aws.elbv2-listener resource

Description

Listener is an ELBv2 listener: the port and protocol a load balancer accepts connections on, and the default action it takes for traffic that matches no rule. The fields mirror CreateListener, and an update sends the same fields through ModifyListener. The load balancer the listener belongs to is fixed at creation, so a change to it replaces the listener; the port, protocol, security policy, default certificate, ALPN policy, default actions, and tags all change in place.

CertificateArn is the listener's default certificate, set on the create and modify call itself through a one-element Certificates list. It is distinct from the SNI certificates an HTTPS or TLS listener offers beyond its default, which are the separate elbv2-listener-certificate resource.

The cross-field rules on protocol and the per-action rules are declared as constraints; Create and Update check only the residue a constraint cannot express (the fixed-response status pattern, the forward arn-match, and an explicitly empty action list).

Source: internal/service/elbv2/listener_rsrc.go:45

Example usage:

imports: {
  aws: 'github.com/cloudboss/unobin-library-aws'
}

resources: {
  example: aws.elbv2-listener {
    # Set input fields here.
  }
}

Inputs

load-balancer-arn

string

required

port

optional(integer)

protocol

optional(string)

ssl-policy

optional(string)

certificate-arn

optional(string)

alpn-policy

optional(string)

default-action

list(object)
list(
  object({
    type: string
    order: optional(integer)
    target-group-arn: optional(string)
    forward: optional(
      object({
        target-groups: list(
          object({
            arn: string
            weight: optional(integer)
          })
        )
        stickiness: optional(
          object({
            enabled: optional(boolean)
            duration-seconds: optional(integer)
          })
        )
      })
    )
    redirect: optional(
      object({
        host: optional(string)
        path: optional(string)
        port: optional(string)
        protocol: optional(string)
        query: optional(string)
        status-code: string
      })
    )
    fixed-response: optional(
      object({
        content-type: optional(string)
        message-body: optional(string)
        status-code: string
      })
    )
  })
)

required

tags

map(string)

Input Constraints

Protocol rules

an HTTPS or TLS listener requires ssl-policy and certificate-arn.

Rule logic
When
input.protocol == 'HTTPS'
|| input.protocol == 'TLS'
Require
input.ssl-policy != null
&& input.certificate-arn != null

only an HTTPS or TLS listener accepts ssl-policy, certificate-arn, or alpn-policy.

Rule logic
When
input.protocol == 'HTTP'
|| input.protocol == 'TCP'
|| input.protocol == 'UDP'
|| input.protocol == 'TCP_UDP'
|| input.protocol == 'GENEVE'
|| input.protocol == 'QUIC'
|| input.protocol == 'TCP_QUIC'
Require
input.ssl-policy == null
&& input.certificate-arn == null
&& input.alpn-policy == null

Alpn policy rules

alpn-policy must be HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, or None.

Rule logic
When
input.alpn-policy != null
Require
input.alpn-policy == 'HTTP1Only'
|| input.alpn-policy == 'HTTP2Only'
|| input.alpn-policy == 'HTTP2Optional'
|| input.alpn-policy == 'HTTP2Preferred'
|| input.alpn-policy == 'None'

Default action rules

default-action must list at least one action.

Rule logic
Require
input.default-action != null
&& @core.length(input.default-action) >= 1

an action type must be forward, redirect, or fixed-response.

Rule logic
For each
input.default-action
Require
@each.value.type == 'forward'
|| @each.value.type == 'redirect'
|| @each.value.type == 'fixed-response'

a forward action takes target-group-arn or a forward block only.

Rule logic
For each
input.default-action
When
@each.value.type == 'forward'
Require
((@each.value.target-group-arn != null) || (@each.value.forward != null))
&& @each.value.redirect == null
&& @each.value.fixed-response == null

a redirect action takes a redirect block only.

Rule logic
For each
input.default-action
When
@each.value.type == 'redirect'
Require
@each.value.redirect != null
&& @each.value.target-group-arn == null
&& @each.value.forward == null
&& @each.value.fixed-response == null

a fixed-response action takes a fixed-response block only.

Rule logic
For each
input.default-action
When
@each.value.type == 'fixed-response'
Require
@each.value.fixed-response != null
&& @each.value.target-group-arn == null
&& @each.value.forward == null
&& @each.value.redirect == null

a redirect status-code must be HTTP_301 or HTTP_302.

Rule logic
For each
input.default-action
When
@each.value.redirect.status-code != null
Require
@each.value.redirect.status-code == 'HTTP_301'
|| @each.value.redirect.status-code == 'HTTP_302'

a redirect protocol must be HTTP, HTTPS, or #{protocol}.

Rule logic
For each
input.default-action
When
@each.value.redirect.protocol != null
Require
@each.value.redirect.protocol == '#{protocol}'
|| @each.value.redirect.protocol == 'HTTP'
|| @each.value.redirect.protocol == 'HTTPS'

a fixed-response content-type must be one of the accepted types.

Rule logic
For each
input.default-action
When
@each.value.fixed-response.content-type != null
Require
@each.value.fixed-response.content-type == 'text/plain'
|| @each.value.fixed-response.content-type == 'text/css'
|| @each.value.fixed-response.content-type == 'text/html'
|| @each.value.fixed-response.content-type == 'application/javascript'
|| @each.value.fixed-response.content-type == 'application/json'

a forward block takes one to five target-groups.

Rule logic
For each
input.default-action
When
@each.value.forward != null
Require
((@each.value.forward.target-groups != null) && (@core.length(@each.value.forward.target-groups) >= 1))
&& (@each.value.forward.target-groups == null || @core.length(@each.value.forward.target-groups) <= 5)

with target-group-arn set, the forward block must name exactly one target group.

Rule logic
For each
input.default-action
When
@each.value.target-group-arn != null
&& @each.value.forward != null
Require
@each.value.forward.target-groups == null
|| @core.length(@each.value.forward.target-groups) <= 1

a target group weight must be between 0 and 999.

Rule logic
For each
@a in input.default-action
@g in @a.value.forward.target-groups
When
@g.value.weight != null
Require
(@g.value.weight == null || @g.value.weight >= 0)
&& (@g.value.weight == null || @g.value.weight <= 999)

target-group-arn must match the forward block's target group.

Rule logic
For each
@a in input.default-action
@g in @a.value.forward.target-groups
When
@a.value.target-group-arn != null
Require
@g.value.arn == @a.value.target-group-arn

enabled forward stickiness requires duration-seconds.

Rule logic
For each
input.default-action
When
@each.value.forward.stickiness.enabled == true
Require
@each.value.forward.stickiness.duration-seconds != null

stickiness duration-seconds must be between 1 and 604800.

Rule logic
For each
input.default-action
When
@each.value.forward.stickiness.duration-seconds != null
Require
(@each.value.forward.stickiness.duration-seconds == null || @each.value.forward.stickiness.duration-seconds >= 1)
&& (@each.value.forward.stickiness.duration-seconds == null || @each.value.forward.stickiness.duration-seconds <= 604800)
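
The protocol rules and the per-action block rules above, written out as a stand-alone Go check that can run before deployment. This is an added example, not code from the unobin library: the Listener and Action types and the Check function are hypothetical, and the sample values are constructed.

```go
package main

import "fmt"

// Action and Listener are hypothetical mirrors of the documented inputs; "" stands for null.
type Action struct {
	Type, TargetGroupArn             string
	Forward, Redirect, FixedResponse bool // true when that block is present
}

type Listener struct {
	Protocol, SSLPolicy, CertificateArn, AlpnPolicy string
	DefaultAction                                   []Action
}

// Check returns the message of every documented rule the listener violates.
func Check(l Listener) []string {
	var errs []string
	require := func(ok bool, msg string) {
		if !ok {
			errs = append(errs, msg)
		}
	}
	switch l.Protocol {
	case "HTTPS", "TLS":
		require(l.SSLPolicy != "" && l.CertificateArn != "", "an HTTPS or TLS listener requires ssl-policy and certificate-arn")
	case "HTTP", "TCP", "UDP", "TCP_UDP", "GENEVE", "QUIC", "TCP_QUIC":
		require(l.SSLPolicy == "" && l.CertificateArn == "" && l.AlpnPolicy == "",
			"only an HTTPS or TLS listener accepts ssl-policy, certificate-arn, or alpn-policy")
	}
	require(len(l.DefaultAction) >= 1, "default-action must list at least one action")
	for _, a := range l.DefaultAction {
		fwd := a.TargetGroupArn != "" || a.Forward // either form selects a forward target
		switch a.Type {
		case "forward":
			require(fwd && !a.Redirect && !a.FixedResponse, "a forward action takes target-group-arn or a forward block only")
		case "redirect":
			require(a.Redirect && !fwd && !a.FixedResponse, "a redirect action takes a redirect block only")
		case "fixed-response":
			require(a.FixedResponse && !fwd && !a.Redirect, "a fixed-response action takes a fixed-response block only")
		default:
			require(false, "an action type must be forward, redirect, or fixed-response")
		}
	}
	return errs
}

func main() {
	// Constructed input: an HTTPS listener with a policy but no certificate-arn and no action.
	fmt.Println(Check(Listener{Protocol: "HTTPS", SSLPolicy: "placeholder-policy"}))
}
```

A check of this kind reports a TLS listener that lacks ssl-policy or certificate-arn, or a plaintext listener carrying TLS settings, before any API call is made.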

Outputs

arn

string

protocol

string

ssl-policy

string