serverless_negs

Global HTTP Load Balancer Terraform Module for Serverless NEGs

This submodule allows you to create Cloud HTTP(S) Load Balancer with Serverless Network Endpoint Groups (NEGs) and place serverless services from Cloud Run, Cloud Functions and App Engine behind a Cloud Load Balancer.

Compatibility

This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3. If you find incompatibilities using Terraform >=1.3, please open an issue. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.5.0.

Version

Current version is 9.0. Upgrade guides:

• 2.X -> 3.0
• 3.X -> 4.0
• 6.X -> 7.0
• 7.X -> 8.0
• 8.X -> 9.0
• 9.X -> 10.0

Usage

module "lb-http" {
  source            = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs"
  version           = "~> 9.0"

  project           = "my-project-id"
  name              = "my-lb"

  ssl                             = true
  managed_ssl_certificate_domains = ["your-domain.com"]
  https_redirect                  = true
  backends = {
    default = {
      protocol                        = "HTTP"
      port_name                       = var.service_port_name
      enable_cdn                      = false


      log_config = {
        enable = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Your serverless service should have a NEG created that's referenced here.
          group = google_compute_region_network_endpoint_group.default.id
        }
      ]

      iap_config = {
        enable               = false
      }
    }
  }
}

Inputs

Name	Description	Type	Default	Required
address	Existing IPv4 address to use (the actual IP address value)	string	null	no
backends	Map backend indices to list of backend maps.	map(object({ project = optional(string) protocol = optional(string) port_name = optional(string) description = optional(string) enable_cdn = optional(bool) compression_mode = optional(string) security_policy = optional(string, null) edge_security_policy = optional(string, null) custom_request_headers = optional(list(string)) custom_response_headers = optional(list(string)) connection_draining_timeout_sec = optional(number) session_affinity = optional(string) affinity_cookie_ttl_sec = optional(number) locality_lb_policy = optional(string) log_config = object({ enable = optional(bool) sample_rate = optional(number) }) groups = list(object({ group = string description = optional(string) })) // serverless_neg_backends is mutually exclusive to groups.There can only be one serverless neg per region // with one of cloud-run, cloud-functions and app-engine as service. serverless_neg_backends = optional(list(object({ region = string, type = string, // cloud-run, cloud-function and app-engine service = object({ name : string, version : optional(string) }) })), []) iap_config = optional(object({ enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) })) cdn_policy = optional(object({ cache_mode = optional(string) signed_url_cache_max_age_sec = optional(string) default_ttl = optional(number) max_ttl = optional(number) client_ttl = optional(number) negative_caching = optional(bool) negative_caching_policy = optional(object({ code = optional(number) ttl = optional(number) })) serve_while_stale = optional(number) cache_key_policy = optional(object({ include_host = optional(bool) include_protocol = optional(bool) include_query_string = optional(bool) query_string_blacklist = optional(list(string)) query_string_whitelist = optional(list(string)) include_http_headers = optional(list(string)) include_named_cookies = optional(list(string)) })) bypass_cache_on_request_headers = optional(list(string)) })) outlier_detection = optional(object({ base_ejection_time = optional(object({ seconds = number nanos = optional(number) })) consecutive_errors = optional(number) consecutive_gateway_failure = optional(number) enforcing_consecutive_errors = optional(number) enforcing_consecutive_gateway_failure = optional(number) enforcing_success_rate = optional(number) interval = optional(object({ seconds = number nanos = optional(number) })) max_ejection_percent = optional(number) success_rate_minimum_hosts = optional(number) success_rate_request_volume = optional(number) success_rate_stdev_factor = optional(number) })) }))	n/a	yes
certificate	Content of the SSL certificate. Requires ssl to be set to true and create_ssl_certificate set to true	string	null	no
certificate_map	Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires ssl to be set to true	string	null	no
create_address	Create a new global IPv4 address	bool	true	no
create_ipv6_address	Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence.	bool	false	no
create_ssl_certificate	If true, Create certificate using private_key/certificate	bool	false	no
create_url_map	Set to false if url_map variable is provided.	bool	true	no
edge_security_policy	The resource URL for the edge security policy to associate with the backend service	string	null	no
enable_ipv6	Enable IPv6 address on the CDN load-balancer	bool	false	no
http_forward	Set to false to disable HTTP port 80 forward	bool	true	no
http_keep_alive_timeout_sec	Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).	number	null	no
http_port	The port for the HTTP load balancer	number	80	no
https_port	The port for the HTTPS load balancer	number	443	no
https_redirect	Set to true to enable https redirect on the lb.	bool	false	no
ipv6_address	An existing IPv6 address to use (the actual IP address value)	string	null	no
labels	The labels to attach to resources created by this module	map(string)	{}	no
load_balancing_scheme	Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)	string	"EXTERNAL"	no
managed_ssl_certificate_domains	Create Google-managed SSL certificates for specified domains. Requires ssl to be set to true	list(string)	[]	no
name	Name for the forwarding rule and prefix for supporting resources	string	n/a	yes
network	Network for INTERNAL_SELF_MANAGED load balancing scheme	string	"default"	no
private_key	Content of the private SSL key. Requires ssl to be set to true and create_ssl_certificate set to true	string	null	no
project	The project to deploy to, if not set the default provider project is used.	string	n/a	yes
quic	Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.	bool	null	no
random_certificate_suffix	Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.	bool	false	no
security_policy	The resource URL for the security policy to associate with the backend service	string	null	no
server_tls_policy	The resource URL for the server TLS policy to associate with the https proxy service	string	null	no
ssl	Set to true to enable SSL support. If true then at least one of these are required: 1) ssl_certificates OR 2) create_ssl_certificate set to true and private_key/certificate OR 3) managed_ssl_certificate_domains, OR 4) certificate_map	bool	false	no
ssl_certificates	SSL cert self_link list. Requires ssl to be set to true	list(string)	[]	no
ssl_policy	Selfink to SSL Policy	string	null	no
url_map	The url_map resource to use. Default is to send all traffic to first backend.	string	null	no

Outputs

Name	Description
backend_services	The backend service resources.
external_ip	The external IPv4 assigned to the global fowarding rule.
external_ipv6_address	The external IPv6 assigned to the global fowarding rule.
http_proxy	The HTTP proxy used by this module.
https_proxy	The HTTPS proxy used by this module.
ipv6_enabled	Whether IPv6 configuration is enabled on this load-balancer
ssl_certificate_created	The SSL certificate create from key/pem
url_map	The default URL map used by this module.

• google_compute_global_forwarding_rule.http: The global HTTP forwarding rule.
• google_compute_global_forwarding_rule.https: The global HTTPS forwarding rule created when ssl is true.
• google_compute_target_http_proxy.default: The HTTP proxy resource that binds the url map. Created when input ssl is false.
• google_compute_target_https_proxy.default: The HTTPS proxy resource that binds the url map. Created when input ssl is true.
• google_compute_ssl_certificate.default: The certificate resource created when input ssl is true and managed_ssl_certificate_domains not specified.
• google_compute_managed_ssl_certificate.default: The Google-managed certificate resource created when input ssl is true and managed_ssl_certificate_domains is specified.
• google_compute_url_map.default: The default URL map resource when input url_map is not provided.
• google_compute_backend_service.default.*: The backend services created for each of the backend_params elements.