Error creating NLB using v9.9.0 for TLS Listener & Target group

Question

Error creating NLB using v9.9.0 for TLS Listener & Target group

shriyo101 opened this issue 6 months ago · 3 comments

Hi,
I'm facing issue with the NLB creation using v9.9.0, but the same works with v8.7.0.

My requirement:
Need to create NLB with listener with a client certificate and an empty target group since my target needs to be created in a different account and I need to pass it later on.

Terraform v1.9.0
on linux_amd64

I'm either seeing Health check incorrect and if health check part is commented, target_id or target_type is thrown as error.

How do I fix it? is this a bug? Am I missing any required fields?
Checked multiple times documentation provided below, it seems correct.

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#target-group-routing-configuration

https://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html
"If you add a TLS listener to your Network Load Balancer, we perform a listener connectivity test. As TLS termination also terminates a TCP connection, a new TCP connection is established between your load balancer and your targets. Therefore, you might see the TCP connections for this test sent from your load balancer to the targets that are registered with your TLS listener. You can identify these TCP connections because they have the source IP address of your Network Load Balancer and the connections do not contain data packets."

code of v9.9.0:

module "nlb" {
source = "git::https://github.com/terraform-aws-modules/terraform-aws-alb.git?ref=454d2cbf78d48b9eaeb499bfe6dd05fe30b4ae0c"
//source = "terraform-aws-modules/alb/aws"
//version = "9.9.0"

create = var.create_nlb
name = "${local.prefix}-nlb-ext"
load_balancer_type = "network"
vpc_id = local.vpc_id
subnets = local.pub_snet_ids
count = 1
enable_deletion_protection = var.deletion_protection
enable_cross_zone_load_balancing = var.cross_zone_load_balancing
internal = false
access_logs = {
"bucket" = "s3-extlb-bucket"
"prefix" = "extlb-${var.environment}"
}

listeners = {
l1 = {
port = 443
protocol = "TLS"
certificate_arn = "${aws_acm_certificate.ocm-cert-api[count.index].certificate_authority_arn}" //enable this for new environment
forward = {
target_group_key = "t1"
}
}
}
target_groups = {
t1= {
name = "${local.prefix}-tgp-tls"
protocol = "TLS"
port = 443
target_type = "ip"
deregistration_delay = 10
health_check = {
enabled = true
protocol = "TCP"
interval = 30
healthy_threshold = 5
unhealthy_threshold = 2
timeout = 10
}
}
}

tags = {
Name = "${local.prefix}-nlb"
}
}

Error:
│ Error: Unsupported attribute
│
│ on .terraform/modules/nlb/main.tf line 568, in resource "aws_lb_target_group_attachment" "this":
│ 568: target_id = each.value.target_id
│ ├────────────────
│ │ each.value is object with 6 attributes
│
│ This object does not have an attribute named "target_id".
╵
Operation failed: failed running terraform plan (exit 1)

or

Error 2:
╷
│ Error: Attribute "health_check[0].protocol" cannot have value "TCP" when "protocol" is "HTTP".
│
│ with module.nlb_pvt_api[0].aws_lb_target_group.this["0"],
│ on .terraform/modules/nlb_pvt_api/main.tf line 487, in resource "aws_lb_target_group" "this":
│ 487: resource "aws_lb_target_group" "this" {
│
╵
╷
│ Error: Attribute "health_check[0].protocol" cannot have value "TCP" when "protocol" is "HTTP".
│
│ with module.nlb[0].aws_lb_target_group.this["0"],
│ on .terraform/modules/nlb/main.tf line 487, in resource "aws_lb_target_group" "this":
│ 487: resource "aws_lb_target_group" "this" {
│
╵
Operation failed: failed running terraform plan (exit 1)

Working Code

code of v8.7.0

module "nlb" {
source = "git::https://github.com/terraform-aws-modules/terraform-aws-alb.git?ref=cb8e43d456a863e954f6b97a4a821f41d4280ab8"
//source = "terraform-aws-modules/alb/aws"
//version = "~> 8.0" #8.7.0

create_lb = var.create_nlb
name = "${local.prefix}-nlb-ext"
load_balancer_type = var.lb_type
vpc_id = local.vpc_id
subnets = local.pub_snet_ids
count = 1
enable_deletion_protection = var.deletion_protection
enable_cross_zone_load_balancing = var.cross_zone_load_balancing
access_logs = {
"bucket" = "s3-extlb-logs"
"prefix" = "extlb-${var.environment}"
}

target_groups = [
{
name = "${local.prefix}-tgp-tls"
backend_protocol = "TLS"
backend_port = 443
target_type = "ip"
deregistration_delay = 10
health_check = {
enabled = true
protocol = "TCP"
interval = 30
healthy_threshold = 5
unhealthy_threshold = 2
timeout = 10
}
}
]

https_listeners = [
{
port = 443
protocol = "TLS"
certificate_arn = "${aws_acm_certificate.ocm-cert-api[count.index].certificate_authority_arn}"
target_group_index = 0
}
]

tags = {}
}

Answer 1 · 2024-07-29T00:25:28.000Z

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

Answer 2 · 2024-08-09T00:24:39.000Z

This issue was automatically closed because of stale in 10 days