Listeners
Define listeners inside each load balancer under lbs.<lb>.listeners.
Key fields (per listener):
- port (default: "80")
- protocol (default: "HTTP") — for ALB: HTTP/HTTPS; for NLB: TCP/UDP/TLS/TCP_UDP.
- certificates (ALB HTTPS) — list of certificate keys; supports SNI with multiple certs.
- ssl_policy (optional, ALB HTTPS)
- alpn_policy (optional)
- default_action — one of:
  - redirect: to HTTPS/port 443 by default
  - fixed_response: minimal shape allowed
  - forward: for NLB, must specify target_group
Examples
# NLB TCP listener forwarding to a TG
lbs = {
  smtp-nlb = {
    load_balancer_type = "network"
    internal = true
    subnets = ["SharedInfra.SharedInfraPrivateAZ1"]
    listeners = {
      smtp25 = {
        port = "25"
        protocol = "TCP"
        default_action = {
          type = "forward"
          target_group = "SharedInfra.smtp"
        }
      }
    }
  }
}
# ALB Listener for WSS
lbs = {
  default = {
    subnets = ["CentralIngress.CentralIngressPublicAZ1", "CentralIngress.CentralIngressPublicAZ2"]
    security_groups = ["CentralIngress.lb"]
    listeners = {
      default80 = {},
      default443 = {
        port = "443"
        protocol = "HTTPS"
        certificates = ["default", "wss", "test2"]
        default_action = {
          type = "fixed-response"
          fixed_response = {}
        }
        rules = {
          wss = {
            priority = 10
            action = {
              target_group = "CentralIngress.wss"
            }
            conditions = [{
              host_header = {
                values = ["wss.sapphirehealth.org"]
              }
            }]
          }
        }
      }
    }
  }
}
Notes:
- For NLB, rules are not supported; use default_action forward to a target_group.
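The protocol and NLB constraints above can be checked before a plan is run. The following is an added example, not part of this module: a Python lint over a dict shaped like the lbs map. The function name lint_lbs, the "application" default for load_balancer_type, and the bad-nlb entry are assumptions made for illustration.

```python
# Added example (not the module's code): lint a dict shaped like the `lbs` map.
ALLOWED_PROTOCOLS = {
    "application": {"HTTP", "HTTPS"},
    "network": {"TCP", "UDP", "TLS", "TCP_UDP"},
}

def lint_lbs(lbs):
    """Return 'lb.listener: message' findings for the listener rules on this page."""
    findings = []
    for lb_name, lb in lbs.items():
        # Assumption: load_balancer_type is "application" when omitted, as in
        # the ALB example, which does not set it.
        lb_type = lb.get("load_balancer_type", "application")
        for name, listener in lb.get("listeners", {}).items():
            where = f"{lb_name}.{name}"
            protocol = listener.get("protocol", "HTTP")  # documented default
            if protocol not in ALLOWED_PROTOCOLS.get(lb_type, set()):
                findings.append(f"{where}: protocol {protocol} is not valid for a {lb_type} LB")
            if lb_type != "network":
                continue
            if listener.get("rules"):
                findings.append(f"{where}: rules are not supported on NLB")
            action = listener.get("default_action", {})
            if action.get("type") != "forward" or not action.get("target_group"):
                findings.append(f"{where}: NLB needs default_action forward with a target_group")
    return findings

# Constructed input: the NLB example from this page plus a deliberately broken one.
SAMPLE = {
    "smtp-nlb": {
        "load_balancer_type": "network",
        "listeners": {"smtp25": {
            "port": "25", "protocol": "TCP",
            "default_action": {"type": "forward", "target_group": "SharedInfra.smtp"},
        }},
    },
    "bad-nlb": {
        "load_balancer_type": "network",
        "listeners": {"web": {
            "protocol": "HTTPS",
            "rules": {"wss": {"priority": 10}},
            "default_action": {"type": "forward"},
        }},
    },
}

if __name__ == "__main__":
    print("\n".join(lint_lbs(SAMPLE)))
```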