80kk
January 24, 2020, 4:35pm
1
Hi,
This is my issue opened on GitHub (opened 03:29PM - 20 Jan 20 UTC, closed 01:38PM - 29 Jun 21 UTC, labels: question, service/elbv2):
I am trying to set up an NLB for AWS Transfer Server, however I'm stuck on the target register step, as TF outputs IPs in eni-xyz format only. How can I get IPs from ENI ids to use them as targets?
main.tf
```
resource "aws_transfer_server" "transfer_server" {
  identity_provider_type = "API_GATEWAY"
  endpoint_type          = "VPC_ENDPOINT"
  endpoint_details {
    vpc_endpoint_id = aws_vpc_endpoint.transfer_server.id
  }
  logging_role    = aws_iam_role.transfer_server-role.arn
  url             = var.api_url
  invocation_role = aws_iam_role.transfer_server_invocation-role.arn
  tags            = var.tags
  depends_on      = [aws_vpc_endpoint.transfer_server]
}

resource "aws_vpc_endpoint" "transfer_server" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.transfer.server"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.public_subnet_ids
  private_dns_enabled = true
  security_group_ids  = [aws_security_group.transfer_server.id]
}

resource "aws_security_group" "transfer_server" {
  name        = join("", [var.tags.Environment, "-transfer_server"])
  description = "allows access to SFTP"
  vpc_id      = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    description = "allows port 22 to be accessed from local VPC and the internet"
    cidr_blocks = concat(var.allowed_pub_cidrs, var.allowed_priv_cidrs)
    self        = true
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
  tags = var.tags
}
```
## NLB
```
resource "aws_eip" "eip_nlb" {
  count = length(var.public_subnet_ids)
  vpc   = true
}

resource "aws_lb" "sftp-nlb" {
  name                       = join("", [var.tags.Environment, "-sftp-nlb"])
  internal                   = false
  load_balancer_type         = "network"
  enable_deletion_protection = false
  idle_timeout               = 180
  tags                       = var.tags
  dynamic "subnet_mapping" {
    for_each = var.subnet_mapping
    content {
      subnet_id     = subnet_mapping.value.subnet_id
      allocation_id = lookup(subnet_mapping.value, "allocation_id", null)
    }
  }
}

resource "aws_lb_target_group" "sftp-nlb-target-group" {
  name        = join("", [var.tags.Environment, "-sftp"])
  port        = 22
  protocol    = "TCP"
  target_type = "ip"
  vpc_id      = var.vpc_id
  tags        = var.tags
}

resource "aws_lb_listener" "sftp-nlb-listener" {
  load_balancer_arn = aws_lb.sftp-nlb.arn
  port              = 22
  protocol          = "TCP"
  default_action {
    target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
    type             = "forward"
  }
}
```
vars.tf
```
output "transfer_server_id" {
  value = aws_transfer_server.transfer_server.id
}

output "transfer_server_endpoint" {
  value = aws_transfer_server.transfer_server.endpoint
}

output "vpc_endpoint_transferserver_network_interface_ids" {
  description = "One or more network interfaces for the VPC Endpoint for transferserver"
  value       = flatten(aws_vpc_endpoint.transfer_server.*.network_interface_ids)
}
```
What I want to do is to create a target group attachment. I have tried this:
```
data "aws_network_interface" "sftp-nlb" {
  for_each = var.private_subnet_ids
  filter {
    name   = "description"
    values = ["ELB ${aws_lb.sftp-nlb.arn_suffix}"]
  }
  filter {
    name   = "private_subnet_ids"
    values = [each.value]
  }
}

resource "aws_alb_target_group_attachment" "tg_attachment" {
  vpc_id           = var.vpc_id
  target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
  target_id        = formatlist("%s/32", [for eni in data.aws_network_interface.sftp-nlb : eni.private_ip])
  port             = 22
}
```
but that gives me:
```
Error: Incorrect attribute value type

  on modules/sftp/main.tf line 135, in resource "aws_alb_target_group_attachment" "tg_attachment":
 135:   target_id = formatlist("%s/32", [for eni in data.aws_network_interface.sftp-nlb : eni.private_ip])

Inappropriate value for attribute "target_id": string required.
```
An IP address is not an interface id. Try with eni.id instead of eni.private_ip.
80kk
January 27, 2020, 9:33am
3
Same error:
```
Error: Incorrect attribute value type

  on modules/sftp/main.tf line 136, in resource "aws_alb_target_group_attachment" "tg_attachment":
 136:   target_id = formatlist("%s/32", [for eni in data.aws_network_interface.sftp-nlb : eni.id])

Inappropriate value for attribute "target_id": string required.
```
Sorry, that was silly of me - I didn't read up on the aws_lb_target_group_attachment resource.
The resource only takes one id as target_id, so we must attach them separately.
```
resource "aws_alb_target_group_attachment" "tg_attachment" {
  # one attachment per ENI found by the data source
  for_each         = data.aws_network_interface.sftp-nlb
  target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
  # each.value is the network interface object; private_ip is one of its attributes
  target_id        = each.value.private_ip
  port             = 22
}
```
If this doesn't work, can I please see the contents of data.aws_network_interface.sftp-nlb? Just dump it as an output to get hold of it.
This is working although it is slightly different from what your question asked. I think you can adapt it to your case.
```
data "aws_network_interface" "vpc_endpoint_eni" {
  for_each = toset(var.private_subnet_ids)
  filter {
    name   = "description"
    values = ["ELB ${aws_lb.sftp-nlb.arn_suffix}"]
  }
  filter {
    name   = "subnet-id"
    values = [each.value]
  }
}

resource "aws_lb_target_group_attachment" "custom_domain_lb_api_targets" {
  for_each         = toset(var.private_subnet_ids)
  target_group_arn = aws_lb_target_group.custom_domain_lb_api_target_group.arn
  target_id        = data.aws_network_interface.vpc_endpoint_eni[each.key].private_ip
  port             = 443
}
```
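Added example, not code from this thread or from the AWS provider docs: the same one-attachment-per-ENI pattern, but resolving the ENIs directly from the Transfer Server's own VPC endpoint (the `eni-xyz` ids the question asks about) instead of filtering on an ELB description. It reuses the names from the question (`aws_vpc_endpoint.transfer_server`, `aws_lb_target_group.sftp-nlb-target-group`, `var.public_subnet_ids`) and assumes the target group keeps `target_type = "ip"`; the data source and resource names `transfer_endpoint` are my own.

```hcl
# Added example (not from the thread): register the Transfer Server's VPC
# endpoint ENIs as IP targets of the NLB target group.
#
# The endpoint creates one ENI per subnet in subnet_ids, so the number of
# targets is known at plan time even though the ENI ids only exist after
# apply. count is used deliberately: for_each over the ENI ids would fail on
# the first plan with "The for_each value depends on resource attributes that
# cannot be determined until apply".
data "aws_network_interface" "transfer_endpoint" {
  count = length(var.public_subnet_ids)

  # network_interface_ids is a set of strings; tolist() gives a stable order
  # so count.index always maps to the same ENI across runs.
  id = tolist(aws_vpc_endpoint.transfer_server.network_interface_ids)[count.index]
}

resource "aws_lb_target_group_attachment" "transfer_endpoint" {
  count = length(var.public_subnet_ids)

  target_group_arn = aws_lb_target_group.sftp-nlb-target-group.arn
  # With target_type = "ip" the target_id is a single IPv4 address (no /32
  # suffix and no ENI id), hence one attachment resource per ENI.
  target_id = data.aws_network_interface.transfer_endpoint[count.index].private_ip
  port      = 22
}

# Exposes what was actually resolved, so the registered targets can be
# checked against the NLB console or `aws elbv2 describe-target-health`.
output "transfer_endpoint_private_ips" {
  value = data.aws_network_interface.transfer_endpoint[*].private_ip
}
```

After `terraform apply`, the output lists the endpoint's private IPs; each should appear as a target in the `sftp-nlb-target-group` and go healthy once the security group on the endpoint admits port 22 from the NLB's subnets.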