diff --git a/modules/net-lb-app-ext-regional/README.md b/modules/net-lb-app-ext-regional/README.md
new file mode 100644
index 0000000000..1de3a82a63
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/README.md
@@ -0,0 +1,750 @@
+# External Regional Application Load Balancer Module
+
+This module allows managing External Regional HTTP/HTTPS Application Load Balancers. It's designed to expose the full configuration of the underlying resources, and to facilitate common usage patterns by providing sensible defaults, and optionally managing prerequisite resources like health checks, instance groups, etc.
+
+Due to the complexity of the underlying resources, changes to the configuration that involve recreation of resources are best applied in stages, starting by disabling the configuration in the urlmap that references the resources that need recreation, then doing the same for the backend service, etc.
+
+The variable space of this module closely mirrors that of [net-lb-app-ext](../net-lb-app-ext), with the exception of certain features not supported by the regional version. These unsupported features include GCS backends and Internet NEGs, among others. For a comprehensive overview of feature disparities, please consult the [load balancer feature comparison matrix](https://cloud.google.com/load-balancing/docs/features).
+
+## Examples
+
+
+- [Examples](#examples)
+ - [Minimal HTTP Example](#minimal-http-example)
+ - [Minimal HTTPS examples](#minimal-https-examples)
+ - [HTTP backends](#http-backends)
+ - [HTTPS backends](#https-backends)
+ - [HTTP to HTTPS redirect](#http-to-https-redirect)
+ - [Health Checks](#health-checks)
+ - [Backend Types and Management](#backend-types-and-management)
+ - [Instance Groups](#instance-groups)
+ - [Managed Instance Groups](#managed-instance-groups)
+ - [Zonal NEG creation](#zonal-neg-creation)
+ - [Hybrid NEG creation](#hybrid-neg-creation)
+ - [Private Service Connect NEG creation](#private-service-connect-neg-creation)
+ - [Serverless NEG creation](#serverless-neg-creation)
+ - [URL Map](#url-map)
+ - [Complex example](#complex-example)
+- [Files](#files)
+- [Variables](#variables)
+- [Outputs](#outputs)
+- [Fixtures](#fixtures)
+
+
+### Minimal HTTP Example
+
+An HTTP load balancer with a backend service pointing to a GCE instance group:
+
+```hcl
+module "glb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-mig-b.group.id },
+ { backend = module.compute-mig-c.group.id }
+ ]
+ }
+ }
+}
+# tftest modules=3 resources=9 fixtures=fixtures/compute-mig-bc.tf
+```
+
+### Minimal HTTPS examples
+
+#### HTTP backends
+
+An HTTPS load balancer needs a certificate and backends can be HTTP or HTTPS. Regional external application load balancers don't support managed certificates, so you have to provide the certificate and private key manually as shown below:
+
+```hcl
+resource "tls_private_key" "default" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "default" {
+ private_key_pem = tls_private_key.default.private_key_pem
+ subject {
+ common_name = "example.com"
+ organization = "ACME Examples, Inc"
+ }
+ validity_period_hours = 720
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-mig-b.group.id },
+ { backend = module.compute-mig-c.group.id }
+ ]
+ protocol = "HTTP"
+ }
+ }
+ protocol = "HTTPS"
+ ssl_certificates = {
+ create_configs = {
+ default = {
+ # certificate and key could also be read via file() from external files
+ certificate = tls_self_signed_cert.default.cert_pem
+ private_key = tls_private_key.default.private_key_pem
+ }
+ }
+ }
+}
+# tftest modules=3 resources=12 fixtures=fixtures/compute-mig-bc.tf
+```
+
+#### HTTPS backends
+
+For HTTPS backends the backend service protocol needs to be set to `HTTPS`. The port name if omitted is inferred from the protocol, in this case it is set internally to `https`. The health check also needs to be set to https. This is a complete example:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-mig-b.group.id },
+ { backend = module.compute-mig-c.group.id }
+ ]
+ protocol = "HTTPS"
+ }
+ }
+ health_check_configs = {
+ default = {
+ https = {
+ port_specification = "USE_SERVING_PORT"
+ }
+ }
+ }
+ protocol = "HTTPS"
+ ssl_certificates = {
+ create_configs = {
+ default = {
+ certificate = tls_self_signed_cert.default.cert_pem
+ private_key = tls_private_key.default.private_key_pem
+ }
+ }
+ }
+}
+# tftest modules=3 resources=12 fixtures=fixtures/ssl-certificate.tf,fixtures/compute-mig-bc.tf
+```
+
+#### HTTP to HTTPS redirect
+
+Redirect is implemented via an additional HTTP load balancer with a custom URL map, similarly to how it's done via the GCP Console. The address shared by the two load balancers needs to be reserved.
+
+```hcl
+module "addresses" {
+ source = "./fabric/modules/net-address"
+ project_id = var.project_id
+ global_addresses = {
+ "ralb-test-0" = {}
+ }
+}
+
+module "ralb-test-0-redirect" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0-redirect"
+ vpc = var.vpc.self_link
+ region = var.region
+ address = (
+ module.addresses.global_addresses["ralb-test-0"].address
+ )
+ health_check_configs = {}
+ urlmap_config = {
+ description = "URL redirect for ralb-test-0."
+ default_url_redirect = {
+ https = true
+ response_code = "MOVED_PERMANENTLY_DEFAULT"
+ }
+ }
+}
+
+module "ralb-test-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ address = (
+ module.addresses.global_addresses["ralb-test-0"].address
+ )
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.compute-mig-b.group.id },
+ ]
+ protocol = "HTTP"
+ }
+ }
+ protocol = "HTTPS"
+ ssl_certificates = {
+ create_configs = {
+ default = {
+ certificate = tls_self_signed_cert.default.cert_pem
+ private_key = tls_private_key.default.private_key_pem
+ }
+ }
+ }
+}
+
+# tftest modules=5 resources=16 fixtures=fixtures/ssl-certificate.tf,fixtures/compute-mig-bc.tf
+```
+
+### Health Checks
+
+You can leverage externally defined health checks for backend services, or have the module create them for you.
+
+By default a simple HTTP health check named `default` is created and used in backend services. If you need to override the default, simply define your own health check using the same key (`default`). For more complex configurations you can define your own health checks and reference them via keys in the backend service configurations.
+
+Health checks created by this module are controlled via the `health_check_configs` variable, which behaves in a similar way to other LB modules in this repository. This is an example that overrides the default health check configuration using a TCP health check:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [{
+ backend = module.compute-mig-b.group.id
+ }]
+ # no need to reference the hc explicitly when using the `default` key
+ # health_checks = ["default"]
+ }
+ }
+ health_check_configs = {
+ default = {
+ tcp = { port = 80 }
+ }
+ }
+}
+# tftest modules=3 resources=9 fixtures=fixtures/compute-mig-bc.tf
+```
+
+To leverage existing health checks without having the module create them, simply pass their self links to backend services and set the `health_check_configs` variable to an empty map:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [{
+ backend = module.compute-mig-b.group.id
+ }]
+ health_checks = ["projects/${var.project_id}/global/healthChecks/custom"]
+ }
+ }
+ health_check_configs = {}
+}
+# tftest modules=3 resources=8 fixtures=fixtures/compute-mig-bc.tf
+```
+
+### Backend Types and Management
+
+#### Instance Groups
+
+The module can optionally create unmanaged instance groups, which can then be referred to in backends via their key. This is the simple HTTP example above but with instance group creation managed by the module:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = "default-b" }
+ ]
+ }
+ }
+ group_configs = {
+ default-b = {
+ zone = "${var.region}-b"
+ instances = [
+ module.compute-mig-b.id
+ ]
+ named_ports = { http = 80 }
+ }
+ }
+}
+# tftest modules=3 resources=10 fixtures=fixtures/compute-mig-bc.tf
+```
+
+#### Managed Instance Groups
+
+This example shows how to use the module with a manage instance group as backend:
+
+```hcl
+module "win-template" {
+ source = "./fabric/modules/compute-vm"
+ project_id = var.project_id
+ zone = "${var.region}-a"
+ name = "win-template"
+ instance_type = "n2d-standard-2"
+ create_template = true
+ boot_disk = {
+ initialize_params = {
+ image = "projects/windows-cloud/global/images/windows-server-2019-dc-v20221214"
+ size = 70
+ }
+ }
+ network_interfaces = [{
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ nat = false
+ addresses = null
+ }]
+}
+
+module "win-mig" {
+ source = "./fabric/modules/compute-mig"
+ project_id = var.project_id
+ location = "${var.region}-a"
+ name = "win-mig"
+ instance_template = module.win-template.template.self_link
+ autoscaler_config = {
+ max_replicas = 3
+ min_replicas = 1
+ cooldown_period = 30
+ scaling_signals = {
+ cpu_utilization = {
+ target = 0.80
+ }
+ }
+ }
+ named_ports = {
+ http = 80
+ }
+}
+
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = module.win-mig.group_manager.instance_group }
+ ]
+ }
+ }
+}
+# tftest modules=3 resources=8
+```
+
+#### Zonal NEG creation
+
+Supported Network Endpoint Groups (NEGs) can also be used as backends. Similarly to groups, you can pass a self link for existing NEGs or have the module manage them for you.
+
+This example shows how to create and manage zonal NEGs using GCE VMs as endpoints:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ {
+ backend = "neg-0"
+ balancing_mode = "RATE"
+ max_rate = { per_endpoint = 10 }
+ }
+ ]
+ }
+ }
+ neg_configs = {
+ neg-0 = {
+ gce = {
+ network = "projects/myprj-host/global/networks/svpc"
+ subnetwork = "projects/myprj-host/regions/europe-west8/subnetworks/gce"
+ zone = "${var.region}-b"
+ endpoints = {
+ e-0 = {
+ instance = "my-ig-b"
+ ip_address = module.compute-mig-b.internal_ip
+ port = 80
+ }
+ }
+ }
+ }
+ }
+}
+# tftest modules=3 resources=11 fixtures=fixtures/compute-mig-bc.tf
+```
+
+#### Hybrid NEG creation
+
+This example shows how to create and manage hybrid NEGs:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ {
+ backend = "neg-0"
+ balancing_mode = "RATE"
+ max_rate = { per_endpoint = 10 }
+ }
+ ]
+ }
+ }
+ neg_configs = {
+ neg-0 = {
+ hybrid = {
+ network = "projects/myprj-host/global/networks/svpc"
+ zone = "${var.region}-b"
+ endpoints = {
+ e-0 = {
+ ip_address = "10.0.0.10"
+ port = 80
+ }
+ }
+ }
+ }
+ }
+}
+# tftest modules=1 resources=7
+```
+
+#### Private Service Connect NEG creation
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = "neg-0" }
+ ]
+ health_checks = []
+ }
+ }
+ # with a single PSC NEG the implied default health check is not needed
+ health_check_configs = {}
+ neg_configs = {
+ neg-0 = {
+ psc = {
+ region = var.region
+ target_service = "${var.region}-cloudkms.googleapis.com"
+ }
+ }
+ }
+}
+# tftest modules=1 resources=5
+```
+
+#### Serverless NEG creation
+
+The module supports managing Serverless NEGs for Cloud Run and Cloud Function. This is an example of a Cloud Run NEG:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = "neg-0" }
+ ]
+ health_checks = []
+ }
+ }
+ # with a single serverless NEG the implied default health check is not needed
+ health_check_configs = {}
+ neg_configs = {
+ neg-0 = {
+ cloudrun = {
+ region = var.region
+ target_service = {
+ name = "hello"
+ }
+ }
+ }
+ }
+}
+# tftest modules=1 resources=5
+```
+
+### URL Map
+
+The module exposes the full URL map resource configuration, with some minor changes to the interface to decrease verbosity, and support for aliasing backend services via keys.
+
+The default URL map configuration sets the `default` backend service as the default service for the load balancer as a convenience. Just override the `urlmap_config` variable to change the default behaviour:
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [{
+ backend = module.compute-mig-b.group.id
+ }]
+ }
+ other = {
+ backends = [{
+ backend = module.compute-mig-c.group.id
+ }]
+ }
+ }
+ urlmap_config = {
+ default_service = "default"
+ host_rules = [{
+ hosts = ["*"]
+ path_matcher = "pathmap"
+ }]
+ path_matchers = {
+ pathmap = {
+ default_service = "default"
+ path_rules = [{
+ paths = ["/other", "/other/*"]
+ service = "other"
+ }]
+ }
+ }
+ }
+}
+
+# tftest modules=3 resources=10 fixtures=fixtures/compute-mig-bc.tf
+```
+
+### Complex example
+
+This example mixes group and NEG backends, and shows how to set HTTPS for specific backends.
+
+```hcl
+module "ralb-0" {
+ source = "./fabric/modules/net-lb-app-ext-regional"
+ project_id = var.project_id
+ name = "ralb-test-0"
+ vpc = var.vpc.self_link
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { backend = "group-zone-b" },
+ { backend = "group-zone-c" },
+ ]
+ }
+ neg-gce-0 = {
+ backends = [{
+ balancing_mode = "RATE"
+ backend = "neg-zone-c"
+ max_rate = { per_endpoint = 10 }
+ }]
+ }
+ neg-hybrid-0 = {
+ backends = [{
+ balancing_mode = "RATE"
+ backend = "neg-hello"
+ max_rate = { per_endpoint = 10 }
+ }]
+ health_checks = ["neg"]
+ protocol = "HTTPS"
+ }
+ }
+ group_configs = {
+ group-zone-b = {
+ zone = "${var.region}-b"
+ instances = [
+ module.compute-mig-b.id
+ ]
+ named_ports = { http = 80 }
+ }
+ group-zone-c = {
+ zone = "${var.region}-c"
+ instances = [
+ module.compute-mig-c.id
+ ]
+ named_ports = { http = 80 }
+ }
+ }
+ health_check_configs = {
+ default = {
+ http = {
+ port = 80
+ }
+ }
+ neg = {
+ https = {
+ host = "hello.example.com"
+ port = 443
+ }
+ }
+ }
+ neg_configs = {
+ neg-zone-c = {
+ gce = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ zone = "${var.region}-c"
+ endpoints = {
+ e-0 = {
+ instance = "my-ig-c"
+ ip_address = module.compute-mig-c.internal_ip
+ port = 80
+ }
+ }
+ }
+ }
+ neg-hello = {
+ hybrid = {
+ network = var.vpc.self_link
+ zone = "${var.region}-b"
+ endpoints = {
+ e-0 = {
+ ip_address = "192.168.0.3"
+ port = 443
+ }
+ }
+ }
+ }
+ }
+ urlmap_config = {
+ default_service = "default"
+ host_rules = [
+ {
+ hosts = ["*"]
+ path_matcher = "gce"
+ },
+ {
+ hosts = ["hello.example.com"]
+ path_matcher = "hello"
+ },
+ {
+ hosts = ["static.example.com"]
+ path_matcher = "static"
+ }
+ ]
+ path_matchers = {
+ gce = {
+ default_service = "default"
+ path_rules = [
+ {
+ paths = ["/gce-neg", "/gce-neg/*"]
+ service = "neg-gce-0"
+ }
+ ]
+ }
+ hello = {
+ default_service = "neg-hybrid-0"
+ }
+ static = {
+ default_service = "neg-gce-0"
+ }
+ }
+ }
+}
+# tftest modules=3 resources=18 fixtures=fixtures/compute-mig-bc.tf
+```
+
+
+
+## Files
+
+| name | description | resources |
+|---|---|---|
+| [backend-service.tf](./backend-service.tf) | Backend service resources. | google_compute_region_backend_service |
+| [groups.tf](./groups.tf) | None | google_compute_instance_group |
+| [health-check.tf](./health-check.tf) | Health check resource. | google_compute_region_health_check |
+| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule · google_compute_region_ssl_certificate · google_compute_region_target_http_proxy · google_compute_region_target_https_proxy |
+| [negs.tf](./negs.tf) | NEG resources. | google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint_group |
+| [outputs.tf](./outputs.tf) | Module outputs. | |
+| [urlmap.tf](./urlmap.tf) | URL map resources. | google_compute_region_url_map |
+| [variables-backend-service.tf](./variables-backend-service.tf) | Backend services variables. | |
+| [variables-health-check.tf](./variables-health-check.tf) | Health check variable. | |
+| [variables-urlmap.tf](./variables-urlmap.tf) | URLmap variable. | |
+| [variables.tf](./variables.tf) | Module variables. | |
+| [versions.tf](./versions.tf) | Version pins. | |
+
+## Variables
+
+| name | description | type | required | default |
+|---|---|:---:|:---:|:---:|
+| [name](variables.tf#L58) | Load balancer name. | string | ✓ | |
+| [project_id](variables.tf#L150) | Project id. | string | ✓ | |
+| [region](variables.tf#L168) | Region where the load balancer is created. | string | ✓ | |
+| [vpc](variables.tf#L187) | VPC-level configuration. | string | ✓ | |
+| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null |
+| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
+| [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." |
+| [group_configs](variables.tf#L29) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
+| [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} |
+| [https_proxy_config](variables.tf#L41) | HTTPS proxy connfiguration. | object({…}) | | {} |
+| [labels](variables.tf#L52) | Labels set on resources. | map(string) | | {} |
+| [neg_configs](variables.tf#L63) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
+| [ports](variables.tf#L144) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null |
+| [protocol](variables.tf#L155) | Protocol supported by this load balancer. | string | | "HTTP" |
+| [ssl_certificates](variables.tf#L173) | SSL target proxy certificates (only if protocol is HTTPS) for existing, custom, and managed certificates. | object({…}) | | {} |
+| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} |
+
+## Outputs
+
+| name | description | sensitive |
+|---|---|:---:|
+| [address](outputs.tf#L17) | Forwarding rule address. | |
+| [backend_service_ids](outputs.tf#L22) | Backend service resources. | |
+| [backend_service_names](outputs.tf#L29) | Backend service resource names. | |
+| [forwarding_rule](outputs.tf#L36) | Forwarding rule resource. | |
+| [group_ids](outputs.tf#L41) | Autogenerated instance group ids. | |
+| [health_check_ids](outputs.tf#L48) | Autogenerated health check ids. | |
+| [id](outputs.tf#L55) | Fully qualified forwarding rule id. | |
+| [neg_ids](outputs.tf#L60) | Autogenerated network endpoint group ids. | |
+
+## Fixtures
+
+- [compute-mig-bc.tf](../../tests/fixtures/compute-mig-bc.tf)
+- [ssl-certificate.tf](../../tests/fixtures/ssl-certificate.tf)
+
diff --git a/modules/net-lb-app-ext-regional/backend-service.tf b/modules/net-lb-app-ext-regional/backend-service.tf
new file mode 100644
index 0000000000..f594d6e416
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/backend-service.tf
@@ -0,0 +1,249 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Backend service resources.
+
+locals {
+ group_ids = merge(
+ {
+ for k, v in google_compute_instance_group.default : k => v.id
+ },
+ {
+ for k, v in google_compute_network_endpoint_group.default : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint_group.serverless : k => v.id
+ }
+ )
+ hc_ids = {
+ for k, v in google_compute_region_health_check.default : k => v.id
+ }
+}
+
+# TODO(jccb): add security_policy block
+# TODO(jccb): add connection_tracking_policy block
+
+resource "google_compute_region_backend_service" "default" {
+ provider = google-beta
+ for_each = var.backend_service_configs
+ project = (
+ each.value.project_id == null
+ ? var.project_id
+ : each.value.project_id
+ )
+ name = "${var.name}-${each.key}"
+ region = var.region
+ description = var.description
+ affinity_cookie_ttl_sec = each.value.affinity_cookie_ttl_sec
+ connection_draining_timeout_sec = each.value.connection_draining_timeout_sec
+ enable_cdn = each.value.enable_cdn
+ health_checks = length(each.value.health_checks) == 0 ? null : [
+ for k in each.value.health_checks : lookup(local.hc_ids, k, k)
+ ]
+ # external regional load balancer is always EXTERNAL_MANAGER.
+ # TODO(jccb): double check if this is true
+ load_balancing_scheme = "EXTERNAL_MANAGED"
+ #TODO(jccb): add locality_lb_policy with MAGLEV and WEIGHTED_MAGLEV when scheme EXTERNAL
+ port_name = (
+ each.value.port_name == null
+ ? lower(each.value.protocol == null ? var.protocol : each.value.protocol)
+ : each.value.port_name
+ )
+ protocol = (
+ each.value.protocol == null ? var.protocol : each.value.protocol
+ )
+ session_affinity = each.value.session_affinity
+ timeout_sec = each.value.timeout_sec
+
+ dynamic "backend" {
+ for_each = { for b in coalesce(each.value.backends, []) : b.backend => b }
+ content {
+ group = lookup(local.group_ids, backend.key, backend.key)
+ balancing_mode = backend.value.balancing_mode # UTILIZATION, RATE
+ capacity_scaler = backend.value.capacity_scaler
+ description = backend.value.description
+ max_connections = try(
+ backend.value.max_connections.per_group, null
+ )
+ max_connections_per_endpoint = try(
+ backend.value.max_connections.per_endpoint, null
+ )
+ max_connections_per_instance = try(
+ backend.value.max_connections.per_instance, null
+ )
+ max_rate = try(
+ backend.value.max_rate.per_group, null
+ )
+ max_rate_per_endpoint = try(
+ backend.value.max_rate.per_endpoint, null
+ )
+ max_rate_per_instance = try(
+ backend.value.max_rate.per_instance, null
+ )
+ max_utilization = backend.value.max_utilization
+ }
+ }
+
+ dynamic "cdn_policy" {
+ for_each = (
+ each.value.cdn_policy == null ? [] : [each.value.cdn_policy]
+ )
+ iterator = cdn
+ content {
+ cache_mode = cdn.value.cache_mode
+ client_ttl = cdn.value.client_ttl
+ default_ttl = cdn.value.default_ttl
+ max_ttl = cdn.value.max_ttl
+ negative_caching = cdn.value.negative_caching
+ serve_while_stale = cdn.value.serve_while_stale
+ signed_url_cache_max_age_sec = cdn.value.signed_url_cache_max_age_sec
+ dynamic "cache_key_policy" {
+ for_each = (
+ cdn.value.cache_key_policy == null
+ ? []
+ : [cdn.value.cache_key_policy]
+ )
+ iterator = ck
+ content {
+ include_host = ck.value.include_host
+ include_named_cookies = ck.value.include_named_cookies
+ include_protocol = ck.value.include_protocol
+ include_query_string = ck.value.include_query_string
+ query_string_blacklist = ck.value.query_string_blacklist
+ query_string_whitelist = ck.value.query_string_whitelist
+ }
+ }
+ dynamic "negative_caching_policy" {
+ for_each = (
+ cdn.value.negative_caching_policy == null
+ ? []
+ : [cdn.value.negative_caching_policy]
+ )
+ iterator = nc
+ content {
+ code = nc.value.code
+ ttl = nc.value.ttl
+ }
+ }
+ }
+ }
+
+ dynamic "circuit_breakers" {
+ for_each = (
+ each.value.circuit_breakers == null ? [] : [each.value.circuit_breakers]
+ )
+ iterator = cb
+ content {
+ max_connections = cb.value.max_connections
+ max_pending_requests = cb.value.max_pending_requests
+ max_requests = cb.value.max_requests
+ max_requests_per_connection = cb.value.max_requests_per_connection
+ max_retries = cb.value.max_retries
+ dynamic "connect_timeout" {
+ for_each = (
+ cb.value.connect_timeout == null ? [] : [cb.value.connect_timeout]
+ )
+ content {
+ seconds = connect_timeout.value.seconds
+ nanos = connect_timeout.value.nanos
+ }
+ }
+ }
+ }
+
+ dynamic "consistent_hash" {
+ for_each = (
+ each.value.consistent_hash == null ? [] : [each.value.consistent_hash]
+ )
+ iterator = ch
+ content {
+ http_header_name = ch.value.http_header_name
+ minimum_ring_size = ch.value.minimum_ring_size
+ dynamic "http_cookie" {
+ for_each = ch.value.http_cookie == null ? [] : [ch.value.http_cookie]
+ content {
+ name = http_cookie.value.name
+ path = http_cookie.value.path
+ dynamic "ttl" {
+ for_each = (
+ http_cookie.value.ttl == null ? [] : [http_cookie.value.ttl]
+ )
+ content {
+ seconds = ttl.value.seconds
+ nanos = ttl.value.nanos
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "iap" {
+ for_each = each.value.iap_config == null ? [] : [each.value.iap_config]
+ content {
+ oauth2_client_id = iap.value.oauth2_client_id
+ oauth2_client_secret = iap.value.oauth2_client_secret
+ oauth2_client_secret_sha256 = iap.value.oauth2_client_secret_sha256
+ }
+ }
+
+ dynamic "log_config" {
+ for_each = each.value.log_sample_rate == null ? [] : [""]
+ content {
+ enable = true
+ sample_rate = each.value.log_sample_rate
+ }
+ }
+
+ dynamic "outlier_detection" {
+ for_each = (
+ each.value.outlier_detection == null ? [] : [each.value.outlier_detection]
+ )
+ iterator = od
+ content {
+ consecutive_errors = od.value.consecutive_errors
+ consecutive_gateway_failure = od.value.consecutive_gateway_failure
+ enforcing_consecutive_errors = od.value.enforcing_consecutive_errors
+ enforcing_consecutive_gateway_failure = od.value.enforcing_consecutive_gateway_failure
+ enforcing_success_rate = od.value.enforcing_success_rate
+ max_ejection_percent = od.value.max_ejection_percent
+ success_rate_minimum_hosts = od.value.success_rate_minimum_hosts
+ success_rate_request_volume = od.value.success_rate_request_volume
+ success_rate_stdev_factor = od.value.success_rate_stdev_factor
+ dynamic "base_ejection_time" {
+ for_each = (
+ od.value.base_ejection_time == null ? [] : [od.value.base_ejection_time]
+ )
+ content {
+ seconds = base_ejection_time.value.seconds
+ nanos = base_ejection_time.value.nanos
+ }
+ }
+ dynamic "interval" {
+ for_each = (
+ od.value.interval == null ? [] : [od.value.interval]
+ )
+ content {
+ seconds = interval.value.seconds
+ nanos = interval.value.nanos
+ }
+ }
+ }
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/groups.tf b/modules/net-lb-app-ext-regional/groups.tf
new file mode 100644
index 0000000000..285ca79a3a
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/groups.tf
@@ -0,0 +1,36 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+resource "google_compute_instance_group" "default" {
+ for_each = var.group_configs
+ project = (
+ each.value.project_id == null
+ ? var.project_id
+ : each.value.project_id
+ )
+ zone = each.value.zone
+ name = "${var.name}-${each.key}"
+ description = var.description
+ instances = each.value.instances
+
+ dynamic "named_port" {
+ for_each = each.value.named_ports
+ content {
+ name = named_port.key
+ port = named_port.value
+ }
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/health-check.tf b/modules/net-lb-app-ext-regional/health-check.tf
new file mode 100644
index 0000000000..f7dc9c178f
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/health-check.tf
@@ -0,0 +1,114 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Health check resource.
+
+resource "google_compute_region_health_check" "default" {
+ provider = google-beta
+ for_each = var.health_check_configs
+ project = (
+ each.value.project_id == null
+ ? var.project_id
+ : each.value.project_id
+ )
+ name = "${var.name}-${each.key}"
+ region = var.region
+ description = each.value.description
+ check_interval_sec = each.value.check_interval_sec
+ healthy_threshold = each.value.healthy_threshold
+ timeout_sec = each.value.timeout_sec
+ unhealthy_threshold = each.value.unhealthy_threshold
+
+ dynamic "grpc_health_check" {
+ for_each = try(each.value.grpc, null) != null ? [""] : []
+ content {
+ port = each.value.grpc.port
+ port_name = each.value.grpc.port_name
+ port_specification = each.value.grpc.port_specification
+ grpc_service_name = each.value.grpc.service_name
+ }
+ }
+
+ dynamic "http_health_check" {
+ for_each = try(each.value.http, null) != null ? [""] : []
+ content {
+ host = each.value.http.host
+ port = each.value.http.port
+ port_name = each.value.http.port_name
+ port_specification = each.value.http.port_specification
+ proxy_header = each.value.http.proxy_header
+ request_path = each.value.http.request_path
+ response = each.value.http.response
+ }
+ }
+
+ dynamic "http2_health_check" {
+ for_each = try(each.value.http2, null) != null ? [""] : []
+ content {
+ host = each.value.http2.host
+ port = each.value.http2.port
+ port_name = each.value.http2.port_name
+ port_specification = each.value.http2.port_specification
+ proxy_header = each.value.http2.proxy_header
+ request_path = each.value.http2.request_path
+ response = each.value.http2.response
+ }
+ }
+
+ dynamic "https_health_check" {
+ for_each = try(each.value.https, null) != null ? [""] : []
+ content {
+ host = each.value.https.host
+ port = each.value.https.port
+ port_name = each.value.https.port_name
+ port_specification = each.value.https.port_specification
+ proxy_header = each.value.https.proxy_header
+ request_path = each.value.https.request_path
+ response = each.value.https.response
+ }
+ }
+
+ dynamic "ssl_health_check" {
+ for_each = try(each.value.ssl, null) != null ? [""] : []
+ content {
+ port = each.value.ssl.port
+ port_name = each.value.ssl.port_name
+ port_specification = each.value.ssl.port_specification
+ proxy_header = each.value.ssl.proxy_header
+ request = each.value.ssl.request
+ response = each.value.ssl.response
+ }
+ }
+
+ dynamic "tcp_health_check" {
+ for_each = try(each.value.tcp, null) != null ? [""] : []
+ content {
+ port = each.value.tcp.port
+ port_name = each.value.tcp.port_name
+ port_specification = each.value.tcp.port_specification
+ proxy_header = each.value.tcp.proxy_header
+ request = each.value.tcp.request
+ response = each.value.tcp.response
+ }
+ }
+
+ dynamic "log_config" {
+ for_each = try(each.value.enable_logging, null) == true ? [""] : []
+ content {
+ enable = true
+ }
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/main.tf b/modules/net-lb-app-ext-regional/main.tf
new file mode 100644
index 0000000000..dfabdd7528
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/main.tf
@@ -0,0 +1,87 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+locals {
+ fwd_rule_ports = (
+ var.protocol == "HTTPS" ? [443] : coalesce(var.ports, [80])
+ )
+ fwd_rule_target = (
+ var.protocol == "HTTPS"
+ ? google_compute_region_target_https_proxy.default.0.id
+ : google_compute_region_target_http_proxy.default.0.id
+ )
+ proxy_ssl_certificates = concat(
+ coalesce(var.ssl_certificates.certificate_ids, []),
+ [for k, v in google_compute_region_ssl_certificate.default : v.id],
+ )
+}
+
+resource "google_compute_forwarding_rule" "default" {
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ region = var.region
+ description = var.description
+ ip_address = var.address
+ ip_protocol = "TCP"
+ # external regional load balancer is always EXTERNAL_MANAGER.
+ # TODO(jccb): double check if this is true
+ load_balancing_scheme = "EXTERNAL_MANAGED"
+ port_range = join(",", local.fwd_rule_ports)
+ labels = var.labels
+ target = local.fwd_rule_target
+ network = var.vpc
+ # external regional app lb only supports standard tier
+ network_tier = "STANDARD"
+}
+
+# certificates
+
+resource "google_compute_region_ssl_certificate" "default" {
+ for_each = var.ssl_certificates.create_configs
+ project = var.project_id
+ name = "${var.name}-${each.key}"
+ region = var.region
+ certificate = trimspace(each.value.certificate)
+ private_key = trimspace(each.value.private_key)
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+# proxies
+
+resource "google_compute_region_target_http_proxy" "default" {
+ count = var.protocol == "HTTPS" ? 0 : 1
+ project = var.project_id
+ region = var.region
+ name = var.name
+ description = var.description
+ url_map = google_compute_region_url_map.default.id
+}
+
+resource "google_compute_region_target_https_proxy" "default" {
+ count = var.protocol == "HTTPS" ? 1 : 0
+ project = var.project_id
+ name = var.name
+ region = var.region
+ description = var.description
+ # certificate_map = var.https_proxy_config.certificate_map
+ # quic_override = var.https_proxy_config.quic_override
+ ssl_certificates = local.proxy_ssl_certificates
+ ssl_policy = var.https_proxy_config.ssl_policy
+ url_map = google_compute_region_url_map.default.id
+}
diff --git a/modules/net-lb-app-ext-regional/negs.tf b/modules/net-lb-app-ext-regional/negs.tf
new file mode 100644
index 0000000000..5fbf71bcf2
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/negs.tf
@@ -0,0 +1,118 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description NEG resources.
+
+locals {
+ _neg_endpoints_zonal = flatten([
+ for k, v in local.neg_zonal : [
+ for kk, vv in v.endpoints : merge(vv, {
+ key = "${k}-${kk}", neg = k, zone = v.zone
+ })
+ ]
+ ])
+ neg_endpoints_zonal = {
+ for v in local._neg_endpoints_zonal : (v.key) => v
+ }
+ neg_regional_psc = {
+ for k, v in var.neg_configs :
+ k => v if v.psc != null
+ }
+ neg_regional_serverless = {
+ for k, v in var.neg_configs :
+ k => v if v.cloudrun != null || v.cloudfunction != null
+ }
+ neg_zonal = {
+ # we need to rebuild new objects as we cannot merge different types
+ for k, v in var.neg_configs : k => {
+ description = v.description
+ endpoints = v.gce != null ? v.gce.endpoints : v.hybrid.endpoints
+ network = v.gce != null ? v.gce.network : v.hybrid.network
+ subnetwork = v.gce != null ? v.gce.subnetwork : null
+ type = v.gce != null ? "GCE_VM_IP_PORT" : "NON_GCP_PRIVATE_IP_PORT"
+ zone = v.gce != null ? v.gce.zone : v.hybrid.zone
+ } if v.gce != null || v.hybrid != null
+ }
+}
+
+resource "google_compute_network_endpoint_group" "default" {
+ for_each = local.neg_zonal
+ project = var.project_id
+ zone = each.value.zone
+ name = "${var.name}-${each.key}"
+ # re-enable once provider properly supports this
+ # default_port = each.value.default_port
+ description = coalesce(each.value.description, var.description)
+ network_endpoint_type = each.value.type
+ network = each.value.network
+ subnetwork = (
+ each.value.type == "NON_GCP_PRIVATE_IP_PORT"
+ ? null
+ : each.value.subnetwork
+ )
+}
+
+resource "google_compute_network_endpoint" "default" {
+ for_each = local.neg_endpoints_zonal
+ project = (
+ google_compute_network_endpoint_group.default[each.value.neg].project
+ )
+ network_endpoint_group = (
+ google_compute_network_endpoint_group.default[each.value.neg].name
+ )
+ instance = try(each.value.instance, null)
+ ip_address = each.value.ip_address
+ port = each.value.port
+ zone = each.value.zone
+}
+
+resource "google_compute_region_network_endpoint_group" "psc" {
+ for_each = local.neg_regional_psc
+ project = var.project_id
+ region = each.value.psc.region
+ name = "${var.name}-${each.key}"
+ description = coalesce(each.value.description, var.description)
+ network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
+ psc_target_service = each.value.psc.target_service
+ network = each.value.psc.network
+ subnetwork = each.value.psc.subnetwork
+}
+
+resource "google_compute_region_network_endpoint_group" "serverless" {
+ for_each = local.neg_regional_serverless
+ project = var.project_id
+ region = try(
+ each.value.cloudrun.region, each.value.cloudfunction.region, null
+ )
+ name = "${var.name}-${each.key}"
+ description = coalesce(each.value.description, var.description)
+ network_endpoint_type = "SERVERLESS"
+ dynamic "cloud_function" {
+ for_each = each.value.cloudfunction == null ? [] : [""]
+ content {
+ function = each.value.cloudfunction.target_function
+ url_mask = each.value.cloudfunction.target_urlmask
+ }
+ }
+ dynamic "cloud_run" {
+ for_each = each.value.cloudrun == null ? [] : [""]
+ content {
+ service = try(each.value.cloudrun.target_service.name, null)
+ tag = try(each.value.cloudrun.target_service.tag, null)
+ url_mask = each.value.cloudrun.target_urlmask
+ }
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/outputs.tf b/modules/net-lb-app-ext-regional/outputs.tf
new file mode 100644
index 0000000000..dc1824be2b
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/outputs.tf
@@ -0,0 +1,65 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "address" {
+ description = "Forwarding rule address."
+ value = google_compute_forwarding_rule.default.ip_address
+}
+
+output "backend_service_ids" {
+ description = "Backend service resources."
+ value = {
+ for k, v in google_compute_region_backend_service.default : k => v.id
+ }
+}
+
+output "backend_service_names" {
+ description = "Backend service resource names."
+ value = {
+ for k, v in google_compute_region_backend_service.default : k => v.name
+ }
+}
+
+output "forwarding_rule" {
+ description = "Forwarding rule resource."
+ value = google_compute_forwarding_rule.default
+}
+
+output "group_ids" {
+ description = "Autogenerated instance group ids."
+ value = {
+ for k, v in google_compute_instance_group.default : k => v.id
+ }
+}
+
+output "health_check_ids" {
+ description = "Autogenerated health check ids."
+ value = {
+ for k, v in google_compute_region_health_check.default : k => v.id
+ }
+}
+
+output "id" {
+ description = "Fully qualified forwarding rule id."
+ value = google_compute_forwarding_rule.default.id
+}
+
+output "neg_ids" {
+ description = "Autogenerated network endpoint group ids."
+ value = {
+ for k, v in google_compute_network_endpoint_group.default : k => v.id
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/urlmap.tf b/modules/net-lb-app-ext-regional/urlmap.tf
new file mode 100644
index 0000000000..2cc7abdede
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/urlmap.tf
@@ -0,0 +1,736 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description URL map resources.
+
+locals {
+ backend_ids = merge(
+ { for k, v in google_compute_region_backend_service.default : k => v.id },
+ )
+}
+
+resource "google_compute_region_url_map" "default" {
+ provider = google-beta
+ project = var.project_id
+ name = var.name
+ region = var.region
+ description = var.description
+ default_service = (
+ var.urlmap_config.default_service == null ? null : lookup(
+ local.backend_ids,
+ var.urlmap_config.default_service,
+ var.urlmap_config.default_service
+ )
+ )
+
+ dynamic "default_route_action" {
+ for_each = (
+ var.urlmap_config.default_route_action == null
+ ? []
+ : [var.urlmap_config.default_route_action]
+ )
+ iterator = route_action
+ content {
+ dynamic "cors_policy" {
+ for_each = (
+ route_action.value.cors_policy == null
+ ? []
+ : [route_action.value.cors_policy]
+ )
+ content {
+ allow_credentials = cors_policy.value.allow_credentials
+ allow_headers = cors_policy.value.allow_headers
+ allow_methods = cors_policy.value.allow_methods
+ allow_origin_regexes = cors_policy.value.allow_origin_regexes
+ allow_origins = cors_policy.value.allow_origins
+ disabled = cors_policy.value.disabled
+ expose_headers = cors_policy.value.expose_headers
+ max_age = cors_policy.value.max_age
+ }
+ }
+ dynamic "fault_injection_policy" {
+ for_each = (
+ route_action.value.fault_injection_policy == null
+ ? []
+ : [route_action.value.fault_injection_policy]
+ )
+ content {
+ dynamic "abort" {
+ for_each = (
+ fault_injection_policy.value.abort == null
+ ? []
+ : [fault_injection_policy.value.abort]
+ )
+ content {
+ http_status = abort.value.status
+ percentage = abort.value.percentage
+ }
+ }
+ dynamic "delay" {
+ for_each = (
+ fault_injection_policy.value.delay == null
+ ? []
+ : [fault_injection_policy.value.delay]
+ )
+ content {
+ percentage = delay.value.percentage
+ fixed_delay {
+ nanos = delay.value.fixed.nanos
+ seconds = delay.value.fixed.seconds
+ }
+ }
+ }
+ }
+ }
+ dynamic "request_mirror_policy" {
+ for_each = (
+ route_action.value.request_mirror_backend == null
+ ? []
+ : [""]
+ )
+ content {
+ backend_service = lookup(
+ local.backend_ids,
+ route_action.value.request_mirror_backend,
+ route_action.value.request_mirror_backend
+ )
+ }
+ }
+ dynamic "retry_policy" {
+ for_each = (
+ route_action.value.retry_policy == null
+ ? []
+ : [route_action.value.retry_policy]
+ )
+ content {
+ num_retries = retry_policy.value.num_retries
+ retry_conditions = retry_policy.value.retry_conditions
+ dynamic "per_try_timeout" {
+ for_each = (
+ retry_policy.value.per_try_timeout == null
+ ? []
+ : [retry_policy.value.per_try_timeout]
+ )
+ content {
+ nanos = per_try_timeout.value.nanos
+ seconds = per_try_timeout.value.seconds
+ }
+ }
+ }
+ }
+ dynamic "timeout" {
+ for_each = (
+ route_action.value.timeout == null
+ ? []
+ : [route_action.value.timeout]
+ )
+ content {
+ nanos = timeout.value.nanos
+ seconds = timeout.value.seconds
+ }
+ }
+ dynamic "url_rewrite" {
+ for_each = (
+ route_action.value.url_rewrite == null
+ ? []
+ : [route_action.value.url_rewrite]
+ )
+ content {
+ host_rewrite = url_rewrite.value.host
+ path_prefix_rewrite = url_rewrite.value.path_prefix
+ }
+ }
+ dynamic "weighted_backend_services" {
+ for_each = coalesce(
+ route_action.value.weighted_backend_services, {}
+ )
+ iterator = service
+ content {
+ backend_service = lookup(
+ local.backend_ids, service.key, service.key
+ )
+ weight = service.value.weight
+ dynamic "header_action" {
+ for_each = (
+ service.value.header_action == null
+ ? []
+ : [service.value.header_action]
+ )
+ iterator = h
+ content {
+ request_headers_to_remove = h.value.request_remove
+ response_headers_to_remove = h.value.response_remove
+ dynamic "request_headers_to_add" {
+ for_each = coalesce(h.value.request_add, {})
+ content {
+ header_name = request_headers_to_add.key
+ header_value = request_headers_to_add.value.value
+ replace = request_headers_to_add.value.replace
+ }
+ }
+ dynamic "response_headers_to_add" {
+ for_each = coalesce(h.value.response_add, {})
+ content {
+ header_name = response_headers_to_add.key
+ header_value = response_headers_to_add.value.value
+ replace = response_headers_to_add.value.replace
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "default_url_redirect" {
+ for_each = (
+ var.urlmap_config.default_url_redirect == null
+ ? []
+ : [var.urlmap_config.default_url_redirect]
+ )
+ iterator = r
+ content {
+ host_redirect = r.value.host
+ https_redirect = r.value.https
+ path_redirect = r.value.path
+ prefix_redirect = r.value.prefix
+ redirect_response_code = r.value.response_code
+ strip_query = r.value.strip_query
+ }
+ }
+
+ dynamic "host_rule" {
+ for_each = coalesce(var.urlmap_config.host_rules, [])
+ iterator = r
+ content {
+ hosts = r.value.hosts
+ path_matcher = r.value.path_matcher
+ description = r.value.description
+ }
+ }
+
+ dynamic "path_matcher" {
+ for_each = coalesce(var.urlmap_config.path_matchers, {})
+ iterator = m
+ content {
+ default_service = m.value.default_service == null ? null : lookup(
+ local.backend_ids, m.value.default_service, m.value.default_service
+ )
+ description = m.value.description
+ name = m.key
+ dynamic "default_url_redirect" {
+ for_each = (
+ m.value.default_url_redirect == null
+ ? []
+ : [m.value.default_url_redirect]
+ )
+ content {
+ host_redirect = default_url_redirect.value.host
+ https_redirect = default_url_redirect.value.https
+ path_redirect = default_url_redirect.value.path
+ prefix_redirect = default_url_redirect.value.prefix
+ redirect_response_code = default_url_redirect.value.response_code
+ strip_query = default_url_redirect.value.strip_query
+ }
+ }
+ dynamic "path_rule" {
+ for_each = toset(coalesce(m.value.path_rules, []))
+ content {
+ paths = path_rule.value.paths
+ service = path_rule.value.service == null ? null : lookup(
+ local.backend_ids,
+ path_rule.value.service,
+ path_rule.value.service
+ )
+ dynamic "route_action" {
+ for_each = (
+ path_rule.value.route_action == null
+ ? []
+ : [path_rule.value.route_action]
+ )
+ content {
+ dynamic "cors_policy" {
+ for_each = (
+ route_action.value.cors_policy == null
+ ? []
+ : [route_action.value.cors_policy]
+ )
+ content {
+ allow_credentials = cors_policy.value.allow_credentials
+ allow_headers = cors_policy.value.allow_headers
+ allow_methods = cors_policy.value.allow_methods
+ allow_origin_regexes = cors_policy.value.allow_origin_regexes
+ allow_origins = cors_policy.value.allow_origins
+ disabled = cors_policy.value.disabled
+ expose_headers = cors_policy.value.expose_headers
+ max_age = cors_policy.value.max_age
+ }
+ }
+ dynamic "fault_injection_policy" {
+ for_each = (
+ route_action.value.fault_injection_policy == null
+ ? []
+ : [route_action.value.fault_injection_policy]
+ )
+ content {
+ dynamic "abort" {
+ for_each = (
+ fault_injection_policy.value.abort == null
+ ? []
+ : [fault_injection_policy.value.abort]
+ )
+ content {
+ http_status = abort.value.status
+ percentage = abort.value.percentage
+ }
+ }
+ dynamic "delay" {
+ for_each = (
+ fault_injection_policy.value.delay == null
+ ? []
+ : [fault_injection_policy.value.delay]
+ )
+ content {
+ percentage = delay.value.percentage
+ fixed_delay {
+ nanos = delay.value.fixed.nanos
+ seconds = delay.value.fixed.seconds
+ }
+ }
+ }
+ }
+ }
+ dynamic "request_mirror_policy" {
+ for_each = (
+ route_action.value.request_mirror_backend == null
+ ? []
+ : [""]
+ )
+ content {
+ backend_service = lookup(
+ local.backend_ids,
+ route_action.value.request_mirror_backend,
+ route_action.value.request_mirror_backend
+ )
+ }
+ }
+ dynamic "retry_policy" {
+ for_each = (
+ route_action.value.retry_policy == null
+ ? []
+ : [route_action.value.retry_policy]
+ )
+ content {
+ num_retries = retry_policy.value.num_retries
+ retry_conditions = retry_policy.value.retry_conditions
+ dynamic "per_try_timeout" {
+ for_each = (
+ retry_policy.value.per_try_timeout == null
+ ? []
+ : [retry_policy.value.per_try_timeout]
+ )
+ content {
+ nanos = per_try_timeout.value.nanos
+ seconds = per_try_timeout.value.seconds
+ }
+ }
+ }
+ }
+ dynamic "timeout" {
+ for_each = (
+ route_action.value.timeout == null
+ ? []
+ : [route_action.value.timeout]
+ )
+ content {
+ nanos = timeout.value.nanos
+ seconds = timeout.value.seconds
+ }
+ }
+ dynamic "url_rewrite" {
+ for_each = (
+ route_action.value.url_rewrite == null
+ ? []
+ : [route_action.value.url_rewrite]
+ )
+ content {
+ host_rewrite = url_rewrite.value.host
+ path_prefix_rewrite = url_rewrite.value.path_prefix
+ }
+ }
+ dynamic "weighted_backend_services" {
+ for_each = coalesce(
+ route_action.value.weighted_backend_services, {}
+ )
+ iterator = service
+ content {
+ backend_service = lookup(
+ local.backend_ids, service.key, service.key
+ )
+ weight = service.value.weight
+ dynamic "header_action" {
+ for_each = (
+ service.value.header_action == null
+ ? []
+ : [service.value.header_action]
+ )
+ iterator = h
+ content {
+ request_headers_to_remove = h.value.request_remove
+ response_headers_to_remove = h.value.response_remove
+ dynamic "request_headers_to_add" {
+ for_each = coalesce(h.value.request_add, {})
+ content {
+ header_name = request_headers_to_add.key
+ header_value = request_headers_to_add.value.value
+ replace = request_headers_to_add.value.replace
+ }
+ }
+ dynamic "response_headers_to_add" {
+ for_each = coalesce(h.value.response_add, {})
+ content {
+ header_name = response_headers_to_add.key
+ header_value = response_headers_to_add.value.value
+ replace = response_headers_to_add.value.replace
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ dynamic "url_redirect" {
+ for_each = (
+ path_rule.value.url_redirect == null
+ ? []
+ : [path_rule.value.url_redirect]
+ )
+ content {
+ host_redirect = url_redirect.value.host
+ https_redirect = url_redirect.value.https
+ path_redirect = url_redirect.value.path
+ prefix_redirect = url_redirect.value.prefix
+ redirect_response_code = url_redirect.value.response_code
+ strip_query = url_redirect.value.strip_query
+ }
+ }
+ }
+ }
+ dynamic "route_rules" {
+ for_each = toset(coalesce(m.value.route_rules, []))
+ content {
+ priority = route_rules.value.priority
+ service = route_rules.value.service == null ? null : lookup(
+ local.backend_ids,
+ route_rules.value.service,
+ route_rules.value.service
+ )
+ dynamic "header_action" {
+ for_each = (
+ route_rules.value.header_action == null
+ ? []
+ : [route_rules.value.header_action]
+ )
+ iterator = h
+ content {
+ request_headers_to_remove = h.value.request_remove
+ response_headers_to_remove = h.value.response_remove
+ dynamic "request_headers_to_add" {
+ for_each = coalesce(h.value.request_add, {})
+ content {
+ header_name = request_headers_to_add.key
+ header_value = request_headers_to_add.value.value
+ replace = request_headers_to_add.value.replace
+ }
+ }
+ dynamic "response_headers_to_add" {
+ for_each = coalesce(h.value.response_add, {})
+ content {
+ header_name = response_headers_to_add.key
+ header_value = response_headers_to_add.value.value
+ replace = response_headers_to_add.value.replace
+ }
+ }
+ }
+ }
+ dynamic "match_rules" {
+ for_each = toset(coalesce(route_rules.value.match_rules, []))
+ content {
+ ignore_case = match_rules.value.ignore_case
+ full_path_match = (
+ try(match_rules.value.path.type, null) == "full"
+ ? match_rules.value.path.value
+ : null
+ )
+ prefix_match = (
+ try(match_rules.value.path.type, null) == "prefix"
+ ? match_rules.value.path.value
+ : null
+ )
+ regex_match = (
+ try(match_rules.value.path.type, null) == "regex"
+ ? match_rules.value.path.value
+ : null
+ )
+ dynamic "header_matches" {
+ for_each = toset(coalesce(match_rules.value.headers, []))
+ iterator = h
+ content {
+ header_name = h.value.name
+ exact_match = h.value.type == "exact" ? h.value.value : null
+ invert_match = h.value.invert_match
+ prefix_match = h.value.type == "prefix" ? h.value.value : null
+ present_match = h.value.type == "present" ? h.value.value : null
+ regex_match = h.value.type == "regex" ? h.value.value : null
+ suffix_match = h.value.type == "suffix" ? h.value.value : null
+ dynamic "range_match" {
+ for_each = (
+ h.value.type != "range" || h.value.range_value == null
+ ? []
+ : [""]
+ )
+ content {
+ range_end = h.value.range_value.end
+ range_start = h.value.range_value.start
+ }
+ }
+ }
+ }
+ dynamic "metadata_filters" {
+ for_each = toset(coalesce(match_rules.value.metadata_filters, []))
+ iterator = m
+ content {
+ filter_match_criteria = (
+ m.value.match_all ? "MATCH_ALL" : "MATCH_ANY"
+ )
+ dynamic "filter_labels" {
+ for_each = m.value.labels
+ content {
+ name = filter_labels.key
+ value = filter_labels.value
+ }
+ }
+ }
+ }
+ dynamic "query_parameter_matches" {
+ for_each = toset(coalesce(match_rules.value.query_params, []))
+ iterator = q
+ content {
+ name = q.value.name
+ exact_match = (
+ q.value.type == "exact" ? q.value.value : null
+ )
+ present_match = (
+ q.value.type == "present" ? q.value.value : null
+ )
+ regex_match = (
+ q.value.type == "regex" ? q.value.value : null
+ )
+ }
+ }
+ }
+ }
+ dynamic "route_action" {
+ for_each = (
+ route_rules.value.route_action == null
+ ? []
+ : [route_rules.value.route_action]
+ )
+ content {
+ dynamic "cors_policy" {
+ for_each = (
+ route_action.value.cors_policy == null
+ ? []
+ : [route_action.value.cors_policy]
+ )
+ content {
+ allow_credentials = cors_policy.value.allow_credentials
+ allow_headers = cors_policy.value.allow_headers
+ allow_methods = cors_policy.value.allow_methods
+ allow_origin_regexes = cors_policy.value.allow_origin_regexes
+ allow_origins = cors_policy.value.allow_origins
+ disabled = cors_policy.value.disabled
+ expose_headers = cors_policy.value.expose_headers
+ max_age = cors_policy.value.max_age
+ }
+ }
+ dynamic "fault_injection_policy" {
+ for_each = (
+ route_action.value.fault_injection_policy == null
+ ? []
+ : [route_action.value.fault_injection_policy]
+ )
+ content {
+ dynamic "abort" {
+ for_each = (
+ fault_injection_policy.value.abort == null
+ ? []
+ : [fault_injection_policy.value.abort]
+ )
+ content {
+ http_status = abort.value.status
+ percentage = abort.value.percentage
+ }
+ }
+ dynamic "delay" {
+ for_each = (
+ fault_injection_policy.value.delay == null
+ ? []
+ : [fault_injection_policy.value.delay]
+ )
+ content {
+ percentage = delay.value.percentage
+ fixed_delay {
+ nanos = delay.value.fixed.nanos
+ seconds = delay.value.fixed.seconds
+ }
+ }
+ }
+ }
+ }
+ dynamic "request_mirror_policy" {
+ for_each = (
+ route_action.value.request_mirror_backend == null
+ ? []
+ : [""]
+ )
+ content {
+ backend_service = lookup(
+ local.backend_ids,
+ route_action.value.request_mirror_backend,
+ route_action.value.request_mirror_backend
+ )
+ }
+ }
+ dynamic "retry_policy" {
+ for_each = (
+ route_action.value.retry_policy == null
+ ? []
+ : [route_action.value.retry_policy]
+ )
+ content {
+ num_retries = retry_policy.value.num_retries
+ retry_conditions = retry_policy.value.retry_conditions
+ dynamic "per_try_timeout" {
+ for_each = (
+ retry_policy.value.per_try_timeout == null
+ ? []
+ : [retry_policy.value.per_try_timeout]
+ )
+ content {
+ nanos = per_try_timeout.value.nanos
+ seconds = per_try_timeout.value.seconds
+ }
+ }
+ }
+ }
+ dynamic "timeout" {
+ for_each = (
+ route_action.value.timeout == null
+ ? []
+ : [route_action.value.timeout]
+ )
+ content {
+ nanos = timeout.value.nanos
+ seconds = timeout.value.seconds
+ }
+ }
+ dynamic "url_rewrite" {
+ for_each = (
+ route_action.value.url_rewrite == null
+ ? []
+ : [route_action.value.url_rewrite]
+ )
+ content {
+ host_rewrite = url_rewrite.value.host
+ path_prefix_rewrite = url_rewrite.value.path_prefix
+ }
+ }
+ dynamic "weighted_backend_services" {
+ for_each = coalesce(
+ route_action.value.weighted_backend_services, {}
+ )
+ iterator = service
+ content {
+ backend_service = lookup(
+ local.backend_ids, service.key, service.key
+ )
+ weight = service.value.weight
+ dynamic "header_action" {
+ for_each = (
+ service.value.header_action == null
+ ? []
+ : [service.value.header_action]
+ )
+ iterator = h
+ content {
+ request_headers_to_remove = h.value.request_remove
+ response_headers_to_remove = h.value.response_remove
+ dynamic "request_headers_to_add" {
+ for_each = coalesce(h.value.request_add, {})
+ content {
+ header_name = request_headers_to_add.key
+ header_value = request_headers_to_add.value.value
+ replace = request_headers_to_add.value.replace
+ }
+ }
+ dynamic "response_headers_to_add" {
+ for_each = coalesce(h.value.response_add, {})
+ content {
+ header_name = response_headers_to_add.key
+ header_value = response_headers_to_add.value.value
+ replace = response_headers_to_add.value.replace
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ dynamic "url_redirect" {
+ for_each = (
+ route_rules.value.url_redirect == null
+ ? []
+ : [route_rules.value.url_redirect]
+ )
+ content {
+ host_redirect = url_redirect.value.host
+ https_redirect = url_redirect.value.https
+ path_redirect = url_redirect.value.path
+ prefix_redirect = url_redirect.value.prefix
+ redirect_response_code = url_redirect.value.response_code
+ strip_query = url_redirect.value.strip_query
+ }
+ }
+ }
+ }
+ }
+ }
+
+ dynamic "test" {
+ for_each = toset(coalesce(var.urlmap_config.test, []))
+ content {
+ host = test.value.host
+ path = test.value.path
+ service = test.value.service
+ description = test.value.description
+ }
+ }
+
+}
diff --git a/modules/net-lb-app-ext-regional/variables-backend-service.tf b/modules/net-lb-app-ext-regional/variables-backend-service.tf
new file mode 100644
index 0000000000..c6b4d6586c
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/variables-backend-service.tf
@@ -0,0 +1,144 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Backend services variables.
+
+variable "backend_service_configs" {
+ description = "Backend service level configuration."
+ type = map(object({
+ affinity_cookie_ttl_sec = optional(number)
+ connection_draining_timeout_sec = optional(number)
+ enable_cdn = optional(bool)
+ health_checks = optional(list(string), ["default"])
+ log_sample_rate = optional(number)
+ port_name = optional(string)
+ project_id = optional(string)
+ protocol = optional(string)
+ security_policy = optional(string)
+ session_affinity = optional(string)
+ timeout_sec = optional(number)
+ backends = list(object({
+ # group renamed to backend
+ backend = string
+ balancing_mode = optional(string, "UTILIZATION")
+ capacity_scaler = optional(number, 1)
+ description = optional(string, "Terraform managed.")
+ failover = optional(bool, false)
+ max_connections = optional(object({
+ per_endpoint = optional(number)
+ per_group = optional(number)
+ per_instance = optional(number)
+ }))
+ max_rate = optional(object({
+ per_endpoint = optional(number)
+ per_group = optional(number)
+ per_instance = optional(number)
+ }))
+ max_utilization = optional(number)
+ }))
+ cdn_policy = optional(object({
+ cache_mode = optional(string)
+ client_ttl = optional(number)
+ default_ttl = optional(number)
+ max_ttl = optional(number)
+ negative_caching = optional(bool)
+ serve_while_stale = optional(number)
+ signed_url_cache_max_age_sec = optional(number)
+ cache_key_policy = optional(object({
+ include_host = optional(bool)
+ include_named_cookies = optional(list(string))
+ include_protocol = optional(bool)
+ include_query_string = optional(bool)
+ query_string_blacklist = optional(list(string))
+ query_string_whitelist = optional(list(string))
+ }))
+ negative_caching_policy = optional(object({
+ code = optional(number)
+ ttl = optional(number)
+ }))
+ }))
+ circuit_breakers = optional(object({
+ max_connections = optional(number)
+ max_pending_requests = optional(number)
+ max_requests = optional(number)
+ max_requests_per_connection = optional(number)
+ max_retries = optional(number)
+ connect_timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ consistent_hash = optional(object({
+ http_header_name = optional(string)
+ minimum_ring_size = optional(number)
+ http_cookie = optional(object({
+ name = optional(string)
+ path = optional(string)
+ ttl = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ }))
+ iap_config = optional(object({
+ oauth2_client_id = string
+ oauth2_client_secret = string
+ oauth2_client_secret_sha256 = optional(string)
+ }))
+ outlier_detection = optional(object({
+ consecutive_errors = optional(number)
+ consecutive_gateway_failure = optional(number)
+ enforcing_consecutive_errors = optional(number)
+ enforcing_consecutive_gateway_failure = optional(number)
+ enforcing_success_rate = optional(number)
+ max_ejection_percent = optional(number)
+ success_rate_minimum_hosts = optional(number)
+ success_rate_request_volume = optional(number)
+ success_rate_stdev_factor = optional(number)
+ base_ejection_time = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ interval = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ }))
+ default = {}
+ nullable = false
+ validation {
+ condition = alltrue([
+ for backend_service in values(var.backend_service_configs) : contains(
+ [
+ "NONE", "CLIENT_IP", "CLIENT_IP_NO_DESTINATION",
+ "CLIENT_IP_PORT_PROTO", "CLIENT_IP_PROTO"
+ ],
+ coalesce(backend_service.session_affinity, "NONE")
+ )
+ ])
+ error_message = "Invalid session affinity value."
+ }
+ validation {
+ condition = alltrue(flatten([
+ for backend_service in values(var.backend_service_configs) : [
+ for backend in backend_service.backends : contains(
+ ["RATE", "UTILIZATION"], coalesce(backend.balancing_mode, "UTILIZATION")
+ )]
+ ]))
+ error_message = "When specified, balancing mode needs to be 'RATE' or 'UTILIZATION'."
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/variables-health-check.tf b/modules/net-lb-app-ext-regional/variables-health-check.tf
new file mode 100644
index 0000000000..be34d779dd
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/variables-health-check.tf
@@ -0,0 +1,109 @@
+/**
+ * Copyright 2022 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description Health check variable.
+
+variable "health_check_configs" {
+ description = "Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage."
+ type = map(object({
+ check_interval_sec = optional(number)
+ description = optional(string, "Terraform managed.")
+ enable_logging = optional(bool, false)
+ healthy_threshold = optional(number)
+ project_id = optional(string)
+ timeout_sec = optional(number)
+ unhealthy_threshold = optional(number)
+ grpc = optional(object({
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ service_name = optional(string)
+ }))
+ http = optional(object({
+ host = optional(string)
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ proxy_header = optional(string)
+ request_path = optional(string)
+ response = optional(string)
+ }))
+ http2 = optional(object({
+ host = optional(string)
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ proxy_header = optional(string)
+ request_path = optional(string)
+ response = optional(string)
+ }))
+ https = optional(object({
+ host = optional(string)
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ proxy_header = optional(string)
+ request_path = optional(string)
+ response = optional(string)
+ }))
+ tcp = optional(object({
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ proxy_header = optional(string)
+ request = optional(string)
+ response = optional(string)
+ }))
+ ssl = optional(object({
+ port = optional(number)
+ port_name = optional(string)
+ port_specification = optional(string) # USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT
+ proxy_header = optional(string)
+ request = optional(string)
+ response = optional(string)
+ }))
+ }))
+ default = {
+ default = {
+ http = {
+ port_specification = "USE_SERVING_PORT"
+ }
+ }
+ }
+ validation {
+ condition = alltrue([
+ for k, v in var.health_check_configs : (
+ (try(v.grpc, null) == null ? 0 : 1) +
+ (try(v.http, null) == null ? 0 : 1) +
+ (try(v.http2, null) == null ? 0 : 1) +
+ (try(v.https, null) == null ? 0 : 1) +
+ (try(v.tcp, null) == null ? 0 : 1) +
+ (try(v.ssl, null) == null ? 0 : 1) <= 1
+ )
+ ])
+ error_message = "At most one health check type can be configured at a time."
+ }
+ validation {
+ condition = alltrue(flatten([
+ for k, v in var.health_check_configs : [
+ for kk, vv in v : contains([
+ "-", "USE_FIXED_PORT", "USE_NAMED_PORT", "USE_SERVING_PORT"
+ ], coalesce(try(vv.port_specification, null), "-"))
+ ]
+ ]))
+ error_message = "Invalid 'port_specification' value. Supported values are 'USE_FIXED_PORT', 'USE_NAMED_PORT', 'USE_SERVING_PORT'."
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/variables-urlmap.tf b/modules/net-lb-app-ext-regional/variables-urlmap.tf
new file mode 100644
index 0000000000..c3149c5197
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/variables-urlmap.tf
@@ -0,0 +1,303 @@
+/**
+ * Copyright 2023 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+# tfdoc:file:description URLmap variable.
+
+variable "urlmap_config" {
+ description = "The URL map configuration."
+ type = object({
+ default_route_action = optional(object({
+ request_mirror_backend = optional(string)
+ cors_policy = optional(object({
+ allow_credentials = optional(bool)
+ allow_headers = optional(string)
+ allow_methods = optional(string)
+ allow_origin_regexes = list(string)
+ allow_origins = list(string)
+ disabled = optional(bool)
+ expose_headers = optional(string)
+ max_age = optional(string)
+ }))
+ fault_injection_policy = optional(object({
+ abort = optional(object({
+ percentage = number
+ status = number
+ }))
+ delay = optional(object({
+ fixed = object({
+ seconds = number
+ nanos = number
+ })
+ percentage = number
+ }))
+ }))
+ retry_policy = optional(object({
+ num_retries = number
+ retry_conditions = optional(list(string))
+ per_try_timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ url_rewrite = optional(object({
+ host = optional(string)
+ path_prefix = optional(string)
+ }))
+ weighted_backend_services = optional(map(object({
+ weight = number
+ header_action = optional(object({
+ request_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ request_remove = optional(list(string))
+ response_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ response_remove = optional(list(string))
+ }))
+ })))
+ }))
+ default_service = optional(string)
+ default_url_redirect = optional(object({
+ host = optional(string)
+ https = optional(bool)
+ path = optional(string)
+ prefix = optional(string)
+ response_code = optional(string)
+ strip_query = optional(bool, false)
+ }))
+ header_action = optional(object({
+ request_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ request_remove = optional(list(string))
+ response_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ response_remove = optional(list(string))
+ }))
+ host_rules = optional(list(object({
+ hosts = list(string)
+ path_matcher = string
+ description = optional(string)
+ })))
+ path_matchers = optional(map(object({
+ description = optional(string)
+ default_service = optional(string)
+ default_url_redirect = optional(object({
+ host = optional(string)
+ https = optional(bool)
+ path = optional(string)
+ prefix = optional(string)
+ response_code = optional(string)
+ strip_query = optional(bool)
+ }))
+ path_rules = optional(list(object({
+ paths = list(string)
+ service = optional(string)
+ route_action = optional(object({
+ request_mirror_backend = optional(string)
+ cors_policy = optional(object({
+ allow_credentials = optional(bool)
+ allow_headers = optional(string)
+ allow_methods = optional(string)
+ allow_origin_regexes = list(string)
+ allow_origins = list(string)
+ disabled = optional(bool)
+ expose_headers = optional(string)
+ max_age = optional(string)
+ }))
+ fault_injection_policy = optional(object({
+ abort = optional(object({
+ percentage = number
+ status = number
+ }))
+ delay = optional(object({
+ fixed = object({
+ seconds = number
+ nanos = number
+ })
+ percentage = number
+ }))
+ }))
+ retry_policy = optional(object({
+ num_retries = number
+ retry_conditions = optional(list(string))
+ per_try_timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ url_rewrite = optional(object({
+ host = optional(string)
+ path_prefix = optional(string)
+ }))
+ weighted_backend_services = optional(map(object({
+ weight = number
+ header_action = optional(object({
+ request_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ request_remove = optional(list(string))
+ response_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ response_remove = optional(list(string))
+ }))
+ })))
+ }))
+ url_redirect = optional(object({
+ host = optional(string)
+ https = optional(bool)
+ path = optional(string)
+ prefix = optional(string)
+ response_code = optional(string)
+ strip_query = optional(bool)
+ }))
+ })))
+ route_rules = optional(list(object({
+ priority = number
+ service = optional(string)
+ header_action = optional(object({
+ request_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ request_remove = optional(list(string))
+ response_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ response_remove = optional(list(string))
+ }))
+ match_rules = optional(list(object({
+ ignore_case = optional(bool, false)
+ headers = optional(list(object({
+ name = string
+ invert_match = optional(bool, false)
+ type = optional(string, "present") # exact, prefix, suffix, regex, present, range
+ value = optional(string)
+ range_value = optional(object({
+ end = string
+ start = string
+ }))
+ })))
+ metadata_filters = optional(list(object({
+ labels = map(string)
+ match_all = bool # MATCH_ANY, MATCH_ALL
+ })))
+ path = optional(object({
+ value = string
+ type = optional(string, "prefix") # full, prefix, regex
+ }))
+ query_params = optional(list(object({
+ name = string
+ value = string
+ type = optional(string, "present") # exact, present, regex
+ })))
+ })))
+ route_action = optional(object({
+ request_mirror_backend = optional(string)
+ cors_policy = optional(object({
+ allow_credentials = optional(bool)
+ allow_headers = optional(string)
+ allow_methods = optional(string)
+ allow_origin_regexes = list(string)
+ allow_origins = list(string)
+ disabled = optional(bool)
+ expose_headers = optional(string)
+ max_age = optional(string)
+ }))
+ fault_injection_policy = optional(object({
+ abort = optional(object({
+ percentage = number
+ status = number
+ }))
+ delay = optional(object({
+ fixed = object({
+ seconds = number
+ nanos = number
+ })
+ percentage = number
+ }))
+ }))
+ retry_policy = optional(object({
+ num_retries = number
+ retry_conditions = optional(list(string))
+ per_try_timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ }))
+ timeout = optional(object({
+ seconds = number
+ nanos = optional(number)
+ }))
+ url_rewrite = optional(object({
+ host = optional(string)
+ path_prefix = optional(string)
+ }))
+ weighted_backend_services = optional(map(object({
+ weight = number
+ header_action = optional(object({
+ request_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ request_remove = optional(list(string))
+ response_add = optional(map(object({
+ value = string
+ replace = optional(bool, true)
+ })))
+ response_remove = optional(list(string))
+ }))
+ })))
+ }))
+ url_redirect = optional(object({
+ host = optional(string)
+ https = optional(bool)
+ path = optional(string)
+ prefix = optional(string)
+ response_code = optional(string)
+ strip_query = optional(bool)
+ }))
+ })))
+ })))
+ test = optional(list(object({
+ host = string
+ path = string
+ service = string
+ description = optional(string)
+ })))
+ })
+ default = {
+ default_service = "default"
+ }
+}
diff --git a/modules/net-lb-app-ext-regional/variables.tf b/modules/net-lb-app-ext-regional/variables.tf
new file mode 100644
index 0000000000..85a0034033
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/variables.tf
@@ -0,0 +1,191 @@
+/**
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "address" {
+ description = "Optional IP address used for the forwarding rule."
+ type = string
+ default = null
+}
+
+variable "description" {
+ description = "Optional description used for resources."
+ type = string
+ default = "Terraform managed."
+}
+
+variable "group_configs" {
+ description = "Optional unmanaged groups to create. Can be referenced in backends via key or outputs."
+ type = map(object({
+ zone = string
+ instances = optional(list(string))
+ named_ports = optional(map(number), {})
+ project_id = optional(string)
+ }))
+ default = {}
+ nullable = false
+}
+
+variable "https_proxy_config" {
+ description = "HTTPS proxy connfiguration."
+ type = object({
+ certificate_map = optional(string)
+ quic_override = optional(string)
+ ssl_policy = optional(string)
+ })
+ default = {}
+ nullable = false
+}
+
+variable "labels" {
+ description = "Labels set on resources."
+ type = map(string)
+ default = {}
+}
+
+variable "name" {
+ description = "Load balancer name."
+ type = string
+}
+
+variable "neg_configs" {
+ description = "Optional network endpoint groups to create. Can be referenced in backends via key or outputs."
+ type = map(object({
+ description = optional(string)
+ cloudfunction = optional(object({
+ region = string
+ target_function = optional(string)
+ target_urlmask = optional(string)
+ }))
+ cloudrun = optional(object({
+ region = string
+ target_service = optional(object({
+ name = string
+ tag = optional(string)
+ }))
+ target_urlmask = optional(string)
+ }))
+ gce = optional(object({
+ network = string
+ subnetwork = string
+ zone = string
+ # default_port = optional(number)
+ endpoints = optional(map(object({
+ instance = string
+ ip_address = string
+ port = number
+ })))
+ }))
+ hybrid = optional(object({
+ network = string
+ zone = string
+ # re-enable once provider properly support this
+ # default_port = optional(number)
+ endpoints = optional(map(object({
+ ip_address = string
+ port = number
+ })))
+ }))
+ psc = optional(object({
+ region = string
+ target_service = string
+ network = optional(string)
+ subnetwork = optional(string)
+ }))
+ }))
+ default = {}
+ nullable = false
+ validation {
+ condition = alltrue([
+ for k, v in var.neg_configs : (
+ (try(v.cloudfunction, null) == null ? 0 : 1) +
+ (try(v.cloudrun, null) == null ? 0 : 1) +
+ (try(v.gce, null) == null ? 0 : 1) +
+ (try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.psc, null) == null ? 0 : 1) == 1
+ )
+ ])
+ error_message = "Only one type of NEG can be configured at a time."
+ }
+ validation {
+ condition = alltrue([
+ for k, v in var.neg_configs : (
+ v.cloudrun == null
+ ? true
+ : v.cloudrun.target_urlmask != null || v.cloudrun.target_service != null
+ )
+ ])
+ error_message = "Cloud Run NEGs need either target service or target urlmask defined."
+ }
+ validation {
+ condition = alltrue([
+ for k, v in var.neg_configs : (
+ v.cloudfunction == null
+ ? true
+ : v.cloudfunction.target_urlmask != null || v.cloudfunction.target_function != null
+ )
+ ])
+ error_message = "Cloud Function NEGs need either target function or target urlmask defined."
+ }
+}
+
+variable "ports" {
+ description = "Optional ports for HTTP load balancer, valid ports are 80 and 8080."
+ type = list(string)
+ default = null
+}
+
+variable "project_id" {
+ description = "Project id."
+ type = string
+}
+
+variable "protocol" {
+ description = "Protocol supported by this load balancer."
+ type = string
+ default = "HTTP"
+ nullable = false
+ validation {
+ condition = (
+ var.protocol == null || var.protocol == "HTTP" || var.protocol == "HTTPS"
+ )
+ error_message = "Protocol must be HTTP or HTTPS"
+ }
+}
+
+variable "region" {
+ description = "Region where the load balancer is created."
+ type = string
+}
+
+variable "ssl_certificates" {
+ description = "SSL target proxy certificates (only if protocol is HTTPS) for existing, custom, and managed certificates."
+ type = object({
+ certificate_ids = optional(list(string), [])
+ create_configs = optional(map(object({
+ certificate = string
+ private_key = string
+ })), {})
+ })
+ default = {}
+ nullable = false
+}
+
+
+variable "vpc" {
+ description = "VPC-level configuration."
+ type = string
+ nullable = false
+}
diff --git a/modules/net-lb-app-ext-regional/versions.tf b/modules/net-lb-app-ext-regional/versions.tf
new file mode 100644
index 0000000000..5ec74cff31
--- /dev/null
+++ b/modules/net-lb-app-ext-regional/versions.tf
@@ -0,0 +1,27 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 1.5.1"
+ required_providers {
+ google = {
+ source = "hashicorp/google"
+ version = ">= 5.10.0, < 6.0.0" # tftest
+ }
+ google-beta = {
+ source = "hashicorp/google-beta"
+ version = ">= 5.10.0, < 6.0.0" # tftest
+ }
+ }
+}
diff --git a/tests/fixtures/ssl-certificate.tf b/tests/fixtures/ssl-certificate.tf
new file mode 100644
index 0000000000..99c1fd4379
--- /dev/null
+++ b/tests/fixtures/ssl-certificate.tf
@@ -0,0 +1,32 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resource "tls_private_key" "default" {
+ algorithm = "RSA"
+ rsa_bits = 2048
+}
+
+resource "tls_self_signed_cert" "default" {
+ private_key_pem = tls_private_key.default.private_key_pem
+ subject {
+ common_name = "example.com"
+ organization = "ACME Examples, Inc"
+ }
+ validity_period_hours = 720
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}