Application Load Balancer
Overview
This service contains code to deploy Application Load Balancer on AWS.
ALB architecture
Features
- Deploy public or internal Application Load Balancers
- Configure DNS in Route 53
- Configure TLS in AWS Certificate Manager (ACM)
- Send access logs into S3
- Manage access with security groups or CIDR blocks
Learn
note
This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!
Gruntwork Documentation on ALBs: Background information from Gruntwork about ALBs including what it is, differences from other ELB flavors, and when you should use ALBs.
ALB Documentation: Amazon’s docs for ALB that cover core concepts such as listeners, target groups, autoscaling, TLS and migrations.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/for-learning-and-testing folder: The
examples/for-learning-and-testingfolder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- examples/for-production folder: The
examples/for-productionfolder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog.
Reference
- Inputs
- Outputs
Required
alb_namestring(required)The name of the ALB.
is_internal_albbool(required)If the ALB should only accept traffic from within the VPC, set this to true. If it should accept traffic from the public Internet, set it to false.
num_days_after_which_archive_log_datanumber(required)After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data.
num_days_after_which_delete_log_datanumber(required)After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.
vpc_idstring(required)ID of the VPC where the ALB will be deployed
vpc_subnet_idslist(required)The ids of the subnets that the ALB can use to source its IP
list(string)
Optional
access_logs_s3_bucket_namestring(optional)The name to use for the S3 bucket where the ALB access logs will be stored. If you set this to null, a name will be generated automatically based on alb_name.
nullacm_cert_statuseslist(optional)When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs with the given statuses. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED.
list(string)
[ 'ISSUED'
]acm_cert_typeslist(optional)When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs of the given types. Valid values are AMAZON_ISSUED and IMPORTED.
list(string)
[
"AMAZON_ISSUED",
"IMPORTED"
]
allow_all_outboundbool(optional)Set to true to enable all outbound traffic on this ALB. If set to false, the ALB will allow no outbound traffic by default. This will make the ALB unusuable, so some other code must then update the ALB Security Group to enable outbound access!
trueallow_inbound_from_cidr_blockslist(optional)The CIDR-formatted IP Address range from which this ALB will allow incoming requests. If is_internal_alb is false, use the default value. If is_internal_alb is true, consider setting this to the VPC's CIDR Block, or something even more restrictive.
list(string)
[]allow_inbound_from_security_group_idslist(optional)The list of IDs of security groups that should have access to the ALB
list(string)
[]create_route53_entrybool(optional)Set to true to create a Route 53 DNS A record for this ALB?
falsecustom_tagsmap(optional)A map of custom tags to apply to the ALB and its Security Group. The key is the tag name and the value is the tag value.
map(string)
{}default_action_bodystring(optional)If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this body.
nulldefault_action_content_typestring(optional)If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this content type.
text/plaindefault_action_status_codenumber(optional)If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this status code.
404domain_nameslist(optional)The list of domain names for the DNS A record to add for the ALB (e.g. alb.foo.com). Only used if create_route53_entry is true.
list(string)
[]drop_invalid_header_fieldsbool(optional)If true, the ALB will drop invalid headers. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
falseenable_deletion_protectionbool(optional)Enable deletion protection on the ALB instance. If this is enabled, the load balancer cannot be deleted prior to disabling
falseforce_destroybool(optional)A boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false.
falsehosted_zone_idstring(optional)The ID of the hosted zone for the DNS A record to add for the ALB. Only used if create_route53_entry is true.
nullhttp_listener_portslist(optional)A list of ports for which an HTTP Listener should be created on the ALB. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
list(string)
[]https_listener_ports_and_acm_ssl_certslist(optional)A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_domain_name', the domain name of an SSL/TLS certificate issued by the Amazon Certificate Manager (ACM) to associate with the Listener to be created. If your certificate isn't issued by ACM, specify https_listener_ports_and_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
list(object({
port = number
tls_domain_name = string
}))
[]https_listener_ports_and_ssl_certslist(optional)A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_arn', the Amazon Resource Name (ARN) of the SSL/TLS certificate to associate with the Listener to be created. If your certificate is issued by the Amazon Certificate Manager (ACM), specify https_listener_ports_and_acm_ssl_certs instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
list(object({
port = number
tls_arn = string
}))
[]idle_timeoutnumber(optional)The time in seconds that the client TCP connection to the ALB is allowed to be idle before the ALB closes the TCP connection.
60should_create_access_logs_bucketbool(optional)If true, create a new S3 bucket for access logs with the name in access_logs_s3_bucket_name. If false, assume the S3 bucket for access logs with the name in access_logs_s3_bucket_name already exists, and don't create a new one. Note that if you set this to false, it's up to you to ensure that the S3 bucket has a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket.
truessl_policystring(optional)The AWS predefined TLS/SSL policy for the ALB. A List of policies can be found here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies. AWS recommends ELBSecurityPolicy-2016-08 policy for general use but this policy includes TLSv1.0 which is rapidly being phased out. ELBSecurityPolicy-TLS-1-1-2017-01 is the next policy up that doesn't include TLSv1.0.
ELBSecurityPolicy-2016-08The name of the S3 bucket containing the ALB access logs
The ARN of the ALB resource.
The list of DNS records for the ALB as specified in the input.
The AWS-managed zone ID for the ALB's DNS record.
A human friendly name for the ALB.
The ID of the security group associated with the ALB.
The map of HTTP listener ports to ARNs. There will be one listener per entry in http_listener_ports.
The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_acm_ssl_certs.
The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_ssl_certs.
The map of listener ports to ARNs. This will include all listeners both HTTP and HTTPS.
The AWS-managed DNS name assigned to the ALB.