lattice-service

This module creates the following resources.

  • aws_vpclattice_service
  • aws_vpclattice_auth_policy (optional)
  • aws_vpclattice_resource_policy (optional)
  • aws_vpclattice_listener (optional)
  • aws_vpclattice_listener_rule (optional)
  • aws_vpclattice_service_network_service_association (optional)
  • aws_vpclattice_access_log_subscription (optional)

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| aws | >= 5.21 |

Providers

| Name | Version |
|------|---------|
| aws | 5.22.0 |

Modules

| Name | Source | Version |
|------|--------|---------|
| listener | ../lattice-service-listener | n/a |
| resource_group | tedilabs/misc/aws//modules/resource-group | ~> 0.10.0 |
| share | tedilabs/account/aws//modules/ram-share | ~> 0.27.0 |

Resources

| Name | Type |
|------|------|
| aws_vpclattice_access_log_subscription.cloudwatch | resource |
| aws_vpclattice_access_log_subscription.kinesis_data_firehose | resource |
| aws_vpclattice_access_log_subscription.s3 | resource |
| aws_vpclattice_auth_policy.this | resource |
| aws_vpclattice_resource_policy.this | resource |
| aws_vpclattice_service.this | resource |
| aws_vpclattice_service_network_service_association.this | resource |

Inputs

Name Description Type Default Required
name (Required) The name of the service. The name must be unique within the account. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen. This name will become part of the service DNS and can't be changed after the VPC Lattice service is created. string n/a yes
auth_policy (Optional) The auth policy. Authorization decisions are made based on the service network policy, this policy, and IAM permissions attached to the client identity (if referencing IAM identities in this policy). The policy string in JSON must not contain newlines or blank lines. string null no
auth_type (Optional) The type of authentication and authorization that manages client access to the service. Valid values are AWS_IAM or NONE. Defaults to NONE.
NONE - Authentication and authorization are turned off at the service level. Access to this service remains subject to the service network policy, if present. If no policy is present, all traffic from VPCs associated with the service network is allowed.
AWS_IAM - Applies an AWS IAM resource policy on the service, giving service owners the ability to enforce authentication and write fine-grained permissions. This policy is evaluated in addition to any policy present at the service network.
string "NONE" no
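As an added example (not taken from the module's own documentation), this is how auth_type and auth_policy can be combined so that only one IAM role may invoke the service, and only with read-only HTTP methods. The module source path, account ID and role name are placeholders.

```hcl
# Added example; the source path, account id and role name are placeholders.
module "orders_service" {
  source = "../lattice-service" # placeholder path to this module

  name      = "orders"
  auth_type = "AWS_IAM" # require SigV4-signed requests at the service level

  # jsonencode() emits compact single-line JSON, which satisfies the
  # "no newlines or blank lines" constraint documented for auth_policy.
  auth_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowCheckoutRoleReadOnly"
        Effect = "Allow"
        # Only this role can call the service; unsigned requests are rejected.
        Principal = { AWS = "arn:aws:iam::111122223333:role/checkout" } # placeholder
        Action    = "vpc-lattice-svcs:Invoke"
        Resource  = "*" # "*" here means this service only (the policy is attached to it)
        Condition = {
          StringEquals = {
            # Limit the allowed role to read-only methods.
            "vpc-lattice-svcs:RequestMethod" = ["GET", "HEAD"]
          }
        }
      }
    ]
  })
}
```

The service network's own auth policy, if any, is still evaluated in addition to this one, so both layers must allow a request for it to succeed.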
custom_domain (Optional) The configuration for a custom domain name to use in addition to the domain name that is generated by VPC Lattice. For HTTPS requests, you must also specify an SSL/TLS certificate that matches the custom domain name. If you specify a custom domain name, you must configure DNS routing after your service is created. This is to map DNS queries for the custom domain name to the VPC Lattice endpoint. If you’re using Route 53 as your DNS service, you can configure a CNAME record within the hosted zone that you own. custom_domain as defined below.
(Required) name - The name of the custom domain. The custom domain name will be used in addition to the domain name that VPC Lattice generates for the service. You can't change the custom domain name after the service is created. For a custom domain name change, you would need to create a new service.
(Optional) tls_certificate - The ARN (Amazon Resource Name) of the SSL/TLS certificate. The certificate will be required to process HTTPS requests for the custom domain name.
object({
name = string
tls_certificate = optional(string)
})
null no
description (Optional) The description of the service. This creates a tag with a key of Description and a value that you specify. string "Managed by Terraform." no
listeners (Optional) The configuration to add one or more listeners for the service. Set up listeners and rules to define how network traffic is routed within the service. A listener is a process that checks for connection requests, using the protocol and port that you configure. Each listener has a default action, and you can optionally define rules to enable content-based routing to the target groups that make up your service. Each block of listeners as defined below.
(Required) name - The name of the service listener. The name must be unique within the service. The valid characters are a-z, 0-9, and hyphens (-). You can't use a hyphen as the first or last character, or immediately after another hyphen.
(Optional) port - The port number on which the service listener listens. Valid values are from 1 to 65535. If port is not specified and protocol is HTTP, the value defaults to 80. If port is not specified and protocol is HTTPS, the value defaults to 443.
(Required) protocol - The protocol for the service listener. Valid values are HTTP and HTTPS.
(Required) default_action_type - The type of default routing action. The default action applies to traffic that does not meet the conditions of any rule on your listener. Rules can be configured after the listener is created. Valid values are FORWARD, FIXED_RESPONSE.
(Optional) default_action_parameters - The configuration for the parameters of the default routing action. default_action_parameters block as defined below.
(Optional) status_code - Custom HTTP status code to drop client requests and return a custom HTTP response. Valid values are 404. Only supported if default_action_type is FIXED_RESPONSE.
(Optional) destinations - A list of one or more target groups to route traffic. Only supported if default_action_type is FORWARD. Each item of destinations block as defined below.
(Required) target_group - The ID or ARN of the target group to which to route traffic.
(Optional) weight - The weight used when routing traffic to target_group; it determines how requests are distributed among the target groups. Only required if you specify multiple target groups for a forward action. For example, if you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. Valid values are 0 to 999. Defaults to 100.
(Optional) rules - A list of rules to enable content-based routing to the target groups that make up the service. Each rule consists of a priority, one or more actions, and one or more conditions. Each block of rules block as defined below.
(Required) priority - The priority assigned to the rule. Each rule for a specific listener must have a unique priority. The lower the priority number, the higher the priority.
(Optional) name - A rule name can describe the purpose of the rule or the type of traffic it is intended to handle. Rule names can't be changed after creation. Defaults to $(service)-$(priority).
(Required) conditions - The rule conditions. conditions block as defined below.
(Optional) method - The condition of HTTP request method. Valid values are GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH.
(Required) path - The condition of HTTP request path. path block as defined below.
(Required) value - The path pattern. The pattern must start with /.
(Optional) operator - The operator that you want to use to determine whether an HTTP request path matches the conditions. Valid values are EXACT, PREFIX. Defaults to PREFIX.
(Optional) case_sensitive - Whether to match the value condition using a case-sensitive match. Defaults to false.
(Optional) headers - The condition of HTTP request headers. Each block of headers as defined below.
(Required) name - The name of the HTTP header field.
(Required) value - The value of the HTTP header field.
(Optional) operator - The operator that you want to use to determine whether an HTTP header matches the conditions. Valid values are EXACT, PREFIX, CONTAINS. Defaults to EXACT.
(Optional) case_sensitive - Whether to match the value condition using a case-sensitive match. Defaults to false.
(Required) action_type - The action type for the rule of the service. Valid values are FORWARD, FIXED_RESPONSE.
(Optional) action_parameters - The configuration for the parameters of the routing action. action_parameters block as defined below.
(Optional) status_code - Custom HTTP status code to drop client requests and return a custom HTTP response. Valid values are 404. Only supported if action_type is FIXED_RESPONSE.
(Optional) destinations - A list of one or more target groups to route traffic. Only supported if action_type is FORWARD. Each item of destinations block as defined below.
(Required) target_group - The ID or ARN of the target group to which to route traffic.
(Optional) weight - The weight used when routing traffic to target_group; it determines how requests are distributed among the target groups. Only required if you specify multiple target groups for a forward action. For example, if you specify two target groups, one with a weight of 10 and the other with a weight of 20, the target group with a weight of 20 receives twice as many requests as the other target group. Valid values are 0 to 999. Defaults to 100.
(Optional) tags - A map of tags to add to the service listeners.
list(object({
name = string
port = optional(number)
protocol = string

default_action_type = string
default_action_parameters = optional(object({
status_code = optional(number, 404)
destinations = optional(list(object({
target_group = string
weight = optional(number, 100)
})), [])
}), {})

rules = optional(list(object({
priority = number
name = optional(string)

conditions = object({
method = optional(string)
path = object({
value = string
operator = optional(string, "PREFIX")
case_sensitive = optional(bool, false)
})
headers = optional(list(object({
name = string
value = string
operator = optional(string, "EXACT")
case_sensitive = optional(bool, false)
})), [])
})

action_type = string
action_parameters = optional(object({
status_code = optional(number, 404)
destinations = optional(list(object({
target_group = string
weight = optional(number, 100)
})), [])
}), {})
})), [])

tags = optional(map(string), {})
}))
[] no
logging_to_cloudwatch (Optional) The configuration to enable access logs to be sent to an Amazon CloudWatch Log Group. The service owner can use the access logs to audit the services in the network. The service owner will only see access logs from clients and services that are associated with their service. Access log entries represent traffic originating from VPCs associated with that network. logging_to_cloudwatch as defined below.
(Optional) enabled - Whether to enable access logs to be sent to Amazon CloudWatch Log Group.
(Optional) log_group - The ARN (Amazon Resource Name) of the CloudWatch Log Group.
object({
enabled = optional(bool, false)
log_group = optional(string, "")
})
{} no
logging_to_kinesis_data_firehose (Optional) The configuration to enable access logs to be sent to Amazon Kinesis Data Firehose. The service owner can use the access logs to audit the services in the network. The service owner will only see access logs from clients and services that are associated with their service. Access log entries represent traffic originating from VPCs associated with that network. logging_to_kinesis_data_firehose as defined below.
(Optional) enabled - Whether to enable access logs to be sent to Amazon Kinesis Data Firehose.
(Optional) delivery_stream - The ARN (Amazon Resource Name) of the Kinesis Data Firehose delivery stream.
object({
enabled = optional(bool, false)
delivery_stream = optional(string, "")
})
{} no
logging_to_s3 (Optional) The configuration to enable access logs to be sent to an Amazon S3 Bucket. The service owner can use the access logs to audit the services in the network. The service owner will only see access logs from clients and services that are associated with their service. Access log entries represent traffic originating from VPCs associated with that network. logging_to_s3 as defined below.
(Optional) enabled - Whether to enable access logs to be sent to Amazon S3 Bucket.
(Optional) bucket - The ARN (Amazon Resource Name) of the S3 Bucket.
object({
enabled = optional(bool, false)
bucket = optional(string, "")
})
{} no
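An added example (not from the module's documentation) that ties the listeners and logging_to_cloudwatch inputs above together: an HTTPS listener whose default action is a 404, one rule that forwards GET requests under /api/ across two weighted target groups, and access logs delivered to CloudWatch. The module source path, certificate ARN, target group IDs and log group ARN are placeholders.

```hcl
# Added example; source path, certificate ARN, target group IDs and log group ARN are placeholders.
module "orders_service" {
  source = "../lattice-service" # placeholder path to this module

  name = "orders"

  custom_domain = {
    name            = "orders.api.example.com"
    tls_certificate = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER"
  }

  listeners = [
    {
      name     = "https"
      protocol = "HTTPS" # port is omitted, so it defaults to 443

      # Traffic matching no rule gets a 404 rather than being forwarded,
      # so a path is only reachable once a rule explicitly routes it.
      default_action_type       = "FIXED_RESPONSE"
      default_action_parameters = { status_code = 404 }

      rules = [
        {
          priority = 10 # lower number = evaluated first
          name     = "api-reads"
          conditions = {
            method = "GET"
            path   = { value = "/api/", operator = "PREFIX" } # case_sensitive defaults to false
          }
          action_type = "FORWARD"
          action_parameters = {
            destinations = [
              # weights 90/10: the canary target group receives about 10% of matching requests
              { target_group = "tg-0123456789abcdef0", weight = 90 }, # placeholder id
              { target_group = "tg-0fedcba9876543210", weight = 10 }  # placeholder id
            ]
          }
        }
      ]
    }
  ]

  # Access logs are what lets the service owner audit which clients called which paths.
  logging_to_cloudwatch = {
    enabled   = true
    log_group = "arn:aws:logs:us-east-1:111122223333:log-group:/lattice/orders" # placeholder
  }
}
```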
module_tags_enabled (Optional) Whether to create AWS Resource Tags for the module information. bool true no
policy (Optional) A resource-based permission policy for the service. The policy must contain the same actions and condition statements as the Amazon Web Services Resource Access Manager permission for sharing services and service networks. string null no
resource_group_description (Optional) The description of Resource Group. string "Managed by Terraform." no
resource_group_enabled (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. bool true no
resource_group_name (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws. string "" no
service_network_associations (Optional) The configuration for the service network associations with the service. To facilitate network client access to your service, you will need to associate your service to the relevant service networks. Only service networks created in the same account, or that have been shared with you (by way of Resource Access Manager), are available for you to create associations with. Each block of service_network_associations as defined below.
(Required) name - The name of the service association.
(Required) service_network - The ID or ARN (Amazon Resource Name) of the service network.
(Optional) tags - A map of tags to add to the service association.
list(object({
name = string
service_network = string
tags = optional(map(string), {})
}))
[] no
shares (Optional) A list of resource shares via RAM (Resource Access Manager).
list(object({
name = optional(string)

permissions = optional(set(string), ["AWSRAMPermissionVpcLatticeServiceReadWrite"])

external_principals_allowed = optional(bool, false)
principals = optional(set(string), [])

tags = optional(map(string), {})
}))
[] no
tags (Optional) A map of tags to add to all resources. map(string) {} no
timeouts (Optional) How long to wait for the service to be created/deleted.
object({
create = optional(string, "5m")
delete = optional(string, "5m")
})
{} no

Outputs

Name Description
arn The ARN of the service.
auth_type The type of authentication and authorization that manages client access to the service.
custom_domain The configuration for a custom domain name to use in addition to the domain name that is generated by VPC Lattice.
description The description of the service.
domain The DNS name of the service.
id The ID of the service.
listeners The configuration for listeners of the service.
id - The ID of the service listener.
arn - The ARN of the service listener.
name - The name of the service listener.
port - The number of port on which the listener of the service is listening.
protocol - The protocol for the service listener.
default_action - The configuration for default routing action of the service listener.
rules - The list of rules to enable content-based routing to the target groups that make up the service.
created_at - Date and time that the listener was created, specified in ISO-8601 format.
updated_at - Date and time that the listener was last updated, specified in ISO-8601 format.
logging The configuration for access logs of the service.
cloudwatch - The configuration for access logs to be sent to Amazon CloudWatch Log Group.
kinesis_data_firehose - The configuration for access logs to be sent to Amazon Kinesis Data Firehose Delivery Stream.
s3 - The configuration for access logs to be sent to Amazon S3 Bucket.
name The name of the service.
service_network_associations The configuration for the service network associations with the service.
id - The ID of the association.
arn - The ARN of the association.
status - The status of the association operation. Valid values are CREATE_IN_PROGRESS, ACTIVE, DELETE_IN_PROGRESS, CREATE_FAILED, DELETE_FAILED.
created_by - The principal that created the association.
service_network - The ARN (Amazon Resource Name) of the service network.
sharing The configuration for sharing of the Lattice service.
status - An indication of whether the Lattice service is shared with other AWS accounts, or was shared with the current account by another AWS account. Sharing is configured through AWS Resource Access Manager (AWS RAM). Values are NOT_SHARED, SHARED_BY_ME or SHARED_WITH_ME.
shares - The list of resource shares via RAM (Resource Access Manager).
status The status of the service.
zone_id The canonical hosted zone ID of the service to be used in a Route 53 CNAME record.