diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md
index eb685f9ea..77b6e96a9 100644
--- a/modules/net-lb-app-ext-regional/README.md
+++ b/modules/net-lb-app-ext-regional/README.md
@@ -15,6 +15,7 @@ The variable space of this module closely mirrors that of [net-lb-app-ext](../n
- [HTTP backends](#http-backends)
- [HTTPS backends](#https-backends)
- [HTTP to HTTPS redirect](#http-to-https-redirect)
+ - [Backend Authenticated TLS](#backend-authenticated-tls)
- [Health Checks](#health-checks)
- [Backend Types and Management](#backend-types-and-management)
- [Instance Groups](#instance-groups)
@@ -218,6 +219,32 @@ module "ralb-test-0" {
# tftest modules=5 resources=16 fixtures=fixtures/ssl-certificate.tf,fixtures/compute-vm-group-bc.tf e2e
```
+### Backend Authenticated TLS
+
+This example shows how to configure Backend Authenticated TLS using the `tls_settings` block.
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-vm-group-b.group.id },
+ ]
+ tls_settings = {
+ sni = "backend.example.com"
+ subject_alt_names = ["backend.example.com"]
+ }
+ }
+ }
+}
+# tftest modules=3 resources=9 fixtures=fixtures/compute-vm-group-bc.tf inventory=tls-settings.yaml
+```
+
### Health Checks
You can leverage externally defined health checks for backend services, or have the module create them for you.
@@ -808,7 +835,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app
| [region](variables.tf#L217) | Region where the load balancer is created. | string | ✓ | |
| [vpc](variables.tf#L237) | VPC-level configuration. | string | ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null |
-| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
+| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
| [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." |
| [group_configs](variables.tf#L29) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
| [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} |
diff --git a/modules/net-lb-app-ext-regional/backend-service.tf b/modules/net-lb-app-ext-regional/backend-service.tf
index 1bb8b7a6e..a5f533267 100644
--- a/modules/net-lb-app-ext-regional/backend-service.tf
+++ b/modules/net-lb-app-ext-regional/backend-service.tf
@@ -247,4 +247,18 @@ resource "google_compute_region_backend_service" "default" {
}
}
}
+
+ dynamic "tls_settings" {
+ for_each = each.value.tls_settings == null ? [] : [each.value.tls_settings]
+ content {
+ authentication_config = tls_settings.value.authentication_config
+ sni = tls_settings.value.sni
+ dynamic "subject_alt_names" {
+ for_each = tls_settings.value.subject_alt_names == null ? [] : tls_settings.value.subject_alt_names
+ content {
+ dns_name = subject_alt_names.value
+ }
+ }
+ }
+ }
}
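Review bot: The new `tls_settings` block is emitted whatever the backend service protocol is, and the inventories added in this change pin it next to `protocol: HTTP`, so the examples never exercise a TLS connection to the backend. As far as I know the API accepts `tls_settings` only on HTTPS or HTTP2 backend services, so these plans would pass `tftest` and then be rejected or have no effect on apply; please confirm, and set the protocol explicitly in the README examples. A plan-time guard in `backend_service_configs` would catch the mismatch, for example a `validation` with `condition = alltrue([for k, v in var.backend_service_configs : v.tls_settings == null || contains(["HTTPS", "HTTP2"], coalesce(v.protocol, "HTTP"))])`, assuming the object has a `protocol` attribute (not visible in this diff). The same applies to the `tls_settings` hunks in net-lb-app-ext and net-lb-app-int. The resource body starts outside this hunk.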
diff --git a/modules/net-lb-app-ext-regional/variables-backend-service.tf b/modules/net-lb-app-ext-regional/variables-backend-service.tf
index 42f1b8995..4a0cf25f0 100644
--- a/modules/net-lb-app-ext-regional/variables-backend-service.tf
+++ b/modules/net-lb-app-ext-regional/variables-backend-service.tf
@@ -120,6 +120,11 @@ variable "backend_service_configs" {
nanos = optional(number)
}))
}))
+ tls_settings = optional(object({
+ authentication_config = optional(string)
+ sni = optional(string)
+ subject_alt_names = optional(list(string))
+ }))
}))
default = {}
nullable = false
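Review bot: `authentication_config` is a bare `optional(string)` with nothing stating what it must point to, and the only format hint in the change is the commented-out line in the net-lb-app-int README, whose `backendTlsPolicies/...` path I believe does not match the backend authentication config resource the provider field references (please verify). Since this attribute is what ties the backend connection to a trust configuration, I would document it where it is declared, e.g. `# authentication_config: full resource name of the network security backend authentication config used to validate the backend certificate`. Declaring `subject_alt_names = optional(list(string), [])` would also let the resource drop its `== null ? [] :` ternary. Both points apply equally to the matching hunk in net-lb-app-int/variables-backend-service.tf; the variable declaration starts outside this hunk.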
diff --git a/modules/net-lb-app-ext/README.md b/modules/net-lb-app-ext/README.md
index a1755fe29..d7be6fd12 100644
--- a/modules/net-lb-app-ext/README.md
+++ b/modules/net-lb-app-ext/README.md
@@ -28,6 +28,7 @@ Due to the complexity of the underlying resources, changes to the configuration
- [Cross Project Backend](#cross-project-backend)
- [URL Map](#url-map)
- [SSL Certificates](#ssl-certificates)
+ - [Backend Authenticated TLS](#backend-authenticated-tls)
- [Complex example](#complex-example)
- [Deploying changes to load balancer configurations](#deploying-changes-to-load-balancer-configurations)
- [Changing the Network Endpoint Group](#changing-the-network-endpoint-group)
@@ -762,6 +763,29 @@ module "glb-0" {
# tftest modules=3 resources=12 fixtures=fixtures/compute-vm-group-bc.tf inventory=ssl-certificates.yaml e2e
```
+### Backend Authenticated TLS
+
+This example shows how to configure Backend Authenticated TLS using the `tls_settings` block.
+
+```hcl
+module "glb-0" {
+ source = "./fabric/modules/net-lb-app-ext"
+ project_id = var.project_id
+ name = "glb-test-0"
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-vm-group-b.group.id },
+ ]
+ tls_settings = {
+ sni = "backend.example.com"
+ }
+ }
+ }
+}
+# tftest modules=3 resources=9 fixtures=fixtures/compute-vm-group-bc.tf inventory=tls-settings.yaml
+```
+
### Complex example
This example mixes group and NEG backends, and shows how to set HTTPS for specific backends.
@@ -1065,7 +1089,7 @@ After provisioning this change, and verifying that the new certificate is provis
| [name](variables.tf#L126) | Load balancer name. | string | ✓ | |
| [project_id](variables.tf#L241) | Project id. | string | ✓ | |
| [backend_buckets_config](variables.tf#L17) | Backend buckets configuration. | map(object({…})) | | {} |
-| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) })) | | {} |
+| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
| [description](variables.tf#L52) | Optional description used for resources. | string | | "Terraform managed." |
| [forwarding_rules_config](variables.tf#L58) | The optional forwarding rules configuration. | map(object({…})) | | {…} |
| [group_configs](variables.tf#L79) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
diff --git a/modules/net-lb-app-ext/backend-service.tf b/modules/net-lb-app-ext/backend-service.tf
index ec9cfabbe..0bd35bfef 100644
--- a/modules/net-lb-app-ext/backend-service.tf
+++ b/modules/net-lb-app-ext/backend-service.tf
@@ -292,4 +292,11 @@ resource "google_compute_backend_service" "default" {
}
}
}
+
+ dynamic "tls_settings" {
+ for_each = each.value.tls_settings == null ? [] : [each.value.tls_settings]
+ content {
+ sni = tls_settings.value.sni
+ }
+ }
}
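Review bot: Only `sni` is wired through for the global load balancer here, while the inventory added for this module shows the resource's `tls_settings` block also carrying `authentication_config` and `subject_alt_names`, both of which the regional and internal modules in this same change expose. The README section is titled "Backend Authenticated TLS", but with this module a caller cannot attach an authentication config, so whether the backend certificate chain is actually validated is left to provider defaults (I would expect it is not, but please confirm). Either add the two attributes to the object in variables-backend-service.tf and to this block, as in the other modules, or add a comment such as `# only sni is exposed; backend certificate validation needs authentication_config, which is not yet wired here`. The resource body starts outside this hunk.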
diff --git a/modules/net-lb-app-ext/variables-backend-service.tf b/modules/net-lb-app-ext/variables-backend-service.tf
index 7e702a7b6..20d58d7f4 100644
--- a/modules/net-lb-app-ext/variables-backend-service.tf
+++ b/modules/net-lb-app-ext/variables-backend-service.tf
@@ -142,7 +142,11 @@ variable "backend_service_configs" {
access_key_version = optional(string)
origin_region = optional(string)
}))
- })) }))
+ }))
+ tls_settings = optional(object({
+ sni = optional(string)
+ }))
+ }))
default = {}
nullable = false
validation {
diff --git a/modules/net-lb-app-int/README.md b/modules/net-lb-app-int/README.md
index 10876d9a1..b1a4612b5 100644
--- a/modules/net-lb-app-int/README.md
+++ b/modules/net-lb-app-int/README.md
@@ -21,6 +21,7 @@ Due to the complexity of the underlying resources, changes to the configuration
- [Internet NEG creation](#internet-neg-creation)
- [URL Map](#url-map)
- [SSL Certificates](#ssl-certificates)
+ - [Backend Authenticated TLS](#backend-authenticated-tls)
- [PSC service attachment](#psc-service-attachment)
- [Complex example](#complex-example)
- [Deploying changes to load balancer configurations](#deploying-changes-to-load-balancer-configurations)
@@ -634,6 +635,36 @@ module "ilb-l7" {
# tftest modules=1 resources=8
```
+### Backend Authenticated TLS
+
+This example shows how to configure Backend Authenticated TLS using the `tls_settings` block.
+
+```hcl
+module "ilb-l7" {
+ source = "./fabric/modules/net-lb-app-int"
+ name = "ilb-test"
+ project_id = var.project_id
+ region = "europe-west1"
+ backend_service_configs = {
+ default = {
+ backends = [{
+ group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+ }]
+ tls_settings = {
+ # authentication_config = "projects/myprj/locations/europe-west1/backendTlsPolicies/my-policy"
+ sni = "backend.example.com"
+ subject_alt_names = ["backend.example.com"]
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }
+}
+# tftest modules=1 resources=5 inventory=tls-settings.yaml
+```
+
### PSC service attachment
The optional `service_attachment` variable allows [publishing Private Service Connect service](https://cloud.google.com/vpc/docs/configure-private-service-connect-producer) by configuring service attachment for the forwarding rule.
@@ -826,7 +857,7 @@ For deploying changes to load balancer configuration please refer to [net-lb-app
| [region](variables.tf#L196) | The region where to allocate the ILB resources. | string | ✓ | |
| [vpc_config](variables.tf#L239) | VPC-level configuration. | object({…}) | ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null |
-| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
+| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
| [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." |
| [global_access](variables.tf#L30) | Allow client access from all regions. | bool | | null |
| [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
diff --git a/modules/net-lb-app-int/backend-service.tf b/modules/net-lb-app-int/backend-service.tf
index 58864adaf..85b39e9bb 100644
--- a/modules/net-lb-app-int/backend-service.tf
+++ b/modules/net-lb-app-int/backend-service.tf
@@ -220,4 +220,20 @@ resource "google_compute_region_backend_service" "default" {
policy = "CONSISTENT_HASH_SUBSETTING"
}
}
+
+ dynamic "tls_settings" {
+ for_each = each.value.tls_settings == null ? [] : [each.value.tls_settings]
+ content {
+ # authentication_config is not supported by the beta provider in this resource?
+ # Wait, lint will tell me. Search result said yes.
+ authentication_config = tls_settings.value.authentication_config
+ sni = tls_settings.value.sni
+ dynamic "subject_alt_names" {
+ for_each = tls_settings.value.subject_alt_names == null ? [] : tls_settings.value.subject_alt_names
+ content {
+ dns_name = subject_alt_names.value
+ }
+ }
+ }
+ }
}
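Review bot: The two comment lines inside `content` ("authentication_config is not supported by the beta provider in this resource?" and "Wait, lint will tell me. Search result said yes.") are leftover working notes that record an unresolved doubt about whether this attribute is supported, and they should not ship. If support was confirmed against the provider schema, delete them; if it depends on a provider version, replace them with a factual comment such as `# authentication_config requires a provider release that supports tls_settings on region backend services`. The identical block in net-lb-app-ext-regional carries no such comment, so removing them also keeps the two modules consistent. The resource body starts outside this hunk.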
diff --git a/modules/net-lb-app-int/variables-backend-service.tf b/modules/net-lb-app-int/variables-backend-service.tf
index fbd89f8af..f38019fb7 100644
--- a/modules/net-lb-app-int/variables-backend-service.tf
+++ b/modules/net-lb-app-int/variables-backend-service.tf
@@ -97,6 +97,11 @@ variable "backend_service_configs" {
nanos = optional(number)
}))
}))
+ tls_settings = optional(object({
+ authentication_config = optional(string)
+ sni = optional(string)
+ subject_alt_names = optional(list(string))
+ }))
}))
default = {}
nullable = false
diff --git a/tests/modules/net_lb_app_ext/examples/tls-settings.yaml b/tests/modules/net_lb_app_ext/examples/tls-settings.yaml
new file mode 100644
index 000000000..86018ea12
--- /dev/null
+++ b/tests/modules/net_lb_app_ext/examples/tls-settings.yaml
@@ -0,0 +1,296 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.compute-vm-group-b.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ disk_encryption_key_rsa: null
+ disk_encryption_service_account: null
+ force_attach: null
+ initialize_params:
+ - enable_confidential_compute: null
+ image: cos-cloud/cos-stable
+ resource_manager_tags: null
+ size: 10
+ source_image_encryption_key: []
+ source_snapshot_encryption_key: []
+ storage_pool: null
+ type: pd-balanced
+ interface: null
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_display: false
+ hostname: null
+ instance_encryption_key: []
+ key_revocation_action_type: NONE
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: my-ig-b
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ partner_metadata: null
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ availability_domain: null
+ graceful_shutdown: []
+ host_error_timeout_seconds: null
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ on_instance_stop_action: []
+ preemptible: false
+ provisioning_model: STANDARD
+ skip_guest_os_shutdown: false
+ termination_time: null
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ zone: europe-west8-b
+ module.compute-vm-group-b.google_compute_instance_group.unmanaged[0]:
+ description: Managed by the compute-vm Terraform module.
+ name: my-ig-b
+ named_port: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ project: project-id
+ timeouts: null
+ zone: europe-west8-b
+ module.compute-vm-group-c.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ disk_encryption_key_rsa: null
+ disk_encryption_service_account: null
+ force_attach: null
+ initialize_params:
+ - enable_confidential_compute: null
+ image: cos-cloud/cos-stable
+ resource_manager_tags: null
+ size: 10
+ source_image_encryption_key: []
+ source_snapshot_encryption_key: []
+ storage_pool: null
+ type: pd-balanced
+ interface: null
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_display: false
+ hostname: null
+ instance_encryption_key: []
+ key_revocation_action_type: NONE
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: my-ig-c
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ partner_metadata: null
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ availability_domain: null
+ graceful_shutdown: []
+ host_error_timeout_seconds: null
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ on_instance_stop_action: []
+ preemptible: false
+ provisioning_model: STANDARD
+ skip_guest_os_shutdown: false
+ termination_time: null
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ zone: europe-west8-c
+ module.compute-vm-group-c.google_compute_instance_group.unmanaged[0]:
+ description: Managed by the compute-vm Terraform module.
+ name: my-ig-c
+ named_port: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ project: project-id
+ timeouts: null
+ zone: europe-west8-c
+ module.glb-0.google_compute_backend_service.default["default"]:
+ affinity_cookie_ttl_sec: null
+ circuit_breakers: []
+ compression_mode: null
+ connection_draining_timeout_sec: 300
+ consistent_hash: []
+ custom_metrics: []
+ custom_request_headers: null
+ custom_response_headers: null
+ description: Terraform managed.
+ dynamic_forwarding: []
+ edge_security_policy: null
+ enable_cdn: null
+ external_managed_migration_state: null
+ external_managed_migration_testing_percentage: null
+ ip_address_selection_policy: null
+ load_balancing_scheme: EXTERNAL
+ locality_lb_policies: []
+ locality_lb_policy: null
+ max_stream_duration: []
+ name: glb-test-0-default
+ network_pass_through_lb_traffic_policy: []
+ outlier_detection: []
+ params: []
+ port_name: http
+ project: project-id
+ protocol: HTTP
+ security_policy: null
+ security_settings: []
+ service_lb_policy: null
+ strong_session_affinity_cookie: []
+ timeouts: null
+ tls_settings:
+ - authentication_config: null
+ sni: backend.example.com
+ subject_alt_names: []
+ module.glb-0.google_compute_global_forwarding_rule.default[""]:
+ allow_psc_global_access: null
+ description: Terraform managed.
+ external_managed_backend_bucket_migration_state: null
+ external_managed_backend_bucket_migration_testing_percentage: null
+ ip_protocol: TCP
+ ip_version: IPV4
+ labels: null
+ load_balancing_scheme: EXTERNAL
+ metadata_filters: []
+ name: glb-test-0
+ no_automate_dns_zone: null
+ port_range: '80'
+ project: project-id
+ source_ip_ranges: null
+ timeouts: null
+ module.glb-0.google_compute_health_check.default["default"]:
+ check_interval_sec: 5
+ description: Terraform managed.
+ grpc_health_check: []
+ grpc_tls_health_check: []
+ healthy_threshold: 2
+ http2_health_check: []
+ http_health_check:
+ - host: null
+ port: null
+ port_name: null
+ port_specification: USE_SERVING_PORT
+ proxy_header: NONE
+ request_path: /
+ response: null
+ https_health_check: []
+ name: glb-test-0-default
+ project: project-id
+ source_regions: null
+ ssl_health_check: []
+ tcp_health_check: []
+ timeout_sec: 5
+ timeouts: null
+ unhealthy_threshold: 2
+ module.glb-0.google_compute_target_http_proxy.default[0]:
+ description: Terraform managed.
+ http_keep_alive_timeout_sec: null
+ name: glb-test-0
+ project: project-id
+ timeouts: null
+ module.glb-0.google_compute_url_map.default:
+ default_custom_error_response_policy: []
+ default_route_action: []
+ default_url_redirect: []
+ description: Terraform managed.
+ header_action: []
+ host_rule: []
+ name: glb-test-0
+ path_matcher: []
+ project: project-id
+ test: []
+ timeouts: null
+
+counts:
+ google_compute_backend_service: 1
+ google_compute_global_forwarding_rule: 1
+ google_compute_health_check: 1
+ google_compute_instance: 2
+ google_compute_instance_group: 2
+ google_compute_target_http_proxy: 1
+ google_compute_url_map: 1
+ modules: 3
+ resources: 9
+
+outputs: {}
diff --git a/tests/modules/net_lb_app_ext_regional/examples/tls-settings.yaml b/tests/modules/net_lb_app_ext_regional/examples/tls-settings.yaml
new file mode 100644
index 000000000..9d66af5de
--- /dev/null
+++ b/tests/modules/net_lb_app_ext_regional/examples/tls-settings.yaml
@@ -0,0 +1,302 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.compute-vm-group-b.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ disk_encryption_key_rsa: null
+ disk_encryption_service_account: null
+ force_attach: null
+ initialize_params:
+ - enable_confidential_compute: null
+ image: cos-cloud/cos-stable
+ resource_manager_tags: null
+ size: 10
+ source_image_encryption_key: []
+ source_snapshot_encryption_key: []
+ storage_pool: null
+ type: pd-balanced
+ interface: null
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_display: false
+ hostname: null
+ instance_encryption_key: []
+ key_revocation_action_type: NONE
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: my-ig-b
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ partner_metadata: null
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ availability_domain: null
+ graceful_shutdown: []
+ host_error_timeout_seconds: null
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ on_instance_stop_action: []
+ preemptible: false
+ provisioning_model: STANDARD
+ skip_guest_os_shutdown: false
+ termination_time: null
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ zone: europe-west8-b
+ module.compute-vm-group-b.google_compute_instance_group.unmanaged[0]:
+ description: Managed by the compute-vm Terraform module.
+ name: my-ig-b
+ named_port: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ project: project-id
+ timeouts: null
+ zone: europe-west8-b
+ module.compute-vm-group-c.google_compute_instance.default[0]:
+ advanced_machine_features: []
+ allow_stopping_for_update: true
+ attached_disk: []
+ boot_disk:
+ - auto_delete: true
+ disk_encryption_key_raw: null
+ disk_encryption_key_rsa: null
+ disk_encryption_service_account: null
+ force_attach: null
+ initialize_params:
+ - enable_confidential_compute: null
+ image: cos-cloud/cos-stable
+ resource_manager_tags: null
+ size: 10
+ source_image_encryption_key: []
+ source_snapshot_encryption_key: []
+ storage_pool: null
+ type: pd-balanced
+ interface: null
+ mode: READ_WRITE
+ can_ip_forward: false
+ deletion_protection: false
+ description: Managed by the compute-vm Terraform module.
+ desired_status: null
+ effective_labels:
+ goog-terraform-provisioned: 'true'
+ enable_display: false
+ hostname: null
+ instance_encryption_key: []
+ key_revocation_action_type: NONE
+ labels: null
+ machine_type: f1-micro
+ metadata: null
+ metadata_startup_script: null
+ name: my-ig-c
+ network_interface:
+ - access_config: []
+ alias_ip_range: []
+ ipv6_access_config: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ nic_type: null
+ queue_count: null
+ security_policy: null
+ subnetwork: subnet_self_link
+ network_performance_config: []
+ params: []
+ partner_metadata: null
+ project: project-id
+ resource_policies: null
+ scheduling:
+ - automatic_restart: true
+ availability_domain: null
+ graceful_shutdown: []
+ host_error_timeout_seconds: null
+ instance_termination_action: null
+ local_ssd_recovery_timeout: []
+ maintenance_interval: null
+ max_run_duration: []
+ min_node_cpus: null
+ node_affinities: []
+ on_host_maintenance: MIGRATE
+ on_instance_stop_action: []
+ preemptible: false
+ provisioning_model: STANDARD
+ skip_guest_os_shutdown: false
+ termination_time: null
+ scratch_disk: []
+ service_account:
+ - scopes:
+ - https://www.googleapis.com/auth/devstorage.read_only
+ - https://www.googleapis.com/auth/logging.write
+ - https://www.googleapis.com/auth/monitoring.write
+ shielded_instance_config: []
+ tags: null
+ terraform_labels:
+ goog-terraform-provisioned: 'true'
+ timeouts: null
+ zone: europe-west8-c
+ module.compute-vm-group-c.google_compute_instance_group.unmanaged[0]:
+ description: Managed by the compute-vm Terraform module.
+ name: my-ig-c
+ named_port: []
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ project: project-id
+ timeouts: null
+ zone: europe-west8-c
+ module.ralb-0.google_compute_forwarding_rule.default:
+ all_ports: null
+ allow_global_access: null
+ allow_psc_global_access: null
+ backend_service: null
+ description: Terraform managed.
+ ip_collection: null
+ ip_protocol: TCP
+ is_mirroring_collector: null
+ labels: null
+ load_balancing_scheme: EXTERNAL_MANAGED
+ name: ralb-test-0
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ network_tier: STANDARD
+ no_automate_dns_zone: null
+ port_range: '80'
+ ports: null
+ project: project-id
+ recreate_closed_psc: false
+ region: europe-west8
+ service_label: null
+ source_ip_ranges: null
+ timeouts: null
+ module.ralb-0.google_compute_region_backend_service.default["default"]:
+ affinity_cookie_ttl_sec: null
+ circuit_breakers: []
+ connection_draining_timeout_sec: 300
+ connection_tracking_policy: []
+ consistent_hash: []
+ custom_metrics: []
+ description: Terraform managed.
+ dynamic_forwarding: []
+ enable_cdn: null
+ failover_policy: []
+ ha_policy: []
+ ip_address_selection_policy: null
+ load_balancing_scheme: EXTERNAL_MANAGED
+ locality_lb_policy: null
+ name: ralb-test-0-default
+ network: null
+ network_pass_through_lb_traffic_policy: []
+ outlier_detection: []
+ params: []
+ port_name: http
+ project: project-id
+ protocol: HTTP
+ region: europe-west8
+ security_policy: null
+ strong_session_affinity_cookie: []
+ subsetting: []
+ timeouts: null
+ tls_settings:
+ - authentication_config: null
+ sni: backend.example.com
+ subject_alt_names:
+ - dns_name: backend.example.com
+ uniform_resource_identifier: null
+ module.ralb-0.google_compute_region_health_check.default["default"]:
+ check_interval_sec: 5
+ description: Terraform managed.
+ grpc_health_check: []
+ grpc_tls_health_check: []
+ healthy_threshold: 2
+ http2_health_check: []
+ http_health_check:
+ - host: null
+ port: null
+ port_name: null
+ port_specification: USE_SERVING_PORT
+ proxy_header: NONE
+ request_path: /
+ response: null
+ https_health_check: []
+ name: ralb-test-0-default
+ project: project-id
+ region: europe-west8
+ ssl_health_check: []
+ tcp_health_check: []
+ timeout_sec: 5
+ timeouts: null
+ unhealthy_threshold: 2
+ module.ralb-0.google_compute_region_target_http_proxy.default[0]:
+ description: Terraform managed.
+ http_keep_alive_timeout_sec: null
+ name: ralb-test-0
+ project: project-id
+ region: europe-west8
+ timeouts: null
+ module.ralb-0.google_compute_region_url_map.default:
+ default_route_action: []
+ default_url_redirect: []
+ description: Terraform managed.
+ header_action: []
+ host_rule: []
+ name: ralb-test-0
+ path_matcher: []
+ project: project-id
+ region: europe-west8
+ test: []
+ timeouts: null
+
+counts:
+ google_compute_forwarding_rule: 1
+ google_compute_region_backend_service: 1
+ google_compute_region_health_check: 1
+ google_compute_region_target_http_proxy: 1
+ google_compute_region_url_map: 1
+ google_compute_instance: 2
+ google_compute_instance_group: 2
+ modules: 3
+ resources: 9
+
+outputs: {}
diff --git a/tests/modules/net_lb_app_int/examples/tls-settings.yaml b/tests/modules/net_lb_app_int/examples/tls-settings.yaml
new file mode 100644
index 000000000..ac9c7ed87
--- /dev/null
+++ b/tests/modules/net_lb_app_int/examples/tls-settings.yaml
@@ -0,0 +1,141 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ilb-l7.google_compute_forwarding_rule.default:
+ all_ports: null
+ allow_global_access: null
+ allow_psc_global_access: null
+ backend_service: null
+ description: Terraform managed.
+ ip_collection: null
+ ip_protocol: TCP
+ is_mirroring_collector: null
+ labels: null
+ load_balancing_scheme: INTERNAL_MANAGED
+ name: ilb-test
+ network: https://www.googleapis.com/compute/v1/projects/xxx/global/networks/aaa
+ network_tier: PREMIUM
+ no_automate_dns_zone: null
+ port_range: '80'
+ ports: null
+ project: project-id
+ recreate_closed_psc: false
+ region: europe-west1
+ service_label: null
+ source_ip_ranges: null
+ subnetwork: subnet_self_link
+ timeouts: null
+ module.ilb-l7.google_compute_health_check.default["default"]:
+ check_interval_sec: 5
+ description: Terraform managed.
+ grpc_health_check: []
+ grpc_tls_health_check: []
+ healthy_threshold: 2
+ http2_health_check: []
+ http_health_check:
+ - host: null
+ port: null
+ port_name: null
+ port_specification: USE_SERVING_PORT
+ proxy_header: NONE
+ request_path: /
+ response: null
+ https_health_check: []
+ name: ilb-test-default
+ project: project-id
+ source_regions: null
+ ssl_health_check: []
+ tcp_health_check: []
+ timeout_sec: 5
+ timeouts: null
+ unhealthy_threshold: 2
+ module.ilb-l7.google_compute_region_backend_service.default["default"]:
+ affinity_cookie_ttl_sec: null
+ backend:
+ - balancing_mode: UTILIZATION
+ capacity_scaler: 1
+ custom_metrics: []
+ description: Terraform managed.
+ failover: false
+ group: projects/myprj/zones/europe-west1-a/instanceGroups/my-ig
+ max_connections: null
+ max_connections_per_endpoint: null
+ max_connections_per_instance: null
+ max_rate: null
+ max_rate_per_endpoint: null
+ max_rate_per_instance: null
+ max_utilization: null
+ traffic_duration: ''
+ circuit_breakers: []
+ connection_draining_timeout_sec: 300
+ connection_tracking_policy: []
+ consistent_hash: []
+ custom_metrics: []
+ description: Terraform managed.
+ dynamic_forwarding: []
+ enable_cdn: null
+ failover_policy: []
+ ha_policy: []
+ ip_address_selection_policy: null
+ load_balancing_scheme: INTERNAL_MANAGED
+ locality_lb_policy: null
+ name: ilb-test-default
+ network: null
+ network_pass_through_lb_traffic_policy: []
+ outlier_detection: []
+ params: []
+ project: project-id
+ protocol: HTTP
+ region: europe-west1
+ security_policy: null
+ strong_session_affinity_cookie: []
+ subsetting: []
+ timeouts: null
+ tls_settings:
+ - authentication_config: null
+ sni: backend.example.com
+ subject_alt_names:
+ - dns_name: backend.example.com
+ uniform_resource_identifier: null
+ module.ilb-l7.google_compute_region_target_http_proxy.default[0]:
+ description: Terraform managed.
+ http_keep_alive_timeout_sec: null
+ name: ilb-test
+ project: project-id
+ region: europe-west1
+ timeouts: null
+ module.ilb-l7.google_compute_region_url_map.default:
+ default_route_action: []
+ default_url_redirect: []
+ description: Terraform managed.
+ header_action: []
+ host_rule: []
+ name: ilb-test
+ path_matcher: []
+ project: project-id
+ region: europe-west1
+ test: []
+ timeouts: null
+
+counts:
+ google_compute_forwarding_rule: 1
+ google_compute_health_check: 1
+ google_compute_region_backend_service: 1
+ google_compute_region_target_http_proxy: 1
+ google_compute_region_url_map: 1
+ modules: 1
+ resources: 5
+
+outputs: {}