» Resource: aws_lb_listener_rule
Provides a Load Balancer Listener Rule resource.
Note: aws_alb_listener_rule is known as aws_lb_listener_rule. The functionality is identical.
» Example Usage
resource "aws_lb" "front_end" {
# ...
}
resource "aws_lb_listener" "front_end" {
# Other parameters
}
resource "aws_lb_listener_rule" "static" {
listener_arn = "${aws_lb_listener.front_end.arn}"
priority = 100
action {
type = "forward"
target_group_arn = "${aws_lb_target_group.static.arn}"
}
condition {
field = "path-pattern"
values = ["/static/*"]
}
}
# Forward action
resource "aws_lb_listener_rule" "host_based_routing" {
listener_arn = "${aws_lb_listener.front_end.arn}"
priority = 99
action {
type = "forward"
target_group_arn = "${aws_lb_target_group.static.arn}"
}
condition {
field = "host-header"
values = ["my-service.*.terraform.io"]
}
}
# Redirect action
resource "aws_lb_listener_rule" "redirect_http_to_https" {
listener_arn = "${aws_lb_listener.front_end.arn}"
action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
condition {
field = "host-header"
values = ["my-service.*.terraform.io"]
}
}
# Fixed-response action
resource "aws_lb_listener_rule" "health_check" {
listener_arn = "${aws_lb_listener.front_end.arn}"
action {
type = "fixed-response"
fixed_response {
content_type = "text/plain"
message_body = "HEALTHY"
status_code = "200"
}
}
condition {
field = "path-pattern"
values = ["/health"]
}
}
# Authenticate-cognito Action
resource "aws_cognito_user_pool" "pool" {
# ...
}
resource "aws_cognito_user_pool_client" "client" {
# ...
}
resource "aws_cognito_user_pool_domain" "domain" {
# ...
}
resource "aws_lb_listener_rule" "admin" {
listener_arn = "${aws_lb_listener.front_end.arn}"
action {
type = "authenticate-cognito"
authenticate_cognito {
user_pool_arn = "${aws_cognito_user_pool.pool.arn}"
user_pool_client_id = "${aws_cognito_user_pool_client.client.id}"
user_pool_domain = "${aws_cognito_user_pool_domain.domain.domain}"
}
}
action {
type = "forward"
target_group_arn = "${aws_lb_target_group.static.arn}"
}
}
# Authenticate-oidc Action
resource "aws_lb_listener" "admin" {
listener_arn = "${aws_lb_listener.front_end.arn}"
action {
type = "authenticate-oidc"
authenticate_oidc {
authorization_endpoint = "https://example.com/authorization_endpoint"
client_id = "client_id"
client_secret = "client_secret"
issuer = "https://example.com"
token_endpoint = "https://example.com/token_endpoint"
user_info_endpoint = "https://example.com/user_info_endpoint"
}
}
action {
type = "forward"
target_group_arn = "${aws_lb_target_group.static.arn}"
}
}
» Argument Reference
The following arguments are supported:
-
listener_arn- (Required, Forces New Resource) The ARN of the listener to which to attach the rule. -
priority- (Optional) The priority for the rule between1and50000. Leaving it unset will automatically set the rule with next available priority after currently existing highest rule. A listener can't have multiple rules with the same priority. -
action- (Required) An Action block. Action blocks are documented below. -
condition- (Required) A Condition block. Condition blocks are documented below.
Action Blocks (for action) support the following:
-
type- (Required) The type of routing action. Valid values areforward,redirect,fixed-response,authenticate-cognitoandauthenticate-oidc. -
target_group_arn- (Optional) The ARN of the Target Group to which to route traffic. Required iftypeisforward. -
redirect- (Optional) Information for creating a redirect action. Required iftypeisredirect. -
fixed_response- (Optional) Information for creating an action that returns a custom HTTP response. Required iftypeisfixed-response. -
authenticate_cognito- (Optional) Information for creating an authenticate action using Cognito. Required iftypeisauthenticate-cognito. -
authenticate_oidc- (Optional) Information for creating an authenticate action using OIDC. Required iftypeisauthenticate-oidc.
Redirect Blocks (for redirect) support the following:
NOTE:: You can reuse URI components using the following reserved keywords: #{protocol}, #{host}, #{port}, #{path} (the leading "/" is removed) and #{query}.
-
host- (Optional) The hostname. This component is not percent-encoded. The hostname can contain#{host}. Defaults to#{host}. -
path- (Optional) The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to/#{path}. -
port- (Optional) The port. Specify a value from1to65535or#{port}. Defaults to#{port}. -
protocol- (Optional) The protocol. Valid values areHTTP,HTTPS, or#{protocol}. Defaults to#{protocol}. -
query- (Optional) The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to#{query}. -
status_code- (Required) The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).
Fixed-response Blocks (for fixed_response) support the following:
-
content_type- (Required) The content type. Valid values aretext/plain,text/css,text/html,application/javascriptandapplication/json. -
message_body- (Optional) The message body. -
status_code- (Optional) The HTTP response code. Valid values are2XX,4XX, or5XX.
Authenticate Cognito Blocks (for authenticate_cognito) supports the following:
-
authentication_request_extra_params- (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10. -
on_unauthenticated_request- (Optional) The behavior if the user is not authenticated. Valid values:deny,allowandauthenticate -
scope- (Optional) The set of user claims to be requested from the IdP. -
session_cookie_name- (Optional) The name of the cookie used to maintain session information. -
session_timeout- (Optional) The maximum duration of the authentication session, in seconds. -
user_pool_arn- (Required) The ARN of the Cognito user pool. -
user_pool_client_id- (Required) The ID of the Cognito user pool client. -
user_pool_domain- (Required) The domain prefix or fully-qualified domain name of the Cognito user pool.
Authenticate OIDC Blocks (for authenticate_oidc) supports the following:
-
authentication_request_extra_params- (Optional) The query parameters to include in the redirect request to the authorization endpoint. Max: 10. -
authorization_endpoint- (Required) The authorization endpoint of the IdP. -
client_id- (Required) The OAuth 2.0 client identifier. -
client_secret- (Required) The OAuth 2.0 client secret. -
issuer- (Required) The OIDC issuer identifier of the IdP. -
on_unauthenticated_request- (Optional) The behavior if the user is not authenticated. Valid values:deny,allowandauthenticate -
scope- (Optional) The set of user claims to be requested from the IdP. -
session_cookie_name- (Optional) The name of the cookie used to maintain session information. -
session_timeout- (Optional) The maximum duration of the authentication session, in seconds. -
token_endpoint- (Required) The token endpoint of the IdP. -
user_info_endpoint- (Required) The user info endpoint of the IdP.
Authentication Request Extra Params Blocks (for authentication_request_extra_params) supports the following:
Condition Blocks (for condition) support the following:
-
field- (Required) The name of the field. Must be one ofpath-patternfor path based routing orhost-headerfor host based routing. -
values- (Required) The path patterns to match. A maximum of 1 can be defined.
» Attributes Reference
The following attributes are exported in addition to the arguments listed above:
» Import
Rules can be imported using their ARN, e.g.
$ terraform import aws_lb_listener_rule.front_end arn:aws:elasticloadbalancing:us-west-2:187416307283:listener-rule/app/test/8e4497da625e2d8a/9ab28ade35828f96/67b3d2d36dd7c26b