diff --git a/modules/net-lb-app-int/README.md b/modules/net-lb-app-int/README.md
index 6d4ebda0f0..a52f10fc61 100644
--- a/modules/net-lb-app-int/README.md
+++ b/modules/net-lb-app-int/README.md
@@ -17,6 +17,7 @@ Due to the complexity of the underlying resources, changes to the configuration
- [Hybrid NEG creation](#hybrid-neg-creation)
- [Serverless NEG creation](#serverless-neg-creation)
- [Private Service Connect NEG creation](#private-service-connect-neg-creation)
+ - [Internet NEG creation](#internet-neg-creation)
- [URL Map](#url-map)
- [SSL Certificates](#ssl-certificates)
- [PSC service attachment](#psc-service-attachment)
@@ -399,6 +400,48 @@ module "ilb-l7" {
# tftest modules=1 resources=5
```
+#### Internet NEG creation
+
+This example shows how to create and manage internet NEGs:
+
+```hcl
+module "ilb-l7" {
+ source = "./fabric/modules/net-lb-app-int"
+ project_id = var.project_id
+ name = "ilb-test"
+ region = var.region
+ backend_service_configs = {
+ default = {
+ backends = [
+ { group = "neg-0" }
+ ]
+ health_checks = []
+ }
+ }
+ # with a single internet NEG the implied default health check is not needed
+ health_check_configs = {}
+ neg_configs = {
+ neg-0 = {
+ internet = {
+ region = var.region
+ use_fqdn = true
+ endpoints = {
+ e-0 = {
+ destination = "www.example.org"
+ port = 80
+ }
+ }
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }
+}
+# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e
+```
+
### URL Map
The module exposes the full URL map resource configuration, with some minor changes to the interface to decrease verbosity, and support for aliasing backend services via keys.
@@ -678,7 +721,7 @@ module "ilb-l7" {
| [backend-service.tf](./backend-service.tf) | Backend service resources. | google_compute_region_backend_service |
| [groups.tf](./groups.tf) | None | google_compute_instance_group |
| [health-check.tf](./health-check.tf) | Health check resource. | google_compute_health_check |
-| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint_group · google_compute_region_ssl_certificate · google_compute_region_target_http_proxy · google_compute_region_target_https_proxy · google_compute_service_attachment |
+| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule · google_compute_network_endpoint · google_compute_network_endpoint_group · google_compute_region_network_endpoint · google_compute_region_network_endpoint_group · google_compute_region_ssl_certificate · google_compute_region_target_http_proxy · google_compute_region_target_https_proxy · google_compute_service_attachment |
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [urlmap.tf](./urlmap.tf) | URL map resources. | google_compute_region_url_map |
| [variables-backend-service.tf](./variables-backend-service.tf) | Backend services variables. | |
@@ -692,9 +735,9 @@ module "ilb-l7" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L54) | Load balancer name. | string | ✓ | |
-| [project_id](variables.tf#L138) | Project id. | string | ✓ | |
-| [region](variables.tf#L156) | The region where to allocate the ILB resources. | string | ✓ | |
-| [vpc_config](variables.tf#L198) | VPC-level configuration. | object({…}) | ✓ | |
+| [project_id](variables.tf#L150) | Project id. | string | ✓ | |
+| [region](variables.tf#L168) | The region where to allocate the ILB resources. | string | ✓ | |
+| [vpc_config](variables.tf#L210) | VPC-level configuration. | object({…}) | ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string | | null |
| [backend_service_configs](variables-backend-service.tf#L19) | Backend service level configuration. | map(object({…})) | | {} |
| [description](variables.tf#L23) | Optional description used for resources. | string | | "Terraform managed." |
@@ -702,13 +745,13 @@ module "ilb-l7" {
| [group_configs](variables.tf#L36) | Optional unmanaged groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
| [health_check_configs](variables-health-check.tf#L19) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | map(object({…})) | | {…} |
| [labels](variables.tf#L48) | Labels set on resources. | map(string) | | {} |
-| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
-| [network_tier_premium](variables.tf#L125) | Use premium network tier. Defaults to true. | bool | | true |
-| [ports](variables.tf#L132) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null |
-| [protocol](variables.tf#L143) | Protocol supported by this load balancer. | string | | "HTTP" |
-| [service_attachment](variables.tf#L161) | PSC service attachment. | object({…}) | | null |
-| [service_directory_registration](variables.tf#L176) | Service directory namespace and service used to register this load balancer. | object({…}) | | null |
-| [ssl_certificates](variables.tf#L185) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} |
+| [neg_configs](variables.tf#L59) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…})) | | {} |
+| [network_tier_premium](variables.tf#L137) | Use premium network tier. Defaults to true. | bool | | true |
+| [ports](variables.tf#L144) | Optional ports for HTTP load balancer, valid ports are 80 and 8080. | list(string) | | null |
+| [protocol](variables.tf#L155) | Protocol supported by this load balancer. | string | | "HTTP" |
+| [service_attachment](variables.tf#L173) | PSC service attachment. | object({…}) | | null |
+| [service_directory_registration](variables.tf#L188) | Service directory namespace and service used to register this load balancer. | object({…}) | | null |
+| [ssl_certificates](variables.tf#L197) | SSL target proxy certificates (only if protocol is HTTPS). | object({…}) | | {} |
| [urlmap_config](variables-urlmap.tf#L19) | The URL map configuration. | object({…}) | | {…} |
## Outputs
diff --git a/modules/net-lb-app-int/backend-service.tf b/modules/net-lb-app-int/backend-service.tf
index 0dcfa46a99..807b29cdc6 100644
--- a/modules/net-lb-app-int/backend-service.tf
+++ b/modules/net-lb-app-int/backend-service.tf
@@ -24,11 +24,17 @@ locals {
{
for k, v in google_compute_network_endpoint_group.default : k => v.id
},
+ {
+ for k, v in google_compute_region_network_endpoint_group.internet : k => v.id
+ },
{
for k, v in google_compute_region_network_endpoint_group.default : k => v.id
},
{
for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint.internet : k => v.id
}
)
hc_ids = {
diff --git a/modules/net-lb-app-int/main.tf b/modules/net-lb-app-int/main.tf
index edad808a08..e119a9297b 100644
--- a/modules/net-lb-app-int/main.tf
+++ b/modules/net-lb-app-int/main.tf
@@ -214,3 +214,48 @@ resource "google_compute_region_network_endpoint_group" "psc" {
network = each.value.psc.network
subnetwork = each.value.psc.subnetwork
}
+
+locals {
+ _neg_endpoints_internet = flatten([
+ for k, v in local.neg_internet : [
+ for kk, vv in v.internet.endpoints : merge(vv, {
+ key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
+ })
+ ]
+ ])
+ neg_endpoints_internet = {
+ for v in local._neg_endpoints_internet : (v.key) => v
+ }
+ neg_internet = {
+ for k, v in var.neg_configs :
+ k => v if v.internet != null
+ }
+}
+
+resource "google_compute_region_network_endpoint_group" "internet" {
+ for_each = local.neg_internet
+ project = var.project_id
+ name = "${var.name}-${each.key}"
+ region = each.value.internet.region
+ # re-enable once provider properly supports this
+ # default_port = each.value.default_port
+ description = coalesce(each.value.description, var.description)
+ network_endpoint_type = (
+ each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
+ )
+ network = var.vpc_config.network
+}
+
+resource "google_compute_region_network_endpoint" "internet" {
+ for_each = local.neg_endpoints_internet
+ project = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].project
+ )
+ region = each.value.region
+ region_network_endpoint_group = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].name
+ )
+ fqdn = each.value.use_fqdn ? each.value.destination : null
+ ip_address = each.value.use_fqdn ? null : each.value.destination
+ port = each.value.port
+}
diff --git a/modules/net-lb-app-int/variables.tf b/modules/net-lb-app-int/variables.tf
index b454762cb1..402fff9c7e 100644
--- a/modules/net-lb-app-int/variables.tf
+++ b/modules/net-lb-app-int/variables.tf
@@ -59,7 +59,8 @@ variable "name" {
variable "neg_configs" {
description = "Optional network endpoint groups to create. Can be referenced in backends via key or outputs."
type = map(object({
- project_id = optional(string)
+ project_id = optional(string)
+ description = optional(string)
cloudrun = optional(object({
region = string
target_service = optional(object({
@@ -90,6 +91,16 @@ variable "neg_configs" {
port = number
})))
}))
+ internet = optional(object({
+ region = string
+ use_fqdn = optional(bool, true)
+ # re-enable once provider properly support this
+ # default_port = optional(number)
+ endpoints = optional(map(object({
+ destination = string
+ port = number
+ })))
+ }))
psc = optional(object({
region = string
target_service = string
@@ -105,6 +116,7 @@ variable "neg_configs" {
(try(v.cloudrun, null) == null ? 0 : 1) +
(try(v.gce, null) == null ? 0 : 1) +
(try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.internet, null) == null ? 0 : 1) +
(try(v.psc, null) == null ? 0 : 1) == 1
)
])
diff --git a/tests/modules/net_lb_app_int/examples/internet-neg.yaml b/tests/modules/net_lb_app_int/examples/internet-neg.yaml
new file mode 100644
index 0000000000..38cb7aea19
--- /dev/null
+++ b/tests/modules/net_lb_app_int/examples/internet-neg.yaml
@@ -0,0 +1,76 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+ module.ilb-l7.google_compute_forwarding_rule.default:
+ description: Terraform managed.
+ ip_protocol: TCP
+ load_balancing_scheme: INTERNAL_MANAGED
+ name: ilb-test
+ network: projects/xxx/global/networks/aaa
+ port_range: '80'
+ project: project-id
+ region: europe-west8
+ subnetwork: subnet_self_link
+ module.ilb-l7.google_compute_region_backend_service.default["default"]:
+ backend:
+ - balancing_mode: UTILIZATION
+ capacity_scaler: 1
+ description: Terraform managed.
+ description: Terraform managed.
+ failover_policy: []
+ health_checks: null
+ iap: []
+ load_balancing_scheme: INTERNAL_MANAGED
+ name: ilb-test-default
+ network: null
+ project: project-id
+ protocol: HTTP
+ region: europe-west8
+ module.ilb-l7.google_compute_region_network_endpoint.internet["neg-0-e-0"]:
+ fqdn: www.example.org
+ ip_address: null
+ port: 80
+ project: project-id
+ region: europe-west8
+ region_network_endpoint_group: ilb-test-neg-0
+ module.ilb-l7.google_compute_region_network_endpoint_group.internet["neg-0"]:
+ description: Terraform managed.
+ name: ilb-test-neg-0
+ network: projects/xxx/global/networks/aaa
+ network_endpoint_type: INTERNET_FQDN_PORT
+ project: project-id
+ region: europe-west8
+ module.ilb-l7.google_compute_region_target_http_proxy.default[0]:
+ description: Terraform managed.
+ name: ilb-test
+ project: project-id
+ region: europe-west8
+ module.ilb-l7.google_compute_region_url_map.default:
+ description: Terraform managed.
+ name: ilb-test
+ project: project-id
+ region: europe-west8
+
+counts:
+ google_compute_forwarding_rule: 1
+ google_compute_region_backend_service: 1
+ google_compute_region_network_endpoint: 1
+ google_compute_region_network_endpoint_group: 1
+ google_compute_region_target_http_proxy: 1
+ google_compute_region_url_map: 1
+ modules: 1
+ resources: 6
+
+outputs: {}