From 675bf70579159a74a73827d9b4032c6c61d670cd Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Wed, 6 Nov 2024 17:25:13 -0500 Subject: [PATCH 01/17] certificates can only be defined once in resource "ssl_certificates" and "certificate_manager_certificates" are mutually exclusive. --- modules/net-lb-app-ext-regional/main.tf | 4 ++-- modules/net-lb-app-ext/main.tf | 4 ++-- modules/net-lb-app-int-cross-region/main.tf | 7 ++++++- modules/net-lb-app-int-cross-region/variables.tf | 13 +++++++++++++ modules/net-lb-app-int/main.tf | 2 +- 5 files changed, 24 insertions(+), 6 deletions(-) diff --git a/modules/net-lb-app-ext-regional/main.tf b/modules/net-lb-app-ext-regional/main.tf index edd486c178..b26884e58d 100644 --- a/modules/net-lb-app-ext-regional/main.tf +++ b/modules/net-lb-app-ext-regional/main.tf @@ -79,8 +79,8 @@ resource "google_compute_region_target_https_proxy" "default" { name = var.name region = var.region description = var.description - certificate_manager_certificates = var.https_proxy_config.certificate_manager_certificates - ssl_certificates = local.proxy_ssl_certificates + certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id } diff --git a/modules/net-lb-app-ext/main.tf b/modules/net-lb-app-ext/main.tf index f2680d9886..fc424d3d8d 100644 --- a/modules/net-lb-app-ext/main.tf +++ b/modules/net-lb-app-ext/main.tf 
@@ -81,9 +81,9 @@ resource "google_compute_target_https_proxy" "default" { name = var.name description = var.description certificate_map = var.https_proxy_config.certificate_map - certificate_manager_certificates = var.https_proxy_config.certificate_manager_certificates + certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null quic_override = var.https_proxy_config.quic_override - ssl_certificates = local.proxy_ssl_certificates + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id server_tls_policy = var.https_proxy_config.mtls_policy diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index a46e018297..8204ef808c 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -53,6 +53,10 @@ locals { for k, v in var.neg_configs : k => v if v.psc != null } + proxy_ssl_certificates = concat( + coalesce(var.ssl_certificates.certificate_ids, []), + [for k, v in google_compute_region_ssl_certificate.default : v.id] + ) } resource "google_compute_global_forwarding_rule" "forwarding_rules" { @@ -92,7 +96,8 @@ resource "google_compute_target_https_proxy" "default" { project = var.project_id name = var.name description = var.description - certificate_manager_certificates = var.https_proxy_config.certificate_manager_certificates + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null quic_override = var.https_proxy_config.quic_override ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id 
diff --git a/modules/net-lb-app-int-cross-region/variables.tf b/modules/net-lb-app-int-cross-region/variables.tf index b707057a0f..fd3b5e3110 100644 --- a/modules/net-lb-app-int-cross-region/variables.tf +++ b/modules/net-lb-app-int-cross-region/variables.tf @@ -159,6 +159,19 @@ variable "service_directory_registration" { default = null } +variable "ssl_certificates" { + description = "SSL target proxy certificates (only if protocol is HTTPS)." + type = object({ + certificate_ids = optional(list(string), []) + create_configs = optional(map(object({ + certificate = string + private_key = string + })), {}) + }) + default = {} + nullable = false +} + variable "vpc_config" { description = "VPC-level configuration." type = object({ diff --git a/modules/net-lb-app-int/main.tf b/modules/net-lb-app-int/main.tf index 92df8dfc70..0ec3be2f7c 100644 --- a/modules/net-lb-app-int/main.tf +++ b/modules/net-lb-app-int/main.tf @@ -120,7 +120,7 @@ resource "google_compute_region_target_https_proxy" "default" { ) ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id - certificate_manager_certificates = var.https_proxy_config.certificate_manager_certificates + certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null } resource "google_compute_service_attachment" "default" { From 2f5014044d40b5cc605c1622f1dea2d3de55323d Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Wed, 6 Nov 2024 18:01:06 -0500 Subject: [PATCH 02/17] ./tools/tfdoc.py modules/net-lb-app-int-cross-region --- modules/net-lb-app-int-cross-region/README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/net-lb-app-int-cross-region/README.md b/modules/net-lb-app-int-cross-region/README.md index 0904633010..a8d41cd8d3 100644 --- a/modules/net-lb-app-int-cross-region/README.md 
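Review bot: The new `ssl_certificates` variable accepts `private_key` as a plain string inside `create_configs`, and neither the declaration nor its description tells callers that the key material ends up in Terraform state. Marking the whole variable `sensitive = true` would likely conflict with its use as a `for_each` source later in this series, so the practical fix is documentation. The description could read `"SSL target proxy certificates (only if protocol is HTTPS). Private keys passed in create_configs are stored in Terraform state; restrict access to the state backend."`. Callers who cannot accept that can pass existing certificates through `certificate_ids`, which keeps key material out of this module's inputs.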
+++ b/modules/net-lb-app-int-cross-region/README.md @@ -752,7 +752,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app |---|---|:---:|:---:|:---:| | [name](variables.tf#L58) | Load balancer name. | string | ✓ | | | [project_id](variables.tf#L135) | Project id. | string | ✓ | | -| [vpc_config](variables.tf#L162) | VPC-level configuration. | object({…}) | ✓ | | +| [vpc_config](variables.tf#L175) | VPC-level configuration. | object({…}) | ✓ | | | [addresses](variables.tf#L17) | Optional IP address used for the forwarding rule. | map(string) | | null | | [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | | [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." | @@ -764,7 +764,8 @@ For deploying changes to load balancer configuration please refer to [net-lb-app | [ports](variables.tf#L129) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null | | [protocol](variables.tf#L140) | Protocol supported by this load balancer. | string | | "HTTP" | | [service_directory_registration](variables.tf#L153) | Service directory namespace and service used to register this load balancer. | object({…}) | | null | -| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} | +| [ssl_certificates](variables.tf#L162) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} | +| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} | ## Outputs From f0919705f8f27653b4e2aa00d93e6492d28efdc9 Mon Sep 17 00:00:00 2001 
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 21 Nov 2024 18:45:09 -0500 Subject: [PATCH 03/17] add missing "google_compute_ssl_certificate" resource --- modules/net-lb-app-int-cross-region/README.md | 61 +++++++++++++++++++ modules/net-lb-app-int-cross-region/main.tf | 15 ++++- 2 files changed, 75 insertions(+), 1 deletion(-) diff --git a/modules/net-lb-app-int-cross-region/README.md b/modules/net-lb-app-int-cross-region/README.md index a8d41cd8d3..7d412e06a0 100644 --- a/modules/net-lb-app-int-cross-region/README.md +++ b/modules/net-lb-app-int-cross-region/README.md 
@@ -556,6 +556,67 @@ module "ilb-l7" { # tftest modules=1 resources=7 ``` +### SSL Certificates + +Similarly to health checks, SSL certificates can also be created by the module. In this example we are using private key and certificate resources so that the example test only depends on Terraform providers, but in real use those can be replaced by external files. + +```hcl +resource "tls_private_key" "default" { + algorithm = "RSA" + rsa_bits = 4096 +} + +resource "tls_self_signed_cert" "default" { + private_key_pem = tls_private_key.default.private_key_pem + subject { + common_name = "example.com" + organization = "ACME Examples, Inc" + } + validity_period_hours = 720 + allowed_uses = [ + "key_encipherment", + "digital_signature", + "server_auth", + ] +} + +module "ilb-l7" { + source = "./fabric/modules/net-lb-app-int-cross-region" + name = "ilb-test" + project_id = var.project_id + + backend_service_configs = { + default = { + backends = [{ + group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig-ew1" + }, { + group = "projects/myprj/zones/europe-west4-a/instanceGroups/my-ig-ew4" + }] + health_checks = ["projects/myprj/global/healthChecks/custom"] + } + } + health_check_configs = {} + protocol = "HTTPS" + ssl_certificates = { + create_configs = { + default = { + # certificate and key could also be read via file() from external files + certificate = tls_self_signed_cert.default.cert_pem + private_key = tls_private_key.default.private_key_pem + } + } + } + vpc_config = { + network = var.vpc.self_link + subnetworks = { + europe-west1 = var.subnet1.self_link + europe-west4 = var.subnet2.self_link + } + } +} +# tftest modules=1 resources=8 +``` + ### Complex example This example mixes group and NEG backends, and shows how to set HTTPS for specific backends. diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index 8204ef808c..a9ef58f88d 100644 --- a/modules/net-lb-app-int-cross-region/main.tf 
+++ b/modules/net-lb-app-int-cross-region/main.tf @@ -55,7 +55,7 @@ locals { } proxy_ssl_certificates = concat( coalesce(var.ssl_certificates.certificate_ids, []), - [for k, v in google_compute_region_ssl_certificate.default : v.id] + [for k, v in google_compute_ssl_certificate.default : v.id] ) } @@ -83,6 +83,19 @@ resource "google_compute_global_forwarding_rule" "forwarding_rules" { } } +resource "google_compute_ssl_certificate" "default" { + for_each = var.ssl_certificates.create_configs + project = var.project_id + + name = "${var.name}-${each.key}" + certificate = each.value.certificate + private_key = each.value.private_key + + lifecycle { + create_before_destroy = true + } +} + resource "google_compute_target_http_proxy" "default" { count = var.protocol == "HTTPS" ? 0 : 1 project = var.project_id From 64ad4c607a58fc3ba18910a44beb038b05e9502e Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 21 Nov 2024 18:56:53 -0500 Subject: [PATCH 04/17] formatting --- modules/net-lb-app-int-cross-region/main.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index a9ef58f88d..f57867b4fc 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -84,9 +84,8 @@ resource "google_compute_global_forwarding_rule" "forwarding_rules" { } resource "google_compute_ssl_certificate" "default" { - for_each = var.ssl_certificates.create_configs - project = var.project_id - + for_each = var.ssl_certificates.create_configs + project = var.project_id name = "${var.name}-${each.key}" certificate = each.value.certificate private_key = each.value.private_key From 2cb03b75b47830fa212aa3cad97c38f3e000d1af Mon Sep 17 00:00:00 2001 
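Review bot: The added `google_compute_ssl_certificate.default` combines a fixed `name = "${var.name}-${each.key}"` with `create_before_destroy = true`. These certificate resources are normally immutable, so a changed `certificate` or `private_key` presumably forces a replacement, and the replacement would be created under a name that still exists; the apply is then likely to fail and rotation is blocked. Replacing `name` with `name_prefix = "${var.name}-${each.key}-"` lets the provider generate a unique name for each replacement. The formatting commit that follows touches the same resource and leaves this unchanged.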
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 21 Nov 2024 19:51:40 -0500 Subject: [PATCH 05/17] use try() on var.https_proxy_config.certificate_manager_certificates --- modules/net-lb-app-ext-regional/main.tf | 3 ++- modules/net-lb-app-ext/main.tf | 3 ++- modules/net-lb-app-int-cross-region/main.tf | 3 ++- modules/net-lb-app-int/main.tf | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/net-lb-app-ext-regional/main.tf b/modules/net-lb-app-ext-regional/main.tf index b26884e58d..f45577574e 100644 --- a/modules/net-lb-app-ext-regional/main.tf +++ b/modules/net-lb-app-ext-regional/main.tf @@ -27,6 +27,7 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_region_ssl_certificate.default : v.id], ) + certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_forwarding_rule" "default" { @@ -79,7 +80,7 @@ resource "google_compute_region_target_https_proxy" "default" { name = var.name region = var.region description = var.description - certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null + certificate_manager_certificates = local.certificate_manager_certs ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id diff --git a/modules/net-lb-app-ext/main.tf b/modules/net-lb-app-ext/main.tf index fc424d3d8d..dcd482be76 100644 --- a/modules/net-lb-app-ext/main.tf +++ b/modules/net-lb-app-ext/main.tf 
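Review bot: `try(var.https_proxy_config.certificate_manager_certificates, null)` in the new `certificate_manager_certs` local falls back to `null` only when evaluating the reference raises an error, so an empty list passes through as `[]`. The empty-to-null conversion that PATCH 01 introduced for this argument is therefore dropped, while `ssl_certificates` keeps it, and the proxy may again receive both arguments set. `length(coalesce(var.https_proxy_config.certificate_manager_certificates, [])) > 0 ? var.https_proxy_config.certificate_manager_certificates : null` covers both the null and the empty case. The same local is added in the net-lb-app-ext, net-lb-app-int-cross-region and net-lb-app-int hunks of this commit; the variable's declaration is outside the visible hunks, so its default needs checking.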
@@ -28,6 +28,7 @@ locals { [for k, v in google_compute_ssl_certificate.default : v.id], [for k, v in google_compute_managed_ssl_certificate.default : v.id] ) + certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_global_forwarding_rule" "default" { @@ -81,7 +82,7 @@ resource "google_compute_target_https_proxy" "default" { name = var.name description = var.description certificate_map = var.https_proxy_config.certificate_map - certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null + certificate_manager_certificates = local.certificate_manager_certs quic_override = var.https_proxy_config.quic_override ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index f57867b4fc..c50d4da0c8 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -57,6 +57,7 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_ssl_certificate.default : v.id] ) + certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_global_forwarding_rule" "forwarding_rules" { 
@@ -109,7 +110,7 @@ resource "google_compute_target_https_proxy" "default" { name = var.name description = var.description ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null - certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null + certificate_manager_certificates = local.certificate_manager_certs quic_override = var.https_proxy_config.quic_override ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id diff --git a/modules/net-lb-app-int/main.tf b/modules/net-lb-app-int/main.tf index 0ec3be2f7c..2957ca6da8 100644 --- a/modules/net-lb-app-int/main.tf +++ b/modules/net-lb-app-int/main.tf @@ -57,6 +57,7 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_region_ssl_certificate.default : v.id] ) + certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_forwarding_rule" "default" { @@ -120,7 +121,7 @@ resource "google_compute_region_target_https_proxy" "default" { ) ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id - certificate_manager_certificates = length(var.https_proxy_config.certificate_manager_certificates) > 0 ? var.https_proxy_config.certificate_manager_certificates : null + certificate_manager_certificates = local.certificate_manager_certs } resource "google_compute_service_attachment" "default" { From 4a1a4ab1bd512942f9ae07cfd42b799c2fadb678 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:17:45 -0500 Subject: [PATCH 06/17] remove unnecessary local variable --- modules/net-lb-app-ext-regional/main.tf | 5 ++--- modules/net-lb-app-ext/main.tf | 5 ++--- modules/net-lb-app-int/main.tf | 3 +-- 3 files changed, 5 insertions(+), 8 deletions(-) 
diff --git a/modules/net-lb-app-ext-regional/main.tf b/modules/net-lb-app-ext-regional/main.tf index f45577574e..bab7ca9178 100644 --- a/modules/net-lb-app-ext-regional/main.tf +++ b/modules/net-lb-app-ext-regional/main.tf @@ -27,7 +27,6 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_region_ssl_certificate.default : v.id], ) - certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_forwarding_rule" "default" { @@ -80,8 +79,8 @@ resource "google_compute_region_target_https_proxy" "default" { name = var.name region = var.region description = var.description - certificate_manager_certificates = local.certificate_manager_certs - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } diff --git a/modules/net-lb-app-ext/main.tf b/modules/net-lb-app-ext/main.tf index dcd482be76..3c7dca1d99 100644 --- a/modules/net-lb-app-ext/main.tf +++ b/modules/net-lb-app-ext/main.tf @@ -28,7 +28,6 @@ locals { [for k, v in google_compute_ssl_certificate.default : v.id], [for k, v in google_compute_managed_ssl_certificate.default : v.id] ) - certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_global_forwarding_rule" "default" { 
@@ -82,10 +81,10 @@ resource "google_compute_target_https_proxy" "default" { name = var.name description = var.description certificate_map = var.https_proxy_config.certificate_map - certificate_manager_certificates = local.certificate_manager_certs quic_override = var.https_proxy_config.quic_override - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id server_tls_policy = var.https_proxy_config.mtls_policy + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } diff --git a/modules/net-lb-app-int/main.tf b/modules/net-lb-app-int/main.tf index 2957ca6da8..697118d721 100644 --- a/modules/net-lb-app-int/main.tf +++ b/modules/net-lb-app-int/main.tf @@ -57,7 +57,6 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_region_ssl_certificate.default : v.id] ) - certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_forwarding_rule" "default" { @@ -121,7 +120,7 @@ resource "google_compute_region_target_https_proxy" "default" { ) ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id - certificate_manager_certificates = local.certificate_manager_certs + certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_service_attachment" "default" { From 7d401bd532a4815c841eb08e717b4bfdf61743e7 Mon Sep 17 00:00:00 2001 
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:18:00 -0500 Subject: [PATCH 07/17] revert "backend" back to "group" the other folders in this directory are using "group" not "backend". Keep things standardized to make future updates easier. --- modules/net-lb-app-ext/backend-service.tf | 2 +- modules/net-lb-app-ext/variables-backend-service.tf | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/net-lb-app-ext/backend-service.tf b/modules/net-lb-app-ext/backend-service.tf index 87562dc017..2a2dfc482b 100644 --- a/modules/net-lb-app-ext/backend-service.tf +++ b/modules/net-lb-app-ext/backend-service.tf @@ -74,7 +74,7 @@ resource "google_compute_backend_service" "default" { timeout_sec = each.value.timeout_sec dynamic "backend" { - for_each = { for b in coalesce(each.value.backends, []) : b.backend => b } + for_each = { for b in coalesce(each.value.backends, []) : b.group => b } content { group = lookup(local.group_ids, backend.key, backend.key) balancing_mode = backend.value.balancing_mode # UTILIZATION, RATE diff --git a/modules/net-lb-app-ext/variables-backend-service.tf b/modules/net-lb-app-ext/variables-backend-service.tf index 7a431e10a6..e32a942391 100644 --- a/modules/net-lb-app-ext/variables-backend-service.tf +++ b/modules/net-lb-app-ext/variables-backend-service.tf @@ -34,8 +34,7 @@ variable "backend_service_configs" { session_affinity = optional(string) timeout_sec = optional(number) backends = list(object({ - # group renamed to backend - backend = string + group = string balancing_mode = optional(string, "UTILIZATION") capacity_scaler = optional(number, 1) description = optional(string, "Terraform managed.") From d9cc4bc47a660d314ce78ef269a5b443a43a7ace Mon Sep 17 00:00:00 2001 
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com>
Date: Thu, 19 Dec 2024 14:19:21 -0500
Subject: [PATCH 08/17] add "max_connections" to net-lb-app-int/variables-backend-service
---
 modules/net-lb-app-int/variables-backend-service.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/modules/net-lb-app-int/variables-backend-service.tf b/modules/net-lb-app-int/variables-backend-service.tf
index 9340becf92..ffe13cb6f5 100644
--- a/modules/net-lb-app-int/variables-backend-service.tf
+++ b/modules/net-lb-app-int/variables-backend-service.tf
@@ -36,6 +36,11 @@ variable "backend_service_configs" {
 capacity_scaler = optional(number, 1)
 description = optional(string, "Terraform managed.")
 failover = optional(bool, false)
+ max_connections = optional(object({
+ per_endpoint = optional(number)
+ per_group = optional(number)
+ per_instance = optional(number)
+ }))
 max_rate = optional(object({
 per_endpoint = optional(number)
 per_group = optional(number)
From 6dd016f137a5e080d9d20457fdefa5b97f953851 Mon Sep 17 00:00:00 2001
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com>
Date: Thu, 19 Dec 2024 14:28:20 -0500
Subject: [PATCH 09/17] run tfdoc.py
---
 modules/net-lb-app-ext/README.md | 2 +-
 modules/net-lb-app-int-cross-region/README.md | 3 ++-
 modules/net-lb-app-int/README.md | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md
index b11c8d5409..c32f8f8706 100644
--- a/modules/net-lb-app-ext/README.md
+++ b/modules/net-lb-app-ext/README.md
@@ -1050,7 +1050,7 @@ After provisioning this change, and verifying that the new certificate is provis | [project_id](variables.tf#L195) | Project id. | string | ✓ | | | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | | [backend_buckets_config](variables.tf#L23) | Backend buckets configuration. | map(object({…})) | | {} | -| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} | +| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} | | [description](variables.tf#L56) | Optional description used for resources. | string | | "Terraform managed." | | [group_configs](variables.tf#L62) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | | [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} | diff --git a/modules/net-lb-app-int-cross-region/README.md b/modules/net-lb-app-int-cross-region/README.md index 7d412e06a0..f2a6280658 100644 --- a/modules/net-lb-app-int-cross-region/README.md +++ b/modules/net-lb-app-int-cross-region/README.md @@ -18,6 +18,7 @@ Due to the complexity of the underlying resources, changes to the configuration - [Serverless NEG creation](#serverless-neg-creation) - [Private Service Connect NEG creation](#private-service-connect-neg-creation) - [URL Map](#url-map) + - [SSL Certificates](#ssl-certificates) - [Complex example](#complex-example) - [Deploying changes to load balancer configurations](#deploying-changes-to-load-balancer-configurations) - [Recipes](#recipes) 
@@ -798,7 +799,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app | [backend-service.tf](./backend-service.tf) | Backend service resources. | google_compute_backend_service | | [groups.tf](./groups.tf) | None | google_compute_instance_group | | [health-check.tf](./health-check.tf) | Health check resource. | google_compute_health_check | -| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_global_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint_group · google_compute_target_http_proxy · google_compute_target_https_proxy | +| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_global_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint_group · google_compute_ssl_certificate · google_compute_target_http_proxy · google_compute_target_https_proxy | | [outputs.tf](./outputs.tf) | Module outputs. | | | [urlmap.tf](./urlmap.tf) | URL map resources. | google_compute_url_map | | [variables-backend-service.tf](./variables-backend-service.tf) | Backend services variables. | | diff --git a/modules/net-lb-app-int/README.md b/modules/net-lb-app-int/README.md index 87eaeab54d..056a4a37d8 100644 --- a/modules/net-lb-app-int/README.md +++ b/modules/net-lb-app-int/README.md 
@@ -744,7 +744,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app | [region](variables.tf#L178) | The region where to allocate the ILB resources. | string | ✓ | | | [vpc_config](variables.tf#L220) | VPC-level configuration. | object({…}) | ✓ | | | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | -| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | +| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | | [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." | | [global_access](variables.tf#L30) | Allow client access from all regions. | bool | | null | | [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | From 469811730f17c2a1508560ab9dd8bb5b9ec71da0 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 14:36:50 -0500 Subject: [PATCH 10/17] remove unnecessary local variable --- modules/net-lb-app-int-cross-region/main.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index c50d4da0c8..5585991c0c 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -57,7 +57,6 @@ locals { coalesce(var.ssl_certificates.certificate_ids, []), [for k, v in google_compute_ssl_certificate.default : v.id] ) - certificate_manager_certs = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_global_forwarding_rule" "forwarding_rules" { 
@@ -109,11 +108,11 @@ resource "google_compute_target_https_proxy" "default" { project = var.project_id name = var.name description = var.description - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null - certificate_manager_certificates = local.certificate_manager_certs quic_override = var.https_proxy_config.quic_override ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id + ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } resource "google_compute_network_endpoint_group" "default" { From 11ecd686ddc617c431b3143753c4f670f965a0a4 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 15:31:28 -0500 Subject: [PATCH 11/17] revert "backend" to "group" --- modules/net-lb-app-ext-regional/README.md | 36 ++++++------- .../variables-backend-service.tf | 3 +- modules/net-lb-app-ext/README.md | 52 +++++++++---------- 3 files changed, 45 insertions(+), 46 deletions(-) diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md index c3be9aecbe..c32f2be5f6 100644 --- a/modules/net-lb-app-ext-regional/README.md +++ b/modules/net-lb-app-ext-regional/README.md @@ -47,8 +47,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id } + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id } ] } } 
@@ -91,8 +91,8 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id } + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id } ] protocol = "HTTP" } @@ -125,8 +125,8 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id } + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id } ] protocol = "HTTPS" } @@ -198,7 +198,7 @@ module "ralb-test-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-b.group.id }, ] protocol = "HTTP" } @@ -235,7 +235,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] # no need to reference the hc explicitly when using the `default` key # health_checks = ["default"] @@ -262,7 +262,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] health_checks = ["projects/${var.project_id}/regions/${var.region}/healthChecks/custom"] } @@ -288,7 +288,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = "default-b" } + { group = "default-b" } ] } } @@ -361,7 +361,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = module.win-mig.group_manager.instance_group } + { group = module.win-mig.group_manager.instance_group } ] } } @@ -465,7 +465,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] } 
@@ -498,7 +498,7 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] } @@ -537,7 +537,7 @@ module "ralb-0" { backends = [ { - backend = "neg-0" + group = "neg-0" } ] health_checks = [] @@ -566,12 +566,12 @@ module "ralb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] } other = { backends = [{ - backend = module.compute-vm-group-c.group.id + group = module.compute-vm-group-c.group.id }] } } @@ -610,8 +610,8 @@ module "ralb-0" { backend_service_configs = { default = { backends = [ - { backend = "group-zone-b" }, - { backend = "group-zone-c" }, + { group = "group-zone-b" }, + { group = "group-zone-c" }, ] } neg-gce-0 = { diff --git a/modules/net-lb-app-ext-regional/variables-backend-service.tf b/modules/net-lb-app-ext-regional/variables-backend-service.tf index c6b4d6586c..18da8557ac 100644 --- a/modules/net-lb-app-ext-regional/variables-backend-service.tf +++ b/modules/net-lb-app-ext-regional/variables-backend-service.tf @@ -31,8 +31,7 @@ variable "backend_service_configs" { session_affinity = optional(string) timeout_sec = optional(number) backends = list(object({ - # group renamed to backend - backend = string + group = string balancing_mode = optional(string, "UTILIZATION") capacity_scaler = optional(number, 1) description = optional(string, "Terraform managed.") diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md index c32f8f8706..e3febfc2fa 100644 --- a/modules/net-lb-app-ext/README.md +++ b/modules/net-lb-app-ext/README.md @@ -50,8 +50,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id }, + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id }, ] } } 
@@ -73,8 +73,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id }, + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id }, ] protocol = "HTTP" } @@ -103,8 +103,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id }, + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id }, ] protocol = "HTTPS" } @@ -169,7 +169,7 @@ module "glb-test-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-b.group.id }, ] protocol = "HTTP" } @@ -200,8 +200,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id }, + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id }, ] } } @@ -225,7 +225,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] # no need to reference the hc explicitly when using the `default` key # health_checks = ["default"] @@ -250,7 +250,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] health_checks = ["projects/${var.project_id}/global/healthChecks/custom"] } @@ -274,7 +274,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "default-b" } + { group = "default-b" } ] } } 
@@ -345,7 +345,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.win-mig.group_manager.instance_group } + { group = module.win-mig.group_manager.instance_group } ] } } @@ -497,7 +497,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] } @@ -534,7 +534,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] } @@ -565,7 +565,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] } @@ -596,7 +596,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] port_name = "http" @@ -641,7 +641,7 @@ module "ralb-0" { backends = [ { - backend = "neg-0" + group = "neg-0" } ] health_checks = [] @@ -668,12 +668,12 @@ module "glb-0" { backend_service_configs = { default = { backends = [{ - backend = module.compute-vm-group-b.group.id + group = module.compute-vm-group-b.group.id }] } other = { backends = [{ - backend = module.compute-vm-group-c.group.id + group = module.compute-vm-group-c.group.id }] } } @@ -731,8 +731,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = module.compute-vm-group-b.group.id }, - { backend = module.compute-vm-group-c.group.id }, + { group = module.compute-vm-group-b.group.id }, + { group = module.compute-vm-group-c.group.id }, ] protocol = "HTTP" } @@ -768,8 +768,8 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "group-zone-b" }, - { backend = "group-zone-c" }, + { group = "group-zone-b" }, + { group = "group-zone-c" }, ] } neg-gce-0 = { 
@@ -920,7 +920,7 @@ module "glb-0" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] port_name = "http" @@ -985,7 +985,7 @@ After applying this change, you can update the backend service to point to the n backend_service_configs = { default = { backends = [ - { backend = "neg-1" } + { group = "neg-1" } ] health_checks = [] port_name = "http" From 6a76304a735131305febcbb1f768905575406b0d Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:18:03 -0500 Subject: [PATCH 12/17] standardize on "group" key --- blueprints/apigee/apigee-x-foundations/northbound.tf | 2 +- blueprints/apigee/bigquery-analytics/main.tf | 2 +- .../apigee_nb.tf | 2 +- blueprints/cloud-operations/adfs/main.tf | 2 +- blueprints/networking/glb-and-armor/main.tf | 4 ++-- blueprints/networking/glb-hybrid-neg-internal/glb.tf | 4 ++-- blueprints/networking/psc-glb-and-armor/consumer.tf | 4 ++-- blueprints/serverless/cloud-run-explore/main.tf | 2 +- blueprints/third-party-solutions/phpipam/glb.tf | 2 +- modules/net-lb-app-ext-regional/README.md | 8 ++++---- modules/net-lb-app-ext-regional/backend-service.tf | 2 +- modules/net-lb-app-ext/README.md | 10 +++++----- tests/modules/net_lb_app_ext/test-plan.tfvars | 12 ++++++------ 13 files changed, 28 insertions(+), 28 deletions(-) diff --git a/blueprints/apigee/apigee-x-foundations/northbound.tf b/blueprints/apigee/apigee-x-foundations/northbound.tf index 5724542fb5..51ebb2a1d6 100644 --- a/blueprints/apigee/apigee-x-foundations/northbound.tf +++ b/blueprints/apigee/apigee-x-foundations/northbound.tf 
@@ -66,7 +66,7 @@ module "ext_lb" { use_classic_version = false backend_service_configs = { default = { - backends = [for k, v in local.ext_instances : { backend = google_compute_region_network_endpoint_group.psc_negs[k].id }] + backends = [for k, v in local.ext_instances : { group = google_compute_region_network_endpoint_group.psc_negs[k].id }] protocol = "HTTPS" health_checks = [] outlier_detection = var.ext_lb_config.outlier_detection diff --git a/blueprints/apigee/bigquery-analytics/main.tf b/blueprints/apigee/bigquery-analytics/main.tf index d1534ad77b..5af8342a55 100644 --- a/blueprints/apigee/bigquery-analytics/main.tf +++ b/blueprints/apigee/bigquery-analytics/main.tf @@ -95,7 +95,7 @@ module "glb" { use_classic_version = false backend_service_configs = { default = { - backends = [for k, v in var.instances : { backend = k }] + backends = [for k, v in var.instances : { group = k }] protocol = "HTTPS" health_checks = [] } diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee_nb.tf b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee_nb.tf index bc1035e74d..1021763ca0 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee_nb.tf +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/apigee_nb.tf @@ -22,7 +22,7 @@ module "glb" { use_classic_version = false backend_service_configs = { default = { - backends = [{ backend = "neg-0" }] + backends = [{ group = "neg-0" }] protocol = "HTTPS" health_checks = [] } diff --git a/blueprints/cloud-operations/adfs/main.tf b/blueprints/cloud-operations/adfs/main.tf index 27286bbfc7..11c23701ed 100644 --- a/blueprints/cloud-operations/adfs/main.tf +++ b/blueprints/cloud-operations/adfs/main.tf 
@@ -104,7 +104,7 @@ module "glb" { protocol = "HTTPS" backend_service_configs = { default = { - backends = [{ backend = module.server.group.id }] + backends = [{ group = module.server.group.id }] log_sample_rate = 1 protocol = "HTTPS" } diff --git a/blueprints/networking/glb-and-armor/main.tf b/blueprints/networking/glb-and-armor/main.tf index 22a7c3c7c4..56a69873b4 100644 --- a/blueprints/networking/glb-and-armor/main.tf +++ b/blueprints/networking/glb-and-armor/main.tf @@ -198,8 +198,8 @@ module "glb" { backend_service_configs = { default = { backends = [ - { backend = module.mig_ew1.group_manager.instance_group }, - { backend = module.mig_ue1.group_manager.instance_group } + { group = module.mig_ew1.group_manager.instance_group }, + { group = module.mig_ue1.group_manager.instance_group } ] log_sample_rate = 1 security_policy = try(google_compute_security_policy.policy[0].name, null) diff --git a/blueprints/networking/glb-hybrid-neg-internal/glb.tf b/blueprints/networking/glb-hybrid-neg-internal/glb.tf index b8edd35a85..f9846e1468 100644 --- a/blueprints/networking/glb-hybrid-neg-internal/glb.tf +++ b/blueprints/networking/glb-hybrid-neg-internal/glb.tf @@ -24,12 +24,12 @@ module "hybrid-glb" { default = { backends = [ { - backend = "neg-primary" + group = "neg-primary" balancing_mode = "RATE" max_rate = { per_endpoint = 100 } }, { - backend = "neg-secondary" + group = "neg-secondary" balancing_mode = "RATE" max_rate = { per_endpoint = 100 } } diff --git a/blueprints/networking/psc-glb-and-armor/consumer.tf b/blueprints/networking/psc-glb-and-armor/consumer.tf index e525046ca8..7aa27327d4 100644 --- a/blueprints/networking/psc-glb-and-armor/consumer.tf +++ b/blueprints/networking/psc-glb-and-armor/consumer.tf @@ -68,7 +68,7 @@ module "glb" { backend_service_configs = { default = { backends = [ - { backend = "neg-a" } + { group = "neg-a" } ] health_checks = [] protocol = "HTTPS" 
@@ -76,7 +76,7 @@ module "glb" { } other = { backends = [ - { backend = "neg-b" } + { group = "neg-b" } ] health_checks = [] protocol = "HTTPS" diff --git a/blueprints/serverless/cloud-run-explore/main.tf b/blueprints/serverless/cloud-run-explore/main.tf index 579f75b4cd..d5428fd90d 100644 --- a/blueprints/serverless/cloud-run-explore/main.tf +++ b/blueprints/serverless/cloud-run-explore/main.tf @@ -75,7 +75,7 @@ module "glb" { backend_service_configs = { default = { backends = [ - { backend = "neg-0" } + { group = "neg-0" } ] health_checks = [] port_name = "http" diff --git a/blueprints/third-party-solutions/phpipam/glb.tf b/blueprints/third-party-solutions/phpipam/glb.tf index 36177c515f..29a60af9fd 100644 --- a/blueprints/third-party-solutions/phpipam/glb.tf +++ b/blueprints/third-party-solutions/phpipam/glb.tf @@ -57,7 +57,7 @@ module "glb" { backend_service_configs = { default = { backends = [ - { backend = "phpipam" } + { group = "phpipam" } ] health_checks = [] port_name = "http" diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md index c32f2be5f6..09d98336bb 100644 --- a/modules/net-lb-app-ext-regional/README.md +++ b/modules/net-lb-app-ext-regional/README.md @@ -386,7 +386,7 @@ module "ralb-0" { default = { backends = [ { - backend = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -428,7 +428,7 @@ module "ralb-0" { default = { backends = [ { - backend = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -617,14 +617,14 @@ module "ralb-0" { neg-gce-0 = { backends = [{ balancing_mode = "RATE" - backend = "neg-zone-c" + group = "neg-zone-c" max_rate = { per_endpoint = 10 } }] } neg-hybrid-0 = { backends = [{ balancing_mode = "RATE" - backend = "neg-hello" + group = "neg-hello" max_rate = { per_endpoint = 10 } }] health_checks = ["neg"] 
diff --git a/modules/net-lb-app-ext-regional/backend-service.tf b/modules/net-lb-app-ext-regional/backend-service.tf index 3ebc150641..272ddb3586 100644 --- a/modules/net-lb-app-ext-regional/backend-service.tf +++ b/modules/net-lb-app-ext-regional/backend-service.tf @@ -72,7 +72,7 @@ resource "google_compute_region_backend_service" "default" { timeout_sec = each.value.timeout_sec dynamic "backend" { - for_each = { for b in coalesce(each.value.backends, []) : b.backend => b } + for_each = { for b in coalesce(each.value.backends, []) : b.group => b } content { group = lookup(local.group_ids, backend.key, backend.key) balancing_mode = backend.value.balancing_mode # UTILIZATION, RATE diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md index e3febfc2fa..16b4cd6d9d 100644 --- a/modules/net-lb-app-ext/README.md +++ b/modules/net-lb-app-ext/README.md @@ -386,7 +386,7 @@ module "glb-0" { default = { backends = [ { - backend = "myneg-b" + group = "myneg-b" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -420,7 +420,7 @@ module "glb-0" { default = { backends = [ { - backend = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -460,7 +460,7 @@ module "glb-0" { default = { backends = [ { - backend = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -775,14 +775,14 @@ module "glb-0" { neg-gce-0 = { backends = [{ balancing_mode = "RATE" - backend = "neg-zone-c" + group = "neg-zone-c" max_rate = { per_endpoint = 10 } }] } neg-hybrid-0 = { backends = [{ balancing_mode = "RATE" - backend = "neg-hello" + group = "neg-hello" max_rate = { per_endpoint = 10 } }] health_checks = ["neg"] diff --git a/tests/modules/net_lb_app_ext/test-plan.tfvars b/tests/modules/net_lb_app_ext/test-plan.tfvars index 94cc5ab2ae..c44b026176 100644 --- a/tests/modules/net_lb_app_ext/test-plan.tfvars +++ b/tests/modules/net_lb_app_ext/test-plan.tfvars 
@@ -8,26 +8,26 @@ backend_buckets_config = { backend_service_configs = { default = { backends = [ - { backend = "projects/my-project/zones/europe-west8-b/instanceGroups/ig-b" }, - { backend = "ig-c" } + { group = "projects/my-project/zones/europe-west8-b/instanceGroups/ig-b" }, + { group = "ig-c" } ] } neg-cloudrun = { - backends = [{ backend = "neg-cloudrun" }] + backends = [{ group = "neg-cloudrun" }] health_checks = [] } neg-gce = { - backends = [{ backend = "neg-gce" }] + backends = [{ group = "neg-gce" }] balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } neg-hybrid = { - backends = [{ backend = "neg-hybrid" }] + backends = [{ group = "neg-hybrid" }] balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } neg-internet = { - backends = [{ backend = "neg-internet" }] + backends = [{ group = "neg-internet" }] health_checks = [] } } From b561f2cc716b3e32092094d70021f7c5391df3d7 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:32:33 -0500 Subject: [PATCH 13/17] tfdoc.py modules/net-lb-app-ext-regional --- modules/net-lb-app-ext-regional/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md index 09d98336bb..1b26f0368a 100644 --- a/modules/net-lb-app-ext-regional/README.md +++ b/modules/net-lb-app-ext-regional/README.md 
@@ -756,7 +756,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app | [region](variables.tf#L169) | Region where the load balancer is created. | string | ✓ | | | [vpc](variables.tf#L188) | VPC-level configuration. | string | ✓ | | | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null | -| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | +| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} | | [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." | | [group_configs](variables.tf#L29) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | | [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} | From 826c1459a2b5670fd8ffc03b166b9f6ab43c7820 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:44:10 -0500 Subject: [PATCH 14/17] address formatting errors in readme --- modules/net-lb-app-ext/README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md index 16b4cd6d9d..7e72ebf9ec 100644 --- a/modules/net-lb-app-ext/README.md +++ b/modules/net-lb-app-ext/README.md @@ -386,7 +386,7 @@ module "glb-0" { default = { backends = [ { - group = "myneg-b" + group = "myneg-b" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -420,7 +420,7 @@ module "glb-0" { default = { backends = [ { - group = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } 
@@ -460,7 +460,7 @@ module "glb-0" { default = { backends = [ { - group = "neg-0" + group = "neg-0" balancing_mode = "RATE" max_rate = { per_endpoint = 10 } } @@ -775,14 +775,14 @@ module "glb-0" { neg-gce-0 = { backends = [{ balancing_mode = "RATE" - group = "neg-zone-c" + group = "neg-zone-c" max_rate = { per_endpoint = 10 } }] } neg-hybrid-0 = { backends = [{ balancing_mode = "RATE" - group = "neg-hello" + group = "neg-hello" max_rate = { per_endpoint = 10 } }] health_checks = ["neg"] From 5b92cc785a93a08e9e23f5c93e7db48719cf5911 Mon Sep 17 00:00:00 2001 From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 17:57:55 -0500 Subject: [PATCH 15/17] match variable definition with other net-lb-* dirs certificate_manager_certificates CAN be null Fixes pytest error from Terraform plan: - "certificate_manager_certificates": conflicts with ssl_certificates --- modules/net-lb-app-int-cross-region/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/net-lb-app-int-cross-region/variables.tf b/modules/net-lb-app-int-cross-region/variables.tf index fd3b5e3110..a470d0d448 100644 --- a/modules/net-lb-app-int-cross-region/variables.tf +++ b/modules/net-lb-app-int-cross-region/variables.tf @@ -41,7 +41,7 @@ variable "group_configs" { variable "https_proxy_config" { description = "HTTPS proxy configuration." type = object({ - certificate_manager_certificates = optional(list(string), []) + certificate_manager_certificates = optional(list(string)) quic_override = optional(string) ssl_policy = optional(string) }) From 4deff4fab713433ba284e3ed32f440ad431fe07e Mon Sep 17 00:00:00 2001 
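Review bot: In the `variables.tf` hunk for `https_proxy_config` (`@@ -41,7 +41,7 @@`), the new null default for `certificate_manager_certificates` carries a contract that is not written anywhere a module user will see it: the attribute has to stay unset when `ssl_certificates` supplies the certificates. The description is still only "HTTPS proxy configuration.", so the first feedback for passing both is the provider's `conflicts with ssl_certificates` error at plan time. I would add a comment above the attribute, `# mutually exclusive with var.ssl_certificates; leave null when classic SSL certificates are used`, and extend the description in the same way so the generated README table carries it. The variable block continues past the end of this hunk, so whether a `validation` block already exists there cannot be seen from here.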
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 22:46:18 -0500 Subject: [PATCH 16/17] update "ssl_certificates" conditional --- modules/net-lb-app-ext-regional/main.tf | 2 +- modules/net-lb-app-ext/main.tf | 2 +- modules/net-lb-app-int-cross-region/main.tf | 2 +- modules/net-lb-app-int/main.tf | 16 ++++++---------- 4 files changed, 9 insertions(+), 13 deletions(-) diff --git a/modules/net-lb-app-ext-regional/main.tf b/modules/net-lb-app-ext-regional/main.tf index bab7ca9178..6205096ce3 100644 --- a/modules/net-lb-app-ext-regional/main.tf +++ b/modules/net-lb-app-ext-regional/main.tf @@ -81,6 +81,6 @@ resource "google_compute_region_target_https_proxy" "default" { description = var.description ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + ssl_certificates = length(local.proxy_ssl_certificates) == 0 ? null : local.proxy_ssl_certificates certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } diff --git a/modules/net-lb-app-ext/main.tf b/modules/net-lb-app-ext/main.tf index 3c7dca1d99..9fff32d876 100644 --- a/modules/net-lb-app-ext/main.tf +++ b/modules/net-lb-app-ext/main.tf @@ -85,6 +85,6 @@ resource "google_compute_target_https_proxy" "default" { ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id server_tls_policy = var.https_proxy_config.mtls_policy - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + ssl_certificates = length(local.proxy_ssl_certificates) == 0 ? null : local.proxy_ssl_certificates certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } 
diff --git a/modules/net-lb-app-int-cross-region/main.tf b/modules/net-lb-app-int-cross-region/main.tf index 5585991c0c..ea95f6f0b0 100644 --- a/modules/net-lb-app-int-cross-region/main.tf +++ b/modules/net-lb-app-int-cross-region/main.tf @@ -111,7 +111,7 @@ resource "google_compute_target_https_proxy" "default" { quic_override = var.https_proxy_config.quic_override ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_url_map.default.id - ssl_certificates = length(local.proxy_ssl_certificates) > 0 ? local.proxy_ssl_certificates : null + ssl_certificates = length(local.proxy_ssl_certificates) == 0 ? null : local.proxy_ssl_certificates certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } diff --git a/modules/net-lb-app-int/main.tf b/modules/net-lb-app-int/main.tf index 697118d721..1c21b708aa 100644 --- a/modules/net-lb-app-int/main.tf +++ b/modules/net-lb-app-int/main.tf @@ -108,18 +108,14 @@ resource "google_compute_region_target_http_proxy" "default" { } resource "google_compute_region_target_https_proxy" "default" { - count = var.protocol == "HTTPS" ? 1 : 0 - project = var.project_id - region = var.region - name = var.name - description = var.description - ssl_certificates = ( - length(local.proxy_ssl_certificates) == 0 - ? null - : local.proxy_ssl_certificates - ) + count = var.protocol == "HTTPS" ? 1 : 0 + project = var.project_id + region = var.region + name = var.name + description = var.description ssl_policy = var.https_proxy_config.ssl_policy url_map = google_compute_region_url_map.default.id + ssl_certificates = length(local.proxy_ssl_certificates) == 0 ? null : local.proxy_ssl_certificates certificate_manager_certificates = try(var.https_proxy_config.certificate_manager_certificates, null) } From 536008aea2663f309226a5208002d9245b458684 Mon Sep 17 00:00:00 2001 
From: Sergio Rodriguez <2318521+rodriguezsergio@users.noreply.github.com> Date: Thu, 19 Dec 2024 22:53:32 -0500 Subject: [PATCH 17/17] tfdoc.py modules/net-lb-app-int-cross-region --- modules/net-lb-app-int-cross-region/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/net-lb-app-int-cross-region/README.md b/modules/net-lb-app-int-cross-region/README.md index f2a6280658..1eae9b65ef 100644 --- a/modules/net-lb-app-int-cross-region/README.md +++ b/modules/net-lb-app-int-cross-region/README.md 
@@ -820,14 +820,14 @@ For deploying changes to load balancer configuration please refer to [net-lb-app | [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." | | [group_configs](variables.tf#L29) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | | [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} | -| [https_proxy_config](variables.tf#L41) | HTTPS proxy configuration. | object({…}) | | {} | +| [https_proxy_config](variables.tf#L41) | HTTPS proxy configuration. | object({…}) | | {} | | [labels](variables.tf#L52) | Labels set on resources. | map(string) | | {} | | [neg_configs](variables.tf#L63) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} | | [ports](variables.tf#L129) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null | | [protocol](variables.tf#L140) | Protocol supported by this load balancer. | string | | "HTTP" | | [service_directory_registration](variables.tf#L153) | Service directory namespace and service used to register this load balancer. | object({…}) | | null | | [ssl_certificates](variables.tf#L162) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} | -| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} | +| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} | ## Outputs