Releases: cloudposse/terraform-aws-alb

v2.5.0

16 Mar 19:56

feat(alb): add desync mitigation mode support @RoseSecurity (#206)

What and Why

This introduces support for configuring the desync mitigation mode on the AWS load balancer resource. It adds a new variable to control how the load balancer handles potentially risky HTTP desync requests, improving security configuration flexibility.

New desync mitigation mode support:

  • Added the desync_mitigation_mode argument to the aws_lb resource in main.tf, allowing the load balancer's HTTP desync handling to be configured.
  • Introduced a new desync_mitigation_mode variable in variables.tf with validation for accepted values (monitor, defensive, strictest) and a default of defensive.

v2.4.0

06 Nov 13:50

Add `enable_waf_fail_open` flag @tionichm (#205)

what

Add the `enable_waf_fail_open` flag to the ALB resource. Set the default value to `false` as this is the normal behaviour.

why

It is a property that we use in our deployments.

references

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html
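
The following is an added example written for this page; it is not code from the cloudposse/terraform-aws-alb module. It shows the two `aws_lb` arguments that v2.5.0 (#206) and v2.4.0 (#205) expose, `desync_mitigation_mode` with the validation the release notes describe and `enable_waf_fail_open`, applied to an internet-facing ALB. The resources `aws_security_group.alb` and `aws_subnet.public` are assumed to exist elsewhere in the configuration.

```hcl
# Added example, not the module's own code. aws_security_group.alb and
# aws_subnet.public (a counted resource) are assumed to be defined elsewhere.

variable "desync_mitigation_mode" {
  type        = string
  description = "How the ALB treats requests that could pose an HTTP desync (request smuggling) risk: monitor, defensive or strictest."
  default     = "defensive"

  validation {
    condition     = contains(["monitor", "defensive", "strictest"], var.desync_mitigation_mode)
    error_message = "desync_mitigation_mode must be one of: monitor, defensive, strictest."
  }
}

variable "enable_waf_fail_open" {
  type        = bool
  description = "Forward requests to targets when the ALB cannot reach AWS WAF. false (the default) fails closed."
  default     = false
}

resource "aws_lb" "this" {
  name               = "example-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.alb.id]
  subnets            = aws_subnet.public[*].id

  # monitor: accept every request and only classify it; defensive: drop requests
  # classified as Severe; strictest: drop everything that is not Compliant.
  # Tightening to strictest is a behaviour change for clients that send
  # ambiguous framing, so review the ALB access logs in monitor mode first.
  desync_mitigation_mode = var.desync_mitigation_mode

  # With a WAF web ACL attached, keeping this false means an unreachable WAF
  # produces an error response rather than uninspected traffic reaching targets.
  enable_waf_fail_open = var.enable_waf_fail_open
}
```

Passing `desync_mitigation_mode = "monitor"` is the right first step when migrating an existing ALB: nothing is dropped, and the classification shows up in the access logs so the impact of `defensive` or `strictest` can be judged before switching.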

v2.3.1

11 Jul 17:12
2e03f5c

Add support for load balancer capacity reservation @y3ti (#201)

what

Add support for minimum capacity units for Application Load Balancers (ALB).

why

AWS launched LCU Reservation support for Application Load Balancers (ALB) and Network Load Balancers (NLB). This feature enables proactive capacity management by allowing customers to set minimum capacity thresholds, ensuring consistent performance during traffic spikes.

The Terraform AWS Provider has supported this since v5.99.

references

chore: Replace Makefile with atmos.yaml @osterman (#198)

what

  • Switch to atmos for readme generation

🤖 Automatic Updates

Fix go version in tests @osterman (#199)

what

  • Update go to `1.24`

why

  • Error loading shared library libresolv.so.2 in Go 1.20

References

v2.3.0

13 May 11:17
da1d31e

allow alb ingress from security groups @mihaiplesa (#196)

what

Adds http_ingress_security_group_ids and https_ingress_security_group_ids and clarifies that security_group_ids does not allow access to the ALB from the security groups passed in.

why

Behaviour was misleading.

references

Resolves #197

v2.2.2

21 Jan 03:22
9bfceac

🚀 Enhancements

Fixes #134 - Does not create http_forward when aws_lb_target_group.default is disabled @spazm (#149)

What

Fixes #134 - Does not create http_forward when aws_lb_target_group.default is disabled

  • disables aws_lb_listener.http_forward when default_target_group is not enabled
  • target_group is required when type is 'redirect'

Why

See #134. Fixes this validation error when `default_target_group_enabled == 0`:

module.alb.aws_lb_listener.http_forward[0]: Creating...
╷
│ Error: creating ELBv2 Listener (arn:aws:elasticloadbalancing:...:...:loadbalancer/...): ValidationError: A target group ARN must be specified
│       status code: 400, request id: 7cf9d727-fc77-4d32-a160-deadbeefcafe
│
│   with module.alb.aws_lb_listener.http_forward[0],
│   on .terraform/modules/alb/main.tf line 150, in resource "aws_lb_listener" "http_forward":
│  150: resource "aws_lb_listener" "http_forward" {

references

closes #134

v2.2.1

05 Dec 00:21
08358de

🚀 Enhancements

feat: add load_balancing_anomaly_mitigation to TG @mschfh (#193)

what

Add load_balancing_anomaly_mitigation variable

references

lb_target_group
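
The following is an added example written for this page, not code from the cloudposse/terraform-aws-alb module. It serves two entries: v2.2.2 (#149), by gating both the default target group and the HTTP forward listener on the same boolean so the listener can never be created without a target group ARN (the ValidationError quoted in that entry), and v2.2.1 (#193), by setting the target group's `load_balancing_anomaly_mitigation` argument. `aws_lb.this` and `aws_vpc.this` are assumed to exist; the `load_balancing_algorithm_type` coupling is taken from the AWS provider documentation, not from the module.

```hcl
# Added example, not the module's own code. aws_lb.this and aws_vpc.this are
# assumed to be defined elsewhere in the configuration.

variable "default_target_group_enabled" {
  type        = bool
  description = "Create the default target group and the HTTP listener that forwards to it."
  default     = true
}

variable "load_balancing_anomaly_mitigation" {
  type        = string
  description = "Target anomaly mitigation for the default target group: on or off."
  default     = "off"
}

resource "aws_lb_target_group" "default" {
  # Zero instances when disabled; the listener below uses the same condition.
  count = var.default_target_group_enabled ? 1 : 0

  name     = "example-default-tg"
  port     = 80
  protocol = "HTTP"
  vpc_id   = aws_vpc.this.id

  # Anomaly mitigation is only supported with the weighted_random algorithm,
  # so the algorithm follows the mitigation setting instead of being set independently.
  load_balancing_algorithm_type     = var.load_balancing_anomaly_mitigation == "on" ? "weighted_random" : "round_robin"
  load_balancing_anomaly_mitigation = var.load_balancing_anomaly_mitigation
}

resource "aws_lb_listener" "http_forward" {
  # Before #149 this listener was created unconditionally and, with the target
  # group disabled, had no ARN to forward to, which the API rejects at create time.
  count = var.default_target_group_enabled ? 1 : 0

  load_balancer_arn = aws_lb.this.arn
  port              = 80
  protocol          = "HTTP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.default[0].arn
  }
}
```

Tying both `count` expressions to one variable rather than to `length(aws_lb_target_group.default)` keeps the plan deterministic: Terraform can evaluate the condition without first creating the target group.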

v2.2.0

01 Dec 07:06

feat: default https_ssl_policy to ELBSecurityPolicy-TLS13-1-2-2021-06 @jestallin (#179)

what

  • Updates default https_ssl_policy to ELBSecurityPolicy-TLS13-1-2-2021-06

why

  • ELBSecurityPolicy-TLS13-1-2-2021-06 is the default AWS recommendation.
  • The ELBSecurityPolicy-TLS13-1-2-2021-06 policy is the default security policy for TLS listeners created using the AWS Management Console.
  • We recommend the ELBSecurityPolicy-TLS13-1-2-2021-06 security policy, which includes TLS 1.3, and is backwards compatible with TLS 1.2.

references

v2.1.0

13 Nov 00:34
ef2c73b

fix: listener default action variable object block [HOTFIX REQUIRED!] @oycyc (#190)

what

Removes the default object block and changes it to null, making it consistent with the other default actions. The original mindset of having it was to default to HTTP_301 since it's a required attribute, but it doesn't matter because it is not optional() in the Terraform.

why

As described by @mschfh

this adds a redirect by default, as the default for the variable is an object, not null.

https://github.com/cloudposse/terraform-aws-alb/blob/cb8fa6558c4f8a49fa3aebf33505397c1ac74ad6/main.tf#L231-L232

https://github.com/cloudposse/terraform-aws-alb/blob/cb8fa6558c4f8a49fa3aebf33505397c1ac74ad6/variables.tf#L292-L311

Plan:

      ~ default_action {
          ~ type             = "forward" -> "redirect"
            # (2 unchanged attributes hidden)

          + redirect {
              + host        = "#{host}"
              + path        = "/#{path}"
              + port        = "#{port}"
              + protocol    = "#{protocol}"
              + query       = "#{query}"
              + status_code = "HTTP_301"
            }
        }

Explicitly passing listener_https_redirect = null to the module does prevent this change; please update the default or adjust the for_each.

references

Comment referencing this issue
#187 (comment)
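
The following is an added example written for this page, not code from the cloudposse/terraform-aws-alb module. It reproduces the pattern the hotfix (#190) describes, a redirect variable whose default is `null` so the HTTPS listener keeps a `forward` default action unless a redirect object is passed explicitly, and it sets the listener's `ssl_policy` to the v2.2.0 (#179) default. `aws_lb.this`, `aws_lb_target_group.default` and `var.certificate_arn` are assumed to exist; the exact object shape of the module's variable is an assumption modelled on the plan output above.

```hcl
# Added example, not the module's own code. aws_lb.this,
# aws_lb_target_group.default and var.certificate_arn are assumed to exist.
# optional() attribute defaults need Terraform 1.3 or newer.

variable "listener_https_redirect" {
  type = object({
    host        = optional(string, "#{host}")
    path        = optional(string, "/#{path}")
    port        = optional(string, "#{port}")
    protocol    = optional(string, "#{protocol}")
    query       = optional(string, "#{query}")
    status_code = string
  })
  description = "Redirect for the HTTPS listener's default action; null keeps the forward to the default target group."

  # Before #190 the default was an object with status_code = "HTTP_301", so the
  # for_each below rendered a redirect block (the plan diff shown above) for
  # every caller that did not explicitly pass null.
  default = null
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn

  # Default since #179: TLS 1.3 with TLS 1.2 fallback, the AWS-recommended policy.
  ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"

  default_action {
    type             = var.listener_https_redirect == null ? "forward" : "redirect"
    target_group_arn = var.listener_https_redirect == null ? aws_lb_target_group.default.arn : null

    # A null variable yields an empty list, so no redirect block is rendered.
    dynamic "redirect" {
      for_each = var.listener_https_redirect == null ? [] : [var.listener_https_redirect]
      content {
        host        = redirect.value.host
        path        = redirect.value.path
        port        = redirect.value.port
        protocol    = redirect.value.protocol
        query       = redirect.value.query
        status_code = redirect.value.status_code
      }
    }
  }
}
```

The unwanted `forward -> redirect` diff in the plan above is exactly what an object-typed default produces here: `for_each` sees a one-element list and emits the redirect block. With `default = null` the listener is unchanged for every existing caller.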

v2.0.0

08 Nov 18:18
cb8fa65

feat: alb client keep alive @oycyc (#189)

what
  • Adds the variable and argument for client_keep_alive.
  • This was just introduced pretty recently, in May 2024. hashicorp/terraform-provider-aws#36402
    • Therefore updated the version as well; this requires a major bump from v4 to v5.46.0.

why

references

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb#client_keep_alive-1

v1.12.0

07 Nov 20:01
95e6dc2

Add IPv6 ingress security group rules @mschfh (#186)

what
  • Added IPv6 support for ingress security groups
  • Added variable validation for http_ingress_cidr_blocks and https_ingress_cidr_blocks
  • Added variable validation for ip_address_type
  • Updated the http_ingress_cidr_blocks and https_ingress_cidr_blocks default values to include ::/0

why

The current implementation only configures IPv4 security group rules, causing IPv6 traffic to be dropped by default for dual-stack ALBs.

references

AWS Load Balancer dual-stack mode: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/application-load-balancers.html#ip-address-type
AWS Security Group IPv6 support: https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-rule-syntax
TF aws_security_group_rule resource: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#ipv6_cidr_blocks
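
The following is an added example written for this page, not code from the cloudposse/terraform-aws-alb module. It serves two entries: v1.12.0 (#186), by validating that every ingress CIDR is a well-formed IPv4 or IPv6 prefix and then splitting the list so a dual-stack ALB gets `cidr_blocks` and `ipv6_cidr_blocks` rules, and v2.3.0 (#196), by granting ingress from a list of source security groups, which is a separate thing from attaching security groups to the ALB itself. `aws_security_group.alb` is assumed to exist; the variable names are the module's, but the rule layout is an assumption.

```hcl
# Added example, not the module's own code. aws_security_group.alb is assumed
# to be the security group attached to the ALB.

variable "https_ingress_cidr_blocks" {
  type        = list(string)
  description = "IPv4 and IPv6 CIDR blocks allowed to reach the HTTPS listener."
  default     = ["0.0.0.0/0", "::/0"]

  validation {
    # cidrhost() accepts both IPv4 and IPv6 prefixes and errors on anything
    # else, so can() turns it into a syntax check for either family.
    condition     = alltrue([for c in var.https_ingress_cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in https_ingress_cidr_blocks must be a valid IPv4 or IPv6 CIDR block."
  }
}

variable "https_ingress_security_group_ids" {
  type        = list(string)
  description = "Security groups whose members may reach the HTTPS listener (not the groups attached to the ALB)."
  default     = []
}

locals {
  # An IPv6 prefix always contains a colon; an IPv4 prefix never does.
  https_ingress_ipv6 = [for c in var.https_ingress_cidr_blocks : c if can(regex(":", c))]
  https_ingress_ipv4 = [for c in var.https_ingress_cidr_blocks : c if !can(regex(":", c))]
}

resource "aws_security_group_rule" "https_ingress_cidr" {
  count = length(var.https_ingress_cidr_blocks) > 0 ? 1 : 0

  type              = "ingress"
  description       = "HTTPS from allowed IPv4/IPv6 prefixes"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.alb.id

  # Before #186 only cidr_blocks was set, so IPv6 clients of a dual-stack ALB
  # were dropped by the security group even though the listener was reachable.
  cidr_blocks      = length(local.https_ingress_ipv4) > 0 ? local.https_ingress_ipv4 : null
  ipv6_cidr_blocks = length(local.https_ingress_ipv6) > 0 ? local.https_ingress_ipv6 : null
}

resource "aws_security_group_rule" "https_ingress_sg" {
  # One rule per source group; #196 added this because passing a group in
  # security_group_ids attaches it to the ALB and grants nothing to its members.
  for_each = toset(var.https_ingress_security_group_ids)

  type                     = "ingress"
  description              = "HTTPS from security group ${each.value}"
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  security_group_id        = aws_security_group.alb.id
  source_security_group_id = each.value
}
```

The HTTP (port 80) rules follow the same shape with `http_ingress_cidr_blocks` and `http_ingress_security_group_ids`. Setting `ip_address_type = "ipv4"` on the ALB makes the `::/0` entry harmless but pointless, so environments that are IPv4-only should override the default list rather than rely on the ALB ignoring it.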