
Resource: awsShieldProtectionHealthCheckAssociation

Creates an association between a Route53 Health Check and a Shield Advanced protected resource. This association uses the health of your applications to improve responsiveness and accuracy in attack detection and mitigation.

Blog post: AWS Shield Advanced now supports Health Based Detection

Example Usage

Create an association between a protected EIP and a Route53 Health Check

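/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.
The snippet belongs inside a construct (for example a TerraformStack
constructor), where `this` is the scope.*/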
import * as aws from "./.gen/providers/aws";
const awsEipExample = new aws.eip.Eip(this, "example", {
  tags: {
    Name: "example",
  },
  vpc: true,
});
const awsRoute53HealthCheckExample =
  new aws.route53HealthCheck.Route53HealthCheck(this, "example_1", {
    failureThreshold: 3,
    ipAddress: awsEipExample.publicIp,
    port: 80,
    requestInterval: 30,
    resourcePath: "/ready",
    tags: {
      Name: "tf-example-health-check",
    },
    type: "HTTP",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsRoute53HealthCheckExample.overrideLogicalId("example");
const dataAwsCallerIdentityCurrent =
  new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const dataAwsPartitionCurrent = new aws.dataAwsPartition.DataAwsPartition(
  this,
  "current_3",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsPartitionCurrent.overrideLogicalId("current");
const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
  this,
  "current_4",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsRegionCurrent.overrideLogicalId("current");
const awsShieldProtectionExample = new aws.shieldProtection.ShieldProtection(
  this,
  "example_5",
  {
    name: "example-protection",
    resourceArn: `arn:${dataAwsPartitionCurrent.partition}:ec2:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:eip-allocation/${awsEipExample.id}`,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionExample.overrideLogicalId("example");
const awsShieldProtectionHealthCheckAssociationExample =
  new aws.shieldProtectionHealthCheckAssociation.ShieldProtectionHealthCheckAssociation(
    this,
    "example_6",
    {
      healthCheckArn: awsRoute53HealthCheckExample.arn,
      shieldProtectionId: awsShieldProtectionExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionHealthCheckAssociationExample.overrideLogicalId("example");
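
An added example, not part of the provider documentation: a check over the `configuration` section of `terraform show -json` output that lists `aws_shield_protection` resources with no health check association referencing them, so protections that lack health-based detection show up in review. The function names and the sample plan are constructed for illustration; references passed between modules through variables are not followed.

```typescript
// Added example. The types model only the fields read from the
// `configuration` section of `terraform show -json <planfile>`.
interface Expr { references?: string[] }
interface Res { address: string; type: string; expressions?: Record<string, Expr> }
interface Mod {
  resources?: Res[];
  module_calls?: Record<string, { module?: Mod }>;
}

// True when a reference such as "aws_shield_protection.a.id" or
// "aws_shield_protection.a[0].id" points at the given resource address.
function refersTo(ref: string, address: string): boolean {
  if (ref.slice(0, address.length) !== address) return false;
  const next = ref.charAt(address.length);
  return next === "" || next === "." || next === "[";
}

// Walk a module tree and return the addresses of aws_shield_protection
// resources that no association in the same module references.
function unassociatedProtections(mod: Mod, path: string = ""): string[] {
  const resources = mod.resources ?? [];
  const refs: string[] = [];
  for (const r of resources) {
    if (r.type !== "aws_shield_protection_health_check_association") continue;
    refs.push(...(r.expressions?.["shield_protection_id"]?.references ?? []));
  }
  const found = resources
    .filter((r) => r.type === "aws_shield_protection")
    .filter((r) => !refs.some((ref) => refersTo(ref, r.address)))
    .map((r) => path + r.address);
  const calls = mod.module_calls ?? {};
  for (const name of Object.keys(calls)) {
    found.push(...unassociatedProtections(calls[name]?.module ?? {}, `${path}module.${name}.`));
  }
  return found;
}

// Constructed sample: "example" has an association; "api" and the
// protection inside module "edge" do not.
const sampleRoot: Mod = {
  resources: [
    { address: "aws_shield_protection.example", type: "aws_shield_protection" },
    { address: "aws_shield_protection.api", type: "aws_shield_protection" },
    { address: "aws_shield_protection_health_check_association.example",
      type: "aws_shield_protection_health_check_association",
      expressions: { shield_protection_id: {
        references: ["aws_shield_protection.example.id", "aws_shield_protection.example"] } } },
  ],
  module_calls: { edge: { module: { resources: [
    { address: "aws_shield_protection.lb", type: "aws_shield_protection" } ] } } },
};
```

Calling `unassociatedProtections(sampleRoot)` returns the two uncovered addresses, `aws_shield_protection.api` and `module.edge.aws_shield_protection.lb`.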

Argument Reference

The following arguments are supported:

  • healthCheckArn - (Required) The ARN (Amazon Resource Name) of the Route53 Health Check resource which will be associated with the protected resource.
  • shieldProtectionId - (Required) The ID of the protected resource.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The unique identifier (ID) for the Protection object that is created.

Import

Shield protection health check association resources can be imported by specifying the shieldProtectionId and healthCheckArn joined by a "+", e.g.,

$ terraform import aws_shield_protection_health_check_association.example ff9592dc-22f3-4e88-afa1-7b29fde9669a+arn:aws:route53:::healthcheck/3742b175-edb9-46bc-9359-f53e3b794b1b