feat: Support for jwt_validation in aws_lb_listener and aws_lb_listener_rule (#426)

pavelkovar · bryantbiggs · web-flow · commit e75497464c2b · 2025-11-21T10:27:56.000-06:00
Co-authored-by: Bryant Biggs &lt;bryantbiggs@gmail.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.103.0
+    rev: v1.104.0
     hooks:
       - id: terraform_fmt
       - id: terraform_wrapper_module_for_each
diff --git a/README.md b/README.md
diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md
@@ -20,15 +20,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.19 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.22 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.6 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.19 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.22 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.6 |
 
diff --git a/examples/complete-alb/main.tf b/examples/complete-alb/main.tf
@@ -395,6 +395,45 @@ module "alb" {
         target_group_key = "ex-instance"
       }
     }
+
+    ex-jwt = {
+      port            = 445
+      protocol        = "HTTPS"
+      certificate_arn = module.acm.acm_certificate_arn
+
+      forward = {
+        target_group_key = "ex-instance"
+      }
+
+      rules = {
+        ex-jwt = {
+          priority = 5
+
+          actions = [
+            {
+              jwt_validation = {
+                issuer        = "https://${var.domain_name}"
+                jwks_endpoint = "https://${var.domain_name}/jwks.json"
+                additional_claim = [
+                  { format = "space-separated-values", name = "scp", values = ["read", "write"] }
+                ]
+              }
+            },
+            {
+              forward = {
+                target_group_key = "ex-lambda-with-trigger"
+              }
+            }
+          ]
+
+          conditions = [{
+            host_header = {
+              values = ["foobar.com"]
+            }
+          }]
+        }
+      }
+    }
   }
 
   target_groups = {
diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.19 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.22 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.19 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.22 |
 
 ## Modules
 
diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
   }
 }
diff --git a/examples/mutual-auth-alb/README.md b/examples/mutual-auth-alb/README.md
@@ -21,15 +21,15 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.19 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.22 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 2.0 |
 | <a name="requirement_tls"></a> [tls](#requirement\_tls) | >= 4.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.19 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.22 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 2.0 |
 | <a name="provider_tls"></a> [tls](#provider\_tls) | >= 4.0 |
 
diff --git a/examples/mutual-auth-alb/versions.tf b/examples/mutual-auth-alb/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
     null = {
       source  = "hashicorp/null"
diff --git a/main.tf b/main.tf
@@ -164,6 +164,30 @@ resource "aws_lb_listener" "this" {
     }
   }
 
+  dynamic "default_action" {
+    for_each = each.value.jwt_validation != null ? [each.value.jwt_validation] : []
+
+    content {
+      jwt_validation {
+        issuer        = default_action.value.issuer
+        jwks_endpoint = default_action.value.jwks_endpoint
+
+        dynamic "additional_claim" {
+          for_each = default_action.value.additional_claim != null ? default_action.value.additional_claim : []
+
+          content {
+            format = additional_claim.value.format
+            name   = additional_claim.value.name
+            values = additional_claim.value.values
+          }
+        }
+      }
+
+      order = each.value.order
+      type  = "jwt-validation"
+    }
+  }
+
   dynamic "default_action" {
     for_each = each.value.fixed_response != null ? [each.value.fixed_response] : []
 
@@ -354,6 +378,35 @@ resource "aws_lb_listener_rule" "this" {
     }
   }
 
+  # JWT validation
+  dynamic "action" {
+    for_each = [for action in each.value.actions : action if action.jwt_validation != null]
+
+    content {
+      dynamic "jwt_validation" {
+        for_each = [action.value.jwt_validation]
+
+        content {
+          issuer        = jwt_validation.value.issuer
+          jwks_endpoint = jwt_validation.value.jwks_endpoint
+
+          dynamic "additional_claim" {
+            for_each = jwt_validation.value.additional_claim != null ? jwt_validation.value.additional_claim : []
+
+            content {
+              format = additional_claim.value.format
+              name   = additional_claim.value.name
+              values = additional_claim.value.values
+            }
+          }
+        }
+      }
+
+      order = action.value.order
+      type  = "jwt-validation"
+    }
+  }
+
   # Fixed response
   dynamic "action" {
     for_each = [for action in each.value.actions : action if action.fixed_response != null]
diff --git a/modules/lb_trust_store/README.md b/modules/lb_trust_store/README.md
@@ -30,13 +30,13 @@ module "trust_store" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5.7 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.19 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 6.22 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.19 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 6.22 |
 
 ## Modules
 
diff --git a/modules/lb_trust_store/versions.tf b/modules/lb_trust_store/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
   }
 }
diff --git a/variables.tf b/variables.tf
@@ -269,6 +269,15 @@ variable "listeners" {
       target_group_arn = optional(string)
       target_group_key = optional(string)
     }))
+    jwt_validation = optional(object({
+      issuer        = string
+      jwks_endpoint = string
+      additional_claim = optional(list(object({
+        format = string
+        name   = string
+        values = list(string)
+      })))
+    }))
     weighted_forward = optional(object({
       target_groups = optional(list(object({
         target_group_arn = optional(string)
@@ -346,6 +355,15 @@ variable "listeners" {
           token_endpoint                      = string
           user_info_endpoint                  = string
         }))
+        jwt_validation = optional(object({
+          issuer        = string
+          jwks_endpoint = string
+          additional_claim = optional(list(object({
+            format = string
+            name   = string
+            values = list(string)
+          })))
+        }))
         fixed_response = optional(object({
           content_type = string
           message_body = optional(string)
diff --git a/versions.tf b/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
   }
 }
diff --git a/wrappers/lb_trust_store/versions.tf b/wrappers/lb_trust_store/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
   }
 }
diff --git a/wrappers/versions.tf b/wrappers/versions.tf
@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 6.19"
+      version = ">= 6.22"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ terraform {`
`4`	`4`	`required_providers {`
`5`	`5`	`aws = {`
`6`	`6`	`source = "hashicorp/aws"`
`7`		`- version = ">= 6.19"`
	`7`	`+ version = ">= 6.22"`
`8`	`8`	`}`
`9`	`9`	`null = {`
`10`	`10`	`source = "hashicorp/null"`