
Commit 02cf639

Add authentication action to ALB listener rules (cloudposse#12)
* Bump `terraform-terraform-label` version * Add authentication action to ALB listener rules * Rename local variable
1 parent 1a67199 commit 02cf639

3 files changed

+103
-25
lines changed

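--- a/LICENSE
+++ b/LICENSE
@@ -186,7 +186,7 @@
 same "printed page" as the copyright notice for easier
 identification within third-party archives.
 
-Copyright 2018 Cloud Posse, LLC
+Copyright 2018-2019 Cloud Posse, LLC
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.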

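--- a/main.tf
+++ b/main.tf
@@ -1,18 +1,16 @@
 locals {
-create_target_group = "${var.target_group_arn == "" ? "true" : "false"}"
-}
-
-locals {
-target_group_arn = "${local.create_target_group == "true" ? aws_lb_target_group.default.arn : var.target_group_arn}"
+target_group_enabled = "${var.target_group_arn == "" ? "true" : "false"}"
+target_group_arn = "${local.target_group_enabled == "true" ? aws_lb_target_group.default.arn : var.target_group_arn}"
+authentication_enabled = "${var.authentication_enabled == "true" ? true : false}"
 }
 
 data "aws_lb_target_group" "default" {
 arn = "${local.target_group_arn}"
 }
 
 module "default_label" {
-enabled = "${local.create_target_group}"
-source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.1.3"
+enabled = "${local.target_group_enabled}"
+source = "git::https://github.com/cloudposse/terraform-terraform-label.git?ref=tags/0.2.1"
 attributes = "${var.attributes}"
 delimiter = "${var.delimiter}"
 name = "${var.name}"
@@ -22,7 +20,7 @@ module "default_label" {
 }
 
 resource "aws_lb_target_group" "default" {
-count = "${local.create_target_group == "true" ? 1 : 0}"
+count = "${local.target_group_enabled == "true" ? 1 : 0}"
 name = "${module.default_label.id}"
 port = "${var.port}"
 protocol = "${var.protocol}"
@@ -45,48 +43,116 @@ resource "aws_lb_target_group" "default" {
 }
 }
 
-resource "aws_lb_listener_rule" "paths" {
-count = "${length(var.paths) > 0 && length(var.hosts) == 0 ? var.listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "paths_no_authentication" {
+count = "${length(var.paths) > 0 && length(var.hosts) == 0 && local.authentication_enabled == false ? var.listener_arns_count : 0}"
 listener_arn = "${var.listener_arns[count.index]}"
 priority = "${var.priority + count.index}"
 
-action {
-type = "forward"
-target_group_arn = "${local.target_group_arn}"
+action = [
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
+
+condition {
+field = "path-pattern"
+values = ["${var.paths}"]
 }
+}
+
+resource "aws_lb_listener_rule" "paths_with_authentication" {
+count = "${length(var.paths) > 0 && length(var.hosts) == 0 && local.authentication_enabled == true ? var.listener_arns_count : 0}"
+listener_arn = "${var.listener_arns[count.index]}"
+priority = "${var.priority + count.index}"
+
+action = [
+"${var.authentication_action}",
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
 
 condition {
 field = "path-pattern"
 values = ["${var.paths}"]
 }
 }
 
-resource "aws_lb_listener_rule" "hosts" {
-count = "${length(var.hosts) > 0 && length(var.paths) == 0 ? var.listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "hosts_no_authentication" {
+count = "${length(var.hosts) > 0 && length(var.paths) == 0 && local.authentication_enabled == false ? var.listener_arns_count : 0}"
 listener_arn = "${var.listener_arns[count.index]}"
 priority = "${var.priority + count.index}"
 
-action {
-type = "forward"
-target_group_arn = "${local.target_group_arn}"
+action = [
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
+
+condition {
+field = "host-header"
+values = ["${var.hosts}"]
 }
+}
+
+resource "aws_lb_listener_rule" "hosts_with_authentication" {
+count = "${length(var.hosts) > 0 && length(var.paths) == 0 && local.authentication_enabled == true ? var.listener_arns_count : 0}"
+listener_arn = "${var.listener_arns[count.index]}"
+priority = "${var.priority + count.index}"
+
+action = [
+"${var.authentication_action}",
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
 
 condition {
 field = "host-header"
 values = ["${var.hosts}"]
 }
 }
 
-resource "aws_lb_listener_rule" "hosts_paths" {
-count = "${length(var.paths) > 0 && length(var.hosts) > 0 ? var.listener_arns_count : 0}"
+resource "aws_lb_listener_rule" "hosts_paths_no_authentication" {
+count = "${length(var.paths) > 0 && length(var.hosts) > 0 && local.authentication_enabled == false ? var.listener_arns_count : 0}"
 listener_arn = "${var.listener_arns[count.index]}"
 priority = "${var.priority + count.index}"
 
-action {
-type = "forward"
-target_group_arn = "${local.target_group_arn}"
+action = [
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
+
+condition {
+field = "host-header"
+values = ["${var.hosts}"]
 }
 
+condition {
+field = "path-pattern"
+values = ["${var.paths}"]
+}
+}
+
+resource "aws_lb_listener_rule" "hosts_paths_with_authentication" {
+count = "${length(var.paths) > 0 && length(var.hosts) > 0 && local.authentication_enabled == true ? var.listener_arns_count : 0}"
+listener_arn = "${var.listener_arns[count.index]}"
+priority = "${var.priority + count.index}"
+
+action = [
+"${var.authentication_action}",
+{
+type = "forward"
+target_group_arn = "${local.target_group_arn}"
+},
+]
+
 condition {
 field = "host-header"
 values = ["${var.hosts}"]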
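Review bot: The four `*_with_authentication` rules splice `var.authentication_action` in ahead of the forward action but pass the map through verbatim, so nothing in this hunk checks that it is actually an authenticate-oidc/authenticate-cognito action or that it is non-empty when `local.authentication_enabled` is true; with the variable left at its `{}` default the rule most likely fails at plan time rather than enforcing a login, but that contract is nowhere stated. Terraform 0.11 gives the module no way to validate the map, so I would at least document it above each of those resources: `# var.authentication_action must be a complete authenticate-oidc or authenticate-cognito action map; it is not validated here and runs before the forward action.` The same comment should note that, because the authenticated and unauthenticated variants are separate resources, flipping `authentication_enabled` destroys one rule and creates the other, so during that apply the listener's default action decides how these hosts/paths are served. The `hosts_paths_with_authentication` resource is cut off at the end of the hunk.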

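--- a/variables.tf
+++ b/variables.tf
@@ -46,7 +46,7 @@ variable "listener_arns" {
 variable "listener_arns_count" {
 type = "string"
 default = "0"
-description = "The number of ARNs in listener_arns, this is necessary to work around a limitation in Terraform where counts cannot be computed"
+description = "The number of ARNs in `listener_arns`. This is necessary to work around a limitation in Terraform where counts cannot be computed"
 }
 
 variable "deregistration_delay" {
@@ -130,3 +130,15 @@ variable "paths" {
 default = []
 description = "Path pattern to match (a maximum of 1 can be defined), at least one of hosts or paths must be set"
 }
+
+variable "authentication_enabled" {
+type = "string"
+default = "false"
+description = "Whether to enable authentication action for ALB listener to authenticate users with Cognito or OIDC"
+}
+
+variable "authentication_action" {
+type = "map"
+default = {}
+description = "Authentication action to be placed in front of all other ALB listener actions to authenticate users with Cognito or OIDC. Required when `authentication_enabled=true`"
+}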
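Review bot: The description of `authentication_action` does not tell callers that the whole map ends up in Terraform state; for an OIDC action that map carries the client secret, which is then persisted in plaintext wherever the state file lives. I would append a sentence to the description along the lines of `For OIDC the map includes the client secret, which is stored in Terraform state; protect the state backend accordingly`. The `authentication_enabled` description should also spell out the accepted values, since main.tf compares the string against the literal `"true"` and any other value, including `"True"` or `"1"`, silently leaves authentication off.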
