feat: Support http respond headers for ALB listeners (#398)

ekirmayer · bryantbiggs · web-flow · commit 9cf65ccf2a1c · 2025-03-13T07:51:30.000-05:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.1
+    rev: v1.97.4
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
@@ -352,13 +352,13 @@ See [patterns.md](https://github.com/terraform-aws-modules/terraform-aws-alb/blo
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.89 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.89 |
 
 ## Modules
 
diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.89 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.89 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.6 |
 
diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf
@@ -359,6 +359,31 @@ module "alb" {
         target_group_key = "ex-instance"
       }
     }
+
+    ex-response-headers = {
+      port            = "443"
+      protocol        = "HTTPS"
+      ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"
+      certificate_arn = module.acm.acm_certificate_arn
+
+      fixed_response = {
+        content_type = "text/plain"
+        message_body = "Fixed message"
+        status_code  = "200"
+      }
+
+      routing_http_response_server_enabled                                = false
+      routing_http_response_strict_transport_security_header_value        = "max-age=31536000; includeSubDomains; preload"
+      routing_http_response_access_control_allow_origin_header_value      = "https://example.com"
+      routing_http_response_access_control_allow_methods_header_value     = "TRACE,GET"
+      routing_http_response_access_control_allow_headers_header_value     = "Accept-Language,Content-Language"
+      routing_http_response_access_control_allow_credentials_header_value = "true"
+      routing_http_response_access_control_expose_headers_header_value    = "Cache-Control"
+      routing_http_response_access_control_max_age_header_value           = 86400
+      routing_http_response_content_security_policy_header_value          = "*"
+      routing_http_response_x_content_type_options_header_value           = "nosniff"
+      routing_http_response_x_frame_options_header_value                  = "SAMEORIGIN"
+    }
   }
 
   target_groups = {
diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.89 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.89 |
 
 ## Modules
 
diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
   }
 }
diff --git a/examples/mutual-auth-alb/README.md b/examples/mutual-auth-alb/README.md
@@ -21,15 +21,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.89 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.89 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
 
diff --git a/examples/mutual-auth-alb/versions.tf b/examples/mutual-auth-alb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/main.tf b/main.tf
@@ -217,6 +217,18 @@ resource "aws_lb_listener" "this" {
     }
   }
 
+  routing_http_response_server_enabled                                = try(each.value.routing_http_response_server_enabled, null)
+  routing_http_response_strict_transport_security_header_value        = try(each.value.routing_http_response_strict_transport_security_header_value, null)
+  routing_http_response_access_control_allow_origin_header_value      = try(each.value.routing_http_response_access_control_allow_origin_header_value, null)
+  routing_http_response_access_control_allow_methods_header_value     = try(each.value.routing_http_response_access_control_allow_methods_header_value, null)
+  routing_http_response_access_control_allow_headers_header_value     = try(each.value.routing_http_response_access_control_allow_headers_header_value, null)
+  routing_http_response_access_control_allow_credentials_header_value = try(each.value.routing_http_response_access_control_allow_credentials_header_value, null)
+  routing_http_response_access_control_expose_headers_header_value    = try(each.value.routing_http_response_access_control_expose_headers_header_value, null)
+  routing_http_response_access_control_max_age_header_value           = try(each.value.routing_http_response_access_control_max_age_header_value, null)
+  routing_http_response_content_security_policy_header_value          = try(each.value.routing_http_response_content_security_policy_header_value, null)
+  routing_http_response_x_content_type_options_header_value           = try(each.value.routing_http_response_x_content_type_options_header_value, null)
+  routing_http_response_x_frame_options_header_value                  = try(each.value.routing_http_response_x_frame_options_header_value, null)
+
   load_balancer_arn        = aws_lb.this[0].arn
   port                     = try(each.value.port, var.default_port)
   protocol                 = try(each.value.protocol, var.default_protocol)
diff --git a/modules/lb_trust_store/README.md b/modules/lb_trust_store/README.md
@@ -30,13 +30,13 @@ module "trust_store" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.82 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.89 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.82 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.89 |
 
 ## Modules
 
diff --git a/modules/lb_trust_store/versions.tf b/modules/lb_trust_store/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
   }
 }
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
   }
 }
diff --git a/wrappers/lb_trust_store/versions.tf b/wrappers/lb_trust_store/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
   }
 }
diff --git a/wrappers/versions.tf b/wrappers/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 5.82"
+      version = ">= 5.89"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 5.82"`
	`7`	`+ version = ">= 5.89"`
`8`	`8`	`}`
`9`	`9`	`null = {`
`10`	`10`	`source = "hashicorp/null"`