aws_elbv2_load_balancer
account_id
Type: STRING
attributes
Type: UNORDERED_LIST_STRUCT
Provider name: Attributes
Description: Information about the load balancer attributes.
key
Type: STRING
Provider name: Key
Description: The name of the attribute. The following attributes are supported by all load balancers:
- deletion_protection.enabled - Indicates whether deletion protection is enabled. The value is true or false. The default is false.
- load_balancing.cross_zone.enabled - Indicates whether cross-zone load balancing is enabled. The possible values are true and false. The default for Network Load Balancers and Gateway Load Balancers is false. The default for Application Load Balancers is true, and can’t be changed.
The following attributes are supported by both Application Load Balancers and Network Load Balancers:
- access_logs.s3.enabled - Indicates whether access logs are enabled. The value is true or false. The default is false.
- access_logs.s3.bucket - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
- access_logs.s3.prefix - The prefix for the location in the S3 bucket for the access logs.
- ipv6.deny_all_igw_traffic - Blocks internet gateway (IGW) access to the load balancer. It is set to false for internet-facing load balancers and true for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.
- zonal_shift.config.enabled - Indicates whether zonal shift is enabled. The possible values are true and false. The default is false.
The following attributes are supported by only Application Load Balancers:
- idle_timeout.timeout_seconds - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.
- client_keep_alive.seconds - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds.
- connection_logs.s3.enabled - Indicates whether connection logs are enabled. The value is true or false. The default is false.
- connection_logs.s3.bucket - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
- connection_logs.s3.prefix - The prefix for the location in the S3 bucket for the connection logs.
- routing.http.desync_mitigation_mode - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are monitor, defensive, and strictest. The default is defensive.
- routing.http.drop_invalid_header_fields.enabled - Indicates whether HTTP headers with invalid header fields are removed by the load balancer (true) or routed to targets (false). The default is false.
- routing.http.preserve_host_header.enabled - Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. The possible values are true and false. The default is false.
- routing.http.x_amzn_tls_version_and_cipher_suite.enabled - Indicates whether the two headers (x-amzn-tls-version and x-amzn-tls-cipher-suite), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The x-amzn-tls-version header has information about the TLS protocol version negotiated with the client, and the x-amzn-tls-cipher-suite header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are true and false. The default is false.
- routing.http.xff_client_port.enabled - Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer. The possible values are true and false. The default is false.
- routing.http.xff_header_processing.mode - Enables you to modify, preserve, or remove the X-Forwarded-For header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are append, preserve, and remove. The default is append.
  - If the value is append, the Application Load Balancer adds the client IP address (of the last hop) to the X-Forwarded-For header in the HTTP request before it sends it to targets.
  - If the value is preserve, the Application Load Balancer preserves the X-Forwarded-For header in the HTTP request, and sends it to targets without any change.
  - If the value is remove, the Application Load Balancer removes the X-Forwarded-For header in the HTTP request before it sends it to targets.
- routing.http2.enabled - Indicates whether HTTP/2 is enabled. The possible values are true and false. The default is true. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
- waf.fail_open.enabled - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to Amazon Web Services WAF. The possible values are true and false. The default is false.
The following attributes are supported by only Network Load Balancers:
- dns_record.client_routing_policy - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are availability_zone_affinity with 100 percent zonal affinity, partial_availability_zone_affinity with 85 percent zonal affinity, and any_availability_zone with 0 percent zonal affinity.
value
Type: STRING
Provider name: Value
Description: The value of the attribute.
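A posture check over the attributes struct described above, added here as an example (it is not code from the page, from AWS, or from the schema's vendor). It assumes a record shaped like this schema, with the type field holding the ELBv2 API value application for an Application Load Balancer; the sample record and the finding messages are constructed.

```python
# Added example: posture check over the `attributes` list of an
# aws_elbv2_load_balancer record (sample record below is constructed).

# Defaults as given in the attribute description above; an attribute absent
# from the record is treated as having its default value.
DEFAULTS = {
    "deletion_protection.enabled": "false",
    "access_logs.s3.enabled": "false",
    "access_logs.s3.bucket": "",
    "routing.http.desync_mitigation_mode": "defensive",
    "routing.http.drop_invalid_header_fields.enabled": "false",
    "routing.http.xff_header_processing.mode": "append",
    "waf.fail_open.enabled": "false",
}


def attributes_to_dict(attributes):
    """Flatten the key/value list (UNORDERED_LIST_STRUCT) into a dict."""
    return {a["key"]: a["value"] for a in attributes}


def check_load_balancer(record):
    """Return [(attribute, value, reason), ...] for settings weaker than recommended."""
    attrs = {**DEFAULTS, **attributes_to_dict(record.get("attributes", []))}
    findings = []

    def flag(key, reason):
        findings.append((key, attrs[key], reason))

    # Supported by all load balancer types.
    if attrs["deletion_protection.enabled"] != "true":
        flag("deletion_protection.enabled", "load balancer can be deleted without protection")
    # Supported by Application and Network Load Balancers; a bucket is required when enabled.
    if attrs["access_logs.s3.enabled"] != "true":
        flag("access_logs.s3.enabled", "no access logs for detection or forensics")
    elif not attrs["access_logs.s3.bucket"]:
        flag("access_logs.s3.bucket", "access logs enabled but no bucket configured")
    # routing.http.* and waf.* apply only to Application Load Balancers;
    # "application" is the ELBv2 API value of the `type` field for an ALB.
    if record.get("type") == "application":
        if attrs["routing.http.desync_mitigation_mode"] == "monitor":
            flag("routing.http.desync_mitigation_mode", "risky requests are only monitored, not blocked")
        if attrs["routing.http.drop_invalid_header_fields.enabled"] != "true":
            flag("routing.http.drop_invalid_header_fields.enabled", "invalid header fields are routed to targets")
        if attrs["routing.http.xff_header_processing.mode"] == "preserve":
            flag("routing.http.xff_header_processing.mode", "client-supplied X-Forwarded-For reaches targets unchanged")
        if attrs["waf.fail_open.enabled"] == "true":
            flag("waf.fail_open.enabled", "requests are forwarded to targets when WAF cannot be reached")
    return findings


# Constructed sample record in the shape of this schema (not a real resource).
WEAK_ALB = {
    "load_balancer_name": "example-weak-alb",
    "type": "application",
    "attributes": [
        {"key": "deletion_protection.enabled", "value": "false"},
        {"key": "access_logs.s3.enabled", "value": "true"},
        {"key": "routing.http.desync_mitigation_mode", "value": "monitor"},
        {"key": "routing.http.xff_header_processing.mode", "value": "preserve"},
        {"key": "waf.fail_open.enabled", "value": "true"},
    ],
}
```

Running check_load_balancer(WEAK_ALB) reports six findings, including the missing access-log bucket and the drop_invalid_header_fields default that the record never sets explicitly.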
availability_zones
Type: UNORDERED_LIST_STRUCT
Provider name: AvailabilityZones
Description: The subnets for the load balancer.
load_balancer_addresses
Type: UNORDERED_LIST_STRUCT
Provider name: LoadBalancerAddresses
Description: [Network Load Balancers] If you need static IP addresses for your load balancer, you can specify one Elastic IP address per Availability Zone when you create an internal-facing load balancer. For internal load balancers, you can specify a private IP address from the IPv4 range of the subnet.
allocation_id
Type: STRING
Provider name: AllocationId
Description: [Network Load Balancers] The allocation ID of the Elastic IP address for an internal-facing load balancer.
i_pv6_address
Type: STRING
Provider name: IPv6Address
Description: [Network Load Balancers] The IPv6 address.
ip_address
Type: STRING
Provider name: IpAddress
Description: The static IP address.
private_ipv4_address
Type: STRING
Provider name: PrivateIPv4Address
Description: [Network Load Balancers] The private IPv4 address for an internal load balancer.
outpost_id
Type: STRING
Provider name: OutpostId
Description: [Application Load Balancers on Outposts] The ID of the Outpost.
source_nat_ipv6_prefixes
Type: UNORDERED_LIST_STRING
Provider name: SourceNatIpv6Prefixes
Description: [Network Load Balancers with UDP listeners] The IPv6 prefixes to use for source NAT. For each subnet, specify an IPv6 prefix (/80 netmask) from the subnet CIDR block or auto_assigned to use an IPv6 prefix selected at random from the subnet CIDR block.
subnet_id
Type: STRING
Provider name: SubnetId
Description: The ID of the subnet. You can specify one subnet per Availability Zone.
zone_name
Type: STRING
Provider name: ZoneName
Description: The name of the Availability Zone.
canonical_hosted_zone_id
Type: STRING
Provider name: CanonicalHostedZoneId
Description: The ID of the Amazon Route 53 hosted zone associated with the load balancer.
created_time
Type: TIMESTAMP
Provider name: CreatedTime
Description: The date and time the load balancer was created.
customer_owned_ipv4_pool
Type: STRING
Provider name: CustomerOwnedIpv4Pool
Description: [Application Load Balancers on Outposts] The ID of the customer-owned address pool.
dns_name
Type: STRING
Provider name: DNSName
Description: The public DNS name of the load balancer.
enable_prefix_for_ipv6_source_nat
Type: STRING
Provider name: EnablePrefixForIpv6SourceNat
Description: [Network Load Balancers with UDP listeners] Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be dualstack. The default value is off.
enforce_inbound_rules_on_private_link_traffic
Type: STRING
Provider name: EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic
Description: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through Amazon Web Services PrivateLink.
ip_address_type
Type: STRING
Provider name: IpAddressType
Description: The type of IP addresses used for public or private connections by the subnets attached to your load balancer. [Application Load Balancers] The possible values are ipv4 (IPv4 addresses), dualstack (IPv4 and IPv6 addresses), and dualstack-without-public-ipv4 (public IPv6 addresses and private IPv4 and IPv6 addresses). [Network Load Balancers and Gateway Load Balancers] The possible values are ipv4 (IPv4 addresses) and dualstack (IPv4 and IPv6 addresses).
listeners
Type: UNORDERED_LIST_STRUCT
Provider name: Listeners
Description: Information about the listeners.
alpn_policy
Type: UNORDERED_LIST_STRING
Provider name: AlpnPolicy
Description: [TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.
certificates
Type: UNORDERED_LIST_STRUCT
Provider name: Certificates
Description: [HTTPS or TLS listener] The default certificate for the listener.
certificate_arn
Type: STRING
Provider name: CertificateArn
Description: The Amazon Resource Name (ARN) of the certificate.
is_default
Type: BOOLEAN
Provider name: IsDefault
Description: Indicates whether the certificate is the default certificate. Do not set this value when specifying a certificate as an input. This value is not included in the output when describing a listener, but is included when describing listener certificates.
default_actions
Type: UNORDERED_LIST_STRUCT
Provider name: DefaultActions
Description: The default actions for the listener.
authenticate_cognito_config
Type: STRUCT
Provider name: AuthenticateCognitoConfig
Description: [HTTPS listeners] Information for using Amazon Cognito to authenticate users. Specify only when Type is authenticate-cognito.
authentication_request_extra_params
Type: MAP_STRING_STRING
Provider name: AuthenticationRequestExtraParams
Description: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
on_unauthenticated_request
Type: STRING
Provider name: OnUnauthenticatedRequest
Description: The behavior if the user is not authenticated. The following are possible values:
- deny - Return an HTTP 401 Unauthorized error.
- allow - Allow the request to be forwarded to the target.
- authenticate - Redirect the request to the IdP authorization endpoint. This is the default value.
scope
Type: STRING
Provider name: Scope
Description: The set of user claims to be requested from the IdP. The default is openid. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
session_cookie_name
Type: STRING
Provider name: SessionCookieName
Description: The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
session_timeout
Type: INT64
Provider name: SessionTimeout
Description: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
user_pool_arn
Type: STRING
Provider name: UserPoolArn
Description: The Amazon Resource Name (ARN) of the Amazon Cognito user pool.
user_pool_client_id
Type: STRING
Provider name: UserPoolClientId
Description: The ID of the Amazon Cognito user pool client.
user_pool_domain
Type: STRING
Provider name: UserPoolDomain
Description: The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
authenticate_oidc_config
Type: STRUCT
Provider name: AuthenticateOidcConfig
Description: [HTTPS listeners] Information about an identity provider that is compliant with OpenID Connect (OIDC). Specify only when Type is authenticate-oidc.
authentication_request_extra_params
Type: MAP_STRING_STRING
Provider name: AuthenticationRequestExtraParams
Description: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
authorization_endpoint
Type: STRING
Provider name: AuthorizationEndpoint
Description: The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
client_id
Type: STRING
Provider name: ClientId
Description: The OAuth 2.0 client identifier.
client_secret
Type: STRING
Provider name: ClientSecret
Description: The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you set UseExistingClientSecret to true.
issuer
Type: STRING
Provider name: Issuer
Description: The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
on_unauthenticated_request
Type: STRING
Provider name: OnUnauthenticatedRequest
Description: The behavior if the user is not authenticated. The following are possible values:
- deny - Return an HTTP 401 Unauthorized error.
- allow - Allow the request to be forwarded to the target.
- authenticate - Redirect the request to the IdP authorization endpoint. This is the default value.
scope
Type: STRING
Provider name: Scope
Description: The set of user claims to be requested from the IdP. The default is openid. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
session_cookie_name
Type: STRING
Provider name: SessionCookieName
Description: The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
session_timeout
Type: INT64
Provider name: SessionTimeout
Description: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
token_endpoint
Type: STRING
Provider name: TokenEndpoint
Description: The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
use_existing_client_secret
Type: BOOLEAN
Provider name: UseExistingClientSecret
Description: Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false.
user_info_endpoint
Type: STRING
Provider name: UserInfoEndpoint
Description: The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
fixed_response_config
Type: STRUCT
Provider name: FixedResponseConfig
Description: [Application Load Balancer] Information for creating an action that returns a custom HTTP response. Specify only when Type is fixed-response.
content_type
Type: STRING
Provider name: ContentType
Description: The content type. Valid Values: text/plain | text/css | text/html | application/javascript | application/json
message_body
Type: STRING
Provider name: MessageBody
Description: The message.
status_code
Type: STRING
Provider name: StatusCode
Description: The HTTP response code (2XX, 4XX, or 5XX).
forward_config
Type: STRUCT
Provider name: ForwardConfig
Description: Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when Type is forward. If you specify both ForwardConfig and TargetGroupArn, you can specify only one target group using ForwardConfig and it must be the same target group specified in TargetGroupArn.
target_group_stickiness_config
Type: STRUCT
Provider name: TargetGroupStickinessConfig
Description: The target group stickiness for the rule.
duration_seconds
Type: INT32
Provider name: DurationSeconds
Description: The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
enabled
Type: BOOLEAN
Provider name: Enabled
Description: Indicates whether target group stickiness is enabled.
target_groups
Type: UNORDERED_LIST_STRUCT
Provider name: TargetGroups
Description: The target groups. For Network Load Balancers, you can specify a single target group.
target_group_arn
Type: STRING
Provider name: TargetGroupArn
Description: The Amazon Resource Name (ARN) of the target group.
weight
Type: INT32
Provider name: Weight
Description: The weight. The range is 0 to 999.
order
Type: INT32
Provider name: Order
Description: The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first.
redirect_config
Type: STRUCT
Provider name: RedirectConfig
Description: [Application Load Balancer] Information for creating a redirect action. Specify only when Type is redirect.
host
Type: STRING
Provider name: Host
Description: The hostname. This component is not percent-encoded. The hostname can contain #{host}.
path
Type: STRING
Provider name: Path
Description: The absolute path, starting with the leading “/”. This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}.
port
Type: STRING
Provider name: Port
Description: The port. You can specify a value from 1 to 65535 or #{port}.
protocol
Type: STRING
Provider name: Protocol
Description: The protocol. You can specify HTTP, HTTPS, or #{protocol}. You can redirect HTTP to HTTP, HTTP to HTTPS, and HTTPS to HTTPS. You can’t redirect HTTPS to HTTP.
query
Type: STRING
Provider name: Query
Description: The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading “?”, as it is automatically added. You can specify any of the reserved keywords.
status_code
Type: STRING
Provider name: StatusCode
Description: The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302).
target_group_arn
Type: STRING
Provider name: TargetGroupArn
Description: The Amazon Resource Name (ARN) of the target group. Specify only when Type is forward and you want to route to a single target group. To route to one or more target groups, use ForwardConfig instead.
type
Type: STRING
Provider name: Type
Description: The type of action.
listener_arn
Type: STRING
Provider name: ListenerArn
Description: The Amazon Resource Name (ARN) of the listener.
load_balancer_arn
Type: STRING
Provider name: LoadBalancerArn
Description: The Amazon Resource Name (ARN) of the load balancer.
mutual_authentication
Type: STRUCT
Provider name: MutualAuthentication
Description: The mutual authentication configuration information.
advertise_trust_store_ca_names
Type: STRING
Provider name: AdvertiseTrustStoreCaNames
Description: Indicates whether trust store CA certificate names are advertised.
ignore_client_certificate_expiry
Type: BOOLEAN
Provider name: IgnoreClientCertificateExpiry
Description: Indicates whether expired client certificates are ignored.
mode
Type: STRING
Provider name: Mode
Description: The client certificate handling method. Options are off, passthrough, or verify. The default value is off.
trust_store_arn
Type: STRING
Provider name: TrustStoreArn
Description: The Amazon Resource Name (ARN) of the trust store.
trust_store_association_status
Type: STRING
Provider name: TrustStoreAssociationStatus
Description: Indicates a shared trust stores association status.
port
Type: INT32
Provider name: Port
Description: The port on which the load balancer is listening.
protocol
Type: STRING
Provider name: Protocol
Description: The protocol for connections from clients to the load balancer.
ssl_policy
Type: STRING
Provider name: SslPolicy
Description: [HTTPS or TLS listener] The security policy that defines which protocols and ciphers are supported.
load_balancer_arn
Type: STRING
Provider name: LoadBalancerArn
Description: The Amazon Resource Name (ARN) of the load balancer.
load_balancer_name
Type: STRING
Provider name: LoadBalancerName
Description: The name of the load balancer.
scheme
Type: STRING
Provider name: Scheme
Description: The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet. The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer.
security_groups
Type: UNORDERED_LIST_STRING
Provider name: SecurityGroups
Description: The IDs of the security groups for the load balancer.
state
Type: STRUCT
Provider name: State
Description: The state of the load balancer.
code
Type: STRING
Provider name: Code
Description: The state code. The initial state of the load balancer is provisioning. After the load balancer is fully set up and ready to route traffic, its state is active. If the load balancer is routing traffic but does not have the resources it needs to scale, its state is active_impaired. If the load balancer could not be set up, its state is failed.
reason
Type: STRING
Provider name: Reason
Description: A description of the state.
Type: UNORDERED_LIST_STRING
type
Type: STRING
Provider name: Type
Description: The type of load balancer.
vpc_id
Type: STRING
Provider name: VpcId
Description: The ID of the VPC for the load balancer.