I just gave #1806 a spin (on 5a7d0ccdc15f122eb6aab4a3dd1b493c7e8d0cf7). With the current state it looks like I am unable to create LBs of type network:
http[s], resulting in a crash
tcp
network, instead availability zones have to be provided
First two things are easy to fix, however I don't know how to properly address the last point, because AZs cannot be passed as part of the CreateLoadBalancerInput and instead have to be set via lb.SetAvailabilityZones.
Thanks, according to #1618 I was under the impression that this should already work in latest master.
I was under the same impression, i.e. that after #1806 was merged Network Load Balancers would work. @bubunyo do you know of any additional work in progress for NLB support? I don't see any other Issues or PRs.
I don't know of any other WIP for NLB support. I don't know exactly what the hold up is for the release for version 1.0.1. I also don't know what the ETA for that is. Perhaps @radeksimko can help with that.
I will take a look this week, hopefully, as I wanted to cut a release.
Lacking features can certainly be added in future releases but if there's a known crash or significantly buggy behaviour introduced by #1806 then that would make me reconsider and fix the bug before cutting the release.
Do you mind providing an example config that causes a crash @else ?
Thanks.
Sorry for being unclear, the crash only occurred during my experiments when I allowed target group protocol tcp which is necessary for NLBs.
This is the diff that I had to apply in order to get terraform to actually do something and not complain about erroneously configured provisioners:
diff --git a/aws/resource_aws_lb_target_group.go b/aws/resource_aws_lb_target_group.go
index 9cab9601..132fab88 100644
--- a/aws/resource_aws_lb_target_group.go
+++ b/aws/resource_aws_lb_target_group.go
@@ -420,11 +420,11 @@ func validateAwsLbTargetGroupPort(v interface{}, k string) (ws []string, errors
func validateAwsLbTargetGroupProtocol(v interface{}, k string) (ws []string, errors []error) {
protocol := strings.ToLower(v.(string))
- if protocol == "http" || protocol == "https" {
+ if protocol == "http" || protocol == "https" || protocol == "tcp" {
return
}
- errors = append(errors, fmt.Errorf("%q must be either %q or %q", k, "HTTP", "HTTPS"))
+ errors = append(errors, fmt.Errorf("%q must be either %q or %q", k, "HTTP", "HTTPS", "TCP"))
return
}
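Review bot: In validateAwsLbTargetGroupProtocol the new fmt.Errorf call passes four arguments (k, "HTTP", "HTTPS", "TCP") to a format string that still has only three %q verbs, so the message will name HTTP and HTTPS and append an extra-argument marker instead of listing TCP. Change the format to something like "%q must be one of %q, %q or %q" so the error matches the protocols the check now accepts.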
@@ -479,13 +479,15 @@ func flattenAwsLbTargetGroupResource(d *schema.ResourceData, meta interface{}, t
healthCheck := make(map[string]interface{})
healthCheck["interval"] = *targetGroup.HealthCheckIntervalSeconds
- healthCheck["path"] = *targetGroup.HealthCheckPath
+ if *targetGroup.Protocol != "TCP" {
+ healthCheck["path"] = *targetGroup.HealthCheckPath
+ healthCheck["matcher"] = *targetGroup.Matcher.HttpCode
+ }
healthCheck["port"] = *targetGroup.HealthCheckPort
healthCheck["protocol"] = *targetGroup.HealthCheckProtocol
healthCheck["timeout"] = *targetGroup.HealthCheckTimeoutSeconds
healthCheck["healthy_threshold"] = *targetGroup.HealthyThresholdCount
healthCheck["unhealthy_threshold"] = *targetGroup.UnhealthyThresholdCount
- healthCheck["matcher"] = *targetGroup.Matcher.HttpCode
d.Set("health_check", []interface{}{healthCheck})
attrResp, err := elbconn.DescribeTargetGroupAttributes(&elbv2.DescribeTargetGroupAttributesInput{
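Review bot: The new guard in flattenAwsLbTargetGroupResource decides whether to dereference targetGroup.HealthCheckPath and targetGroup.Matcher from *targetGroup.Protocol, but both belong to the health check, whose protocol is read separately as HealthCheckProtocol a few lines below. Checking the pointers themselves (targetGroup.HealthCheckPath != nil, targetGroup.Matcher != nil) before dereferencing would remove the nil-pointer crash in every case rather than only when the target group protocol is exactly "TCP". With the guard, the health_check map no longer carries path or matcher keys for TCP groups, so confirm the schema tolerates their absence without producing a diff.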
diff --git a/website/docs/r/lb.html.markdown b/website/docs/r/lb.html.markdown
index c155a15e..ee193c14 100644
--- a/website/docs/r/lb.html.markdown
+++ b/website/docs/r/lb.html.markdown
@@ -50,7 +50,7 @@ Terraform will autogenerate a name beginning with `tf-lb`.
* `name_prefix` - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
* `internal` - (Optional) If true, the LB will be internal.
* `load_balancer_type` - (Optional) The type of load balancer to create. Possible values are `application` or `network`. The default value is `application`.
-* `security_groups` - (Optional) A list of security group IDs to assign to the LB.
+* `security_groups` - (Optional) A list of security group IDs to assign to the LB. Only allowed for type `application`.
* `access_logs` - (Optional) An Access Logs block. Access Logs documented below.
* `subnets` - (Optional) A list of subnet IDs to attach to the LB.
* `subnet_mapping` - (Optional) A subnet mapping block as documented below.
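Review bot: The sentence added to security_groups documents a restriction that nothing in this patch enforces; the only code file touched is resource_aws_lb_target_group.go. Either add a check on the lb resource that rejects security_groups when load_balancer_type is network, or say here what happens when both are set. It is also worth stating the consequence for users: a load balancer of type network has no security group of its own to restrict inbound traffic.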
diff --git a/website/docs/r/lb_listener.html.markdown b/website/docs/r/lb_listener.html.markdown
index f9398e05..7b7f82ab 100644
--- a/website/docs/r/lb_listener.html.markdown
+++ b/website/docs/r/lb_listener.html.markdown
@@ -44,7 +44,7 @@ The following arguments are supported:
* `load_balancer_arn` - (Required, Forces New Resource) The ARN of the load balancer.
* `port` - (Required) The port on which the load balancer is listening.
-* `protocol` - (Optional) The protocol for connections from clients to the load balancer. Valid values are `HTTP` and `HTTPS`. Defaults to `HTTP`.
+* `protocol` - (Optional) The protocol for connections from clients to the load balancer. Valid values are `HTTP`, `HTTPS` and `TCP`. Defaults to `HTTP`. Note that the set of available protocols depends on the target groups attached to the load balancer.
* `ssl_policy` - (Optional) The name of the SSL Policy for the listener. Required if `protocol` is `HTTPS`.
* `certificate_arn` - (Optional) The ARN of the SSL server certificate. Exactly one certificate is required if the protocol is HTTPS.
* `default_action` - (Required) An Action block. Action blocks are documented below.
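Review bot: The note added to protocol ("depends on the target groups attached to the load balancer") does not tell the reader which value to use; state the rule directly, for example which protocols are valid for which load_balancer_type. This patch also changes no listener code, so confirm the listener's own protocol validation accepts TCP before documenting it as a valid value.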
diff --git a/website/docs/r/lb_target_group.html.markdown b/website/docs/r/lb_target_group.html.markdown
index 15590ce5..257d9d7d 100644
--- a/website/docs/r/lb_target_group.html.markdown
+++ b/website/docs/r/lb_target_group.html.markdown
@@ -34,7 +34,7 @@ The following arguments are supported:
* `name` - (Optional, Forces new resource) The name of the target group. If omitted, Terraform will assign a random, unique name.
* `name_prefix` - (Optional, Forces new resource) Creates a unique name beginning with the specified prefix. Conflicts with `name`.
* `port` - (Required) The port on which targets receive traffic, unless overridden when registering a specific target.
-* `protocol` - (Required) The protocol to use for routing traffic to the targets.
+* `protocol` - (Required) The protocol to use for routing traffic to the targets. Valid protocols are `HTTP`, `HTTPS` and `TCP`.
* `vpc_id` - (Required) The identifier of the VPC in which to create the target group.
* `deregistration_delay` - (Optional) The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.
* `stickiness` - (Optional) A Stickiness block. Stickiness blocks are documented below.
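Review bot: The protocol line now lists TCP, but the docs do not mention that the health check path and matcher are skipped for TCP target groups, which is what the change to flattenAwsLbTargetGroupResource in this patch assumes. Add that to the health check documentation on this page so the documented arguments match the provider's behaviour.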
What's missing here is the possibility to set the subnet. Apparently this is only possible by setting availability zones?
@else could you try my branch https://github.com/terraform-providers/terraform-provider-aws/pull/1884
I created a Network Load Balancer manually via the AWS console and tried using an aws_lb Data Source to work around this issue, but that doesn't work either. Details here:
https://github.com/terraform-providers/terraform-provider-aws/issues/1912#issuecomment-337915717
@bploetz I will have a look at the data source later if I get a chance
There are a few other cases didn't handle well:
Unable to update subnets error)
healthy_threshold the same as unhealthy_threshold
matcher is required parameter when sending the api request, but it has to be "200-399"
Hello all! #2251 is a continuation of #1884 which addressed these issues, so Network Load balancers should be fully supported. There's another PR https://github.com/terraform-providers/terraform-provider-aws/pull/1941 to throw an error if a user tries to update subnets on aws_lb of type network, which is not currently supported by the AWS API.
If there is anything else you see missing please let me know!
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!