fix: Update XFF value to follow API defaults

README.md

@@ -394,7 +394,7 @@ No modules.
 | <a name="input_enable_http2"></a> [enable\_http2](#input\_enable\_http2) | Indicates whether HTTP/2 is enabled in application load balancers. Defaults to `true` | `bool` | `null` | no |
 | <a name="input_enable_tls_version_and_cipher_suite_headers"></a> [enable\_tls\_version\_and\_cipher\_suite\_headers](#input\_enable\_tls\_version\_and\_cipher\_suite\_headers) | Indicates whether the two headers (`x-amzn-tls-version` and `x-amzn-tls-cipher-suite`), which contain information about the negotiated TLS version and cipher suite, are added to the client request before sending it to the target. Only valid for Load Balancers of type `application`. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_enable_waf_fail_open"></a> [enable\_waf\_fail\_open](#input\_enable\_waf\_fail\_open) | Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to `false` | `bool` | `null` | no |
-| <a name="input_enable_xff_client_port"></a> [enable\_xff\_client\_port](#input\_enable\_xff\_client\_port) | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `true` | `bool` | `true` | no |
+| <a name="input_enable_xff_client_port"></a> [enable\_xff\_client\_port](#input\_enable\_xff\_client\_port) | Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type `application`. Default: `60` | `number` | `null` | no |
 | <a name="input_internal"></a> [internal](#input\_internal) | If true, the LB will be internal. Defaults to `false` | `bool` | `null` | no |
 | <a name="input_ip_address_type"></a> [ip\_address\_type](#input\_ip\_address\_type) | The type of IP addresses used by the subnets for your load balancer. The possible values are `ipv4` and `dualstack` | `string` | `null` | no |

main.tf

@@ -2,6 +2,7 @@ data "aws_partition" "current" {}
 
 locals {
   create = var.create && var.putin_khuylo
+  tags   = merge(var.tags, { terraform-aws-modules = "alb" })
 }
 
 ################################################################################
@@ -51,7 +52,7 @@ resource "aws_lb" "this" {
   }
 
   subnets                    = var.subnets
-  tags                       = var.tags
+  tags                       = local.tags
   xff_header_processing_mode = var.xff_header_processing_mode
 
   timeouts {
@@ -191,7 +192,7 @@ resource "aws_lb_listener" "this" {
   port              = try(each.value.port, var.default_port)
   protocol          = try(each.value.protocol, var.default_protocol)
   ssl_policy        = contains(["HTTPS", "TLS"], try(each.value.protocol, var.default_protocol)) ? try(each.value.ssl_policy, "ELBSecurityPolicy-TLS13-1-2-Res-2021-06") : try(each.value.ssl_policy, null)
-  tags              = merge(var.tags, try(each.value.tags, {}))
+  tags              = merge(local.tags, try(each.value.tags, {}))
 }
 
 ################################################################################
@@ -388,7 +389,7 @@ resource "aws_lb_listener_rule" "this" {
     }
   }
 
-  tags = merge(var.tags, try(each.value.tags, {}))
+  tags = merge(local.tags, try(each.value.tags, {}))
 }
 
 ################################################################################
@@ -484,7 +485,7 @@ resource "aws_lb_target_group" "this" {
   target_type = try(each.value.target_type, null)
   vpc_id      = try(each.value.vpc_id, var.vpc_id)
 
-  tags = merge(var.tags, try(each.value.tags, {}))
+  tags = merge(local.tags, try(each.value.tags, {}))
 
   lifecycle {
     create_before_destroy = true
@@ -554,7 +555,7 @@ resource "aws_security_group" "this" {
   description = coalesce(var.security_group_description, "Security group for ${local.security_group_name} ${var.load_balancer_type} load balancer")
   vpc_id      = var.vpc_id
 
-  tags = merge(var.tags, var.security_group_tags)
+  tags = merge(local.tags, var.security_group_tags)
 
   lifecycle {
     create_before_destroy = true
@@ -577,7 +578,7 @@ resource "aws_vpc_security_group_egress_rule" "this" {
   referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null)
   to_port                      = try(each.value.to_port, null)
 
-  tags = merge(var.tags, var.security_group_tags, try(each.value.tags, {}))
+  tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {}))
 }
 
 resource "aws_vpc_security_group_ingress_rule" "this" {
@@ -596,7 +597,7 @@ resource "aws_vpc_security_group_ingress_rule" "this" {
   referenced_security_group_id = lookup(each.value, "referenced_security_group_id", null)
   to_port                      = try(each.value.to_port, null)
 
-  tags = merge(var.tags, var.security_group_tags, try(each.value.tags, {}))
+  tags = merge(local.tags, var.security_group_tags, try(each.value.tags, {}))
 }
 
 ################################################################################

variables.tf

@@ -69,9 +69,9 @@ variable "enable_waf_fail_open" {
 }
 
 variable "enable_xff_client_port" {
-  description = "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `true`"
+  description = "Indicates whether the X-Forwarded-For header should preserve the source port that the client used to connect to the load balancer in `application` load balancers. Defaults to `false`"
   type        = bool
-  default     = true
+  default     = null
 }
 
 variable "idle_timeout" {

wrappers/main.tf

@@ -17,7 +17,7 @@ module "wrapper" {
   enable_http2                                = try(each.value.enable_http2, var.defaults.enable_http2, null)
   enable_tls_version_and_cipher_suite_headers = try(each.value.enable_tls_version_and_cipher_suite_headers, var.defaults.enable_tls_version_and_cipher_suite_headers, null)
   enable_waf_fail_open                        = try(each.value.enable_waf_fail_open, var.defaults.enable_waf_fail_open, null)
-  enable_xff_client_port                      = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, true)
+  enable_xff_client_port                      = try(each.value.enable_xff_client_port, var.defaults.enable_xff_client_port, null)
   idle_timeout                                = try(each.value.idle_timeout, var.defaults.idle_timeout, null)
   internal                                    = try(each.value.internal, var.defaults.internal, null)
   ip_address_type                             = try(each.value.ip_address_type, var.defaults.ip_address_type, null)