
Not able to create alb listeners rule with multiple conditions

Open: Aniketvaidhya opened this issue 1 year ago • 7 comments

Hello Team,

I am trying to create an ALB listener rule with multiple conditions (in my case the first condition is Path Pattern /v2/* and the second condition is HTTP Header myapp-secret is myapp-secret-value).

I have tried the below configuration under the rules:

  conditions = [{
    path_patterns = ["/v2/*"],
    http_header = {
      http_header_name = "myapp-secret"
      values           = ["myapp-secret-value"]
    }
  }]

When I run the terraform plan, it is not able to identify the second condition and hence, only the condition path_patterns = ["/v2/*"] is applied to the listeners.

Alternately, I have also tried the below configuration:

  conditions = [{
    path_patterns = ["/v2/*"]
  }]

  conditions = [{
    http_header = {
      http_header_name = "myapp-secret"
      values           = ["myapp-secret-value"]
    }
  }]

In this case, after terraform plan I am getting this error :

╷
│ Error: Insufficient condition blocks
│ ......
│ At least 1 "condition" blocks are required.

Can someone please confirm what I am missing or do I need to use some dynamic conditions here?

Aniketvaidhya, Feb 01 '24 11:02
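A check for the outcome described in the post above, where the plan keeps the path condition and drops the header condition without an error (added example, not code from this thread or from the module). It reads the JSON produced by `terraform show -json`; the sample plan, its resource addresses and the nested-block layout shown are constructed assumptions.

```python
import json

KINDS = ("host_header", "http_header", "http_request_method",
         "path_pattern", "query_string", "source_ip")

# Constructed sample in the shape of `terraform show -json <planfile>`:
# one rule planned with only the path condition, one with both conditions.
# Resource addresses are made up for this example.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "aws_lb_listener_rule.path_only", "type": "aws_lb_listener_rule",
   "change": {"after": {"condition": [
     {"path_pattern": [{"values": ["/v2/*"]}], "http_header": []}]}}},
  {"address": "aws_lb_listener_rule.path_and_header", "type": "aws_lb_listener_rule",
   "change": {"after": {"condition": [
     {"path_pattern": [{"values": ["/v2/*"]}], "http_header": []},
     {"path_pattern": [], "http_header": [
       {"http_header_name": "myapp-secret", "values": ["myapp-secret-value"]}]}]}}}
]}
""")


def rule_conditions(plan):
    """Map each planned aws_lb_listener_rule address to its (kind, header name) pairs."""
    rules = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_lb_listener_rule":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # None when the rule is deleted
        found = []
        for cond in after.get("condition") or []:
            for kind in KINDS:
                for block in cond.get(kind) or []:
                    # Header names are case-insensitive, so normalise before comparing.
                    name = (block.get("http_header_name") or "").lower() if kind == "http_header" else None
                    found.append((kind, name))
        rules[rc["address"]] = found
    return rules


def rules_missing_header(plan, header_name):
    """Addresses of rules that match on a path but carry no condition on header_name."""
    wanted = ("http_header", header_name.lower())
    return sorted(addr for addr, conds in rule_conditions(plan).items()
                  if any(k == "path_pattern" for k, _ in conds) and wanted not in conds)


if __name__ == "__main__":
    for addr in rules_missing_header(SAMPLE_PLAN, "myapp-secret"):
        print(f"{addr}: path condition planned without the myapp-secret header condition")
```

Run against a real plan by loading the output of `terraform show -json` with `json.load` and failing the pipeline when the returned list is not empty.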

This is an interesting one as the documentation for the underlying aws_lb_listener_rule resource requires you to do:-

resource "aws_lb_listener_rule" "static" {
  .......
  condition {
    path_pattern {
      values = ["/v2/*"]
    }
  }

  condition {
    http_header {
      http_header_name = "myapp-secret"
      values = ["myapp-secret-value"]
    }
  }
}

with multiple condition blocks but the code in this module at https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/main.tf#L363 looks to create a single condition block with multiple conditions

I tried:-

conditions = [{
  path_pattern = {
    values = [
      "/v2/*"
    ]
  },
  http_header = {
    http_header_name = "myapp-secret"
    values           = ["myapp-secret-value"]
  }
}]

which seemed to work but then errored out with

│ Error: Only one of host_header, http_header, http_request_method, path_pattern, query_string or source_ip can be set in a condition block

I think it's possibly a bug or maybe we're just not understanding correctly what we need to pass in.

trevorrea, Feb 06 '24 10:02

@trevorrea I have also tried different ways but was not able to create it. If it is a bug, how do I raise it here?

Aniketvaidhya, Feb 07 '24 05:02

Hello, I have the same use case where I need to define more than one condition in the ALB listener rule. I agree with @trevorrea that this module creates only one condition block, but when I tried to change it locally I hit another issue: when you define more than one condition you see this error:

│ Error: Invalid value for input variable
│
│   on vars.tf line 183:
│   183: variable "listeners" {
│
│ Unsuitable value for var.listeners set using the TF_VAR_listeners
│ environment variable: all map elements must have the same type.

I tried different options to set it but it looks like we are limited here by the maps limitation. Any ideas?

loki-dv, Feb 13 '24 05:02

I think the solution would be to deal with the condition blocks in much the same way as the action blocks at https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/main.tf#L247

For the action blocks you can do the following

resource "aws_lb_listener_rule" "admin" {
  listener_arn = aws_lb_listener.front_end.arn

  action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = aws_cognito_user_pool.pool.arn
      user_pool_client_id = aws_cognito_user_pool_client.client.id
      user_pool_domain    = aws_cognito_user_pool_domain.domain.domain
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.static.arn
  }
}

This is a bit more difficult as there is no equivalent of the type values in the condition blocks currently supported.

I'll see if I can do a PR and test it locally.

trevorrea, Feb 13 '24 08:02

I have a quick and dirty change at https://github.com/trevorrea/terraform-aws-alb if anyone would like to test. Commit is https://github.com/terraform-aws-modules/terraform-aws-alb/compare/master...trevorrea:terraform-aws-alb:master to change the condition blocks to be the same format as the action blocks.

I tested locally really quickly and it seemed to work. I'll need to do a bit more testing before opening an MR.

trevorrea, Feb 13 '24 09:02

Hi, It's a major issue and your fix is working great. Please merge it :) Regards

florianmagnin, Feb 27 '24 10:02

hi, the same issue, pls fix it.

alexgoddity, Mar 07 '24 07:03

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

github-actions[bot], Apr 08 '24 02:04