» Resource: aws_lb_listener
Provides a Load Balancer Listener resource.
Note: aws_alb_listener is known as aws_lb_listener. The functionality is identical.
» Example Usage
» Forward Action
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_target_group" "front_end" {
# ...
}
resource "aws_lb_listener" "front_end" {
load_balancer_arn = "${aws_lb.front_end.arn}"
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-2016-08"
certificate_arn = "arn:aws:iam::187416307283:server-certificate/test_cert_rab3wuqwgja25ct3n4jdj2tzu4"
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.front_end.arn}"
}
}
» Redirect Action
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_listener" "front_end" {
load_balancer_arn = "${aws_lb.front_end.arn}"
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
» Fixed-response Action
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_listener" "front_end" {
load_balancer_arn = "${aws_lb.front_end.arn}"
port = "80"
protocol = "HTTP"
default_action {
type = "fixed-response"
fixed_response {
content_type = "text/plain"
message_body = "Fixed response content"
status_code = "200"
}
}
}
» Authenticate-cognito Action
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_target_group" "front_end" {
# ...
}
resource "aws_cognito_user_pool" "pool" {
# ...
}
resource "aws_cognito_user_pool_client" "client" {
# ...
}
resource "aws_cognito_user_pool_domain" "domain" {
# ...
}
resource "aws_lb_listener" "front_end" {
load_balancer_arn = "${aws_lb.front_end.arn}"
port = "80"
protocol = "HTTP"
default_action {
type = "authenticate-cognito"
authenticate_cognito {
user_pool_arn = "${aws_cognito_user_pool.pool.arn}"
user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
user_pool_domain = "${aws_cognito_user_pool_domain.domain.domain}"
}
}
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.front_end.arn}"
}
}
» Authenticate-oidc Action
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_target_group" "front_end" {
# ...
}
resource "aws_lb_listener" "front_end" {
load_balancer_arn = "${aws_lb.front_end.arn}"
port = "80"
protocol = "HTTP"
default_action {
type = "authenticate-oidc"
authenticate_oidc {
authorization_endpoint = "https://example.com/authorization_endpoint"
client_id = "client_id"
client_secret = "client_secret"
issuer = "https://example.com"
token_endpoint = "https://example.com/token_endpoint"
user_info_endpoint = "https://example.com/user_info_endpoint"
}
}
default_action {
type = "forward"
target_group_arn = "${aws_lb_target_group.front_end.arn}"
}
}
» Argument Reference
The following arguments are supported:
-
load_balancer_arn- (Required, Forces New Resource) The ARN of the load balancer. -
port- (Required) The port on which the load balancer is listening. -
protocol- (Optional) The protocol for connections from clients to the load balancer. Valid values areTCP,TLS,HTTPandHTTPS. Defaults toHTTP. -
ssl_policy- (Optional) The name of the SSL Policy for the listener. Required ifprotocolisHTTPSorTLS. -
certificate_arn- (Optional) The ARN of the default SSL server certificate. Exactly one certificate is required if the protocol is HTTPS. For adding additional SSL certificates, see theaws_lb_listener_certificateresource. -
default_action- (Required) An Action block. Action blocks are documented below.
NOTE:: Please note that listeners that are attached to Application Load Balancers must use either HTTP or HTTPS protocols while listeners that are attached to Network Load Balancers must use the TCP protocol.
Action Blocks (for default_action) support the following:
-
type- (Required) The type of routing action. Valid values areforward,redirect,fixed-response,authenticate-cognitoandauthenticate-oidc. -
target_group_arn- (Optional) The ARN of the Target Group to which to route traffic. Required iftypeisforward. -
redirect- (Optional) Information for creating a redirect action. Required iftypeisredirect. -
fixed_response- (Optional) Information for creating an action that returns a custom HTTP response. Required iftypeisfixed-response.
Redirect Blocks (for redirect) support the following:
NOTE:: You can reuse URI components using the following reserved keywords: #{protocol}, #{host}, #{port}, #{path} (the leading "/" is removed) and #{query}.
-
host- (Optional) The hostname. This component is not percent-encoded. The hostname can contain#{host}. Defaults to#{host}. -
path- (Optional) The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to/#{path}. -
port- (Optional) The port. Specify a value from1to65535or#{port}. Defaults to#{port}. -
protocol- (Optional) The protocol. Valid values areHTTP,HTTPS, or#{protocol}. Defaults to#{protocol}. -
query- (Optional) The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to#{query}. -
status_code- (Required) The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).
Fixed-response Blocks (for fixed_response) support the following:
-
content_type- (Required) The content type. Valid values aretext/plain,text/css,text/html,application/javascriptandapplication/json. -
message_body- (Optional) The message body. -
status_code- (Optional) The HTTP response code. Valid values are2XX,4XX, or5XX.
Authenticate Cognito Blocks (for authenticate_cognito) supports the following:
-
authentication_request_extra_params- (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10. -
on_unauthenticated_request- (Optional) The behavior if the user is not authenticated. Valid values:deny,allowandauthenticate -
scope- (Optional) The set of user claims to be requested from the IdP. -
session_cookie_name- (Optional) The name of the cookie used to maintain session information. -
session_timeout- (Optional) The maximum duration of the authentication session, in seconds. -
user_pool_arn- (Required) The ARN of the Cognito user pool. -
user_pool_client_id- (Required) The ID of the Cognito user pool client. -
user_pool_domain- (Required) The domain prefix or fully-qualified domain name of the Cognito user pool.
Authenticate OIDC Blocks (for authenticate_oidc) supports the following:
-
authentication_request_extra_params- (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10. -
authorization_endpoint- (Required) The authorization endpoint of the IdP. -
client_id- (Required) The OAuth 2.0 client identifier. -
client_secret- (Required) The OAuth 2.0 client secret. -
issuer- (Required) The OIDC issuer identifier of the IdP. -
on_unauthenticated_request- (Optional) The behavior if the user is not authenticated. Valid values:deny,allowandauthenticate -
scope- (Optional) The set of user claims to be requested from the IdP. -
session_cookie_name- (Optional) The name of the cookie used to maintain session information. -
session_timeout- (Optional) The maximum duration of the authentication session, in seconds. -
token_endpoint- (Required) The token endpoint of the IdP. -
user_info_endpoint- (Required) The user info endpoint of the IdP.
Authentication Request Extra Params Blocks (for authentication_request_extra_params) supports the following:
» Attributes Reference
The following attributes are exported in addition to the arguments listed above:
» Import
Listeners can be imported using their ARN, e.g.
$ terraform import aws_lb_listener.front_end arn:aws:elasticloadbalancing:us-west-2:187416307283:listener/app/front-end-alb/8e4497da625e2d8a/9ab28ade35828f96