diff --git a/modules/net-address/outputs.tf b/modules/net-address/outputs.tf
index cf6641bdaf..95ab38b114 100644
--- a/modules/net-address/outputs.tf
+++ b/modules/net-address/outputs.tf
@@ -64,8 +64,14 @@ output "psa_addresses" {
output "psc_addresses" {
description = "Allocated internal addresses for PSC endpoints."
- value = {
- for address in google_compute_global_address.psc :
- address.name => address
- }
+ value = merge(
+ {
+ for address in google_compute_global_address.psc :
+ address.name => address
+ },
+ {
+ for address in google_compute_address.psc :
+ address.name => address
+ }
+ )
}
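Review bot: The merge() on the new `value` lets a regional PSC address silently replace a global one whenever both carry the same `name`, because the second map wins on duplicate keys and nothing in the output reveals that a resource was dropped. If both resource sets can be keyed from the same user-supplied names, a validation on the input variable or distinct key prefixes would make the collision visible; if a collision is impossible by construction, a comment saying so would spare the next reader the same check, e.g. `# keyed by address name; global and regional PSC addresses are assumed never to share one`. The description on the line above could also state that the map now spans both scopes, e.g. `description = "Allocated internal addresses for PSC endpoints (global and regional)."`. The resources read here are defined outside this hunk, so I cannot confirm from the diff whether the key sets overlap.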
diff --git a/modules/net-lb-proxy-int/README.md b/modules/net-lb-proxy-int/README.md
index 0e03635371..b11e6cbf87 100644
--- a/modules/net-lb-proxy-int/README.md
+++ b/modules/net-lb-proxy-int/README.md
@@ -15,6 +15,7 @@ Due to the complexity of the underlying resources, changes to the configuration
- [Zonal NEG creation](#zonal-neg-creation)
- [Hybrid NEG creation](#hybrid-neg-creation)
- [Private Service Connect NEG creation](#private-service-connect-neg-creation)
+ - [Internet NEG creation](#internet-neg-creation)
- [Files](#files)
- [Variables](#variables)
- [Outputs](#outputs)
@@ -271,6 +272,47 @@ module "int-tcp-proxy" {
# tftest modules=1 resources=5
```
+#### Internet NEG creation
+
+This example shows how to create and manage internet NEGs:
+
+```hcl
+module "ilb-l7" {
+ source = "./fabric/modules/net-lb-proxy-int"
+ project_id = var.project_id
+ name = "ilb-test"
+ region = var.region
+ backend_service_config = {
+ backends = [
+ { group = "neg-0" }
+ ]
+ # with a single internet NEG the implied default health check is optional
+ health_checks = []
+ }
+ port = 80
+ neg_configs = {
+ neg-0 = {
+ internet = {
+ region = var.region
+ use_fqdn = true
+ endpoints = {
+ e-0 = {
+ destination = "www.example.org"
+ port = 80
+ }
+ }
+ }
+ }
+ }
+ vpc_config = {
+ network = var.vpc.self_link
+ subnetwork = var.subnet.self_link
+ }
+}
+# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e
+```
+
+
## Files
@@ -280,7 +322,7 @@ module "int-tcp-proxy" {
| [backend-service.tf](./backend-service.tf) | Backend service resources. | google_compute_region_backend_service
|
| [groups.tf](./groups.tf) | None | google_compute_instance_group
|
| [health-check.tf](./health-check.tf) | Health check resource. | google_compute_region_health_check
|
-| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule
· google_compute_network_endpoint
· google_compute_network_endpoint_group
· google_compute_region_network_endpoint_group
· google_compute_region_target_tcp_proxy
|
+| [main.tf](./main.tf) | Module-level locals and resources. | google_compute_forwarding_rule
· google_compute_network_endpoint
· google_compute_network_endpoint_group
· google_compute_region_network_endpoint
· google_compute_region_network_endpoint_group
· google_compute_region_target_tcp_proxy
· google_compute_service_attachment
|
| [outputs.tf](./outputs.tf) | Module outputs. | |
| [variables.tf](./variables.tf) | Module variables. | |
| [versions.tf](./versions.tf) | Version pins. | |
@@ -290,9 +332,9 @@ module "int-tcp-proxy" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L198) | Load balancer name. | string
| ✓ | |
-| [project_id](variables.tf#L256) | Project id. | string
| ✓ | |
-| [region](variables.tf#L261) | The region where to allocate the ILB resources. | string
| ✓ | |
-| [vpc_config](variables.tf#L266) | VPC-level configuration. | object({…})
| ✓ | |
+| [project_id](variables.tf#L267) | Project id. | string
| ✓ | |
+| [region](variables.tf#L272) | The region where to allocate the ILB resources. | string
| ✓ | |
+| [vpc_config](variables.tf#L292) | VPC-level configuration. | object({…})
| ✓ | |
| [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | string
| | null
|
| [backend_service_config](variables.tf#L23) | Backend service level configuration. | object({…})
| | {}
|
| [description](variables.tf#L75) | Optional description used for resources. | string
| | "Terraform managed."
|
@@ -301,22 +343,25 @@ module "int-tcp-proxy" {
| [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | string
| | null
|
| [health_check_config](variables.tf#L106) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | object({…})
| | {…}
|
| [labels](variables.tf#L192) | Labels set on resources. | map(string)
| | {}
|
-| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
-| [port](variables.tf#L250) | Port. | number
| | 80
|
+| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | map(object({…}))
| | {}
|
+| [port](variables.tf#L261) | Port. | number
| | 80
|
+| [service_attachment](variables.tf#L277) | PSC service attachment. | object({…})
| | null
|
## Outputs
| name | description | sensitive |
|---|---|:---:|
-| [backend_service](outputs.tf#L17) | Backend resource. | |
-| [backend_service_id](outputs.tf#L22) | Backend id. | |
-| [backend_service_self_link](outputs.tf#L27) | Backend self link. | |
-| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. | |
-| [group_self_links](outputs.tf#L37) | Optional unmanaged instance group self links. | |
-| [groups](outputs.tf#L44) | Optional unmanaged instance group resources. | |
-| [health_check](outputs.tf#L49) | Auto-created health-check resource. | |
-| [health_check_id](outputs.tf#L54) | Auto-created health-check id. | |
-| [health_check_self_link](outputs.tf#L59) | Auto-created health-check self link. | |
-| [id](outputs.tf#L64) | Fully qualified forwarding rule id. | |
-| [neg_ids](outputs.tf#L69) | Autogenerated network endpoint group ids. | |
+| [address](outputs.tf#L17) | Forwarding rule address. | |
+| [backend_service](outputs.tf#L22) | Backend resource. | |
+| [backend_service_id](outputs.tf#L27) | Backend id. | |
+| [backend_service_self_link](outputs.tf#L32) | Backend self link. | |
+| [forwarding_rule](outputs.tf#L37) | Forwarding rule resource. | |
+| [group_self_links](outputs.tf#L42) | Optional unmanaged instance group self links. | |
+| [groups](outputs.tf#L49) | Optional unmanaged instance group resources. | |
+| [health_check](outputs.tf#L54) | Auto-created health-check resource. | |
+| [health_check_id](outputs.tf#L59) | Auto-created health-check id. | |
+| [health_check_self_link](outputs.tf#L64) | Auto-created health-check self link. | |
+| [id](outputs.tf#L69) | Fully qualified forwarding rule id. | |
+| [neg_ids](outputs.tf#L74) | Autogenerated network endpoint group ids. | |
+| [service_attachment_id](outputs.tf#L81) | Id of the service attachment. | |
diff --git a/modules/net-lb-proxy-int/backend-service.tf b/modules/net-lb-proxy-int/backend-service.tf
index 7e7af78e17..e6aa07a28d 100644
--- a/modules/net-lb-proxy-int/backend-service.tf
+++ b/modules/net-lb-proxy-int/backend-service.tf
@@ -26,7 +26,11 @@ locals {
},
{
for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
+ },
+ {
+ for k, v in google_compute_region_network_endpoint_group.internet : k => v.id
}
+
)
}
diff --git a/modules/net-lb-proxy-int/main.tf b/modules/net-lb-proxy-int/main.tf
index 6f123f8443..404b4f4bc2 100644
--- a/modules/net-lb-proxy-int/main.tf
+++ b/modules/net-lb-proxy-int/main.tf
@@ -122,3 +122,81 @@ resource "google_compute_region_network_endpoint_group" "psc" {
network = each.value.psc.network
subnetwork = each.value.psc.subnetwork
}
+
+# Internet NEG
+locals {
+ _neg_endpoints_internet = flatten([
+ for k, v in local.neg_internet : [
+ for kk, vv in v.internet.endpoints : merge(vv, {
+ key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
+ })
+ ]
+ ])
+ neg_endpoints_internet = {
+ for v in local._neg_endpoints_internet : (v.key) => v
+ }
+ neg_internet = {
+ for k, v in var.neg_configs :
+ k => v if v.internet != null
+ }
+}
+
+resource "google_compute_region_network_endpoint_group" "internet" {
+ for_each = local.neg_internet
+ project = var.project_id
+ name = "${var.name}-${each.key}"
+ region = each.value.internet.region
+ # re-enable once provider properly supports this
+ # default_port = each.value.default_port
+ # description = coalesce(each.value.description, var.description)
+ network_endpoint_type = (
+ each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
+ )
+ network = var.vpc_config.network
+}
+
+resource "google_compute_region_network_endpoint" "internet" {
+ for_each = local.neg_endpoints_internet
+ project = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].project
+ )
+ region = each.value.region
+ region_network_endpoint_group = (
+ google_compute_region_network_endpoint_group.internet[each.value.neg].name
+ )
+ fqdn = each.value.use_fqdn ? each.value.destination : null
+ ip_address = each.value.use_fqdn ? null : each.value.destination
+ port = each.value.port
+}
+
+# PSC Procuder Service attachments
+resource "google_compute_service_attachment" "default" {
+ count = var.service_attachment == null ? 0 : 1
+ project = var.project_id
+ region = var.region
+ name = var.name
+ description = var.description
+ target_service = google_compute_forwarding_rule.default.id
+ nat_subnets = var.service_attachment.nat_subnets
+ connection_preference = (
+ var.service_attachment.automatic_connection
+ ? "ACCEPT_AUTOMATIC"
+ : "ACCEPT_MANUAL"
+ )
+ consumer_reject_lists = var.service_attachment.consumer_reject_lists
+ domain_names = (
+ var.service_attachment.domain_name == null
+ ? null
+ : [var.service_attachment.domain_name]
+ )
+ enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
+ reconcile_connections = var.service_attachment.reconcile_connections
+ dynamic "consumer_accept_lists" {
+ for_each = var.service_attachment.consumer_accept_lists
+ iterator = accept
+ content {
+ project_id_or_num = accept.key
+ connection_limit = accept.value
+ }
+ }
+}
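Review bot: `for kk, vv in v.internet.endpoints` in `_neg_endpoints_internet` will fail with an iteration-over-null error when a caller declares an internet NEG without `endpoints`, since the variable in the variables.tf hunk declares `endpoints = optional(map(object({...})))` with no default; either give the attribute a `{}` default there or guard the loop here with `for kk, vv in coalesce(v.internet.endpoints, {}) : ...`. Separately, `google_compute_service_attachment.default` sets `description = var.description` while the `service_attachment` variable also declares its own `description` field that is never read; `description = coalesce(var.service_attachment.description, var.description)` would honour it. The comment on the service attachment also misspells "Producer" (`# PSC Producer service attachments`). The `connection_preference` expression correctly defaults to `ACCEPT_MANUAL` when `automatic_connection` is false, which is the safer posture for a producer-side attachment; a one-line comment stating that intent next to it would help readers who only see this file.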
diff --git a/modules/net-lb-proxy-int/outputs.tf b/modules/net-lb-proxy-int/outputs.tf
index 101c6af141..7f37aa7e66 100644
--- a/modules/net-lb-proxy-int/outputs.tf
+++ b/modules/net-lb-proxy-int/outputs.tf
@@ -14,6 +14,11 @@
* limitations under the License.
*/
+output "address" {
+ description = "Forwarding rule address."
+ value = google_compute_forwarding_rule.default.ip_address
+}
+
output "backend_service" {
description = "Backend resource."
value = google_compute_region_backend_service.default
@@ -72,3 +77,10 @@ output "neg_ids" {
for k, v in google_compute_network_endpoint_group.default : k => v.id
}
}
+
+output "service_attachment_id" {
+ description = "Id of the service attachment."
+ value = try(
+ google_compute_service_attachment.default[0].id, null
+ )
+}
diff --git a/modules/net-lb-proxy-int/variables.tf b/modules/net-lb-proxy-int/variables.tf
index cd1a6e81db..119265d241 100644
--- a/modules/net-lb-proxy-int/variables.tf
+++ b/modules/net-lb-proxy-int/variables.tf
@@ -226,6 +226,16 @@ variable "neg_configs" {
port = number
})))
}))
+ internet = optional(object({
+ region = string
+ use_fqdn = optional(bool, true)
+ # re-enable once provider properly support this
+ # default_port = optional(number)
+ endpoints = optional(map(object({
+ destination = string
+ port = number
+ })))
+ }))
psc = optional(object({
region = string
target_service = string
@@ -240,6 +250,7 @@ variable "neg_configs" {
for k, v in var.neg_configs : (
(try(v.gce, null) == null ? 0 : 1) +
(try(v.hybrid, null) == null ? 0 : 1) +
+ (try(v.internet, null) == null ? 0 : 1) +
(try(v.psc, null) == null ? 0 : 1) == 1
)
])
@@ -263,6 +274,21 @@ variable "region" {
type = string
}
+variable "service_attachment" {
+ description = "PSC service attachment."
+ type = object({
+ nat_subnets = list(string)
+ automatic_connection = optional(bool, false)
+ consumer_accept_lists = optional(map(string), {}) # map of `project_id` => `connection_limit`
+ consumer_reject_lists = optional(list(string))
+ description = optional(string)
+ domain_name = optional(string)
+ enable_proxy_protocol = optional(bool, false)
+ reconcile_connections = optional(bool)
+ })
+ default = null
+}
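Review bot: The description `"PSC service attachment."` does not tell callers that, with the defaults declared here, the attachment is created in manual-acceptance mode and will admit no consumer until `consumer_accept_lists` is populated or `automatic_connection` is set; a reader who only sees the README variables table will not learn this. I would expand it to something like `description = "PSC service attachment. Connections are accepted manually via consumer_accept_lists unless automatic_connection is true."`. The inline comment on `consumer_accept_lists` documents the key/value meaning well; `consumer_reject_lists` and `domain_name` would benefit from the same treatment, e.g. `# list of consumer project ids to reject` and `# single DNS domain name published for the attachment`, as far as their use in main.tf shows.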
+
variable "vpc_config" {
description = "VPC-level configuration."
type = object({
diff --git a/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml b/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
new file mode 100644
index 0000000000..ed08342630
--- /dev/null
+++ b/tests/modules/net_lb_proxy_int/examples/internet-neg.yaml
@@ -0,0 +1,69 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+values:
+ module.ilb-l7.google_compute_forwarding_rule.default:
+ description: Terraform managed.
+ ip_protocol: TCP
+ load_balancing_scheme: INTERNAL_MANAGED
+ name: ilb-test
+ network: projects/xxx/global/networks/aaa
+ port_range: '80'
+ project: project-id
+ region: europe-west8
+ subnetwork: subnet_self_link
+ module.ilb-l7.google_compute_region_backend_service.default:
+ backend:
+ - balancing_mode: UTILIZATION
+ capacity_scaler: 1
+ description: Terraform managed.
+ description: Terraform managed.
+ load_balancing_scheme: INTERNAL_MANAGED
+ name: ilb-test
+ project: project-id
+ protocol: TCP
+ region: europe-west8
+ session_affinity: NONE
+ module.ilb-l7.google_compute_region_network_endpoint.internet["neg-0-e-0"]:
+ fqdn: www.example.org
+ ip_address: null
+ port: 80
+ project: project-id
+ region: europe-west8
+ region_network_endpoint_group: ilb-test-neg-0
+ module.ilb-l7.google_compute_region_network_endpoint_group.internet["neg-0"]:
+ name: ilb-test-neg-0
+ network: projects/xxx/global/networks/aaa
+ network_endpoint_type: INTERNET_FQDN_PORT
+ project: project-id
+ region: europe-west8
+ subnetwork: null
+ module.ilb-l7.google_compute_region_target_tcp_proxy.default:
+ description: Terraform managed.
+ name: ilb-test
+ project: project-id
+ proxy_header: NONE
+ region: europe-west8
+ timeouts: null
+
+counts:
+ google_compute_forwarding_rule: 1
+ google_compute_region_backend_service: 1
+ google_compute_region_health_check: 1
+ google_compute_region_network_endpoint: 1
+ google_compute_region_network_endpoint_group: 1
+ google_compute_region_target_tcp_proxy: 1
+ modules: 1
+ resources: 6