
  security_group_egress_rules = {
    all = {
      ip_protocol = "-1"
      cidr_ipv4   = "10.0.0.0/16"
    }
  }

  # NOTE(review): nothing in this snippet creates the log bucket or its
  # policy - confirm it exists and allows log delivery.
  access_logs = {
    bucket = "my-nlb-logs"
  }

  listeners = {
    ex-tcp-udp = {
      port     = 81
      protocol = "TCP_UDP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    ex-udp = {
      port     = 82
      protocol = "UDP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    # Plain TCP pass-through: the load balancer adds no encryption on this listener.
    ex-tcp = {
      port     = 83
      protocol = "TCP"
      forward = {
        target_group_key = "ex-target"
      }
    }

    # TLS terminates at the load balancer with the referenced certificate.
    # The target group below is plain TCP, so the hop to the target is not
    # encrypted by the load balancer.
    ex-tls = {
      port            = 84
      protocol        = "TLS"
      certificate_arn = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
      forward = {
        target_group_key = "ex-target"
      }
    }
  }

  target_groups = {
    ex-target = {
      name_prefix = "pref-"
      protocol    = "TCP"
      port        = 80
      target_type = "ip"
      target_id   = "10.0.47.1"
    }
  }

  tags = {
    Environment = "Development"
    Project     = "Example"
  }
}
Conditional creation
The following values are provided to toggle on/off creation of the associated resources as desired:
# Keeps the module call in the configuration while creating none of its resources.
module "alb" {
  source = "terraform-aws-modules/alb/aws"

  # Disable creation of the LB and all resources
  create = false

  # ... omitted
}
Examples
See patterns.md for additional configuration snippets for common usage patterns.
Authors
Module is maintained by Anton Babenko with help from these awesome contributors.
License
Apache 2 Licensed. See LICENSE for full details.
Additional information for users from Russia and Belarus
- Russia has illegally annexed Crimea in 2014 and brought the war in Donbas followed by full-scale invasion of Ukraine in 2022.
- Russia has brought sorrow and devastations to millions of Ukrainians, killed hundreds of innocent people, damaged thousands of buildings, and forced several million people to flee.
- Putin khuylo!