---
title: Getting Started with Datadog
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Infrastructure > Datadog Resource Catalog
---

# aws_elbv2_load_balancer{% #aws_elbv2_load_balancer %}

## `account_id`{% #account_id %}

**Type**: `STRING`

## `attributes`{% #attributes %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Attributes`**Description**: Information about the load balancer attributes.

- `key`**Type**: `STRING`**Provider name**: `Key`**Description**: The name of the attribute. The following attributes are supported by all load balancers:
  - `deletion_protection.enabled` - Indicates whether deletion protection is enabled. The value is `true` or `false`. The default is `false`.
  - `load_balancing.cross_zone.enabled` - Indicates whether cross-zone load balancing is enabled. The possible values are `true` and `false`. The default for Network Load Balancers and Gateway Load Balancers is `false`. The default for Application Load Balancers is `true`, and can't be changed.
The following attributes are supported by both Application Load Balancers and Network Load Balancers:
  - `access_logs.s3.enabled` - Indicates whether access logs are enabled. The value is `true` or `false`. The default is `false`.
  - `access_logs.s3.bucket` - The name of the S3 bucket for the access logs. This attribute is required if access logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
  - `access_logs.s3.prefix` - The prefix for the location in the S3 bucket for the access logs.
  - `ipv6.deny_all_igw_traffic` - Blocks internet gateway (IGW) access to the load balancer. It is set to `false` for internet-facing load balancers and `true` for internal load balancers, preventing unintended access to your internal load balancer through an internet gateway.
  - `zonal_shift.config.enabled` - Indicates whether zonal shift is enabled. The possible values are `true` and `false`. The default is `false`.
The following attributes are supported by only Application Load Balancers:
  - `idle_timeout.timeout_seconds` - The idle timeout value, in seconds. The valid range is 1-4000 seconds. The default is 60 seconds.
  - `client_keep_alive.seconds` - The client keep alive value, in seconds. The valid range is 60-604800 seconds. The default is 3600 seconds.
  - `connection_logs.s3.enabled` - Indicates whether connection logs are enabled. The value is `true` or `false`. The default is `false`.
  - `connection_logs.s3.bucket` - The name of the S3 bucket for the connection logs. This attribute is required if connection logs are enabled. The bucket must exist in the same region as the load balancer and have a bucket policy that grants Elastic Load Balancing permissions to write to the bucket.
  - `connection_logs.s3.prefix` - The prefix for the location in the S3 bucket for the connection logs.
  - `routing.http.desync_mitigation_mode` - Determines how the load balancer handles requests that might pose a security risk to your application. The possible values are `monitor`, `defensive`, and `strictest`. The default is `defensive`.
  - `routing.http.drop_invalid_header_fields.enabled` - Indicates whether HTTP headers with invalid header fields are removed by the load balancer (`true`) or routed to targets (`false`). The default is `false`.
  - `routing.http.preserve_host_header.enabled` - Indicates whether the Application Load Balancer should preserve the `Host` header in the HTTP request and send it to the target without any change. The possible values are `true` and `false`. The default is `false`.
  - `routing.http.x_amzn_tls_version_and_cipher_suite.enabled` - Indicates whether the two headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. The `x-amzn-tls-version` header has information about the TLS protocol version negotiated with the client, and the `x-amzn-tls-cipher-suite` header has information about the cipher suite negotiated with the client. Both headers are in OpenSSL format. The possible values for the attribute are `true` and `false`. The default is `false`.
  - `routing.http.xff_client_port.enabled` - Indicates whether the `X-Forwarded-For` header should preserve the source port that the client used to connect to the load balancer. The possible values are `true` and `false`. The default is `false`.
  - `routing.http.xff_header_processing.mode` - Enables you to modify, preserve, or remove the `X-Forwarded-For` header in the HTTP request before the Application Load Balancer sends the request to the target. The possible values are `append`, `preserve`, and `remove`. The default is `append`.
    - If the value is `append`, the Application Load Balancer adds the client IP address (of the last hop) to the `X-Forwarded-For` header in the HTTP request before it sends it to targets.
    - If the value is `preserve` the Application Load Balancer preserves the `X-Forwarded-For` header in the HTTP request, and sends it to targets without any change.
    - If the value is `remove`, the Application Load Balancer removes the `X-Forwarded-For` header in the HTTP request before it sends it to targets.
  - `routing.http2.enabled` - Indicates whether HTTP/2 is enabled. The possible values are `true` and `false`. The default is `true`. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens.
  - `waf.fail_open.enabled` - Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to Amazon Web Services WAF. The possible values are `true` and `false`. The default is `false`.
The following attributes are supported by only Network Load Balancers:
  - `dns_record.client_routing_policy` - Indicates how traffic is distributed among the load balancer Availability Zones. The possible values are `availability_zone_affinity` with 100 percent zonal affinity, `partial_availability_zone_affinity` with 85 percent zonal affinity, and `any_availability_zone` with 0 percent zonal affinity.
- `value`**Type**: `STRING`**Provider name**: `Value`**Description**: The value of the attribute.

## `availability_zones`{% #availability_zones %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `AvailabilityZones`**Description**: The subnets for the load balancer.

- `load_balancer_addresses`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `LoadBalancerAddresses`**Description**: [Network Load Balancers] If you need static IP addresses for your load balancer, you can specify one Elastic IP address per Availability Zone when you create an internal-facing load balancer. For internal load balancers, you can specify a private IP address from the IPv4 range of the subnet.
  - `allocation_id`**Type**: `STRING`**Provider name**: `AllocationId`**Description**: [Network Load Balancers] The allocation ID of the Elastic IP address for an internal-facing load balancer.
  - `i_pv6_address`**Type**: `STRING`**Provider name**: `IPv6Address`**Description**: [Network Load Balancers] The IPv6 address.
  - `ip_address`**Type**: `STRING`**Provider name**: `IpAddress`**Description**: The static IP address.
  - `private_ipv4_address`**Type**: `STRING`**Provider name**: `PrivateIPv4Address`**Description**: [Network Load Balancers] The private IPv4 address for an internal load balancer.
- `outpost_id`**Type**: `STRING`**Provider name**: `OutpostId`**Description**: [Application Load Balancers on Outposts] The ID of the Outpost.
- `source_nat_ipv6_prefixes`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `SourceNatIpv6Prefixes`**Description**: [Network Load Balancers with UDP listeners] The IPv6 prefixes to use for source NAT. For each subnet, specify an IPv6 prefix (/80 netmask) from the subnet CIDR block or `auto_assigned` to use an IPv6 prefix selected at random from the subnet CIDR block.
- `subnet_id`**Type**: `STRING`**Provider name**: `SubnetId`**Description**: The ID of the subnet. You can specify one subnet per Availability Zone.
- `zone_name`**Type**: `STRING`**Provider name**: `ZoneName`**Description**: The name of the Availability Zone.

## `canonical_hosted_zone_id`{% #canonical_hosted_zone_id %}

**Type**: `STRING`**Provider name**: `CanonicalHostedZoneId`**Description**: The ID of the Amazon Route 53 hosted zone associated with the load balancer.

## `created_time`{% #created_time %}

**Type**: `TIMESTAMP`**Provider name**: `CreatedTime`**Description**: The date and time the load balancer was created.

## `customer_owned_ipv4_pool`{% #customer_owned_ipv4_pool %}

**Type**: `STRING`**Provider name**: `CustomerOwnedIpv4Pool`**Description**: [Application Load Balancers on Outposts] The ID of the customer-owned address pool.

## `dns_name`{% #dns_name %}

**Type**: `STRING`**Provider name**: `DNSName`**Description**: The public DNS name of the load balancer.

## `enable_prefix_for_ipv6_source_nat`{% #enable_prefix_for_ipv6_source_nat %}

**Type**: `STRING`**Provider name**: `EnablePrefixForIpv6SourceNat`**Description**: [Network Load Balancers with UDP listeners] Indicates whether to use an IPv6 prefix from each subnet for source NAT. The IP address type must be `dualstack`. The default value is `off`.

## `enforce_inbound_rules_on_private_link_traffic`{% #enforce_inbound_rules_on_private_link_traffic %}

**Type**: `STRING`**Provider name**: `EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic`**Description**: Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through Amazon Web Services PrivateLink.

## `ip_address_type`{% #ip_address_type %}

**Type**: `STRING`**Provider name**: `IpAddressType`**Description**: The type of IP addresses used for public or private connections by the subnets attached to your load balancer. [Application Load Balancers] The possible values are `ipv4` (IPv4 addresses), `dualstack` (IPv4 and IPv6 addresses), and `dualstack-without-public-ipv4` (public IPv6 addresses and private IPv4 and IPv6 addresses). [Network Load Balancers and Gateway Load Balancers] The possible values are `ipv4` (IPv4 addresses) and `dualstack` (IPv4 and IPv6 addresses).

## `listeners`{% #listeners %}

**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Listeners`**Description**: Information about the listeners.

- `alpn_policy`**Type**: `UNORDERED_LIST_STRING`**Provider name**: `AlpnPolicy`**Description**: [TLS listener] The name of the Application-Layer Protocol Negotiation (ALPN) policy.
- `certificates`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `Certificates`**Description**: [HTTPS or TLS listener] The default certificate for the listener.
  - `certificate_arn`**Type**: `STRING`**Provider name**: `CertificateArn`**Description**: The Amazon Resource Name (ARN) of the certificate.
  - `is_default`**Type**: `BOOLEAN`**Provider name**: `IsDefault`**Description**: Indicates whether the certificate is the default certificate. Do not set this value when specifying a certificate as an input. This value is not included in the output when describing a listener, but is included when describing listener certificates.
- `default_actions`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `DefaultActions`**Description**: The default actions for the listener.
  - `authenticate_cognito_config`**Type**: `STRUCT`**Provider name**: `AuthenticateCognitoConfig`**Description**: [HTTPS listeners] Information for using Amazon Cognito to authenticate users. Specify only when `Type` is `authenticate-cognito`.
    - `authentication_request_extra_params`**Type**: `MAP_STRING_STRING`**Provider name**: `AuthenticationRequestExtraParams`**Description**: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
    - `on_unauthenticated_request`**Type**: `STRING`**Provider name**: `OnUnauthenticatedRequest`**Description**: The behavior if the user is not authenticated. The following are possible values:
      - deny`- Return an HTTP 401 Unauthorized error.`
      - allow`- Allow the request to be forwarded to the target.`
      - authenticate`- Redirect the request to the IdP authorization endpoint. This is the default value.`
    - `scope`**Type**: `STRING`**Provider name**: `Scope`**Description**: The set of user claims to be requested from the IdP. The default is `openid`. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
    - `session_cookie_name`**Type**: `STRING`**Provider name**: `SessionCookieName`**Description**: The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
    - `session_timeout`**Type**: `INT64`**Provider name**: `SessionTimeout`**Description**: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
    - `user_pool_arn`**Type**: `STRING`**Provider name**: `UserPoolArn`**Description**: The Amazon Resource Name (ARN) of the Amazon Cognito user pool.
    - `user_pool_client_id`**Type**: `STRING`**Provider name**: `UserPoolClientId`**Description**: The ID of the Amazon Cognito user pool client.
    - `user_pool_domain`**Type**: `STRING`**Provider name**: `UserPoolDomain`**Description**: The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
  - `authenticate_oidc_config`**Type**: `STRUCT`**Provider name**: `AuthenticateOidcConfig`**Description**: [HTTPS listeners] Information about an identity provider that is compliant with OpenID Connect (OIDC). Specify only when `Type` is `authenticate-oidc`.
    - `authentication_request_extra_params`**Type**: `MAP_STRING_STRING`**Provider name**: `AuthenticationRequestExtraParams`**Description**: The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
    - `authorization_endpoint`**Type**: `STRING`**Provider name**: `AuthorizationEndpoint`**Description**: The authorization endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
    - `client_id`**Type**: `STRING`**Provider name**: `ClientId`**Description**: The OAuth 2.0 client identifier.
    - `client_secret`**Type**: `STRING`**Provider name**: `ClientSecret`**Description**: The OAuth 2.0 client secret. This parameter is required if you are creating a rule. If you are modifying a rule, you can omit this parameter if you set `UseExistingClientSecret` to true.
    - `issuer`**Type**: `STRING`**Provider name**: `Issuer`**Description**: The OIDC issuer identifier of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
    - `on_unauthenticated_request`**Type**: `STRING`**Provider name**: `OnUnauthenticatedRequest`**Description**: The behavior if the user is not authenticated. The following are possible values:
      - deny`- Return an HTTP 401 Unauthorized error.`
      - allow`- Allow the request to be forwarded to the target.`
      - authenticate`- Redirect the request to the IdP authorization endpoint. This is the default value.`
    - `scope`**Type**: `STRING`**Provider name**: `Scope`**Description**: The set of user claims to be requested from the IdP. The default is `openid`. To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
    - `session_cookie_name`**Type**: `STRING`**Provider name**: `SessionCookieName`**Description**: The name of the cookie used to maintain session information. The default is AWSELBAuthSessionCookie.
    - `session_timeout`**Type**: `INT64`**Provider name**: `SessionTimeout`**Description**: The maximum duration of the authentication session, in seconds. The default is 604800 seconds (7 days).
    - `token_endpoint`**Type**: `STRING`**Provider name**: `TokenEndpoint`**Description**: The token endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
    - `use_existing_client_secret`**Type**: `BOOLEAN`**Provider name**: `UseExistingClientSecret`**Description**: Indicates whether to use the existing client secret when modifying a rule. If you are creating a rule, you can omit this parameter or set it to false.
    - `user_info_endpoint`**Type**: `STRING`**Provider name**: `UserInfoEndpoint`**Description**: The user info endpoint of the IdP. This must be a full URL, including the HTTPS protocol, the domain, and the path.
  - `fixed_response_config`**Type**: `STRUCT`**Provider name**: `FixedResponseConfig`**Description**: [Application Load Balancer] Information for creating an action that returns a custom HTTP response. Specify only when `Type` is `fixed-response`.
    - `content_type`**Type**: `STRING`**Provider name**: `ContentType`**Description**: The content type. Valid Values: text/plain | text/css | text/html | application/javascript | application/json
    - `message_body`**Type**: `STRING`**Provider name**: `MessageBody`**Description**: The message.
    - `status_code`**Type**: `STRING`**Provider name**: `StatusCode`**Description**: The HTTP response code (2XX, 4XX, or 5XX).
  - `forward_config`**Type**: `STRUCT`**Provider name**: `ForwardConfig`**Description**: Information for creating an action that distributes requests among one or more target groups. For Network Load Balancers, you can specify a single target group. Specify only when `Type` is `forward`. If you specify both `ForwardConfig` and `TargetGroupArn`, you can specify only one target group using `ForwardConfig` and it must be the same target group specified in `TargetGroupArn`.
    - `target_group_stickiness_config`**Type**: `STRUCT`**Provider name**: `TargetGroupStickinessConfig`**Description**: The target group stickiness for the rule.
      - `duration_seconds`**Type**: `INT32`**Provider name**: `DurationSeconds`**Description**: The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
      - `enabled`**Type**: `BOOLEAN`**Provider name**: `Enabled`**Description**: Indicates whether target group stickiness is enabled.
    - `target_groups`**Type**: `UNORDERED_LIST_STRUCT`**Provider name**: `TargetGroups`**Description**: The target groups. For Network Load Balancers, you can specify a single target group.
      - `target_group_arn`**Type**: `STRING`**Provider name**: `TargetGroupArn`**Description**: The Amazon Resource Name (ARN) of the target group.
      - `weight`**Type**: `INT32`**Provider name**: `Weight`**Description**: The weight. The range is 0 to 999.
  - `order`**Type**: `INT32`**Provider name**: `Order`**Description**: The order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first.
  - `redirect_config`**Type**: `STRUCT`**Provider name**: `RedirectConfig`**Description**: [Application Load Balancer] Information for creating a redirect action. Specify only when `Type` is `redirect`.
    - `host`**Type**: `STRING`**Provider name**: `Host`**Description**: The hostname. This component is not percent-encoded. The hostname can contain #{host}.
    - `path`**Type**: `STRING`**Provider name**: `Path`**Description**: The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}.
    - `port`**Type**: `STRING`**Provider name**: `Port`**Description**: The port. You can specify a value from 1 to 65535 or #{port}.
    - `protocol`**Type**: `STRING`**Provider name**: `Protocol`**Description**: The protocol. You can specify HTTP, HTTPS, or #{protocol}. You can redirect HTTP to HTTP, HTTP to HTTPS, and HTTPS to HTTPS. You can't redirect HTTPS to HTTP.
    - `query`**Type**: `STRING`**Provider name**: `Query`**Description**: The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?", as it is automatically added. You can specify any of the reserved keywords.
    - `status_code`**Type**: `STRING`**Provider name**: `StatusCode`**Description**: The HTTP redirect code. The redirect is either permanent (HTTP 301) or temporary (HTTP 302).
  - `target_group_arn`**Type**: `STRING`**Provider name**: `TargetGroupArn`**Description**: The Amazon Resource Name (ARN) of the target group. Specify only when `Type` is `forward` and you want to route to a single target group. To route to one or more target groups, use `ForwardConfig` instead.
  - `type`**Type**: `STRING`**Provider name**: `Type`**Description**: The type of action.
- `listener_arn`**Type**: `STRING`**Provider name**: `ListenerArn`**Description**: The Amazon Resource Name (ARN) of the listener.
- `load_balancer_arn`**Type**: `STRING`**Provider name**: `LoadBalancerArn`**Description**: The Amazon Resource Name (ARN) of the load balancer.
- `mutual_authentication`**Type**: `STRUCT`**Provider name**: `MutualAuthentication`**Description**: The mutual authentication configuration information.
  - `advertise_trust_store_ca_names`**Type**: `STRING`**Provider name**: `AdvertiseTrustStoreCaNames`**Description**: Indicates whether trust store CA certificate names are advertised.
  - `ignore_client_certificate_expiry`**Type**: `BOOLEAN`**Provider name**: `IgnoreClientCertificateExpiry`**Description**: Indicates whether expired client certificates are ignored.
  - `mode`**Type**: `STRING`**Provider name**: `Mode`**Description**: The client certificate handling method. Options are `off`, `passthrough` or `verify`. The default value is `off`.
  - `trust_store_arn`**Type**: `STRING`**Provider name**: `TrustStoreArn`**Description**: The Amazon Resource Name (ARN) of the trust store.
  - `trust_store_association_status`**Type**: `STRING`**Provider name**: `TrustStoreAssociationStatus`**Description**: Indicates a shared trust stores association status.
- `port`**Type**: `INT32`**Provider name**: `Port`**Description**: The port on which the load balancer is listening.
- `protocol`**Type**: `STRING`**Provider name**: `Protocol`**Description**: The protocol for connections from clients to the load balancer.
- `ssl_policy`**Type**: `STRING`**Provider name**: `SslPolicy`**Description**: [HTTPS or TLS listener] The security policy that defines which protocols and ciphers are supported.

## `load_balancer_arn`{% #load_balancer_arn %}

**Type**: `STRING`**Provider name**: `LoadBalancerArn`**Description**: The Amazon Resource Name (ARN) of the load balancer.

## `load_balancer_name`{% #load_balancer_name %}

**Type**: `STRING`**Provider name**: `LoadBalancerName`**Description**: The name of the load balancer.

## `scheme`{% #scheme %}

**Type**: `STRING`**Provider name**: `Scheme`**Description**: The nodes of an Internet-facing load balancer have public IP addresses. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes. Therefore, Internet-facing load balancers can route requests from clients over the internet. The nodes of an internal load balancer have only private IP addresses. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes. Therefore, internal load balancers can route requests only from clients with access to the VPC for the load balancer.

## `security_groups`{% #security_groups %}

**Type**: `UNORDERED_LIST_STRING`**Provider name**: `SecurityGroups`**Description**: The IDs of the security groups for the load balancer.

## `state`{% #state %}

**Type**: `STRUCT`**Provider name**: `State`**Description**: The state of the load balancer.

- `code`**Type**: `STRING`**Provider name**: `Code`**Description**: The state code. The initial state of the load balancer is `provisioning`. After the load balancer is fully set up and ready to route traffic, its state is `active`. If load balancer is routing traffic but does not have the resources it needs to scale, its state is`active_impaired`. If the load balancer could not be set up, its state is `failed`.
- `reason`**Type**: `STRING`**Provider name**: `Reason`**Description**: A description of the state.

## `tags`{% #tags %}

**Type**: `UNORDERED_LIST_STRING`

## `type`{% #type %}

**Type**: `STRING`**Provider name**: `Type`**Description**: The type of load balancer.

## `vpc_id`{% #vpc_id %}

**Type**: `STRING`**Provider name**: `VpcId`**Description**: The ID of the VPC for the load balancer.