Internet NEG for net-lb-proxy-int
This commit is contained in:
committed by
Wiktor Niesiobędzki
parent
11050c46cf
commit
439e9a1af9
@@ -15,6 +15,7 @@ Due to the complexity of the underlying resources, changes to the configuration
|
||||
- [Zonal NEG creation](#zonal-neg-creation)
|
||||
- [Hybrid NEG creation](#hybrid-neg-creation)
|
||||
- [Private Service Connect NEG creation](#private-service-connect-neg-creation)
|
||||
- [Internet NEG creation](#internet-neg-creation)
|
||||
- [Files](#files)
|
||||
- [Variables](#variables)
|
||||
- [Outputs](#outputs)
|
||||
@@ -271,6 +272,47 @@ module "int-tcp-proxy" {
|
||||
# tftest modules=1 resources=5
|
||||
```
|
||||
|
||||
#### Internet NEG creation
|
||||
|
||||
This example shows how to create and manage internet NEGs:
|
||||
|
||||
```hcl
|
||||
module "ilb-l7" {
|
||||
source = "./fabric/modules/net-lb-proxy-int"
|
||||
project_id = var.project_id
|
||||
name = "ilb-test"
|
||||
region = var.region
|
||||
backend_service_config = {
|
||||
backends = [
|
||||
{ group = "neg-0" }
|
||||
]
|
||||
# with a single internet NEG the implied default health check is optional
|
||||
health_checks = []
|
||||
}
|
||||
port = 80
|
||||
neg_configs = {
|
||||
neg-0 = {
|
||||
internet = {
|
||||
region = var.region
|
||||
use_fqdn = true
|
||||
endpoints = {
|
||||
e-0 = {
|
||||
destination = "www.example.org"
|
||||
port = 80
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
vpc_config = {
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e
|
||||
```
|
||||
|
||||
|
||||
<!-- TFDOC OPTS files:1 -->
|
||||
<!-- BEGIN TFDOC -->
|
||||
## Files
|
||||
@@ -280,7 +322,7 @@ module "int-tcp-proxy" {
|
||||
| [backend-service.tf](./backend-service.tf) | Backend service resources. | <code>google_compute_region_backend_service</code> |
|
||||
| [groups.tf](./groups.tf) | None | <code>google_compute_instance_group</code> |
|
||||
| [health-check.tf](./health-check.tf) | Health check resource. | <code>google_compute_region_health_check</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> |
|
||||
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> · <code>google_compute_service_attachment</code> |
|
||||
| [outputs.tf](./outputs.tf) | Module outputs. | |
|
||||
| [variables.tf](./variables.tf) | Module variables. | |
|
||||
| [versions.tf](./versions.tf) | Version pins. | |
|
||||
@@ -290,9 +332,9 @@ module "int-tcp-proxy" {
|
||||
| name | description | type | required | default |
|
||||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L198) | Load balancer name. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L256) | Project id. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L261) | The region where to allocate the ILB resources. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L266) | VPC-level configuration. | <code title="object({ network = string subnetwork = string })">object({…})</code> | ✓ | |
|
||||
| [project_id](variables.tf#L267) | Project id. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L272) | The region where to allocate the ILB resources. | <code>string</code> | ✓ | |
|
||||
| [vpc_config](variables.tf#L292) | VPC-level configuration. | <code title="object({ network = string subnetwork = string })">object({…})</code> | ✓ | |
|
||||
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | <code>string</code> | | <code>null</code> |
|
||||
| [backend_service_config](variables.tf#L23) | Backend service level configuration. | <code title="object({ affinity_cookie_ttl_sec = optional(number) connection_draining_timeout_sec = optional(number) health_checks = optional(list(string), ["default"]) log_sample_rate = optional(number) port_name = optional(string) project_id = optional(string) session_affinity = optional(string, "NONE") timeout_sec = optional(number) backends = optional(list(object({ group = string balancing_mode = optional(string, "UTILIZATION") capacity_scaler = optional(number, 1) description = optional(string, "Terraform managed.") failover = optional(bool, false) max_connections = optional(object({ per_endpoint = optional(number) per_group = optional(number) per_instance = optional(number) })) max_utilization = optional(number) }))) connection_tracking = optional(object({ idle_timeout_sec = optional(number) persist_conn_on_unhealthy = optional(string) track_per_session = optional(bool) })) failover_config = optional(object({ disable_conn_drain = optional(bool) drop_traffic_if_unhealthy = optional(bool) ratio = optional(number) })) })">object({…})</code> | | <code>{}</code> |
|
||||
| [description](variables.tf#L75) | Optional description used for resources. | <code>string</code> | | <code>"Terraform managed."</code> |
|
||||
@@ -301,22 +343,25 @@ module "int-tcp-proxy" {
|
||||
| [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | <code>string</code> | | <code>null</code> |
|
||||
| [health_check_config](variables.tf#L106) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | <code title="object({ check_interval_sec = optional(number) description = optional(string, "Terraform managed.") enable_logging = optional(bool, false) healthy_threshold = optional(number) project_id = optional(string) timeout_sec = optional(number) unhealthy_threshold = optional(number) grpc = optional(object({ port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT service_name = optional(string) })) http = optional(object({ host = optional(string) port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT proxy_header = optional(string) request_path = optional(string) response = optional(string) })) http2 = optional(object({ host = optional(string) port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT proxy_header = optional(string) request_path = optional(string) response = optional(string) })) https = optional(object({ host = optional(string) port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT proxy_header = optional(string) request_path = optional(string) response = optional(string) })) tcp = optional(object({ port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT proxy_header = optional(string) request = optional(string) response = optional(string) })) ssl = optional(object({ port = optional(number) port_name = optional(string) port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT proxy_header = optional(string) request = 
optional(string) response = optional(string) })) })">object({…})</code> | | <code title="{ tcp = { port_specification = "USE_SERVING_PORT" } }">{…}</code> |
|
||||
| [labels](variables.tf#L192) | Labels set on resources. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map(object({ project_id = optional(string) gce = optional(object({ zone = string network = optional(string) subnetwork = optional(string) endpoints = optional(map(object({ instance = string ip_address = string port = number }))) })) hybrid = optional(object({ zone = string network = optional(string) endpoints = optional(map(object({ ip_address = string port = number }))) })) psc = optional(object({ region = string target_service = string network = optional(string) subnetwork = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [port](variables.tf#L250) | Port. | <code>number</code> | | <code>80</code> |
|
||||
| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map(object({ project_id = optional(string) gce = optional(object({ zone = string network = optional(string) subnetwork = optional(string) endpoints = optional(map(object({ instance = string ip_address = string port = number }))) })) hybrid = optional(object({ zone = string network = optional(string) endpoints = optional(map(object({ ip_address = string port = number }))) })) internet = optional(object({ region = string use_fqdn = optional(bool, true) endpoints = optional(map(object({ destination = string port = number }))) })) psc = optional(object({ region = string target_service = string network = optional(string) subnetwork = optional(string) })) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [port](variables.tf#L261) | Port. | <code>number</code> | | <code>80</code> |
|
||||
| [service_attachment](variables.tf#L277) | PSC service attachment. | <code title="object({ nat_subnets = list(string) automatic_connection = optional(bool, false) consumer_accept_lists = optional(map(string), {}) # map of `project_id` => `connection_limit` consumer_reject_lists = optional(list(string)) description = optional(string) domain_name = optional(string) enable_proxy_protocol = optional(bool, false) reconcile_connections = optional(bool) })">object({…})</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
| name | description | sensitive |
|
||||
|---|---|:---:|
|
||||
| [backend_service](outputs.tf#L17) | Backend resource. | |
|
||||
| [backend_service_id](outputs.tf#L22) | Backend id. | |
|
||||
| [backend_service_self_link](outputs.tf#L27) | Backend self link. | |
|
||||
| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | |
|
||||
| [group_self_links](outputs.tf#L37) | Optional unmanaged instance group self links. | |
|
||||
| [groups](outputs.tf#L44) | Optional unmanaged instance group resources. | |
|
||||
| [health_check](outputs.tf#L49) | Auto-created health-check resource. | |
|
||||
| [health_check_id](outputs.tf#L54) | Auto-created health-check id. | |
|
||||
| [health_check_self_link](outputs.tf#L59) | Auto-created health-check self link. | |
|
||||
| [id](outputs.tf#L64) | Fully qualified forwarding rule id. | |
|
||||
| [neg_ids](outputs.tf#L69) | Autogenerated network endpoint group ids. | |
|
||||
| [address](outputs.tf#L17) | Forwarding rule address. | |
|
||||
| [backend_service](outputs.tf#L22) | Backend resource. | |
|
||||
| [backend_service_id](outputs.tf#L27) | Backend id. | |
|
||||
| [backend_service_self_link](outputs.tf#L32) | Backend self link. | |
|
||||
| [forwarding_rule](outputs.tf#L37) | Forwarding rule resource. | |
|
||||
| [group_self_links](outputs.tf#L42) | Optional unmanaged instance group self links. | |
|
||||
| [groups](outputs.tf#L49) | Optional unmanaged instance group resources. | |
|
||||
| [health_check](outputs.tf#L54) | Auto-created health-check resource. | |
|
||||
| [health_check_id](outputs.tf#L59) | Auto-created health-check id. | |
|
||||
| [health_check_self_link](outputs.tf#L64) | Auto-created health-check self link. | |
|
||||
| [id](outputs.tf#L69) | Fully qualified forwarding rule id. | |
|
||||
| [neg_ids](outputs.tf#L74) | Autogenerated network endpoint group ids. | |
|
||||
| [service_attachment_id](outputs.tf#L81) | Id of the service attachment. | |
|
||||
<!-- END TFDOC -->
|
||||
|
||||
@@ -26,7 +26,11 @@ locals {
|
||||
},
|
||||
{
|
||||
for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
|
||||
},
|
||||
{
|
||||
for k, v in google_compute_region_network_endpoint_group.internet : k => v.id
|
||||
}
|
||||
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
@@ -122,3 +122,81 @@ resource "google_compute_region_network_endpoint_group" "psc" {
|
||||
network = each.value.psc.network
|
||||
subnetwork = each.value.psc.subnetwork
|
||||
}
|
||||
|
||||
# Internet NEG
|
||||
locals {
|
||||
_neg_endpoints_internet = flatten([
|
||||
for k, v in local.neg_internet : [
|
||||
for kk, vv in v.internet.endpoints : merge(vv, {
|
||||
key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
|
||||
})
|
||||
]
|
||||
])
|
||||
neg_endpoints_internet = {
|
||||
for v in local._neg_endpoints_internet : (v.key) => v
|
||||
}
|
||||
neg_internet = {
|
||||
for k, v in var.neg_configs :
|
||||
k => v if v.internet != null
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_region_network_endpoint_group" "internet" {
|
||||
for_each = local.neg_internet
|
||||
project = var.project_id
|
||||
name = "${var.name}-${each.key}"
|
||||
region = each.value.internet.region
|
||||
# re-enable once provider properly supports this
|
||||
# default_port = each.value.default_port
|
||||
# description = coalesce(each.value.description, var.description)
|
||||
network_endpoint_type = (
|
||||
each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
|
||||
)
|
||||
network = var.vpc_config.network
|
||||
}
|
||||
|
||||
resource "google_compute_region_network_endpoint" "internet" {
|
||||
for_each = local.neg_endpoints_internet
|
||||
project = (
|
||||
google_compute_region_network_endpoint_group.internet[each.value.neg].project
|
||||
)
|
||||
region = each.value.region
|
||||
region_network_endpoint_group = (
|
||||
google_compute_region_network_endpoint_group.internet[each.value.neg].name
|
||||
)
|
||||
fqdn = each.value.use_fqdn ? each.value.destination : null
|
||||
ip_address = each.value.use_fqdn ? null : each.value.destination
|
||||
port = each.value.port
|
||||
}
|
||||
|
||||
# PSC Procuder Service attachments
|
||||
resource "google_compute_service_attachment" "default" {
|
||||
count = var.service_attachment == null ? 0 : 1
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = var.name
|
||||
description = var.description
|
||||
target_service = google_compute_forwarding_rule.default.id
|
||||
nat_subnets = var.service_attachment.nat_subnets
|
||||
connection_preference = (
|
||||
var.service_attachment.automatic_connection
|
||||
? "ACCEPT_AUTOMATIC"
|
||||
: "ACCEPT_MANUAL"
|
||||
)
|
||||
consumer_reject_lists = var.service_attachment.consumer_reject_lists
|
||||
domain_names = (
|
||||
var.service_attachment.domain_name == null
|
||||
? null
|
||||
: [var.service_attachment.domain_name]
|
||||
)
|
||||
enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
|
||||
reconcile_connections = var.service_attachment.reconcile_connections
|
||||
dynamic "consumer_accept_lists" {
|
||||
for_each = var.service_attachment.consumer_accept_lists
|
||||
iterator = accept
|
||||
content {
|
||||
project_id_or_num = accept.key
|
||||
connection_limit = accept.value
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
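Review bot: The `description = var.description` line in `google_compute_service_attachment.default` ignores the attachment-level `description` that the `service_attachment` variable declares as `optional(string)`, so a caller who sets it silently gets the module-wide text instead. Apply the same precedence the commented-out NEG line in this hunk already intends, `description = coalesce(var.service_attachment.description, var.description)`, which falls back to the module default when the attachment-specific value is null. The header comment above that resource also misspells the word, `# PSC Producer service attachments`.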
@@ -14,6 +14,11 @@
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "address" {
|
||||
description = "Forwarding rule address."
|
||||
value = google_compute_forwarding_rule.default.ip_address
|
||||
}
|
||||
|
||||
output "backend_service" {
|
||||
description = "Backend resource."
|
||||
value = google_compute_region_backend_service.default
|
||||
@@ -72,3 +77,10 @@ output "neg_ids" {
|
||||
for k, v in google_compute_network_endpoint_group.default : k => v.id
|
||||
}
|
||||
}
|
||||
|
||||
output "service_attachment_id" {
|
||||
description = "Id of the service attachment."
|
||||
value = try(
|
||||
google_compute_service_attachment.default[0].id, null
|
||||
)
|
||||
}
|
||||
|
||||
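Review bot: `try(google_compute_service_attachment.default[0].id, null)` in the new `service_attachment_id` output masks any evaluation error, not only the missing index when `count` is 0; `one(google_compute_service_attachment.default[*].id)` states the zero-or-one intent directly and still fails loudly on anything else. The surrounding outputs expose both the resource and its id (`backend_service` and `backend_service_id`, `health_check` and `health_check_id`), so adding a `service_attachment` output with the full resource would keep the interface consistent. The `neg_ids` output this hunk attaches to starts before the hunk.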
@@ -226,6 +226,16 @@ variable "neg_configs" {
|
||||
port = number
|
||||
})))
|
||||
}))
|
||||
internet = optional(object({
|
||||
region = string
|
||||
use_fqdn = optional(bool, true)
|
||||
# re-enable once provider properly support this
|
||||
# default_port = optional(number)
|
||||
endpoints = optional(map(object({
|
||||
destination = string
|
||||
port = number
|
||||
})))
|
||||
}))
|
||||
psc = optional(object({
|
||||
region = string
|
||||
target_service = string
|
||||
@@ -240,6 +250,7 @@ variable "neg_configs" {
|
||||
for k, v in var.neg_configs : (
|
||||
(try(v.gce, null) == null ? 0 : 1) +
|
||||
(try(v.hybrid, null) == null ? 0 : 1) +
|
||||
(try(v.internet, null) == null ? 0 : 1) +
|
||||
(try(v.psc, null) == null ? 0 : 1) == 1
|
||||
)
|
||||
])
|
||||
@@ -263,6 +274,21 @@ variable "region" {
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "service_attachment" {
|
||||
description = "PSC service attachment."
|
||||
type = object({
|
||||
nat_subnets = list(string)
|
||||
automatic_connection = optional(bool, false)
|
||||
consumer_accept_lists = optional(map(string), {}) # map of `project_id` => `connection_limit`
|
||||
consumer_reject_lists = optional(list(string))
|
||||
description = optional(string)
|
||||
domain_name = optional(string)
|
||||
enable_proxy_protocol = optional(bool, false)
|
||||
reconcile_connections = optional(bool)
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "vpc_config" {
|
||||
description = "VPC-level configuration."
|
||||
type = object({
|
||||
|
||||
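Review bot: `endpoints = optional(map(object({...})))` in the new `internet` object has no default, so an internet NEG declared without endpoints yields `null`, and the `for kk, vv in v.internet.endpoints` loop in main.tf's `_neg_endpoints_internet` local cannot iterate over a null collection. Unless the gce and hybrid branches outside this hunk deliberately rely on the same behaviour, give it an empty default, `endpoints = optional(map(object({ destination = string port = number })), {})`, matching the `{}` default this commit already uses for `consumer_accept_lists`. The enclosing `variable "neg_configs"` type block starts before the hunk and its validation continues in the next one.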
69
tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
Normal file
69
tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
Normal file
@@ -0,0 +1,69 @@
|
||||
# Copyright 2024 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
|
||||
values:
|
||||
module.ilb-l7.google_compute_forwarding_rule.default:
|
||||
description: Terraform managed.
|
||||
ip_protocol: TCP
|
||||
load_balancing_scheme: INTERNAL_MANAGED
|
||||
name: ilb-test
|
||||
network: projects/xxx/global/networks/aaa
|
||||
port_range: '80'
|
||||
project: project-id
|
||||
region: europe-west8
|
||||
subnetwork: subnet_self_link
|
||||
module.ilb-l7.google_compute_region_backend_service.default:
|
||||
backend:
|
||||
- balancing_mode: UTILIZATION
|
||||
capacity_scaler: 1
|
||||
description: Terraform managed.
|
||||
description: Terraform managed.
|
||||
load_balancing_scheme: INTERNAL_MANAGED
|
||||
name: ilb-test
|
||||
project: project-id
|
||||
protocol: TCP
|
||||
region: europe-west8
|
||||
session_affinity: NONE
|
||||
module.ilb-l7.google_compute_region_network_endpoint.internet["neg-0-e-0"]:
|
||||
fqdn: www.example.org
|
||||
ip_address: null
|
||||
port: 80
|
||||
project: project-id
|
||||
region: europe-west8
|
||||
region_network_endpoint_group: ilb-test-neg-0
|
||||
module.ilb-l7.google_compute_region_network_endpoint_group.internet["neg-0"]:
|
||||
name: ilb-test-neg-0
|
||||
network: projects/xxx/global/networks/aaa
|
||||
network_endpoint_type: INTERNET_FQDN_PORT
|
||||
project: project-id
|
||||
region: europe-west8
|
||||
subnetwork: null
|
||||
module.ilb-l7.google_compute_region_target_tcp_proxy.default:
|
||||
description: Terraform managed.
|
||||
name: ilb-test
|
||||
project: project-id
|
||||
proxy_header: NONE
|
||||
region: europe-west8
|
||||
timeouts: null
|
||||
|
||||
counts:
|
||||
google_compute_forwarding_rule: 1
|
||||
google_compute_region_backend_service: 1
|
||||
google_compute_region_health_check: 1
|
||||
google_compute_region_network_endpoint: 1
|
||||
google_compute_region_network_endpoint_group: 1
|
||||
google_compute_region_target_tcp_proxy: 1
|
||||
modules: 1
|
||||
resources: 6
|
||||