Modular Global HTTP Load Balancer for GCE using forwarding rules.
- If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the dynamic backends submodule.
- If you would like to use load balancing with serverless backends (Cloud Run, Cloud Functions or App Engine), see the serverless_negs submodule and cloudrun example.
- TCP load balancer
- HTTP/S load balancer
- Internal load balancer
This module is meant for use with Terraform 0.13. If you haven't upgraded and need a Terraform 0.12.x-compatible version of this module, the last released version intended for Terraform 0.12.x is v4.5.0.
```hcl
module "gce-lb-http" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 4.4"

  project     = "my-project-id"
  name        = "group-http-lb"
  target_tags = [module.mig1.target_tags, module.mig2.target_tags]

  backends = {
    default = {
      description                     = null
      protocol                        = "HTTP"
      port                            = var.service_port
      port_name                       = var.service_port_name
      timeout_sec                     = 10
      enable_cdn                      = false
      custom_request_headers          = null
      security_policy                 = null

      connection_draining_timeout_sec = null
      session_affinity                = null
      affinity_cookie_ttl_sec         = null

      health_check = {
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        request_path        = "/"
        port                = var.service_port
        host                = null
        logging             = null
      }

      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = var.backend
          balancing_mode               = null
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
          max_utilization              = null
        },
      ]

      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}
```

Figure 1. diagram of terraform resources
Current version is 3.0. Upgrade guides:
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| address | IP address self link | string | null | no |
| backends | Map backend indices to list of backend maps. | map(object({ | n/a | yes |
| cdn | Set to true to enable cdn on backend. | bool | false | no |
| certificate | Content of the SSL certificate. Required if ssl is true and ssl_certificates is empty. | string | null | no |
| create_address | Create a new global address | bool | true | no |
| create_url_map | Set to false if url_map variable is provided. | bool | true | no |
| firewall_networks | Names of the networks to create firewall rules in | list(string) | [ | no |
| firewall_projects | Names of the projects to create firewall rules in | list(string) | [ | no |
| http_forward | Set to false to disable HTTP port 80 forward | bool | true | no |
| https_redirect | Set to true to enable https redirect on the lb. | bool | false | no |
| ip_version | IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4 | string | null | no |
| managed_ssl_certificate_domains | Create Google-managed SSL certificates for specified domains. Requires ssl to be set to true and use_ssl_certificates set to false. | list(string) | [] | no |
| name | Name for the forwarding rule and prefix for supporting resources | string | n/a | yes |
| private_key | Content of the private SSL key. Required if ssl is true and ssl_certificates is empty. | string | null | no |
| project | The project to deploy to, if not set the default provider project is used. | string | n/a | yes |
| quic | Set to true to enable QUIC support | bool | false | no |
| security_policy | The resource URL for the security policy to associate with the backend service | string | null | no |
| ssl | Set to true to enable SSL support, requires variable ssl_certificates - a list of self_link certs | bool | false | no |
| ssl_certificates | SSL cert self_link list. Required if ssl is true and no private_key and certificate is provided. | list(string) | [] | no |
| ssl_policy | Self link to SSL Policy | string | null | no |
| target_service_accounts | List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | [] | no |
| target_tags | List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. | list(string) | [] | no |
| url_map | The url_map resource to use. Default is to send all traffic to first backend. | string | null | no |
| use_ssl_certificates | If true, use the certificates provided by ssl_certificates, otherwise, create cert from private_key and certificate | bool | false | no |

| Name | Description |
|---|---|
| backend_services | The backend service resources. |
| external_ip | The external IP assigned to the global forwarding rule. |
| http_proxy | The HTTP proxy used by this module. |
| https_proxy | The HTTPS proxy used by this module. |

- `google_compute_global_forwarding_rule.http`: The global HTTP forwarding rule.
- `google_compute_global_forwarding_rule.https`: The global HTTPS forwarding rule created when `ssl` is `true`.
- `google_compute_target_http_proxy.default`: The HTTP proxy resource that binds the url map. Created when input `ssl` is `false`.
- `google_compute_target_https_proxy.default`: The HTTPS proxy resource that binds the url map. Created when input `ssl` is `true`.
- `google_compute_ssl_certificate.default`: The certificate resource created when input `ssl` is `true` and `managed_ssl_certificate_domains` not specified.
- `google_compute_managed_ssl_certificate.default`: The Google-managed certificate resource created when input `ssl` is `true` and `managed_ssl_certificate_domains` is specified.
- `google_compute_url_map.default`: The default URL map resource when input `url_map` is not provided.
- `google_compute_backend_service.default.*`: The backend services created for each of the `backend_params` elements.
- `google_compute_health_check.default.*`: Health check resources created for each of the (non global NEG) backend services.
- `google_compute_firewall.default-hc`: Firewall rule created for each of the backend services to allow health checks to the instance group.
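
The usage example above serves plain HTTP only. The following HTTPS variant is an added example, not part of the module's own documentation, and combines only inputs listed in the table above. The domain, the `var.backend_service_account` variable, the `google_compute_ssl_policy.modern` resource and `local.backends` (assumed to hold the same map as the `backends` argument in the usage example) are assumptions made for illustration.

```hcl
# Added example: TLS-terminating variant of the usage block.
module "gce-lb-https" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 4.4"

  project = "my-project-id"
  name    = "group-https-lb"

  # Exactly one of target_tags or target_service_accounts may be set.
  # Scoping the health-check firewall rule to a service account ties it
  # to the workload identity rather than to a tag on the instance.
  target_service_accounts = [var.backend_service_account] # hypothetical variable

  # ssl = true creates the HTTPS forwarding rule and HTTPS proxy.
  ssl = true

  # Google-managed certificate: requires ssl = true and
  # use_ssl_certificates = false. This keeps private_key and certificate
  # out of the configuration entirely.
  use_ssl_certificates            = false
  managed_ssl_certificate_domains = ["lb.example.com"] # placeholder domain

  # Enable the module's HTTP-to-HTTPS redirect.
  https_redirect = true

  # Self link of an SSL policy restricting protocol versions and ciphers.
  ssl_policy = google_compute_ssl_policy.modern.self_link

  # Assumed: same structure as the backends map in the usage example.
  backends = local.backends
}

# Hypothetical SSL policy referenced by ssl_policy above.
resource "google_compute_ssl_policy" "modern" {
  project         = "my-project-id"
  name            = "group-https-lb-tls12"
  profile         = "MODERN"
  min_tls_version = "TLS_1_2"
}
```

If `private_key` and `certificate` are used instead of a managed certificate, both values are written to the Terraform state, so access to the state backend needs to be restricted accordingly.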
