Skip to content

STACKITLB-798 | add ALB TF provider #1198

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
david-mey-STACKIT wants to merge 4 commits into
base: main
Choose a base branch
from
Open

STACKITLB-798 | add ALB TF provider #1198

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
0cac777
STACKITLB-798 | add ALB TF provider
david-mey-STACKIT Jan 5, 2026
ac05133
apply PR suggestions: https://github.com/stackitcloud/terraform-provi…
david-mey-STACKIT Feb 9, 2026
0f6a8b4
Merge remote-tracking branch 'upstream/main'
david-mey-STACKIT Feb 10, 2026
eab55b8
apply PR suggestions
david-mey-STACKIT Feb 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
276 changes: 276 additions & 0 deletions docs/data-sources/application_load_balancer.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,276 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "stackit_application_load_balancer Data Source - stackit"
subcategory: ""
description: |-
Application Load Balancer data source schema. Must have a region specified in the provider configuration.
---

# stackit_application_load_balancer (Data Source)

Application Load Balancer data source schema. Must have a region specified in the provider configuration.

## Example Usage

```terraform
data "stackit_application_load_balancer" "example" {
project_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
name = "example-load-balancer"
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) Application Load balancer name.
- `project_id` (String) STACKIT project ID to which the Application Load Balancer is associated.

### Read-Only

- `disable_target_security_group_assignment` (Boolean) Disable target security group assignemt to allow targets outside of the given network. Connectivity to targets need to be ensured by the customer, including routing and Security Groups (targetSecurityGroup can be assigned). Not changeable after creation.
- `errors` (Attributes Set) Reports all errors a Application Load Balancer has. (see [below for nested schema](#nestedatt--errors))
Copy link
Contributor

@marceljk marceljk Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the errors really needed in terraform? For the network load balancer we also don't pass the errors

Copy link
Author

@david-mey-STACKIT david-mey-STACKIT Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think yes. We do have things that we cannot test/check during creation/update calls in the API. Partly due to OpenStack being too slow and partly because some things can only be checked in the real network of the ALB VM. So, people should have this information in order to know that something is not working as expected and maybe have alerts or automated fixes for their setup.

- `external_address` (String) The external IP address where this Application Load Balancer is exposed. Not changeable after creation.
- `id` (String) Terraform's internal resource ID. It is structured as `project_id`,`region`,`name`.
- `labels` (Map of String) Labels represent user-defined metadata as key-value pairs. Label count cannot exceed 64 per ALB.
- `listeners` (Attributes List) List of all listeners which will accept traffic. Limited to 20. (see [below for nested schema](#nestedatt--listeners))
- `load_balancer_security_group` (Attributes) Security Group permitting network traffic from the LoadBalancer to the targets. Useful when disableTargetSecurityGroupAssignment=true to manually assign target security groups to targets. (see [below for nested schema](#nestedatt--load_balancer_security_group))
- `networks` (Attributes Set) List of networks that listeners and targets reside in. (see [below for nested schema](#nestedatt--networks))
- `options` (Attributes) Defines any optional functionality you want to have enabled on your Application Load Balancer. (see [below for nested schema](#nestedatt--options))
- `plan_id` (String) Service Plan configures the size of the Application Load Balancer.
- `private_address` (String)
- `region` (String) The resource region. If not defined, the provider region is used.
- `target_pools` (Attributes List) List of all target pools which will be used in the Application Load Balancer. Limited to 20. (see [below for nested schema](#nestedatt--target_pools))
- `target_security_group` (Attributes) Security Group that allows the targets to receive traffic from the LoadBalancer. Useful when disableTargetSecurityGroupAssignment=true to manually assign target security groups to targets. (see [below for nested schema](#nestedatt--target_security_group))
- `version` (String) Application Load Balancer resource version. Used for concurrency safe updates.

<a id="nestedatt--errors"></a>
### Nested Schema for `errors`

Read-Only:

- `description` (String) The error description contains additional helpful user information to fix the error state of the Application Load Balancer. For example the IP 45.135.247.139 does not exist in the project, then the description will report: Floating IP "45.135.247.139" could not be found.
- `type` (String) Enum: "TYPE_UNSPECIFIED" "TYPE_INTERNAL" "TYPE_QUOTA_SECGROUP_EXCEEDED" "TYPE_QUOTA_SECGROUPRULE_EXCEEDED" "TYPE_PORT_NOT_CONFIGURED" "TYPE_FIP_NOT_CONFIGURED" "TYPE_TARGET_NOT_ACTIVE" "TYPE_METRICS_MISCONFIGURED" "TYPE_LOGS_MISCONFIGURED"
The error type specifies which part of the Application Load Balancer encountered the error. I.e. the API will not check if a provided public IP is actually available in the project. Instead the Application Load Balancer with try to use the provided IP and if not available reports TYPE_FIP_NOT_CONFIGURED error.


<a id="nestedatt--listeners"></a>
### Nested Schema for `listeners`

Read-Only:

- `http` (Attributes) Configuration for HTTP traffic. (see [below for nested schema](#nestedatt--listeners--http))
- `https` (Attributes) Configuration for handling HTTPS traffic on this listener. (see [below for nested schema](#nestedatt--listeners--https))
- `name` (String) Unique name for the listener
- `port` (Number) Port number on which the listener receives incoming traffic.
- `protocol` (String) Protocol is the highest network protocol we understand to load balance. Possible values are: `PROTOCOL_UNSPECIFIED`, `PROTOCOL_HTTP`, `PROTOCOL_HTTPS`.
- `waf_config_name` (String) Enable Web Application Firewall (WAF), referenced by name. See "Application Load Balancer - Web Application Firewall API" for more information.

<a id="nestedatt--listeners--http"></a>
### Nested Schema for `listeners.http`

Read-Only:

- `hosts` (Attributes List) Defines routing rules grouped by hostname. (see [below for nested schema](#nestedatt--listeners--http--hosts))

<a id="nestedatt--listeners--http--hosts"></a>
### Nested Schema for `listeners.http.hosts`

Read-Only:

- `host` (String) Hostname to match. Supports wildcards (e.g. *.example.com).
- `rules` (Attributes List) Routing rules under the specified host, matched by path prefix. (see [below for nested schema](#nestedatt--listeners--http--hosts--rules))

<a id="nestedatt--listeners--http--hosts--rules"></a>
### Nested Schema for `listeners.http.hosts.rules`

Read-Only:

- `cookie_persistence` (Attributes) Routing persistence via cookies. (see [below for nested schema](#nestedatt--listeners--http--hosts--rules--cookie_persistence))
- `headers` (Attributes Set) Headers for the rule. (see [below for nested schema](#nestedatt--listeners--http--hosts--rules--headers))
- `path` (Attributes) Routing via path. (see [below for nested schema](#nestedatt--listeners--http--hosts--rules--path))
- `query_parameters` (Attributes Set) Query parameters for the rule. (see [below for nested schema](#nestedatt--listeners--http--hosts--rules--query_parameters))
- `target_pool` (String) Reference target pool by target pool name.
- `web_socket` (Boolean) If enabled, when client sends an HTTP request with and Upgrade header, indicating the desire to establish a Websocket connection, if backend server supports WebSocket, it responds with HTTP 101 status code, switching protocols from HTTP to WebSocket. Hence the client and the server can exchange data in real-time using one long-lived TCP connection.

<a id="nestedatt--listeners--http--hosts--rules--cookie_persistence"></a>
### Nested Schema for `listeners.http.hosts.rules.cookie_persistence`

Read-Only:

- `name` (String) The name of the cookie to use.
- `ttl` (String) TTL specifies the time-to-live for the cookie. The default value is 0s, and it acts as a session cookie, expiring when the client session ends.


<a id="nestedatt--listeners--http--hosts--rules--headers"></a>
### Nested Schema for `listeners.http.hosts.rules.headers`

Read-Only:

- `exact_match` (String) Exact match for the header value.
- `name` (String) Header name.


<a id="nestedatt--listeners--http--hosts--rules--path"></a>
### Nested Schema for `listeners.http.hosts.rules.path`

Read-Only:

- `exact_match` (String) Exact path match. Only a request path exactly equal to the value will match, e.g. '/foo' matches only '/foo', not '/foo/bar' or '/foobar'.
- `prefix` (String) Prefix path match. Only matches on full segment boundaries, e.g. '/foo' matches '/foo' and '/foo/bar' but NOT '/foobar'.


<a id="nestedatt--listeners--http--hosts--rules--query_parameters"></a>
### Nested Schema for `listeners.http.hosts.rules.query_parameters`

Read-Only:

- `exact_match` (String) Exact match for the query parameters value.
- `name` (String) Query parameter name.





<a id="nestedatt--listeners--https"></a>
### Nested Schema for `listeners.https`

Read-Only:

- `certificate_config` (Attributes) TLS termination certificate configuration. (see [below for nested schema](#nestedatt--listeners--https--certificate_config))

<a id="nestedatt--listeners--https--certificate_config"></a>
### Nested Schema for `listeners.https.certificate_config`

Read-Only:

- `certificate_ids` (Set of String) Certificate IDs for TLS termination.




<a id="nestedatt--load_balancer_security_group"></a>
### Nested Schema for `load_balancer_security_group`

Read-Only:

- `id` (String) ID of the security Group
- `name` (String) Name of the security Group


<a id="nestedatt--networks"></a>
### Nested Schema for `networks`

Read-Only:

- `network_id` (String) STACKIT network ID the Application Load Balancer and/or targets are in.
- `role` (String) The role defines how the Application Load Balancer is using the network. Possible values are: `ROLE_UNSPECIFIED`, `ROLE_LISTENERS_AND_TARGETS`, `ROLE_LISTENERS`, `ROLE_TARGETS`.


<a id="nestedatt--options"></a>
### Nested Schema for `options`

Read-Only:

- `access_control` (Attributes) Use this option to limit the IP ranges that can use the Application Load Balancer. (see [below for nested schema](#nestedatt--options--access_control))
- `ephemeral_address` (Boolean) This option automates the handling of the external IP address for an Application Load Balancer. If set to true a new IP address will be automatically created. It will also be automatically deleted when the Load Balancer is deleted.
- `observability` (Attributes) We offer Load Balancer observability via STACKIT Observability or external solutions. (see [below for nested schema](#nestedatt--options--observability))
- `private_network_only` (Boolean) Application Load Balancer is accessible only via a private network ip address. Not changeable after creation.

<a id="nestedatt--options--access_control"></a>
### Nested Schema for `options.access_control`

Read-Only:

- `allowed_source_ranges` (Set of String) Application Load Balancer is accessible only from an IP address in this range.


<a id="nestedatt--options--observability"></a>
### Nested Schema for `options.observability`

Read-Only:

- `logs` (Attributes) Observability logs configuration. (see [below for nested schema](#nestedatt--options--observability--logs))
- `metrics` (Attributes) Observability metrics configuration. (see [below for nested schema](#nestedatt--options--observability--metrics))

<a id="nestedatt--options--observability--logs"></a>
### Nested Schema for `options.observability.logs`

Read-Only:

- `credentials_ref` (String) Credentials reference for logging. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the logging solution the push URL points to. Then this enables monitoring via remote write for the Application Load Balancer.
- `push_url` (String) Credentials reference for logging. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the logging solution the push URL points to. Then this enables monitoring via remote write for the Application Load Balancer.


<a id="nestedatt--options--observability--metrics"></a>
### Nested Schema for `options.observability.metrics`

Read-Only:

- `credentials_ref` (String) Credentials reference for metrics. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the metrics solution the push URL points to. Then this enables monitoring via remote write for the Application Load Balancer.
- `push_url` (String) Credentials reference for metrics. This reference is created via the observability create endpoint and the credential needs to contain the basic auth username and password for the metrics solution the push URL points to. Then this enables monitoring via remote write for the Application Load Balancer.




<a id="nestedatt--target_pools"></a>
### Nested Schema for `target_pools`

Read-Only:

- `active_health_check` (Attributes) (see [below for nested schema](#nestedatt--target_pools--active_health_check))
- `name` (String) Target pool name.
- `target_port` (Number) The number identifying the port where each target listens for traffic.
- `targets` (Attributes Set) List of all targets which will be used in the pool. Limited to 250. (see [below for nested schema](#nestedatt--target_pools--targets))
- `tls_config` (Attributes) Configuration for TLS bridging. (see [below for nested schema](#nestedatt--target_pools--tls_config))

<a id="nestedatt--target_pools--active_health_check"></a>
### Nested Schema for `target_pools.active_health_check`

Read-Only:

- `healthy_threshold` (Number) Healthy threshold of the health checking.
- `http_health_checks` (Attributes) Options for the HTTP health checking. (see [below for nested schema](#nestedatt--target_pools--active_health_check--http_health_checks))
- `interval` (String) Interval duration of health checking in seconds.
- `interval_jitter` (String) Interval duration threshold of the health checking in seconds.
- `timeout` (String) Active health checking timeout duration in seconds.
- `unhealthy_threshold` (Number) Unhealthy threshold of the health checking.

<a id="nestedatt--target_pools--active_health_check--http_health_checks"></a>
### Nested Schema for `target_pools.active_health_check.http_health_checks`

Read-Only:

- `ok_status` (Set of String) List of HTTP status codes that indicate a healthy response.
- `path` (String) Path to send the health check request to.



<a id="nestedatt--target_pools--targets"></a>
### Nested Schema for `target_pools.targets`

Read-Only:

- `display_name` (String) Target display name
- `ip` (String) Private target IP, which must by unique within a target pool.


<a id="nestedatt--target_pools--tls_config"></a>
### Nested Schema for `target_pools.tls_config`

Read-Only:

- `custom_ca` (String) Specifies a custom Certificate Authority (CA). When provided, the target pool will trust certificates signed by this CA, in addition to any system-trusted CAs. This is useful for scenarios where the target pool needs to communicate with servers using self-signed or internally-issued certificates. Enabled needs to be set to true and skip validation to false for this option.
- `enabled` (Boolean) Enable TLS (Transport Layer Security) bridging for the connection between Application Load Balancer and targets in this pool. When enabled, public CAs are trusted. Can be used in tandem with the options either custom CA or skip validation or alone.
- `skip_certificate_validation` (Boolean) Bypass certificate validation for TLS bridging in this target pool. This option is insecure and can only be used with public CAs by setting enabled true. Meant to be used for testing purposes only!



<a id="nestedatt--target_security_group"></a>
### Nested Schema for `target_security_group`

Read-Only:

- `id` (String) ID of the security Group
- `name` (String) Name of the security Group
1 change: 1 addition & 0 deletions docs/index.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -153,6 +153,7 @@ Note: AWS specific checks must be skipped as they do not work on STACKIT. For de

### Optional

- `alb_custom_endpoint` (String) Custom endpoint for the Application Load Balancer service
- `authorization_custom_endpoint` (String) Custom endpoint for the Membership service
- `cdn_custom_endpoint` (String) Custom endpoint for the CDN service
- `credentials_path` (String) Path of JSON from where the credentials are read. Takes precedence over the env var `STACKIT_CREDENTIALS_PATH`. Default value is `~/.stackit/credentials.json`.
Expand Down
Loading