Internet NEG for net-lb-proxy-int
wiktorn committed May 24, 2024
1 parent 11050c4 commit 439e9a1
Showing 6 changed files with 251 additions and 17 deletions.
79 changes: 62 additions & 17 deletions modules/net-lb-proxy-int/README.md
@@ -15,6 +15,7 @@ Due to the complexity of the underlying resources, changes to the configuration
- [Zonal NEG creation](#zonal-neg-creation)
- [Hybrid NEG creation](#hybrid-neg-creation)
- [Private Service Connect NEG creation](#private-service-connect-neg-creation)
- [Internet NEG creation](#internet-neg-creation)
- [Files](#files)
- [Variables](#variables)
- [Outputs](#outputs)
@@ -271,6 +272,47 @@ module "int-tcp-proxy" {
# tftest modules=1 resources=5
```

#### Internet NEG creation

This example shows how to create and manage internet NEGs:

```hcl
module "ilb-l7" {
source = "./fabric/modules/net-lb-proxy-int"
project_id = var.project_id
name = "ilb-test"
region = var.region
backend_service_config = {
backends = [
{ group = "neg-0" }
]
# with a single internet NEG the implied default health check is optional
health_checks = []
}
port = 80
neg_configs = {
neg-0 = {
internet = {
region = var.region
use_fqdn = true
endpoints = {
e-0 = {
destination = "www.example.org"
port = 80
}
}
}
}
}
vpc_config = {
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}
}
# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e
```


<!-- TFDOC OPTS files:1 -->
<!-- BEGIN TFDOC -->
## Files
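Review bot: the example module is labelled `ilb-l7`, although this module builds an internal regional TCP proxy and the preceding example in the same file is named `int-tcp-proxy`; rename it so the README does not suggest an HTTP(S) load balancer. The comment `# with a single internet NEG the implied default health check is optional` should say plainly that `health_checks = []` leaves the backend with no health check at all, so the proxy keeps forwarding to `www.example.org` whatever its state; readers should opt into that knowingly. The `tftest` line references `inventory=internet-neg.yaml`, which is not among the files visible in this diff, so confirm it is part of the commit. Finally, trim one of the two blank lines before `<!-- TFDOC OPTS files:1 -->`.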
@@ -280,7 +322,7 @@ module "int-tcp-proxy" {
| [backend-service.tf](./backend-service.tf) | Backend service resources. | <code>google_compute_region_backend_service</code> |
| [groups.tf](./groups.tf) | None | <code>google_compute_instance_group</code> |
| [health-check.tf](./health-check.tf) | Health check resource. | <code>google_compute_region_health_check</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> |
| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> · <code>google_compute_service_attachment</code> |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |
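Review bot: the generated row for `main.tf` now also lists `google_compute_service_attachment`, but the commit title only mentions the internet NEG; the PSC service attachment (with its `service_attachment` variable and `service_attachment_id` output) is a separate feature that would be easier to review and to revert as its own commit. If it stays here, the commit message should name it.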
@@ -290,9 +332,9 @@ module "int-tcp-proxy" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L198) | Load balancer name. | <code>string</code> || |
| [project_id](variables.tf#L256) | Project id. | <code>string</code> || |
| [region](variables.tf#L261) | The region where to allocate the ILB resources. | <code>string</code> || |
| [vpc_config](variables.tf#L266) | VPC-level configuration. | <code title="object&#40;&#123;&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || |
| [project_id](variables.tf#L267) | Project id. | <code>string</code> || |
| [region](variables.tf#L272) | The region where to allocate the ILB resources. | <code>string</code> || |
| [vpc_config](variables.tf#L292) | VPC-level configuration. | <code title="object&#40;&#123;&#10; network &#61; string&#10; subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> || |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | <code>string</code> | | <code>null</code> |
| [backend_service_config](variables.tf#L23) | Backend service level configuration. | <code title="object&#40;&#123;&#10; affinity_cookie_ttl_sec &#61; optional&#40;number&#41;&#10; connection_draining_timeout_sec &#61; optional&#40;number&#41;&#10; health_checks &#61; optional&#40;list&#40;string&#41;, &#91;&#34;default&#34;&#93;&#41;&#10; log_sample_rate &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; project_id &#61; optional&#40;string&#41;&#10; session_affinity &#61; optional&#40;string, &#34;NONE&#34;&#41;&#10; timeout_sec &#61; optional&#40;number&#41;&#10; backends &#61; optional&#40;list&#40;object&#40;&#123;&#10; group &#61; string&#10; balancing_mode &#61; optional&#40;string, &#34;UTILIZATION&#34;&#41;&#10; capacity_scaler &#61; optional&#40;number, 1&#41;&#10; description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10; failover &#61; optional&#40;bool, false&#41;&#10; max_connections &#61; optional&#40;object&#40;&#123;&#10; per_endpoint &#61; optional&#40;number&#41;&#10; per_group &#61; optional&#40;number&#41;&#10; per_instance &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10; max_utilization &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#41;&#10; connection_tracking &#61; optional&#40;object&#40;&#123;&#10; idle_timeout_sec &#61; optional&#40;number&#41;&#10; persist_conn_on_unhealthy &#61; optional&#40;string&#41;&#10; track_per_session &#61; optional&#40;bool&#41;&#10; &#125;&#41;&#41;&#10; failover_config &#61; optional&#40;object&#40;&#123;&#10; disable_conn_drain &#61; optional&#40;bool&#41;&#10; drop_traffic_if_unhealthy &#61; optional&#40;bool&#41;&#10; ratio &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [description](variables.tf#L75) | Optional description used for resources. | <code>string</code> | | <code>&#34;Terraform managed.&#34;</code> |
@@ -301,22 +343,25 @@ module "int-tcp-proxy" {
| [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | <code>string</code> | | <code>null</code> |
| [health_check_config](variables.tf#L106) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | <code title="object&#40;&#123;&#10; check_interval_sec &#61; optional&#40;number&#41;&#10; description &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10; enable_logging &#61; optional&#40;bool, false&#41;&#10; healthy_threshold &#61; optional&#40;number&#41;&#10; project_id &#61; optional&#40;string&#41;&#10; timeout_sec &#61; optional&#40;number&#41;&#10; unhealthy_threshold &#61; optional&#40;number&#41;&#10; grpc &#61; optional&#40;object&#40;&#123;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; service_name &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; http &#61; optional&#40;object&#40;&#123;&#10; host &#61; optional&#40;string&#41;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; proxy_header &#61; optional&#40;string&#41;&#10; request_path &#61; optional&#40;string&#41;&#10; response &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; http2 &#61; optional&#40;object&#40;&#123;&#10; host &#61; optional&#40;string&#41;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; proxy_header &#61; optional&#40;string&#41;&#10; request_path &#61; optional&#40;string&#41;&#10; response &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; https &#61; optional&#40;object&#40;&#123;&#10; host &#61; optional&#40;string&#41;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; 
optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; proxy_header &#61; optional&#40;string&#41;&#10; request_path &#61; optional&#40;string&#41;&#10; response &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; tcp &#61; optional&#40;object&#40;&#123;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; proxy_header &#61; optional&#40;string&#41;&#10; request &#61; optional&#40;string&#41;&#10; response &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; ssl &#61; optional&#40;object&#40;&#123;&#10; port &#61; optional&#40;number&#41;&#10; port_name &#61; optional&#40;string&#41;&#10; port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10; proxy_header &#61; optional&#40;string&#41;&#10; request &#61; optional&#40;string&#41;&#10; response &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code title="&#123;&#10; tcp &#61; &#123;&#10; port_specification &#61; &#34;USE_SERVING_PORT&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
| [labels](variables.tf#L192) | Labels set on resources. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map&#40;object&#40;&#123;&#10; project_id &#61; optional&#40;string&#41;&#10; gce &#61; optional&#40;object&#40;&#123;&#10; zone &#61; string&#10; network &#61; optional&#40;string&#41;&#10; subnetwork &#61; optional&#40;string&#41;&#10; endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10; instance &#61; string&#10; ip_address &#61; string&#10; port &#61; number&#10; &#125;&#41;&#41;&#41;&#10;&#10;&#10; &#125;&#41;&#41;&#10; hybrid &#61; optional&#40;object&#40;&#123;&#10; zone &#61; string&#10; network &#61; optional&#40;string&#41;&#10; endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10; ip_address &#61; string&#10; port &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; psc &#61; optional&#40;object&#40;&#123;&#10; region &#61; string&#10; target_service &#61; string&#10; network &#61; optional&#40;string&#41;&#10; subnetwork &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [port](variables.tf#L250) | Port. | <code>number</code> | | <code>80</code> |
| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map&#40;object&#40;&#123;&#10; project_id &#61; optional&#40;string&#41;&#10; gce &#61; optional&#40;object&#40;&#123;&#10; zone &#61; string&#10; network &#61; optional&#40;string&#41;&#10; subnetwork &#61; optional&#40;string&#41;&#10; endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10; instance &#61; string&#10; ip_address &#61; string&#10; port &#61; number&#10; &#125;&#41;&#41;&#41;&#10;&#10;&#10; &#125;&#41;&#41;&#10; hybrid &#61; optional&#40;object&#40;&#123;&#10; zone &#61; string&#10; network &#61; optional&#40;string&#41;&#10; endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10; ip_address &#61; string&#10; port &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; internet &#61; optional&#40;object&#40;&#123;&#10; region &#61; string&#10; use_fqdn &#61; optional&#40;bool, true&#41;&#10; endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10; destination &#61; string&#10; port &#61; number&#10; &#125;&#41;&#41;&#41;&#10; &#125;&#41;&#41;&#10; psc &#61; optional&#40;object&#40;&#123;&#10; region &#61; string&#10; target_service &#61; string&#10; network &#61; optional&#40;string&#41;&#10; subnetwork &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [port](variables.tf#L261) | Port. | <code>number</code> | | <code>80</code> |
| [service_attachment](variables.tf#L277) | PSC service attachment. | <code title="object&#40;&#123;&#10; nat_subnets &#61; list&#40;string&#41;&#10; automatic_connection &#61; optional&#40;bool, false&#41;&#10; consumer_accept_lists &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41; &#35; map of &#96;project_id&#96; &#61;&#62; &#96;connection_limit&#96;&#10; consumer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10; description &#61; optional&#40;string&#41;&#10; domain_name &#61; optional&#40;string&#41;&#10; enable_proxy_protocol &#61; optional&#40;bool, false&#41;&#10; reconcile_connections &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |

## Outputs

| name | description | sensitive |
|---|---|:---:|
| [backend_service](outputs.tf#L17) | Backend resource. | |
| [backend_service_id](outputs.tf#L22) | Backend id. | |
| [backend_service_self_link](outputs.tf#L27) | Backend self link. | |
| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | |
| [group_self_links](outputs.tf#L37) | Optional unmanaged instance group self links. | |
| [groups](outputs.tf#L44) | Optional unmanaged instance group resources. | |
| [health_check](outputs.tf#L49) | Auto-created health-check resource. | |
| [health_check_id](outputs.tf#L54) | Auto-created health-check id. | |
| [health_check_self_link](outputs.tf#L59) | Auto-created health-check self link. | |
| [id](outputs.tf#L64) | Fully qualified forwarding rule id. | |
| [neg_ids](outputs.tf#L69) | Autogenerated network endpoint group ids. | |
| [address](outputs.tf#L17) | Forwarding rule address. | |
| [backend_service](outputs.tf#L22) | Backend resource. | |
| [backend_service_id](outputs.tf#L27) | Backend id. | |
| [backend_service_self_link](outputs.tf#L32) | Backend self link. | |
| [forwarding_rule](outputs.tf#L37) | Forwarding rule resource. | |
| [group_self_links](outputs.tf#L42) | Optional unmanaged instance group self links. | |
| [groups](outputs.tf#L49) | Optional unmanaged instance group resources. | |
| [health_check](outputs.tf#L54) | Auto-created health-check resource. | |
| [health_check_id](outputs.tf#L59) | Auto-created health-check id. | |
| [health_check_self_link](outputs.tf#L64) | Auto-created health-check self link. | |
| [id](outputs.tf#L69) | Fully qualified forwarding rule id. | |
| [neg_ids](outputs.tf#L74) | Autogenerated network endpoint group ids. | |
| [service_attachment_id](outputs.tf#L81) | Id of the service attachment. | |
<!-- END TFDOC -->
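Review bot: the new `internet` object in `neg_configs` accepts `destination = string` for both FQDN and IP endpoints, selected by `use_fqdn` (default `true`), with nothing enforcing that an IP-mode destination is actually an address or that an FQDN-mode one is a hostname; a `validation` block on `neg_configs` in `variables.tf` checking the destination shape against `use_fqdn` (for example with `can(regex(...))`) would turn a mis-typed destination into a plan-time error instead of a failed apply. The `neg_configs` description could also state that internet NEGs are created in `vpc_config.network` and that their endpoints are destinations outside the VPC, which is a routing decision operators should see in the docs rather than discover from the resource names.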
4 changes: 4 additions & 0 deletions modules/net-lb-proxy-int/backend-service.tf
@@ -26,7 +26,11 @@ locals {
},
{
for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
},
{
for k, v in google_compute_region_network_endpoint_group.internet : k => v.id
}

)
}
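Review bot: there is a stray blank line between the new `internet` map and the closing parenthesis of `merge(...)`; drop it so the argument list reads consistently. Also worth a comment: `merge` is order-dependent, so if one `neg_configs` entry ever sets more than one NEG type, the `internet` id now silently wins over `psc` and the earlier maps; a short note, or a precondition that each entry defines exactly one type, would prevent a confusing backend swap.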

78 changes: 78 additions & 0 deletions modules/net-lb-proxy-int/main.tf
@@ -122,3 +122,81 @@ resource "google_compute_region_network_endpoint_group" "psc" {
network = each.value.psc.network
subnetwork = each.value.psc.subnetwork
}

# Internet NEG
locals {
_neg_endpoints_internet = flatten([
for k, v in local.neg_internet : [
for kk, vv in v.internet.endpoints : merge(vv, {
key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
})
]
])
neg_endpoints_internet = {
for v in local._neg_endpoints_internet : (v.key) => v
}
neg_internet = {
for k, v in var.neg_configs :
k => v if v.internet != null
}
}

resource "google_compute_region_network_endpoint_group" "internet" {
for_each = local.neg_internet
project = var.project_id
name = "${var.name}-${each.key}"
region = each.value.internet.region
# re-enable once provider properly supports this
# default_port = each.value.default_port
# description = coalesce(each.value.description, var.description)
network_endpoint_type = (
each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
)
network = var.vpc_config.network
}

resource "google_compute_region_network_endpoint" "internet" {
for_each = local.neg_endpoints_internet
project = (
google_compute_region_network_endpoint_group.internet[each.value.neg].project
)
region = each.value.region
region_network_endpoint_group = (
google_compute_region_network_endpoint_group.internet[each.value.neg].name
)
fqdn = each.value.use_fqdn ? each.value.destination : null
ip_address = each.value.use_fqdn ? null : each.value.destination
port = each.value.port
}

# PSC Procuder Service attachments
resource "google_compute_service_attachment" "default" {
count = var.service_attachment == null ? 0 : 1
project = var.project_id
region = var.region
name = var.name
description = var.description
target_service = google_compute_forwarding_rule.default.id
nat_subnets = var.service_attachment.nat_subnets
connection_preference = (
var.service_attachment.automatic_connection
? "ACCEPT_AUTOMATIC"
: "ACCEPT_MANUAL"
)
consumer_reject_lists = var.service_attachment.consumer_reject_lists
domain_names = (
var.service_attachment.domain_name == null
? null
: [var.service_attachment.domain_name]
)
enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
reconcile_connections = var.service_attachment.reconcile_connections
dynamic "consumer_accept_lists" {
for_each = var.service_attachment.consumer_accept_lists
iterator = accept
content {
project_id_or_num = accept.key
connection_limit = accept.value
}
}
}
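Review bot: `resource "google_compute_region_network_endpoint_group" "internet"` sets `project = var.project_id` and ignores the optional `project_id` that each `neg_configs` entry carries; use `coalesce(each.value.project_id, var.project_id)` (the dependent `google_compute_region_network_endpoint` already reads the group's `project`, so it picks this up automatically). The commented-out `default_port = each.value.default_port` and `description = coalesce(each.value.description, var.description)` reference attributes that do not exist on the `neg_configs` object, so they will not compile when uncommented; either point them at fields that exist or remove them. `google_compute_region_network_endpoint.internet` passes `each.value.destination` straight through as `fqdn` or `ip_address` with no validation, so a wrong `use_fqdn` only surfaces as an API error at apply time. In the service attachment block, fix the typo `Procuder` in the comment, and note that `automatic_connection = true` maps to `ACCEPT_AUTOMATIC`, which lets any consumer project connect to this forwarding rule; the `false` default is the safe one and the variable's documentation should say so.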
12 changes: 12 additions & 0 deletions modules/net-lb-proxy-int/outputs.tf
@@ -14,6 +14,11 @@
* limitations under the License.
*/

output "address" {
description = "Forwarding rule address."
value = google_compute_forwarding_rule.default.ip_address
}

output "backend_service" {
description = "Backend resource."
value = google_compute_region_backend_service.default
@@ -72,3 +77,10 @@ output "neg_ids" {
for k, v in google_compute_network_endpoint_group.default : k => v.id
}
}

output "service_attachment_id" {
description = "Id of the service attachment."
value = try(
google_compute_service_attachment.default[0].id, null
)
}
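Review bot: `neg_ids` still returns only `google_compute_network_endpoint_group.default`, so the internet (and psc) regional NEGs created in `main.tf` are not exported even though the description reads "Autogenerated network endpoint group ids"; merge the `internet` and `psc` ids here the same way `backend-service.tf` does, or document that only zonal NEGs are listed. `service_attachment_id` wrapped in `try(...[0].id, null)` works for a `count`-based resource; `one(google_compute_service_attachment.default[*].id)` expresses the same without swallowing unrelated errors.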

0 comments on commit 439e9a1