» aws_lb_listener

Provides a Load Balancer Listener resource.

» Example Usage

» Forward Action

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_target_group" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-2015-05"
  certificate_arn   = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.front_end.arn}"
  }
}

» Redirect Action

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }
}

» Fixed-response Action

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Fixed response content"
      status_code  = "200"
    }
  }
}

» Authenticate-cognito Action

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_target_group" "front_end" {
  # ...
}

resource "aws_cognito_user_pool" "pool" {
  # ...
}

resource "aws_cognito_user_pool_client" "client" {
  # ...
}

resource "aws_cognito_user_pool_domain" "domain" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = "${aws_cognito_user_pool.pool.arn}"
      user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
      user_pool_domain    = "${aws_cognito_user_pool_domain.domain.domain}"
    }
  }

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.front_end.arn}"
  }
}

» Authenticate-oidc Action

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_target_group" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "80"
  protocol          = "HTTP"

  default_action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "https://example.com/authorization_endpoint"
      client_id              = "client_id"
      client_secret          = "client_secret"
      issuer                 = "https://example.com"
      token_endpoint         = "https://example.com/token_endpoint"
      user_info_endpoint     = "https://example.com/user_info_endpoint"
    }
  }

  default_action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.front_end.arn}"
  }
}

» Argument Reference

The following arguments are supported:

  • load_balancer_arn - (Required, Forces New Resource) The ARN of the load balancer.
  • port - (Required) The port on which the load balancer is listening.
  • protocol - (Optional) The protocol for connections from clients to the load balancer. Valid values are TCP, HTTP and HTTPS. Defaults to HTTP.
  • ssl_policy - (Optional) The name of the SSL Policy for the listener. Required if protocol is HTTPS.
  • certificate_arn - (Optional) The ARN of the default SSL server certificate. Exactly one certificate is required if the protocol is HTTPS. For adding additional SSL certificates, see the aws_lb_listener_certificate resource.
  • default_action - (Required) An Action block. Action blocks are documented below.

Action Blocks (for default_action) support the following:

  • type - (Required) The type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
  • target_group_arn - (Optional) The ARN of the Target Group to which to route traffic. Required if type is forward.
  • redirect - (Optional) Information for creating a redirect action. Required if type is redirect.
  • fixed_response - (Optional) Information for creating an action that returns a custom HTTP response. Required if type is fixed-response.

Redirect Blocks (for redirect) support the following:

  • host - (Optional) The hostname. This component is not percent-encoded. The hostname can contain #{host}. Defaults to #{host}.
  • path - (Optional) The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to /#{path}.
  • port - (Optional) The port. Specify a value from 1 to 65535 or #{port}. Defaults to #{port}.
  • protocol - (Optional) The protocol. Valid values are HTTP, HTTPS, or #{protocol}. Defaults to #{protocol}.
  • query - (Optional) The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to #{query}.
  • status_code - (Required) The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).

Fixed-response Blocks (for fixed_response) support the following:

  • content_type - (Required) The content type. Valid values are text/plain, text/css, text/html, application/javascript and application/json.
  • message_body - (Optional) The message body.
  • status_code - (Optional) The HTTP response code. Valid values are 2XX, 4XX, or 5XX.

Authenticate Cognito Blocks (for authenticate_cognito) supports the following:

  • authentication_request_extra_params - (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
  • on_unauthenticated_request - (Optional) The behavior if the user is not authenticated. Valid values: deny, allow and authenticate
  • scope - (Optional) The set of user claims to be requested from the IdP.
  • session_cookie_name - (Optional) The name of the cookie used to maintain session information.
  • session_time_out - (Optional) The maximum duration of the authentication session, in seconds.
  • user_pool_arn - (Required) The ARN of the Cognito user pool.
  • user_pool_client_id - (Required) The ID of the Cognito user pool client.
  • user_pool_domain - (Required) The domain prefix or fully-qualified domain name of the Cognito user pool.

Authenticate OIDC Blocks (for authenticate_oidc) supports the following:

Authentication Request Extra Params Blocks (for authentication_request_extra_params) supports the following:

  • key - (Required) The key of query parameter
  • value - (Required) The value of query parameter

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - The ARN of the listener (matches arn)
  • arn - The ARN of the listener (matches id)

» Import

Listeners can be imported using their ARN, e.g.

$ terraform import aws_lb_listener.front_end arn:aws:elasticloadbalancing:us-west-2:187416307283:listener/app/front-end-alb/8e4497da625e2d8a/9ab28ade35828f96