Folders and files

Name		Name	Last commit message	Last commit date
Latest commit History 391 Commits
.github		.github
autogen		autogen
build		build
docs		docs
examples		examples
modules		modules
test		test
.gitignore		.gitignore
.terraform.lock		.terraform.lock
CHANGELOG.md		CHANGELOG.md
CODEOWNERS		CODEOWNERS
CONTRIBUTING.md		CONTRIBUTING.md
LICENSE		LICENSE
Makefile		Makefile
README.md		README.md
autogen_modules.json		autogen_modules.json
diagram.png		diagram.png
kitchen.yml		kitchen.yml
main.tf		main.tf
metadata.display.yaml		metadata.display.yaml
metadata.yaml		metadata.yaml
outputs.tf		outputs.tf
variables.tf		variables.tf
versions.tf		versions.tf

Repository files navigation

Global HTTP Load Balancer Terraform Module

Modular Global HTTP Load Balancer for GCE using forwarding rules.

If you would like to allow for backend groups to be managed outside Terraform,such as via GKE services, see thedynamicbackends submodule.
If you would like to use load balancing with serverless backends (Cloud Run,Cloud Functions or App Engine), see theserverless_negs submodule andcloudrun example.

Load Balancer Types

TCP load balancer
HTTP/S load balancer
Internal load balancer

Compatibility

This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven'tupgraded and need a Terraform0.12.x-compatible version of this module, the last released versionintended for Terraform 0.12.x isv4.5.0.

Version

Current version is 12.0. Upgrade guides:

Usage

module"gce-lb-http" {source="GoogleCloudPlatform/lb-http/google"version="~> 9.0"project="my-project-id"name="group-http-lb"target_tags=[module.mig1.target_tags,module.mig2.target_tags]backends={    default= {      port= var.service_port      protocol="HTTP"      port_name= var.service_port_name      timeout_sec=10      enable_cdn=false      health_check= {        request_path="/"        port= var.service_port      }      log_config= {        enable=true        sample_rate=1.0      }      groups= [        {# Each node pool instance group should be added to the backend.          group= var.backend        },      ]      iap_config= {        enable=false      }    }  }}

Resources created

Figure 1.diagram of terraform resources

Inputs

Name	Description	Type	Default	Required
address	Existing IPv4 address to use (the actual IP address value)	`string`	`null`	no
backends	Map backend indices to list of backend maps.	map(object({ port = optional(number) project = optional(string) protocol = optional(string) port_name = optional(string) description = optional(string) enable_cdn = optional(bool) compression_mode = optional(string) security_policy = optional(string, null) edge_security_policy = optional(string, null) custom_request_headers = optional(list(string)) custom_response_headers = optional(list(string)) timeout_sec = optional(number) connection_draining_timeout_sec = optional(number) session_affinity = optional(string) affinity_cookie_ttl_sec = optional(number) locality_lb_policy = optional(string) health_check = optional(object({ host = optional(string) request_path = optional(string) request = optional(string) response = optional(string) port = optional(number) port_name = optional(string) proxy_header = optional(string) port_specification = optional(string) protocol = optional(string) check_interval_sec = optional(number) timeout_sec = optional(number) healthy_threshold = optional(number) unhealthy_threshold = optional(number) logging = optional(bool) })) log_config = object({ enable = optional(bool) sample_rate = optional(number) }) groups = list(object({ group = string description = optional(string) balancing_mode = optional(string) capacity_scaler = optional(number) max_connections = optional(number) max_connections_per_instance = optional(number) max_connections_per_endpoint = optional(number) max_rate = optional(number) max_rate_per_instance = optional(number) max_rate_per_endpoint = optional(number) max_utilization = optional(number) })) iap_config = optional(object({ enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) })) cdn_policy = optional(object({ cache_mode = optional(string) signed_url_cache_max_age_sec = optional(string) default_ttl = optional(number) max_ttl = optional(number) client_ttl = optional(number) negative_caching = optional(bool) negative_caching_policy = optional(object({ code = optional(number) ttl = optional(number) })) serve_while_stale = optional(number) cache_key_policy = optional(object({ include_host = optional(bool) include_protocol = optional(bool) include_query_string = optional(bool) query_string_blacklist = optional(list(string)) query_string_whitelist = optional(list(string)) include_http_headers = optional(list(string)) include_named_cookies = optional(list(string)) })) bypass_cache_on_request_headers = optional(list(string)) })) outlier_detection = optional(object({ base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) interval = optional(object({ seconds = number nanos = optional(number) })) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) })) }))	n/a	yes
certificate	Content of the SSL certificate. Requires`ssl` to be set to`true` and`create_ssl_certificate` set to`true`	`string`	`null`	no
certificate_map	Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires`ssl` to be set to`true`	`string`	`null`	no
create_address	Create a new global IPv4 address	`bool`	`true`	no
create_ipv6_address	Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence.	`bool`	`false`	no
create_ssl_certificate	If`true`, Create certificate using`private_key/certificate`	`bool`	`false`	no
create_url_map	Set to`false` if url_map variable is provided.	`bool`	`true`	no
edge_security_policy	The resource URL for the edge security policy to associate with the backend service	`string`	`null`	no
enable_ipv6	Enable IPv6 address on the CDN load-balancer	`bool`	`false`	no
firewall_networks	Names of the networks to create firewall rules in	`list(string)`	[ "default" ]	no
firewall_projects	Names of the projects to create firewall rules in	`list(string)`	[ "default" ]	no
http_forward	Set to`false` to disable HTTP port 80 forward	`bool`	`true`	no
http_keep_alive_timeout_sec	Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).	`number`	`null`	no
http_port	The port for the HTTP load balancer	`number`	`80`	no
https_port	The port for the HTTPS load balancer	`number`	`443`	no
https_redirect	Set to`true` to enable https redirect on the lb.	`bool`	`false`	no
ipv6_address	An existing IPv6 address to use (the actual IP address value)	`string`	`null`	no
labels	The labels to attach to resources created by this module	`map(string)`	`{}`	no
load_balancing_scheme	Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)	`string`	`"EXTERNAL"`	no
managed_ssl_certificate_domains	Create Google-managed SSL certificates for specified domains. Requires`ssl` to be set to`true`	`list(string)`	`[]`	no
name	Name for the forwarding rule and prefix for supporting resources	`string`	n/a	yes
network	Network for INTERNAL_SELF_MANAGED load balancing scheme	`string`	`"default"`	no
private_key	Content of the private SSL key. Requires`ssl` to be set to`true` and`create_ssl_certificate` set to`true`	`string`	`null`	no
project	The project to deploy to, if not set the default provider project is used.	`string`	n/a	yes
quic	Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.	`bool`	`null`	no
random_certificate_suffix	Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.	`bool`	`false`	no
security_policy	The resource URL for the security policy to associate with the backend service	`string`	`null`	no
server_tls_policy	The resource URL for the server TLS policy to associate with the https proxy service	`string`	`null`	no
ssl	Set to`true` to enable SSL support. If`true` then at least one of these are required: 1)`ssl_certificates` OR 2)`create_ssl_certificate` set to`true` and`private_key/certificate` OR 3)`managed_ssl_certificate_domains`, OR 4)`certificate_map`	`bool`	`false`	no
ssl_certificates	SSL cert self_link list. Requires`ssl` to be set to`true`	`list(string)`	`[]`	no
ssl_policy	Selfink to SSL Policy	`string`	`null`	no
target_service_accounts	List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.	`list(string)`	`[]`	no
target_tags	List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.	`list(string)`	`[]`	no
url_map	The url_map resource to use. Default is to send all traffic to first backend.	`string`	`null`	no

Outputs

Name	Description
backend_services	The backend service resources.
external_ip	The external IPv4 assigned to the global fowarding rule.
external_ipv6_address	The external IPv6 assigned to the global fowarding rule.
http_proxy	The HTTP proxy used by this module.
https_proxy	The HTTPS proxy used by this module.
ipv6_enabled	Whether IPv6 configuration is enabled on this load-balancer
ssl_certificate_created	The SSL certificate create from key/pem
url_map	The default URL map used by this module.

google_compute_global_forwarding_rule.http: The global HTTP forwarding rule.
google_compute_global_forwarding_rule.https: The global HTTPS forwarding rule created whenssl istrue.
google_compute_target_http_proxy.default: The HTTP proxy resource that binds the url map. Created when inputssl isfalse.
google_compute_target_https_proxy.default: The HTTPS proxy resource that binds the url map. Created when inputssl istrue.
google_compute_ssl_certificate.default: The certificate resource created when inputssl istrue andmanaged_ssl_certificate_domains not specified.
google_compute_managed_ssl_certificate.default: The Google-managed certificate resource created when inputssl istrue andmanaged_ssl_certificate_domains is specified.
google_compute_url_map.default: The default URL map resource when inputurl_map is not provided.
google_compute_backend_service.default.*: The backend services created for each of thebackend_params elements.
google_compute_health_check.default.*:Health check resources created for each of the (non global NEG) backend services.
google_compute_firewall.default-hc: Firewall rule created for each of the backed services to allow health checks to the instance group.