» Resource: aws_lb_listener_rule
Provides a Load Balancer Listener Rule resource.
Note: `aws_alb_listener_rule` is known as `aws_lb_listener_rule`. The functionality is identical.
» Example Usage
```hcl
resource "aws_lb" "front_end" {
  # ...
}

resource "aws_lb_listener" "front_end" {
  # Other parameters
}

resource "aws_lb_listener_rule" "static" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/static/*"]
  }
}

# Forward action
resource "aws_lb_listener_rule" "host_based_routing" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 99

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  condition {
    field  = "host-header"
    values = ["my-service.*.terraform.io"]
  }
}

# Redirect action
resource "aws_lb_listener_rule" "redirect_http_to_https" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "redirect"

    redirect {
      port        = "443"
      protocol    = "HTTPS"
      status_code = "HTTP_301"
    }
  }

  condition {
    field  = "host-header"
    values = ["my-service.*.terraform.io"]
  }
}

# Fixed-response action
resource "aws_lb_listener_rule" "health_check" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "HEALTHY"
      status_code  = "200"
    }
  }

  condition {
    field  = "path-pattern"
    values = ["/health"]
  }
}

# Authenticate-cognito Action
resource "aws_cognito_user_pool" "pool" {
  # ...
}

resource "aws_cognito_user_pool_client" "client" {
  # ...
}

resource "aws_cognito_user_pool_domain" "domain" {
  # ...
}

resource "aws_lb_listener_rule" "admin" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  # The authenticate action comes first; the forward action below is only
  # reached for requests that passed authentication.
  action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = "${aws_cognito_user_pool.pool.arn}"
      user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
      user_pool_domain    = "${aws_cognito_user_pool_domain.domain.domain}"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  # A condition block is required on every rule.
  condition {
    field  = "path-pattern"
    values = ["/admin/*"]
  }
}

# Authenticate-oidc Action
resource "aws_lb_listener_rule" "admin_oidc" {
  listener_arn = "${aws_lb_listener.front_end.arn}"

  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      authorization_endpoint = "https://example.com/authorization_endpoint"
      client_id              = "client_id"
      # Placeholder value. Do not commit a real secret here; note that whatever
      # is supplied also ends up in the Terraform state file.
      client_secret          = "client_secret"
      issuer                 = "https://example.com"
      token_endpoint         = "https://example.com/token_endpoint"
      user_info_endpoint     = "https://example.com/user_info_endpoint"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.static.arn}"
  }

  # A condition block is required on every rule.
  condition {
    field  = "path-pattern"
    values = ["/admin/*"]
  }
}
```
» Argument Reference
The following arguments are supported:

- `listener_arn` - (Required, Forces New Resource) The ARN of the listener to which to attach the rule.
- `priority` - (Optional) The priority for the rule, between `1` and `50000`. Rules on a listener are evaluated from the lowest priority value to the highest and the first matching rule is applied; a request that matches no rule gets the listener's default action. Leaving it unset will automatically assign the next available priority after the currently existing highest rule, which places the new rule after every rule that already has a number. A listener can't have multiple rules with the same priority.
- `action` - (Required) An Action block. Action blocks are documented below.
- `condition` - (Required) A Condition block. Condition blocks are documented below.

Action Blocks (for `action`) support the following:

- `type` - (Required) The type of routing action. Valid values are `forward`, `redirect`, `fixed-response`, `authenticate-cognito` and `authenticate-oidc`.
- `target_group_arn` - (Optional) The ARN of the Target Group to which to route traffic. Required if `type` is `forward`.
- `redirect` - (Optional) Information for creating a redirect action. Required if `type` is `redirect`.
- `fixed_response` - (Optional) Information for creating an action that returns a custom HTTP response. Required if `type` is `fixed-response`.
- `authenticate_cognito` - (Optional) Information for creating an authenticate action using Cognito. Required if `type` is `authenticate-cognito`.
- `authenticate_oidc` - (Optional) Information for creating an authenticate action using OIDC. Required if `type` is `authenticate-oidc`.

An `authenticate-cognito` or `authenticate-oidc` action must be the first `action` block of the rule and must be followed by a second `action` block (for example a `forward`) that handles the authenticated request.
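The following configuration is an added example and is not part of the provider documentation. It shows the ordering pitfall described under `priority`: a catch-all forward rule with a low number shadows any protected-path rule that is created later without an explicit priority, so the authenticate action is never evaluated. The corrected version gives the catch-all the highest number on the listener and every rule that must take precedence an explicit lower number. It also shows `on_unauthenticated_request = "deny"` for a scripted API under the same prefix, and sourcing the OIDC client secret from SSM Parameter Store instead of a literal. The listener `front_end`, target groups `app` and `admin`, the IdP endpoints under `idp.example.com`, the client ID `alb-admin` and the parameter name `/example/oidc/client_secret` are assumed names.

```hcl
# Added example; not part of the provider documentation. Assumed names:
# listener "front_end", target groups "app" and "admin", and an SSM parameter
# "/example/oidc/client_secret" holding the OIDC client secret.
data "aws_ssm_parameter" "oidc_client_secret" {
  name            = "/example/oidc/client_secret"
  with_decryption = true
}

# Weak catch-all: with priority = 1 this rule is evaluated before every other
# rule on the listener, so "/admin/*" would be forwarded unauthenticated.
#
#   resource "aws_lb_listener_rule" "app" {
#     listener_arn = "${aws_lb_listener.front_end.arn}"
#     priority     = 1
#     ...
#   }

# Corrected: the catch-all carries the highest number on the listener.
resource "aws_lb_listener_rule" "app" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 1000

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.app.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/*"]
  }
}

# Browser traffic to the admin UI: unauthenticated requests are redirected to
# the IdP. The forward action only runs once the authenticate action succeeds.
resource "aws_lb_listener_rule" "admin_ui" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 20

  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      issuer                 = "https://idp.example.com"
      authorization_endpoint = "https://idp.example.com/oauth2/authorize"
      token_endpoint         = "https://idp.example.com/oauth2/token"
      user_info_endpoint     = "https://idp.example.com/oauth2/userinfo"
      client_id              = "alb-admin"
      client_secret          = "${data.aws_ssm_parameter.oidc_client_secret.value}"

      scope                      = "openid email"
      on_unauthenticated_request = "authenticate"
      session_timeout            = 3600
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.admin.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/admin/*"]
  }
}

# Scripted API under the same prefix: an IdP redirect is useless for a
# non-browser client, so reject unauthenticated requests outright. The lower
# number makes the more specific pattern win over admin_ui.
resource "aws_lb_listener_rule" "admin_api" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 10

  action {
    type = "authenticate-oidc"

    authenticate_oidc {
      issuer                 = "https://idp.example.com"
      authorization_endpoint = "https://idp.example.com/oauth2/authorize"
      token_endpoint         = "https://idp.example.com/oauth2/token"
      user_info_endpoint     = "https://idp.example.com/oauth2/userinfo"
      client_id              = "alb-admin"
      client_secret          = "${data.aws_ssm_parameter.oidc_client_secret.value}"

      on_unauthenticated_request = "deny"
    }
  }

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.admin.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/admin/api/*"]
  }
}
```

Reading the secret through a data source keeps it out of the repository, but the resolved value is still written to the Terraform state file, so the state backend needs encryption and access control of its own. When adding a protected rule to a listener that already has rules, check the existing priorities with `aws elbv2 describe-rules --listener-arn ...` before choosing a number rather than relying on the automatic assignment.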
Redirect Blocks (for `redirect`) support the following:

NOTE: You can reuse URI components using the following reserved keywords: `#{protocol}`, `#{host}`, `#{port}`, `#{path}` (the leading "/" is removed) and `#{query}`. Each keyword is substituted with the corresponding component of the incoming request, so a redirect that leaves `host` at its default reflects whatever Host header the client sent.

- `host` - (Optional) The hostname. This component is not percent-encoded. The hostname can contain `#{host}`. Defaults to `#{host}`.
- `path` - (Optional) The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain `#{host}`, `#{path}`, and `#{port}`. Defaults to `/#{path}`.
- `port` - (Optional) The port. Specify a value from `1` to `65535` or `#{port}`. Defaults to `#{port}`.
- `protocol` - (Optional) The protocol. Valid values are `HTTP`, `HTTPS`, or `#{protocol}`. Defaults to `#{protocol}`.
- `query` - (Optional) The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to `#{query}`.
- `status_code` - (Required) The HTTP redirect code. The redirect is either permanent (`HTTP_301`) or temporary (`HTTP_302`).
Fixed-response Blocks (for `fixed_response`) support the following:

- `content_type` - (Required) The content type. Valid values are `text/plain`, `text/css`, `text/html`, `application/javascript` and `application/json`.
- `message_body` - (Optional) The message body.
- `status_code` - (Optional) The HTTP response code. Valid values are a specific code in the `2XX`, `4XX`, or `5XX` range.
Authenticate Cognito Blocks (for `authenticate_cognito`) support the following:

- `authentication_request_extra_params` - (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
- `on_unauthenticated_request` - (Optional) The behavior if the user is not authenticated. Valid values: `deny` (return an HTTP 401), `allow` (forward the request without authentication) and `authenticate` (redirect the client to the IdP to log in). Defaults to `authenticate`.
- `scope` - (Optional) The set of user claims to be requested from the IdP. Defaults to `openid`.
- `session_cookie_name` - (Optional) The name of the cookie used to maintain session information.
- `session_timeout` - (Optional) The maximum duration of the authentication session, in seconds. Defaults to 604800 (7 days).
- `user_pool_arn` - (Required) The ARN of the Cognito user pool.
- `user_pool_client_id` - (Required) The ID of the Cognito user pool client.
- `user_pool_domain` - (Required) The domain prefix or fully-qualified domain name of the Cognito user pool.
Authenticate OIDC Blocks (for `authenticate_oidc`) support the following:

- `authentication_request_extra_params` - (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
- `authorization_endpoint` - (Required) The authorization endpoint of the IdP.
- `client_id` - (Required) The OAuth 2.0 client identifier.
- `client_secret` - (Required) The OAuth 2.0 client secret. The value is stored in the Terraform state file, so protect the state backend accordingly and avoid committing the secret as a literal in configuration.
- `issuer` - (Required) The OIDC issuer identifier of the IdP.
- `on_unauthenticated_request` - (Optional) The behavior if the user is not authenticated. Valid values: `deny` (return an HTTP 401), `allow` (forward the request without authentication) and `authenticate` (redirect the client to the IdP to log in). Defaults to `authenticate`.
- `scope` - (Optional) The set of user claims to be requested from the IdP. Defaults to `openid`.
- `session_cookie_name` - (Optional) The name of the cookie used to maintain session information.
- `session_timeout` - (Optional) The maximum duration of the authentication session, in seconds. Defaults to 604800 (7 days).
- `token_endpoint` - (Required) The token endpoint of the IdP.
- `user_info_endpoint` - (Required) The user info endpoint of the IdP.
`authentication_request_extra_params` is a map of query-parameter names to values rather than a nested block; each entry is appended to the redirect to the authorization endpoint.

Condition Blocks (for `condition`) support the following:

- `field` - (Required) The name of the field. Must be one of `path-pattern` for path based routing or `host-header` for host based routing.
- `values` - (Required) The pattern to match: a path pattern for `path-pattern` or a hostname pattern for `host-header`. A maximum of 1 can be defined. In a pattern, `*` matches zero or more characters and `?` matches exactly one character. Path patterns are matched case-sensitively against the request path only (not the query string); host patterns are matched case-insensitively. A rule may carry one `path-pattern` condition and one `host-header` condition, in which case both must match.
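The following configuration is an added example and is not part of the provider documentation. It uses the two condition fields together with a fixed-response default action to keep the listener from forwarding anything it was not explicitly told to: a `path-pattern` rule short-circuits a path prefix that should never be reachable through the load balancer, a `host-header` rule forwards only requests that name the expected hostname, and everything else (including requests addressed to the load balancer's own DNS name) receives a 403 from the listener's default action. The load balancer `front_end`, target group `app`, variable `certificate_arn` and hostname `app.example.com` are assumed names.

```hcl
# Added example; not part of the provider documentation. Assumed names:
# load balancer "front_end", target group "app", variable "certificate_arn"
# and the public hostname app.example.com.
resource "aws_lb_listener" "front_end" {
  load_balancer_arn = "${aws_lb.front_end.arn}"
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = "${var.certificate_arn}"

  # Requests that match no rule on this listener land here. A fixed 403 means a
  # request sent to the load balancer's own DNS name, or to a stale hostname
  # that still resolves to it, is not quietly forwarded to the application.
  default_action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Forbidden"
      status_code  = "403"
    }
  }
}

# Evaluated first: answer a path prefix that must never be served through this
# listener before any forward rule can see it.
resource "aws_lb_listener_rule" "deny_internal" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 1

  action {
    type = "fixed-response"

    fixed_response {
      content_type = "text/plain"
      message_body = "Not Found"
      status_code  = "404"
    }
  }

  condition {
    field  = "path-pattern"
    values = ["/internal/*"]
  }
}

# Forward only traffic whose Host header names the hostname this listener is
# meant to serve; anything else falls through to the 403 default action.
resource "aws_lb_listener_rule" "expected_host" {
  listener_arn = "${aws_lb_listener.front_end.arn}"
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.app.arn}"
  }

  condition {
    field  = "host-header"
    values = ["app.example.com"]
  }
}
```

The `deny_internal` rule is defence in depth, not an access control: the pattern is applied to the request path as received and is case-sensitive, so an application that normalizes paths may still treat `/Internal/x` or an encoded variant as the same resource. Enforce authorization for those paths in the application as well.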
» Attributes Reference
The following attributes are exported in addition to the arguments listed above:

- `id` - The ARN of the rule (matches `arn`).
- `arn` - The ARN of the rule (matches `id`).
» Import
Rules can be imported using their ARN, e.g.
$ terraform import aws_lb_listener_rule.front_end arn:aws:elasticloadbalancing:us-west-2:187416307283:listener-rule/app/test/8e4497da625e2d8a/9ab28ade35828f96/67b3d2d36dd7c26b