ALB without target group attachment not working

[kvarzand]

Description

Trying to use the ALB and autoscaling modules together. ALB module should not have to create a targe_group_attachment (will configure that logic in autoscaling module's "traffic_source_attachment"), but it errors out. In addition, the create_attachment input variable is undocumented, but the plan still fails after setting it to false.

The current logic has a few flaws:

1. There are two resource "aws_lb_target_group_attachment" resources. One uses the undocumented "create_attachment" attribute of Target_group object and the other doesn't. There is no "try" logic for "create_attachment" attribute. Here's the current code:

################################################################################

Target Group Attachment

################################################################################

resource "aws_lb_target_group_attachment" "this" { for_each = { for k, v in var.target_groups : k => v if local.create && lookup(v, "create_attachment", true) }

target_group_arn = aws_lb_target_group.this[each.key].arn target_id = each.value.target_id port = try(each.value.target_type, null) == "lambda" ? null : try(each.value.port, var.default_port) availability_zone = try(each.value.availability_zone, null)

depends_on = [aws_lambda_permission.this] }

resource "aws_lb_target_group_attachment" "additional" { for_each = { for k, v in var.additional_target_group_attachments : k => v if local.create }

target_group_arn = aws_lb_target_group.this[each.value.target_group_key].arn target_id = each.value.target_id port = try(each.value.target_type, null) == "lambda" ? null : try(each.value.port, var.default_port) availability_zone = try(each.value.availability_zone, null)

depends_on = [aws_lambda_permission.this] }

2. My code sets the create_attachment attribute to false but the code is still executed (I do not have a lambda target at all). I set the create_attachment attribute to true and see the error message repeated

• [x ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

• Module version [Required]:

• Terraform version:

  terraform --version Terraform v1.9.2 on windows_386

• Provider version(s):

  terraform providers -version Terraform v1.9.2 on windows_386

• provider registry.terraform.io/hashicorp/aws v5.59.0

• provider registry.terraform.io/hashicorp/random v3.6.2

Reproduction Code [Required]

module "alb-cognito" { source = "terraform-aws-modules/alb/aws"

name = "my-alb" vpc_id = var.vpc_id subnets = var.subnet_ids

Security Group

security_group_ingress_rules = {

all_https = {
  from_port   = 443
  to_port     = 443
  ip_protocol = "tcp"
  description = "HTTPS web traffic"
  cidr_ipv4   = "0.0.0.0/0"
}

} security_group_egress_rules = { all = { ip_protocol = "-1" cidr_ipv4 = "10.0.0.0/16" } }

access_logs = { bucket = "my-alb-logs" }

listeners = { https = { port = 443 protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-TLS13-1-2-Res-2021-06" certificate_arn = var.certificate_arn

  forward = {
    target_group_key = "asg"
  }

  rules = {
    # ex-cognito = {
    #   actions = [
    #     {
    #       type                       = "authenticate-cognito"
    #       on_unauthenticated_request = "authenticate"
    #       session_cookie_name        = "session-${local.name}"
    #       session_timeout            = 3600
    #       user_pool_arn              = "arn:aws:cognito-idp:us-east-1:123412341234:userpool/us-east-1_123412341" # aws_cognito_user_pool.this.arn temporarily hard coding
    #       user_pool_client_id        = "cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789" # aws_cognito_user_pool_client.this.id temporarily hard coding
    #       user_pool_domain           = "auth.example.com" # aws_cognito_user_pool_domain.this.domain temporarily hard coding
    #     },
    #     {
    #       type             = "forward"
    #       target_group_key = "asg"
    #     }
    #   ]

    #   conditions = [{
    #     path_pattern = {
    #       values = ["/some/auth/required/route"]
    #     }
    #   }]
    # }

    ex-fixed-response = {
      priority = 3
      actions = [{
        type         = "fixed-response"
        content_type = "text/plain"
        status_code  = 200
        message_body = "This is a fixed response"
      }]

      conditions = [{
        http_header = {
          http_header_name = "x-Gimme-Fixed-Response"
          values           = ["yes", "please", "right now"]
        }
      }]
    }

    ex-weighted-forward = {
      priority = 4
      actions = [{
        type = "weighted-forward"
        target_groups = [
          {
            target_group_key = "asg"
            weight           = 2
          },
        ]
        stickiness = {
          enabled  = true
          duration = 3600
        }
      }]

      conditions = [{
        query_string = {
          key   = "weighted"
          value = "true"
        },
        path_pattern = {
          values = ["/some/path"]
        }
      }]
    }

    ex-redirect = {
      priority = 5000
      actions = [{
        type        = "redirect"
        status_code = "HTTP_302"
        host        = "www.youtube.com"
        path        = "/watch"
        query       = "v=dQw4w9WgXcQ"
        protocol    = "HTTPS"
      }]

      conditions = [{
        query_string = {
          key   = "video"
          value = "random"
        }
      }]
    }
  }
}

}

target_groups = { asg = { name_prefix = "h1" protocol = "HTTPS" port = 443 target_type = "instance" deregistration_delay = 10 load_balancing_algorithm_type = "weighted_random" load_balancing_anomaly_mitigation = "on" load_balancing_cross_zone_enabled = false create_attachment = false health_check = { enabled = true interval = 30 path = "/healthz" port = "traffic-port" healthy_threshold = 3 unhealthy_threshold = 3 timeout = 6 protocol = "HTTPS" matcher = "200-399" } } tags = local.tags } }

Steps to reproduce the behavior:

No Yes execute terraform plan ## Expected behavior Target Group Attachment resource block should not be executed ## Actual behavior 2. Terraform Plan gets this error when create_attachement is set to false: │ Error: Unsupported attribute │ │ on .terraform\modules\app-alb-asg.alb-cognito\main.tf line 568, in resource "aws_lb_target_group_attachment" "this": │ 568: target_id = each.value.target_id │ ├──────────────── │ │ each.value is object with 3 attributes │ │ This object does not have an attribute named "target_id". The error is repeated if create_attachment is set to true ### Terminal Output Screenshot(s)

Additional context

[mconigliaro]

I think I was having this same problem, but setting create_attachment = false in the target group resolved it for me.

[kgalkin92]

I was also confused about this undocumented parameter. Source code of the module helped me. This code works in my case

target_groups = {
  gitlab_https = {
    name                 = "gitlab-https"
    protocol             = "TCP"
    port                 = 443
    target_type          = "ip"
    create_attachment    = false
  }
}

[bryantbiggs]

undocumented? https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/docs/patterns.md#target-group-without-attachment

[kvarzand]

undocumented? https://github.com/terraform-aws-modules/terraform-aws-alb/blob/master/docs/patterns.md#target-group-without-attachment

@bryantbiggs It is missing in the list of variables here: https://registry.terraform.io/modules/terraform-aws-modules/alb/aws/latest?tab=inputs

[bryantbiggs]

its a property of target_groups - just like port, protocol, target_type, etc.

[github-actions[bot]]

This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions[bot]]

This issue was automatically closed because of stale in 10 days

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.