Global HTTP Load Balancer Terraform Module

Modular Global HTTP Load Balancer for GCE using forwarding rules.

  • If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the dynamic backends submodule.
  • If you would like to use load balancing with serverless backends (Cloud Run, Cloud Functions or App Engine), see the serverless_negs submodule and cloudrun example.

Load Balancer Types

Compatibility

This module is meant for use with Terraform 0.13+ and tested using Terraform 1.0+. If you find incompatibilities using Terraform >=0.13, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.5.0.

Usage

module "gce-lb-http" {
  source            = "GoogleCloudPlatform/lb-http/google"
  version           = "~> 4.4"

  project           = "my-project-id"
  name              = "group-http-lb"
  target_tags       = [module.mig1.target_tags, module.mig2.target_tags]
  backends = {
    default = {
      description                     = null
      protocol                        = "HTTP"
      port                            = var.service_port
      port_name                       = var.service_port_name
      timeout_sec                     = 10
      enable_cdn                      = false
      custom_request_headers          = null
      custom_response_headers         = null
      security_policy                 = null

      connection_draining_timeout_sec = null
      session_affinity                = null
      affinity_cookie_ttl_sec         = null

      health_check = {
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        request_path        = "/"
        port                = var.service_port
        host                = null
        logging             = null
      }

      log_config = {
        enable = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = var.backend
          balancing_mode               = null
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
          max_utilization              = null
        },
      ]

      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}
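A hardened variant of the Usage block above, added here as an example (not code from the module's README): it terminates TLS with a Google-managed certificate and a TLS 1.2+ SSL policy, redirects port 80 to HTTPS, attaches a Cloud Armor policy to the backend, keeps full request logging and puts the backend behind IAP. Assumed names: var.backend, var.service_port, var.service_port_name, var.backend_service_account, var.cloud_armor_policy, var.iap_client_id and var.iap_client_secret; the domain is a constructed sample value.

```hcl
# Added example, not the module's own code. Assumed inputs: var.backend,
# var.service_port, var.service_port_name, var.backend_service_account,
# var.cloud_armor_policy (self_link of an existing Cloud Armor policy),
# var.iap_client_id and var.iap_client_secret (declare the secret as sensitive).

# Minimum TLS 1.2 with the MODERN cipher profile, handed to the module via ssl_policy.
resource "google_compute_ssl_policy" "modern" {
  name            = "group-https-lb-ssl-policy"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}

module "gce-lb-https" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 4.4"
  project = "my-project-id"
  name    = "group-https-lb"

  # Health-check firewall rule scoped to the backend's service account instead of network tags.
  target_service_accounts = [var.backend_service_account]

  # Edge TLS: Google-managed certificate, HTTP on port 80 redirected to HTTPS, modern SSL policy.
  ssl                             = true
  use_ssl_certificates            = false
  managed_ssl_certificate_domains = ["www.example.com"] # constructed sample domain
  https_redirect                  = true
  ssl_policy                      = google_compute_ssl_policy.modern.self_link

  backends = {
    default = {
      protocol = "HTTP", port = var.service_port, port_name = var.service_port_name, description = null
      timeout_sec = 10, enable_cdn = false, custom_request_headers = null, custom_response_headers = null
      security_policy = var.cloud_armor_policy # Cloud Armor rules are evaluated before the backend
      connection_draining_timeout_sec = null, session_affinity = null, affinity_cookie_ttl_sec = null
      health_check = { check_interval_sec = null, timeout_sec = null, healthy_threshold = null,
        unhealthy_threshold = null, request_path = "/", port = var.service_port, host = null, logging = true }
      log_config = { enable = true, sample_rate = 1.0 } # keep every request in Cloud Logging
      groups = [{ group = var.backend, balancing_mode = null, capacity_scaler = null, description = null,
        max_connections = null, max_connections_per_instance = null, max_connections_per_endpoint = null,
        max_rate = null, max_rate_per_instance = null, max_rate_per_endpoint = null, max_utilization = null }]
      # IAP: requests must carry a Google identity authorized through IAM before they reach the backend.
      iap_config = { enable = true, oauth2_client_id = var.iap_client_id, oauth2_client_secret = var.iap_client_secret }
    }
  }
}
```

Every attribute of the backends object must be present even when null, because the module declares it as a fully typed object.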

Resources created

Figure 1. Diagram of Terraform resources (architecture diagram)

Version

Current version is 3.0. Upgrade guides:

Inputs

Name | Description | Type | Default | Required
address | Existing IPv4 address to use (the actual IP address value) | string | null | no
backends | Map backend indices to list of backend maps. | map(object({...})), full type listed below | n/a | yes
cdn | Set to true to enable cdn on backend. | bool | false | no
certificate | Content of the SSL certificate. Required if ssl is true and ssl_certificates is empty. | string | null | no
create_address | Create a new global IPv4 address | bool | true | no
create_ipv6_address | Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. | bool | false | no
create_url_map | Set to false if url_map variable is provided. | bool | true | no
enable_ipv6 | Enable IPv6 address on the CDN load-balancer | bool | false | no
firewall_networks | Names of the networks to create firewall rules in | list(string) | ["default"] | no
firewall_projects | Names of the projects to create firewall rules in | list(string) | ["default"] | no
http_forward | Set to false to disable HTTP port 80 forward | bool | true | no
https_redirect | Set to true to enable https redirect on the lb. | bool | false | no
ipv6_address | An existing IPv6 address to use (the actual IP address value) | string | null | no
managed_ssl_certificate_domains | Create Google-managed SSL certificates for specified domains. Requires ssl to be set to true and use_ssl_certificates set to false. | list(string) | [] | no
name | Name for the forwarding rule and prefix for supporting resources | string | n/a | yes
private_key | Content of the private SSL key. Required if ssl is true and ssl_certificates is empty. | string | null | no
project | The project to deploy to, if not set the default provider project is used. | string | n/a | yes
quic | Set to true to enable QUIC support | bool | false | no
random_certificate_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | bool | false | no
security_policy | The resource URL for the security policy to associate with the backend service | string | null | no
ssl | Set to true to enable SSL support, requires variable ssl_certificates - a list of self_link certs | bool | false | no
ssl_certificates | SSL cert self_link list. Required if ssl is true and no private_key and certificate is provided. | list(string) | [] | no
ssl_policy | Self link to SSL Policy | string | null | no
target_service_accounts | List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | [] | no
target_tags | List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | [] | no
url_map | The url_map resource to use. Default is to send all traffic to first backend. | string | null | no
use_ssl_certificates | If true, use the certificates provided by ssl_certificates, otherwise, create cert from private_key and certificate | bool | false | no

Type of the backends input:

  map(object({
    protocol  = string
    port      = number
    port_name = string

    description             = string
    enable_cdn              = bool
    security_policy         = string
    custom_request_headers  = list(string)
    custom_response_headers = list(string)

    timeout_sec                     = number
    connection_draining_timeout_sec = number
    session_affinity                = string
    affinity_cookie_ttl_sec         = number

    health_check = object({
      check_interval_sec  = number
      timeout_sec         = number
      healthy_threshold   = number
      unhealthy_threshold = number
      request_path        = string
      port                = number
      host                = string
      logging             = bool
    })

    log_config = object({
      enable      = bool
      sample_rate = number
    })

    groups = list(object({
      group = string

      balancing_mode               = string
      capacity_scaler              = number
      description                  = string
      max_connections              = number
      max_connections_per_instance = number
      max_connections_per_endpoint = number
      max_rate                     = number
      max_rate_per_instance        = number
      max_rate_per_endpoint        = number
      max_utilization              = number
    }))

    iap_config = object({
      enable               = bool
      oauth2_client_id     = string
      oauth2_client_secret = string
    })
  }))

Outputs

Name | Description
backend_services | The backend service resources.
external_ip | The external IPv4 assigned to the global forwarding rule.
external_ipv6_address | The external IPv6 assigned to the global forwarding rule.
http_proxy | The HTTP proxy used by this module.
https_proxy | The HTTPS proxy used by this module.
ipv6_enabled | Whether IPv6 configuration is enabled on this load-balancer
url_map | The default URL map used by this module.