Not able to create alb listeners rule with multiple conditions

[Aniketvaidhya]

Hello Team,

I am trying to create the alb listeners rule with the multiple condition in (my case first condition Path Pattern is /v2/* and second condition HTTP Header myapp-secret is myapp-secret-value).

I have tried the below configuration under the rules :
conditions = [{
path_patterns = ["/v2/*"],
http_header = {
http_header_name = "myapp-secret"
values = ["myapp-secret-value"]
}
}]

When I run the terraform plan, it is not able to identify the second condition and hence, only the condition path_patterns = ["/v2/*"] is applied to the listeners.

Alternately, I have also tried the below configuration :
conditions = [{
path_patterns = ["/v2/*"]
}]

  conditions = [{
    http_header = {
      http_header_name = "myapp-secret"
      values           = ["myapp-secret-value"]
    }
  }]   

In this case, after terraform plan I am getting this error :

╷
│ Error: Insufficient condition blocks
│ ......
│ At least 1 "condition" blocks are required.

Can someone please confirm what I am missing or do I need to use some dynamic conditions here?

[trevorrea]

This is an interesting one as the documentation for the underlying aws_lb_listener_rule rule resource requires you to do:-

resource "aws_lb_listener_rule" "static" {
  .......
  condition {
    path_pattern {
      values = ["/v2/*"]
    }
  }

  condition {
    http_header {
      http_header_name = "myapp-secret"
      values = ["myapp-secret-value"]
    }
  }
}

with multiple condition blocks but the code in this module at https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/main.tf#L363 looks to create a single condition block with multiple conditions

I tried:-

conditions = [{
  path_pattern = {
    values = [
      "/v2/*"
    ]
  },
  http_header = {
    http_header_name = "myapp-secret"
    values           = ["myapp-secret-value"]
  }
}]

which seemed to work but then errored out with

│ Error: Only one of host_header, http_header, http_request_method, path_pattern, query_string or source_ip can be set in a condition block

I think it's possibly a bug or maybe we're just not understanding correctly what we need to pass in.

[Aniketvaidhya]

@trevorrea I have also tried different ways but would not be able to create it. If it is a bug, how to raise it here?

[loki-dv]

Hello, I have the same usecase when I need to define more than one condition in the ALB Listener rule.
I agree with @trevorrea that this module creates only one condition block but when I tried locally change it I catch another issue: when you define more than one condition you see this error:

│ Error: Invalid value for input variable
│
│   on vars.tf line 183:
│   183: variable "listeners" {
│
│ Unsuitable value for var.listeners set using the TF_VAR_listeners
│ environment variable: all map elements must have the same type.

I tried different options to set it but it looks like here we are limited with the maps limitation. Any ideas?

[trevorrea]

I think the solution would be to deal with the condition blocks in much the same way as the action blocks at https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/main.tf#L247

For the action blocks you can do the following

resource "aws_lb_listener_rule" "admin" {
  listener_arn = aws_lb_listener.front_end.arn

  action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = aws_cognito_user_pool.pool.arn
      user_pool_client_id = aws_cognito_user_pool_client.client.id
      user_pool_domain    = aws_cognito_user_pool_domain.domain.domain
    }
  }

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.static.arn
  }
}

This is a bit more difficult as there is no equivalent of the type values in the condition blocks currently supported.

I'll see if I can do a PR and test it locally.

[trevorrea]

I have a quick and dirty change at https://github.com/trevorrea/terraform-aws-alb if anyone would like to test. Commit is master...trevorrea:terraform-aws-alb:master to change the condition blocks to be the same format as the action blocks.

I tested locally really quickly and it seemed to work. I'll need to do a bit more testing before opening an MR.

[florianmagnin]

Hi,
It's a major issue and your fix is working great.
Please merge it :)
Regards

[alexgoddity]

hi, the same issue, pls fix it.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.