Merge branch 'main' into dependabot/go_modules/test/src/go_modules-f6…

…632a53ef

.github/settings.yml

@@ -5,3 +5,7 @@ repository:
   description: Terraform module to provision a standard ALB for HTTP/HTTP traffic
   homepage: https://cloudposse.com/accelerate
   topics: terraform, terraform-module, aws, alb, load-balancer, ecs, ec2, layer7, ingress, tls, acm, http, https, elb, hcl2
+
+
+
+

.github/workflows/chatops.yml

@@ -8,9 +8,10 @@ permissions:
   pull-requests: write
   id-token: write
   contents: write
+  statuses: write
 
 jobs:
-  terraform-module:
+  test:
     uses: cloudposse/.github/.github/workflows/shared-terraform-chatops.yml@main
-    secrets:
-      github_access_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+    if: ${{ github.event.issue.pull_request && contains(github.event.comment.body, '/terratest') }}
+    secrets: inherit

main.tf

@@ -1,3 +1,13 @@
+locals {
+  # cidrnetmask returns an error for IPv6 addresses
+  # cidrhost works with both IPv4 and IPv6, and returns an error if the argument is not a valid IPv4/IPv6 CIDR prefix
+  http_ingress_cidr_blocks_v4  = [for cidr in var.http_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))]
+  http_ingress_cidr_blocks_v6  = var.ip_address_type == "dualstack" ? [for cidr in var.http_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : []
+  https_ingress_cidr_blocks_v4 = [for cidr in var.https_ingress_cidr_blocks : cidr if can(cidrnetmask(cidr))]
+  https_ingress_cidr_blocks_v6 = var.ip_address_type == "dualstack" ? [for cidr in var.https_ingress_cidr_blocks : cidr if !can(cidrnetmask(cidr)) && can(cidrhost(cidr, 0))] : []
+}
+
+
 resource "aws_security_group" "default" {
   count       = module.this.enabled && var.security_group_enabled ? 1 : 0
   description = "Controls access to the ALB (HTTP/HTTPS)"
@@ -22,7 +32,8 @@ resource "aws_security_group_rule" "http_ingress" {
   from_port         = var.http_port
   to_port           = var.http_port
   protocol          = "tcp"
-  cidr_blocks       = var.http_ingress_cidr_blocks
+  cidr_blocks       = local.http_ingress_cidr_blocks_v4
+  ipv6_cidr_blocks  = local.http_ingress_cidr_blocks_v6
   prefix_list_ids   = var.http_ingress_prefix_list_ids
   security_group_id = one(aws_security_group.default[*].id)
 }
@@ -33,7 +44,8 @@ resource "aws_security_group_rule" "https_ingress" {
   from_port         = var.https_port
   to_port           = var.https_port
   protocol          = "tcp"
-  cidr_blocks       = var.https_ingress_cidr_blocks
+  cidr_blocks       = local.https_ingress_cidr_blocks_v4
+  ipv6_cidr_blocks  = local.https_ingress_cidr_blocks_v6
   prefix_list_ids   = var.https_ingress_prefix_list_ids
   security_group_id = one(aws_security_group.default[*].id)
 }
@@ -90,6 +102,7 @@ resource "aws_lb" "default" {
   drop_invalid_header_fields       = var.drop_invalid_header_fields
   preserve_host_header             = var.preserve_host_header
   xff_header_processing_mode       = var.xff_header_processing_mode
+  client_keep_alive                = var.client_keep_alive
 
   access_logs {
     bucket  = try(element(compact([var.access_logs_s3_bucket_id, module.access_logs.bucket_id]), 0), "")
@@ -203,8 +216,8 @@ resource "aws_lb_listener" "https" {
   tags            = merge(module.this.tags, var.listener_additional_tags)
 
   default_action {
-    target_group_arn = var.listener_https_fixed_response != null ? null : one(aws_lb_target_group.default[*].arn)
-    type             = var.listener_https_fixed_response != null ? "fixed-response" : "forward"
+    target_group_arn = var.listener_https_fixed_response != null || var.listener_https_redirect != null ? null : one(aws_lb_target_group.default[*].arn)
+    type             = var.listener_https_fixed_response != null ? "fixed-response" : var.listener_https_redirect != null ? "redirect" : "forward"
 
     dynamic "fixed_response" {
       for_each = var.listener_https_fixed_response != null ? [var.listener_https_fixed_response] : []
@@ -214,6 +227,18 @@ resource "aws_lb_listener" "https" {
         status_code  = fixed_response.value["status_code"]
       }
     }
+
+    dynamic "redirect" {
+      for_each = var.listener_https_redirect != null ? [var.listener_https_redirect] : []
+      content {
+        host        = redirect.value["host"]
+        path        = redirect.value["path"]
+        port        = redirect.value["port"]
+        protocol    = redirect.value["protocol"]
+        query       = redirect.value["query"]
+        status_code = redirect.value["status_code"]
+      }
+    }
   }
 }
 

test/src/examples_complete_test.go

@@ -72,11 +72,11 @@ func TestExamplesComplete(t *testing.T) {
 
 	// Run `terraform output` to get the value of an output variable
 	defaultTargetGroupArn := terraform.Output(t, terraformOptions, "default_target_group_arn")
-	// Verify we're getting back the outputs we expect something like "arn:aws:elasticloadbalancing:us-east-2:126450723953:targetgroup/eg-test-alb-11514-default/89e9fe401fc63cf7
-	assert.Contains(t, defaultTargetGroupArn, "arn:aws:elasticloadbalancing:us-east-2:126450723953:targetgroup/eg-test-alb-"+attributes[0]+"-default")
+	// Verify we're getting back the outputs we expect something like "arn:aws:elasticloadbalancing:us-east-2:799847381734:targetgroup/eg-test-alb-11514-default/89e9fe401fc63cf7
+	assert.Contains(t, defaultTargetGroupArn, "arn:aws:elasticloadbalancing:us-east-2:799847381734:targetgroup/eg-test-alb-"+attributes[0]+"-default")
 
 	// Run `terraform output` to get the value of an output variable
 	httpListenerArn := terraform.Output(t, terraformOptions, "http_listener_arn")
 	// Verify we're getting back the outputs we expect
-	assert.Contains(t, httpListenerArn, "arn:aws:elasticloadbalancing:us-east-2:126450723953:listener/app/eg-test-alb-"+attributes[0])
+	assert.Contains(t, httpListenerArn, "arn:aws:elasticloadbalancing:us-east-2:799847381734:listener/app/eg-test-alb-"+attributes[0])
 }

variables.tf

@@ -40,8 +40,13 @@ variable "http_redirect" {
 
 variable "http_ingress_cidr_blocks" {
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = ["0.0.0.0/0", "::/0"]
   description = "List of CIDR blocks to allow in HTTP security group"
+
+  validation {
+    condition     = alltrue([for cidr in var.http_ingress_cidr_blocks : can(cidrhost(cidr, 0))])
+    error_message = "Each entry in http_ingress_cidr_blocks must be a valid CIDR block."
+  }
 }
 
 variable "http_ingress_prefix_list_ids" {
@@ -70,8 +75,13 @@ variable "https_enabled" {
 
 variable "https_ingress_cidr_blocks" {
   type        = list(string)
-  default     = ["0.0.0.0/0"]
+  default     = ["0.0.0.0/0", "::/0"]
   description = "List of CIDR blocks to allow in HTTPS security group"
+
+  validation {
+    condition     = alltrue([for cidr in var.https_ingress_cidr_blocks : can(cidrhost(cidr, 0))])
+    error_message = "Each entry in https_ingress_cidr_blocks must be a valid CIDR block."
+  }
 }
 
 variable "https_ingress_prefix_list_ids" {
@@ -132,6 +142,11 @@ variable "ip_address_type" {
   type        = string
   default     = "ipv4"
   description = "The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack`."
+
+  validation {
+    condition     = contains(["ipv4", "dualstack"], var.ip_address_type)
+    error_message = "ip_address_type must be either `ipv4` or `dualstack`."
+  }
 }
 
 variable "deletion_protection_enabled" {
@@ -274,6 +289,20 @@ variable "listener_https_fixed_response" {
   default = null
 }
 
+variable "listener_https_redirect" {
+  description = "Have the HTTPS listener return a redirect response for the default action."
+  # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener#status_code-2
+  type = object({
+    host        = optional(string)
+    path        = optional(string)
+    port        = optional(string)
+    protocol    = optional(string)
+    query       = optional(string)
+    status_code = string
+  })
+  default = null
+}
+
 variable "lifecycle_configuration_rules" {
   type = list(object({
     enabled = bool
@@ -360,3 +389,9 @@ variable "xff_header_processing_mode" {
   default     = "append"
   description = "Determines how the load balancer modifies the X-Forwarded-For header in the HTTP request before sending the request to the target. The possible values are append, preserve, and remove. Only valid for Load Balancers of type application. The default is append"
 }
+
+variable "client_keep_alive" {
+  type        = number
+  default     = 3600
+  description = "Client keep alive value in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds."
+}

versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.0"
+      version = ">= 5.46"
     }
   }
-}
+}