Modular Global HTTP Load Balancer for GCE using forwarding rules.
If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the dynamic backends submodule.
- TCP load balancer
- HTTP/S load balancer
- Internal load balancer
This module is meant for use with Terraform 0.12. If you haven't upgraded and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is 1.0.10.

```hcl
module "gce-lb-http" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 3.1"

  name    = "group-http-lb"
  project = "my-project-id"

  # Tags that the health check firewall rule is applied to.
  target_tags = [module.mig1.target_tags, module.mig2.target_tags]

  backends = {
    default = {
      description                     = null
      protocol                        = "HTTP"
      port                            = var.service_port
      port_name                       = var.service_port_name
      timeout_sec                     = 10
      connection_draining_timeout_sec = null
      enable_cdn                      = false
      session_affinity                = null
      affinity_cookie_ttl_sec         = null
      custom_request_headers          = null

      health_check = {
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        request_path        = "/"
        port                = var.service_port
        host                = null
        logging             = null
      }

      # Log every request handled by this backend service.
      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = var.backend
          balancing_mode               = null
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
          max_utilization              = null
        },
      ]

      # Identity-Aware Proxy settings; an attribute of the backend object, so it needs "=".
      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}
```

Figure 1. diagram of terraform resources
Current version is 3.0. Upgrade guides:

Name | Description | Type | Default | Required |
---|---|---|---|---|
address | IP address self link | string | "null" | no |
backends | Map backend indices to list of backend maps. | object | n/a | yes |
cdn | Set to true to enable cdn on backend. | bool | "false" | no |
certificate | Content of the SSL certificate. Required if ssl is true and ssl_certificates is empty. | string | "null" | no |
create_address | Create a new global address | bool | "true" | no |
create_url_map | Set to false if url_map variable is provided. | bool | "true" | no |
firewall_networks | Names of the networks to create firewall rules in | list(string) | <list> | no |
firewall_projects | Names of the projects to create firewall rules in | list(string) | <list> | no |
http_forward | Set to false to disable HTTP port 80 forward | bool | "true" | no |
https_redirect | Set to true to enable https redirect on the lb. | bool | "false" | no |
ip_version | IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4 | string | "null" | no |
name | Name for the forwarding rule and prefix for supporting resources | string | n/a | yes |
private_key | Content of the private SSL key. Required if ssl is true and ssl_certificates is empty. | string | "null" | no |
project | The project to deploy to, if not set the default provider project is used. | string | n/a | yes |
quic | Set to true to enable QUIC support | bool | "false" | no |
security_policy | The resource URL for the security policy to associate with the backend service | string | "null" | no |
ssl | Set to true to enable SSL support, requires variable ssl_certificates - a list of self_link certs | bool | "false" | no |
ssl_certificates | SSL cert self_link list. Required if ssl is true and no private_key and certificate is provided. | list(string) | <list> | no |
ssl_policy | Selflink to SSL Policy | string | "null" | no |
target_service_accounts | List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | <list> | no |
target_tags | List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | <list> | no |
url_map | The url_map resource to use. Default is to send all traffic to first backend. | string | "null" | no |
use_ssl_certificates | If true, use the certificates provided by ssl_certificates, otherwise, create cert from private_key and certificate | bool | "false" | no |
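
Several rules in the inputs table exist only in the description column (exactly one firewall target, which certificate inputs go with `ssl`, `create_url_map` versus `url_map`). The Python check below is an added example, not part of the module or its repository; it applies those rules to a `terraform.tfvars.json`-style document before `terraform plan`. The function name, messages and sample values are assumptions, and the `create_url_map` rule is read as applying in both directions.

```python
import json

# Defaults taken from the inputs table ("null" -> None, <list> -> []).
DEFAULTS = {
    "ssl": False, "use_ssl_certificates": False, "ssl_certificates": [],
    "certificate": None, "private_key": None,
    "target_tags": [], "target_service_accounts": [],
    "create_url_map": True, "url_map": None,
}

def check_inputs(tfvars_json):
    """Return the cross-field rules from the inputs table that the inputs break."""
    v = {**DEFAULTS, **json.loads(tfvars_json)}
    problems = []
    # "Exactly one of target_tags or target_service_accounts should be specified."
    if bool(v["target_tags"]) == bool(v["target_service_accounts"]):
        problems.append("target_tags/target_service_accounts: set exactly one")
    if v["ssl"]:
        if v["use_ssl_certificates"]:
            # Certificates are taken from ssl_certificates (self links).
            if not v["ssl_certificates"]:
                problems.append("ssl_certificates: empty but use_ssl_certificates is true")
        elif not (v["certificate"] and v["private_key"]):
            # Per the use_ssl_certificates row, the cert is otherwise created
            # from certificate + private_key, so both must be present.
            problems.append("certificate/private_key: both needed when "
                            "use_ssl_certificates is false")
    # "Set to false if url_map variable is provided." (assumed to hold both ways)
    if v["create_url_map"] == (v["url_map"] is not None):
        problems.append("create_url_map/url_map: supply url_map or create one, not both")
    return problems

# Constructed sample inputs (terraform.tfvars.json style), not from the module repo.
GOOD = json.dumps({
    "target_tags": ["web"], "ssl": True, "use_ssl_certificates": True,
    "ssl_certificates": ["projects/my-project-id/global/sslCertificates/placeholder"],
})
BAD = json.dumps({
    "target_tags": ["web"], "target_service_accounts": ["sa@example.invalid"],
    "ssl": True, "certificate": "PLACEHOLDER-PEM",
    "url_map": "placeholder-url-map-self-link",
})

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_inputs(sample))
```
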
Name | Description |
---|---|
backend_services | The backend service resources. |
external_ip | The external IP assigned to the global forwarding rule. |
http_proxy | The HTTP proxy used by this module. |
https_proxy | The HTTPS proxy used by this module. |

- `google_compute_global_forwarding_rule.http`: The global HTTP forwarding rule.
- `google_compute_global_forwarding_rule.https`: The global HTTPS forwarding rule created when `ssl` is `true`.
- `google_compute_target_http_proxy.default`: The HTTP proxy resource that binds the url map. Created when input `ssl` is `false`.
- `google_compute_target_https_proxy.default`: The HTTPS proxy resource that binds the url map. Created when input `ssl` is `true`.
- `google_compute_ssl_certificate.default`: The certificate resource created when input `ssl` is `true`.
- `google_compute_url_map.default`: The default URL map resource when input `url_map` is not provided.
- `google_compute_backend_service.default.*`: The backend services created for each of the `backend_params` elements.
- `google_compute_health_check.default.*`: Health check resources created for each of the (non global NEG) backend services.
- `google_compute_firewall.default-hc`: Firewall rule created for each of the backend services to allow health checks to the instance group.