map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))
timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)
health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})
log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})
groups = list(object({
group = string
balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
})) | n/a | yes |
-| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
-| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no |
+| certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
+| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no |
| create\_address | Create a new global IPv4 address | `bool` | `true` | no |
| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no |
+| create\_ssl\_certificate | If `true`, Create certificate using `private_key/certificate` | `bool` | `false` | no |
| create\_url\_map | Set to `false` if url\_map variable is provided. | `bool` | `true` | no |
| edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no |
| enable\_ipv6 | Enable IPv6 address on the CDN load-balancer | `bool` | `false` | no |
@@ -135,21 +136,20 @@ module "gce-lb-http" {
| ipv6\_address | An existing IPv6 address to use (the actual IP address value) | `string` | `null` | no |
| labels | The labels to attach to resources created by this module | `map(string)` | `{}` | no |
| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL"` | no |
-| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`. | `list(string)` | `[]` | no |
+| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes |
| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no |
-| private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
+| private\_key | Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
| project | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes |
| quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
| random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
| security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
-| ssl | Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self\_link certs | `bool` | `false` | no |
-| ssl\_certificates | SSL cert self\_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided. | `list(string)` | `[]` | no |
+| ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
+| ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no |
-| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |
## Outputs
@@ -161,6 +161,7 @@ module "gce-lb-http" {
| http\_proxy | The HTTP proxy used by this module. |
| https\_proxy | The HTTPS proxy used by this module. |
| ipv6\_enabled | Whether IPv6 configuration is enabled on this load-balancer |
+| ssl\_certificate\_created | The SSL certificate create from key/pem |
| url\_map | The default URL map used by this module. |
diff --git a/autogen/README.md b/autogen/README.md
index 08217367..ec5cc46e 100644
--- a/autogen/README.md
+++ b/autogen/README.md
@@ -50,7 +50,7 @@ Current version is 9.0. Upgrade guides:
- [6.X -> 7.0](/docs/upgrading_to_v7.0.md)
- [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
- [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
-
+- [9.X -> 10.0](/docs/upgrading_to_v10.0.m)
## Usage
diff --git a/autogen/main.tf.tmpl b/autogen/main.tf.tmpl
index 56ea3f02..2ae6a0e7 100644
--- a/autogen/main.tf.tmpl
+++ b/autogen/main.tf.tmpl
@@ -47,7 +47,7 @@ resource "google_compute_global_forwarding_rule" "http" {
resource "google_compute_global_forwarding_rule" "https" {
provider = google-beta
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.address
@@ -84,7 +84,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
resource "google_compute_global_forwarding_rule" "https_ipv6" {
provider = google-beta
project = var.project
- count = var.enable_ipv6 && (var.ssl || var.certificate_map != null) ? 1 : 0
+ count = var.enable_ipv6 && var.ssl ? 1 : 0
name = "${var.name}-ipv6-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.ipv6_address
@@ -115,7 +115,7 @@ resource "google_compute_target_http_proxy" "default" {
# HTTPS proxy when ssl is true
resource "google_compute_target_https_proxy" "default" {
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https-proxy"
url_map = local.url_map
@@ -127,7 +127,7 @@ resource "google_compute_target_https_proxy" "default" {
resource "google_compute_ssl_certificate" "default" {
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) == 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && var.create_ssl_certificate ? 1 : 0
name_prefix = "${var.name}-certificate-"
private_key = var.private_key
certificate = var.certificate
@@ -150,7 +150,7 @@ resource "random_id" "certificate" {
resource "google_compute_managed_ssl_certificate" "default" {
provider = google-beta
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 ? 1 : 0
name = var.random_certificate_suffix == true ? random_id.certificate[0].hex : "${var.name}-cert"
lifecycle {
diff --git a/autogen/outputs.tf.tmpl b/autogen/outputs.tf.tmpl
index c17a0ef4..8cbc4e2d 100644
--- a/autogen/outputs.tf.tmpl
+++ b/autogen/outputs.tf.tmpl
@@ -49,3 +49,8 @@ output "url_map" {
description = "The default URL map used by this module."
value = google_compute_url_map.default[*].self_link
}
+
+output "ssl_certificate_created" {
+ description = "The SSL certificate create from key/pem"
+ value = google_compute_ssl_certificate.default.*.self_link
+}
diff --git a/autogen/variables.tf.tmpl b/autogen/variables.tf.tmpl
index c56ba9d9..fdc50d9c 100644
--- a/autogen/variables.tf.tmpl
+++ b/autogen/variables.tf.tmpl
@@ -215,51 +215,57 @@ variable "http_forward" {
}
variable "ssl" {
- description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+ description = "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
type = bool
default = false
}
-variable "ssl_policy" {
- type = string
- description = "Selfink to SSL Policy"
- default = null
+variable "create_ssl_certificate" {
+ description = "If `true`, Create certificate using `private_key/certificate`"
+ type = bool
+ default = false
}
-variable "quic" {
- type = bool
- description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
- default = null
+variable "ssl_certificates" {
+ description = "SSL cert self_link list. Requires `ssl` to be set to `true`"
+ type = list(string)
+ default = []
}
variable "private_key" {
- description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "certificate" {
- description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "managed_ssl_certificate_domains" {
- description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`."
+ description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`"
type = list(string)
default = []
}
-variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
- type = bool
- default = false
+variable "certificate_map" {
+ description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`"
+ type = string
+ default = null
}
-variable "ssl_certificates" {
- description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
- type = list(string)
- default = []
+variable "ssl_policy" {
+ type = string
+ description = "Selfink to SSL Policy"
+ default = null
+}
+
+variable "quic" {
+ type = bool
+ description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
+ default = null
}
variable "edge_security_policy" {
@@ -298,12 +304,6 @@ variable "load_balancing_scheme" {
default = "EXTERNAL"
}
-variable "certificate_map" {
- description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy"
- type = string
- default = null
-}
-
variable "network" {
description = "Network for INTERNAL_SELF_MANAGED load balancing scheme"
type = string
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index fd28d8d8..ecada0c0 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -12,7 +12,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
-timeout: 4200s
+timeout: 5400s
steps:
- id: swap-module-refs
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
@@ -62,6 +62,32 @@ steps:
- id: traffic-director-example-teardown
name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
args: ['/bin/bash', '-c', 'cft test run TestAll/examples/traffic-director --stage teardown --verbose']
+# certificate-map example
+- id: certificate-map-example-init
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/certificate-map --stage init --verbose']
+- id: certificate-map-example-apply
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/certificate-map --stage apply --verbose']
+- id: certificate-map-example-verify
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/certificate-map --stage verify --verbose']
+- id: certificate-map-example-teardown
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/certificate-map --stage teardown --verbose']
+# managed-manual-certificates example
+- id: user-managed-google-managed-ssl-example-init
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/user-managed-google-managed-ssl --stage init --verbose']
+- id: user-managed-google-managed-ssl-example-apply
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/user-managed-google-managed-ssl --stage apply --verbose']
+- id: user-managed-google-managed-ssl-example-verify
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/user-managed-google-managed-ssl --stage verify --verbose']
+- id: user-managed-google-managed-ssl-example-teardown
+ name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+ args: ['/bin/bash', '-c', 'cft test run TestAll/examples/user-managed-google-managed-ssl --stage teardown --verbose']
tags:
- 'ci'
- 'integration'
diff --git a/docs/upgrading_to_v10.0.md b/docs/upgrading_to_v10.0.md
new file mode 100644
index 00000000..0eb5f8a2
--- /dev/null
+++ b/docs/upgrading_to_v10.0.md
@@ -0,0 +1,69 @@
+# Upgrading to v10.0
+
+The 10.0 release contains backwards-incompatible changes.
+
+---
+
+### use_ssl_certificates is replaced with create_ssl_certificate
+
+The `use_ssl_certificates` parameter has been removed. A new parameter `create_ssl_certificate` has been added. You can now create a load balancer with multiple certificates using certificate manager map or certificates (self managed, google managed)
+
+In order to create https load balancer you need to pass `ssl = true` and at least one of the following:
+
+1) list of self links to your own certificates passed to`ssl_certificates` OR
+2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR
+3) list of domains for `managed_ssl_certificate_domains`, OR
+4) Managed certificate using certificate manager by passing `certificate_map`
+
+Load balancer allows Either 1,2,3 or option 4
+
+---
+See example [user-managed-google-managed-ssl](/examples/user-managed-google-managed-ssl) for combination of `option 1,2,3` where root module will pass self link to certificates, private key/Pem and domain for google managed certificates. You can now attach google managed certificates and user managed certificates to the load balancer at the same time.
+
+
+```diff
+module "gce-lb-https" {
+- source = "GoogleCloudPlatform/lb-http/google"
+- version = "~> 9.0"
++ source = "GoogleCloudPlatform/lb-http/google"
++ version = "~> 10.0"
+- use_ssl_certificates = false
++ create_ssl_certificate = true
+ ssl = true
+ private_key = tls_private_key.single_key.private_key_pem
+ certificate = tls_self_signed_cert.single_cert.cert_pem
+ managed_ssl_certificate_domains = ["test.example.com"]
+ ssl_certificates = google_compute_ssl_certificate.example.*.self_link
+```
+
+Here is an example of how to pass list of self managed certificates and domain for google managed certificates. Leave pem/certificate parameter empty
+
+
+```diff
+module "gce-lb-https" {
+- source = "GoogleCloudPlatform/lb-http/google"
+- version = "~> 9.0"
++ source = "GoogleCloudPlatform/lb-http/google"
++ version = "~> 10.0"
+- use_ssl_certificates = false
++ create_ssl_certificate = false
+ ssl = true
+ managed_ssl_certificate_domains = ["test.example.com"]
+ ssl_certificates = google_compute_ssl_certificate.example.*.self_link
+```
+
+---
+
+See example [certificate-map](/examples/certificate-map) for `option 4` where root module will pass certificate map
+
+```diff
+module "gce-lb-https" {
+- source = "GoogleCloudPlatform/lb-http/google"
+- version = "~> 9.0"
++ source = "GoogleCloudPlatform/lb-http/google"
++ version = "~> 10.0"
+- use_ssl_certificates = false
++ create_ssl_certificate = false
+ ssl = true
+ certificate_map = var.cert_map_name
+```
diff --git a/examples/certificate-map/README.md b/examples/certificate-map/README.md
new file mode 100644
index 00000000..ffb2653f
--- /dev/null
+++ b/examples/certificate-map/README.md
@@ -0,0 +1,30 @@
+# Certificate Map Example
+
+This example shows how to use certificate maps with the HTTPS Load Balancer module.
+
+## Run Terraform
+
+```
+terraform init
+terraform apply
+```
+
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| group1\_region | n/a | `string` | `"us-west1"` | no |
+| network\_name | n/a | `string` | `"tf-lb-https-cert-map"` | no |
+| project\_id | n/a | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| asset-url | n/a |
+| group1\_region | n/a |
+| load-balancer-ip | n/a |
+| project\_id | n/a |
+
+
diff --git a/examples/certificate-map/certificate-map.tf b/examples/certificate-map/certificate-map.tf
new file mode 100644
index 00000000..78fd5218
--- /dev/null
+++ b/examples/certificate-map/certificate-map.tf
@@ -0,0 +1,45 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ cert_map_name = "projects/${var.project_id}/locations/global/certificateMaps/certmgr-map"
+}
+
+resource "google_certificate_manager_certificate" "all" {
+ name = "certmgr-cert"
+ description = "The default cert for all domains"
+ project = var.project_id
+ managed {
+ domains = [
+ "test.example.com",
+ ]
+ }
+}
+
+resource "google_certificate_manager_certificate_map" "certificate_map" {
+ name = "certmgr-map"
+ description = "My certificate map"
+ project = var.project_id
+}
+
+resource "google_certificate_manager_certificate_map_entry" "map_entry_web1" {
+ project = var.project_id
+ name = "certmgr-map-entry-web1"
+ description = "My test certificate map entry"
+ map = google_certificate_manager_certificate_map.certificate_map.name
+ certificates = [google_certificate_manager_certificate.all.id]
+ hostname = "test.example.com"
+}
diff --git a/examples/certificate-map/gceme.sh.tpl b/examples/certificate-map/gceme.sh.tpl
new file mode 100644
index 00000000..97b22459
--- /dev/null
+++ b/examples/certificate-map/gceme.sh.tpl
@@ -0,0 +1,127 @@
+#!/bin/bash -xe
+
+# introducing sleep so network interfaces and routes can get ready before fetching software
+sleep 10
+
+RPM_INSTALL_ARGS="install -y httpd php php-common"
+
+if [ -f "/etc/redhat-release" ]; then
+ yum update -y || dnf update -y
+ yum $RPM_INSTALL_ARGS || dnf $RPM_INSTALL_ARGS
+else
+ apt-get update
+ apt-get install -y apache2 libapache2-mod-php
+fi
+
+cat > /var/www/html/index.php <<'EOF'
+ array(
+ "method" => "GET",
+ "header" => "Metadata-Flavor: Google"
+ )
+ );
+ $context = stream_context_create($opts);
+ $content = file_get_contents("http://metadata/computeMetadata/v1/$value", false, $context);
+ return $content;
+}
+if ($_SERVER['HTTP_X_FORWARDED_PROTO'] == "http") {
+ $redirect = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
+ header('HTTP/1.1 301 Moved Permanently');
+ header('Location: ' . $redirect);
+ exit();
+}
+?>
+
+
+
+
+
+
+
+
+
+
+
+| Name | ++ |
| ID | ++ |
| Hostname | ++ |
| Zone | ++ |
| Machine Type | ++ |
| Project | ++ |
| Internal IP | ++ |
| External IP | ++ |
| Address | ++ |
map(object({
port = optional(number)
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))
timeout_sec = optional(number)
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)
health_check = object({
host = optional(string)
request_path = optional(string)
request = optional(string)
response = optional(string)
port = optional(number)
port_name = optional(string)
proxy_header = optional(string)
port_specification = optional(string)
protocol = optional(string)
check_interval_sec = optional(number)
timeout_sec = optional(number)
healthy_threshold = optional(number)
unhealthy_threshold = optional(number)
logging = optional(bool)
})
log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})
groups = list(object({
group = string
balancing_mode = optional(string)
capacity_scaler = optional(number)
description = optional(string)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
})) | n/a | yes |
-| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
-| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no |
+| certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
+| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no |
| create\_address | Create a new global IPv4 address | `bool` | `true` | no |
| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no |
+| create\_ssl\_certificate | If `true`, Create certificate using `private_key/certificate` | `bool` | `false` | no |
| create\_url\_map | Set to `false` if url\_map variable is provided. | `bool` | `true` | no |
| edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no |
| enable\_ipv6 | Enable IPv6 address on the CDN load-balancer | `bool` | `false` | no |
@@ -128,21 +129,20 @@ module "gce-lb-http" {
| ipv6\_address | An existing IPv6 address to use (the actual IP address value) | `string` | `null` | no |
| labels | The labels to attach to resources created by this module | `map(string)` | `{}` | no |
| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL"` | no |
-| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`. | `list(string)` | `[]` | no |
+| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes |
| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no |
-| private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
+| private\_key | Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
| project | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes |
| quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
| random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
| security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
-| ssl | Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self\_link certs | `bool` | `false` | no |
-| ssl\_certificates | SSL cert self\_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided. | `list(string)` | `[]` | no |
+| ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
+| ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no |
| url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no |
-| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |
## Outputs
@@ -154,6 +154,7 @@ module "gce-lb-http" {
| http\_proxy | The HTTP proxy used by this module. |
| https\_proxy | The HTTPS proxy used by this module. |
| ipv6\_enabled | Whether IPv6 configuration is enabled on this load-balancer |
+| ssl\_certificate\_created | The SSL certificate create from key/pem |
| url\_map | The default URL map used by this module. |
diff --git a/modules/dynamic_backends/main.tf b/modules/dynamic_backends/main.tf
index 164982ab..066e2350 100644
--- a/modules/dynamic_backends/main.tf
+++ b/modules/dynamic_backends/main.tf
@@ -45,7 +45,7 @@ resource "google_compute_global_forwarding_rule" "http" {
resource "google_compute_global_forwarding_rule" "https" {
provider = google-beta
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.address
@@ -82,7 +82,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
resource "google_compute_global_forwarding_rule" "https_ipv6" {
provider = google-beta
project = var.project
- count = var.enable_ipv6 && (var.ssl || var.certificate_map != null) ? 1 : 0
+ count = var.enable_ipv6 && var.ssl ? 1 : 0
name = "${var.name}-ipv6-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.ipv6_address
@@ -113,7 +113,7 @@ resource "google_compute_target_http_proxy" "default" {
# HTTPS proxy when ssl is true
resource "google_compute_target_https_proxy" "default" {
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https-proxy"
url_map = local.url_map
@@ -125,7 +125,7 @@ resource "google_compute_target_https_proxy" "default" {
resource "google_compute_ssl_certificate" "default" {
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) == 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && var.create_ssl_certificate ? 1 : 0
name_prefix = "${var.name}-certificate-"
private_key = var.private_key
certificate = var.certificate
@@ -148,7 +148,7 @@ resource "random_id" "certificate" {
resource "google_compute_managed_ssl_certificate" "default" {
provider = google-beta
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 ? 1 : 0
name = var.random_certificate_suffix == true ? random_id.certificate[0].hex : "${var.name}-cert"
lifecycle {
diff --git a/modules/dynamic_backends/outputs.tf b/modules/dynamic_backends/outputs.tf
index c17a0ef4..f6d9da29 100644
--- a/modules/dynamic_backends/outputs.tf
+++ b/modules/dynamic_backends/outputs.tf
@@ -49,3 +49,8 @@ output "url_map" {
description = "The default URL map used by this module."
value = google_compute_url_map.default[*].self_link
}
+
+output "ssl_certificate_created" {
+ description = "The SSL certificate create from key/pem"
+ value = google_compute_ssl_certificate.default.*.self_link
+}
diff --git a/modules/dynamic_backends/variables.tf b/modules/dynamic_backends/variables.tf
index 5f27bff0..56018f1b 100644
--- a/modules/dynamic_backends/variables.tf
+++ b/modules/dynamic_backends/variables.tf
@@ -202,51 +202,57 @@ variable "http_forward" {
}
variable "ssl" {
- description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+ description = "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
type = bool
default = false
}
-variable "ssl_policy" {
- type = string
- description = "Selfink to SSL Policy"
- default = null
+variable "create_ssl_certificate" {
+ description = "If `true`, Create certificate using `private_key/certificate`"
+ type = bool
+ default = false
}
-variable "quic" {
- type = bool
- description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
- default = null
+variable "ssl_certificates" {
+ description = "SSL cert self_link list. Requires `ssl` to be set to `true`"
+ type = list(string)
+ default = []
}
variable "private_key" {
- description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "certificate" {
- description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "managed_ssl_certificate_domains" {
- description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`."
+ description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`"
type = list(string)
default = []
}
-variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
- type = bool
- default = false
+variable "certificate_map" {
+ description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`"
+ type = string
+ default = null
}
-variable "ssl_certificates" {
- description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
- type = list(string)
- default = []
+variable "ssl_policy" {
+ type = string
+ description = "Selfink to SSL Policy"
+ default = null
+}
+
+variable "quic" {
+ type = bool
+ description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
+ default = null
}
variable "edge_security_policy" {
@@ -285,12 +291,6 @@ variable "load_balancing_scheme" {
default = "EXTERNAL"
}
-variable "certificate_map" {
- description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy"
- type = string
- default = null
-}
-
variable "network" {
description = "Network for INTERNAL_SELF_MANAGED load balancing scheme"
type = string
diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md
index 9e1588b7..5999a26d 100644
--- a/modules/serverless_negs/README.md
+++ b/modules/serverless_negs/README.md
@@ -22,7 +22,7 @@ Current version is 9.0. Upgrade guides:
- [6.X -> 7.0](/docs/upgrading_to_v7.0.md)
- [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
- [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
-
+- [9.X -> 10.0](/docs/upgrading_to_v10.0.m)
## Usage
@@ -80,10 +80,11 @@ module "lb-http" {
|------|-------------|------|---------|:--------:|
| address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no |
| backends | Map backend indices to list of backend maps. | map(object({
project = optional(string)
protocol = optional(string)
port_name = optional(string)
description = optional(string)
enable_cdn = optional(bool)
compression_mode = optional(string)
security_policy = optional(string, null)
edge_security_policy = optional(string, null)
custom_request_headers = optional(list(string))
custom_response_headers = optional(list(string))
connection_draining_timeout_sec = optional(number)
session_affinity = optional(string)
affinity_cookie_ttl_sec = optional(number)
log_config = object({
enable = optional(bool)
sample_rate = optional(number)
})
groups = list(object({
group = string
}))
iap_config = object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
cdn_policy = optional(object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
serve_while_stale = optional(number)
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
}))
outlier_detection = optional(object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
}))
})) | n/a | yes |
-| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
-| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy | `string` | `null` | no |
+| certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
+| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no |
| create\_address | Create a new global IPv4 address | `bool` | `true` | no |
| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no |
+| create\_ssl\_certificate | If `true`, Create certificate using `private_key/certificate` | `bool` | `false` | no |
| create\_url\_map | Set to `false` if url\_map variable is provided. | `bool` | `true` | no |
| edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no |
| enable\_ipv6 | Enable IPv6 address on the CDN load-balancer | `bool` | `false` | no |
@@ -92,19 +93,18 @@ module "lb-http" {
| ipv6\_address | An existing IPv6 address to use (the actual IP address value) | `string` | `null` | no |
| labels | The labels to attach to resources created by this module | `map(string)` | `{}` | no |
| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL"` | no |
-| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`. | `list(string)` | `[]` | no |
+| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes |
| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no |
-| private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | `string` | `null` | no |
+| private\_key | Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no |
| project | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes |
| quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no |
| random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no |
| security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no |
-| ssl | Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self\_link certs | `bool` | `false` | no |
-| ssl\_certificates | SSL cert self\_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided. | `list(string)` | `[]` | no |
+| ssl | Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no |
+| ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no |
| ssl\_policy | Selfink to SSL Policy | `string` | `null` | no |
| url\_map | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no |
-| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | `bool` | `false` | no |
## Outputs
@@ -116,6 +116,7 @@ module "lb-http" {
| http\_proxy | The HTTP proxy used by this module. |
| https\_proxy | The HTTPS proxy used by this module. |
| ipv6\_enabled | Whether IPv6 configuration is enabled on this load-balancer |
+| ssl\_certificate\_created | The SSL certificate create from key/pem |
| url\_map | The default URL map used by this module. |
diff --git a/modules/serverless_negs/main.tf b/modules/serverless_negs/main.tf
index f80a0917..fe42890f 100644
--- a/modules/serverless_negs/main.tf
+++ b/modules/serverless_negs/main.tf
@@ -44,7 +44,7 @@ resource "google_compute_global_forwarding_rule" "http" {
resource "google_compute_global_forwarding_rule" "https" {
provider = google-beta
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.address
@@ -81,7 +81,7 @@ resource "google_compute_global_forwarding_rule" "http_ipv6" {
resource "google_compute_global_forwarding_rule" "https_ipv6" {
provider = google-beta
project = var.project
- count = var.enable_ipv6 && (var.ssl || var.certificate_map != null) ? 1 : 0
+ count = var.enable_ipv6 && var.ssl ? 1 : 0
name = "${var.name}-ipv6-https"
target = google_compute_target_https_proxy.default[0].self_link
ip_address = local.ipv6_address
@@ -112,7 +112,7 @@ resource "google_compute_target_http_proxy" "default" {
# HTTPS proxy when ssl is true
resource "google_compute_target_https_proxy" "default" {
project = var.project
- count = var.ssl || var.certificate_map != null ? 1 : 0
+ count = var.ssl ? 1 : 0
name = "${var.name}-https-proxy"
url_map = local.url_map
@@ -124,7 +124,7 @@ resource "google_compute_target_https_proxy" "default" {
resource "google_compute_ssl_certificate" "default" {
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) == 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && var.create_ssl_certificate ? 1 : 0
name_prefix = "${var.name}-certificate-"
private_key = var.private_key
certificate = var.certificate
@@ -147,7 +147,7 @@ resource "random_id" "certificate" {
resource "google_compute_managed_ssl_certificate" "default" {
provider = google-beta
project = var.project
- count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 && !var.use_ssl_certificates ? 1 : 0
+ count = var.ssl && length(var.managed_ssl_certificate_domains) > 0 ? 1 : 0
name = var.random_certificate_suffix == true ? random_id.certificate[0].hex : "${var.name}-cert"
lifecycle {
diff --git a/modules/serverless_negs/outputs.tf b/modules/serverless_negs/outputs.tf
index c17a0ef4..f6d9da29 100644
--- a/modules/serverless_negs/outputs.tf
+++ b/modules/serverless_negs/outputs.tf
@@ -49,3 +49,8 @@ output "url_map" {
description = "The default URL map used by this module."
value = google_compute_url_map.default[*].self_link
}
+
+output "ssl_certificate_created" {
+ description = "The SSL certificate create from key/pem"
+ value = google_compute_ssl_certificate.default.*.self_link
+}
diff --git a/modules/serverless_negs/variables.tf b/modules/serverless_negs/variables.tf
index 1629d1a2..59a56b3e 100644
--- a/modules/serverless_negs/variables.tf
+++ b/modules/serverless_negs/variables.tf
@@ -151,51 +151,57 @@ variable "http_forward" {
}
variable "ssl" {
- description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+ description = "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
type = bool
default = false
}
-variable "ssl_policy" {
- type = string
- description = "Selfink to SSL Policy"
- default = null
+variable "create_ssl_certificate" {
+ description = "If `true`, Create certificate using `private_key/certificate`"
+ type = bool
+ default = false
}
-variable "quic" {
- type = bool
- description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
- default = null
+variable "ssl_certificates" {
+ description = "SSL cert self_link list. Requires `ssl` to be set to `true`"
+ type = list(string)
+ default = []
}
variable "private_key" {
- description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "certificate" {
- description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "managed_ssl_certificate_domains" {
- description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`."
+ description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`"
type = list(string)
default = []
}
-variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
- type = bool
- default = false
+variable "certificate_map" {
+ description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`"
+ type = string
+ default = null
}
-variable "ssl_certificates" {
- description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
- type = list(string)
- default = []
+variable "ssl_policy" {
+ type = string
+ description = "Selfink to SSL Policy"
+ default = null
+}
+
+variable "quic" {
+ type = bool
+ description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
+ default = null
}
variable "edge_security_policy" {
@@ -234,12 +240,6 @@ variable "load_balancing_scheme" {
default = "EXTERNAL"
}
-variable "certificate_map" {
- description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy"
- type = string
- default = null
-}
-
variable "network" {
description = "Network for INTERNAL_SELF_MANAGED load balancing scheme"
type = string
diff --git a/outputs.tf b/outputs.tf
index c17a0ef4..f6d9da29 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -49,3 +49,8 @@ output "url_map" {
description = "The default URL map used by this module."
value = google_compute_url_map.default[*].self_link
}
+
+output "ssl_certificate_created" {
+ description = "The SSL certificate create from key/pem"
+ value = google_compute_ssl_certificate.default.*.self_link
+}
diff --git a/test/setup/main.tf b/test/setup/main.tf
index c94f1ce7..e011f519 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -34,6 +34,7 @@ module "project-ci-lb-http" {
"compute.googleapis.com",
"run.googleapis.com",
"iam.googleapis.com",
+ "certificatemanager.googleapis.com",
]
}
@@ -57,5 +58,6 @@ module "project-ci-lb-http-1" {
"compute.googleapis.com",
"run.googleapis.com",
"iam.googleapis.com",
+ "certificatemanager.googleapis.com",
]
}
diff --git a/variables.tf b/variables.tf
index 5f27bff0..56018f1b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -202,51 +202,57 @@ variable "http_forward" {
}
variable "ssl" {
- description = "Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs"
+ description = "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
type = bool
default = false
}
-variable "ssl_policy" {
- type = string
- description = "Selfink to SSL Policy"
- default = null
+variable "create_ssl_certificate" {
+ description = "If `true`, Create certificate using `private_key/certificate`"
+ type = bool
+ default = false
}
-variable "quic" {
- type = bool
- description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
- default = null
+variable "ssl_certificates" {
+ description = "SSL cert self_link list. Requires `ssl` to be set to `true`"
+ type = list(string)
+ default = []
}
variable "private_key" {
- description = "Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "certificate" {
- description = "Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty."
+ description = "Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`"
type = string
default = null
}
variable "managed_ssl_certificate_domains" {
- description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` and `use_ssl_certificates` set to `false`."
+ description = "Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`"
type = list(string)
default = []
}
-variable "use_ssl_certificates" {
- description = "If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate`"
- type = bool
- default = false
+variable "certificate_map" {
+ description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`"
+ type = string
+ default = null
}
-variable "ssl_certificates" {
- description = "SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided."
- type = list(string)
- default = []
+variable "ssl_policy" {
+ type = string
+ description = "Selfink to SSL Policy"
+ default = null
+}
+
+variable "quic" {
+ type = bool
+ description = "Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only."
+ default = null
}
variable "edge_security_policy" {
@@ -285,12 +291,6 @@ variable "load_balancing_scheme" {
default = "EXTERNAL"
}
-variable "certificate_map" {
- description = "Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy"
- type = string
- default = null
-}
-
variable "network" {
description = "Network for INTERNAL_SELF_MANAGED load balancing scheme"
type = string