diff --git a/README.md b/README.md
index 9705459..1612868 100644
--- a/README.md
+++ b/README.md
@@ -242,6 +242,7 @@ module "nlb" {
subnets = ["subnet-abcde012", "subnet-bcde012a"]
# Security Group
+ enforce_security_group_inbound_rules_on_private_link_traffic = "on"
security_group_ingress_rules = {
all_http = {
from_port = 80
@@ -348,13 +349,13 @@ See [patterns.md](https://github.com/terraform-aws-modules/terraform-aws-alb/blo
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.23 |
+| [aws](#requirement\_aws) | >= 5.31 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.23 |
+| [aws](#provider\_aws) | >= 5.31 |
## Modules
@@ -398,6 +399,7 @@ No modules.
| [enable\_tls\_version\_and\_cipher\_suite\_headers](#input\_enable\_tls\_version\_and\_cipher\_suite\_headers) | Indicates whether the two headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Only valid for Load Balancers of type `application`. Defaults to `false` | `bool` | `null` | no |
| [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to `false` | `bool` | `null` | no |
| [enable\_xff\_client\_port](#input\_enable\_xff\_client\_port) | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `false` | `bool` | `null` | no |
+| [enforce\_security\_group\_inbound\_rules\_on\_private\_link\_traffic](#input\_enforce\_security\_group\_inbound\_rules\_on\_private\_link\_traffic) | Indicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type network. The possible values are on and off. | `string` | `null` | no |
| [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type `application`. Default: `60` | `number` | `null` | no |
| [internal](#input\_internal) | If true, the LB will be internal. Defaults to `false` | `bool` | `null` | no |
| [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack` | `string` | `null` | no |
diff --git a/examples/complete-alb/README.md b/examples/complete-alb/README.md
index 1e93422..b11c268 100644
--- a/examples/complete-alb/README.md
+++ b/examples/complete-alb/README.md
@@ -20,14 +20,14 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.23 |
+| [aws](#requirement\_aws) | >= 5.31 |
| [null](#requirement\_null) | >= 2.0 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.23 |
+| [aws](#provider\_aws) | >= 5.31 |
| [null](#provider\_null) | >= 2.0 |
## Modules
diff --git a/examples/complete-alb/versions.tf b/examples/complete-alb/versions.tf
index 7a23a05..7d29031 100644
--- a/examples/complete-alb/versions.tf
+++ b/examples/complete-alb/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.23"
+ version = ">= 5.31"
}
null = {
source = "hashicorp/null"
diff --git a/examples/complete-nlb/README.md b/examples/complete-nlb/README.md
index 3c7efe3..ecdad36 100644
--- a/examples/complete-nlb/README.md
+++ b/examples/complete-nlb/README.md
@@ -20,13 +20,13 @@ Note that this example may create resources which cost money. Run `terraform des
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 5.23 |
+| [aws](#requirement\_aws) | >= 5.31 |
## Providers
| Name | Version |
|------|---------|
-| [aws](#provider\_aws) | >= 5.23 |
+| [aws](#provider\_aws) | >= 5.31 |
## Modules
diff --git a/examples/complete-nlb/main.tf b/examples/complete-nlb/main.tf
index f5f3964..8de943e 100644
--- a/examples/complete-nlb/main.tf
+++ b/examples/complete-nlb/main.tf
@@ -46,6 +46,7 @@ module "nlb" {
enable_deletion_protection = false
# Security Group
+ enforce_security_group_inbound_rules_on_private_link_traffic = "off"
security_group_ingress_rules = {
all_tcp = {
from_port = 80
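Review bot: The example sets `enforce_security_group_inbound_rules_on_private_link_traffic = "off"`, which means the `security_group_ingress_rules` defined immediately below it are not applied to traffic arriving through PrivateLink, while the README snippet in this same commit shows the value `"on"`. Since `complete-nlb` is the example people copy, the enforcing setting is the more useful default; if `"off"` is intentional for demonstration, a comment above the line such as `# "off" exempts PrivateLink traffic from the ingress rules below; use "on" to enforce them` would keep readers from copying the permissive value unknowingly. The `module "nlb"` block starts and ends outside the hunk.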
diff --git a/examples/complete-nlb/versions.tf b/examples/complete-nlb/versions.tf
index a1705fa..1b260a1 100644
--- a/examples/complete-nlb/versions.tf
+++ b/examples/complete-nlb/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.23"
+ version = ">= 5.31"
}
}
}
diff --git a/main.tf b/main.tf
index e08de0f..b376130 100644
--- a/main.tf
+++ b/main.tf
@@ -22,24 +22,25 @@ resource "aws_lb" "this" {
}
}
- customer_owned_ipv4_pool = var.customer_owned_ipv4_pool
- desync_mitigation_mode = var.desync_mitigation_mode
- dns_record_client_routing_policy = var.dns_record_client_routing_policy
- drop_invalid_header_fields = var.drop_invalid_header_fields
- enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
- enable_deletion_protection = var.enable_deletion_protection
- enable_http2 = var.enable_http2
- enable_tls_version_and_cipher_suite_headers = var.enable_tls_version_and_cipher_suite_headers
- enable_waf_fail_open = var.enable_waf_fail_open
- enable_xff_client_port = var.enable_xff_client_port
- idle_timeout = var.idle_timeout
- internal = var.internal
- ip_address_type = var.ip_address_type
- load_balancer_type = var.load_balancer_type
- name = var.name
- name_prefix = var.name_prefix
- preserve_host_header = var.preserve_host_header
- security_groups = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
+ customer_owned_ipv4_pool = var.customer_owned_ipv4_pool
+ desync_mitigation_mode = var.desync_mitigation_mode
+ dns_record_client_routing_policy = var.dns_record_client_routing_policy
+ drop_invalid_header_fields = var.drop_invalid_header_fields
+ enable_cross_zone_load_balancing = var.enable_cross_zone_load_balancing
+ enable_deletion_protection = var.enable_deletion_protection
+ enable_http2 = var.enable_http2
+ enable_tls_version_and_cipher_suite_headers = var.enable_tls_version_and_cipher_suite_headers
+ enable_waf_fail_open = var.enable_waf_fail_open
+ enable_xff_client_port = var.enable_xff_client_port
+ enforce_security_group_inbound_rules_on_private_link_traffic = var.enforce_security_group_inbound_rules_on_private_link_traffic
+ idle_timeout = var.idle_timeout
+ internal = var.internal
+ ip_address_type = var.ip_address_type
+ load_balancer_type = var.load_balancer_type
+ name = var.name
+ name_prefix = var.name_prefix
+ preserve_host_header = var.preserve_host_header
+ security_groups = var.create_security_group ? concat([aws_security_group.this[0].id], var.security_groups) : var.security_groups
dynamic "subnet_mapping" {
for_each = var.subnet_mapping
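Review bot: The new `enforce_security_group_inbound_rules_on_private_link_traffic` argument is passed through unconditionally, but by the variable's own description it is only valid for load balancers of type `network`, so a non-null value on an `application` LB (for example inherited from wrapper defaults) will presumably be rejected by the provider or API at apply time rather than caught at plan time. Consider gating it on the type, `enforce_security_group_inbound_rules_on_private_link_traffic = var.load_balancer_type == "network" ? var.enforce_security_group_inbound_rules_on_private_link_traffic : null`, or state the constraint explicitly in the variable so the failure mode is documented. The remaining changed lines in this hunk are whitespace realignment only. The `aws_lb` resource block begins and ends outside the hunk.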
diff --git a/variables.tf b/variables.tf
index d69c99d..7a272f7 100644
--- a/variables.tf
+++ b/variables.tf
@@ -104,6 +104,12 @@ variable "load_balancer_type" {
default = "application"
}
+variable "enforce_security_group_inbound_rules_on_private_link_traffic" {
+ description = "Indicates whether inbound security group rules are enforced for traffic originating from a PrivateLink. Only valid for Load Balancers of type network. The possible values are on and off."
+ type = string
+ default = null
+}
+
variable "name" {
description = "The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters, must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen"
type = string
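Review bot: The new variable accepts any string although its description says the only possible values are `on` and `off`; a typo such as `"On"` or `"true"` is silently forwarded to the provider and only fails at apply time. Since the module already requires Terraform `>= 1.0`, a `validation` block on the variable would turn that into a plan-time error with a clear message. As a smaller style point, the sibling descriptions in this file wrap literal values in backticks (for example `application`), so `network`, `on` and `off` in the new description would read more consistently as `` `network` ``, `` `on` `` and `` `off` ``.
```hcl
variable "enforce_security_group_inbound_rules_on_private_link_traffic" {
  # … unchanged: description, type, default …
  validation {
    condition     = var.enforce_security_group_inbound_rules_on_private_link_traffic == null || contains(["on", "off"], var.enforce_security_group_inbound_rules_on_private_link_traffic)
    error_message = "enforce_security_group_inbound_rules_on_private_link_traffic must be \"on\", \"off\" or null."
  }
}
```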
diff --git a/versions.tf b/versions.tf
index a1705fa..1b260a1 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
- version = ">= 5.23"
+ version = ">= 5.31"
}
}
}
diff --git a/wrappers/main.tf b/wrappers/main.tf
index 6f90205..6362691 100644
--- a/wrappers/main.tf
+++ b/wrappers/main.tf
@@ -3,45 +3,46 @@ module "wrapper" {
for_each = var.items
- access_logs = try(each.value.access_logs, var.defaults.access_logs, {})
- associate_web_acl = try(each.value.associate_web_acl, var.defaults.associate_web_acl, false)
- create = try(each.value.create, var.defaults.create, true)
- create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
- customer_owned_ipv4_pool = try(each.value.customer_owned_ipv4_pool, var.defaults.customer_owned_ipv4_pool, null)
- default_port = try(each.value.default_port, var.defaults.default_port, 80)
- default_protocol = try(each.value.default_protocol, var.defaults.default_protocol, "HTTP")
- desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, null)
- dns_record_client_routing_policy = try(each.value.dns_record_client_routing_policy, var.defaults.dns_record_client_routing_policy, null)
- drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, true)
- enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, true)
- enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, true)
- enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, null)
- enable_tls_version_and_cipher_suite_headers = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, null)
- enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, null)
- enable_xff_client_port = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, null)
- idle_timeout = try(each.value.idle_timeout, var.defaults.idle_timeout, null)
- internal = try(each.value.internal, var.defaults.internal, null)
- ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
- listeners = try(each.value.listeners, var.defaults.listeners, {})
- load_balancer_type = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application")
- name = try(each.value.name, var.defaults.name, null)
- name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null)
- preserve_host_header = try(each.value.preserve_host_header, var.defaults.preserve_host_header, null)
- putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
- route53_records = try(each.value.route53_records, var.defaults.route53_records, {})
- security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
- security_group_egress_rules = try(each.value.security_group_egress_rules, var.defaults.security_group_egress_rules, {})
- security_group_ingress_rules = try(each.value.security_group_ingress_rules, var.defaults.security_group_ingress_rules, {})
- security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
- security_group_tags = try(each.value.security_group_tags, var.defaults.security_group_tags, {})
- security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true)
- security_groups = try(each.value.security_groups, var.defaults.security_groups, [])
- subnet_mapping = try(each.value.subnet_mapping, var.defaults.subnet_mapping, [])
- subnets = try(each.value.subnets, var.defaults.subnets, [])
- tags = try(each.value.tags, var.defaults.tags, {})
- target_groups = try(each.value.target_groups, var.defaults.target_groups, {})
- timeouts = try(each.value.timeouts, var.defaults.timeouts, {})
- vpc_id = try(each.value.vpc_id, var.defaults.vpc_id, null)
- web_acl_arn = try(each.value.web_acl_arn, var.defaults.web_acl_arn, null)
- xff_header_processing_mode = try(each.value.xff_header_processing_mode, var.defaults.xff_header_processing_mode, null)
+ access_logs = try(each.value.access_logs, var.defaults.access_logs, {})
+ associate_web_acl = try(each.value.associate_web_acl, var.defaults.associate_web_acl, false)
+ create = try(each.value.create, var.defaults.create, true)
+ create_security_group = try(each.value.create_security_group, var.defaults.create_security_group, true)
+ customer_owned_ipv4_pool = try(each.value.customer_owned_ipv4_pool, var.defaults.customer_owned_ipv4_pool, null)
+ default_port = try(each.value.default_port, var.defaults.default_port, 80)
+ default_protocol = try(each.value.default_protocol, var.defaults.default_protocol, "HTTP")
+ desync_mitigation_mode = try(each.value.desync_mitigation_mode, var.defaults.desync_mitigation_mode, null)
+ dns_record_client_routing_policy = try(each.value.dns_record_client_routing_policy, var.defaults.dns_record_client_routing_policy, null)
+ drop_invalid_header_fields = try(each.value.drop_invalid_header_fields, var.defaults.drop_invalid_header_fields, true)
+ enable_cross_zone_load_balancing = try(each.value.enable_cross_zone_load_balancing, var.defaults.enable_cross_zone_load_balancing, true)
+ enable_deletion_protection = try(each.value.enable_deletion_protection, var.defaults.enable_deletion_protection, true)
+ enable_http2 = try(each.value.enable_http2, var.defaults.enable_http2, null)
+ enable_tls_version_and_cipher_suite_headers = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, null)
+ enable_waf_fail_open = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, null)
+ enable_xff_client_port = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, null)
+ enforce_security_group_inbound_rules_on_private_link_traffic = try(each.value.enforce_security_group_inbound_rules_on_private_link_traffic, var.defaults.enforce_security_group_inbound_rules_on_private_link_traffic, null)
+ idle_timeout = try(each.value.idle_timeout, var.defaults.idle_timeout, null)
+ internal = try(each.value.internal, var.defaults.internal, null)
+ ip_address_type = try(each.value.ip_address_type, var.defaults.ip_address_type, null)
+ listeners = try(each.value.listeners, var.defaults.listeners, {})
+ load_balancer_type = try(each.value.load_balancer_type, var.defaults.load_balancer_type, "application")
+ name = try(each.value.name, var.defaults.name, null)
+ name_prefix = try(each.value.name_prefix, var.defaults.name_prefix, null)
+ preserve_host_header = try(each.value.preserve_host_header, var.defaults.preserve_host_header, null)
+ putin_khuylo = try(each.value.putin_khuylo, var.defaults.putin_khuylo, true)
+ route53_records = try(each.value.route53_records, var.defaults.route53_records, {})
+ security_group_description = try(each.value.security_group_description, var.defaults.security_group_description, null)
+ security_group_egress_rules = try(each.value.security_group_egress_rules, var.defaults.security_group_egress_rules, {})
+ security_group_ingress_rules = try(each.value.security_group_ingress_rules, var.defaults.security_group_ingress_rules, {})
+ security_group_name = try(each.value.security_group_name, var.defaults.security_group_name, null)
+ security_group_tags = try(each.value.security_group_tags, var.defaults.security_group_tags, {})
+ security_group_use_name_prefix = try(each.value.security_group_use_name_prefix, var.defaults.security_group_use_name_prefix, true)
+ security_groups = try(each.value.security_groups, var.defaults.security_groups, [])
+ subnet_mapping = try(each.value.subnet_mapping, var.defaults.subnet_mapping, [])
+ subnets = try(each.value.subnets, var.defaults.subnets, [])
+ tags = try(each.value.tags, var.defaults.tags, {})
+ target_groups = try(each.value.target_groups, var.defaults.target_groups, {})
+ timeouts = try(each.value.timeouts, var.defaults.timeouts, {})
+ vpc_id = try(each.value.vpc_id, var.defaults.vpc_id, null)
+ web_acl_arn = try(each.value.web_acl_arn, var.defaults.web_acl_arn, null)
+ xff_header_processing_mode = try(each.value.xff_header_processing_mode, var.defaults.xff_header_processing_mode, null)
}