Make target_group_port optional, if type not forward (#68)

nickreynke · web-flow · commit 88f3c73103ae · 2025-04-03T19:03:44.000-03:00
diff --git a/README.md b/README.md
@@ -93,10 +93,10 @@ In order to run all checks at any point run the following command:
 | <a name="input_enable_s3_logs"></a> [enable\_s3\_logs](#input\_enable\_s3\_logs) | (Optional) If true, all LoadBalancer logs will be sent to S3.  If true, and log\_bucket\_id is *not* provided, this module will create the bucket with other provided s3 bucket configuration options | `bool` | `true` | no |
 | <a name="input_http_ingress_cidr_blocks"></a> [http\_ingress\_cidr\_blocks](#input\_http\_ingress\_cidr\_blocks) | List of CIDR blocks to allowed to access the Load Balancer through HTTP | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_http_ingress_prefix_list_ids"></a> [http\_ingress\_prefix\_list\_ids](#input\_http\_ingress\_prefix\_list\_ids) | List of prefix list IDs blocks to allowed to access the Load Balancer through HTTP | `list(string)` | `[]` | no |
-| <a name="input_http_ports"></a> [http\_ports](#input\_http\_ports) | Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener\_port and the target\_group\_port. For `redirect` type, include listener port, host, path, port, protocol, query and status\_code. For `fixed-response`, include listener\_port, content\_type, message\_body and status\_code | <pre>map(object({<br/>    type = optional(string)<br/><br/>    listener_port     = number<br/>    target_group_port = number<br/><br/>    target_group_protocol         = optional(string, "HTTP")<br/>    target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC<br/><br/>    # Health check options, overriding default values provided as module variables<br/>    target_group_health_check_enabled             = optional(bool)<br/>    target_group_health_check_interval            = optional(number)<br/>    target_group_health_check_path                = optional(string)<br/>    target_group_health_check_port                = optional(string)<br/>    target_group_health_check_protocol            = optional(string, "HTTP")<br/>    target_group_health_check_timeout             = optional(number)<br/>    target_group_health_check_healthy_threshold   = optional(number)<br/>    target_group_health_check_unhealthy_threshold = optional(number)<br/>    target_group_health_check_matcher             = optional(string)<br/><br/>    host         = optional(string, "#{host}")<br/>    path         = optional(string, "/#{path}")<br/>    port         = optional(string, "#{port}")<br/>    protocol     = optional(string, "#{protocol}")<br/>    query        = optional(string, "#{query}")<br/>    status_code  = optional(string) # Default for `type=redirect`: "HTTP_301". Default for `type=fixed-response`: "200".<br/>    content_type = optional(string, "text/plain")<br/>    message_body = optional(string, "Fixed response content")<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "listener_port": 80,<br/>    "target_group_port": 80,<br/>    "type": "forward"<br/>  }<br/>}</pre> | no |
+| <a name="input_http_ports"></a> [http\_ports](#input\_http\_ports) | Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener\_port and the target\_group\_port. For `redirect` type, include listener\_port, host, path, port, protocol, query and status\_code. For `fixed-response`, include listener\_port, content\_type, message\_body and status\_code | <pre>map(object({<br/>    type = optional(string)<br/><br/>    listener_port = number<br/><br/>    target_group_port             = optional(number)<br/>    target_group_protocol         = optional(string, "HTTP")<br/>    target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC<br/><br/>    # Health check options, overriding default values provided as module variables<br/>    target_group_health_check_enabled             = optional(bool)<br/>    target_group_health_check_interval            = optional(number)<br/>    target_group_health_check_path                = optional(string)<br/>    target_group_health_check_port                = optional(string)<br/>    target_group_health_check_protocol            = optional(string, "HTTP")<br/>    target_group_health_check_timeout             = optional(number)<br/>    target_group_health_check_healthy_threshold   = optional(number)<br/>    target_group_health_check_unhealthy_threshold = optional(number)<br/>    target_group_health_check_matcher             = optional(string)<br/><br/>    host         = optional(string, "#{host}")<br/>    path         = optional(string, "/#{path}")<br/>    port         = optional(string, "#{port}")<br/>    protocol     = optional(string, "#{protocol}")<br/>    query        = optional(string, "#{query}")<br/>    status_code  = optional(string) # Default for `type=redirect`: "HTTP_301". Default for `type=fixed-response`: "200".<br/>    content_type = optional(string, "text/plain")<br/>    message_body = optional(string, "Fixed response content")<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "listener_port": 80,<br/>    "target_group_port": 80,<br/>    "type": "forward"<br/>  }<br/>}</pre> | no |
 | <a name="input_https_ingress_cidr_blocks"></a> [https\_ingress\_cidr\_blocks](#input\_https\_ingress\_cidr\_blocks) | List of CIDR blocks to allowed to access the Load Balancer through HTTPS | `list(string)` | <pre>[<br/>  "0.0.0.0/0"<br/>]</pre> | no |
 | <a name="input_https_ingress_prefix_list_ids"></a> [https\_ingress\_prefix\_list\_ids](#input\_https\_ingress\_prefix\_list\_ids) | List of prefix list IDs blocks to allowed to access the Load Balancer through HTTPS | `list(string)` | `[]` | no |
-| <a name="input_https_ports"></a> [https\_ports](#input\_https\_ports) | Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener\_port and the target\_group\_port. For `redirect` type, include listener port, host, path, port, protocol, query and status\_code. For `fixed-response`, include listener\_port, content\_type, message\_body and status\_code | <pre>map(object({<br/>    type = optional(string)<br/><br/>    listener_port     = number<br/>    target_group_port = number<br/><br/>    target_group_protocol         = optional(string, "HTTP")<br/>    target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC<br/><br/>    # Health check options, overriding default values provided as module variables<br/>    target_group_health_check_enabled             = optional(bool)<br/>    target_group_health_check_interval            = optional(number)<br/>    target_group_health_check_path                = optional(string)<br/>    target_group_health_check_port                = optional(string)<br/>    target_group_health_check_protocol            = optional(string, "HTTP")<br/>    target_group_health_check_timeout             = optional(number)<br/>    target_group_health_check_healthy_threshold   = optional(number)<br/>    target_group_health_check_unhealthy_threshold = optional(number)<br/>    target_group_health_check_matcher             = optional(string)<br/><br/>    host         = optional(string, "#{host}")<br/>    path         = optional(string, "/#{path}")<br/>    port         = optional(string, "#{port}")<br/>    protocol     = optional(string, "#{protocol}")<br/>    query        = optional(string, "#{query}")<br/>    status_code  = optional(string) # Default for `type=redirect`: "HTTP_301". Default for `type=fixed-response`: "200".<br/>    content_type = optional(string, "text/plain")<br/>    message_body = optional(string, "Fixed response content")<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "listener_port": 443,<br/>    "target_group_port": 443,<br/>    "type": "forward"<br/>  }<br/>}</pre> | no |
+| <a name="input_https_ports"></a> [https\_ports](#input\_https\_ports) | Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener\_port and the target\_group\_port. For `redirect` type, include listener\_port, host, path, port, protocol, query and status\_code. For `fixed-response`, include listener\_port, content\_type, message\_body and status\_code | <pre>map(object({<br/>    type = optional(string)<br/><br/>    listener_port = number<br/><br/>    target_group_port             = optional(number)<br/>    target_group_protocol         = optional(string, "HTTP")<br/>    target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC<br/><br/>    # Health check options, overriding default values provided as module variables<br/>    target_group_health_check_enabled             = optional(bool)<br/>    target_group_health_check_interval            = optional(number)<br/>    target_group_health_check_path                = optional(string)<br/>    target_group_health_check_port                = optional(string)<br/>    target_group_health_check_protocol            = optional(string, "HTTP")<br/>    target_group_health_check_timeout             = optional(number)<br/>    target_group_health_check_healthy_threshold   = optional(number)<br/>    target_group_health_check_unhealthy_threshold = optional(number)<br/>    target_group_health_check_matcher             = optional(string)<br/><br/>    host         = optional(string, "#{host}")<br/>    path         = optional(string, "/#{path}")<br/>    port         = optional(string, "#{port}")<br/>    protocol     = optional(string, "#{protocol}")<br/>    query        = optional(string, "#{query}")<br/>    status_code  = optional(string) # Default for `type=redirect`: "HTTP_301". Default for `type=fixed-response`: "200".<br/>    content_type = optional(string, "text/plain")<br/>    message_body = optional(string, "Fixed response content")<br/>  }))</pre> | <pre>{<br/>  "default": {<br/>    "listener_port": 443,<br/>    "target_group_port": 443,<br/>    "type": "forward"<br/>  }<br/>}</pre> | no |
 | <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | (Optional) The time in seconds that the connection is allowed to be idle. Default: 60. | `number` | `60` | no |
 | <a name="input_internal"></a> [internal](#input\_internal) | (Optional) If true, the LB will be internal. | `bool` | `false` | no |
 | <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | (Optional) The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack. Defaults to ipv4 | `string` | `"ipv4"` | no |
diff --git a/main.tf b/main.tf
@@ -118,7 +118,7 @@ resource "aws_security_group_rule" "ingress_through_https" {
 resource "null_resource" "lb_http_tgs_config" {
   for_each = {
     for name, config in var.http_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
 
   triggers = {
@@ -131,7 +131,7 @@ resource "null_resource" "lb_http_tgs_config" {
 resource "random_id" "lb_http_tgs_id" {
   for_each = {
     for name, config in var.http_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
 
   byte_length = 2
@@ -147,7 +147,7 @@ resource "random_id" "lb_http_tgs_id" {
 resource "aws_lb_target_group" "lb_http_tgs" {
   for_each = {
     for name, config in var.http_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
   name                          = "${var.name_prefix}-http-${each.value.target_group_port}-${random_id.lb_http_tgs_id[each.key].hex}"
   port                          = each.value.target_group_port
@@ -194,7 +194,7 @@ resource "aws_lb_target_group" "lb_http_tgs" {
 resource "null_resource" "lb_https_tgs_config" {
   for_each = {
     for name, config in var.https_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
 
   triggers = {
@@ -207,7 +207,7 @@ resource "null_resource" "lb_https_tgs_config" {
 resource "random_id" "lb_https_tgs_id" {
   for_each = {
     for name, config in var.https_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
 
   byte_length = 2
@@ -223,7 +223,7 @@ resource "random_id" "lb_https_tgs_id" {
 resource "aws_lb_target_group" "lb_https_tgs" {
   for_each = {
     for name, config in var.https_ports : name => config
-    if config.type == null || config.type == "forward"
+    if(config.type == null || config.type == "forward") && config.target_group_port != null
   }
   name                          = "${var.name_prefix}-https-${each.value.target_group_port}-${random_id.lb_https_tgs_id[each.key].hex}"
   port                          = each.value.target_group_port
diff --git a/variables.tf b/variables.tf
@@ -145,13 +145,13 @@ variable "waf_web_acl_arn" {
 # ACCESS CONTROL TO APPLICATION LOAD BALANCER
 #------------------------------------------------------------------------------
 variable "http_ports" {
-  description = "Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener_port and the target_group_port. For `redirect` type, include listener port, host, path, port, protocol, query and status_code. For `fixed-response`, include listener_port, content_type, message_body and status_code"
+  description = "Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener_port and the target_group_port. For `redirect` type, include listener_port, host, path, port, protocol, query and status_code. For `fixed-response`, include listener_port, content_type, message_body and status_code"
   type = map(object({
     type = optional(string)
 
-    listener_port     = number
-    target_group_port = number
+    listener_port = number
 
+    target_group_port             = optional(number)
     target_group_protocol         = optional(string, "HTTP")
     target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC
 
@@ -182,16 +182,24 @@ variable "http_ports" {
       target_group_port = 80
     }
   }
+  validation {
+    condition     = alltrue([for _, v in var.http_ports : v.type != "forward" || v.target_group_port != null])
+    error_message = "target_group_port must be set if type is forward"
+  }
+  validation {
+    condition     = alltrue([for _, v in var.http_ports : (v.type == "redirect" || v.type == "fixed-response") ? v.status_code != null : true])
+    error_message = "status_code must be set if type is redirect or fixed-response"
+  }
 }
 
 variable "https_ports" {
-  description = "Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener_port and the target_group_port. For `redirect` type, include listener port, host, path, port, protocol, query and status_code. For `fixed-response`, include listener_port, content_type, message_body and status_code"
+  description = "Map containing objects to define listeners behaviour based on type field. If type field is `forward`, include listener_port and the target_group_port. For `redirect` type, include listener_port, host, path, port, protocol, query and status_code. For `fixed-response`, include listener_port, content_type, message_body and status_code"
   type = map(object({
     type = optional(string)
 
-    listener_port     = number
-    target_group_port = number
+    listener_port = number
 
+    target_group_port             = optional(number)
     target_group_protocol         = optional(string, "HTTP")
     target_group_protocol_version = optional(string, "HTTP1") # HTTP1, HTTP2 or GRPC
 
@@ -222,6 +230,14 @@ variable "https_ports" {
       target_group_port = 443
     }
   }
+  validation {
+    condition     = alltrue([for _, v in var.https_ports : v.type != "forward" || v.target_group_port != null])
+    error_message = "target_group_port must be set if type is forward"
+  }
+  validation {
+    condition     = alltrue([for _, v in var.https_ports : (v.type == "redirect" || v.type == "fixed-response") ? v.status_code != null : true])
+    error_message = "status_code must be set if type is redirect or fixed-response"
+  }
 }
 
 /*
