Application Load Balancer
Overview
This service contains code to deploy Application Load Balancer on AWS.
ALB architecture
Features
- Deploy public or internal Application Load Balancers
- Configure DNS in Route 53
- Configure TLS in AWS Certificate Manager (ACM)
- Send access logs into S3
- Manage access with security groups or CIDR blocks
Learn
note
This repo is a part of the Gruntwork Service Catalog, a collection of reusable, battle-tested, production ready infrastructure code. If you’ve never used the Service Catalog before, make sure to read How to use the Gruntwork Service Catalog!
Gruntwork Documentation on ALBs: Background information from Gruntwork about ALBs including what it is, differences from other ELB flavors, and when you should use ALBs.
ALB Documentation: Amazon’s docs for ALB that cover core concepts such as listeners, target groups, autoscaling, TLS and migrations.
Deploy
Non-production deployment (quick start for learning)
If you just want to try this repo out for experimenting and learning, check out the following resources:
- examples/for-learning-and-testing folder: The
examples/for-learning-and-testing
folder contains standalone sample code optimized for learning, experimenting, and testing (but not direct production usage).
Production deployment
If you want to deploy this repo in production, check out the following resources:
- examples/for-production folder: The
examples/for-production
folder contains sample code optimized for direct usage in production. This is code from the Gruntwork Reference Architecture, and it shows you how we build an end-to-end, integrated tech stack on top of the Gruntwork Service Catalog.
Reference
- Inputs
- Outputs
Required
alb_name
stringThe name of the ALB.
is_internal_alb
boolIf the ALB should only accept traffic from within the VPC, set this to true. If it should accept traffic from the public Internet, set it to false.
After this number of days, log files should be transitioned from S3 to Glacier. Enter 0 to never archive log data.
After this number of days, log files should be deleted from S3. Enter 0 to never delete log data.
vpc_id
stringID of the VPC where the ALB will be deployed
vpc_subnet_ids
list(string)The ids of the subnets that the ALB can use to source its IP
Optional
The name to use for the S3 bucket where the ALB access logs will be stored. If you set this to null, a name will be generated automatically based on alb_name
.
null
acm_cert_statuses
list(string)When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs with the given statuses. Valid values are PENDING_VALIDATION, ISSUED, INACTIVE, EXPIRED, VALIDATION_TIMED_OUT, REVOKED and FAILED.
[ "ISSUED"
]
acm_cert_types
list(string)When looking up the ACM certs passed in via https_listener_ports_and_acm_ssl_certs, only match certs of the given types. Valid values are AMAZON_ISSUED and IMPORTED.
[
"AMAZON_ISSUED",
"IMPORTED"
]
additional_ssl_certs_for_ports
map(list(…))List of additional SSL certs (non-ACM and ACM) to bind to the given listener port. Note that this must not overlap with the certificates defined in https_listener_ports_and_ssl_certs
and https_listener_ports_and_acm_ssl_certs
. The keys are the listener ports.
map(list(object({
# Exactly one of the following must be set, with the other set to null.
# The domain name to use when looking up the ACM cert to associate.
tls_domain_name = string
# The ARN of the TLS cert to associate with the listener.
tls_arn = string
})))
{}
Set to true to enable all outbound traffic on this ALB. If set to false, the ALB will allow no outbound traffic by default. This will make the ALB unusuable, so some other code must then update the ALB Security Group to enable outbound access!
true
allow_inbound_from_cidr_blocks
list(string)The CIDR-formatted IP Address range from which this ALB will allow incoming requests. If is_internal_alb
is false, use the default value. If is_internal_alb
is true, consider setting this to the VPC's CIDR Block, or something even more restrictive.
[]
allow_inbound_from_security_group_ids
list(string)The list of IDs of security groups that should have access to the ALB
[]
Set to true to create a Route 53 DNS A record for this ALB?
false
Prefix to use for access logs to create a sub-folder in S3 Bucket name where ALB logs should be stored. Only used if enable_custom_alb_access_logs_s3_prefix
is true.
null
custom_tags
map(string)A map of custom tags to apply to the ALB and its Security Group. The key is the tag name and the value is the tag value.
{}
default_action_body
stringIf a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this body.
null
If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this content type.
"text/plain"
If a request to the load balancer does not match any of your listener rules, the default action will return a fixed response with this status code.
404
domain_names
list(string)The list of domain names for the DNS A record to add for the ALB (e.g. alb.foo.com). Only used if create_route53_entry
is true.
[]
If true, the ALB will drop invalid headers. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
false
Set to true to use the value of alb_access_logs_s3_prefix for access logs prefix. If false, the alb_name will be used. This is useful if you wish to disable the S3 prefix. Only used if enable_alb_access_logs
is true.
false
Enable deletion protection on the ALB instance. If this is enabled, the load balancer cannot be deleted prior to disabling
false
force_destroy
boolA boolean that indicates whether the access logs bucket should be destroyed, even if there are files in it, when you run Terraform destroy. Unless you are using this bucket only for test purposes, you'll want to leave this variable set to false.
false
hosted_zone_id
stringThe ID of the hosted zone for the DNS A record to add for the ALB. Only used if create_route53_entry
is true.
null
http_listener_ports
list(string)A list of ports for which an HTTP Listener should be created on the ALB. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
[]
https_listener_ports_and_acm_ssl_certs
list(object(…))A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_domain_name', the domain name of an SSL/TLS certificate issued by the Amazon Certificate Manager (ACM) to associate with the Listener to be created. If your certificate isn't issued by ACM, specify https_listener_ports_and_ssl_certs
instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
list(object({
port = number
tls_domain_name = string
}))
[]
https_listener_ports_and_ssl_certs
list(object(…))A list of the ports for which an HTTPS Listener should be created on the ALB. Each item in the list should be a map with the keys 'port', the port number to listen on, and 'tls_arn', the Amazon Resource Name (ARN) of the SSL/TLS certificate to associate with the Listener to be created. If your certificate is issued by the Amazon Certificate Manager (ACM), specify https_listener_ports_and_acm_ssl_certs
instead. Tip: When you define Listener Rules for these Listeners, be sure that, for each Listener, at least one Listener Rule uses the '*' path to ensure that every possible request path for that Listener is handled by a Listener Rule. Otherwise some requests won't route to any Target Group.
list(object({
port = number
tls_arn = string
}))
[]
idle_timeout
numberThe time in seconds that the client TCP connection to the ALB is allowed to be idle before the ALB closes the TCP connection.
60
If true, create a new S3 bucket for access logs with the name in access_logs_s3_bucket_name
. If false, assume the S3 bucket for access logs with the name in access_logs_s3_bucket_name
already exists, and don't create a new one. Note that if you set this to false, it's up to you to ensure that the S3 bucket has a bucket policy that grants Elastic Load Balancing permission to write the access logs to your bucket.
true
ssl_policy
stringThe AWS predefined TLS/SSL policy for the ALB. A List of policies can be found here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies. AWS recommends ELBSecurityPolicy-2016-08 policy for general use but this policy includes TLSv1.0 which is rapidly being phased out. ELBSecurityPolicy-TLS-1-1-2017-01 is the next policy up that doesn't include TLSv1.0.
"ELBSecurityPolicy-2016-08"
The name of the S3 bucket containing the ALB access logs
The ARN of the ALB resource.
The list of DNS records for the ALB as specified in the input.
The AWS-managed zone ID for the ALB's DNS record.
A human friendly name for the ALB.
The ID of the security group associated with the ALB.
The map of HTTP listener ports to ARNs. There will be one listener per entry in http_listener_ports
.
The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_acm_ssl_certs
.
The map of HTTPS listener ports to ARNs. There will be one listener per entry in https_listener_ports_and_ssl_certs
.
The map of listener ports to ARNs. This will include all listeners both HTTP and HTTPS.
The AWS-managed DNS name assigned to the ALB.