boldlink
diff --git a/‎.checkov.yml‎
Lines changed: 10 additions & 7 deletions b/‎.checkov.yml‎
Lines changed: 10 additions & 7 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 15 additions & 2 deletions b/‎CHANGELOG.md‎
Lines changed: 15 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 6 additions & 3 deletions b/‎README.md‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎examples/complete/README.md‎
Lines changed: 11 additions & 8 deletions b/‎examples/complete/README.md‎
Lines changed: 11 additions & 8 deletions
@@ -5,10 +5,13 @@ evaluate-variables: true
 external-modules-download-path: .external_modules
 framework: all
 skip-check:
-- CKV_AWS_260 #Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
-- CKV_AWS_336 #Ensure ECS containers are limited to read-only access to root filesystems
-- CKV_AWS_338 #Ensure CloudWatch log groups retains logs for at least 1 year
-- CKV2_AWS_5 #Ensure that Security Groups are attached to another
-- CKV_AWS_150 #Ensure that Load Balancer has deletion protection enabled
-- CKV_TF_1 #Ensure Terraform module sources use a commit hash
-- CKV2_AWS_28 #Ensure public facing ALB are protected by WAF
+- CKV_AWS_260 # Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
+- CKV_AWS_336 # Ensure ECS containers are limited to read-only access to root filesystems
+- CKV_AWS_338 # Ensure CloudWatch log groups retains logs for at least 1 year
+- CKV2_AWS_5 # Ensure that Security Groups are attached to another
+- CKV_AWS_150 # Ensure that Load Balancer has deletion protection enabled
+- CKV_TF_1 # Ensure Terraform module sources use a commit hash
+- CKV2_AWS_28 # Ensure public facing ALB are protected by WAF
+- CKV_AWS_152 # Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
+- CKV2_AWS_20 # Ensure that ALB redirects HTTP requests into HTTPS ones
+- CKV_AWS_261 # Ensure HTTP HTTPS Target group defines Healthcheck
@@ -5,12 +5,15 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- major: Remove the WAF KMS and ALB/NLB resources from the module and use external modules to provide these configurations.
 - fix: CKV_AWS_260 Ensure no security groups allow ingress from 0.0.0.0:0 to port 80
 - fix: CKV_AWS_336 Ensure ECS containers are limited to read-only access to root filesystems
 - fix: CKV_AWS_338 Ensure CloudWatch log groups retains logs for at least 1 year
 - fix: CKV2_AWS_5 Ensure that Security Groups are attached to another
 - fix: CKV_AWS_150 Ensure that Load Balancer has deletion protection enabled
-- fix: CKV_TF_1:Ensure Terraform module sources use a commit hash
+- fix: CKV_AWS_152 Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled
+- fix: CKV2_AWS_20 Ensure that ALB redirects HTTP requests into HTTPS ones
+- fix: CKV_AWS_261 Ensure HTTP HTTPS Target group defines Healthcheck
 - feat: showcase load balancer protection using WAF
 - feat: more than one security group for ecs service
 - feat: Add EC2 usage example
@@ -23,6 +26,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: Add missing aws_ecs_task_definition arguments and showcase them in examples
 - feat: expand volume block of the task definition as it has more configuration
 
+## [1.7.0] - 2023-12-03
+### Changes
+- feat: add complete example for alb and nlb service
+- feat: Enable ALB idle timeout configuration - this feature only works with ALB and not NLB.
+- fix: Separate listeners and target groups according to the `load_balancer_type = "application/network"`.
+- fix: Change the complete example s3 bucket policy and acl to support alb+nlb log delivery
+- fix: Force the s3 bucket encryption to be `AES256` since nlb only support AES256 or CMK kms encryption.
+- feat: Configure the nlb listerner to use TLS by default, note the current complete example doesnt implement end-to-end encyrption.
+
 ## [1.6.0] - 2023-10-26
 ### Changes
 - fix: confusing names for assume role policies for both the task role and task execution role
@@ -130,8 +142,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - feat: feature update.
 - feat: initial code commit
 
-[Unreleased]: https://github.com/boldlink/terraform-aws-ecs-service/compare/1.5.3...HEAD
+[Unreleased]: https://github.com/boldlink/terraform-aws-ecs-service/compare/1.7.0...HEAD
 
+[1.7.0]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.7.0
 [1.6.0]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.6.0
 [1.5.3]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.5.3
 [1.5.2]: https://github.com/boldlink/terraform-aws-ecs-service/releases/tag/1.5.2
 
@@ -186,7 +186,7 @@ module "ecs_service" {
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.23.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | 4.0.4 |
 
 ## Modules
@@ -211,7 +211,9 @@ No modules.
 | [aws_lb.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource |
 | [aws_lb_listener.http_redirect](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
 | [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
-| [aws_lb_target_group.main_tg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_lb_listener.nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource |
+| [aws_lb_target_group.main_alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
+| [aws_lb_target_group.main_nlb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
 | [aws_security_group.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group.service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource |
 | [aws_security_group_rule.lb_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource |
@@ -255,6 +257,7 @@ No modules.
 | <a name="input_family"></a> [family](#input\_family) | (Required) A unique name for your task definition. | `string` | `null` | no |
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g., myimage:latest), roll Fargate tasks onto a newer platform version, or immediately deploy ordered\_placement\_strategy and placement\_constraints updates. | `bool` | `false` | no |
 | <a name="input_healthy_threshold"></a> [healthy\_threshold](#input\_healthy\_threshold) | (Optional) Number of consecutive health checks successes required before considering an unhealthy target healthy. Defaults to 3. | `number` | `3` | no |
+| <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | (Optional) The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type application. Default: 60 | `number` | `60` | no |
 | <a name="input_internal"></a> [internal](#input\_internal) | (Optional) If true, the LB will be internal. | `bool` | `false` | no |
 | <a name="input_interval"></a> [interval](#input\_interval) | (Optional) Approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. For lambda target groups, it needs to be greater than the timeout of the underlying lambda. Defaults to 30. | `number` | `30` | no |
 | <a name="input_key_deletion_window_in_days"></a> [key\_deletion\_window\_in\_days](#input\_key\_deletion\_window\_in\_days) | The number of days before the key is deleted | `number` | `7` | no |
@@ -265,7 +268,7 @@ No modules.
 | <a name="input_listener_protocol"></a> [listener\_protocol](#input\_listener\_protocol) | (Required) The protocol to listen on. Valid values are HTTP, HTTPS, TCP, or SSL | `string` | `"HTTP"` | no |
 | <a name="input_load_balancer"></a> [load\_balancer](#input\_load\_balancer) | (Optional) Configuration block for load balancers | `any` | `[]` | no |
 | <a name="input_load_balancer_type"></a> [load\_balancer\_type](#input\_load\_balancer\_type) | (Optional) The type of load balancer to create. Possible values are application, gateway, or network. The default value is application. | `string` | `"application"` | no |
-| <a name="input_matcher"></a> [matcher](#input\_matcher) | (May be required) Response codes to use when checking for a healthy responses from a target. You can specify multiple values (for example, 200,202 for HTTP(s)) | `string` | `"200,202"` | no |
+| <a name="input_matcher"></a> [matcher](#input\_matcher) | (May be required) Response codes to use when checking for a healthy responses from a target. You can specify multiple values (for example, 200,202 for HTTP(s)) | `string` | `null` | no |
 | <a name="input_max_capacity"></a> [max\_capacity](#input\_max\_capacity) | (Required) The max capacity of the scalable target. | `number` | `2` | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | Amount (in MiB) of memory used by the task. If the requires\_compatibilities is FARGATE this field is required. | `number` | `1024` | no |
 | <a name="input_metric_aggregation_type"></a> [metric\_aggregation\_type](#input\_metric\_aggregation\_type) | (Optional) The aggregation type for the policy's metrics. Valid values are `Minimum`, `Maximum`, and `Average`. Without a value, AWS will treat the aggregation type as `Average`. | `string` | `"Maximum"` | no |
 
@@ -17,6 +17,8 @@
 - Add HTTPS inbound rule to load balancer security group for HTTPS to work
 - For this example `deletion_protection` is enabled for the load balancer. Change the argument ` enable_deletion_protection = true` to `  enable_deletion_protection = false` or delete it to disable this feature. Terraform will not be able to delete the resource if this feature is not enabled.
 - Ensure that traffic on port `5000` is allowed in the ALB security group. This example uses an image that is configured to listen on port `5000`. If you are using your own image, make sure to allow traffic for the port that your application is configured to.
+- This example also contains now a NLB configuration, no SSL/TLS is specified for the NLB, so it will be created as a TCP NLB. If you want to use a HTTP NLB, you need to specify a certificate for the NLB. See the [NLB documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html) for more information.
+- SSL/TLS support is enabled at the alb/nlb endpoint not end-to-end encryption, the certificate used is a self-signed certificate for testing and example purposes.
 
 ## Testing the deployment
 To test the deployment, follow these steps:
@@ -37,19 +39,21 @@ To test the deployment, follow these steps:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.23.1 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.24.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_access_logs_bucket"></a> [access\_logs\_bucket](#module\_access\_logs\_bucket) | boldlink/s3/aws | 2.2.0 |
-| <a name="module_ecs_service_lb"></a> [ecs\_service\_lb](#module\_ecs\_service\_lb) | ../../ | n/a |
+| <a name="module_access_logs_bucket"></a> [access\_logs\_bucket](#module\_access\_logs\_bucket) | boldlink/s3/aws | 2.3.1 |
+| <a name="module_ecs_service_alb"></a> [ecs\_service\_alb](#module\_ecs\_service\_alb) | ../../ | n/a |
+| <a name="module_ecs_service_nlb"></a> [ecs\_service\_nlb](#module\_ecs\_service\_nlb) | ../../ | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ecs_cluster.ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ecs_cluster) | data source |
 | [aws_elb_service_account.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.access_logs_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -69,6 +73,7 @@ To test the deployment, follow these steps:
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_access_logs_enabled"></a> [access\_logs\_enabled](#input\_access\_logs\_enabled) | Whether to enable access logs for the lb | `bool` | `true` | no |
+| <a name="input_alb_ingress_rules"></a> [alb\_ingress\_rules](#input\_alb\_ingress\_rules) | Incoming traffic configuration for the load balancer security group | `list(any)` | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to load balancer on port 443",<br>    "from_port": 443,<br>    "protocol": "tcp",<br>    "to_port": 443<br>  },<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to alb load balancer on port 80",<br>    "from_port": 80,<br>    "protocol": "tcp",<br>    "to_port": 80<br>  }<br>]</pre> | no |
 | <a name="input_containerport"></a> [containerport](#input\_containerport) | Specify container port | `number` | `5000` | no |
 | <a name="input_cpu"></a> [cpu](#input\_cpu) | The number of cpu units to allocate | `number` | `10` | no |
 | <a name="input_create_load_balancer"></a> [create\_load\_balancer](#input\_create\_load\_balancer) | Whether to create a load balancer for ecs. | `bool` | `true` | no |
@@ -80,10 +85,10 @@ To test the deployment, follow these steps:
 | <a name="input_force_new_deployment"></a> [force\_new\_deployment](#input\_force\_new\_deployment) | Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g., myimage:latest), roll Fargate tasks onto a newer platform version, or immediately deploy ordered\_placement\_strategy and placement\_constraints updates. | `bool` | `true` | no |
 | <a name="input_hostport"></a> [hostport](#input\_hostport) | Specify host port | `number` | `5000` | no |
 | <a name="input_image"></a> [image](#input\_image) | Name of image to pull from dockerhub | `string` | `"boldlink/flaskapp:latest"` | no |
-| <a name="input_lb_ingress_rules"></a> [lb\_ingress\_rules](#input\_lb\_ingress\_rules) | Incoming traffic configuration for the load balancer security group | `list(any)` | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to load balancer on port 443",<br>    "from_port": 443,<br>    "protocol": "tcp",<br>    "to_port": 443<br>  },<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to load balancer on port 80",<br>    "from_port": 80,<br>    "protocol": "tcp",<br>    "to_port": 80<br>  }<br>]</pre> | no |
 | <a name="input_memory"></a> [memory](#input\_memory) | The size of memory to allocate in MiBs | `number` | `512` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the stack | `string` | `"complete-ecs-example"` | no |
 | <a name="input_network_mode"></a> [network\_mode](#input\_network\_mode) | Docker networking mode to use for the containers in the task. Valid values are none, bridge, awsvpc, and host. | `string` | `"awsvpc"` | no |
+| <a name="input_nlb_ingress_rules"></a> [nlb\_ingress\_rules](#input\_nlb\_ingress\_rules) | Incoming traffic configuration for the NLB load balancer security group | `list(any)` | <pre>[<br>  {<br>    "cidr_blocks": [<br>      "0.0.0.0/0"<br>    ],<br>    "description": "Allow traffic to nlb load balancer on port 5000",<br>    "from_port": 5000,<br>    "protocol": "tcp",<br>    "to_port": 5000<br>  }<br>]</pre> | no |
 | <a name="input_path"></a> [path](#input\_path) | Destination for the health check request. Required for HTTP/HTTPS ALB and HTTP NLB. Only applies to HTTP/HTTPS. | `string` | `"/healthz"` | no |
 | <a name="input_requires_compatibilities"></a> [requires\_compatibilities](#input\_requires\_compatibilities) | Set of launch types required by the task. The valid values are EC2 and FARGATE. | `list(string)` | <pre>[<br>  "FARGATE"<br>]</pre> | no |
 | <a name="input_retention_in_days"></a> [retention\_in\_days](#input\_retention\_in\_days) | Number of days you want to retain log events in the specified log group. | `number` | `1` | no |
@@ -97,10 +102,8 @@ To test the deployment, follow these steps:
 
 | Name | Description |
 |------|-------------|
-| <a name="output_lb_arn"></a> [lb\_arn](#output\_lb\_arn) | The load balancer arn/id |
-| <a name="output_lb_sg_id"></a> [lb\_sg\_id](#output\_lb\_sg\_id) | The ID of the load balancer security group |
-| <a name="output_service_sg_id"></a> [service\_sg\_id](#output\_service\_sg\_id) | The ID of the service security group |
-| <a name="output_task_definition_arn"></a> [task\_definition\_arn](#output\_task\_definition\_arn) | The task definition arn |
+| <a name="output_alb_service_url"></a> [alb\_service\_url](#output\_alb\_service\_url) | The task definition arn |
+| <a name="output_nlb_service_url"></a> [nlb\_service\_url](#output\_nlb\_service\_url) | The task definition arn |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 
 ## Third party software