Try SpotterManage an Application Load Balancer
| "added in version" 1.0.0 of community.aws"
Authors: Rob White (@wimnat)
Install with ansible-galaxy collection install community.aws:==3.4.0
collections:
- name: community.aws
version: 3.4.0Manage an AWS Application Elastic Load Balancer. See U(https://aws.amazon.com/blogs/aws/new-aws-application-load-balancer/) for details.
# Note: These examples do not set authentication details, see the AWS Guide for details.
# Create an ALB and attach a listener
- community.aws.elb_application_lb:
name: myalb
security_groups:
- sg-12345678
- my-sec-group
subnets:
- subnet-012345678
- subnet-abcdef000
listeners:
- Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
Port: 80 # Required. The port on which the load balancer is listening.
# The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
SslPolicy: ELBSecurityPolicy-2015-05
Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
- CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
DefaultActions:
- Type: forward # Required.
TargetGroupName: # Required. The name of the target group
state: present
# Create an ALB and attach a listener with logging enabled
- community.aws.elb_application_lb:
access_logs_enabled: yes
access_logs_s3_bucket: mybucket
access_logs_s3_prefix: "logs"
name: myalb
security_groups:
- sg-12345678
- my-sec-group
subnets:
- subnet-012345678
- subnet-abcdef000
listeners:
- Protocol: HTTP # Required. The protocol for connections from clients to the load balancer (HTTP or HTTPS) (case-sensitive).
Port: 80 # Required. The port on which the load balancer is listening.
# The security policy that defines which ciphers and protocols are supported. The default is the current predefined security policy.
SslPolicy: ELBSecurityPolicy-2015-05
Certificates: # The ARN of the certificate (only one certficate ARN should be provided)
- CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
DefaultActions:
- Type: forward # Required.
TargetGroupName: # Required. The name of the target group
state: present
# Create an ALB with listeners and rules
- community.aws.elb_application_lb:
name: test-alb
subnets:
- subnet-12345678
- subnet-87654321
security_groups:
- sg-12345678
scheme: internal
listeners:
- Protocol: HTTPS
Port: 443
DefaultActions:
- Type: forward
TargetGroupName: test-target-group
Certificates:
- CertificateArn: arn:aws:iam::12345678987:server-certificate/test.domain.com
SslPolicy: ELBSecurityPolicy-2015-05
Rules:
- Conditions:
- Field: path-pattern
Values:
- '/test'
Priority: '1'
Actions:
- TargetGroupName: test-target-group
Type: forward
- Conditions:
- Field: path-pattern
Values:
- "/redirect-path/*"
Priority: '2'
Actions:
- Type: redirect
RedirectConfig:
Host: "#{host}"
Path: "/example/redir" # or /#{path}
Port: "#{port}"
Protocol: "#{protocol}"
Query: "#{query}"
StatusCode: "HTTP_302" # or HTTP_301
- Conditions:
- Field: path-pattern
Values:
- "/fixed-response-path/"
Priority: '3'
Actions:
- Type: fixed-response
FixedResponseConfig:
ContentType: "text/plain"
MessageBody: "This is the page you're looking for"
StatusCode: "200"
- Conditions:
- Field: host-header
Values:
- "hostname.domain.com"
- "alternate.domain.com"
Priority: '4'
Actions:
- TargetGroupName: test-target-group
Type: forward
state: present
# Remove an ALB
- community.aws.elb_application_lb:
name: myalb
state: absent
name:
description:
- The name of the load balancer. This name must be unique within your AWS account,
can have a maximum of 32 characters, must contain only alphanumeric characters or
hyphens, and must not begin or end with a hyphen.
required: true
type: str
tags:
description:
- A dictionary of one or more tags to assign to the load balancer.
type: dict
wait:
default: false
description:
- Wait for the load balancer to have a state of 'active' before completing. A status
check is performed every 15 seconds until a successful state is reached. An error
is returned after 40 failed checks.
type: bool
http2:
description:
- Indicates whether to enable HTTP2 routing.
- Defaults to C(True).
type: bool
state:
choices:
- present
- absent
default: present
description:
- Create or destroy the load balancer.
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION
environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
type: str
scheme:
choices:
- internet-facing
- internal
default: internet-facing
description:
- Internet-facing or internal load balancer. An ALB scheme can not be modified after
creation.
type: str
ec2_url:
aliases:
- aws_endpoint_url
- endpoint_url
description:
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will
use EC2 endpoints). Ignored for modules where region is required. Must be specified
for all other modules if region is not used. If not set then the value of the EC2_URL
environment variable, if any, is used.
type: str
profile:
aliases:
- aws_profile
description:
- Using I(profile) will override I(aws_access_key), I(aws_secret_key) and I(security_token)
and support for passing them at the same time as I(profile) has been deprecated.
- I(aws_access_key), I(aws_secret_key) and I(security_token) will be made mutually
exclusive with I(profile) after 2022-06-01.
type: str
subnets:
description:
- A list of the IDs of the subnets to attach to the load balancer. You can specify
only one subnet per Availability Zone. You must specify subnets from at least two
Availability Zones.
- Required if I(state=present).
elements: str
type: list
listeners:
description:
- A list of dicts containing listeners to attach to the ALB. See examples for detail
of the dict required. Note that listener keys are CamelCased.
elements: dict
suboptions:
Certificates:
description: The SSL server certificate.
elements: dict
suboptions:
CertificateArn:
description: The Amazon Resource Name (ARN) of the certificate.
type: str
type: list
DefaultActions:
description: The default actions for the listener.
elements: dict
required: true
suboptions:
TargetGroupArn:
description: The Amazon Resource Name (ARN) of the target group.
type: str
Type:
description: The type of action.
type: str
type: list
Port:
description: The port on which the load balancer is listening.
required: true
type: int
Protocol:
description: The protocol for connections from clients to the load balancer.
required: true
type: str
Rules:
description:
- A list of ALB Listener Rules.
- 'For the complete documentation of possible Conditions and Actions please see
the boto3 documentation:'
- https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/elbv2.html#ElasticLoadBalancingv2.Client.create_rule
elements: dict
suboptions:
Actions:
description: Actions to apply if all of the rule's conditions are met.
elements: dict
type: list
Conditions:
description: Conditions which must be met for the actions to be applied.
elements: dict
type: list
Priority:
description: The rule priority.
type: int
type: list
SslPolicy:
description: The security policy that defines which ciphers and protocols are
supported.
type: str
type: list
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
- Only the 'user_agent' key is used for boto modules. See U(http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto)
for more boto configuration.
type: dict
purge_tags:
default: true
description:
- If yes, existing tags will be purged from the resource to match exactly what is
defined by I(tags) parameter.
- If the I(tags) parameter is not set then tags will not be modified.
type: bool
purge_rules:
default: true
description:
- When set to C(no), keep the existing load balancer rules in place. Will modify and
add, but will not delete.
type: bool
idle_timeout:
description:
- The number of seconds to wait before an idle connection is closed.
type: int
wait_timeout:
description:
- The time in seconds to use in conjunction with I(wait).
type: int
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- Not used by boto 2 based modules.
- 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied
from the controller if not run locally.'
type: path
waf_fail_open:
description:
- Indicates whether to allow a AWS WAF-enabled load balancer to route requests to
targets if it is unable to forward the request to AWS WAF.
- Defaults to C(False).
type: bool
version_added: 3.2.0
version_added_collection: community.aws
aws_access_key:
aliases:
- ec2_access_key
- access_key
description:
- C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY)
or C(EC2_ACCESS_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_access_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
aws_secret_key:
aliases:
- ec2_secret_key
- secret_key
description:
- C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY),
or C(EC2_SECRET_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_secret_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
security_token:
aliases:
- aws_security_token
- access_token
description:
- C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN)
or C(EC2_SECURITY_TOKEN) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(security_token) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
validate_certs:
default: true
description:
- When set to "no", SSL certificates will not be validated for communication with
the AWS APIs.
type: bool
ip_address_type:
choices:
- ipv4
- dualstack
description:
- Sets the type of IP addresses used by the subnets of the specified Application Load
Balancer.
type: str
purge_listeners:
default: true
description:
- If C(yes), existing listeners will be purged from the ALB to match exactly what
is defined by I(listeners) parameter.
- If the I(listeners) parameter is not set then listeners will not be modified.
type: bool
security_groups:
description:
- A list of the names or IDs of the security groups to assign to the load balancer.
- Required if I(state=present).
- If C([]), the VPC's default security group will be used.
elements: str
type: list
access_logs_enabled:
description:
- Whether or not to enable access logs.
- When set, I(access_logs_s3_bucket) must also be set.
type: bool
deletion_protection:
description:
- Indicates whether deletion protection for the ALB is enabled.
- Defaults to C(False).
type: bool
http_xff_client_port:
description:
- Indicates whether the X-Forwarded-For header should preserve the source port that
the client used to connect to the load balancer.
- Defaults to C(False).
type: bool
version_added: 3.2.0
version_added_collection: community.aws
access_logs_s3_bucket:
description:
- The name of the S3 bucket for the access logs.
- The bucket must exist in the same region as the load balancer and have a bucket
policy that grants Elastic Load Balancing permission to write to the bucket.
- Required if access logs in Amazon S3 are enabled.
- When set, I(access_logs_enabled) must also be set.
type: str
access_logs_s3_prefix:
description:
- The prefix for the log location in the S3 bucket.
- If you don't specify a prefix, the access logs are stored in the root of the bucket.
- Cannot begin or end with a slash.
type: str
http_desync_mitigation_mode:
choices:
- monitor
- defensive
- strictest
description:
- Determines how the load balancer handles requests that might pose a security risk
to an application.
- Defaults to C('defensive')
type: str
version_added: 3.2.0
version_added_collection: community.aws
debug_botocore_endpoint_logs:
default: 'no'
description:
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action"
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the aws_resource_action callback to output to total list made
during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also
be used.
type: bool
http_drop_invalid_header_fields:
description:
- Indicates whether HTTP headers with invalid header fields are removed by the load
balancer C(True) or routed to targets C(False).
- Defaults to C(False).
type: bool
version_added: 3.2.0
version_added_collection: community.aws
http_x_amzn_tls_version_and_cipher_suite:
description:
- Indicates whether the two headers are added to the client request before sending
it to the target.
- Defaults to C(False).
type: bool
version_added: 3.2.0
version_added_collection: community.aws
access_logs_s3_bucket:
description: The name of the S3 bucket for the access logs.
returned: when state is present
sample: mys3bucket
type: str
access_logs_s3_enabled:
description: Indicates whether access logs stored in Amazon S3 are enabled.
returned: when state is present
sample: true
type: bool
access_logs_s3_prefix:
description: The prefix for the location in the S3 bucket.
returned: when state is present
sample: my/logs
type: str
availability_zones:
description: The Availability Zones for the load balancer.
returned: when state is present
sample:
- load_balancer_addresses: []
subnet_id: subnet-aabbccddff
zone_name: ap-southeast-2a
type: list
canonical_hosted_zone_id:
description: The ID of the Amazon Route 53 hosted zone associated with the load
balancer.
returned: when state is present
sample: ABCDEF12345678
type: str
changed:
description: Whether an ALB was created/updated/deleted
returned: always
sample: true
type: bool
created_time:
description: The date and time the load balancer was created.
returned: when state is present
sample: '2015-02-12T02:14:02+00:00'
type: str
deletion_protection_enabled:
description: Indicates whether deletion protection is enabled.
returned: when state is present
sample: true
type: bool
dns_name:
description: The public DNS name of the load balancer.
returned: when state is present
sample: internal-my-elb-123456789.ap-southeast-2.elb.amazonaws.com
type: str
idle_timeout_timeout_seconds:
description: The idle timeout value, in seconds.
returned: when state is present
sample: 60
type: int
ip_address_type:
description: The type of IP addresses used by the subnets for the load balancer.
returned: when state is present
sample: ipv4
type: str
listeners:
contains:
certificates:
contains:
certificate_arn:
description: The Amazon Resource Name (ARN) of the certificate.
returned: when state is present
sample: ''
type: str
description: The SSL server certificate.
returned: when state is present
type: complex
default_actions:
contains:
target_group_arn:
description: The Amazon Resource Name (ARN) of the target group.
returned: when state is present
sample: ''
type: str
type:
description: The type of action.
returned: when state is present
sample: ''
type: str
description: The default actions for the listener.
returned: when state is present
type: str
listener_arn:
description: The Amazon Resource Name (ARN) of the listener.
returned: when state is present
sample: ''
type: str
load_balancer_arn:
description: The Amazon Resource Name (ARN) of the load balancer.
returned: when state is present
sample: ''
type: str
port:
description: The port on which the load balancer is listening.
returned: when state is present
sample: 80
type: int
protocol:
description: The protocol for connections from clients to the load balancer.
returned: when state is present
sample: HTTPS
type: str
ssl_policy:
description: The security policy that defines which ciphers and protocols are
supported.
returned: when state is present
sample: ''
type: str
description: Information about the listeners.
returned: when state is present
type: complex
load_balancer_arn:
description: The Amazon Resource Name (ARN) of the load balancer.
returned: when state is present
sample: arn:aws:elasticloadbalancing:ap-southeast-2:0123456789:loadbalancer/app/my-alb/001122334455
type: str
load_balancer_name:
description: The name of the load balancer.
returned: when state is present
sample: my-alb
type: str
routing_http2_enabled:
description: Indicates whether HTTP/2 is enabled.
returned: when state is present
sample: true
type: bool
routing_http_desync_mitigation_mode:
description: Determines how the load balancer handles requests that might pose a
security risk to an application.
returned: when state is present
sample: defensive
type: str
routing_http_drop_invalid_header_fields_enabled:
description: Indicates whether HTTP headers with invalid header fields are removed
by the load balancer (true) or routed to targets (false).
returned: when state is present
sample: false
type: bool
routing_http_x_amzn_tls_version_and_cipher_suite_enabled:
description: Indicates whether the two headers are added to the client request before
sending it to the target.
returned: when state is present
sample: false
type: bool
routing_http_xff_client_port_enabled:
description: Indicates whether the X-Forwarded-For header should preserve the source
port that the client used to connect to the load balancer.
returned: when state is present
sample: false
type: bool
scheme:
description: Internet-facing or internal load balancer.
returned: when state is present
sample: internal
type: str
security_groups:
description: The IDs of the security groups for the load balancer.
returned: when state is present
sample:
- sg-0011223344
type: list
state:
description: The state of the load balancer.
returned: when state is present
sample:
code: active
type: dict
tags:
description: The tags attached to the load balancer.
returned: when state is present
sample:
Tag: Example
type: dict
type:
description: The type of load balancer.
returned: when state is present
sample: application
type: str
vpc_id:
description: The ID of the VPC for the load balancer.
returned: when state is present
sample: vpc-0011223344
type: str
waf_fail_open_enabled:
description: Indicates whether to allow a AWS WAF-enabled load balancer to route
requests to targets if it is unable to forward the request to AWS WAF.
returned: when state is present
sample: false
type: bool