diff --git a/README.md b/README.md index 8aac0f26..7d0ef252 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,7 @@ module "gce-lb-http" { | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no | | backends | Map backend indices to list of backend maps. |
map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)

health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})

log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl index 2ae6a0e7..1728cdd0 100644 --- a/autogen/main.tf.tmpl +++ b/autogen/main.tf.tmpl @@ -26,8 +26,9 @@ locals { health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null } {% endif %} - is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" - internal_network = local.is_internal ? var.network : null + is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" + internal_network = local.is_internal ? var.network : null + ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) } ### IPv4 block ### 
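Review bot: The new `ssl_certificates` local tests `var.certificate_manager_certificates != null`, so a caller who passes an empty list `[]` is treated as having chosen Certificate Manager and ends up with a proxy that has no certificate source at all; `try(length(var.certificate_manager_certificates), 0) > 0 ? null : compact(concat(...))` would only switch modes when certificates are actually supplied. When the list is non-empty the local also silently discards anything in `var.ssl_certificates` and every module-created certificate instead of rejecting the combination, and nothing in this hunk stops those certificate resources from still being created (their count is outside the hunk), which would leave a user-supplied private key in an unattached `google_compute_ssl_certificate` — worth confirming. The same local is added unchanged in main.tf, modules/dynamic_backends/main.tf and modules/serverless_negs/main.tf, so whatever is decided here applies to all four. A comment above the assignment should spell out the precedence, e.g. `# Certificate Manager certificates take precedence: when they are supplied, ssl_certificates and module-created certificates are not attached to the proxy.`, and a guard that fails the plan on the conflicting inputs belongs on the target proxy resource in the next hunk.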
@@ -119,8 +120,10 @@ resource "google_compute_target_https_proxy" "default" { name = "${var.name}-https-proxy" url_map = local.url_map - ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) - certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + certificate_manager_certificates = var.certificate_manager_certificates + certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + + ssl_certificates = local.ssl_certificates ssl_policy = var.ssl_policy quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE" } diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl index fdc50d9c..28398f79 100644 --- a/autogen/variables.tf.tmpl +++ b/autogen/variables.tf.tmpl @@ -256,6 +256,12 @@ variable "certificate_map" { default = null } +variable "certificate_manager_certificates" { + description = "Certificate Manager cert ids. Required if `ssl` is `true` and `certificate_map` is set." + type = list(string) + default = null +} + variable "ssl_policy" { type = string description = "Selfink to SSL Policy" diff --git a/autogen/versions.tf.tmpl b/autogen/versions.tf.tmpl index 8cd1eedb..525b02de 100644 --- a/autogen/versions.tf.tmpl +++ b/autogen/versions.tf.tmpl @@ -20,11 +20,11 @@ terraform { google = { source = "hashicorp/google" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } random = { source = "hashicorp/random" diff --git a/main.tf b/main.tf index d3aec207..b3302448 100644 --- a/main.tf +++ b/main.tf 
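Review bot: The proxy now receives `certificate_manager_certificates`, `certificate_map` and `ssl_certificates` with no check that the caller has chosen only one mechanism, so conflicting inputs are either rejected late by the API or, for `ssl_certificates` and `create_ssl_certificate`, silently ignored because the new local nulls them out; a `lifecycle` precondition on this resource would turn that into a plan-time error with a clear message. The provider documents Certificate Manager certificates and classic `ssl_certificates` as mutually exclusive, and I would expect `certificate_map` to be an alternative rather than a co-requirement as well — confirm against the provider docs before extending the condition to it. The same three attribute lines appear in main.tf, modules/dynamic_backends/main.tf and modules/serverless_negs/main.tf. The sketch below uses only inputs already referenced by the module; the managed-certificate domains input is not visible in the diff and should be added to the condition if it exists.
```hcl
resource "google_compute_target_https_proxy" "default" {
  # … unchanged: name, url_map, certificate attributes, ssl_policy, quic_override …

  lifecycle {
    precondition {
      condition = var.certificate_manager_certificates == null || (
        length(var.ssl_certificates) == 0 && !var.create_ssl_certificate
      )
      error_message = "certificate_manager_certificates cannot be combined with ssl_certificates or create_ssl_certificate; those certificates would not be attached to the proxy."
    }
  }
}
```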
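Review bot: The description of `certificate_manager_certificates` says it is "Required if `ssl` is `true` and `certificate_map` is set", which reads as if a certificate map must always be accompanied by a certificate list, while the surrounding code treats them as independent inputs and the provider documents Certificate Manager certificates as an alternative to classic `ssl_certificates`; the wording should state the actual relation, and "cert ids" should give the accepted identifier format, since unlike `certificate_map` the values are passed to the proxy without the `//certificatemanager.googleapis.com/` prefix being added (as I recall the provider accepts the `projects/{project}/locations/{location}/certificates/{name}` resource name or that full URL — confirm against the provider docs). Something like `description = "Certificate Manager certificate resource names to attach to the target HTTPS proxy, passed through unchanged. Requires ssl = true; when set, ssl_certificates and module-created certificates are not attached. See the provider documentation for the accepted formats."` would cover both. The template here wraps `certificate_map` in backticks but the generated variables.tf, modules/dynamic_backends/variables.tf and modules/serverless_negs/variables.tf do not, which suggests the generated files were edited by hand rather than regenerated from the template; the README rows mirror the same text and should be regenerated once the description is settled.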
@@ -26,6 +26,7 @@ locals { is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" internal_network = local.is_internal ? var.network : null + ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) } ### IPv4 block ### @@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" { name = "${var.name}-https-proxy" url_map = local.url_map - ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) - certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + certificate_manager_certificates = var.certificate_manager_certificates + certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + + ssl_certificates = local.ssl_certificates ssl_policy = var.ssl_policy quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE" } diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md index 892a3d1c..3506dce8 100644 --- a/modules/dynamic_backends/README.md +++ b/modules/dynamic_backends/README.md @@ -115,6 +115,7 @@ module "gce-lb-http" { | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no | | backends | Map backend indices to list of backend maps. |
map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)

health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})

log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf index 066e2350..e9389699 100644 --- a/modules/dynamic_backends/main.tf +++ b/modules/dynamic_backends/main.tf @@ -26,6 +26,7 @@ locals { is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" internal_network = local.is_internal ? var.network : null + ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) } ### IPv4 block ### 
@@ -117,8 +118,10 @@ resource "google_compute_target_https_proxy" "default" { name = "${var.name}-https-proxy" url_map = local.url_map - ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) - certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + certificate_manager_certificates = var.certificate_manager_certificates + certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + + ssl_certificates = local.ssl_certificates ssl_policy = var.ssl_policy quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE" } diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf index 56018f1b..d032b7ad 100644 --- a/modules/dynamic_backends/variables.tf +++ b/modules/dynamic_backends/variables.tf @@ -243,6 +243,12 @@ variable "certificate_map" { default = null } +variable "certificate_manager_certificates" { + description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set." + type = list(string) + default = null +} + variable "ssl_policy" { type = string description = "Selfink to SSL Policy" diff --git a/modules/dynamic_backends/versions.tf b/modules/dynamic_backends/versions.tf index 23ee244c..f21e10d2 100644 --- a/modules/dynamic_backends/versions.tf +++ b/modules/dynamic_backends/versions.tf @@ -20,11 +20,11 @@ terraform { google = { source = "hashicorp/google" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } random = { source = "hashicorp/random" diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md index 5999a26d..ca3572aa 100644 --- a/modules/serverless_negs/README.md +++ b/modules/serverless_negs/README.md 
@@ -81,6 +81,7 @@ module "lb-http" { | address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no | | backends | Map backend indices to list of backend maps. |
map(object({
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))

connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)


log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})

groups = list(object({
group = string

}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
}))
| n/a | yes | | certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no | +| certificate\_manager\_certificates | Certificate Manager cert ids. Required if `ssl` is `true` and certificate\_map is set. | `list(string)` | `null` | no | | certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no | | create\_address | Create a new global IPv4 address | `bool` | `true` | no | | create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf index fe42890f..c2d44ae4 100644 --- a/modules/serverless_negs/main.tf +++ b/modules/serverless_negs/main.tf @@ -25,6 +25,7 @@ locals { is_internal = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED" internal_network = local.is_internal ? var.network : null + ssl_certificates = var.certificate_manager_certificates != null ? null : compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) } ### IPv4 block ### 
@@ -116,8 +117,10 @@ resource "google_compute_target_https_proxy" "default" { name = "${var.name}-https-proxy" url_map = local.url_map - ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, google_compute_managed_ssl_certificate.default.*.self_link, ), ) - certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + certificate_manager_certificates = var.certificate_manager_certificates + certificate_map = var.certificate_map != null ? "//certificatemanager.googleapis.com/${var.certificate_map}" : null + + ssl_certificates = local.ssl_certificates ssl_policy = var.ssl_policy quic_override = var.quic == null ? "NONE" : var.quic ? "ENABLE" : "DISABLE" } diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf index 59a56b3e..c80ba820 100644 --- a/modules/serverless_negs/variables.tf +++ b/modules/serverless_negs/variables.tf @@ -192,6 +192,12 @@ variable "certificate_map" { default = null } +variable "certificate_manager_certificates" { + description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set." + type = list(string) + default = null +} + variable "ssl_policy" { type = string description = "Selfink to SSL Policy" diff --git a/modules/serverless_negs/versions.tf b/modules/serverless_negs/versions.tf index cc2fde75..d428ae85 100644 --- a/modules/serverless_negs/versions.tf +++ b/modules/serverless_negs/versions.tf @@ -20,11 +20,11 @@ terraform { google = { source = "hashicorp/google" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } random = { source = "hashicorp/random" diff --git a/variables.tf b/variables.tf index 56018f1b..d032b7ad 100644 --- a/variables.tf +++ b/variables.tf 
@@ -243,6 +243,12 @@ variable "certificate_map" { default = null } +variable "certificate_manager_certificates" { + description = "Certificate Manager cert ids. Required if `ssl` is `true` and certificate_map is set." + type = list(string) + default = null +} + variable "ssl_policy" { type = string description = "Selfink to SSL Policy" diff --git a/versions.tf b/versions.tf index c84a468a..fe7d9644 100644 --- a/versions.tf +++ b/versions.tf @@ -20,11 +20,11 @@ terraform { google = { source = "hashicorp/google" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } google-beta = { source = "hashicorp/google-beta" - version = ">= 4.50, < 6" + version = ">= 5.3, < 6.0" } random = { source = "hashicorp/random"