90360c591e
* Add confidential compute support to google_dataproc_cluster in the dataproc module * fix parent id lookup for networking and security stages (#2744) * Add optional automated MD5 generation in net-vlan-attachment module (#2745) * Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add ability to autogenerate md5 keys in net-vpn-ha (#2748) * Add ability to optionally generate MD5 secrets in VPN module * Add ability to autogenerate MD5 keys in net-vpn-ha module * restore missing output * fix test counts --------- Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * update changelog * Bump path-to-regexp and express (#2752) Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together. Updates `path-to-regexp` from 0.1.10 to 0.1.12 - [Release notes](https://github.com/pillarjs/path-to-regexp/releases) - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md) - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12) Updates `express` from 4.21.1 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2) --- updated-dependencies: - dependency-name: path-to-regexp dependency-type: indirect - dependency-name: express dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * add support for routing mode to net-swp module (#2751) Co-authored-by: Julio Castillo <jccb@google.com> * remove default location in tag value - cloud-run-v2 tags.tf (#2755) The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is. Changed to use the var.region instead * Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example). * Add rest of load balancers. * Add path_template_match and path_template_rewrite support to internal load balancers * Add disk encyption key to the google_compute_instance_template - Sovereign support (#2750) * add disk encyption key to the google_compute_instance_template * add a condition to the kms_key_self_link * use dynamic variable for disk_encryption_key * remove the getpip from the repo --------- Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> * Add support for password validation policy to cloudsql module (#2740) * add support for password validation policy to cloudsql module * fix defaults * update changelog * bump provider version constraint --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com> Co-authored-by: Luca Prete <preteluca@gmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Luca Prete <lucaprete@google.com> Co-authored-by: Julio Castillo <jccb@google.com> Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com> Co-authored-by: Taneli Leppä <taneli@google.com> Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com> Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>
External Passthrough Network Load Balancer Module
This module allows managing a GCE Network Load Balancer and integrates the forwarding rule, regional backend, and optional health check resources. It's designed to be a simple match for the compute-vm module, which can be used to manage instance templates and instance groups.
Examples
Referencing existing MIGs
This example shows how to reference existing Managed Infrastructure Groups (MIGs).
module "nlb" {
source = "./fabric/modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "nlb-test"
backends = [{
group = module.compute-mig.group_manager.instance_group
}]
health_check_config = {
http = {
port = 80
}
}
}
# tftest modules=3 resources=5 fixtures=fixtures/compute-mig.tf inventory=migs.yaml e2e
Externally managed instances
This examples shows how to create an NLB by combining externally managed instances (in a custom module or even outside of the current root module) in an unmanaged group. When using internally managed groups, remember to run terraform apply each time group instances change.
module "nlb" {
source = "./fabric/modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "nlb-test"
group_configs = {
my-group = {
zone = "${var.region}-b"
instances = [
module.compute-vm-group-b.id,
]
}
}
backends = [{
group = module.nlb.groups.my-group.self_link
}]
health_check_config = {
http = {
port = 80
}
}
}
# tftest modules=3 resources=8 fixtures=fixtures/compute-vm-group-bc.tf inventory=ext_migs.yaml e2e
Multiple forwarding rules
You can add more forwarding rules to your load balancer and override some forwarding rules defaults, including the global access policy, the IP protocol, the IP version and ports.
The example adds two forwarding rules:
- the first one, called
nlb-test-vip-oneexposes an IPv4 address, it listens on all ports, and allows connections from any region. - the second one, called
nlb-test-vip-twoexposes an IPv4 address, it listens on port 80 and allows connections from the same region only.
module "nlb" {
source = "./fabric/modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "nlb-test"
backends = [{
group = module.nlb.groups.my-group.self_link
}]
forwarding_rules_config = {
vip-one = {}
vip-two = {
ports = [80]
}
}
group_configs = {
my-group = {
zone = "${var.region}-b"
instances = [
module.compute-vm-group-b.id,
]
}
}
}
# tftest modules=3 resources=9 fixtures=fixtures/compute-vm-group-bc.tf inventory=fwd_rules.yaml e2e
Dual stack (IPv4 and IPv6)
Your load balancer can use a combination of either or both IPv4 and IPv6 forwarding rules. In this example we set the load balancer to work as dual stack, meaning it exposes both an IPv4 and an IPv6 address.
module "nlb" {
source = "./fabric/modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "nlb-test"
backends = [{
group = module.nlb.groups.my-group.self_link
}]
forwarding_rules_config = {
ipv4 = {
version = "IPV4"
}
ipv6 = {
version = "IPV6"
}
}
group_configs = {
my-group = {
zone = "${var.region}-b"
instances = [
module.compute-vm-group-b.id,
]
}
}
}
# tftest modules=3 resources=9 fixtures=fixtures/compute-vm-group-bc.tf inventory=dual_stack.yaml e2e
End to end example
This example spins up a simple HTTP server and combines four modules:
nginxfrom thecloud-config-containercollection, to manage instance configurationcompute-vmto manage the instance template and unmanaged instance group- this module to create a Network Load Balancer in front of the managed instance group
Note that the example uses the GCE default service account. You might want to create an ad-hoc service account by combining the iam-service-account module, or by having the GCE VM module create one for you. In both cases, remember to set at least logging write permissions for the service account, or the container on the instances won't be able to start.
module "cos-nginx" {
source = "./fabric/modules/cloud-config-container/nginx"
}
module "instance-group" {
source = "./fabric/modules/compute-vm"
for_each = toset(["b", "c"])
project_id = var.project_id
zone = "${var.region}-${each.key}"
name = "nlb-test-${each.key}"
network_interfaces = [{
network = var.vpc.self_link
subnetwork = var.subnet.self_link
nat = false
addresses = null
}]
boot_disk = {
initialize_params = {
image = "projects/cos-cloud/global/images/family/cos-stable"
type = "pd-ssd"
size = 10
}
}
tags = ["http-server", "ssh"]
metadata = {
user-data = module.cos-nginx.cloud_config
}
group = { named_ports = {} }
}
module "nlb" {
source = "./fabric/modules/net-lb-ext"
project_id = var.project_id
region = var.region
name = "nlb-test"
backends = [
for z, mod in module.instance-group : {
group = mod.group.self_link
}
]
forwarding_rules_config = {
"" = {
ports = [80]
}
}
health_check_config = {
http = {
port = 80
}
}
}
# tftest modules=3 resources=7 inventory=e2e.yaml e2e
Deploying changes to load balancer configurations
For deploying changes to load balancer configuration please refer to net-lb-app-ext README.md
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | Name used for all resources. | string |
✓ | |
| project_id | Project id where resources will be created. | string |
✓ | |
| region | GCP region. | string |
✓ | |
| backend_service_config | Backend service level configuration. | object({…}) |
{} |
|
| backends | Load balancer backends. | list(object({…})) |
[] |
|
| description | Optional description used for resources. | string |
"Terraform managed." |
|
| forwarding_rules_config | The optional forwarding rules configuration. | map(object({…})) |
{…} |
|
| group_configs | Optional unmanaged groups to create. Can be referenced in backends via outputs. | map(object({…})) |
{} |
|
| health_check | Name of existing health check to use, disables auto-created health check. | string |
null |
|
| health_check_config | Optional auto-created health check configuration, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…}) |
{…} |
|
| labels | Labels set on resources. | map(string) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| backend_service | Backend resource. | |
| backend_service_id | Backend id. | |
| backend_service_self_link | Backend self link. | |
| forwarding_rule_addresses | Forwarding rule addresses. | |
| forwarding_rule_self_links | Forwarding rule self links. | |
| forwarding_rules | Forwarding rule resources. | |
| group_self_links | Optional unmanaged instance group self links. | |
| groups | Optional unmanaged instance group resources. | |
| health_check | Auto-created health-check resource. | |
| health_check_id | Auto-created health-check id. | |
| health_check_self_link | Auto-created health-check self link. | |
| id | Fully qualified forwarding rule ids. |