feat: Add certificate_manager_certificates variable for the https_proxy
lbordowitz committed Oct 30, 2023
1 parent 4952ec2 commit e5d3646
Showing 15 changed files with 64 additions and 25 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -122,6 +122,7 @@ module "gce-lb-http" {
| address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no |
| backends | Map backend indices to list of backend maps. | <pre>map(object({<br> port = optional(number)<br> project = optional(string)<br> protocol = optional(string)<br> port_name = optional(string)<br> description = optional(string)<br> enable_cdn = optional(bool)<br> compression_mode = optional(string)<br> security_policy = optional(string, null)<br> edge_security_policy = optional(string, null)<br> custom_request_headers = optional(list(string))<br> custom_response_headers = optional(list(string))<br><br> timeout_sec = optional(number)<br> connection_draining_timeout_sec = optional(number)<br> session_affinity = optional(string)<br> affinity_cookie_ttl_sec = optional(number)<br><br> health_check = object({<br> host = optional(string)<br> request_path = optional(string)<br> request = optional(string)<br> response = optional(string)<br> port = optional(number)<br> port_name = optional(string)<br> proxy_header = optional(string)<br> port_specification = optional(string)<br> protocol = optional(string)<br> check_interval_sec = optional(number)<br> timeout_sec = optional(number)<br> healthy_threshold = optional(number)<br> unhealthy_threshold = optional(number)<br> logging = optional(bool)<br> })<br><br> log_config = object({<br> enable = optional(bool)<br> sample_rate = optional(number)<br> })<br><br> groups = list(object({<br> group = string<br><br> balancing_mode = optional(string)<br> capacity_scaler = optional(number)<br> description = optional(string)<br> max_connections = optional(number)<br> max_connections_per_instance = optional(number)<br> max_connections_per_endpoint = optional(number)<br> max_rate = optional(number)<br> max_rate_per_instance = optional(number)<br> max_rate_per_endpoint = optional(number)<br> max_utilization = optional(number)<br> }))<br> iap_config = object({<br> enable = bool<br> oauth2_client_id = optional(string)<br> oauth2_client_secret = optional(string)<br> })<br> cdn_policy = optional(object({<br> cache_mode = 
optional(string)<br> signed_url_cache_max_age_sec = optional(string)<br> default_ttl = optional(number)<br> max_ttl = optional(number)<br> client_ttl = optional(number)<br> negative_caching = optional(bool)<br> negative_caching_policy = optional(object({<br> code = optional(number)<br> ttl = optional(number)<br> }))<br> serve_while_stale = optional(number)<br> cache_key_policy = optional(object({<br> include_host = optional(bool)<br> include_protocol = optional(bool)<br> include_query_string = optional(bool)<br> query_string_blacklist = optional(list(string))<br> query_string_whitelist = optional(list(string))<br> include_http_headers = optional(list(string))<br> include_named_cookies = optional(list(string))<br> }))<br> }))<br> }))</pre> | n/a | yes |
| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no |
| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no |
| create\_address | Create a new global IPv4 address | `bool` | `true` | no |
| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no |
Expand Down Expand Up @@ -149,7 +150,7 @@ module "gce-lb-http" {
| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no |
| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |
| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |

## Outputs

11 changes: 7 additions & 4 deletions autogen/main.tf.tmpl
Expand Up @@ -26,8 +26,9 @@ locals {
health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null }
{% endif %}

is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
internal_network = local.is_internal ? var.network : null
is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
internal_network = local.is_internal ? var.network : null
ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
}

### IPv4 block ###
Expand Down Expand Up @@ -119,8 +120,10 @@ resource "google_compute_target_https_proxy" "default" {
name = "${var.name}-https-proxy"
url_map = local.url_map

ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
certificate_manager_certificates = var.certificate_manager_certificates
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null

ssl_certificates = local.ssl_certificates
ssl_policy = var.ssl_policy
quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
}
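Review bot: The new local `ssl_certificates = var.certificate_manager_certificates != null ? null : compact(...)` in the first hunk tests only for null, so a caller who passes an empty list `[]` ends up with a proxy that has neither `ssl_certificates` nor any Certificate Manager certificate, and a caller who sets both inputs has their `ssl_certificates` silently discarded instead of rejected. A length-based test avoids the empty-list case, `ssl_certificates = try(length(var.certificate_manager_certificates), 0) > 0 ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )`, and the silent override is better surfaced by a precondition on `google_compute_target_https_proxy.default` (Terraform 1.2+, if the module's required_version allows it). The same lines appear in main.tf and modules/dynamic_backends/main.tf, presumably generated from this template. The `google_compute_ssl_certificate` and `google_compute_managed_ssl_certificate` resources the local references are outside this hunk, so whether they are still created when Certificate Manager certificates are used cannot be checked here.
```terraform
resource "google_compute_target_https_proxy" "default" {
  # … unchanged: name, url_map, certificate_manager_certificates, certificate_map, ssl_policy, quic_override …
  ssl_certificates = local.ssl_certificates

  lifecycle {
    precondition {
      condition     = try(length(var.certificate_manager_certificates), 0) == 0 || length(var.ssl_certificates) == 0
      error_message = "certificate_manager_certificates and ssl_certificates are mutually exclusive on the HTTPS proxy; set only one."
    }
  }
}
```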
8 changes: 7 additions & 1 deletion autogen/variables.tf.tmpl
Expand Up @@ -232,7 +232,7 @@ variable "managed_ssl_certificate_domains" {
}

variable "use_ssl_certificates" {
description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
type = bool
default = false
}
Expand All @@ -243,6 +243,12 @@ variable "ssl_certificates" {
default = []
}

variable "certificate_manager_certificates" {
description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
type = list(string)
default = null
}

variable "edge_security_policy" {
description = "The resource URL for the edge security policy to associate with the backend service"
type = string
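Review bot: The description of the new `certificate_manager_certificates` variable, "Required if `ssl` is `true` and certificate_map is set", does not match how the template uses it: the value is attached to the proxy whenever it is non-null, independently of `certificate_map`, and a non-null value causes `ssl_certificates` and any module-created certificate to be dropped from the proxy. A description stating that contract would spare users a surprise, e.g. `description = "Certificate Manager certificate ids to attach to the HTTPS proxy. When non-null, these replace ssl_certificates and any certificate the module creates, since (as I recall) the provider does not accept both on one proxy."`. The updated `use_ssl_certificates` description in the first hunk now mentions `ssl_certificates` or `certificate_map` but not this new variable, which is the third way certificates reach the proxy. The same text appears in modules/dynamic_backends/variables.tf and in both README tables.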
4 changes: 2 additions & 2 deletions autogen/versions.tf.tmpl
Expand Up @@ -20,11 +20,11 @@ terraform {

google = {
source = "hashicorp/google"
version = ">= 4.50, < 5.0"
version = ">= 5.3, < 6.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.50, < 5.0"
version = ">= 5.3, < 6.0"
}
random = {
source = "hashicorp/random"
7 changes: 5 additions & 2 deletions main.tf
Expand Up @@ -26,6 +26,7 @@ locals {

is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
internal_network = local.is_internal ? var.network : null
ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
}

### IPv4 block ###
Expand Down Expand Up @@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" {
name = "${var.name}-https-proxy"
url_map = local.url_map

ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
certificate_manager_certificates = var.certificate_manager_certificates
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null

ssl_certificates = local.ssl_certificates
ssl_policy = var.ssl_policy
quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
}
3 changes: 2 additions & 1 deletion modules/dynamic_backends/README.md
Expand Up @@ -115,6 +115,7 @@ module "gce-lb-http" {
| address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no |
| backends | Map backend indices to list of backend maps. | <pre>map(object({<br> port = optional(number)<br> project = optional(string)<br> protocol = optional(string)<br> port_name = optional(string)<br> description = optional(string)<br> enable_cdn = optional(bool)<br> compression_mode = optional(string)<br> security_policy = optional(string, null)<br> edge_security_policy = optional(string, null)<br> custom_request_headers = optional(list(string))<br> custom_response_headers = optional(list(string))<br><br> timeout_sec = optional(number)<br> connection_draining_timeout_sec = optional(number)<br> session_affinity = optional(string)<br> affinity_cookie_ttl_sec = optional(number)<br><br> health_check = object({<br> host = optional(string)<br> request_path = optional(string)<br> request = optional(string)<br> response = optional(string)<br> port = optional(number)<br> port_name = optional(string)<br> proxy_header = optional(string)<br> port_specification = optional(string)<br> protocol = optional(string)<br> check_interval_sec = optional(number)<br> timeout_sec = optional(number)<br> healthy_threshold = optional(number)<br> unhealthy_threshold = optional(number)<br> logging = optional(bool)<br> })<br><br> log_config = object({<br> enable = optional(bool)<br> sample_rate = optional(number)<br> })<br><br> groups = list(object({<br> group = string<br><br> balancing_mode = optional(string)<br> capacity_scaler = optional(number)<br> description = optional(string)<br> max_connections = optional(number)<br> max_connections_per_instance = optional(number)<br> max_connections_per_endpoint = optional(number)<br> max_rate = optional(number)<br> max_rate_per_instance = optional(number)<br> max_rate_per_endpoint = optional(number)<br> max_utilization = optional(number)<br> }))<br> iap_config = object({<br> enable = bool<br> oauth2_client_id = optional(string)<br> oauth2_client_secret = optional(string)<br> })<br> cdn_policy = optional(object({<br> cache_mode = 
optional(string)<br> signed_url_cache_max_age_sec = optional(string)<br> default_ttl = optional(number)<br> max_ttl = optional(number)<br> client_ttl = optional(number)<br> negative_caching = optional(bool)<br> negative_caching_policy = optional(object({<br> code = optional(number)<br> ttl = optional(number)<br> }))<br> serve_while_stale = optional(number)<br> cache_key_policy = optional(object({<br> include_host = optional(bool)<br> include_protocol = optional(bool)<br> include_query_string = optional(bool)<br> query_string_blacklist = optional(list(string))<br> query_string_whitelist = optional(list(string))<br> include_http_headers = optional(list(string))<br> include_named_cookies = optional(list(string))<br> }))<br> }))<br> }))</pre> | n/a | yes |
| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no |
| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no |
| create\_address | Create a new global IPv4 address | `bool` | `true` | no |
| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no |
Expand Down Expand Up @@ -142,7 +143,7 @@ module "gce-lb-http" {
| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no |
| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |
| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |

## Outputs

7 changes: 5 additions & 2 deletions modules/dynamic_backends/main.tf
Expand Up @@ -26,6 +26,7 @@ locals {

is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
internal_network = local.is_internal ? var.network : null
ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
}

### IPv4 block ###
Expand Down Expand Up @@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" {
name = "${var.name}-https-proxy"
url_map = local.url_map

ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), )
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null
certificate_manager_certificates = var.certificate_manager_certificates
certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null

ssl_certificates = local.ssl_certificates
ssl_policy = var.ssl_policy
quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE"
}
8 changes: 7 additions & 1 deletion modules/dynamic_backends/variables.tf
Expand Up @@ -219,7 +219,7 @@ variable "managed_ssl_certificate_domains" {
}

variable "use_ssl_certificates" {
description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
description = "If true, use the certificates provided by `ssl_certificates` or `certificate_map`, otherwise, create cert from `private_key` and `certificate`"
type = bool
default = false
}
Expand All @@ -230,6 +230,12 @@ variable "ssl_certificates" {
default = []
}

variable "certificate_manager_certificates" {
description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set."
type = list(string)
default = null
}

variable "edge_security_policy" {
description = "The resource URL for the edge security policy to associate with the backend service"
type = string
4 changes: 2 additions & 2 deletions modules/dynamic_backends/versions.tf
Expand Up @@ -20,11 +20,11 @@ terraform {

google = {
source = "hashicorp/google"
version = ">= 4.50, < 5.0"
version = ">= 5.3, < 6.0"
}
google-beta = {
source = "hashicorp/google-beta"
version = ">= 4.50, < 5.0"
version = ">= 5.3, < 6.0"
}
random = {
source = "hashicorp/random"
