Demonstrations
These step-by-step demonstrations walk you through complete workflows using the alb module. Each demonstration includes prerequisites, detailed instructions, and verification steps.
Getting Started
To follow any demonstration, ensure you have:
- Prerequisites met: Terraform >= 1.0, AWS CLI configured
- Authenticate with the registry:
      terraform login registry.patterneddesigns.ca
- Clone the demonstration repository:
      git clone <demo-repo-url>
- Follow the step-by-step instructions below
Step-by-Step Guides
Deploy an ALB with HTTPS listener and SSL certificate
Step 1: Create the ALB
    module "web_alb" {
      source  = "registry.patterneddesigns.ca/patterneddesigns/alb/aws"
      version = "3.0.0"

      name    = "web-alb"
      vpc_id  = module.vpc.vpc_id
      subnets = module.vpc.public_subnets
    }
Step 2: Configure HTTPS Listener
Add an HTTPS listener with your SSL certificate.
Step 3: Verify Configuration
Test the ALB endpoint and verify SSL is working correctly.
Configure SSL/TLS termination with ACM certificates
This demonstration shows how to set up SSL/TLS termination on an ALB using AWS Certificate Manager (ACM).
Step 1: Request an ACM Certificate
First, request a certificate for your domain:
    resource "aws_acm_certificate" "main" {
      domain_name       = "example.com"
      validation_method = "DNS"

      subject_alternative_names = [
        "*.example.com"
      ]

      lifecycle {
        create_before_destroy = true
      }

      tags = {
        Name = "example-cert"
      }
    }
Step 2: Validate the Certificate
Create DNS validation records in Route53:
    resource "aws_route53_record" "cert_validation" {
      for_each = {
        for dvo in aws_acm_certificate.main.domain_validation_options : dvo.domain_name => {
          name   = dvo.resource_record_name
          record = dvo.resource_record_value
          type   = dvo.resource_record_type
        }
      }

      zone_id = aws_route53_zone.main.zone_id
      name    = each.value.name
      type    = each.value.type
      ttl     = 60
      records = [each.value.record]
    }

    resource "aws_acm_certificate_validation" "main" {
      certificate_arn         = aws_acm_certificate.main.arn
      validation_record_fqdns = [for record in aws_route53_record.cert_validation : record.fqdn]
    }
Step 3: Create the ALB with HTTPS Listener
Deploy the ALB with SSL termination:
    module "secure_alb" {
      source  = "registry.patterneddesigns.ca/patterneddesigns/alb/aws"
      version = "3.0.0"

      name    = "secure-alb"
      vpc_id  = module.vpc.vpc_id
      subnets = module.vpc.public_subnets

      # Redirect HTTP to HTTPS
      http_listeners = [{
        port = 80
        redirect = {
          port        = "443"
          protocol    = "HTTPS"
          status_code = "HTTP_301"
        }
      }]

      # HTTPS listener with certificate
      https_listeners = [{
        port            = 443
        certificate_arn = aws_acm_certificate_validation.main.certificate_arn
        ssl_policy      = "ELBSecurityPolicy-TLS13-1-2-2021-06"
      }]

      depends_on = [aws_acm_certificate_validation.main]
    }
Step 4: Create DNS Record for ALB
Point your domain to the ALB:
    resource "aws_route53_record" "alb" {
      zone_id = aws_route53_zone.main.zone_id
      name    = "example.com"
      type    = "A"

      alias {
        name                   = module.secure_alb.alb_dns_name
        zone_id                = module.secure_alb.alb_zone_id
        evaluate_target_health = true
      }
    }
Step 5: Verify SSL Configuration
After deployment, verify the configuration:
- Check certificate status in ACM console
- Test HTTPS access:
      curl -I https://example.com
- Verify HTTP redirect:
      curl -I http://example.com
- Test SSL with SSL Labs: https://www.ssllabs.com/ssltest/
Security Best Practices
- Use TLS 1.2 or higher (ELBSecurityPolicy-TLS13-1-2-2021-06)
- Enable HTTP to HTTPS redirect
- Use wildcard certificates for subdomains
- Monitor certificate expiration with CloudWatch
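
A pre-deployment check for the first two practices above, as an added example that is not part of the alb module or the original page: it reads `terraform show -json` plan output and flags HTTPS listeners whose `ssl_policy` is outside an allowlist, and any other listener that does not redirect to HTTPS. It assumes the module creates `aws_lb_listener` resources; the allowlist, the resource addresses and the sample plan are constructed for illustration.

```python
import json
import sys

# Assumption: policies accepted here; both refuse anything below TLS 1.2.
ALLOWED_SSL_POLICIES = {
    "ELBSecurityPolicy-TLS13-1-2-2021-06",  # the policy used in Step 3
    "ELBSecurityPolicy-TLS13-1-3-2021-06",  # TLS 1.3 only
}

def audit_listeners(plan):
    """Return one finding per aws_lb_listener that breaks the listener rules."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after")
        if rc.get("type") != "aws_lb_listener" or not after:
            continue  # other resource types, or a listener being destroyed
        addr = rc["address"]
        if after.get("protocol") == "HTTPS":
            policy = after.get("ssl_policy")
            if policy not in ALLOWED_SSL_POLICIES:
                findings.append(f"{addr}: ssl_policy {policy!r} is not allowed")
            continue
        # Every other listener must redirect; nested blocks are lists in plan JSON.
        redirects = [r for a in after.get("default_action") or []
                     if a.get("type") == "redirect"
                     for r in a.get("redirect") or []]
        if not any(r.get("protocol") == "HTTPS" for r in redirects):
            findings.append(f"{addr}: non-HTTPS listener does not redirect to HTTPS")
    return findings

def _listener(addr, **after):
    return {"address": addr, "type": "aws_lb_listener", "change": {"after": after}}

# Constructed sample plan; resource addresses inside the module are hypothetical.
SAMPLE_PLAN = {"resource_changes": [
    _listener("module.secure_alb.aws_lb_listener.https[0]", port=443, protocol="HTTPS",
              ssl_policy="ELBSecurityPolicy-TLS13-1-2-2021-06"),
    _listener("module.secure_alb.aws_lb_listener.http[0]", port=80, protocol="HTTP",
              default_action=[{"type": "redirect", "redirect": [
                  {"port": "443", "protocol": "HTTPS", "status_code": "HTTP_301"}]}]),
    _listener("module.legacy_alb.aws_lb_listener.https[0]", port=443, protocol="HTTPS",
              ssl_policy="ELBSecurityPolicy-2016-08"),  # permits TLS 1.0 and 1.1
    _listener("module.legacy_alb.aws_lb_listener.http[0]", port=80, protocol="HTTP",
              default_action=[{"type": "forward"}]),  # serves plain HTTP
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    sys.exit("\n".join(audit_listeners(plan)) or 0)  # findings go to stderr, exit 1
```

Produce the input with `terraform plan -out=tfplan` followed by `terraform show -json tfplan > plan.json`, then pass `plan.json` as the first argument; a non-zero exit code means at least one finding.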