Terraform-provider-aws: Cannot create multiple path-pattern conditions for ALB Rules

Created on 7 May 2019  ·  16 comments  ·  Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.11.13
+ provider.aws v2.8.0
+ provider.template v2.1.1

Affected Resource(s)

  • aws_lb_listener_rule

Terraform Configuration Files

resource "aws_lb_listener_rule" "test" {
  listener_arn = "<<arn_scrubbed>>"
  priority     = 25
  action {
    type             = "forward"
    target_group_arn = "${aws_lb_target_group.mytarget.arn}"
  }

  condition {
    field  = "path-pattern"
    values = ["/account.php", "/client.php*"]
  }

  condition {
    field  = "host-header"
    values = ["dev01site.example.com"]
  }
}

Expected Behavior

Created an ALB rule with a multi-condition path-pattern - this is possible to do in the console.

See screenshot: [Screen Shot 2019-05-06 at 10 42 30 PM]

Actual Behavior

Error: aws_lb_listener_rule.test: condition.0.values: attribute supports 1 item maximum, config has 2 declared

This is the first time I'm seeing an option in the Amazon Console GUI that I cannot perform with Terraform. Have triple checked the TF docs for aws_lb_listener_rule and it even states "A maximum of 1 can be defined." for the Values field.

Labels: enhancement, servicelb

All 16 comments

Also host-header is not supporting multiple values.

Error: aws_alb_listener_rule.alb_web_rule1: condition.0.values: attribute supports 1 item maximum, config has 2 declared.

resource "aws_alb_listener_rule" "alb_web_rule1" {
  listener_arn = "${aws_alb_listener.alb_web_https.arn}"
  priority     = 1
  action {
    type             = "forward"
    target_group_arn = "${aws_alb_target_group.tg_web1_uat_https.arn}"
  }
  condition {
    field  = "host-header"
    values = ["uat.example.com", "uat-analytics.example.com"]
  }
}

Duplicate of #8126

When I use the resource aws_lb_listener_rule with multiple path patterns, I follow the code practice below:

variable "path_patterns" {
  type = "list"
}

resource "aws_lb_listener_rule" "default" {
  count        = "${length(var.path_patterns)}"
  listener_arn = "${aws_lb_listener.default.arn}"

  /* .. */

  condition {
    field = "path-pattern"

    values = [
      "${element(var.path_patterns, count.index)}",
    ]
  }
}

Generally speaking, I attach multiple aws_lb_listener_rule to aws_lb_listener.

I hit the ALB limit number of rules with the solution that @thoo5ieb provided. Is this feature available in provider version 2.23.0?

@sandangel If I understand correctly, the limit-reaching issue you have will be pretty much the same with different Terraform resource design constraints. Under the hood, it still creates N rules for a specific AWS ALB listener. One way or the other, you can reach out to AWS support OR re-design (if possible) your solution to a given problem.

@thoo5ieb Thanks for your response.
I have around 107 routes and with your solution I need to use 107 rules for the HTTPS listener, which is not possible with the current ALB spec (100 rules max).
With multiple values per rule config I just need to use 22 rules, which is still far from the limit. I managed to reduce the number of routes to < 100 by using a wildcard prefix for some routes, so your solution works for me right now, but hopefully multiple values per rule will be available soon.

@thoo5ieb, @sandangel hit the nail on the head and explained the exact use case on why I created this issue in the first place.

The functionality (multiple pathing rules) can be done with the AWS console, but cannot be done with Terraform. Therefore if we want to not hit the limit, we cannot use Terraform and need to use the AWS console or some janky wildcard workaround which doesn't fit all use-cases.

@emmm-dee you can still use local_exec, null_resource to call aws-cli

> @emmm-dee you can still use local_exec, null_resource to call aws-cli

For sure, but quite sad it's the only way given that all my other infra is properly managed with Terraform.

Right now I'm just using a bash script that calls aws-cli to get this job done. Could probably have local_exec call it, but it's just as easy triggering the script as needed manually.

Active bounty open to have this fixed: https://www.bountysource.com/issues/73811280-cannot-create-multiple-path-pattern-conditions-for-alb-rules

Thanks to anyone that can contribute either by code or by fiat to help get this fixed up! Godspeed.

@sandangel any chance you could share an example?

This issue is part of #8126

Here is a working workaround example from my code with a few explanations:

  • listener rules made by Terraform contain a single pattern value (as the condition block is required and the rule resource won't be created without it) and are then overwritten by the null_resource provider later in plan execution
  • on each subsequent run, Terraform will find that the actual rule state doesn't match the desired one and restore the configuration managed by the aws_alb_listener_rule resource
  • null_resource is not aware of the actual state as it only executes provisioners; in particular, it won't know Terraform restored its desired config, so it must be triggered on each Terraform run with a timestamp() value
  • the overall result is that rules are recreated on each Terraform run (which is not great but works, allows keeping everything in Terraform code and prevents hitting ALB limits due to excessive rule separation)

# Resource name must match the reference in the null_resource below
# (the original had a stray leading space in " example_https").
resource "aws_alb_listener_rule" "example_https" {
  listener_arn = "${data.aws_lb_listener.elb_service_listener_443.arn}"
  action {
    type             = "forward"
    target_group_arn = "${module.elb_example_targetgroup.arn}"
  }
  # Placeholder condition: the block is required, and the real values are
  # applied by the null_resource afterwards.
  condition {
    field  = "host-header"
    values = ["example.com"]
  }
}

resource "null_resource" "update_rule_example_https" {
  # timestamp() changes every run, so the provisioner always re-executes.
  triggers = {
    always = "${timestamp()}"
  }
  provisioner "local-exec" {
    command = <<EOF
aws elbv2 modify-rule \
  --rule-arn=${aws_alb_listener_rule.example_https.arn} \
  --conditions='[
  {
    "Field": "host-header",
    "Values": [
      "example.com",
      "www.example.com"
    ]
  }
]'
EOF
  }
}
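The two limits discussed in this thread (the ALB rule quota that @sandangel hit, and the per-rule condition values that the `aws elbv2 modify-rule --conditions` payload above carries) can be reasoned about with a small helper. The following is an added example, not code from the issue or from the provider: it packs a route list into as few rules as the per-rule value budget allows, builds the same JSON shape the `--conditions` argument expects, and flags when the resulting rule count would exceed the listener quota. It assumes the AWS quota of 5 condition values per rule and the default 100 rules per ALB, and further assumes (as a conservative simplification) that host-header values and path-pattern values share that 5-value budget; check your account's actual quotas before relying on the numbers.

```python
"""Pack ALB routes into listener-rule conditions within the AWS quotas.

Added example (not from the issue or the provider). The quota values below
are assumptions taken from the AWS documentation defaults; adjust them to
match the quotas actually configured on your account.
"""
import json
from typing import Dict, List

MAX_VALUES_PER_RULE = 5    # assumed: condition values per rule (AWS default)
MAX_RULES_PER_ALB = 100    # assumed: rules per ALB (AWS default, adjustable)

Condition = Dict[str, object]


def rules_needed(n_paths: int, n_host_values: int = 0,
                 budget: int = MAX_VALUES_PER_RULE) -> int:
    """Ceiling of paths divided by the values left after host-header values."""
    per_rule = budget - n_host_values
    if per_rule < 1:
        raise ValueError("host-header values alone exhaust the per-rule budget")
    return -(-n_paths // per_rule)  # ceiling division without floats


def chunk_paths(paths: List[str], n_host_values: int = 0,
                budget: int = MAX_VALUES_PER_RULE) -> List[List[str]]:
    """Split the path list into slices that fit one rule each."""
    per_rule = budget - n_host_values
    if per_rule < 1:
        raise ValueError("host-header values alone exhaust the per-rule budget")
    return [paths[i:i + per_rule] for i in range(0, len(paths), per_rule)]


def build_conditions(host_headers: List[str],
                     path_patterns: List[str]) -> List[List[Condition]]:
    """One --conditions payload per rule, each repeating the host-header
    condition and carrying as many path patterns as the budget permits."""
    payloads: List[List[Condition]] = []
    for chunk in chunk_paths(path_patterns, len(host_headers)):
        conditions: List[Condition] = []
        if host_headers:
            conditions.append({"Field": "host-header",
                               "Values": list(host_headers)})
        conditions.append({"Field": "path-pattern", "Values": chunk})
        payloads.append(conditions)
    return payloads


def within_rule_quota(n_rules: int, limit: int = MAX_RULES_PER_ALB) -> bool:
    """True when the rule count fits the listener's ALB quota."""
    return n_rules <= limit


def conditions_json(conditions: List[Condition]) -> str:
    """Render one payload the way it is passed to `--conditions`."""
    return json.dumps(conditions, indent=2)


# Constructed sample input: the 107 routes mentioned in the thread.
SAMPLE_HOSTS: List[str] = []
SAMPLE_PATHS = [f"/service{i}/*" for i in range(1, 108)]

if __name__ == "__main__":
    payloads = build_conditions(SAMPLE_HOSTS, SAMPLE_PATHS)
    print(f"{len(SAMPLE_PATHS)} routes -> {len(payloads)} rules; "
          f"within quota: {within_rule_quota(len(payloads))}")
    print(conditions_json(payloads[0]))
```

Running it reproduces the count from the discussion: 107 routes without a host-header condition pack into 22 rules, while one rule per route (107) exceeds the default quota. Adding host-header values shrinks the per-rule path budget, which is why the helper takes them into account rather than assuming a flat 5 paths per rule.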

It looks like this is possible with the new syntax:

  condition {
    host_header {
      values = var.alb_listener_rule_host_header_values
    }
  }
  condition {
    path_pattern {
      values = var.alb_listener_rule_path_pattern_values
    }
  }

It also works with terraform 0.12 dynamic blocks:

resource "aws_alb_listener_rule" "service" {
  listener_arn = data.aws_alb_listener.service.arn

  action {
    type             = "forward"
    target_group_arn = aws_alb_target_group.service.arn
  }

  condition {
    host_header {
      values = var.alb_listener_rule_host_header_values
    }
  }

  dynamic "condition" {
    for_each = length(var.alb_listener_rule_path_pattern_values) > 0 ? [true] : []
    content {
      path_pattern {
        values = var.alb_listener_rule_path_pattern_values
      }
    }
  }
}

Hi folks 👋 Sorry this issue was not closed out with the release of version 2.42.0 of the Terraform AWS Provider a few weeks ago as part of https://github.com/terraform-providers/terraform-provider-aws/issues/8126. Closing as the feature request was resolved.

The examples provided by @danieladams456 above should be a good starting point. If you're looking for general assistance still, please note that we use GitHub issues in this repository for tracking bugs and enhancements with the Terraform AWS Provider codebase rather than for questions. While we may be able to help with certain simple problems here it's generally better to use the community forums where there are far more people ready to help, whereas the GitHub issues here are generally monitored only by a few maintainers and dedicated community members interested in code development of the Terraform AWS Provider itself.

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!
