Global HTTP Load Balancer Terraform Module

Modular Global HTTP Load Balancer for GCE using forwarding rules.

• If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the dynamic backends submodule.
• If you would like to use load balancing with serverless backends (Cloud Run, Cloud Functions or App Engine), see the serverless_negs submodule and cloudrun example.

Load Balancer Types

• TCP load balancer
• HTTP/S load balancer
• Internal load balancer

Compatibility

This module is meant for use with Terraform 0.12. If you haven't upgraded and need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is 1.0.10.

Usage

module "gce-lb-http" {
  source            = "GoogleCloudPlatform/lb-http/google"
  version           = "~> 4.4"

  project           = "my-project-id"
  name              = "group-http-lb"
  target_tags       = [module.mig1.target_tags, module.mig2.target_tags]
  backends = {
    default = {
      description                     = null
      protocol                        = "HTTP"
      port                            = var.service_port
      port_name                       = var.service_port_name
      timeout_sec                     = 10
      enable_cdn                      = false
      custom_request_headers          = null
      security_policy                 = null
  connection_draining_timeout_sec = null
  session_affinity                = null
  affinity_cookie_ttl_sec         = null

  health_check = {
    check_interval_sec  = null
    timeout_sec         = null
    healthy_threshold   = null
    unhealthy_threshold = null
    request_path        = "/"
    port                = var.service_port
    host                = null
    logging             = null
  }

  log_config = {
    enable = true
    sample_rate = 1.0
  }

  groups = [
    {
      # Each node pool instance group should be added to the backend.
      group                        = var.backend
      balancing_mode               = null
      capacity_scaler              = null
      description                  = null
      max_connections              = null
      max_connections_per_instance = null
      max_connections_per_endpoint = null
      max_rate                     = null
      max_rate_per_instance        = null
      max_rate_per_endpoint        = null
      max_utilization              = null
    },
  ]

  iap_config = {
    enable               = false
    oauth2_client_id     = null
    oauth2_client_secret = null
  }
}
  }
}

Resources created

Figure 1. diagram of terraform resources

Version

Current version is 3.0. Upgrade guides:

• 1.X -> 2.X
• 2.X -> 3.0

Inputs

| Name | Description | Type | Default | Required | |------|-------------|:----:|:-----:|:-----:| | address | IP address self link | string |

"null"

true

"false"

ssl

true

ssl_certificates

"null"

"true"

false

"true"

false

"true"

true

"false"

"null"

ssl

true

set to

. | list(string) |

| no |
| name | Name for the forwarding rule and prefix for supporting resources | string | n/a | yes |
| private\_key | Content of the private SSL key. Required if

is

and

is empty. | string |

| no |
| project | The project to deploy to, if not set the default provider project is used. | string | n/a | yes |
| quic | Set to

to enable QUIC support | bool |

| no |
| security\_policy | The resource URL for the security policy to associate with the backend service | string |

| no |
| ssl | Set to

to enable SSL support, requires variable

"false"

ssl

true

and

is provided. | list(string) |

| no |
| ssl\_policy | Selfink to SSL Policy | string |

| no |
| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) |

| no |
| target\_tags | List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) |

| no |
| url\_map | The url_map resource to use. Default is to send all traffic to first backend. | string |

| no |
| use\_ssl\_certificates | If true, use the certificates provided by

, otherwise, create cert from

and

| bool |

Outputs

| Name | Description | |------|-------------| | backend_services | The backend service resources. | | external_ip | The external IP assigned to the global forwarding rule. | | http_proxy | The HTTP proxy used by this module. | | https_proxy | The HTTPS proxy used by this module. |

• google_compute_global_forwarding_rule.http

  : The global HTTP forwarding rule.

• google_compute_global_forwarding_rule.https

  : The global HTTPS forwarding rule created when

  ssl

  is

  true

  .

• google_compute_target_http_proxy.default

  : The HTTP proxy resource that binds the url map. Created when input

  ssl

  is

  false

  .

• google_compute_target_https_proxy.default

  : The HTTPS proxy resource that binds the url map. Created when input

  ssl

  is

  true

  .

• google_compute_ssl_certificate.default

  : The certificate resource created when input

  ssl

  is

  true

  and

  managed_ssl_certificate_domains

  not specified.

• google_compute_managed_ssl_certificate.default

  : The Google-managed certificate resource created when input

  ssl

  is

  true

  and

  managed_ssl_certificate_domains

  is specified.

• google_compute_url_map.default

  : The default URL map resource when input

  url_map

  is not provided.

• google_compute_backend_service.default.*

  : The backend services created for each of the

  backend_params

  elements.

• google_compute_health_check.default.*

  : Health check resources created for each of the (non global NEG) backend services.

• google_compute_firewall.default-hc

  : Firewall rule created for each of the backed services to allow health checks to the instance group.