diff --git a/metadata.yaml b/metadata.yaml index fdcb1d05..f6035e1e 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -33,6 +33,10 @@ spec: subBlueprints: - name: dynamic_backends location: modules/dynamic_backends + - name: lb-http-backend + location: modules/lb-http-backend + - name: lb-http-frontend + location: modules/lb-http-frontend - name: serverless_negs location: modules/serverless_negs examples: @@ -131,11 +135,11 @@ spec: max_rate_per_endpoint = optional(number) max_utilization = optional(number) })) - iap_config = object({ + iap_config = optional(object({ enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) - }) + })) cdn_policy = optional(object({ cache_mode = optional(string) signed_url_cache_max_age_sec = optional(string) diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 936377ac..6f0e1cda 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -127,11 +127,11 @@ spec: max_rate_per_endpoint = optional(number) max_utilization = optional(number) })) - iap_config = object({ + iap_config = optional(object({ enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) - }) + })) cdn_policy = optional(object({ cache_mode = optional(string) signed_url_cache_max_age_sec = optional(string) diff --git a/modules/lb-http-backend/README.md b/modules/lb-http-backend/README.md new file mode 100644 index 00000000..7a82fa4c --- /dev/null +++ b/modules/lb-http-backend/README.md @@ -0,0 +1,42 @@ +# HTTP Load balancer backend module + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| affinity\_cookie\_ttl\_sec | n/a | `number` | `null` | no | +| cdn\_policy | n/a |
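Review bot: In the second hunk of metadata.yaml the `iap_config` type becomes `optional(object({ enable = bool ... }))`, but the inner `enable = bool` stays mandatory and no `defaultValue` is added alongside the optional wrapper, so a caller who passes `iap_config = {}` would still be rejected while one who omits it gets a null object; whether that null is guarded is decided in variables.tf and main.tf, which are not in this diff. If the intent is "IAP off unless configured", the variable definition would be clearer as `enable = optional(bool, false)` with a matching `defaultValue:` entry here, so that the documented contract and the default the module actually applies cannot drift. The same wording applies to the identical hunk in modules/dynamic_backends/metadata.yaml, which is the next hunk on this line. Note also that `oauth2_client_secret` is a credential input; the metadata gives it no description, and a one-line `description: OAuth2 client secret for IAP; supply via a secret store rather than a committed tfvars file` would help consumers of the generated README.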
object({
cache_mode = optional(string)
signed_url_cache_max_age_sec = optional(string)
default_ttl = optional(number)
max_ttl = optional(number)
client_ttl = optional(number)
negative_caching = optional(bool)
serve_while_stale = optional(number)
bypass_cache_on_request_headers = optional(list(string))
negative_caching_policy = optional(object({
code = optional(number)
ttl = optional(number)
}))
cache_key_policy = optional(object({
include_host = optional(bool)
include_protocol = optional(bool)
include_query_string = optional(bool)
query_string_blacklist = optional(list(string))
query_string_whitelist = optional(list(string))
include_http_headers = optional(list(string))
include_named_cookies = optional(list(string))
}))
})
| `{}` | no | +| compression\_mode | n/a | `string` | `"DISABLED"` | no | +| connection\_draining\_timeout\_sec | n/a | `number` | `null` | no | +| custom\_request\_headers | n/a | `list(string)` | `[]` | no | +| custom\_response\_headers | n/a | `list(string)` | `[]` | no | +| description | n/a | `string` | `null` | no | +| edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no | +| enable\_cdn | n/a | `bool` | `false` | no | +| firewall\_networks | Names of the networks to create firewall rules in | `list(string)` |
[
"default"
]
| no | +| firewall\_projects | Names of the projects to create firewall rules in | `list(string)` |
[
"default"
]
| no | +| groups | n/a |
list(object({
group = string
description = optional(string)
}))
| `[]` | no | +| health\_check | n/a |
object({
host = optional(string, null)
request_path = optional(string, null)
request = optional(string, null)
response = optional(string, null)
port = optional(number, null)
port_name = optional(string, null)
proxy_header = optional(string, null)
port_specification = optional(string, null)
protocol = optional(string, null)
check_interval_sec = optional(number, 5)
timeout_sec = optional(number, 5)
healthy_threshold = optional(number, 2)
unhealthy_threshold = optional(number, 2)
logging = optional(bool, false)
})
| `null` | no | +| host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | `list(object({ host : string, path : string }))` |
[
{
"host": "*",
"path": "/*"
}
]
| no | +| iap\_config | n/a |
object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
|
{
"enable": false
}
| no | +| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | +| locality\_lb\_policy | n/a | `string` | `null` | no | +| log\_config | n/a |
object({
enable = bool
sample_rate = number
})
|
{
"enable": true,
"sample_rate": 1
}
| no | +| name | Name for the backend service | `string` | n/a | yes | +| outlier\_detection | n/a |
object({
base_ejection_time = optional(object({
seconds = number
nanos = optional(number)
}))
consecutive_errors = optional(number)
consecutive_gateway_failure = optional(number)
enforcing_consecutive_errors = optional(number)
enforcing_consecutive_gateway_failure = optional(number)
enforcing_success_rate = optional(number)
interval = optional(object({
seconds = number
nanos = optional(number)
}))
max_ejection_percent = optional(number)
success_rate_minimum_hosts = optional(number)
success_rate_request_volume = optional(number)
success_rate_stdev_factor = optional(number)
})
| `null` | no | +| port\_name | n/a | `string` | `"http"` | no | +| project\_id | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes | +| protocol | n/a | `string` | `"HTTP"` | no | +| security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no | +| serverless\_neg\_backends | n/a |
list(object({
region = string
type = string // cloud-run, cloud-function, and app-engine
service_name = string
service_version = optional(string)
}))
| `[]` | no | +| session\_affinity | n/a | `string` | `null` | no | +| target\_service\_accounts | List of target service accounts for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | +| target\_tags | List of target tags for health check firewall rule. Exactly one of target\_tags or target\_service\_accounts should be specified. | `list(string)` | `[]` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| backend\_service\_info | Host, path and backend service mapping | + + \ No newline at end of file diff --git a/modules/lb-http-backend/main.tf b/modules/lb-http-backend/main.tf index b7383838..7d83e1d2 100644 --- a/modules/lb-http-backend/main.tf +++ b/modules/lb-http-backend/main.tf @@ -1,3 +1,19 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + resource "google_compute_backend_service" "default" { provider = google-beta diff --git a/modules/lb-http-backend/metadata.display.yaml b/modules/lb-http-backend/metadata.display.yaml new file mode 100644 index 00000000..298177ab --- /dev/null +++ b/modules/lb-http-backend/metadata.display.yaml 
@@ -0,0 +1,114 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-lb-http-lb-http-backend-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: HTTP Load balancer backend module + source: + repo: https://github.com/terraform-google-modules/terraform-google-lb-http.git + sourceType: git + dir: /modules/lb-http-backend + ui: + input: + variables: + affinity_cookie_ttl_sec: + name: affinity_cookie_ttl_sec + title: Affinity Cookie Ttl Sec + cdn_policy: + name: cdn_policy + title: Cdn Policy + compression_mode: + name: compression_mode + title: Compression Mode + connection_draining_timeout_sec: + name: connection_draining_timeout_sec + title: Connection Draining Timeout Sec + custom_request_headers: + name: custom_request_headers + title: Custom Request Headers + custom_response_headers: + name: custom_response_headers + title: Custom Response Headers + description: + name: description + title: Description + edge_security_policy: + name: edge_security_policy + title: Edge Security Policy + enable_cdn: + name: enable_cdn + title: Enable Cdn + firewall_networks: + name: firewall_networks + title: Firewall Networks + firewall_projects: + name: firewall_projects + title: Firewall Projects + groups: + name: groups + title: Groups + health_check: + name: health_check + title: Health Check + 
host_path_mappings: + name: host_path_mappings + title: Host Path Mappings + iap_config: + name: iap_config + title: Iap Config + load_balancing_scheme: + name: load_balancing_scheme + title: Load Balancing Scheme + locality_lb_policy: + name: locality_lb_policy + title: Locality Lb Policy + log_config: + name: log_config + title: Log Config + name: + name: name + title: Name + outlier_detection: + name: outlier_detection + title: Outlier Detection + port_name: + name: port_name + title: Port Name + project_id: + name: project_id + title: Project Id + protocol: + name: protocol + title: Protocol + security_policy: + name: security_policy + title: Security Policy + serverless_neg_backends: + name: serverless_neg_backends + title: Serverless Neg Backends + session_affinity: + name: session_affinity + title: Session Affinity + target_service_accounts: + name: target_service_accounts + title: Target Service Accounts + target_tags: + name: target_tags + title: Target Tags diff --git a/modules/lb-http-backend/metadata.yaml b/modules/lb-http-backend/metadata.yaml new file mode 100644 index 00000000..5112b960 --- /dev/null +++ b/modules/lb-http-backend/metadata.yaml 
@@ -0,0 +1,275 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-lb-http-lb-http-backend + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: HTTP Load balancer backend module + source: + repo: https://github.com/terraform-google-modules/terraform-google-lb-http.git + sourceType: git + dir: /modules/lb-http-backend + version: 12.0.0 + actuationTool: + flavor: Terraform + version: ">= 1.3" + description: {} + content: + examples: + - name: cdn-policy + location: examples/cdn-policy + - name: certificate-map + location: examples/certificate-map + - name: cloudrun + location: examples/cloudrun + - name: cloudrun-implicit-serverless-neg + location: examples/cloudrun-implicit-serverless-neg + - name: cross-project-mig-backend + location: examples/cross-project-mig-backend + - name: dynamic-backend + location: examples/dynamic-backend + - name: gke-node-port + location: examples/https-gke/gke-node-port + - name: https-gke + location: examples/https-gke + - name: https-redirect + location: examples/https-redirect + - name: mig-nat-http-lb + location: examples/mig-nat-http-lb + - name: multi-backend-multi-mig-bucket-https-lb + location: examples/multi-backend-multi-mig-bucket-https-lb + - name: multi-mig-http-lb + location: examples/multi-mig-http-lb + - name: multiple-certs + location: 
examples/multiple-certs + - name: shared-vpc + location: examples/shared-vpc + - name: traffic-director + location: examples/traffic-director + - name: user-managed-google-managed-ssl + location: examples/user-managed-google-managed-ssl + interfaces: + variables: + - name: affinity_cookie_ttl_sec + varType: number + - name: cdn_policy + varType: |- + object({ + cache_mode = optional(string) + signed_url_cache_max_age_sec = optional(string) + default_ttl = optional(number) + max_ttl = optional(number) + client_ttl = optional(number) + negative_caching = optional(bool) + serve_while_stale = optional(number) + bypass_cache_on_request_headers = optional(list(string)) + negative_caching_policy = optional(object({ + code = optional(number) + ttl = optional(number) + })) + cache_key_policy = optional(object({ + include_host = optional(bool) + include_protocol = optional(bool) + include_query_string = optional(bool) + query_string_blacklist = optional(list(string)) + query_string_whitelist = optional(list(string)) + include_http_headers = optional(list(string)) + include_named_cookies = optional(list(string)) + })) + }) + defaultValue: {} + - name: compression_mode + varType: string + defaultValue: DISABLED + - name: connection_draining_timeout_sec + varType: number + - name: custom_request_headers + varType: list(string) + defaultValue: [] + - name: custom_response_headers + varType: list(string) + defaultValue: [] + - name: description + varType: string + - name: edge_security_policy + description: The resource URL for the edge security policy to associate with the backend service + varType: string + - name: enable_cdn + varType: bool + defaultValue: false + - name: firewall_networks + description: Names of the networks to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: firewall_projects + description: Names of the projects to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: groups + varType: |- 
+ list(object({ + group = string + description = optional(string) + })) + defaultValue: [] + connections: + source: + source: github.com/terraform-google-modules/terraform-google-vm//modules/mig + version: ~> 12.0 + spec: + outputExpr: '{"group": instance_group}' + - name: health_check + varType: |- + object({ + host = optional(string, null) + request_path = optional(string, null) + request = optional(string, null) + response = optional(string, null) + port = optional(number, null) + port_name = optional(string, null) + proxy_header = optional(string, null) + port_specification = optional(string, null) + protocol = optional(string, null) + check_interval_sec = optional(number, 5) + timeout_sec = optional(number, 5) + healthy_threshold = optional(number, 2) + unhealthy_threshold = optional(number, 2) + logging = optional(bool, false) + }) + - name: host_path_mappings + description: The list of host/path for which traffic could be sent to the backend service + varType: "list(object({ host : string, path : string }))" + defaultValue: + - host: "*" + path: /* + - name: iap_config + varType: |- + object({ + enable = bool + oauth2_client_id = optional(string) + oauth2_client_secret = optional(string) + }) + defaultValue: + enable: false + - name: load_balancing_scheme + description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director) + varType: string + defaultValue: EXTERNAL_MANAGED + - name: locality_lb_policy + varType: string + - name: log_config + varType: |- + object({ + enable = bool + sample_rate = number + }) + defaultValue: + enable: true + sample_rate: 1 + - name: name + description: Name for the backend service + varType: string + required: true + - name: outlier_detection + varType: |- + object({ + base_ejection_time = optional(object({ + seconds = number + nanos = optional(number) + })) + consecutive_errors = optional(number) + 
consecutive_gateway_failure = optional(number) + enforcing_consecutive_errors = optional(number) + enforcing_consecutive_gateway_failure = optional(number) + enforcing_success_rate = optional(number) + interval = optional(object({ + seconds = number + nanos = optional(number) + })) + max_ejection_percent = optional(number) + success_rate_minimum_hosts = optional(number) + success_rate_request_volume = optional(number) + success_rate_stdev_factor = optional(number) + }) + - name: port_name + varType: string + defaultValue: http + - name: project_id + description: The project to deploy to, if not set the default provider project is used. + varType: string + required: true + - name: protocol + varType: string + defaultValue: HTTP + - name: security_policy + description: The resource URL for the security policy to associate with the backend service + varType: string + - name: serverless_neg_backends + varType: |- + list(object({ + region = string + type = string // cloud-run, cloud-function, and app-engine + service_name = string + service_version = optional(string) + })) + defaultValue: [] + connections: + source: + source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2 + version: ~> 0.12 + spec: + outputExpr: '{"region": location, "service_name": service_name, "type": "cloud-run"}' + - name: session_affinity + varType: string + - name: target_service_accounts + description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. + varType: list(string) + defaultValue: [] + - name: target_tags + description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. 
+ varType: list(string) + defaultValue: [] + outputs: + - name: backend_service_info + description: Host, path and backend service mapping + type: + - list + - - object + - host: string + - path: string + - backend_service: string + requirements: + roles: + - level: Project + roles: + - roles/compute.xpnAdmin + - level: Project + roles: + - roles/owner + - roles/storage.admin + services: + - cloudresourcemanager.googleapis.com + - storage-api.googleapis.com + - serviceusage.googleapis.com + - compute.googleapis.com + - run.googleapis.com + - iam.googleapis.com + - certificatemanager.googleapis.com diff --git a/modules/lb-http-backend/outputs.tf b/modules/lb-http-backend/outputs.tf index 44e89d75..c8ed10f1 100644 --- a/modules/lb-http-backend/outputs.tf +++ b/modules/lb-http-backend/outputs.tf @@ -1,3 +1,19 @@ +/** + * Copyright 2024 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + output "backend_service_info" { description = "Host, path and backend service mapping" value = [ diff --git a/modules/lb-http-frontend/README.md b/modules/lb-http-frontend/README.md new file mode 100644 index 00000000..e92b41cd --- /dev/null +++ b/modules/lb-http-frontend/README.md 
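Review bot: The `requirements.roles` block of the new modules/lb-http-backend/metadata.yaml lists `roles/owner` and `roles/storage.admin` at Project level, which overstates what a module that creates a backend service, health check and firewall rules needs and will be read as the deployment prerequisite by anyone consuming this metadata; if the list was carried over from the repository's integration-test setup, trim it to the compute roles the module actually uses (and drop `roles/compute.xpnAdmin` unless the shared-VPC firewall path genuinely requires it). Separately, `iap_config` in this file is still declared as a non-optional `object({ enable = bool ... })` with `defaultValue: enable: false`, whereas the root metadata.yaml and modules/dynamic_backends/metadata.yaml hunks in this same commit change that type to `optional(object({...}))`; if the backend module's variables.tf uses the same definition, the varType here should match, otherwise the README generated from it documents a different contract than the root module. The `content.examples` list also reproduces all sixteen root-level examples for this submodule; it is presumably tool-generated, but only the examples that actually instantiate `modules/lb-http-backend` belong here.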
@@ -0,0 +1,51 @@ +# HTTP Load balancer frontend module + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| address | Existing IPv4 address to use (the actual IP address value) | `string` | `null` | no | +| certificate | Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no | +| certificate\_map | Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` | `string` | `null` | no | +| create\_address | Create a new global IPv4 address | `bool` | `true` | no | +| create\_ipv6\_address | Allocate a new IPv6 address. Conflicts with "ipv6\_address" - if both specified, "create\_ipv6\_address" takes precedence. | `bool` | `false` | no | +| create\_ssl\_certificate | If `true`, Create certificate using `private_key/certificate` | `bool` | `false` | no | +| create\_url\_map | Set to `false` if url\_map variable is provided. | `bool` | `true` | no | +| edge\_security\_policy | The resource URL for the edge security policy to associate with the backend service | `string` | `null` | no | +| enable\_ipv6 | Enable IPv6 address on the CDN load-balancer | `bool` | `false` | no | +| http\_forward | Set to `false` to disable HTTP port 80 forward | `bool` | `true` | no | +| http\_keep\_alive\_timeout\_sec | Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). | `number` | `null` | no | +| http\_port | The port for the HTTP load balancer | `number` | `80` | no | +| https\_port | The port for the HTTPS load balancer | `number` | `443` | no | +| https\_redirect | Set to `true` to enable https redirect on the lb. 
| `bool` | `false` | no | +| ipv6\_address | An existing IPv6 address to use (the actual IP address value) | `string` | `null` | no | +| labels | The labels to attach to resources created by this module | `map(string)` | `{}` | no | +| load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | +| managed\_ssl\_certificate\_domains | Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no | +| name | Name for the forwarding rule and prefix for supporting resources | `string` | n/a | yes | +| network | Network for INTERNAL\_SELF\_MANAGED load balancing scheme | `string` | `"default"` | no | +| private\_key | Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` | `string` | `null` | no | +| project\_id | The project to deploy to, if not set the default provider project is used. | `string` | n/a | yes | +| quic | Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. | `bool` | `null` | no | +| random\_certificate\_suffix | Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. | `bool` | `false` | no | +| security\_policy | The resource URL for the security policy to associate with the backend service | `string` | `null` | no | +| server\_tls\_policy | The resource URL for the server TLS policy to associate with the https proxy service | `string` | `null` | no | +| ssl | Set to `true` to enable SSL support. 
If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map` | `bool` | `false` | no | +| ssl\_certificates | SSL cert self\_link list. Requires `ssl` to be set to `true` | `list(string)` | `[]` | no | +| ssl\_policy | Selfink to SSL Policy | `string` | `null` | no | +| url\_map\_input | List of host, path and backend service for creating url\_map |
list(object({
host : string
path : string
backend_service : string
}))
| `[]` | no | +| url\_map\_resource\_uri | The url\_map resource to use. Default is to send all traffic to first backend. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| external\_ip | The external IPv4 assigned to the global fowarding rule. | +| external\_ipv6\_address | The external IPv6 assigned to the global fowarding rule. | +| http\_proxy | The HTTP proxy used by this module. | +| https\_proxy | The HTTPS proxy used by this module. | +| ipv6\_enabled | Whether IPv6 configuration is enabled on this load-balancer | +| ssl\_certificate\_created | The SSL certificate create from key/pem | +| url\_map | The default URL map used by this module. | + + \ No newline at end of file diff --git a/modules/lb-http-frontend/metadata.display.yaml b/modules/lb-http-frontend/metadata.display.yaml new file mode 100644 index 00000000..20180177 --- /dev/null +++ b/modules/lb-http-frontend/metadata.display.yaml 
@@ -0,0 +1,130 @@ +# Copyright 2024 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-lb-http-lb-http-frontend-display + annotations: + config.kubernetes.io/local-config: "true" +spec: + info: + title: HTTP Load balancer frontend module + source: + repo: https://github.com/terraform-google-modules/terraform-google-lb-http.git + sourceType: git + dir: /modules/lb-http-frontend + ui: + input: + variables: + address: + name: address + title: Address + certificate: + name: certificate + title: Certificate + certificate_map: + name: certificate_map + title: Certificate Map + create_address: + name: create_address + title: Create Address + create_ipv6_address: + name: create_ipv6_address + title: Create Ipv6 Address + create_ssl_certificate: + name: create_ssl_certificate + title: Create Ssl Certificate + create_url_map: + name: create_url_map + title: Create Url Map + edge_security_policy: + name: edge_security_policy + title: Edge Security Policy + enable_ipv6: + name: enable_ipv6 + title: Enable Ipv6 + http_forward: + name: http_forward + title: Http Forward + http_keep_alive_timeout_sec: + name: http_keep_alive_timeout_sec + title: Http Keep Alive Timeout Sec + http_port: + name: http_port + title: Http Port + https_port: + name: https_port + title: Https Port + https_redirect: + name: https_redirect + title: Https Redirect + ipv6_address: + name: 
ipv6_address + title: Ipv6 Address + labels: + name: labels + title: Labels + load_balancing_scheme: + name: load_balancing_scheme + title: Load Balancing Scheme + managed_ssl_certificate_domains: + name: managed_ssl_certificate_domains + title: Managed Ssl Certificate Domains + name: + name: name + title: Name + network: + name: network + title: Network + private_key: + name: private_key + title: Private Key + project_id: + name: project_id + title: Project Id + quic: + name: quic + title: Quic + random_certificate_suffix: + name: random_certificate_suffix + title: Random Certificate Suffix + security_policy: + name: security_policy + title: Security Policy + server_tls_policy: + name: server_tls_policy + title: Server Tls Policy + ssl: + name: ssl + title: Ssl + ssl_certificates: + name: ssl_certificates + title: Ssl Certificates + ssl_policy: + name: ssl_policy + title: Ssl Policy + url_map_input: + name: url_map_input + title: Url Map Input + url_map_resource_uri: + name: url_map_resource_uri + title: Url Map Resource Uri + runtime: + outputs: + external_ip: + visibility: VISIBILITY_ROOT + external_ipv6_address: + visibility: VISIBILITY_ROOT + diff --git a/modules/lb-http-frontend/metadata.yaml b/modules/lb-http-frontend/metadata.yaml new file mode 100644 index 00000000..f94d70f4 --- /dev/null +++ b/modules/lb-http-frontend/metadata.yaml 
@@ -0,0 +1,230 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: blueprints.cloud.google.com/v1alpha1
+kind: BlueprintMetadata
+metadata:
+ name: terraform-google-lb-http-lb-http-frontend
+ annotations:
+ config.kubernetes.io/local-config: "true"
+spec:
+ info:
+ title: HTTP Load balancer frontend module
+ source:
+ repo: https://github.com/terraform-google-modules/terraform-google-lb-http.git
+ sourceType: git
+ dir: /modules/lb-http-frontend
+ version: 12.0.0
+ actuationTool:
+ flavor: Terraform
+ version: ">= 1.3"
+ description: {}
+ content:
+ examples:
+ - name: cdn-policy
+ location: examples/cdn-policy
+ - name: certificate-map
+ location: examples/certificate-map
+ - name: cloudrun
+ location: examples/cloudrun
+ - name: cloudrun-implicit-serverless-neg
+ location: examples/cloudrun-implicit-serverless-neg
+ - name: cross-project-mig-backend
+ location: examples/cross-project-mig-backend
+ - name: dynamic-backend
+ location: examples/dynamic-backend
+ - name: gke-node-port
+ location: examples/https-gke/gke-node-port
+ - name: https-gke
+ location: examples/https-gke
+ - name: https-redirect
+ location: examples/https-redirect
+ - name: mig-nat-http-lb
+ location: examples/mig-nat-http-lb
+ - name: multi-backend-multi-mig-bucket-https-lb
+ location: examples/multi-backend-multi-mig-bucket-https-lb
+ - name: multi-mig-http-lb
+ location: examples/multi-mig-http-lb
+ - name: multiple-certs
+ location: 
examples/multiple-certs
+ - name: shared-vpc
+ location: examples/shared-vpc
+ - name: traffic-director
+ location: examples/traffic-director
+ - name: user-managed-google-managed-ssl
+ location: examples/user-managed-google-managed-ssl
+ interfaces:
+ variables:
+ - name: address
+ description: Existing IPv4 address to use (the actual IP address value)
+ varType: string
+ - name: certificate
+ description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
+ varType: string
+ - name: certificate_map
+ description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`
+ varType: string
+ - name: create_address
+ description: Create a new global IPv4 address
+ varType: bool
+ defaultValue: true
+ - name: create_ipv6_address
+ description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence.
+ varType: bool
+ defaultValue: false
+ - name: create_ssl_certificate
+ description: If `true`, Create certificate using `private_key/certificate`
+ varType: bool
+ defaultValue: false
+ - name: create_url_map
+ description: Set to `false` if url_map variable is provided.
+ varType: bool
+ defaultValue: true
+ - name: edge_security_policy
+ description: The resource URL for the edge security policy to associate with the backend service
+ varType: string
+ - name: enable_ipv6
+ description: Enable IPv6 address on the CDN load-balancer
+ varType: bool
+ defaultValue: false
+ - name: http_forward
+ description: Set to `false` to disable HTTP port 80 forward
+ varType: bool
+ defaultValue: true
+ - name: http_keep_alive_timeout_sec
+ description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). 
+ varType: number
+ - name: http_port
+ description: The port for the HTTP load balancer
+ varType: number
+ defaultValue: 80
+ - name: https_port
+ description: The port for the HTTPS load balancer
+ varType: number
+ defaultValue: 443
+ - name: https_redirect
+ description: Set to `true` to enable https redirect on the lb.
+ varType: bool
+ defaultValue: false
+ - name: ipv6_address
+ description: An existing IPv6 address to use (the actual IP address value)
+ varType: string
+ - name: labels
+ description: The labels to attach to resources created by this module
+ varType: map(string)
+ defaultValue: {}
+ - name: load_balancing_scheme
+ description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)
+ varType: string
+ defaultValue: EXTERNAL_MANAGED
+ - name: managed_ssl_certificate_domains
+ description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`
+ varType: list(string)
+ defaultValue: []
+ - name: name
+ description: Name for the forwarding rule and prefix for supporting resources
+ varType: string
+ required: true
+ - name: network
+ description: Network for INTERNAL_SELF_MANAGED load balancing scheme
+ varType: string
+ defaultValue: default
+ - name: private_key
+ description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
+ varType: string
+ - name: project_id
+ description: The project to deploy to, if not set the default provider project is used.
+ varType: string
+ required: true
+ - name: quic
+ description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.
+ varType: bool
+ - name: random_certificate_suffix
+ description: Bool to enable/disable random certificate name generation. 
Set and keep this to true if you need to change the SSL cert.
+ varType: bool
+ defaultValue: false
+ - name: security_policy
+ description: The resource URL for the security policy to associate with the backend service
+ varType: string
+ - name: server_tls_policy
+ description: The resource URL for the server TLS policy to associate with the https proxy service
+ varType: string
+ - name: ssl
+ description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
+ varType: bool
+ defaultValue: false
+ - name: ssl_certificates
+ description: SSL cert self_link list. Requires `ssl` to be set to `true`
+ varType: list(string)
+ defaultValue: []
+ - name: ssl_policy
+ description: Selfink to SSL Policy
+ varType: string
+ - name: url_map_input
+ description: List of host, path and backend service for creating url_map
+ varType: |-
+ list(object({
+ host : string
+ path : string
+ backend_service : string
+ }))
+ defaultValue: []
+ connections:
+ source:
+ source: github.com/GoogleCloudPlatform/terraform-google-lb-http//modules/lb-http-backend
+ version: ">= 12.0"
+ spec:
+ outputExpr: backend_service_info
+ - name: url_map_resource_uri
+ description: The url_map resource to use. Default is to send all traffic to first backend.
+ varType: string
+ outputs:
+ - name: external_ip
+ description: The external IPv4 assigned to the global fowarding rule.
+ type: string
+ - name: external_ipv6_address
+ description: The external IPv6 assigned to the global fowarding rule.
+ type: string
+ - name: http_proxy
+ description: The HTTP proxy used by this module.
+ type: string
+ - name: https_proxy
+ description: The HTTPS proxy used by this module. 
+ type: string
+ - name: ipv6_enabled
+ description: Whether IPv6 configuration is enabled on this load-balancer
+ type: bool
+ - name: ssl_certificate_created
+ description: The SSL certificate create from key/pem
+ type: string
+ - name: url_map
+ description: The default URL map used by this module.
+ type: string
+ requirements:
+ roles:
+ - level: Project
+ roles:
+ - roles/owner
+ - roles/storage.admin
+ - level: Project
+ roles:
+ - roles/compute.xpnAdmin
+ services:
+ - cloudresourcemanager.googleapis.com
+ - storage-api.googleapis.com
+ - serviceusage.googleapis.com
+ - compute.googleapis.com
+ - run.googleapis.com
+ - iam.googleapis.com
+ - certificatemanager.googleapis.com
diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml
index e0ab8de7..832eaa8c 100644
--- a/modules/serverless_negs/metadata.yaml
+++ b/modules/serverless_negs/metadata.yaml
@@ -109,11 +109,11 @@ spec:
 service = object({ name : string, version : optional(string) })
 })), [])
- iap_config = object({
+ iap_config = optional(object({
 enable = bool
 oauth2_client_id = optional(string)
 oauth2_client_secret = optional(string)
- })
+ }))
 cdn_policy = optional(object({
 cache_mode = optional(string)
 signed_url_cache_max_age_sec = optional(string)
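Review bot: The new `interfaces` descriptions in modules/lb-http-frontend/metadata.yaml carry typos that will propagate into the generated README and any UI built from this metadata: `external_ip` and `external_ipv6_address` say `global fowarding rule`, `ssl_policy` says `Selfink to SSL Policy`, and `ssl_certificate_created` says `The SSL certificate create from key/pem`. Since this file appears to be generated from the module's variables.tf/outputs.tf descriptions, the wording should be corrected there (`global forwarding rule`, `Self-link to the SSL policy`, `The SSL certificate created from key/pem`) and the metadata regenerated rather than hand-edited. Separately, `requirements.roles` asks for `roles/owner` and `roles/storage.admin` at project level for a module that, per its own outputs, only manages forwarding rules, proxies, certificates and a URL map; if that list was carried over from the root module, trimming it to the compute and certificate-manager roles the frontend actually exercises would keep the test service account closer to least privilege. Finally, `private_key` carries secret material but nothing in this metadata marks it as such, so it is worth confirming the matching variable in variables.tf is declared `sensitive = true` so the key does not appear in plan output or generated documentation.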