This submodule allows you to create Cloud HTTP(S) Load Balancer with Serverless Network Endpoint Groups (NEGs) and place serverless services from Cloud Run, Cloud Functions and App Engine behind a Cloud Load Balancer.
This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.5.0.
Current version is 9.0. Upgrade guides:
module "lb-http" {
source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
version = "~> 9.0"
project = "my-project-id"
name = "my-lb"
ssl = true
managed_ssl_certificate_domains = ["your-domain.com"]
https_redirect = true
backends = {
default = {
description = null
protocol = "HTTP"
port_name = var.service_port_name
enable_cdn = false
custom_request_headers = null
custom_response_headers = null
security_policy = null
compression_mode = null
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
# Your serverless service should have a NEG created that's referenced here.
group = google_compute_region_network_endpoint_group.default.id
}
]
iap_config = {
enable = false
oauth2_client_id = null
oauth2_client_secret = null
}
}
}
}
Name | Description | Type | Default | Required |
---|---|---|---|---|
address | Existing IPv4 address to use (the actual IP address value) | string |
null |
no |
backends | Map backend indices to list of backend maps. | map(object({ |
n/a | yes |
certificate | Content of the SSL certificate. Required if ssl is true and ssl_certificates is empty. |
string |
null |
no |
certificate_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | string |
null |
no |
create_address | Create a new global IPv4 address | bool |
true |
no |
create_ipv6_address | Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. | bool |
false |
no |
create_url_map | Set to false if url_map variable is provided. |
bool |
true |
no |
edge_security_policy | The resource URL for the edge security policy to associate with the backend service | string |
null |
no |
enable_ipv6 | Enable IPv6 address on the CDN load-balancer | bool |
false |
no |
http_forward | Set to false to disable HTTP port 80 forward |
bool |
true |
no |
https_redirect | Set to true to enable https redirect on the lb. |
bool |
false |
no |
ipv6_address | An existing IPv6 address to use (the actual IP address value) | string |
null |
no |
labels | The labels to attach to resources created by this module | map(string) |
{} |
no |
load_balancing_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director) | string |
"EXTERNAL" |
no |
managed_ssl_certificate_domains | Create Google-managed SSL certificates for specified domains. Requires ssl to be set to true and use_ssl_certificates set to false . |
list(string) |
[] |
no |
name | Name for the forwarding rule and prefix for supporting resources | string |
n/a | yes |
network | Network for INTERNAL_SELF_MANAGED load balancing scheme | string |
"default" |
no |
private_key | Content of the private SSL key. Required if ssl is true and ssl_certificates is empty. |
string |
null |
no |
project | The project to deploy to, if not set the default provider project is used. | string |
n/a | yes |
quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | bool |
null |
no |
random_certificate_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | bool |
false |
no |
security_policy | The resource URL for the security policy to associate with the backend service | string |
null |
no |
ssl | Set to true to enable SSL support, requires variable ssl_certificates - a list of self_link certs |
bool |
false |
no |
ssl_certificates | SSL cert self_link list. Required if ssl is true and no private_key and certificate is provided. |
list(string) |
[] |
no |
ssl_policy | Selfink to SSL Policy | string |
null |
no |
url_map | The url_map resource to use. Default is to send all traffic to first backend. | string |
null |
no |
use_ssl_certificates | If true, use the certificates provided by ssl_certificates , otherwise, create cert from private_key and certificate |
bool |
false |
no |
Name | Description |
---|---|
backend_services | The backend service resources. |
external_ip | The external IPv4 assigned to the global fowarding rule. |
external_ipv6_address | The external IPv6 assigned to the global fowarding rule. |
http_proxy | The HTTP proxy used by this module. |
https_proxy | The HTTPS proxy used by this module. |
ipv6_enabled | Whether IPv6 configuration is enabled on this load-balancer |
url_map | The default URL map used by this module. |
google_compute_global_forwarding_rule.http
: The global HTTP forwarding rule.google_compute_global_forwarding_rule.https
: The global HTTPS forwarding rule created whenssl
istrue
.google_compute_target_http_proxy.default
: The HTTP proxy resource that binds the url map. Created when inputssl
isfalse
.google_compute_target_https_proxy.default
: The HTTPS proxy resource that binds the url map. Created when inputssl
istrue
.google_compute_ssl_certificate.default
: The certificate resource created when inputssl
istrue
andmanaged_ssl_certificate_domains
not specified.google_compute_managed_ssl_certificate.default
: The Google-managed certificate resource created when inputssl
istrue
andmanaged_ssl_certificate_domains
is specified.google_compute_url_map.default
: The default URL map resource when inputurl_map
is not provided.google_compute_backend_service.default.*
: The backend services created for each of thebackend_params
elements.