Load balancer fixes #1884
Load balancer fixes #1884
Conversation
radeksimko
added
the
enhancement
|
This should be marked as a bug, not an enhancement - aws_lb of type "network" is unusable, unable to create aws_lb_listener with "TCP" protocol. |
| @@ -420,7 +427,7 @@ func validateAwsLbTargetGroupPort(v interface{}, k string) (ws []string, errors | |||
|
|
|||
| func validateAwsLbTargetGroupProtocol(v interface{}, k string) (ws []string, errors []error) { | |||
| protocol := strings.ToLower(v.(string)) | |||
| if protocol == "http" || protocol == "https" { | |||
| if protocol == "http" || protocol == "https" || protocol == "tcp" { | |||
| return | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Validation error message below needs to be updated
| @@ -402,7 +409,7 @@ func validateAwsLbTargetGroupHealthCheckTimeout(v interface{}, k string) (ws []s | |||
|
|
|||
| func validateAwsLbTargetGroupHealthCheckProtocol(v interface{}, k string) (ws []string, errors []error) { | |||
| value := strings.ToLower(v.(string)) | |||
| if value == "http" || value == "https" { | |||
| if value == "http" || value == "https" || value == "tcp" { | |||
| return | |||
| } | |||
|
|
|||
There was a problem hiding this comment.
Validation error message below needs to be updated
|
Cool! I think it's missing the possibility to attach the LB to a certain subnet / AZ. |
|
@else My first comment is wrong, i removed the subnet ID from my example by mistake, if you try to create a LB without a subnet, it will fail. You are required to attach at least one subnet to a network load balancer. I have also seen that you cannot update a NLB with additional subnets after creation, handled in #1941 |
|
Is there any more work left here? This is a blocker for us and I'll help if necessary |
|
This is minor, but I After the apply succeeded, a subsequent I expected this plan not to show any changes since I had just applied. I believe this is because the Default path for the health check is "/". The health-check-path is only for HTTP/HTTPS health checks, not TCP. |
|
There is one more - checker for healthcheck defaults to checking HTTP 200 response code, which is only supposed to happen for HTTP/HTTPS healthchecks http://docs.aws.amazon.com/elasticloadbalancing/latest/network/target-group-health-checks.html |
|
@c2h5oh in my branch or in master? I removed the default in my branch, so it shouldn't impact it anymore. @jwinter Removed default path, though im not actually sure if this PR is going to be merged or not, we'll have to see, @stack72 or @radeksimko could perhaps give us an update as current NLB is pretty unusable in terraform right now. |
|
Right, it's fixed in your branch. I wish we could just write a validator for entire HealthCheck, but https://github.com/hashicorp/terraform/blob/master/helper/schema/schema.go#L188 suggests we can't.
Totally unusable. |
|
I actually think the best approach would have been to keep the load balancer types separate. They have quite a lot of differences that have made this more complex than it needed to be. I'm sure there are additional things that have not been picked up so far, but once these fixes go in, we may see edge cases not picked up by tests. |
|
Ideally schema.Schema would have been an interface, not a struct and you could just compose the types of LB from a common struct and type specific one. |
|
@DaveBlooman maybe we should keep them separate? It's obvious implementation wasn't as simple as it appeared to be at the outset. It makes sense to me to keep them separate as they require different things. Even though AWS sees them as one resource, functionally they're different. |
|
@nathanielks the The big differences are in:
basically no overlap
again, no overlap So IMHO it makes sense to split listener and target into |
|
@c2h5oh |
|
hi - since this is blocking us - is there a way to get a binary for this version? |
|
@OferE you can just pull the branch and build your own binary pretty easily. |
|
@OferE I have made a release on my fork, assuming its macOS/Linux you wanted. https://github.com/DaveBlooman/terraform-provider-aws/releases/tag/dev |
|
Thank u so much!! you are amazing |
|
@DaveBlooman : you're a lifesaver. |
|
I just tried to setup a new This is my code: And to clarify, I'm using the Which I believe should be fine. Am I doing something wrong or is this just a bug? |
|
@DaveBlooman one more: edit2: interval has to be exactly 30s, timeout exactly 10s |
|
@c2h5oh So you can change the interval, you can set it to 10 or 30s, but the timeout is set to 10s. I have made some changes to this PR so that it should cover the health check block correctly. Here is some sample TF for those having issues with ASG's and NLB's, just fill in the locals and deploy an app running on 8080. locals {
subnet_id = "subnet-"
vpc_id = "vpc-"
ami_id = "ami-"
key_pair = ""
instance_type = "t2.micro"
}
resource "aws_lb" "demo" {
name = "demo-lb"
internal = false
load_balancer_type = "network"
enable_deletion_protection = false
subnet_mapping {
subnet_id = "${local.subnet_id}"
allocation_id = "${aws_eip.demo.id}"
}
tags {
Environment = "demo"
}
}
resource "aws_lb_target_group" "demo" {
name = "nlb-example"
port = 8080
protocol = "TCP"
vpc_id = "${local.vpc_id}"
health_check {
interval = 30
port = 8080
protocol = "TCP"
healthy_threshold = 3
}
}
resource "aws_lb_listener" "demo" {
load_balancer_arn = "${aws_lb.demo.id}"
port = "80"
protocol = "TCP"
default_action {
target_group_arn = "${aws_lb_target_group.demo.id}"
type = "forward"
}
}
resource "aws_eip" "demo" {}
resource "aws_autoscaling_group" "demo" {
name = "testing-asg"
vpc_zone_identifier = ["${local.subnet_id}"]
target_group_arns = ["${aws_lb_target_group.demo.arn}"]
health_check_type = "EC2"
launch_configuration = "${aws_launch_configuration.demo.name}"
desired_capacity = 1
max_size = 1
min_size = 1
}
resource "aws_launch_configuration" "demo" {
name_prefix = "demo-"
image_id = "${local.ami_id}"
instance_type = "${local.instance_type}"
key_name = "${local.key_pair}"
security_groups = ["${aws_security_group.demo.id}"]
lifecycle {
create_before_destroy = true
}
}
resource "aws_security_group" "demo" {
vpc_id = "${local.vpc_id}"
name = "demo-nlb"
description = "demo-nlb"
tags {
Name = "demo-nlb"
}
}
resource "aws_security_group_rule" "demo_ssh_in" {
type = "ingress"
from_port = 22
to_port = 22
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.demo.id}"
}
resource "aws_security_group_rule" "nlb_port_in" {
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.demo.id}"
}
resource "aws_security_group_rule" "traffic_out" {
type = "egress"
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
security_group_id = "${aws_security_group.demo.id}"
}
|
| @@ -794,6 +794,39 @@ resource "aws_vpc" "test" { | |||
| }`, targetGroupName) | |||
| } | |||
|
|
|||
| func testAccAWSLBTargetGroupConfig_typeTCP(targetGroupName string) string { | |||
There was a problem hiding this comment.
This configuration isn't actually used in a test, was the corresponding test omitted?
|
|
||
| deregistration_delay = 200 | ||
|
|
||
| stickiness { |
There was a problem hiding this comment.
stickiness is only applicable to Application Load balancers:
We should take this opportunity to document that as well
|
I've opened #2251 to supersede of this one. It's a continuation with just a commit on top that adds a test and updates the docs. That PR will allow Network Load balancers to use Target Groups. Please let me know what you think! I'm going to close this one for now |
|
Hello Terraform, This is a very critical blocker for our automation and we are ending up getting the same error. Error applying plan: 1 error(s) occurred:
1 error(s) occurred:
My Code* enable_deletion_protection = false tags { NOTE: The Load balancer is actually created and is attached to multiple Availability zone as mentioned in the subnet. But the error simply fails the automation. Is there an ETA when this will be resolved or any suggestions to circumvent this behavior..... Thank you |
|
@AnishAnil this was shipped yesterday in |
|
I just updated Terraform and tested and ended up with the same error. The only differnec being it asks to confirm before i apply the plan and after the plan it applied the "Error" is in red while the rest of the message is in plain white text. Error: Error applying plan: <"Error" in this statement is in RED and is the only differnece> 1 error(s) occurred:
Terraform does not automatically rollback in the face of errors.Instead, your Terraform state file has been partially updated with any resources that successfully completed. Please address the error above and apply again to incremental
Is this the intended behavior.........or is there any separete mentod to upgrade to 1.3?? |
|
HI @AnishAnil Since Terraform 0.10, providers (aws, google, azure, rabbitmq, etc..) are not in their own repository, like the one you are currently seeing. This brings a lot of pros: you don't need the core release to get new fixes & features as each one of them has its own lifecycle and thus is built & released independently. Yesterday, we released version 1.3.0 of the AWS Provider, which contains the new features & fixes. It seems you updated Terraform only, which is a great thing! however, you will only get those new features once you run: Can you do that and tell us how it goes? Thanks! |
|
@Ninir, Thank you n it works now. |
|
I'm having the same issue where TCP is not a valid option for protocol. Error: aws_lb_target_group.testexternal: "protocol" must be either "HTTP" or "HTTPS" |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks! |
ghost
locked and limited conversation to collaborators
The loadbalancer changes don't allow for a NLB to be created because the NLB uses TCP only, with most of the code only allowing HTTP or HTTPS.
I think there is probably some additional code coverage that can be added here, especially as NLB's are much more restrictive than ALB/ELB
Example