feat: Added listener rules support (#155)

terraform-aws-modules · Sep 11, 2020 · 03cad59 · 03cad59
1 parent 28e29f5
commit 03cad59
Show file tree

Hide file tree

Showing 4 changed files with 391 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -8,11 +8,11 @@ These types of resources are supported:
 * [Load Balancer Listener](https://www.terraform.io/docs/providers/aws/r/lb_listener.html)
 * [Load Balancer Listener Certificate](https://www.terraform.io/docs/providers/aws/r/lb_listener_certificate.html)
 * [Load Balancer Listener default actions](https://www.terraform.io/docs/providers/aws/r/lb_listener.html) - All actions supported.
+* [Load Balancer Listener Rule](https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html)
 * [Target Group](https://www.terraform.io/docs/providers/aws/r/lb_target_group.html)
 
 Not supported (yet):
 
-* [Load Balancer Listener Rule](https://www.terraform.io/docs/providers/aws/r/lb_listener_rule.html)
 * [Target Group Attachment](https://www.terraform.io/docs/providers/aws/r/lb_target_group_attachment.html)
 
 ## Terraform versions
@@ -138,6 +138,87 @@ module "alb" {
 }
 ```
 
+Cognito Authentication only on certain routes, with redirects for other routes:
+
+```hcl
+module "alb" {
+  source  = "terraform-aws-modules/alb/aws"
+  version = "~> 5.0"
+  
+  name = "my-alb"
+
+  load_balancer_type = "application"
+
+  vpc_id             = "vpc-abcde012"
+  subnets            = ["subnet-abcde012", "subnet-bcde012a"]
+  security_groups    = ["sg-edcd9784", "sg-edcd9785"]
+  
+  access_logs = {
+    bucket = "my-alb-logs"
+  }
+
+  target_groups = [
+    {
+      name_prefix      = "default"
+      backend_protocol = "HTTPS"
+      backend_port     = 443
+      target_type      = "instance"
+    }
+  ]
+
+  https_listeners = [
+    {
+      port                 = 443
+      certificate_arn      = "arn:aws:iam::123456789012:server-certificate/test_cert-123456789012"
+    }
+  ]
+
+  https_listener_rules = [
+    {
+      https_listener_index = 0
+      priority             = 5000
+
+      actions = [{
+        type        = "redirect"
+        status_code = "HTTP_302"
+        host        = "www.youtube.com"
+        path        = "/watch"
+        query       = "v=dQw4w9WgXcQ"
+        protocol    = "HTTPS"
+      }]
+
+      conditions = [{
+        path_patterns = ["/onboarding", "/docs"]
+      }]
+    },
+    {
+      https_listener_index = 0
+      priority             = 2
+
+      actions = [
+        {
+          type = "authenticate-cognito"
+
+          user_pool_arn       = "arn:aws:cognito-idp::123456789012:userpool/test-pool"
+          user_pool_client_id = "6oRmFiS0JHk="
+          user_pool_domain    = "test-domain-com"
+        },
+        {
+          type               = "forward"
+          target_group_index = 0
+        }
+      ]
+
+      conditions = [{
+        path_patterns = ["/protected-route", "private/*"]
+      }]
+    }
+  ]
+}
+```
+
+When you're using ALB Listener rules, make sure that every rule's `actions` block ends in a `forward`, `redirect`, or `fixed-response` action so that every rule will resolve to some sort of an HTTP response. Checkout the [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html) for more information.
+
 ### Network Load Balancer (TCP_UDP, UDP, TCP and TLS listeners)
 
 ```hcl

diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf
@@ -175,6 +175,98 @@ module "alb" {
     },
   ]
 
+  https_listener_rules = [
+    {
+      https_listener_index = 0
+
+      actions = [
+        {
+          type = "authenticate-cognito"
+
+          on_unauthenticated_request = "authenticate"
+          session_cookie_name        = "session-${random_pet.this.id}"
+          session_timeout            = 3600
+          user_pool_arn              = aws_cognito_user_pool.this.arn
+          user_pool_client_id        = aws_cognito_user_pool_client.this.id
+          user_pool_domain           = aws_cognito_user_pool_domain.this.domain
+        },
+        {
+          type               = "forward"
+          target_group_index = 0
+        }
+      ]
+
+      conditions = [{
+        path_patterns = ["/some/auth/required/route"]
+      }]
+    },
+    {
+      https_listener_index = 1
+      priority             = 2
+
+      actions = [
+        {
+          type = "authenticate-oidc"
+
+          authentication_request_extra_params = {
+            display = "page"
+            prompt  = "login"
+          }
+          authorization_endpoint = "https://${local.domain_name}/auth"
+          client_id              = "client_id"
+          client_secret          = "client_secret"
+          issuer                 = "https://${local.domain_name}"
+          token_endpoint         = "https://${local.domain_name}/token"
+          user_info_endpoint     = "https://${local.domain_name}/user_info"
+        },
+        {
+          type               = "forward"
+          target_group_index = 1
+        }
+      ]
+
+      conditions = [{
+        host_headers = ["foobar.com"]
+      }]
+    },
+    {
+      https_listener_index = 0
+      priority             = 3
+      actions = [{
+        type         = "fixed-response"
+        content_type = "text/plain"
+        status_code  = 200
+        message_body = "This is a fixed response"
+      }]
+
+      conditions = [{
+        http_headers = [{
+          http_header_name = "x-Gimme-Fixed-Response"
+          values           = ["yes", "please", "right now"]
+        }]
+      }]
+    },
+    {
+      https_listener_index = 0
+      priority             = 5000
+      actions = [{
+        type        = "redirect"
+        status_code = "HTTP_302"
+        host        = "www.youtube.com"
+        path        = "/watch"
+        query       = "v=dQw4w9WgXcQ"
+        protocol    = "HTTPS"
+      }]
+
+      conditions = [{
+        query_strings = [{
+          key   = "video"
+          value = "random"
+        }]
+      }]
+    },
+  ]
+
   target_groups = [
     {
       name_prefix          = "h1"