Creates a global HTTP load balancer for Compute Engine by using forwarding rules

Home Page: https://registry.terraform.io/modules/terraform-google-modules/lb-http/google

License: Apache License 2.0

HCL 90.93% Makefile 3.09% Ruby 5.06% Go 0.92%

cft-terraform networking

terraform-google-lb-http's Introduction

Global HTTP Load Balancer Terraform Module

Modular Global HTTP Load Balancer for GCE using forwarding rules.

If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the dynamic backends submodule.
If you would like to use load balancing with serverless backends (Cloud Run, Cloud Functions or App Engine), see the serverless_negs submodule and cloudrun example.

Load Balancer Types

TCP load balancer
HTTP/S load balancer
Internal load balancer

Compatibility

This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.5.0.

Version

Current version is 9.0. Upgrade guides:

Usage

module "gce-lb-http" {
  source            = "GoogleCloudPlatform/lb-http/google"
  version           = "~> 9.0"

  project           = "my-project-id"
  name              = "group-http-lb"
  target_tags       = [module.mig1.target_tags, module.mig2.target_tags]
  backends = {
    default = {
      port                            = var.service_port
      protocol                        = "HTTP"
      port_name                       = var.service_port_name
      timeout_sec                     = 10
      enable_cdn                      = false


      health_check = {
        request_path        = "/"
        port                = var.service_port
      }

      log_config = {
        enable = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = var.backend
        },
      ]

      iap_config = {
        enable               = false
      }
    }
  }
}

Resources created

Figure 1. diagram of terraform resources

Inputs

Name	Description	Type	Default	Required
address	Existing IPv4 address to use (the actual IP address value)	`string`	`null`	no
backends	Map backend indices to list of backend maps.	map(object({ port = optional(number) project = optional(string) protocol = optional(string) port_name = optional(string) description = optional(string) enable_cdn = optional(bool) compression_mode = optional(string) security_policy = optional(string, null) edge_security_policy = optional(string, null) custom_request_headers = optional(list(string)) custom_response_headers = optional(list(string)) timeout_sec = optional(number) connection_draining_timeout_sec = optional(number) session_affinity = optional(string) affinity_cookie_ttl_sec = optional(number) locality_lb_policy = optional(string) health_check = optional(object({ host = optional(string) request_path = optional(string) request = optional(string) response = optional(string) port = optional(number) port_name = optional(string) proxy_header = optional(string) port_specification = optional(string) protocol = optional(string) check_interval_sec = optional(number) timeout_sec = optional(number) healthy_threshold = optional(number) unhealthy_threshold = optional(number) logging = optional(bool) })) log_config = object({ enable = optional(bool) sample_rate = optional(number) }) groups = list(object({ group = string balancing_mode = optional(string) capacity_scaler = optional(number) description = optional(string) max_connections = optional(number) max_connections_per_instance = optional(number) max_connections_per_endpoint = optional(number) max_rate = optional(number) max_rate_per_instance = optional(number) max_rate_per_endpoint = optional(number) max_utilization = optional(number) })) iap_config = object({ enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) }) cdn_policy = optional(object({ cache_mode = optional(string) signed_url_cache_max_age_sec = optional(string) default_ttl = optional(number) max_ttl = optional(number) client_ttl = optional(number) negative_caching = optional(bool) negative_caching_policy = optional(object({ code = optional(number) ttl = optional(number) })) serve_while_stale = optional(number) cache_key_policy = optional(object({ include_host = optional(bool) include_protocol = optional(bool) include_query_string = optional(bool) query_string_blacklist = optional(list(string)) query_string_whitelist = optional(list(string)) include_http_headers = optional(list(string)) include_named_cookies = optional(list(string)) })) bypass_cache_on_request_headers = optional(list(string)) })) outlier_detection = optional(object({ base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) interval = optional(object({ seconds = number nanos = optional(number) })) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) })) }))	n/a	yes
certificate	Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`	`string`	`null`	no
certificate_map	Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`	`string`	`null`	no
create_address	Create a new global IPv4 address	`bool`	`true`	no
create_ipv6_address	Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence.	`bool`	`false`	no
create_ssl_certificate	If `true`, Create certificate using `private_key/certificate`	`bool`	`false`	no
create_url_map	Set to `false` if url_map variable is provided.	`bool`	`true`	no
edge_security_policy	The resource URL for the edge security policy to associate with the backend service	`string`	`null`	no
enable_ipv6	Enable IPv6 address on the CDN load-balancer	`bool`	`false`	no
firewall_networks	Names of the networks to create firewall rules in	`list(string)`	[ "default" ]	no
firewall_projects	Names of the projects to create firewall rules in	`list(string)`	[ "default" ]	no
http_forward	Set to `false` to disable HTTP port 80 forward	`bool`	`true`	no
http_keep_alive_timeout_sec	Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).	`number`	`null`	no
http_port	The port for the HTTP load balancer	`number`	`80`	no
https_port	The port for the HTTPS load balancer	`number`	`443`	no
https_redirect	Set to `true` to enable https redirect on the lb.	`bool`	`false`	no
ipv6_address	An existing IPv6 address to use (the actual IP address value)	`string`	`null`	no
labels	The labels to attach to resources created by this module	`map(string)`	`{}`	no
load_balancing_scheme	Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)	`string`	`"EXTERNAL"`	no
managed_ssl_certificate_domains	Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`	`list(string)`	`[]`	no
name	Name for the forwarding rule and prefix for supporting resources	`string`	n/a	yes
network	Network for INTERNAL_SELF_MANAGED load balancing scheme	`string`	`"default"`	no
private_key	Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`	`string`	`null`	no
project	The project to deploy to, if not set the default provider project is used.	`string`	n/a	yes
quic	Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.	`bool`	`null`	no
random_certificate_suffix	Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.	`bool`	`false`	no
security_policy	The resource URL for the security policy to associate with the backend service	`string`	`null`	no
server_tls_policy	The resource URL for the server TLS policy to associate with the https proxy service	`string`	`null`	no
ssl	Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`	`bool`	`false`	no
ssl_certificates	SSL cert self_link list. Requires `ssl` to be set to `true`	`list(string)`	`[]`	no
ssl_policy	Selfink to SSL Policy	`string`	`null`	no
target_service_accounts	List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.	`list(string)`	`[]`	no
target_tags	List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.	`list(string)`	`[]`	no
url_map	The url_map resource to use. Default is to send all traffic to first backend.	`string`	`null`	no

Outputs

Name	Description
backend_services	The backend service resources.
external_ip	The external IPv4 assigned to the global fowarding rule.
external_ipv6_address	The external IPv6 assigned to the global fowarding rule.
http_proxy	The HTTP proxy used by this module.
https_proxy	The HTTPS proxy used by this module.
ipv6_enabled	Whether IPv6 configuration is enabled on this load-balancer
ssl_certificate_created	The SSL certificate create from key/pem
url_map	The default URL map used by this module.

google_compute_global_forwarding_rule.http: The global HTTP forwarding rule.
google_compute_global_forwarding_rule.https: The global HTTPS forwarding rule created when ssl is true.
google_compute_target_http_proxy.default: The HTTP proxy resource that binds the url map. Created when input ssl is false.
google_compute_target_https_proxy.default: The HTTPS proxy resource that binds the url map. Created when input ssl is true.
google_compute_ssl_certificate.default: The certificate resource created when input ssl is true and managed_ssl_certificate_domains not specified.
google_compute_managed_ssl_certificate.default: The Google-managed certificate resource created when input ssl is true and managed_ssl_certificate_domains is specified.
google_compute_url_map.default: The default URL map resource when input url_map is not provided.
google_compute_backend_service.default.*: The backend services created for each of the backend_params elements.
google_compute_health_check.default.*: Health check resources created for each of the (non global NEG) backend services.
google_compute_firewall.default-hc: Firewall rule created for each of the backed services to allow health checks to the instance group.

terraform-google-lb-http's People

Contributors

Stargazers

Watchers

Forkers

ip-2014 danisla cgriggs01 brtnshrdr danawillow gopu84 ivan-kiselev reisegiganten neomantra fastly azteknative adrianlop liamg urbn faceit emas80 jmound dmxroid kuzuha msvaughn planetrobbie briananderson1222 morgante ed00m ivantorrellas jellyfishgroup night-gold eraac keylimetoolbox jmorenog anandj123 netsil madhusudhan panoplymedia vijayram0690 brandonjbjelland kondareddy103 mignolo kevinjasker devops-adeel alexander-rondon mseravalli justrehan86 jdinh1 imajnashn tszouf romaric1 aantony2 jegapriya jdpleiness kartvep mdantas ziporah chitopunk textplus-inc greenblacked chauffeurprive filipaben woodjme hyww northspringtech bfarayev qtshaimanga-redoute ordenador barrabat itscaro ivankorn srikar-git svshulgin genome21 khalidid dev25 sergeyka-cmd rjackson cray0000 paulpalamarchuk juliocc sureshthomas findkim omazin onetwopunch gailo22 wellbastos zefdelgadillo lioramrosi arturbolt xingao267 tav qumu elisska jeffan18 avikam bnwoods intellum jp bitrockci carlpaton morsecodist dangtgh125 marciodf

terraform-google-lb-http's Issues

Support reserved IP address

We need to use static IP address in our LB.

Detail of propose is below.

Add ip_address variable.
Switch count of google_compute_global_address 0 or 1.
Use google_compute_global_address.default.address or var.ip_address.

Allow creation of LB with backend services that are not tied to any actual IG or NEG

I am interested in using https://github.com/GoogleCloudPlatform/gke-autoneg-controller which only requires that backend services be created, but they need not any associated IGs or NEGs (though they could be of one of those types) as the autoneg-controller will handle that.

I would like to confirm that it is indeed possible via this module to achieve the creation of a GCLB with backend services not associated to any IGs or NEGs.

Thanks in advance.

Error: Invalid value for module argument

When trying to migrate our configuration to 3.0.0, I ran into a syntax/type error. I tested this using the example from the documentation and it produces the same error:

Error: Invalid value for module argument

  on gclb/main.tf line 35, in module "gce-lb-https":
  35:   backends = {
  36:     default = {
  37:       description                     = null
  38:       protocol                        = "HTTP"
  39:       port                            = 443
  40:       port_name                       = "default-https"
  41:       timeout_sec                     = 10
  42:       connection_draining_timeout_sec = null
  43:       enable_cdn                      = false
  45:       health_check = {
  46:         check_interval_sec  = null
  47:         timeout_sec         = null
  48:         healthy_threshold   = null
  49:         unhealthy_threshold = null
  50:         request_path        = "/"
  51:         port                = 443
  52:         host                = null
  53:       }
  55:       groups = [
  56:         {
  57:           # Each node pool instance group should be added to the backend.
  58:           group                        = var.backend
  59:           balancing_mode               = null
  60:           capacity_scaler              = null
  61:           description                  = null
  62:           max_connections              = null
  63:           max_connections_per_instance = null
  64:           max_connections_per_endpoint = null
  65:           max_rate                     = null
  66:           max_rate_per_instance        = null
  67:           max_rate_per_endpoint        = null
  68:           max_utilization              = null
  69:         },
  70:       ]
  71:     }
  72:   }

The given value is not suitable for child module variable "backends" defined
at
.terraform/modules/lb.gce-lb-https/terraform-google-modules-terraform-google-lb-http-d65708d/variables.tf:62,1-20:
element "default": attribute "protocol": string required.

The error message at the end ("element "default": attribute "protocol": string required.") changes from one attribute to another when I re-run terraform apply:

element "default": attribute "protocol": string required.
element "default": attribute "enable_cdn": bool required.
element "default": attribute "timeout_sec": number required.
element "default": attribute "port": number required.

No matter what the message is, the type always is correct. e.g. in the error above, you see protocol is "HTTP", which is a string.

I've got the latest terraform:

$ terraform --version
Terraform v0.12.18

And I've pinned GoogleCloudPlatform/lb-http/google at version 3.0.0 (clearly because when I try 2.0.0 I get "argument "backend_params" is required" error which makes sense because that syntax changed).

Any ideas where to look on this one? I'm kinda stumped.

log_config can't be disabled

I'm tryng to create a load balancer and set:

log_config {
  enable = false
  sample_rate = null
}

The configuration doesn't work correctly as it is always set to enable->true sample_rate->1

I can see this in the logs

2020-03-18T12:45:50.787+0100 [DEBUG] plugin.terraform-provider-google-beta_v3.13.0_x5:   },
2020-03-18T12:45:50.787+0100 [DEBUG] plugin.terraform-provider-google-beta_v3.13.0_x5:   "logConfig": {
2020-03-18T12:45:50.787+0100 [DEBUG] plugin.terraform-provider-google-beta_v3.13.0_x5:     "enable": true,
2020-03-18T12:45:50.787+0100 [DEBUG] plugin.terraform-provider-google-beta_v3.13.0_x5:     "sampleRate": 1
2020-03-18T12:45:50.787+0100 [DEBUG] plugin.terraform-provider-google-beta_v3.13.0_x5:   },

2020/03/18 12:45:50 [WARN] Provider "registry.terraform.io/-/google-beta" produced an unexpected new value for module.app_lb.google_compute_backend_service.default["default"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .log_config[0].enable: was cty.False, but now cty.True
      - .log_config[0].sample_rate: was null, but now cty.NumberIntVal(1)

Relax version constraints

Currently, the google provider required is:

google      = "~> 2.15"
google-beta = "~> 2.15"

Which is pretty old, it was released on Sep 18, 2019.
The latest version is already 3.3, can you please upgrade the versions.tf to use the latest version?

allow to disable HTTP port 80 (only SSL)

HTTPS backend not available

I'm trying to setup HTTPS backend configuration with :

backend_protocol = "HTTPS"

But i got this error :

google_compute_backend_service.default: Error creating backend service: googleapi: Error 400: Invalid value for field 'resource.healthChecks[0]': 'https://www.googleapis.com/compute/v1/projects/setjemesian-terraform-admin/global/httpHealthChecks/web-lb-backend-0'. This HTTPS/HTTP2 backend service supports HealthCheck and HttpsHealthCheck, invalid

The module works when i don't specify backend_protocol, but with the default value (HTTP)
Am I doing it the wrong way ?

Add support for Terraform 0.12

Please, note:
0.12 support for managed_instance_group example depends on this.
Module to be updated once this task is done.
Linked:

Make `health_check` optional to support internet/global NEG backends

The requirement that a group have a health check is a blocker.

Use region variable to configure resources

The region variable is defined but not used to configure resources. Like the changes to project in #52, this variable should be required and used in the configuration.

Possibility to add host for the LB health_check

It's currently not possible to add a specific host to the LB health check.

Integration test suite does not handle project creation failures

If an error occurs while setting up the integration tests, the script apparently tries to delete the project before creating it again, but it doesn't work:

module.project-ci-lb-http.module.project-factory.data.null_data_source.default_service_account: Refreshing state...
module.project-ci-lb-http.module.project-factory.google_project.main: Destroying... [id=ci-int-lb-http-ef72]
module.project-ci-lb-http.module.project-factory.google_project.main: Destruction complete after 4s
module.project-ci-lb-http.module.project-factory.google_project.main: Creating...

Error: error creating project ci-int-lb-http-ef72 (ci-int-lb-http): googleapi: Error 409: Requested entity already exists, alreadyExists. If you received a 403 error, make sure you have the `roles/resourcemanager.projectCreator` permission

I think this happens because Google keeps the project around for a while for "undelete".

To fix this I had to destroy the random number from terraform:

docker run --rm -it -e SERVICE_ACCOUNT_JSON -e TF_VAR_org_id -e TF_VAR_folder_id -e TF_VAR_billing_account -v "$(pwd)":/workspace gcr.io/cloud-foundation-cicd/cft/developer-tools:0.4.2 bash -c 'cd test/setup; /usr/local/bin/execute_with_credentials.sh terraform destroy --target module.project-ci-lb-http.module.project-factory.random_id.random_project_id_suffix'

Then I could re-run the make docker_test_prepare command.

I don't know enough about the test suite. Is this a problem in here or should I post this issue to terraform-google-modules/terraform-google-project-factory?

google_compute_health_check "only one of" error

Environment

Terraform: v0.12.19
terraform-google-lb-http: 4.0.0

Error started happening: May 5th 2020 - 07:00 GMT

google-beta provider: 3.20

Last time working: May 4th 2020 - 16:00 GMT

google-beta provider: 3.19

Error output

Error: "http2_health_check": only one of `http2_health_check,http_health_check,https_health_check,ssl_health_check,tcp_health_check` can be specified, but `http2_health_check,http_health_check,https_health_check` were specified.

  on .terraform/modules/lb_https/terraform-google-lb-http-4.0.0/main.tf line 132, in resource "google_compute_health_check" "default":
 132: resource "google_compute_health_check" "default" {



Error: "http_health_check": only one of `http2_health_check,http_health_check,https_health_check,ssl_health_check,tcp_health_check` can be specified, but `http2_health_check,http_health_check,https_health_check` were specified.

  on .terraform/modules/lb_https/terraform-google-lb-http-4.0.0/main.tf line 132, in resource "google_compute_health_check" "default":
 132: resource "google_compute_health_check" "default" {



Error: "tcp_health_check": only one of `http2_health_check,http_health_check,https_health_check,ssl_health_check,tcp_health_check` can be specified, but `http2_health_check,http_health_check,https_health_check` were specified.

  on .terraform/modules/lb_https/terraform-google-lb-http-4.0.0/main.tf line 132, in resource "google_compute_health_check" "default":
 132: resource "google_compute_health_check" "default" {


Error: "https_health_check": only one of `http2_health_check,http_health_check,https_health_check,ssl_health_check,tcp_health_check` can be specified, but `http2_health_check,http_health_check,https_health_check` were specified.

  on .terraform/modules/lb_https/terraform-google-lb-http-4.0.0/main.tf line 132, in resource "google_compute_health_check" "default":
 132: resource "google_compute_health_check" "default" {

Workaround

Download module to project, and edit the main.tf file.

As long as we are using "http_health_check", on the resource "google_compute_health_check" remove the dynamic "https_health_check" and "http2_health_check" blocks.

diff --git a/main.tf b/main.tf
index bc609ad..913cdc4 100644
--- a/main.tf
+++ b/main.tf
@@ -155,38 +155,6 @@ resource "google_compute_health_check" "default" {
     }
   }

-  dynamic "https_health_check" {
-    for_each = each.value["protocol"] == "HTTPS" ? [
-      {
-        host         = lookup(each.value["health_check"], "host", null)
-        request_path = lookup(each.value["health_check"], "request_path", null)
-        port         = lookup(each.value["health_check"], "port", null)
-      }
-    ] : []
-
-    content {
-      host         = lookup(https_health_check.value, "host", null)
-      request_path = lookup(https_health_check.value, "request_path", null)
-      port         = lookup(https_health_check.value, "port", null)
-    }
-  }
-
-  dynamic "http2_health_check" {
-    for_each = each.value["protocol"] == "HTTP2" ? [
-      {
-        host         = lookup(each.value["health_check"], "host", null)
-        request_path = lookup(each.value["health_check"], "request_path", null)
-        port         = lookup(each.value["health_check"], "port", null)
-      }
-    ] : []
-
-    content {
-      host         = lookup(http2_health_check.value, "host", null)
-      request_path = lookup(http2_health_check.value, "request_path", null)
-      port         = lookup(http2_health_check.value, "port", null)
-    }
-  }
-
 }

 resource "google_compute_firewall" "default-hc" {

Possible explanation

Seems since latest google-beta provider's version the "google_compute_health_check" parameter has been enforced to accept one (and only one) kind of health_check per backend.

Even though each dynamic block is conditioned by a for_each clause, looks like the component is being generated anyways

Add `log_config` to `google_compute_backend_service`

Tests failing due to quota

Currently integration tests are failing due to a max of 5 backend services per project.

Feature to ignore changes to backend services

Hi,

I am using the Google LB Terraform module to create an LB with empty backend services that get automatically populated later on by Google's AutoNEG feature: https://github.com/GoogleCloudPlatform/gke-autoneg-controller

The issue here is that backends are created outside of terraform, so when this is done, the next run of Terraform plan intends to destroy them.

It would be nice to have an optional variable for the module to enable ignore_changes for backends specifically to make use of this feature.

Thanks!

TF configuration in use:

module "global-loadbalancer" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "3.0.0"
  project = var.project_id
  name    = "global-loadbalancer"

  ssl         = true
  private_key = file("key")
  certificate = file("cert")

  firewall_networks = ["c0"]
  firewall_projects = [var.host_project_id]

  target_tags = []

  url_map        = google_compute_url_map.url-map.self_link
  create_url_map = false

  // We create empty backends to populate them automatically with autoneg feature
  // https://github.com/GoogleCloudPlatform/gke-autoneg-controller
  backends = {

	"frontendapi" = {
	  description                     = null
	  protocol                        = "HTTP"
	  port                            = 8080
	  port_name                       = "http"
	  timeout_sec                     = 10
	  connection_draining_timeout_sec = null
	  enable_cdn                      = false
	  health_check                    = local.health_check
	  groups = []
	}
  }
}

Make max utilization optional to support Serverless NEG backends

Similar to what we had to do with health checks to support Internet NEGs, it would appear that serverless NEGs cannot have a max util set.

Error: Error creating BackendService: googleapi: Error 400: Invalid value for field 'resource.backends[0].maxUtilization': '1.0'. Max utilization is not supported for Serverless network endpoint groups., invalid

Backend port number is blank after applying plan

The following code results in no backend port for the load balancer:

module "gce-lb-http" {
  source            = "github.com/GoogleCloudPlatform/terraform-google-lb-http"
  name              = "group-http-lb"
  target_tags       = ["${var.consul_server_cluster_tag_name}"]
  backends          = {
    "0" = [
      { group = "${module.consul_servers.instance_group}" }
    ],
  }
  backend_params    = [
    # health check path, port name, port number, timeout seconds.
    "/v1/status/leader,api,8500,10"
  ]
}

It should result in a backend rule specifying 8500. Only the label, api in this case, actually appears in the console after provisioning.

Add testing based on new approach

Make logging optional in health_check

Relates to feature introduced via https://github.com/terraform-google-modules/terraform-google-lb-http/pull/98/files

As per https://www.terraform.io/docs/providers/google/r/compute_health_check.html the log_config is optional, however we are required to set it in this terraform-google-lb-http module.

While setting it to null only once could be ok, that is not the case, instead we get

      + log_config {}

upon every terraform apply now.

It would be best to just make it completely optional, perhaps by means of https://www.terraform.io/docs/configuration/expressions.html#dynamic-blocks

Same experience when setting logging to false ... it gets re applied every time.

cc @Dev25

Plan failure when no backend services specified

GCP load balancers can be created solely with backend buckets
instead of backend services. However, that fails. Here's an example:

# bind the bucket `lb-bucket` to a GCP backend_bucket
resource "google_compute_backend_bucket" "testlb-backend-bucket" {
  name        = "testlb-backend-bucket"
  bucket_name = "${google_storage_bucket.my_bucket.name}"
  enable_cdn  = false 
}

# the URL map points to the backend bucket, not a backend service 
resource "google_compute_url_map" "testlb-url-map" {
  name        = "testlb-url-map"
  default_service = "${google_compute_backend_bucket.testlb-backend-bucket.self_link}"
}

module "lbtest-lb" {
  name        = "lbtest-lb"

  source      = "GoogleCloudPlatform/lb-http/google"
  version     = "1.0.5"

  region      = "${var.gcp_region}"

  create_url_map = false
  url_map        = "${google_compute_url_map.testlb-url-map.self_link}"

  # no backend services
  target_tags = []
  backends = {}
  backend_params = []
}

With this setup, terraform plan fails with:

Error: module.lbtest-lb.google_compute_firewall.default-hc: 1 error(s) occurred:

* module.lbtest-lb.google_compute_firewall.default-hc: element: element() may not be used with an empty list in:

${element(split(",", element(var.backend_params, count.index)), 2)}

Since the default-hc will not be created if backend_params is empty,
we just need the expression to parse. Unfortunately, this requires a
tricky expression to work around a HCL issue:
hashicorp/hil#50 (comment)

I used the pipe | character is as delimiter for that trick, because GCP names cannot have pipes.

cannot rotate generated SSL certificates

When using ssl = true with private_key and certificate (i.e. not BYO ssl_certificates), it is impossible to rotate in a new SSL certificate without manual intervention (i.e. destroying resources with terraform, gcloud, or the GCP Console).

This is because GCP SSL certificates cannot be updated after creation, as documented here.

Trying to do so will yield this sort of output:

Terraform will form the following actions:

-/+ module.gcp-edge-lb.google_compute_ssl_certificate.default (new resource required)
      id:                 "example-certificate" => <computed> (forces new resource)
      certificate:        <sensitive> => <sensitive> (forces new resource)
      certificate_id:     "31415926535" => <computed>
      name:               "example-certificate" => "example-certificate"
      name_prefix:        "" => <computed>
      private_key:        <sensitive> => <sensitive> (forces new resource)
      project:            "my-project" => <computed>
      self_link:          "https://www.googleapis.com/compute/v1/projects/my-project/global/sslCertificates/example-certificate" => <computed>

  ~ module.gcp-edge-lb.google_compute_target_https_proxy.default
      ssl_certificates.#: "1" => <computed>


Plan: 1 to add, 1 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.gcp-edge-lb.google_compute_ssl_certificate.default: Creating...
  certificate:    "<sensitive>" => "<sensitive>"
  certificate_id: "" => "<computed>"
  name:           "" => "example-certificate"
  name_prefix:    "" => "<computed>"
  private_key:    "<sensitive>" => "<sensitive>"
  project:        "" => "<computed>"
  self_link:      "" => "<computed>"

Error: Error applying plan:

1 error(s) occurred:

* module.gcp-edge-lb.google_compute_ssl_certificate.default: 1 error(s) occurred:

* google_compute_ssl_certificate.default: Error creating ssl certificate: googleapi: Error 409: The resource 'projects/my-project/global/sslCertificates/example-certificate' already exists, alreadyExists

This is alleviated with a simple change, as described in that same documentation:

Use the argument name_prefix instead of name
Add a lifecycle block with create_before_destroy = true

Support backend/balancing_mode

Hi !

We wanted to change backend/balancing_mode to RATE but it seems that current version of module doesn't support this option.

I think we will send a PR for that.

Thank you for your work !

Combine backend variables

There are currently three backend-related variables, backends, backend_params, and backend_protocol, used in combination to configure multiple resources. This design can be significantly simplified by merging these variables to a single variable of type list(object) with appropriate keys.

Suppport `target_service_accounts`.

Instance groups from multi zone cluster

Please correct me if wrong, but the readme basically takes the first instance group from an existing cluster and configures the load balancer to use this as the backend in a backend service.
Note - I was following the example here as a basis to work from.

As is, will this module support multi zone clusters? i.e. a cluster that has say 3 instance groups. Given the output from the google_container_cluster is a list here, im not sure how I can go about iternating over that particular list within the backends segment of this load balancer. i.e.

  backends = {
    "0" = [
      {
        # Each node pool instance group should be added to the backend.
        group = "${var.backend}"
      },
    ]
  }

I could manually add numbers from the list, eg. if the output was called: TARGET_GROUP_URLS
I could do the following:

  backends = {
    "0" = [
      {
        # Each node pool instance group should be added to the backend.
        group = "${var.TARGET_GROUP_URLS[0]}"
        group = "${var.TARGET_GROUP_URLS[1]}"
        group = "${var.TARGET_GROUP_URLS[2]}"
      },
    ]
  }

However if my cluster may have many node pools, I may not know the end number of target groups. So the above would work but only if I know exactly the number of URLS to expect.

Is there any way to populate recursively using count based on the length of the the var?
Or am I missing something and I don't need to provide all the instance group urls specifically?

ipv6 support

backend service defaults? - so many nulls

Any recommendations on how to not have to repeat null everywhere? This is one group for one service, many others look similar and makes the config really long. e.g.:

      groups = [
        {
          group                        = data.google_compute_network_endpoint_group.foo.self_link
          balancing_mode               = "RATE"
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = 100
          max_utilization              = null
        }

How to use it with unmanaged groups

Is it possible to use is with unmanaged groups ?

option to use an existing certificate

We would find it useful to be able to pass in the self_link of an existing certificate to lb-http. This would allow us to create the certificate outside of terraform to avoid having key material in the tfstate file.

I've implemented this feature in our fork: fastly#1

To my understanding, Fastly already has a corporate CLA, and I've been added to it. If this all looks good to you, I'll create a PR.

Fix doc generation

make generate_docs is broken on master, likely due to an issue with parsing the backend object.

This would need to be fixed in the container: https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit/blob/725922d71bfe982479f32e4b45c1c2e8adb34df6/infra/concourse/build/Dockerfile.lint#L38

this module only supports one SSL certificate

hi there,

as described in the title, the module only support 1 SSL cert. would be nice to be able to attach multiple certs.

Option to allow enabling cdn on lb backend

Hi,

I was working with the module and was trying to activate the cdn option that is available in the google_compute_backend_service resource.

I forked the repo, as I was needing it, here: https://github.com/night-gold/terraform-google-lb-http.

I'll be waiting for your response before trying to do the pull request.

Can't delete an instance groups created by the GKE worker node pool that's in use by a backend service

I'm using the terraform to manage the GKE cluster setup. I want to update the instance size of the worker nodes that would re-create google_container_node_pol. But that steps failing because below error because instance groups attached with GCP LB backend not detaching by terraform.

oogle_container_node_pool.new_container_cluster_node_pool.0: Error waiting for deleting GKE NodePool:
(1) Google Compute Engine: The instance_template resource 'projects/XXX-XXX-XXXX/global/instanceTemplates/gke-XXX-XXX-us-west-XXXXXX-53369325' is already being used by 'projects/XXXX-XXXX-XXXXX/zones/us-west1-b/instanceGroupManagers/gke-XXXXX-XXXX-us-west-XXXXX-XXXXX-us-west-53369325-grp'

Finally, we have to manually remove the instance groups entries from GCP LB backend, plan and apply again to re-create the node pool with new instance type.

Do you support backend bucket?

I try to create a load balancer by terraform, but it seems not support backend bucket. Do you support it?

Can't apply module. Failure creating healthchecks

I'm getting the following error when applying the module:

Error: "https_health_check": only one of http2_health_check,http_health_check,https_health_check,ssl_health_check,tcp_health_check can be specified, but http2_health_check,http_health_check,https_health_check were specified.

on .terraform/modules/app_lb/terraform-google-lb-http-4.0.0/modules/dynamic_backends/main.tf line 135, in resource "google_compute_health_check" "default":
135: resource "google_compute_health_check" "default" {

It seems there's been a change with the google provider that now makes this fail.

The backend protocol in my case is "HTTP".

Please provide example of multi-cluster container-native load balancing

As per https://cloud.google.com/kubernetes-engine/docs/how-to/container-native-load-balancing ... thanks!

option to provision google managed ssl cert(s)

It seems like there is none. In order to integrate Google Managed SSL Certs with this module, they must be created separately. Not a big deal but wondering if it would be easily embeddable into the module

two additional health check ranges need adding to default-hc

google_compute_firewall. default-hc needs two additional health check ranges added:

From a GCP announcement dated Jan 31, 2017:

If you use HTTP(S) Load Balancing or SSL Proxy:

Current behavior: Proxied traffic from the load balancer and the health check probes to
your load balanced instances have source IP addresses in the range 130.211.0.0/22.

Action required: We are introducing an additional range 35.191.0.0/16 for this purpose.
You need to update your firewall rule to allow traffic from this new range (35.191.0.0/16)
in addition to the current range (130.211.0.0/22).

If you use Network Load Balancing:

Current behavior: You are not required to add firewall rules for Network LB health checks today

Action required: We are introducing three new ranges for health checking: 209.85.152.0/22,
209.85.204.0/22, and 35.191.0.0/16. You need to ensure that your firewall allows traffic
from 209.85.152.0/22, 209.85.204.0/22, and 35.191.0.0/16. The health check probes to your
backend instances will come from one of these ranges.

Update providers

The provider constraint now restricts terraform to only use 2.7.0. Which is quite old now (21 may 2019)

terraform {
  required_version = "~> 0.12.0"
  required_providers {
    google      = "~> 2.7"
    google-beta = "~> 2.7"
  }
}

Can we update the bundle to use at least 2.20?

Support for HTTP -> HTTPS redirects

Now that https://issuetracker.google.com/issues/35904733 has finally shipped it would be neat if an HTTP->HTTPS redirect could be a simple option

Unsuitable value for child module variable "backends"

When creating new http-lb, I went to a syntax/type error which is shown as below:

Error: Invalid value for module argument

  on https-lb.tf line 29, in module "gce-lb-https":
  29:   backends = {
  30:     default = {
  31:       description                     = null
  32:       protocol                        = "HTTP/2"
  33:       port                            = 443
  34:       port_name                       = "http2"
  35:       timeout_sec                     = 30
  36:       connection_draining_timeout_sec = 300
  37:       enable_cdn                      = "false"
  38:       session_affinity                = null
  39:       affinity_cookie_ttl_sec         = null
  40:       security_policy                 = google_compute_security_policy.default_rules
  41:       health_check                    = google_compute_https_health_check.https_health_check.id
  43:       log_config = {
  44:         enable = true
  45:         sample_rate = 0.2
  46:       }
  48:       groups = [
  49:         {
  50:           group                        = google_compute_instance_group.my_instance_group.self_link
  51:           balancing_mode               = "UTILIZATION"
  52:           capacity_scaler              = 100
  53:           description                  = null
  54:           max_connections              = null
  55:           max_connections_per_instance = null
  56:           max_connections_per_endpoint = null
  57:           max_rate                     = null
  58:           max_rate_per_instance        = null
  59:           max_rate_per_endpoint        = null
  60:           max_utilization              = 80
  61:         },
  62:       ]
  63:     }
  64:   }

The given value is not suitable for child module variable "backends" defined
at
.terraform/modules/gce-lb-https/terraform-google-lb-http-4.0.0/variables.tf:69,1-20:
element "default": attribute "timeout_sec": number required.

The value timeout_sec in backends.default block is already number.
I tried to plan several times with module version 3.2.0 and 4.0.0, but still got the same error with different values:

element "default": attribute "port_name": string required.
element "default": attribute "port": number required.
element "default": attribute "protocol": string required.
element "default": attribute "health_check": object required.

My terraform version: 0.12.20

4.0 upgrade nodes about log_config are wrong

https://github.com/terraform-google-modules/terraform-google-lb-http/releases/tag/v4.0.0 says

You must now specify log_config for each backend service. Use log_config = null to use the default.

The module expects a map so this will fail:

Error: Invalid function argument

  on .terraform/modules/gce-lb-http/terraform-google-lb-http-4.0.0/main.tf line 124, in resource "google_compute_backend_service" "default":
 124:     enable      = lookup(lookup(each.value, "log_config", {}), "enable", true)
    |----------------
    | each.value is object with 12 attributes

Invalid value for "inputMap" parameter: argument must not be null.


Error: Invalid function argument

  on .terraform/modules/gce-lb-http/terraform-google-lb-http-4.0.0/main.tf line 125, in resource "google_compute_backend_service" "default":
 125:     sample_rate = lookup(lookup(each.value, "log_config", {}), "sample_rate", "1.0")
    |----------------
    | each.value is object with 12 attributes

Invalid value for "inputMap" parameter: argument must not be null.

healthcheck interval

There is no variable for check_interval_sec (google_compute_http_health_check), so it's not possible to adjust interval.

Support plans?

I've come across this useful module, but notices that build is failing for some pipelines.

So is this module still supported and it is ok to use it?

Resource google_compute_firewall.default-hc has two "count" arguments

https://github.com/GoogleCloudPlatform/terraform-google-lb-http/blob/b82fc47a848c92e0bbd45d874c2dd6669d200b32/main.tf#L91-L104

This resource has two count arguments defined. It seems that as of Terraform 0.11 this is silently ignored, with Terraform ignoring one of the specifications. A forthcoming Terraform release will make this a real error, as a usability improvement:

Error: Attribute redefined

  on main.tf line 94:
  94:   count         = "${length(var.backend_params)}"

The attribute "count" was already defined at main.tf:92,3-8. Each attribute may be defined only once.

Since this resource is using count.index with both var.firewall_networks and var.backend_params, I'm not sure which one was actually intended here.

Incorrect attribute value type

Error: Incorrect attribute value type

  on .terraform/modules/mig2/GoogleCloudPlatform-terraform-google-managed-instance-group-7550567/main.tf line 242, in resource "google_compute_firewall" "default-ssh":
 242:   source_ranges = ["${var.ssh_source_ranges}"]

Inappropriate value for attribute "source_ranges": element 0: string required.

Error: Incorrect attribute value type

  on .terraform/modules/mig2/GoogleCloudPlatform-terraform-google-managed-instance-group-7550567/main.tf line 274, in resource "google_compute_firewall" "mig-health-check":
 274:   target_tags   = ["${var.target_tags}"]

Inappropriate value for attribute "target_tags": element 0: string required.

Multiple counts on google_compute_firewall resource

Hello maintainers -

Question: I noticed there are multiple counts on google_compute_firewall.default-hc and wondered if that was intentional? I think in these cases, terraform falls back on the second of two attribute declarations. If the goal is to provide a conditional or fallback, that's probably made more explicit within a single count attribute, no?

Let me know if there was intent behind this decision or if it's in fact a bug. From there we can sort out the desired behavior and get it cleaned up. Thanks for this module! 🎊

ssl_certificates - ssl & use_ssl_certificates

Is it ever desirable to set ssl_certificates but keep use_ssl_certificates to false?
Is it ever desirable to set ssl_certificates but keep ssl to false?

If not, it might be best to implicitly enable ssl and use_ssl_certificates if ssl_certificates is set.

Fail to verifying example `multiple-certs`

Instances created in us-central1 region doesn't responds properly:

$ curl -sfkL "https://34.102.207.91/group1" | grep zones
          <td>projects/698653867196/zones/us-west1-a</td>
$ curl -sfkL "https://34.102.207.91/group3" | grep zones
          <td>projects/698653867196/zones/us-east1-d</td>
$ curl -k "https://34.102.207.91/group2/"

<html><head>
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<title>502 Server Error</title>
</head>
<body text=#000000 bgcolor=#ffffff>
<h1>Error: Server Error</h1>
<h2>The server encountered a temporary error and could not complete your request.<p>Please try again in 30 seconds.</h2>
<h2></h2>
</body></html>

terraform-google-modules / terraform-google-lb-http Goto Github PK