feat: added network for INTERNAL_SELF_MANAGED load balancing schema (#…

…320)
terraform-google-modules · Apr 14, 2023 · 7226353 · 7226353
1 parent e9da266
commit 7226353
Show file tree

Hide file tree

Showing 15 changed files with 258 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -136,6 +136,7 @@ Current version is 9.0. Upgrade guides:
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL"` | no |
 | managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`. | `list(string)` | `[]` | no |
 | name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes |
+| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no |
 | private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
 | project | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes |
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |

diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
@@ -26,6 +26,8 @@ locals {
   health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null }  
   {% endif %}
 
+  is_internal       = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
+  internal_network  = local.is_internal ? var.network : null
 }
 
 ### IPv4 block ###
@@ -39,6 +41,7 @@ resource "google_compute_global_forwarding_rule" "http" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https" {
@@ -51,11 +54,12 @@ resource "google_compute_global_forwarding_rule" "https" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default" {
   provider   = google-beta
-  count      = var.create_address ? 1 : 0
+  count      = local.is_internal ? 0 : var.create_address ? 1 : 0
   project    = var.project
   name       = "${var.name}-address"
   ip_version = "IPV4"
@@ -74,6 +78,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https_ipv6" {
@@ -86,11 +91,12 @@ resource "google_compute_global_forwarding_rule" "https_ipv6" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default_ipv6" {
   provider   = google-beta
-  count      = (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
+  count      = local.is_internal ? 0 : (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
   project    = var.project
   name       = "${var.name}-ipv6-address"
   ip_version = "IPV6"

diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
@@ -277,3 +277,9 @@ variable "certificate_map" {
   type        = string
   default     = null
 }
+
+variable "network" {
+  description = "Network for INTERNAL_SELF_MANAGED load balancing scheme"
+  type        = string
+  default     = "default"
+}
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
@@ -49,6 +49,19 @@ steps:
 - id: cdn-policy-example-teardown
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestAll/examples/cdn-policy --stage teardown --verbose']
+# traffic-director example
+- id: traffic-director-example-init
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/traffic-director --stage init --verbose']
+- id: traffic-director-example-apply
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/traffic-director --stage apply --verbose']
+- id: traffic-director-example-verify
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/traffic-director --stage verify --verbose']
+- id: traffic-director-example-teardown
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestAll/examples/traffic-director --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

diff --git a/examples/traffic-director/README.md b/examples/traffic-director/README.md
@@ -0,0 +1,77 @@
+# External HTTPS Load Balancer with dynamic backends
+
+[![button](http://gstatic.com/cloudssh/images/open-btn.png)](https://console.cloud.google.com/cloudshell/open?git_repo=https://github.com/GoogleCloudPlatform/terraform-google-lb-http&working_dir=examples/dynamic-backend&page=shell&tutorial=README.md)
+
+This creates an external Envoy-based HTTPS Load Balancer using dynamic
+backends suitable for integrating with a Google Kubernetes Engine cluster
+running [gke-autoneg-controller](https://github.com/GoogleCloudPlatform/gke-autoneg-controller).
+The load balancer will not route traffic to any backend service or bucket;
+instead, it expects that an external user or service will register backends
+(such as Network Endpoint Groups) accordingly to serve traffic. The example
+will attempt to provision a Google-managed TLS certificate for the domain
+"example.com" by default and use `/api/health` as a health check endpoint.
+
+## Change to the example directory
+
+```
+[[ `basename $PWD` != https-gke ]] && cd examples/dynamic-backend
+```
+
+## Install Terraform
+
+1. Install Terraform if it is not already installed (visit [terraform.io](https://terraform.io) for other distributions):
+
+## Set up the environment
+
+1. Set the project, replace `YOUR_PROJECT` with your project ID:
+
+```
+PROJECT=YOUR_PROJECT
+```
+
+```
+gcloud config set project ${PROJECT}
+```
+
+2. Configure the environment for Terraform:
+
+```
+[[ $CLOUD_SHELL ]] || gcloud auth application-default login
+export GOOGLE_PROJECT=$(gcloud config get-value project)
+```
+
+3. Create the dynamic backend load balancer.
+
+```
+(
+    cd dynamic-backend/
+    terraform init
+    terraform plan -out terraform.tfplan
+    terraform apply terraform.tfplan
+)
+```
+
+4. Deploy the `gke-autoneg-controller` into a GKE cluster and configure it according to the instructions. This will create a Network Endpoint Group for a service and bind it to this load balancer.
+
+
+## Cleanup
+
+1. Delete the load balancing resources created by terraform:
+
+```
+terraform destroy
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| network\_name | n/a | `string` | `"traffic-director-lb"` | no |
+| project\_id | n/a | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/examples/traffic-director/main.tf b/examples/traffic-director/main.tf
@@ -0,0 +1,85 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+provider "google" {
+  project = var.project_id
+}
+
+provider "google-beta" {
+  project = var.project_id
+}
+
+resource "google_compute_network" "default" {
+  name                    = var.network_name
+  auto_create_subnetworks = true
+}
+
+module "load_balancer" {
+  source = "../../"
+
+  name           = "traffic-director-lb"
+  project        = var.project_id
+  create_address = false
+
+  load_balancing_scheme = "INTERNAL_SELF_MANAGED"
+  network               = google_compute_network.default.self_link
+  address               = "0.0.0.0"
+  firewall_networks     = []
+
+  backends = {
+    default = {
+      description                     = null
+      protocol                        = "HTTP"
+      port                            = 80
+      port_name                       = "http"
+      timeout_sec                     = 30
+      connection_draining_timeout_sec = 0
+      enable_cdn                      = false
+      edge_security_policy            = null
+      security_policy                 = null
+      session_affinity                = null
+      affinity_cookie_ttl_sec         = null
+      custom_request_headers          = null
+      custom_response_headers         = null
+      compression_mode                = null
+
+      health_check = {
+        check_interval_sec  = 15
+        timeout_sec         = 15
+        healthy_threshold   = 4
+        unhealthy_threshold = 4
+        request_path        = "/api/health"
+        port                = 443
+        host                = null
+        logging             = true
+      }
+
+      log_config = {
+        enable      = false
+        sample_rate = null
+      }
+
+      # leave blank, NEGs are dynamically added to the lb via autoneg
+      groups = []
+
+      iap_config = {
+        enable               = false
+        oauth2_client_id     = ""
+        oauth2_client_secret = ""
+      }
+    }
+  }
+}
diff --git a/examples/traffic-director/variables.tf b/examples/traffic-director/variables.tf
@@ -0,0 +1,24 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type = string
+}
+
+variable "network_name" {
+  default = "traffic-director-lb"
+  type    = string
+}
diff --git a/main.tf b/main.tf
@@ -24,6 +24,8 @@ locals {
 
   health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null }
 
+  is_internal      = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
+  internal_network = local.is_internal ? var.network : null
 }
 
 ### IPv4 block ###
@@ -37,6 +39,7 @@ resource "google_compute_global_forwarding_rule" "http" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https" {
@@ -49,11 +52,12 @@ resource "google_compute_global_forwarding_rule" "https" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default" {
   provider   = google-beta
-  count      = var.create_address ? 1 : 0
+  count      = local.is_internal ? 0 : var.create_address ? 1 : 0
   project    = var.project
   name       = "${var.name}-address"
   ip_version = "IPV4"
@@ -72,6 +76,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https_ipv6" {
@@ -84,11 +89,12 @@ resource "google_compute_global_forwarding_rule" "https_ipv6" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default_ipv6" {
   provider   = google-beta
-  count      = (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
+  count      = local.is_internal ? 0 : (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
   project    = var.project
   name       = "${var.name}-ipv6-address"
   ip_version = "IPV6"

diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md
@@ -129,6 +129,7 @@ Current version is 9.0. Upgrade guides:
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL"` | no |
 | managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`. | `list(string)` | `[]` | no |
 | name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes |
+| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no |
 | private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
 | project | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes |
 | quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |

diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf
@@ -24,6 +24,8 @@ locals {
 
   health_checked_backends = { for backend_index, backend_value in var.backends : backend_index => backend_value if backend_value["health_check"] != null }
 
+  is_internal      = var.load_balancing_scheme == "INTERNAL_SELF_MANAGED"
+  internal_network = local.is_internal ? var.network : null
 }
 
 ### IPv4 block ###
@@ -37,6 +39,7 @@ resource "google_compute_global_forwarding_rule" "http" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https" {
@@ -49,11 +52,12 @@ resource "google_compute_global_forwarding_rule" "https" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default" {
   provider   = google-beta
-  count      = var.create_address ? 1 : 0
+  count      = local.is_internal ? 0 : var.create_address ? 1 : 0
   project    = var.project
   name       = "${var.name}-address"
   ip_version = "IPV4"
@@ -72,6 +76,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
   port_range            = "80"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_forwarding_rule" "https_ipv6" {
@@ -84,11 +89,12 @@ resource "google_compute_global_forwarding_rule" "https_ipv6" {
   port_range            = "443"
   labels                = var.labels
   load_balancing_scheme = var.load_balancing_scheme
+  network               = local.internal_network
 }
 
 resource "google_compute_global_address" "default_ipv6" {
   provider   = google-beta
-  count      = (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
+  count      = local.is_internal ? 0 : (var.enable_ipv6 && var.create_ipv6_address) ? 1 : 0
   project    = var.project
   name       = "${var.name}-ipv6-address"
   ip_version = "IPV6"