Refactor net-ilb-l7 module for Terraform 1.3 (#974)

* wip

* wip

* minimal example test

* wip

* instance group example

* neg examples

* example tests

* tfdoc

* readme

* tested

* example

* default urlmap value, remove stale variable

* tests

tests/modules/net_ilb_l7/fixture/main.tf

@@ -15,19 +15,24 @@
  */
 
 module "test" {
-  source                        = "../../../../modules/net-ilb-l7"
-  project_id                    = "my-project"
-  name                          = "ilb-l7-test"
-  region                        = "europe-west1"
-  network                       = "projects/my-project/global/networks/default"
-  subnetwork                    = "projects/my-project/regions/europe-west1/subnetworks/default"
-  backend_services_config       = var.backend_services_config
-  forwarding_rule_config        = var.forwarding_rule_config
-  health_checks_config          = var.health_checks_config
-  health_checks_config_defaults = var.health_checks_config_defaults
-  https                         = var.https
-  ssl_certificates_config       = var.ssl_certificates_config
-  static_ip_config              = var.static_ip_config
-  target_proxy_https_config     = var.target_proxy_https_config
-  url_map_config                = var.url_map_config
+  source     = "../../../../modules/net-ilb-l7"
+  project_id = "my-project"
+  name       = "ilb-l7-test"
+  region     = "europe-west1"
+  vpc_config = {
+    network    = "projects/my-project/global/networks/default"
+    subnetwork = "projects/my-project/regions/europe-west1/subnetworks/default"
+  }
+  address                 = var.address
+  backend_service_configs = var.backend_service_configs
+  description             = var.description
+  group_configs           = var.group_configs
+  health_check_configs    = var.health_check_configs
+  labels                  = var.labels
+  neg_configs             = var.neg_configs
+  network_tier_premium    = var.network_tier_premium
+  ports                   = var.ports
+  protocol                = var.protocol
+  ssl_certificates        = var.ssl_certificates
+  urlmap_config           = var.urlmap_config
 }

tests/modules/net_ilb_l7/fixture/test.defaults.tfvars

@@ -0,0 +1,7 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+    }]
+  }
+}

tests/modules/net_ilb_l7/fixture/test.groups.tfvars

@@ -0,0 +1,16 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "custom"
+    }]
+  }
+}
+group_configs = {
+  custom = {
+    zone = "europe-west1-b"
+    instances = [
+      "projects/myprj/zones/europe-west1-b/instances/vm-a"
+    ]
+    named_ports = { http = 80 }
+  }
+}

tests/modules/net_ilb_l7/fixture/test.health-checks-custom.tfvars

@@ -0,0 +1,16 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+    }]
+    health_checks = ["custom"]
+  }
+}
+health_check_configs = {
+  custom = {
+    tcp = {
+      port_specification = "USE_SERVING_PORT"
+    }
+  }
+}
+

tests/modules/net_ilb_l7/fixture/test.health-checks-external.tfvars

@@ -0,0 +1,10 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+    }]
+    health_checks = ["projects/myprj/global/healthChecks/custom"]
+  }
+}
+health_check_configs = {}
+

tests/modules/net_ilb_l7/fixture/test.https.tfvars

@@ -0,0 +1,6 @@
+protocol = "HTTPS"
+ssl_certificates = {
+  certificate_ids = [
+    "projects/myprj/regions/europe-west1/sslCertificates/my-cert"
+  ]
+}

tests/modules/net_ilb_l7/fixture/test.negs.tfvars

@@ -0,0 +1,17 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "custom"
+    }]
+  }
+}
+neg_configs = {
+  custom = {
+    zone = "europe-west1-b"
+    endpoints = [{
+      ip_address = "10.0.0.10"
+      instance   = "test-1"
+      port       = 80
+    }]
+  }
+}

tests/modules/net_ilb_l7/fixture/test.ssl.tfvars

@@ -0,0 +1,9 @@
+protocol = "HTTPS"
+ssl_certificates = {
+  create_configs = {
+    default = {
+      certificate = "FOO"
+      private_key = "FOO"
+    }
+  }
+}

tests/modules/net_ilb_l7/fixture/test.urlmaps.tfvars

@@ -0,0 +1,28 @@
+backend_service_configs = {
+  default = {
+    backends = [{
+      group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig"
+    }]
+  }
+  video = {
+    backends = [{
+      group = "projects/myprj/zones/europe-west1-a/instanceGroups/my-ig-2"
+    }]
+  }
+}
+urlmap_config = {
+  default_service = "default"
+  host_rules = [{
+    hosts        = ["*"]
+    path_matcher = "pathmap"
+  }]
+  path_matchers = {
+    pathmap = {
+      default_service = "default"
+      path_rules = [{
+        paths   = ["/video", "/video/*"]
+        service = "video"
+      }]
+    }
+  }
+}

tests/modules/net_ilb_l7/fixture/variables.tf

@@ -14,173 +14,71 @@
  * limitations under the License.
  */
 
-variable "backend_services_config" {
-  description = "The backends services configuration."
-  type = map(object({
-    backends = list(object({
-      group = string # IG FQDN address
-      options = object({
-        balancing_mode               = string # Can be UTILIZATION, RATE
-        capacity_scaler              = number # Valid range is [0.0,1.0]
-        max_connections              = number
-        max_connections_per_instance = number
-        max_connections_per_endpoint = number
-        max_rate                     = number
-        max_rate_per_instance        = number
-        max_rate_per_endpoint        = number
-        max_utilization              = number
-      })
-    }))
+variable "address" {
+  description = "Optional IP address used for the forwarding rule."
+  type        = string
+  default     = null
+}
 
-    # Optional health check ids for backend service groups.
-    # Will lookup for ids in health_chacks_config first,
-    # then will use the id as is. If no ids are defined
-    # at all (null, []) health_checks_config_defaults is used
-    health_checks = list(string)
-
-    log_config = object({
-      enable      = bool
-      sample_rate = number # must be in [0, 1]
-    })
-
-    options = object({
-      affinity_cookie_ttl_sec         = number
-      custom_request_headers          = list(string)
-      custom_response_headers         = list(string)
-      connection_draining_timeout_sec = number
-      locality_lb_policy              = string
-      port_name                       = string
-      protocol                        = string
-      session_affinity                = string
-      timeout_sec                     = number
-
-      circuits_breakers = object({
-        max_requests_per_connection = number # Set to 1 to disable keep-alive
-        max_connections             = number # Defaults to 1024
-        max_pending_requests        = number # Defaults to 1024
-        max_requests                = number # Defaults to 1024
-        max_retries                 = number # Defaults to 3
-      })
-
-      consistent_hash = object({
-        http_header_name  = string
-        minimum_ring_size = string
-        http_cookie = object({
-          name = string
-          path = string
-          ttl = object({
-            seconds = number
-            nanos   = number
-          })
-        })
-      })
-
-      iap = object({
-        oauth2_client_id            = string
-        oauth2_client_secret        = string
-        oauth2_client_secret_sha256 = string
-      })
-    })
-  }))
+variable "backend_service_configs" {
+  type    = any
   default = {}
 }
 
-variable "forwarding_rule_config" {
-  description = "Forwarding rule configurations."
-  type = object({
-    ip_version    = string
-    labels        = map(string)
-    network_tier  = string
-    port_range    = string
-    service_label = string
-  })
-  default = {
-    allow_global_access = true
-    ip_version          = "IPV4"
-    labels              = {}
-    network_tier        = "PREMIUM"
-    # If not specified, 443 if var.https = true; 80 otherwise
-    port_range    = null
-    service_label = null
-  }
+variable "description" {
+  type    = string
+  default = "Terraform managed."
 }
 
-variable "health_checks_config" {
-  description = "Custom health checks configuration."
-  type = map(object({
-    type    = string      # http https tcp ssl http2
-    check   = map(any)    # actual health check block attributes
-    options = map(number) # interval, thresholds, timeout
-    logging = bool
-  }))
+variable "group_configs" {
+  type    = any
   default = {}
 }
 
-variable "health_checks_config_defaults" {
-  description = "Auto-created health check default configuration."
-  type = object({
-    check   = map(any) # actual health check block attributes
-    logging = bool
-    options = map(number) # interval, thresholds, timeout
-    type    = string      # http https tcp ssl http2
-  })
+variable "health_check_configs" {
+  type = any
   default = {
-    type    = "http"
-    logging = false
-    options = {}
-    check = {
-      port_specification = "USE_SERVING_PORT"
+    default = {
+      http = {
+        port_specification = "USE_SERVING_PORT"
+      }
     }
   }
 }
 
-variable "https" {
-  description = "Whether to enable HTTPS."
-  type        = bool
-  default     = false
-}
-
-variable "ssl_certificates_config" {
-  description = "The SSL certificate configuration."
-  type = map(object({
-    domains              = list(string)
-    tls_private_key      = string
-    tls_self_signed_cert = string
-  }))
+variable "labels" {
+  type    = map(string)
   default = {}
 }
 
-variable "static_ip_config" {
-  description = "Static IP address configuration."
-  type = object({
-    reserve = bool
-    options = object({
-      address    = string
-      subnetwork = string # The subnet id
-    })
-  })
+variable "neg_configs" {
+  type    = any
+  default = {}
+}
+
+variable "network_tier_premium" {
+  type    = bool
+  default = true
+}
+
+variable "ports" {
+  type    = list(string)
+  default = null
+}
+
+variable "protocol" {
+  type    = string
+  default = "HTTP"
+}
+
+variable "ssl_certificates" {
+  type    = any
+  default = {}
+}
+
+variable "urlmap_config" {
+  type = any
   default = {
-    reserve = false
-    options = null
+    default_service = "default"
   }
 }
-
-variable "target_proxy_https_config" {
-  description = "The HTTPS target proxy configuration."
-  type = object({
-    ssl_certificates = list(string)
-  })
-  default = null
-}
-
-variable "url_map_config" {
-  description = "The url-map configuration."
-  type = object({
-    default_service      = string
-    default_url_redirect = map(any)
-    host_rules           = list(any)
-    path_matchers        = list(any)
-    tests                = list(map(string))
-  })
-  default = null
-}

tests/modules/net_ilb_l7/test_plan.py

@@ -12,173 +12,109 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-_BACKEND_SVC_CONFIG = '''{
-  my-group = {
-    backends = [
-      {
-        group   = "my_group",
-        options = null
-      }
-    ],
-    health_checks = []
-    log_config    = null
-    options       = null
+import collections
+
+
+def test_defaults(plan_runner):
+  "Test with default values."
+  _, resources = plan_runner(tf_var_file='test.defaults.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_region_backend_service.default': 1,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
   }
-}'''
 
-_BACKEND_SVC_CONFIG_HC = '''{
-  my-group = {
-    backends = [
-      {
-        group   = "my_group",
-        options = null
-      }
-    ],
-    health_checks = ["hc_1"]
-    log_config    = null
-    options       = null
+
+def test_groups(plan_runner):
+  "Test groups."
+  _, resources = plan_runner(tf_var_file='test.groups.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_instance_group.default': 1,
+      'google_compute_region_backend_service.default': 1,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
   }
-}'''
 
-_NAME = 'ilb-l7-test'
 
-_RESERVED_IP_CONFIG = '''{
-  reserve = true
-  options = null
-}'''
-
-_SSL_CERTIFICATES_CONFIG = '''{
-  my-domain = {
-    domains = [
-      "my-domain.com"
-    ],
-    tls_private_key      = "my-key"
-    tls_self_signed_cert = "my-cert"
+def test_health_checks_external(plan_runner):
+  "Test external health check."
+  _, resources = plan_runner(tf_var_file='test.health-checks-external.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_region_backend_service.default': 1,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
   }
-}'''
-
-_TARGET_PROXY_HTTPS_CONFIG = '''{
-  ssl_certificates = [
-    "my-domain"
-  ]
-}'''
 
 
-def test_group_default_hc(plan_runner):
-  "Tests a group backend service with no HC specified."
-  _, resources = plan_runner(backend_services_config=_BACKEND_SVC_CONFIG)
-  assert len(resources) == 5
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  fwd_rule = resources['google_compute_forwarding_rule']
-  assert fwd_rule['load_balancing_scheme'] == 'INTERNAL_MANAGED'
-  assert fwd_rule['port_range'] == '80'
-  assert fwd_rule['ip_protocol'] == 'TCP'
-
-  group = resources['google_compute_region_backend_service']
-  assert len(group['backend']) == 1
-  assert group['backend'][0]['group'] == 'my_group'
-
-  health_check = resources['google_compute_region_health_check']
-  assert health_check['name'] == _NAME + '-default'
-  assert len(health_check['http_health_check']) > 0
-  assert len(health_check['https_health_check']) == 0
-  assert len(health_check['http2_health_check']) == 0
-  assert len(health_check['tcp_health_check']) == 0
-  assert health_check['http_health_check'][0]['port_specification'] == 'USE_SERVING_PORT'
-  assert health_check['http_health_check'][0]['proxy_header'] == 'NONE'
-  assert health_check['http_health_check'][0]['request_path'] == '/'
-
-  assert 'google_compute_region_target_http_proxy' in resources
-  assert 'google_compute_region_target_https_proxy' not in resources
-  assert 'google_compute_region_url_map' in resources
+def test_health_checks_custom(plan_runner):
+  "Test custom health check."
+  _, resources = plan_runner(tf_var_file='test.health-checks-custom.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_region_backend_service.default': 1,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
+  }
 
 
-def test_group_no_hc(plan_runner):
-  "Tests a group backend service without HCs (including no default HC)."
-  _, resources = plan_runner(backend_services_config=_BACKEND_SVC_CONFIG,
-                             health_checks_config_defaults='null')
-
-  assert len(resources) == 4
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  assert 'google_compute_region_backend_service' in resources
-  assert 'google_compute_region_health_check' not in resources
-  assert 'google_compute_region_target_http_proxy' in resources
-  assert 'google_compute_region_target_https_proxy' not in resources
-  assert 'google_compute_region_url_map' in resources
-  assert 'google_compute_forwarding_rule' in resources
+def test_https(plan_runner):
+  "Test HTTPS load balancer."
+  _, resources = plan_runner(tf_var_file='test.https.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_region_target_https_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
+  }
 
 
-def test_group_existing_hc(plan_runner):
-  "Tests a group backend service with referencing an existing HC."
-  _, resources = plan_runner(backend_services_config=_BACKEND_SVC_CONFIG_HC)
-  assert len(resources) == 4
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  assert 'google_compute_region_backend_service' in resources
-  assert 'google_compute_region_health_check' not in resources
-  assert 'google_compute_region_target_http_proxy' in resources
-  assert 'google_compute_region_target_https_proxy' not in resources
-  assert 'google_compute_region_url_map' in resources
-  assert 'google_compute_forwarding_rule' in resources
+def test_negs(plan_runner):
+  "Test negs."
+  _, resources = plan_runner(tf_var_file='test.negs.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_network_endpoint.default': 1,
+      'google_compute_network_endpoint_group.default': 1,
+      'google_compute_region_backend_service.default': 1,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
+  }
 
 
-def test_reserved_ip(plan_runner):
-  "Tests an IP reservation with a group backend service."
-  _, resources = plan_runner(
-    backend_services_config=_BACKEND_SVC_CONFIG,
-    static_ip_config=_RESERVED_IP_CONFIG
-  )
-  assert len(resources) == 6
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  assert 'google_compute_region_backend_service' in resources
-  assert 'google_compute_region_target_http_proxy' in resources
-  assert 'google_compute_region_target_https_proxy' not in resources
-  assert 'google_compute_region_url_map' in resources
-  assert 'google_compute_address' in resources
-  assert 'google_compute_forwarding_rule' in resources
+def test_ssl_certificates(plan_runner):
+  "Test HTTPS load balancer with SSL certificates."
+  _, resources = plan_runner(tf_var_file='test.ssl.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_region_ssl_certificate.default': 1,
+      'google_compute_region_target_https_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
+  }
 
 
-def test_ssl(plan_runner):
-  "Tests HTTPS and SSL certificates."
-  _, resources = plan_runner(
-    backend_services_config=_BACKEND_SVC_CONFIG,
-    https="true",
-    ssl_certificates_config=_SSL_CERTIFICATES_CONFIG,
-    target_proxy_https_config=_TARGET_PROXY_HTTPS_CONFIG
-  )
-  assert len(resources) == 6
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  fwd_rule = resources['google_compute_forwarding_rule']
-  assert fwd_rule['port_range'] == '443'
-
-  assert 'google_compute_region_backend_service' in resources
-  assert 'google_compute_region_ssl_certificate' in resources
-  assert 'google_compute_region_target_http_proxy' not in resources
-  assert 'google_compute_region_target_https_proxy' in resources
-  assert 'google_compute_region_url_map' in resources
-  assert 'google_compute_forwarding_rule' in resources
-
-
-def test_ssl_existing_cert(plan_runner):
-  "Tests HTTPS and SSL existing certificate."
-  _, resources = plan_runner(
-    backend_services_config=_BACKEND_SVC_CONFIG,
-    https="true",
-    target_proxy_https_config=_TARGET_PROXY_HTTPS_CONFIG
-  )
-  assert len(resources) == 5
-  resources = dict((r['type'], r['values']) for r in resources)
-
-  fwd_rule = resources['google_compute_forwarding_rule']
-  assert fwd_rule['port_range'] == '443'
-
-  assert 'google_compute_region_backend_service' in resources
-  assert 'google_compute_region_ssl_certificate' not in resources
-  assert 'google_compute_region_target_http_proxy' not in resources
-  assert 'google_compute_region_target_https_proxy' in resources
-  assert 'google_compute_region_url_map' in resources
-  assert 'google_compute_forwarding_rule' in resources
+def test_urlmaps(plan_runner):
+  "Test URL maps."
+  _, resources = plan_runner(tf_var_file='test.urlmaps.tfvars')
+  counts = collections.Counter(f'{r["type"]}.{r["name"]}' for r in resources)
+  assert counts == {
+      'google_compute_forwarding_rule.default': 1,
+      'google_compute_health_check.default': 1,
+      'google_compute_region_backend_service.default': 2,
+      'google_compute_region_target_http_proxy.default': 1,
+      'google_compute_region_url_map.default': 1
+  }