diff --git a/modules/lb-http-backend/main.tf b/modules/lb-http-backend/main.tf new file mode 100644 index 00000000..b7383838 --- /dev/null +++ b/modules/lb-http-backend/main.tf 
@@ -0,0 +1,265 @@ +resource "google_compute_backend_service" "default" { + provider = google-beta + + project = var.project_id + name = var.name + + load_balancing_scheme = var.load_balancing_scheme + + port_name = var.port_name + protocol = var.protocol + + description = var.description + connection_draining_timeout_sec = var.connection_draining_timeout_sec + enable_cdn = var.enable_cdn + compression_mode = var.compression_mode + custom_request_headers = var.custom_request_headers + custom_response_headers = var.custom_response_headers + session_affinity = var.session_affinity + affinity_cookie_ttl_sec = var.affinity_cookie_ttl_sec + locality_lb_policy = var.locality_lb_policy + edge_security_policy = var.edge_security_policy + security_policy = var.security_policy + + health_checks = var.health_check != null ? google_compute_health_check.default[*].self_link : null + + dynamic "backend" { + for_each = toset(var.groups) + content { + description = lookup(backend.value, "description", null) + group = backend.value["group"] + + } + } + + dynamic "backend" { + for_each = toset(var.serverless_neg_backends) + content { + group = google_compute_region_network_endpoint_group.serverless_negs["neg-${var.name}-${backend.value.region}"].id + } + } + + dynamic "log_config" { + for_each = var.log_config.enable ? [1] : [] + content { + enable = var.log_config.enable + sample_rate = var.log_config.sample_rate + } + } + + dynamic "iap" { + for_each = var.iap_config.enable ? [1] : [] + content { + oauth2_client_id = lookup(var.iap_config, "oauth2_client_id", "") + enabled = var.iap_config.enable + oauth2_client_secret = lookup(var.iap_config, "oauth2_client_secret", "") + } + } + + dynamic "cdn_policy" { + for_each = var.enable_cdn ? 
[1] : [] + content { + cache_mode = var.cdn_policy.cache_mode + signed_url_cache_max_age_sec = var.cdn_policy.signed_url_cache_max_age_sec + default_ttl = var.cdn_policy.default_ttl + max_ttl = var.cdn_policy.max_ttl + client_ttl = var.cdn_policy.client_ttl + negative_caching = var.cdn_policy.negative_caching + serve_while_stale = var.cdn_policy.serve_while_stale + + dynamic "negative_caching_policy" { + for_each = var.cdn_policy.negative_caching_policy != null ? [1] : [] + content { + code = var.cdn_policy.negative_caching_policy.code + ttl = var.cdn_policy.negative_caching_policy.ttl + } + } + + dynamic "cache_key_policy" { + for_each = var.cdn_policy.cache_key_policy != null ? [1] : [] + content { + include_host = var.cdn_policy.cache_key_policy.include_host + include_protocol = var.cdn_policy.cache_key_policy.include_protocol + include_query_string = var.cdn_policy.cache_key_policy.include_query_string + query_string_blacklist = var.cdn_policy.cache_key_policy.query_string_blacklist + query_string_whitelist = var.cdn_policy.cache_key_policy.query_string_whitelist + include_http_headers = var.cdn_policy.cache_key_policy.include_http_headers + include_named_cookies = var.cdn_policy.cache_key_policy.include_named_cookies + } + } + + dynamic "bypass_cache_on_request_headers" { + for_each = toset(var.cdn_policy.bypass_cache_on_request_headers) != null ? var.cdn_policy.bypass_cache_on_request_headers : [] + content { + header_name = bypass_cache_on_request_headers.value + } + } + } + } + + dynamic "outlier_detection" { + for_each = var.outlier_detection != null && (var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" || var.load_balancing_scheme == "EXTERNAL_MANAGED") ? 
[1] : [] + content { + consecutive_errors = var.outlier_detection.consecutive_errors + consecutive_gateway_failure = var.outlier_detection.consecutive_gateway_failure + enforcing_consecutive_errors = var.outlier_detection.enforcing_consecutive_errors + enforcing_consecutive_gateway_failure = var.outlier_detection.enforcing_consecutive_gateway_failure + enforcing_success_rate = var.outlier_detection.enforcing_success_rate + max_ejection_percent = var.outlier_detection.max_ejection_percent + success_rate_minimum_hosts = var.outlier_detection.success_rate_minimum_hosts + success_rate_request_volume = var.outlier_detection.success_rate_request_volume + success_rate_stdev_factor = var.outlier_detection.success_rate_stdev_factor + + dynamic "base_ejection_time" { + for_each = var.outlier_detection.base_ejection_time != null ? [1] : [] + content { + seconds = var.outlier_detection.base_ejection_time.seconds + nanos = var.outlier_detection.base_ejection_time.nanos + } + } + + dynamic "interval" { + for_each = var.outlier_detection.interval != null ? [1] : [] + content { + seconds = var.outlier_detection.interval.seconds + nanos = var.outlier_detection.interval.nanos + } + } + } + } +} + +resource "google_compute_region_network_endpoint_group" "serverless_negs" { + for_each = { for serverless_neg_backend in var.serverless_neg_backends : + "neg-${var.name}-${serverless_neg_backend.region}" => serverless_neg_backend } + + + provider = google-beta + project = var.project_id + name = each.key + network_endpoint_type = "SERVERLESS" + region = each.value.region + + dynamic "cloud_run" { + for_each = each.value.type == "cloud-run" ? [1] : [] + content { + service = each.value.service.name + } + } + + dynamic "cloud_function" { + for_each = each.value.type == "cloud-function" ? [1] : [] + content { + function = each.value.service.name + } + } + + dynamic "app_engine" { + for_each = each.value.type == "app-engine" ? 
[1] : [] + content { + service = each.value.service.name + version = each.value.service.version + } + } + + lifecycle { + create_before_destroy = true + } +} + +resource "google_compute_health_check" "default" { + provider = google-beta + count = var.health_check != null ? 1 : 0 + project = var.project_id + name = "${var.name}-hc" + + check_interval_sec = var.health_check.check_interval_sec + timeout_sec = var.health_check.timeout_sec + healthy_threshold = var.health_check.healthy_threshold + unhealthy_threshold = var.health_check.unhealthy_threshold + + log_config { + enable = var.health_check.logging + } + + dynamic "http_health_check" { + for_each = coalesce(var.health_check.protocol, var.protocol) == "HTTP" ? [ + 1 + ] : [] + + content { + host = var.health_check.host + request_path = var.health_check.request_path + response = var.health_check.response + port = var.health_check.port + port_name = var.health_check.port_name + proxy_header = var.health_check.proxy_header + port_specification = var.health_check.port_specification + } + } + + dynamic "https_health_check" { + for_each = coalesce(var.health_check.protocol, var.protocol) == "HTTPS" ? [ + 1 + ] : [] + + content { + host = var.health_check.host + request_path = var.health_check.request_path + response = var.health_check.response + port = var.health_check.port + port_name = var.health_check.port_name + proxy_header = var.health_check.proxy_header + port_specification = var.health_check.port_specification + } + } + + dynamic "http2_health_check" { + for_each = coalesce(var.health_check.protocol, var.protocol) == "HTTP2" ? 
[ + 1 + ] : [] + + content { + host = var.health_check.host + request_path = var.health_check.request_path + response = var.health_check.response + port = var.health_check.port + port_name = var.health_check.port_name + proxy_header = var.health_check.proxy_header + port_specification = var.health_check.port_specification + } + } + + dynamic "tcp_health_check" { + for_each = coalesce(var.health_check.protocol, var.protocol) == "TCP" ? [ + 1 + ] : [] + + content { + request = var.health_check.request + response = var.health_check.response + port = var.health_check.port + port_name = var.health_check.port_name + proxy_header = var.health_check.proxy_header + port_specification = var.health_check.port_specification + } + } +} + +resource "google_compute_firewall" "default-hc" { + count = var.health_check != null ? length(var.firewall_networks) : 0 + project = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project_id : var.firewall_projects[count.index] + name = "${var.name}-hc-${count.index}" + network = var.firewall_networks[count.index] + source_ranges = [ + "130.211.0.0/22", + "35.191.0.0/16" + ] + target_tags = length(var.target_tags) > 0 ? var.target_tags : null + target_service_accounts = length(var.target_service_accounts) > 0 ? var.target_service_accounts : null + + allow { + protocol = "tcp" + ports = [var.health_check.port] + } +} \ No newline at end of file diff --git a/modules/lb-http-backend/outputs.tf b/modules/lb-http-backend/outputs.tf new file mode 100644 index 00000000..44e89d75 --- /dev/null +++ b/modules/lb-http-backend/outputs.tf @@ -0,0 +1,10 @@ +output "backend_service_info" { + description = "Host, path and backend service mapping" + value = [ + for mapping in var.host_path_mappings : { + host = mapping.host + path = mapping.path + backend_service = google_compute_backend_service.default.self_link + } + ] +} 
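Review bot: The health-check firewall rule `google_compute_firewall.default-hc` sets `target_tags` and `target_service_accounts` to null when both input lists are empty, so with the module defaults the allow rule applies to every instance in each listed network, while the variable descriptions say exactly one of the two should be specified and nothing enforces it. A `lifecycle.precondition` on the resource would turn that into a plan-time error (it would also reject callers who currently leave both empty, which is the point). Separately, the serverless NEG resource reads `each.value.service.name` and `each.value.service.version`, but the `serverless_neg_backends` variable added in this commit declares flat `service_name`/`service_version` attributes, so any serverless backend should fail at plan time with an unsupported-attribute error and one side needs to change. The line `ports = [var.health_check.port]` also passes a null element when the caller identifies the port through `port_name`/`port_specification` instead of `port`; that case likely needs a guard.
```terraform
resource "google_compute_firewall" "default-hc" {
  # … unchanged: count, project, name, network, source_ranges, target_tags, target_service_accounts, allow …

  lifecycle {
    precondition {
      condition     = (length(var.target_tags) > 0) != (length(var.target_service_accounts) > 0)
      error_message = "Exactly one of target_tags or target_service_accounts must be set for the health-check firewall rule."
    }
  }
}
```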
diff --git a/modules/lb-http-backend/variables.tf b/modules/lb-http-backend/variables.tf new file mode 100644 index 00000000..c6dc8ce8 --- /dev/null +++ b/modules/lb-http-backend/variables.tf 
@@ -0,0 +1,234 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +variable "name" { + description = "Name for the backend service" + type = string +} + +variable "load_balancing_scheme" { + description = "Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)" + type = string + default = "EXTERNAL_MANAGED" +} + +variable "project_id" { + description = "The project to deploy to, if not set the default provider project is used." 
+ type = string +} + +variable "protocol" { + type = string + default = "HTTP" +} + +variable "port_name" { + type = string + default = "http" +} + +variable "description" { + type = string + default = null +} + +variable "enable_cdn" { + type = bool + default = false +} + +variable "compression_mode" { + type = string + default = "DISABLED" +} + +variable "custom_request_headers" { + type = list(string) + default = [] +} + +variable "custom_response_headers" { + type = list(string) + default = [] +} + +variable "connection_draining_timeout_sec" { + type = number + default = null +} + +variable "session_affinity" { + type = string + default = null +} + +variable "affinity_cookie_ttl_sec" { + type = number + default = null +} + +variable "locality_lb_policy" { + type = string + default = null +} + +variable "log_config" { + type = object({ + enable = bool + sample_rate = number + }) + default = { enable = true, sample_rate = 1.0 } +} + +variable "groups" { + type = list(object({ + group = string + description = optional(string) + })) + default = [] +} + +variable "serverless_neg_backends" { + type = list(object({ + region = string + type = string // cloud-run, cloud-function, and app-engine + service_name = string + service_version = optional(string) + })) + default = [] +} + +variable "iap_config" { + type = object({ + enable = bool + oauth2_client_id = optional(string) + oauth2_client_secret = optional(string) + }) + default = { enable = false } +} + +variable "cdn_policy" { + type = object({ + cache_mode = optional(string) + signed_url_cache_max_age_sec = optional(string) + default_ttl = optional(number) + max_ttl = optional(number) + client_ttl = optional(number) + negative_caching = optional(bool) + serve_while_stale = optional(number) + bypass_cache_on_request_headers = optional(list(string)) + negative_caching_policy = optional(object({ + code = optional(number) + ttl = optional(number) + })) + cache_key_policy = optional(object({ + include_host = 
optional(bool) + include_protocol = optional(bool) + include_query_string = optional(bool) + query_string_blacklist = optional(list(string)) + query_string_whitelist = optional(list(string)) + include_http_headers = optional(list(string)) + include_named_cookies = optional(list(string)) + })) + }) + default = {} +} + +variable "outlier_detection" { + type = object({ + base_ejection_time = optional(object({ + seconds = number + nanos = optional(number) + })) + consecutive_errors = optional(number) + consecutive_gateway_failure = optional(number) + enforcing_consecutive_errors = optional(number) + enforcing_consecutive_gateway_failure = optional(number) + enforcing_success_rate = optional(number) + interval = optional(object({ + seconds = number + nanos = optional(number) + })) + max_ejection_percent = optional(number) + success_rate_minimum_hosts = optional(number) + success_rate_request_volume = optional(number) + success_rate_stdev_factor = optional(number) + }) + default = null +} + +variable "health_check" { + type = object({ + host = optional(string, null) + request_path = optional(string, null) + request = optional(string, null) + response = optional(string, null) + port = optional(number, null) + port_name = optional(string, null) + proxy_header = optional(string, null) + port_specification = optional(string, null) + protocol = optional(string, null) + check_interval_sec = optional(number, 5) + timeout_sec = optional(number, 5) + healthy_threshold = optional(number, 2) + unhealthy_threshold = optional(number, 2) + logging = optional(bool, false) + }) + default = null +} + +variable "edge_security_policy" { + description = "The resource URL for the edge security policy to associate with the backend service" + type = string + default = null +} + +variable "security_policy" { + description = "The resource URL for the security policy to associate with the backend service" + type = string + default = null +} + +variable "host_path_mappings" { + description = "The 
list of host/path for which traffic could be sent to the backend service" + type = list(object({ host : string, path : string })) + default = [{ host : "*", path : "/*" }] +} + +variable "firewall_networks" { + description = "Names of the networks to create firewall rules in" + type = list(string) + default = ["default"] +} + +variable "firewall_projects" { + description = "Names of the projects to create firewall rules in" + type = list(string) + default = ["default"] +} + +variable "target_tags" { + description = "List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified." + type = list(string) + default = [] +} + +variable "target_service_accounts" { + description = "List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified." + type = list(string) + default = [] +} \ No newline at end of file diff --git a/modules/lb-http-backend/versions.tf b/modules/lb-http-backend/versions.tf new file mode 100644 index 00000000..7c0b86c1 --- /dev/null +++ b/modules/lb-http-backend/versions.tf 
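Review bot: `iap_config` carries `oauth2_client_secret` but the variable is not marked sensitive, so the secret is printed in plan and apply output and by anything that echoes the object; add `sensitive = true` to the `iap_config` variable (this does not remove it from state, which holds the value regardless). The inline comment on `serverless_neg_backends` (`// cloud-run, cloud-function, and app-engine`) documents the accepted `type` values but nothing validates them, and since every endpoint block in `main.tf` is conditioned on one of those three strings, a misspelled type most likely produces a NEG with no endpoint block at all. A `validation` block with `condition = alltrue([for b in var.serverless_neg_backends : contains(["cloud-run", "cloud-function", "app-engine"], b.type)])` would reject that at plan time.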
@@ -0,0 +1,43 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3" + required_providers { + + google = { + source = "hashicorp/google" + version = ">= 6.0, < 7" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 6.0, < 7" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + } + + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-lb-http:lb-http-backend/v12.0.0" + } + + provider_meta "google-beta" { + module_name = "blueprints/terraform/terraform-google-lb-http:lb-http-backend/v12.0.0" + } + +} diff --git a/modules/lb-http-frontend/main.tf b/modules/lb-http-frontend/main.tf new file mode 100644 index 00000000..762f6923 --- /dev/null +++ b/modules/lb-http-frontend/main.tf 
@@ -0,0 +1,216 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + + +locals { + address = var.create_address ? join("", google_compute_global_address.default[*].address) : var.address + ipv6_address = var.create_ipv6_address ? join("", google_compute_global_address.default_ipv6[*].address) : var.ipv6_address + + url_map = var.create_url_map ? join("", google_compute_url_map.default[*].self_link) : var.url_map_resource_uri + create_http_forward = var.http_forward || var.https_redirect + + + is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" + internal_network = local.is_internal ? var.network : null + + # Create a map with hosts as keys and empty lists as initial values + hosts = toset([for service in var.url_map_input : service.host]) + backend_services_by_host = { + for host in local.hosts : + host => [ + for s in var.url_map_input : + s if s.host == host + ] + } +} + +### IPv4 block ### +resource "google_compute_global_forwarding_rule" "http" { + provider = google-beta + project = var.project_id + count = local.create_http_forward ? 
1 : 0 + name = var.name + target = google_compute_target_http_proxy.default[0].self_link + ip_address = local.address + port_range = var.http_port + labels = var.labels + load_balancing_scheme = var.load_balancing_scheme + network = local.internal_network +} + +resource "google_compute_global_forwarding_rule" "https" { + provider = google-beta + project = var.project_id + count = var.ssl ? 1 : 0 + name = "${var.name}-https" + target = google_compute_target_https_proxy.default[0].self_link + ip_address = local.address + port_range = var.https_port + labels = var.labels + load_balancing_scheme = var.load_balancing_scheme + network = local.internal_network +} + +resource "google_compute_global_address" "default" { + provider = google-beta + count = local.is_internal ? 0 : var.create_address ? 1 : 0 + project = var.project_id + name = "${var.name}-address" + ip_version = "IPV4" + labels = var.labels +} +### IPv4 block ### + +### IPv6 block ### +resource "google_compute_global_forwarding_rule" "http_ipv6" { + provider = google-beta + project = var.project_id + count = (var.enable_ipv6 && local.create_http_forward) ? 1 : 0 + name = "${var.name}-ipv6-http" + target = google_compute_target_http_proxy.default[0].self_link + ip_address = local.ipv6_address + port_range = "80" + labels = var.labels + load_balancing_scheme = var.load_balancing_scheme + network = local.internal_network +} + +resource "google_compute_global_forwarding_rule" "https_ipv6" { + provider = google-beta + project = var.project_id + count = var.enable_ipv6 && var.ssl ? 1 : 0 + name = "${var.name}-ipv6-https" + target = google_compute_target_https_proxy.default[0].self_link + ip_address = local.ipv6_address + port_range = "443" + labels = var.labels + load_balancing_scheme = var.load_balancing_scheme + network = local.internal_network +} + +resource "google_compute_global_address" "default_ipv6" { + provider = google-beta + count = local.is_internal ? 0 : (var.enable_ipv6 && var.create_ipv6_address) ? 
1 : 0 + project = var.project_id + name = "${var.name}-ipv6-address" + ip_version = "IPV6" + labels = var.labels +} +### IPv6 block ### + +# HTTP proxy when http forwarding is true +resource "google_compute_target_http_proxy" "default" { + project = var.project_id + count = local.create_http_forward ? 1 : 0 + name = "${var.name}-http-proxy" + url_map = var.https_redirect == false ? local.url_map : join("", google_compute_url_map.https_redirect[*].self_link) +} + +# HTTPS proxy when ssl is true +resource "google_compute_target_https_proxy" "default" { + project = var.project_id + count = var.ssl ? 1 : 0 + name = "${var.name}-https-proxy" + url_map = local.url_map + + ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default[*].self_link, google_compute_managed_ssl_certificate.default[*].self_link, ), ) + certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + ssl_policy = var.ssl_policy + quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE" + server_tls_policy = var.server_tls_policy + http_keep_alive_timeout_sec = var.http_keep_alive_timeout_sec +} + +resource "google_compute_ssl_certificate" "default" { + project = var.project_id + count = var.ssl && var.create_ssl_certificate ? 1 : 0 + name_prefix = "${var.name}-certificate-" + private_key = var.private_key + certificate = var.certificate + + lifecycle { + create_before_destroy = true + } +} + +resource "random_id" "certificate" { + count = var.random_certificate_suffix == true ? 1 : 0 + byte_length = 4 + prefix = "${var.name}-cert-" + + keepers = { + domains = join(",", var.managed_ssl_certificate_domains) + } +} + +resource "google_compute_managed_ssl_certificate" "default" { + provider = google-beta + project = var.project_id + count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 ? 1 : 0 + name = var.random_certificate_suffix == true ? 
random_id.certificate[0].hex : "${var.name}-cert" + + lifecycle { + create_before_destroy = true + } + + managed { + domains = var.managed_ssl_certificate_domains + } +} + +resource "google_compute_url_map" "https_redirect" { + project = var.project_id + count = var.https_redirect ? 1 : 0 + name = "${var.name}-https-redirect" + default_url_redirect { + https_redirect = true + redirect_response_code = "MOVED_PERMANENTLY_DEFAULT" + strip_query = false + } +} + +resource "google_compute_url_map" "default" { + count = var.create_url_map ? 1 : 0 + provider = google-beta + project = var.project_id + name = "${var.name}-url-map" + default_service = local.backend_services_by_host["*"][0].backend_service + + + dynamic "host_rule" { + for_each = local.backend_services_by_host + content { + hosts = [host_rule.key] + path_matcher = host_rule.key == "*" ? "default" : replace(host_rule.key, ".", "") + } + } + + dynamic "path_matcher" { + for_each = local.backend_services_by_host + content { + name = path_matcher.key == "*" ? "default" : replace(path_matcher.key, ".", "") + default_service = path_matcher.value[0].backend_service + + dynamic "path_rule" { + for_each = path_matcher.value + content { + paths = [path_rule.value.path] + service = path_rule.value.backend_service + } + } + } + } +} diff --git a/modules/lb-http-frontend/outputs.tf b/modules/lb-http-frontend/outputs.tf new file mode 100644 index 00000000..d927a80f --- /dev/null +++ b/modules/lb-http-frontend/outputs.tf 
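Review bot: `google_compute_url_map.default` indexes `local.backend_services_by_host["*"][0]` for its default service, so with `create_url_map = true` (the default) and a `url_map_input` lacking a `"*"` host entry — including the variable's empty default — the plan fails with an invalid-index error instead of a message naming the missing entry; a `lifecycle.precondition` on the resource would make the requirement explicit. The path-matcher names are derived with `replace(host_rule.key, ".", "")`, which for a wildcard host such as `*.example.com` yields a name containing `*` that the API is unlikely to accept, and two hosts differing only in dot placement would collide; a stricter transform or an explicit name in `url_map_input` would be more robust. Both observations are inferred from the visible expressions and are worth confirming against a plan.
```terraform
resource "google_compute_url_map" "default" {
  # … unchanged: count, provider, project, name, default_service, host_rule and path_matcher blocks …

  lifecycle {
    precondition {
      condition     = contains(keys(local.backend_services_by_host), "*")
      error_message = "url_map_input must include an entry with host \"*\"; it is used as the default service of the generated URL map."
    }
  }
}
```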
@@ -0,0 +1,50 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +output "external_ip" { + description = "The external IPv4 assigned to the global fowarding rule." + value = local.address +} + +output "external_ipv6_address" { + description = "The external IPv6 assigned to the global fowarding rule." + value = local.ipv6_address +} + +output "ipv6_enabled" { + description = "Whether IPv6 configuration is enabled on this load-balancer" + value = var.enable_ipv6 +} + +output "http_proxy" { + description = "The HTTP proxy used by this module." + value = google_compute_target_http_proxy.default[*].self_link +} + +output "https_proxy" { + description = "The HTTPS proxy used by this module." + value = google_compute_target_https_proxy.default[*].self_link +} + +output "url_map" { + description = "The default URL map used by this module." + value = google_compute_url_map.default[*].self_link +} + +output "ssl_certificate_created" { + description = "The SSL certificate create from key/pem" + value = google_compute_ssl_certificate.default[*].self_link +} diff --git a/modules/lb-http-frontend/variables.tf b/modules/lb-http-frontend/variables.tf new file mode 100644 index 00000000..5a493680 --- /dev/null +++ b/modules/lb-http-frontend/variables.tf 
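Review bot: The `external_ip` and `external_ipv6_address` descriptions misspell "forwarding" as `fowarding`; change them to `"The external IPv4 assigned to the global forwarding rule."` and the IPv6 counterpart. The `ssl_certificate_created` description `"The SSL certificate create from key/pem"` should read `"The SSL certificate created from key/pem"`.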
@@ -0,0 +1,211 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "project_id" { + description = "The project to deploy to, if not set the default provider project is used." + type = string +} + +variable "name" { + description = "Name for the forwarding rule and prefix for supporting resources" + type = string +} + +variable "create_address" { + type = bool + description = "Create a new global IPv4 address" + default = true +} + +variable "address" { + type = string + description = "Existing IPv4 address to use (the actual IP address value)" + default = null +} + +variable "enable_ipv6" { + type = bool + description = "Enable IPv6 address on the CDN load-balancer" + default = false +} + +variable "create_ipv6_address" { + type = bool + description = "Allocate a new IPv6 address. Conflicts with \"ipv6_address\" - if both specified, \"create_ipv6_address\" takes precedence." + default = false +} + +variable "ipv6_address" { + type = string + description = "An existing IPv6 address to use (the actual IP address value)" + default = null +} + +variable "create_url_map" { + description = "Set to `false` if url_map variable is provided." 
+ type = bool + default = true +} + +variable "url_map_input" { + description = "List of host, path and backend service for creating url_map" + type = list(object({ + host : string + path : string + backend_service : string + })) + default = [] +} + +variable "url_map_resource_uri" { + description = "The url_map resource to use. Default is to send all traffic to first backend." + type = string + default = null +} + +variable "http_forward" { + description = "Set to `false` to disable HTTP port 80 forward" + type = bool + default = true +} + +variable "ssl" { + description = "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`" + type = bool + default = false +} + +variable "create_ssl_certificate" { + description = "If `true`, Create certificate using `private_key/certificate`" + type = bool + default = false +} + +variable "ssl_certificates" { + description = "SSL cert self_link list. Requires `ssl` to be set to `true`" + type = list(string) + default = [] +} + +variable "private_key" { + description = "Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`" + type = string + default = null +} + +variable "certificate" { + description = "Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`" + type = string + default = null +} + +variable "managed_ssl_certificate_domains" { + description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`" + type = list(string) + default = [] +} + +variable "certificate_map" { + description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. 
Requires `ssl` to be set to `true`" + type = string + default = null +} + +variable "ssl_policy" { + type = string + description = "Selfink to SSL Policy" + default = null +} + +variable "quic" { + type = bool + description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only." + default = null +} + +variable "edge_security_policy" { + description = "The resource URL for the edge security policy to associate with the backend service" + type = string + default = null +} + +variable "security_policy" { + description = "The resource URL for the security policy to associate with the backend service" + type = string + default = null +} + +variable "https_redirect" { + description = "Set to `true` to enable https redirect on the lb." + type = bool + default = false +} + +variable "random_certificate_suffix" { + description = "Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert." 
+ type = bool + default = false +} + +variable "labels" { + description = "The labels to attach to resources created by this module" + type = map(string) + default = {} +} + +variable "load_balancing_scheme" { + description = "Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)" + type = string + default = "EXTERNAL_MANAGED" +} + +variable "network" { + description = "Network for INTERNAL_SELF_MANAGED load balancing scheme" + type = string + default = "default" +} + +variable "server_tls_policy" { + description = "The resource URL for the server TLS policy to associate with the https proxy service" + type = string + default = null +} + +variable "http_port" { + description = "The port for the HTTP load balancer" + type = number + default = 80 + validation { + condition = var.http_port >= 1 && var.http_port <= 65535 + error_message = "You must specify exactly one port between 1 and 65535" + } +} + +variable "https_port" { + description = "The port for the HTTPS load balancer" + type = number + default = 443 + validation { + condition = var.https_port >= 1 && var.https_port <= 65535 + error_message = "You must specify exactly one port between 1 and 65535" + } +} + +variable "http_keep_alive_timeout_sec" { + description = "Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds)." + type = number + default = null +} diff --git a/modules/lb-http-frontend/versions.tf b/modules/lb-http-frontend/versions.tf new file mode 100644 index 00000000..0768ccd6 --- /dev/null +++ b/modules/lb-http-frontend/versions.tf 
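Review bot: `private_key` holds PEM private-key material but is declared without `sensitive = true`, so the key is echoed in plan and apply output whenever `create_ssl_certificate` is used; add `sensitive = true` to the `private_key` variable (the value still lands in state, which has to be protected separately). `ssl_policy` defaults to null, which leaves the HTTPS proxy on the platform's default SSL policy (as I understand it, that permits older TLS versions); the description, currently `"Selfink to SSL Policy"` with a typo for "Selflink", could state that consequence so callers know to supply a policy with a minimum TLS version. `edge_security_policy` and `security_policy` are declared here but no resource in the frontend `main.tf` of this commit reads them; they look like leftovers from the backend module and could be dropped to avoid suggesting a policy is applied when it is not.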
@@ -0,0 +1,43 @@ +/** + * Copyright 2022 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3" + required_providers { + + google = { + source = "hashicorp/google" + version = ">= 6.0, < 7" + } + google-beta = { + source = "hashicorp/google-beta" + version = ">= 6.0, < 7" + } + random = { + source = "hashicorp/random" + version = ">= 2.1" + } + } + + provider_meta "google" { + module_name = "blueprints/terraform/terraform-google-lb-http:lb-http-frontend/v12.0.0" + } + + provider_meta "google-beta" { + module_name = "blueprints/terraform/terraform-google-lb-http:lb-http-frontend/v12.0.0" + } + +}