» aws_lb_listener_rule

Provides a Load Balancer Listener Rule resource.

» Example Usage

resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  # Other parameters
}

resource "aws_lb_listener_rule" "static" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/static/*"]
  }
}

# Forward action

resource "aws_lb_listener_rule" "host_based_routing" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 99

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  condition {
    field  = "host-header"
    values = ["my-service.*.terraform.io"]
  }
}

# Redirect action

resource "aws_lb_listener_rule" "redirect_http_to_https" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  condition {
    field  = "host-header"
    values = ["my-service.*.terraform.io"]
  }
}

# Fixed-response action

resource "aws_lb_listener_rule" "health_check" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "HEALTHY"
      status_code  = "200"
    }
  }

  condition {
    field  = "path-pattern"
    values = ["/health"]
  }
}

# Authenticate-cognito Action

resource "aws_cognito_user_pool" "pool" {
  # ...
}

resource "aws_cognito_user_pool_client" "client" {
  # ...
}

resource "aws_cognito_user_pool_domain" "domain" {
  # ...
}

resource "aws_lb_listener_rule" "admin" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = "${aws_cognito_user_pool.pool.arn}"
      user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
      user_pool_domain    = "${aws_cognito_user_pool_domain.domain.domain}"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }
}

# Authenticate-oidc Action

resource "aws_lb_listener_rule" "admin" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "https://example.com/authorization_endpoint"
      client_id              = "client_id"
      client_secret          = "client_secret"
      issuer                 = "https://example.com"
      token_endpoint         = "https://example.com/token_endpoint"
      user_info_endpoint     = "https://example.com/user_info_endpoint"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }
}

» Argument Reference

The following arguments are supported:

  • listener_arn - (Required, Forces New Resource) The ARN of the listener to which to attach the rule.
  • priority - (Optional) The priority for the rule, between 1 and 50000. If unset, the rule is assigned the next available priority after the highest existing rule. A listener can't have multiple rules with the same priority.
  • action - (Required) An Action block. Action blocks are documented below.
  • condition - (Required) A Condition block. Condition blocks are documented below.

Action Blocks (for action) support the following:

  • type - (Required) The type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
  • target_group_arn - (Optional) The ARN of the Target Group to which to route traffic. Required if type is forward.
  • redirect - (Optional) Information for creating a redirect action. Required if type is redirect.
  • fixed_response - (Optional) Information for creating an action that returns a custom HTTP response. Required if type is fixed-response.
  • authenticate_cognito - (Optional) Information for creating an authenticate action using Cognito. Required if type is authenticate-cognito.
  • authenticate_oidc - (Optional) Information for creating an authenticate action using OIDC. Required if type is authenticate-oidc.

Redirect Blocks (for redirect) support the following:

  • host - (Optional) The hostname. This component is not percent-encoded. The hostname can contain #{host}. Defaults to #{host}.
  • path - (Optional) The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to /#{path}.
  • port - (Optional) The port. Specify a value from 1 to 65535 or #{port}. Defaults to #{port}.
  • protocol - (Optional) The protocol. Valid values are HTTP, HTTPS, or #{protocol}. Defaults to #{protocol}.
  • query - (Optional) The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to #{query}.
  • status_code - (Required) The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).

Fixed-response Blocks (for fixed_response) support the following:

  • content_type - (Required) The content type. Valid values are text/plain, text/css, text/html, application/javascript and application/json.
  • message_body - (Optional) The message body.
  • status_code - (Optional) The HTTP response code. Valid values are 2XX, 4XX, or 5XX.

Authenticate Cognito Blocks (for authenticate_cognito) support the following:

  • authentication_request_extra_params - (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
  • on_unauthenticated_request - (Optional) The behavior if the user is not authenticated. Valid values: deny, allow and authenticate.
  • scope - (Optional) The set of user claims to be requested from the IdP.
  • session_cookie_name - (Optional) The name of the cookie used to maintain session information.
  • session_time_out - (Optional) The maximum duration of the authentication session, in seconds.
  • user_pool_arn - (Required) The ARN of the Cognito user pool.
  • user_pool_client_id - (Required) The ID of the Cognito user pool client.
  • user_pool_domain - (Required) The domain prefix or fully-qualified domain name of the Cognito user pool.

Authenticate OIDC Blocks (for authenticate_oidc) support the following:

  • authorization_endpoint - (Required) The authorization endpoint of the IdP.
  • client_id - (Required) The OAuth 2.0 client identifier.
  • client_secret - (Required) The OAuth 2.0 client secret.
  • issuer - (Required) The OIDC issuer identifier of the IdP.
  • token_endpoint - (Required) The token endpoint of the IdP.
  • user_info_endpoint - (Required) The user info endpoint of the IdP.
  • The optional arguments authentication_request_extra_params, on_unauthenticated_request, scope, session_cookie_name and session_time_out are also accepted, with the same meaning as in the authenticate_cognito block above.

Authentication Request Extra Params Blocks (for authentication_request_extra_params) support the following:

  • key - (Required) The key of the query parameter.
  • value - (Required) The value of the query parameter.

Condition Blocks (for condition) support the following:

  • field - (Required) The name of the field. Must be one of path-pattern for path based routing or host-header for host based routing.
  • values - (Required) The pattern to match against the selected field (a path pattern for path-pattern, a host pattern for host-header). A maximum of 1 can be defined.
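Because rules are evaluated in ascending priority order, the relative priorities of an authenticate rule, a deny rule and a catch-all forward rule decide whether a protected path can be reached unauthenticated. The following is an added example, not part of the provider documentation, that ties the arguments above together: a fixed-response deny for internal paths, an authenticate-oidc rule for the admin path, and a catch-all forward, each with an explicit priority. The listener aws_lb_listener.front_end, the target groups aws_lb_target_group.admin and aws_lb_target_group.public, the variable var.oidc_client_secret and the idp.example.com endpoints are assumed names.

```hcl
# Added example (not from the provider docs). Assumes the following exist:
#   aws_lb_listener.front_end, aws_lb_target_group.admin,
#   aws_lb_target_group.public and var.oidc_client_secret.

# Keep the OAuth 2.0 client secret out of the configuration file; supply it
# at plan/apply time (for example through TF_VAR_oidc_client_secret).
variable "oidc_client_secret" {
  description = "OAuth 2.0 client secret registered with the IdP"
}

# Priority 5: evaluated first. Internal paths get a 403 and never reach a
# target group, regardless of what later rules would forward.
resource "aws_lb_listener_rule" "deny_internal" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 5

  action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }

  condition {
    field  = "path-pattern"
    values = ["/internal/*"]
  }
}

# Priority 10: the authenticate action runs before the forward action in the
# same rule, so /admin/* is only forwarded once the IdP session is valid.
resource "aws_lb_listener_rule" "admin_authenticated" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 10

  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "https://idp.example.com/authorize"
      client_id              = "example-client-id"
      client_secret          = "${var.oidc_client_secret}"
      issuer                 = "https://idp.example.com"
      token_endpoint         = "https://idp.example.com/token"
      user_info_endpoint     = "https://idp.example.com/userinfo"

      # Unauthenticated callers are redirected to the IdP rather than let through.
      on_unauthenticated_request = "authenticate"
      scope                      = "openid"
      session_cookie_name        = "AWSELBAuthSessionCookie"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.admin.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/admin/*"]
  }
}

# Priority 100: catch-all for everything the rules above did not match.
# Giving this rule a LOWER number than the admin rule would let /admin/*
# bypass authentication, which is why the priorities are set explicitly.
resource "aws_lb_listener_rule" "public_catch_all" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.public.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/*"]
  }
}
```

The three rules deliberately carry explicit priorities rather than relying on the next-available default, so that a later rule added to the same listener cannot slip in ahead of the authenticate rule by accident; `terraform plan` will also flag any duplicate priority on the listener before it is applied.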

» Attributes Reference

The following attributes are exported in addition to the arguments listed above:

  • id - The ARN of the rule (matches arn)
  • arn - The ARN of the rule (matches id)

» Import

Rules can be imported using their ARN, e.g.

$ terraform import aws_lb_listener_rule.front_end arn:aws:elasticloadbalancing:us-west-2:187416307283:listener-rule/app/test/8e4497da625e2d8a/9ab28ade35828f96/67b3d2d36dd7c26b