community.aws.elb_target_group module – Manage a target group for an Application or Network load balancer

Note

This module is part of the community.aws collection (version 5.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.aws. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.aws.elb_target_group.

New in community.aws 1.0.0

Synopsis

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 3.6

  • boto3 >= 1.18.0

  • botocore >= 1.21.0

Parameters

Parameter

Comments

access_key

aliases: aws_access_key_id, aws_access_key, ec2_access_key

string

AWS access key ID.

See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys.

The AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variables may also be used in decreasing order of preference.

The aws_access_key and profile options are mutually exclusive.

The aws_access_key_id alias was added in release 5.1.0 for consistency with the AWS botocore SDK.

The ec2_access_key alias has been deprecated and will be removed in a release after 2024-12-01.

Support for the EC2_ACCESS_KEY environment variable has been deprecated and will be removed in a release after 2024-12-01.

aws_ca_bundle

path

The location of a CA Bundle to use when validating SSL certificates.

The AWS_CA_BUNDLE environment variable may also be used.

aws_config

dictionary

A dictionary to modify the botocore configuration.

Parameters can be found in the AWS documentation https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config.

debug_botocore_endpoint_logs

boolean

Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputing the set to the resource_actions key in the task results. Use the aws_resource_action callback to output to total list made during a playbook.

The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.

Choices:

  • false ← (default)

  • true

deregistration_connection_termination

boolean

added in community.aws 3.1.0

Indicates whether the load balancer terminates connections at the end of the deregistration timeout.

Using this option is only supported when attaching to a Network Load Balancer (NLB).

Choices:

  • false ← (default)

  • true

deregistration_delay_timeout

integer

The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds.

endpoint_url

aliases: ec2_url, aws_endpoint_url, s3_url

string

URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS.

The AWS_URL or EC2_URL environment variables may also be used, in decreasing order of preference.

The ec2_url and s3_url aliases have been deprecated and will be removed in a release after 2024-12-01.

Support for the EC2_URL environment variable has been deprecated and will be removed in a release after 2024-12-01.

health_check_interval

integer

The approximate amount of time, in seconds, between health checks of an individual target.

health_check_path

string

The ping path that is the destination on the targets for health checks. The path must be defined in order to set a health check.

Requires the health_check_protocol parameter to be set.

health_check_port

string

The port the load balancer uses when performing health checks on targets. Can be set to ‘traffic-port’ to match target port.

When not defined will default to the port on which each target receives traffic from the load balancer.

health_check_protocol

string

The protocol the load balancer uses when performing health checks on targets.

Choices:

  • "http"

  • "https"

  • "tcp"

  • "tls"

  • "udp"

  • "tcp_udp"

  • "HTTP"

  • "HTTPS"

  • "TCP"

  • "TLS"

  • "UDP"

  • "TCP_UDP"

health_check_timeout

integer

The amount of time, in seconds, during which no response from a target means a failed health check.

healthy_threshold_count

integer

The number of consecutive health checks successes required before considering an unhealthy target healthy.

load_balancing_algorithm_type

string

added in community.aws 3.2.0

The type of load balancing algorithm to use.

Changing the load balancing algorithm is only supported when used with Application Load Balancers (ALB).

If not set AWS will default to round_robin.

Choices:

  • "round_robin"

  • "least_outstanding_requests"

modify_targets

boolean

Whether or not to alter existing targets in the group to match what is passed with the module

Choices:

  • false

  • true ← (default)

name

string / required

The name of the target group.

port

integer

The port on which the targets receive traffic. This port is used unless you specify a port override when registering the target.

Required when state is present and target_type is instance, ip, or alb.

preserve_client_ip_enabled

boolean

added in community.aws 2.1.0

Indicates whether client IP preservation is enabled.

The default is disabled if the target group type is ip address and the target group protocol is tcp or tls. Otherwise, the default is enabled. Client IP preservation cannot be disabled for udp and tcp_udp target groups.

preserve_client_ip_enabled is supported only by Network Load Balancers.

Choices:

  • false

  • true

profile

aliases: aws_profile

string

A named AWS profile to use for authentication.

See the AWS documentation for more information about named profiles https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html.

The AWS_PROFILE environment variable may also be used.

The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options.

protocol

string

The protocol to use for routing traffic to the targets.

Required when state is present and target_type is instance, ip, or alb.

Choices:

  • "http"

  • "https"

  • "tcp"

  • "tls"

  • "udp"

  • "tcp_udp"

  • "HTTP"

  • "HTTPS"

  • "TCP"

  • "TLS"

  • "UDP"

  • "TCP_UDP"

proxy_protocol_v2_enabled

boolean

added in community.aws 2.1.0

Indicates whether Proxy Protocol version 2 is enabled.

The value is true or false.

proxy_protocol_v2_enabled is supported only by Network Load Balancers.

Choices:

  • false

  • true

purge_tags

boolean

If purge_tags=true and tags is set, existing tags will be purged from the resource to match exactly what is defined by tags parameter.

If the tags parameter is not set then tags will not be modified, even if purge_tags=True.

Tag keys beginning with aws: are reserved by Amazon and can not be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions.

Choices:

  • false

  • true ← (default)

region

aliases: aws_region, ec2_region

string

The AWS region to use.

For global services such as IAM, Route53 and CloudFront, region is ignored.

The AWS_REGION or EC2_REGION environment variables may also be used.

See the Amazon AWS documentation for more information http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region.

The ec2_region alias has been deprecated and will be removed in a release after 2024-12-01

Support for the EC2_REGION environment variable has been deprecated and will be removed in a release after 2024-12-01.

secret_key

aliases: aws_secret_access_key, aws_secret_key, ec2_secret_key

string

AWS secret access key.

See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys.

The AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variables may also be used in decreasing order of preference.

The secret_key and profile options are mutually exclusive.

The aws_secret_access_key alias was added in release 5.1.0 for consistency with the AWS botocore SDK.

The ec2_secret_key alias has been deprecated and will be removed in a release after 2024-12-01.

Support for the EC2_SECRET_KEY environment variable has been deprecated and will be removed in a release after 2024-12-01.

session_token

aliases: aws_session_token, security_token, aws_security_token, access_token

string

AWS STS session token for use with temporary credentials.

See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys.

The AWS_SESSION_TOKEN, AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variables may also be used in decreasing order of preference.

The security_token and profile options are mutually exclusive.

Aliases aws_session_token and session_token were added in release 3.2.0, with the parameter being renamed from security_token to session_token in release 6.0.0.

The security_token, aws_security_token, and access_token aliases have been deprecated and will be removed in a release after 2024-12-01.

Support for the EC2_SECRET_KEY and AWS_SECURITY_TOKEN environment variables has been deprecated and will be removed in a release after 2024-12-01.

state

string / required

Create or destroy the target group.

Choices:

  • "present"

  • "absent"

integer

added in community.aws 1.5.0

The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the application-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds).

string

added in community.aws 1.5.0

The name of the application cookie. Required if stickiness_type=app_cookie.

stickiness_enabled

boolean

Indicates whether sticky sessions are enabled.

Choices:

  • false

  • true

integer

The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds).

stickiness_type

string

The type of sticky sessions.

Valid values are lb_cookie, app_cookie or source_ip.

If not set AWS will default to lb_cookie for Application Load Balancers or source_ip for Network Load Balancers.

successful_response_codes

string

The HTTP codes to use when checking for a successful response from a target.

Accepts multiple values (for example, “200,202”) or a range of values (for example, “200-299”).

Requires the health_check_protocol parameter to be set.

tags

aliases: resource_tags

dictionary

A dictionary representing the tags to be applied to the resource.

If the tags parameter is not set then tags will not be modified.

target_type

string

The type of target that you must specify when registering targets with this target group. The possible values are instance (targets are specified by instance ID), ip (targets are specified by IP address), lambda (target is specified by ARN), or alb (target is specified by ARN). Note that you can’t specify targets for a target group using more than one type. Target types lambda and alb only accept one target. When more than one target is specified, only the first one is used. All additional targets are ignored. If the target type is ip, specify IP addresses from the subnets of the virtual private cloud (VPC) for the target group, the RFC 1918 range (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), and the RFC 6598 range (100.64.0.0/10). You can’t specify publicly routable IP addresses.

The default behavior is instance.

Choices:

  • "instance"

  • "ip"

  • "lambda"

  • "alb"

targets

list / elements=dictionary

A list of targets to assign to the target group. This parameter defaults to an empty list. Unless you set the ‘modify_targets’ parameter then all existing targets will be removed from the group. The list should be an Id and a Port parameter. See the Examples for detail.

unhealthy_threshold_count

integer

The number of consecutive health check failures required before considering a target unhealthy.

validate_certs

boolean

When set to false, SSL certificates will not be validated for communication with the AWS APIs.

Setting validate_certs=false is strongly discouraged, as an alternative, consider setting aws_ca_bundle instead.

Choices:

  • false

  • true ← (default)

vpc_id

string

The identifier of the virtual private cloud (VPC).

Required when state is present and target_type is instance, ip, or alb.

wait

boolean

Whether or not to wait for the target group.

Choices:

  • false ← (default)

  • true

wait_timeout

integer

The time to wait for the target group.

Default: 200

Notes

Note

  • Once a target group has been created, only its health check can then be modified using subsequent calls

  • Caution: Environment variables and configuration files are read from the Ansible ‘host’ context and not the ‘controller’ context. Files may need to be explicitly copied to the ‘host’.

  • The AWS SDK (boto3) that Ansible uses may also read defaults for credentials and other settings, such as the region, from its configuration files in the Ansible ‘host’ context (typically ~/.aws/credentials). See https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html for more information.

Examples

# Note: These examples do not set authentication details, see the AWS Guide for details.

- name: Create a target group with a default health check
  community.aws.elb_target_group:
    name: mytargetgroup
    protocol: http
    port: 80
    vpc_id: vpc-01234567
    state: present

- name: Modify the target group with a custom health check
  community.aws.elb_target_group:
    name: mytargetgroup
    protocol: http
    port: 80
    vpc_id: vpc-01234567
    health_check_protocol: http
    health_check_path: /health_check
    health_check_port: 80
    successful_response_codes: 200
    health_check_interval: 15
    health_check_timeout: 3
    healthy_threshold_count: 4
    unhealthy_threshold_count: 3
    state: present

- name: Delete a target group
  community.aws.elb_target_group:
    name: mytargetgroup
    state: absent

- name: Create a target group with instance targets
  community.aws.elb_target_group:
    name: mytargetgroup
    protocol: http
    port: 81
    vpc_id: vpc-01234567
    health_check_protocol: http
    health_check_path: /
    successful_response_codes: "200,250-260"
    targets:
      - Id: i-01234567
        Port: 80
      - Id: i-98765432
        Port: 80
    state: present
    wait_timeout: 200
    wait: True

- name: Create a target group with IP address targets
  community.aws.elb_target_group:
    name: mytargetgroup
    protocol: http
    port: 81
    vpc_id: vpc-01234567
    health_check_protocol: http
    health_check_path: /
    successful_response_codes: "200,250-260"
    target_type: ip
    targets:
      - Id: 10.0.0.10
        Port: 80
        AvailabilityZone: all
      - Id: 10.0.0.20
        Port: 80
    state: present
    wait_timeout: 200
    wait: True

# Using lambda as targets require that the target group
# itself is allow to invoke the lambda function.
# therefore you need first to create an empty target group
# to receive its arn, second, allow the target group
# to invoke the lambda function and third, add the target
# to the target group
- name: first, create empty target group
  community.aws.elb_target_group:
    name: my-lambda-targetgroup
    target_type: lambda
    state: present
    modify_targets: False
  register: out

- name: second, allow invoke of the lambda
  community.aws.lambda_policy:
    state: "{{ state | default('present') }}"
    function_name: my-lambda-function
    statement_id: someID
    action: lambda:InvokeFunction
    principal: elasticloadbalancing.amazonaws.com
    source_arn: "{{ out.target_group_arn }}"

- name: third, add target
  community.aws.elb_target_group:
    name: my-lambda-targetgroup
    target_type: lambda
    state: present
    targets:
        - Id: arn:aws:lambda:eu-central-1:123456789012:function:my-lambda-function

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

deregistration_connection_termination

boolean

Indicates whether the load balancer terminates connections at the end of the deregistration timeout.

Returned: when state present

Sample: true

deregistration_delay_timeout_seconds

integer

The amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused.

Returned: when state present

Sample: 300

health_check_interval_seconds

integer

The approximate amount of time, in seconds, between health checks of an individual target.

Returned: when state present

Sample: 30

health_check_path

string

The destination for the health check request.

Returned: when state present

Sample: "/index.html"

health_check_port

string

The port to use to connect with the target.

Returned: when state present

Sample: "traffic-port"

health_check_protocol

string

The protocol to use to connect with the target.

Returned: when state present

Sample: "HTTP"

health_check_timeout_seconds

integer

The amount of time, in seconds, during which no response means a failed health check.

Returned: when state present

Sample: 5

healthy_threshold_count

integer

The number of consecutive health checks successes required before considering an unhealthy target healthy.

Returned: when state present

Sample: 5

load_balancer_arns

list / elements=string

The Amazon Resource Names (ARN) of the load balancers that route traffic to this target group.

Returned: when state present

Sample: []

load_balancing_algorithm_type

string

added in community.aws 3.2.0

The type load balancing algorithm used.

Returned: when state present

Sample: "least_outstanding_requests"

matcher

dictionary

The HTTP codes to use when checking for a successful response from a target.

Returned: when state present

Sample: {"http_code": "200"}

port

integer

The port on which the targets are listening.

Returned: when state present

Sample: 80

protocol

string

The protocol to use for routing traffic to the targets.

Returned: when state present

Sample: "HTTP"

stickiness_enabled

boolean

Indicates whether sticky sessions are enabled.

Returned: when state present

Sample: true

integer

The time period, in seconds, during which requests from a client should be routed to the same target.

Returned: when state present

Sample: 86400

stickiness_type

string

The type of sticky sessions.

Returned: when state present

Sample: "lb_cookie"

tags

dictionary

The tags attached to the target group.

Returned: when state present

Sample: {"Tag": "Example"}

target_group_arn

string

The Amazon Resource Name (ARN) of the target group.

Returned: when state present

Sample: "arn:aws:elasticloadbalancing:ap-southeast-2:123456789012:targetgroup/mytargetgroup/aabbccddee0044332211"

target_group_name

string

The name of the target group.

Returned: when state present

Sample: "mytargetgroup"

unhealthy_threshold_count

integer

The number of consecutive health check failures required before considering the target unhealthy.

Returned: when state present

Sample: 2

vpc_id

string

The ID of the VPC for the targets.

Returned: when state present

Sample: "vpc-0123456"

Authors

  • Rob White (@wimnat)