fix: Correct stickiness syntax and ensure that security group is not created for network load balancers (#277)

Resolves undefined

Author: bryantbiggs

examples/complete-alb/README.md

@@ -57,7 +57,9 @@ Note that this example may create resources which cost money. Run `terraform des
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no |
 
 ## Outputs
 

examples/complete-alb/main.tf

@@ -11,8 +11,6 @@ locals {
   vpc_cidr = "10.0.0.0/16"
   azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
-  domain_name = "terraform-aws-modules.modules.tf"
-
   tags = {
     Example    = local.name
     GithubRepo = "terraform-aws-alb"
@@ -41,7 +39,7 @@ module "alb" {
       type        = "ingress"
       from_port   = 80
       to_port     = 80
-      protocol    = "http"
+      protocol    = "tcp"
       description = "HTTP web traffic"
       cidr_blocks = ["0.0.0.0/0"]
     }
@@ -62,10 +60,10 @@ module "alb" {
     }
   }
 
-  #   # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987)
-  #   access_logs = {
-  #     bucket = module.log_bucket.s3_bucket_id
-  #   }
+  # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987)
+  # access_logs = {
+  #   bucket = module.log_bucket.s3_bucket_id
+  # }
 
   http_tcp_listeners = [
     # Forward action is default, either when defined or undefined
@@ -135,12 +133,12 @@ module "alb" {
           display = "page"
           prompt  = "login"
         }
-        authorization_endpoint = "https://${local.domain_name}/auth"
+        authorization_endpoint = "https://${var.domain_name}/auth"
         client_id              = "client_id"
         client_secret          = "client_secret"
-        issuer                 = "https://${local.domain_name}"
-        token_endpoint         = "https://${local.domain_name}/token"
-        user_info_endpoint     = "https://${local.domain_name}/user_info"
+        issuer                 = "https://${var.domain_name}"
+        token_endpoint         = "https://${var.domain_name}/token"
+        user_info_endpoint     = "https://${var.domain_name}/user_info"
       }
     },
   ]
@@ -189,12 +187,12 @@ module "alb" {
             display = "page"
             prompt  = "login"
           }
-          authorization_endpoint = "https://${local.domain_name}/auth"
+          authorization_endpoint = "https://${var.domain_name}/auth"
           client_id              = "client_id"
           client_secret          = "client_secret"
-          issuer                 = "https://${local.domain_name}"
-          token_endpoint         = "https://${local.domain_name}/token"
-          user_info_endpoint     = "https://${local.domain_name}/user_info"
+          issuer                 = "https://${var.domain_name}"
+          token_endpoint         = "https://${var.domain_name}/token"
+          user_info_endpoint     = "https://${var.domain_name}/user_info"
         },
         {
           type               = "forward"
@@ -460,6 +458,7 @@ data "aws_ami" "amazon_linux" {
 resource "aws_instance" "this" {
   ami           = data.aws_ami.amazon_linux.id
   instance_type = "t3.nano"
+  subnet_id     = element(module.vpc.private_subnets, 0)
 }
 
 #############################################
@@ -525,9 +524,9 @@ module "lambda_without_allowed_triggers" {
   depends_on = [null_resource.download_package]
 }
 
-##################################################################
-# Data sources to get VPC and subnets
-##################################################################
+################################################################################
+# Supporting resources
+################################################################################
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
@@ -548,22 +547,22 @@ module "vpc" {
 }
 
 data "aws_route53_zone" "this" {
-  name = local.domain_name
+  name = var.domain_name
 }
 
 module "acm" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 3.0"
 
-  domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".")
+  domain_name = var.domain_name
   zone_id     = data.aws_route53_zone.this.id
 }
 
 module "wildcard_cert" {
   source  = "terraform-aws-modules/acm/aws"
   version = "~> 3.0"
 
-  domain_name = "*.${local.domain_name}" # trimsuffix(data.aws_route53_zone.this.name, ".")
+  domain_name = "*.${var.domain_name}"
   zone_id     = data.aws_route53_zone.this.id
 }
 
@@ -580,7 +579,7 @@ resource "aws_cognito_user_pool_client" "this" {
   user_pool_id                         = aws_cognito_user_pool.this.id
   generate_secret                      = true
   allowed_oauth_flows                  = ["code", "implicit"]
-  callback_urls                        = ["https://${local.domain_name}/callback"]
+  callback_urls                        = ["https://${var.domain_name}/callback"]
   allowed_oauth_scopes                 = ["email", "openid"]
   allowed_oauth_flows_user_pool_client = true
 }

examples/complete-alb/variables.tf

@@ -0,0 +1,5 @@
+variable "domain_name" {
+  description = "The domain name for which the certificate should be issued"
+  type        = string
+  default     = "terraform-aws-modules.modules.tf"
+}

examples/complete-nlb/README.md

@@ -21,35 +21,34 @@ Note that this example may create resources which cost money. Run `terraform des
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
 | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.27 |
-| <a name="requirement_random"></a> [random](#requirement\_random) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
 | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.27 |
-| <a name="provider_random"></a> [random](#provider\_random) | >= 2.0 |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_acm"></a> [acm](#module\_acm) | terraform-aws-modules/acm/aws | ~> 3.0 |
 | <a name="module_nlb"></a> [nlb](#module\_nlb) | ../../ | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | ~> 3.0 |
 
 ## Resources
 
 | Name | Type |
 |------|------|
 | [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
-| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zones) | data source |
 | [aws_route53_zone.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |
-| [aws_subnets.all](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/subnets) | data source |
-| [aws_vpc.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 
 ## Inputs
 
-No inputs.
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_domain_name"></a> [domain\_name](#input\_domain\_name) | The domain name for which the certificate should be issued | `string` | `"terraform-aws-modules.modules.tf"` | no |
 
 ## Outputs
 

examples/complete-nlb/main.tf

@@ -1,82 +1,47 @@
 provider "aws" {
-  region = "eu-west-1"
+  region = local.region
 }
 
+data "aws_availability_zones" "available" {}
+
 locals {
-  domain_name = "terraform-aws-modules.modules.tf"
-}
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
 
-##################################################################
-# Data sources to get VPC and subnets
-##################################################################
-data "aws_vpc" "default" {
-  default = true
-}
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
 
-data "aws_subnets" "all" {
-  filter {
-    name   = "vpc-id"
-    values = [data.aws_vpc.default.id]
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-alb"
+    GithubOrg  = "terraform-aws-modules"
   }
 }
 
-resource "random_pet" "this" {
-  length = 2
-}
-
-data "aws_route53_zone" "this" {
-  name = local.domain_name
-}
-
-# module "log_bucket" {
-#   source  = "terraform-aws-modules/s3-bucket/aws"
-#   version = "~> 3.0"
-#
-#   bucket                         = "logs-${random_pet.this.id}"
-#   acl                            = "log-delivery-write"
-#   force_destroy                  = true
-#   attach_elb_log_delivery_policy = true
-# }
-
-module "acm" {
-  source  = "terraform-aws-modules/acm/aws"
-  version = "~> 3.0"
-
-  domain_name = local.domain_name # trimsuffix(data.aws_route53_zone.this.name, ".")
-  zone_id     = data.aws_route53_zone.this.id
-}
-
-resource "aws_eip" "this" {
-  count = length(data.aws_subnets.all.ids)
-
-  vpc = true
-}
-
 ##################################################################
-# Network Load Balancer with Elastic IPs attached
+# Network Load Balancer
 ##################################################################
+
 module "nlb" {
   source = "../../"
 
-  name = "complete-nlb-${random_pet.this.id}"
+  name = local.name
 
   load_balancer_type = "network"
+  vpc_id             = module.vpc.vpc_id
 
-  vpc_id = data.aws_vpc.default.id
+  # Use `subnets` if you don't want to attach EIPs
+  # subnets = module.vpc.private_subnets
 
-  #   Use `subnets` if you don't want to attach EIPs
-  #   subnets = tolist(data.aws_subnet_ids.all.ids)
+  # Use `subnet_mapping` to attach EIPs
+  subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : module.vpc.private_subnets[i] }]
 
-  #   Use `subnet_mapping` to attach EIPs
-  subnet_mapping = [for i, eip in aws_eip.this : { allocation_id : eip.id, subnet_id : tolist(data.aws_subnets.all.ids)[i] }]
+  # # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987)
+  # access_logs = {
+  #   bucket = module.log_bucket.s3_bucket_id
+  # }
 
-  #   # See notes in README (ref: https://github.com/terraform-providers/terraform-provider-aws/issues/7987)
-  #   access_logs = {
-  #     bucket = module.log_bucket.s3_bucket_id
-  #   }
-
-
-  #  TCP_UDP, UDP, TCP
+  # TCP_UDP, UDP, TCP
   http_tcp_listeners = [
     {
       port               = 81
@@ -150,4 +115,45 @@ module "nlb" {
       target_type      = "instance"
     },
   ]
+
+  tags = local.tags
+}
+
+################################################################################
+# Supporting resources
+################################################################################
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 3.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway   = true
+  single_nat_gateway   = true
+  enable_dns_hostnames = true
+
+  tags = local.tags
+}
+
+data "aws_route53_zone" "this" {
+  name = var.domain_name
+}
+
+module "acm" {
+  source  = "terraform-aws-modules/acm/aws"
+  version = "~> 3.0"
+
+  domain_name = var.domain_name
+  zone_id     = data.aws_route53_zone.this.id
+}
+
+resource "aws_eip" "this" {
+  count = length(local.azs)
+  vpc   = true
 }

examples/complete-nlb/variables.tf

@@ -0,0 +1,5 @@
+variable "domain_name" {
+  description = "The domain name for which the certificate should be issued"
+  type        = string
+  default     = "terraform-aws-modules.modules.tf"
+}

examples/complete-nlb/versions.tf

@@ -6,9 +6,5 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 4.27"
     }
-    random = {
-      source  = "hashicorp/random"
-      version = ">= 2.0"
-    }
   }
 }

main.tf

@@ -10,7 +10,7 @@ resource "aws_lb" "this" {
 
   load_balancer_type = var.load_balancer_type
   internal           = var.internal
-  security_groups    = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
+  security_groups    = var.create_security_group && var.load_balancer_type == "application" ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
   subnets            = var.subnets
 
   idle_timeout                     = var.idle_timeout
@@ -100,10 +100,10 @@ resource "aws_lb_target_group" "main" {
     for_each = try([var.target_groups[count.index].stickiness], [])
 
     content {
-      enabled         = lookup(stickiness.value.enabled, null)
-      cookie_duration = lookup(stickiness.value.cookie_duration, null)
-      type            = lookup(stickiness.value.type, null)
-      cookie_name     = lookup(stickiness.value.cookie_name, null)
+      enabled         = try(stickiness.value.enabled, null)
+      cookie_duration = try(stickiness.value.cookie_duration, null)
+      type            = try(stickiness.value.type, null)
+      cookie_name     = try(stickiness.value.cookie_name, null)
     }
   }
 
@@ -770,7 +770,7 @@ resource "aws_lb_listener_certificate" "https_listener" {
 ################################################################################
 
 locals {
-  create_security_group = local.create_lb && var.create_security_group
+  create_security_group = local.create_lb && var.create_security_group && var.load_balancer_type == "application"
   security_group_name   = try(coalesce(var.security_group_name, var.name, var.name_prefix), "")
 }