Test Continuous Integration/Delivery environment on AWS ECS.
Check valid versions on:
- Github Releases: https://github.com/cn-terraform/terraform-aws-ecs-alb/releases
- Terraform Module Registry: https://registry.terraform.io/modules/cn-terraform/ecs-alb/aws
This terraform module creates an Application Load Balancer and security group rules in order allow traffic to it.
Please run this command right after cloning the repository.
pre-commit install
For that you may need to install the following tools:
In order to run all checks at any point run the following command:
pre-commit run --all-files
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | >= 4 |
| Name | Version |
|---|---|
| aws | 4.48.0 |
| random | 3.4.3 |
| Name | Source | Version |
|---|---|---|
| lb_logs_s3 | cn-terraform/logs-s3-bucket/aws | 1.0.5 |
| Name | Type |
|---|---|
| aws_lb.lb | resource |
| aws_lb_listener.lb_http_listeners | resource |
| aws_lb_listener.lb_https_listeners | resource |
| aws_lb_listener_certificate.additional_certificates_for_https_listeners | resource |
| aws_lb_target_group.lb_http_tgs | resource |
| aws_lb_target_group.lb_https_tgs | resource |
| aws_security_group.lb_access_sg | resource |
| aws_security_group_rule.ingress_through_http | resource |
| aws_security_group_rule.ingress_through_https | resource |
| aws_wafv2_web_acl_association.waf_association | resource |
| random_string.lb_name | resource |
| aws_elb_service_account.default | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| access_logs_prefix | (Optional) if access logging to an S3 bucket, this sets a prefix in the bucket beneath which this LB's logs will be organized. | string |
null |
no |
| additional_certificates_arn_for_https_listeners | (Optional) List of SSL server certificate ARNs for HTTPS listener. Use it if you need to set additional certificates besides default_certificate_arn | list(any) |
[] |
no |
| block_s3_bucket_public_access | (Optional) If true, public access to the S3 bucket will be blocked. Ignored if log_bucket_id is provided. | bool |
true |
no |
| default_certificate_arn | (Optional) The ARN of the default SSL server certificate. Required if var.https_ports is set. | string |
null |
no |
| deregistration_delay | (Optional) The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds. | number |
300 |
no |
| drop_invalid_header_fields | (Optional) Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. | bool |
false |
no |
| enable_cross_zone_load_balancing | (Optional) If true, cross-zone load balancing of the load balancer will be enabled. Defaults to false. | bool |
false |
no |
| enable_deletion_protection | (Optional) If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. Defaults to false. | bool |
false |
no |
| enable_http2 | (Optional) Indicates whether HTTP/2 is enabled in the load balancer. Defaults to true. | bool |
true |
no |
| enable_s3_bucket_server_side_encryption | (Optional) If true, server side encryption will be applied. Ignored if log_bucket_id is provided. | bool |
true |
no |
| enable_s3_logs | (Optional) If true, all LoadBalancer logs will be sent to S3. If true, and log_bucket_id is not provided, this module will create the bucket with other provided s3 bucket configuration options | bool |
true |
no |
| http_ingress_cidr_blocks | List of CIDR blocks to allowed to access the Load Balancer through HTTP | list(string) |
[ |
no |
| http_ingress_prefix_list_ids | List of prefix list IDs blocks to allowed to access the Load Balancer through HTTP | list(string) |
[] |
no |
| http_ports | Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code |
map(any) |
{ |
no |
| https_ingress_cidr_blocks | List of CIDR blocks to allowed to access the Load Balancer through HTTPS | list(string) |
[ |
no |
| https_ingress_prefix_list_ids | List of prefix list IDs blocks to allowed to access the Load Balancer through HTTPS | list(string) |
[] |
no |
| https_ports | Map containing objects to define listeners behaviour based on type field. If type field is forward, include listener_port and the target_group_port. For redirect type, include listener port, host, path, port, protocol, query and status_code. For fixed-response, include listener_port, content_type, message_body and status_code |
map(any) |
{ |
no |
| idle_timeout | (Optional) The time in seconds that the connection is allowed to be idle. Default: 60. | number |
60 |
no |
| internal | (Optional) If true, the LB will be internal. | bool |
false |
no |
| ip_address_type | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4 | string |
"ipv4" |
no |
| load_balancing_algorithm_type | (Optional) Determines how the load balancer selects targets when routing requests. The value is round_robin or least_outstanding_requests. The default is round_robin. | string |
"round_robin" |
no |
| log_bucket_id | (Optional) if provided, the ID of a previously-defined S3 bucket to send LB logs to. | string |
null |
no |
| name_prefix | Name prefix for resources on AWS | any |
n/a | yes |
| private_subnets | A list of private subnet IDs to attach to the LB if it is INTERNAL. | list(string) |
n/a | yes |
| public_subnets | A list of public subnet IDs to attach to the LB if it is NOT internal. | list(string) |
n/a | yes |
| s3_bucket_server_side_encryption_key | (Optional) The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms. Ignored if log_bucket_id is provided. | string |
null |
no |
| s3_bucket_server_side_encryption_sse_algorithm | (Optional) The server-side encryption algorithm to use. Valid values are AES256 and aws:kms. Ignored if log_bucket_id is provided. | string |
"AES256" |
no |
| security_groups | (Optional) A list of security group IDs to assign to the LB. | list(string) |
[] |
no |
| slow_start | (Optional) The amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds. | number |
0 |
no |
| ssl_policy | (Optional) The name of the SSL Policy for the listener. . Required if var.https_ports is set. | string |
null |
no |
| stickiness | (Optional) A Stickiness block. Provide three fields. type, the type of sticky sessions. The only current possible value is lb_cookie. cookie_duration, the time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds). enabled, boolean to enable / disable stickiness. Default is true. | object({ |
{ |
no |
| tags | Resource tags | map(string) |
{} |
no |
| target_group_health_check_enabled | (Optional) Indicates whether health checks are enabled. Defaults to true. | bool |
true |
no |
| target_group_health_check_healthy_threshold | (Optional) The number of consecutive health checks successes required before considering an unhealthy target healthy. Defaults to 3. | number |
3 |
no |
| target_group_health_check_interval | (Optional) The approximate amount of time, in seconds, between health checks of an individual target. Minimum value 5 seconds, Maximum value 300 seconds. Default 30 seconds. | number |
30 |
no |
| target_group_health_check_matcher | The HTTP codes to use when checking for a successful response from a target. You can specify multiple values (for example, "200,202") or a range of values (for example, "200-299"). Default is 200. | string |
"200" |
no |
| target_group_health_check_path | The destination for the health check request. | string |
"/" |
no |
| target_group_health_check_timeout | (Optional) The amount of time, in seconds, during which no response means a failed health check. The range is 2 to 120 seconds, and the default is 5 seconds. | number |
5 |
no |
| target_group_health_check_unhealthy_threshold | (Optional) The number of consecutive health check failures required before considering the target unhealthy. Defaults to 3. | number |
3 |
no |
| use_random_name_for_lb | If true the LB name will be a random string | bool |
false |
no |
| vpc_id | ID of the VPC | any |
n/a | yes |
| waf_web_acl_arn | ARN of a WAFV2 to associate with the ALB | string |
"" |
no |
| Name | Description |
|---|---|
| aws_lb_lb_arn | The ARN of the load balancer (matches id). |
| aws_lb_lb_arn_suffix | The ARN suffix for use with CloudWatch Metrics. |
| aws_lb_lb_dns_name | The DNS name of the load balancer. |
| aws_lb_lb_id | The ARN of the load balancer (matches arn). |
| aws_lb_lb_zone_id | The canonical hosted zone ID of the load balancer (to be used in a Route 53 Alias record). |
| aws_security_group_lb_access_sg_arn | The ARN of the security group |
| aws_security_group_lb_access_sg_description | The description of the security group |
| aws_security_group_lb_access_sg_egress | The egress rules. |
| aws_security_group_lb_access_sg_id | The ID of the security group |
| aws_security_group_lb_access_sg_ingress | The ingress rules. |
| aws_security_group_lb_access_sg_name | The name of the security group |
| aws_security_group_lb_access_sg_owner_id | The owner ID. |
| aws_security_group_lb_access_sg_vpc_id | The VPC ID. |
| lb_http_listeners_arns | List of HTTP Listeners ARNs |
| lb_http_listeners_ids | List of HTTP Listeners IDs |
| lb_http_tgs_arns | List of HTTP Target Groups ARNs |
| lb_http_tgs_ids | List of HTTP Target Groups IDs |
| lb_http_tgs_map_arn_port | n/a |
| lb_http_tgs_names | List of HTTP Target Groups Names |
| lb_http_tgs_ports | List of HTTP Target Groups ports |
| lb_https_listeners_arns | List of HTTPS Listeners ARNs |
| lb_https_listeners_ids | List of HTTPS Listeners IDs |
| lb_https_tgs_arns | List of HTTPS Target Groups ARNs |
| lb_https_tgs_ids | List of HTTPS Target Groups IDs |
| lb_https_tgs_map_arn_port | n/a |
| lb_https_tgs_names | List of HTTPS Target Groups Names |
| lb_https_tgs_ports | List of HTTPS Target Groups ports |
| lb_logs_s3_bucket_arn | LB Logging S3 Bucket ARN |
| lb_logs_s3_bucket_id | LB Logging S3 Bucket ID |
