diff --git a/modules/net-ilb-l7/README.md b/modules/net-ilb-l7/README.md
index 330a9a5a5b..597d580c96 100644
--- a/modules/net-ilb-l7/README.md
+++ b/modules/net-ilb-l7/README.md
@@ -225,7 +225,9 @@ module "ilb-l7" {
# tftest modules=1 resources=5
```
-Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, and serverless NEGs:
+Similarly to instance groups, NEGs can also be managed by this module which supports GCE, hybrid, serverless and Private Service Connect NEGs:
+
+#### Zonal NEG creation
```hcl
resource "google_compute_address" "test" {
@@ -273,7 +275,7 @@ module "ilb-l7" {
# tftest modules=1 resources=8
```
-Hybrid NEGs are also supported:
+#### Hybrid NEG creation
```hcl
module "ilb-l7" {
@@ -307,7 +309,7 @@ module "ilb-l7" {
# tftest modules=1 resources=7
```
-As are serverless NEGs for Cloud Run:
+#### Serverless NEG creation
```hcl
module "ilb-l7" {
@@ -344,6 +346,39 @@ module "ilb-l7" {
# tftest modules=1 resources=5
```
+#### Private Service Connect NEG creation
+
+```hcl
+module "ilb-l7" {
+ source = "./fabric/modules/net-ilb-l7"
+ name = "ilb-test"
+ project_id = var.project_id
+ region = "europe-west1"
+ backend_service_configs = {
+ default = {
+ backends = [{
+ group = "my-neg"
+ }]
+ health_checks = []
+ }
+ }
+ health_check_configs = {}
+ neg_configs = {
+ my-neg = {
+ psc = {
+ region = "europe-west1"
+ target_service = "europe-west1-cloudkms.googleapis.com"
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }
+}
+# tftest modules=1 resources=5
+```
+
### URL Map
The module exposes the full URL map resource configuration, with some minor changes to the interface to decrease verbosity, and support for aliasing backend services via keys.
@@ -602,9 +637,9 @@ module "ilb-l7" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L54) | Load balancer name. | string
| ✓ | |
-| [project_id](variables.tf#L132) | Project id. | string
| ✓ | |
-| [region](variables.tf#L150) | The region where to allocate the ILB resources. | string
| ✓ | |
-| [vpc_config](variables.tf#L177) | VPC-level configuration. | object({…})
| ✓ | |
+| [project_id](variables.tf#L138) | Project id. | string
| ✓ | |
+| [region](variables.tf#L156) | The region where to allocate the ILB resources. | string
| ✓ | |
+| [vpc_config](variables.tf#L183) | VPC-level configuration. | object({…})
| ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string
| | null
|
| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…}))
| | {}
|
| [description](variables.tf#L23) | Optional description used for resources. | string
| | "Terraform managed."
|
@@ -612,12 +647,12 @@ module "ilb-l7" {
| [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
| [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…}))
| | {…}
|
| [labels](variables.tf#L48) | Labels set on resources. | map(string)
| | {}
|
-| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
-| [network_tier_premium](variables.tf#L119) | Use premium network tier. Defaults to true. | bool
| | true
|
-| [ports](variables.tf#L126) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string)
| | null
|
-| [protocol](variables.tf#L137) | Protocol supported by this load balancer. | string
| | "HTTP"
|
-| [service_directory_registration](variables.tf#L155) | Service directory namespace and service used to register this load balancer. | object({…})
| | null
|
-| [ssl_certificates](variables.tf#L164) | SSL target proxy certificates (only if protocol is HTTPS). | object({…})
| | {}
|
+| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
+| [network_tier_premium](variables.tf#L125) | Use premium network tier. Defaults to true. | bool
| | true
|
+| [ports](variables.tf#L132) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string)
| | null
|
+| [protocol](variables.tf#L143) | Protocol supported by this load balancer. | string
| | "HTTP"
|
+| [service_directory_registration](variables.tf#L161) | Service directory namespace and service used to register this load balancer. | object({…})
| | null
|
+| [ssl_certificates](variables.tf#L170) | SSL target proxy certificates (only if protocol is HTTPS). | object({…})
| | {}
|
| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…})
| | {…}
|
## Outputs
diff --git a/modules/net-ilb-l7/backend-service.tf b/modules/net-ilb-l7/backend-service.tf
index ea758835bd..669a291aff 100644
--- a/modules/net-ilb-l7/backend-service.tf
+++ b/modules/net-ilb-l7/backend-service.tf
@@ -26,6 +26,9 @@ locals {
},
{
for k, v in google_compute_region_network_endpoint_group.default : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
}
)
hc_ids = {
diff --git a/modules/net-ilb-l7/main.tf b/modules/net-ilb-l7/main.tf
index 2ca114aed8..9d5f71548b 100644
--- a/modules/net-ilb-l7/main.tf
+++ b/modules/net-ilb-l7/main.tf
@@ -49,6 +49,10 @@ locals {
zone = v.gce != null ? v.gce.zone : v.hybrid.zone
} if v.gce != null || v.hybrid != null
}
+ neg_regional_psc = {
+ for k, v in var.neg_configs :
+ k => v if v.psc != null
+ }
proxy_ssl_certificates = concat(
coalesce(var.ssl_certificates.certificate_ids, []),
[for k, v in google_compute_region_ssl_certificate.default : v.id]
@@ -187,3 +191,15 @@ resource "google_compute_region_network_endpoint_group" "default" {
url_mask = each.value.target_urlmask
}
}
+
+resource "google_compute_region_network_endpoint_group" "psc" {
+ for_each = local.neg_regional_psc
+ project = var.project_id
+ region = each.value.psc.region
+ name = "${var.name}-${each.key}"
+ //description = coalesce(each.value.description, var.description)
+ network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+ psc_target_service = each.value.psc.target_service
+ network = each.value.psc.network
+ subnetwork = each.value.psc.subnetwork
+}
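Review bot: `network` and `subnetwork` on the new `psc` resource are passed straight through from the optional `psc.network` / `psc.subnetwork` attributes, so a configuration like the README example that sets neither leaves both null; if I read the provider docs correctly, a PSC NEG with no network falls back to the project's default network rather than the VPC the load balancer is deployed in (`var.vpc_config.network`). Consider `network = coalesce(each.value.psc.network, var.vpc_config.network)` so the endpoint lands in the LB's network unless explicitly overridden, and decide whether `subnetwork` should follow `var.vpc_config.subnetwork` the same way. The commented-out `//description = coalesce(each.value.description, var.description)` line should either be enabled (the sibling `default` NEG resource presumably sets a description) or removed, and `#` is the comment style used elsewhere in these files. The `region` is taken from `psc.region` while the module already has `var.region`; if a regional NEG in another region cannot be attached to this LB, a defaulted `optional(string)` with `coalesce(each.value.psc.region, var.region)` would remove a redundant value from every caller.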
diff --git a/modules/net-ilb-l7/variables.tf b/modules/net-ilb-l7/variables.tf
index 09b3f7ac74..40158aca0f 100644
--- a/modules/net-ilb-l7/variables.tf
+++ b/modules/net-ilb-l7/variables.tf
@@ -90,7 +90,12 @@ variable "neg_configs" {
port = number
})))
}))
- # psc = optional(object({}))
+ psc = optional(object({
+ region = string
+ target_service = string
+ network = optional(string)
+ subnetwork = optional(string)
+ }))
}))
default = {}
nullable = false
@@ -99,7 +104,8 @@ variable "neg_configs" {
for k, v in var.neg_configs : (
(try(v.cloudrun, null) == null ? 0 : 1) +
(try(v.gce, null) == null ? 0 : 1) +
- (try(v.hybrid, null) == null ? 0 : 1) == 1
+ (try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.psc, null) == null ? 0 : 1) == 1
)
])
error_message = "Only one type of neg can be configured at a time."