This module has been deprecated and is no longer maintained. Should you need to continue to use it, please fork the repository. Thank you.
Creates a Lambda function that will update NLB target groups to point to an ALB's IP addresses. This is modeled after the architecture described by AWS.
This is useful for situations where an ALB is in use, but IP addresses must be allowlisted. ALBs do not use static IP addresses, so this module provides a solution to that problem.
This module creates the following resources:
- Lambda function that updates the supplied NLB's target groups to point to the ALB's current IPs
- CloudWatch event rule that triggers the Lambda function every minute
- CloudWatch log group
- IAM policy to allow the Lambda to update the NLB's target groups, save state to an S3 bucket, and log to CloudWatch
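The reconciliation step the Lambda performs, as an added example that is not the module's own Lambda code: it resolves the ALB's FQDN repeatedly (an ALB answers with a rotating subset of its node IPs, so a single lookup can miss nodes), validates the answers, and diffs them against the saved state to decide which targets to register now and which to deregister only after they have been missing for a configured number of invocations. The state layout (an `active` list plus a `pending` map of consecutive misses) and the function names are assumptions; the actual ELBv2 and S3 calls are left to the caller.

```python
"""Added example, not the module's code: pure reconciliation logic for an
NLB target group that must follow an ALB's changing IP addresses.

Assumed state document (not taken from the module):
  {"active": [ip, ...], "pending": {ip: consecutive_misses}}
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable, Optional

Resolver = Callable[[str], Iterable[str]]


def _system_resolver(hostname: str) -> set[str]:
    """Default resolver: IPv4 answers from the OS resolver."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}


def resolve_alb_ips(hostname: str, max_lookups: int,
                    resolver: Optional[Resolver] = None) -> set[str]:
    """Union the answers of up to max_lookups DNS queries for the ALB FQDN.

    Every answer is parsed as an IPv4 address before it is accepted, so a
    malformed or unexpected resolver answer raises instead of becoming a
    target the NLB would forward traffic to.
    """
    resolver = resolver or _system_resolver
    seen: set[str] = set()
    for _ in range(max_lookups):
        for answer in resolver(hostname):
            seen.add(str(ipaddress.IPv4Address(answer)))  # raises ValueError on junk
    return seen


def plan_update(resolved: set[str], state: dict,
                invocations_before_deregistration: int) -> dict:
    """Decide registrations/deregistrations and produce the next state.

    - an IP in DNS but not yet active is registered immediately
    - an active IP missing from DNS is counted in "pending"; it is only
      deregistered once it has been missing for the configured number of
      consecutive invocations, and the count resets if it reappears
    """
    active = set(state.get("active", []))
    pending = dict(state.get("pending", {}))
    to_register = sorted(resolved - active)
    to_deregister: list[str] = []
    next_pending: dict[str, int] = {}

    for ip in active:
        if ip in resolved:
            continue  # still served by the ALB; any pending count is dropped
        misses = pending.get(ip, 0) + 1
        if misses >= invocations_before_deregistration:
            to_deregister.append(ip)
        else:
            next_pending[ip] = misses

    next_active = (active | resolved) - set(to_deregister)
    return {
        "register": to_register,
        "deregister": sorted(to_deregister),
        "state": {"active": sorted(next_active), "pending": next_pending},
    }


if __name__ == "__main__":
    # Constructed sample: one node left the ALB, one joined.
    saved = {"active": ["10.0.1.10", "10.0.2.20"], "pending": {}}
    print(plan_update({"10.0.1.10", "10.0.3.30"}, saved, 3))
```

In production the caller would load `state` from the status S3 bucket, call `resolve_alb_ips(alb_dns_name, max_lookup_per_invocation)`, apply `register`/`deregister` to the target group, and write `state` back; keeping the decision logic pure makes the deregistration delay easy to test without touching AWS.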
This module supports Terraform 1.x.
```hcl
module "example" {
  source = "trussworks/nlb-tg-to-alb/aws"

  alb_dns_name          = "name-env-1234567890.us-gov-west-1.elb.amazonaws.com"
  lambda_job_identifier = "nlb-tg-updater"
  lambda_s3_bucket      = "s3-bucket-that-stores-deployment-zip-file"
  lambda_s3_key         = "deployment.zip"
  name                  = "example"
  # Must be the ARN of the NLB's target group, not of the NLB itself.
  nlb_target_group_arn  = "arn:aws-us-gov:elasticloadbalancing:us-gov-west-1:012345678901:targetgroup/nlb-name-env/abcdef0123456789"
  status_s3_bucket      = "s3-bucket-that-stores-lambda-state"
}
```
This requires that you set up a few things:
- An S3 bucket to store the Lambda ZIP file
- An S3 bucket to store the Lambda state (active and pending IP lists); this can be the same bucket as where the Lambda ZIP file is stored or it can be a separate S3 bucket
- An NLB that will redirect traffic to the ALB
- An ALB that will receive traffic from the NLB
Requirements

Name | Version |
---|---|
terraform | >= 0.13 |
aws | ~> 4.0 |
Providers

Name | Version |
---|---|
aws | 4.45.0 |
Modules

Name | Source | Version |
---|---|---|
updater | trussworks/lambda/aws | 2.5.0 |
Resources

Name | Type |
---|---|
aws_cloudwatch_event_rule.main | resource |
aws_cloudwatch_event_target.main | resource |
aws_iam_policy.main | resource |
aws_iam_policy_document.main | data source |
aws_partition.current | data source |
Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
alb_dns_name | The FQDN of the ALB. | string | n/a | yes |
alb_listener_port | The port on which the ALB listens. | number | 443 | no |
enable_cloudwatch_metrics | Enable CloudWatch metrics for IP address count. | bool | true | no |
invocations_before_deregistration | The number of invocations required before an IP address is deregistered. | number | 3 | no |
lambda_job_identifier | A way to uniquely identify this Lambda function. | string | n/a | yes |
lambda_s3_bucket | Name of the S3 bucket used to store the Lambda build. | string | n/a | yes |
lambda_s3_key | S3 object key of the Lambda build ZIP within `lambda_s3_bucket`. | string | n/a | yes |
log_retention_days | Number of days to retain logs. | number | 30 | no |
max_lookup_per_invocation | The maximum number of DNS lookups performed per Lambda invocation. | number | 50 | no |
name | Lambda function name. | string | n/a | yes |
nlb_target_group_arn | The ARN of the NLB's target group. | string | n/a | yes |
status_s3_bucket | The name of the S3 bucket that will store the pending and active IP information produced by the Lambda function. | string | n/a | yes |
tags | Tags applied to each AWS resource. | map(string) | {} | no |

Outputs

No outputs.
Install dependencies (macOS)

```sh
brew install pre-commit go terraform terraform-docs
pre-commit install --install-hooks
```