Internet NEG for internal proxy LB

modules/net-address/outputs.tf

@@ -64,8 +64,14 @@ output "psa_addresses" {
 
 output "psc_addresses" {
   description = "Allocated internal addresses for PSC endpoints."
-  value = {
-    for address in google_compute_global_address.psc :
-    address.name => address
-  }
+  value = merge(
+    {
+      for address in google_compute_global_address.psc :
+      address.name => address
+    },
+    {
+      for address in google_compute_address.psc :
+      address.name => address
+    }
+  )
 }

modules/net-lb-proxy-int/README.md

@@ -15,6 +15,7 @@ Due to the complexity of the underlying resources, changes to the configuration
     - [Zonal NEG creation](#zonal-neg-creation)
     - [Hybrid NEG creation](#hybrid-neg-creation)
     - [Private Service Connect NEG creation](#private-service-connect-neg-creation)
+    - [Internet NEG creation](#internet-neg-creation)
 - [Files](#files)
 - [Variables](#variables)
 - [Outputs](#outputs)
@@ -271,6 +272,47 @@ module "int-tcp-proxy" {
 # tftest modules=1 resources=5
 ```
 
+#### Internet NEG creation
+
+This example shows how to create and manage internet NEGs:
+
+```hcl
+module "ilb-l7" {
+  source     = "./fabric/modules/net-lb-proxy-int"
+  project_id = var.project_id
+  name       = "ilb-test"
+  region     = var.region
+  backend_service_config = {
+    backends = [
+      { group = "neg-0" }
+    ]
+    # with a single internet NEG the implied default health check is optional
+    health_checks = []
+  }
+  port = 80
+  neg_configs = {
+    neg-0 = {
+      internet = {
+        region   = var.region
+        use_fqdn = true
+        endpoints = {
+          e-0 = {
+            destination = "www.example.org"
+            port        = 80
+          }
+        }
+      }
+    }
+  }
+  vpc_config = {
+    network    = var.vpc.self_link
+    subnetwork = var.subnet.self_link
+  }
+}
+# tftest modules=1 resources=6 inventory=internet-neg.yaml e2e
+```
+
+
 <!-- TFDOC OPTS files:1 -->
 <!-- BEGIN TFDOC -->
 ## Files
@@ -280,7 +322,7 @@ module "int-tcp-proxy" {
 | [backend-service.tf](./backend-service.tf) | Backend service resources. | <code>google_compute_region_backend_service</code> |
 | [groups.tf](./groups.tf) | None | <code>google_compute_instance_group</code> |
 | [health-check.tf](./health-check.tf) | Health check resource. | <code>google_compute_region_health_check</code> |
-| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> |
+| [main.tf](./main.tf) | Module-level locals and resources. | <code>google_compute_forwarding_rule</code> · <code>google_compute_network_endpoint</code> · <code>google_compute_network_endpoint_group</code> · <code>google_compute_region_network_endpoint</code> · <code>google_compute_region_network_endpoint_group</code> · <code>google_compute_region_target_tcp_proxy</code> · <code>google_compute_service_attachment</code> |
 | [outputs.tf](./outputs.tf) | Module outputs. |  |
 | [variables.tf](./variables.tf) | Module variables. |  |
 | [versions.tf](./versions.tf) | Version pins. |  |
@@ -290,9 +332,9 @@ module "int-tcp-proxy" {
 | name | description | type | required | default |
 |---|---|:---:|:---:|:---:|
 | [name](variables.tf#L198) | Load balancer name. | <code>string</code> | ✓ |  |
-| [project_id](variables.tf#L256) | Project id. | <code>string</code> | ✓ |  |
-| [region](variables.tf#L261) | The region where to allocate the ILB resources. | <code>string</code> | ✓ |  |
-| [vpc_config](variables.tf#L266) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network    &#61; string&#10;  subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
+| [project_id](variables.tf#L267) | Project id. | <code>string</code> | ✓ |  |
+| [region](variables.tf#L272) | The region where to allocate the ILB resources. | <code>string</code> | ✓ |  |
+| [vpc_config](variables.tf#L292) | VPC-level configuration. | <code title="object&#40;&#123;&#10;  network    &#61; string&#10;  subnetwork &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ |  |
 | [address](variables.tf#L17) | Optional IP address used for the forwarding rule. | <code>string</code> |  | <code>null</code> |
 | [backend_service_config](variables.tf#L23) | Backend service level configuration. | <code title="object&#40;&#123;&#10;  affinity_cookie_ttl_sec         &#61; optional&#40;number&#41;&#10;  connection_draining_timeout_sec &#61; optional&#40;number&#41;&#10;  health_checks                   &#61; optional&#40;list&#40;string&#41;, &#91;&#34;default&#34;&#93;&#41;&#10;  log_sample_rate                 &#61; optional&#40;number&#41;&#10;  port_name                       &#61; optional&#40;string&#41;&#10;  project_id                      &#61; optional&#40;string&#41;&#10;  session_affinity                &#61; optional&#40;string, &#34;NONE&#34;&#41;&#10;  timeout_sec                     &#61; optional&#40;number&#41;&#10;  backends &#61; optional&#40;list&#40;object&#40;&#123;&#10;    group           &#61; string&#10;    balancing_mode  &#61; optional&#40;string, &#34;UTILIZATION&#34;&#41;&#10;    capacity_scaler &#61; optional&#40;number, 1&#41;&#10;    description     &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;    failover        &#61; optional&#40;bool, false&#41;&#10;    max_connections &#61; optional&#40;object&#40;&#123;&#10;      per_endpoint &#61; optional&#40;number&#41;&#10;      per_group    &#61; optional&#40;number&#41;&#10;      per_instance &#61; optional&#40;number&#41;&#10;    &#125;&#41;&#41;&#10;    max_utilization &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#41;&#10;  connection_tracking &#61; optional&#40;object&#40;&#123;&#10;    idle_timeout_sec          &#61; optional&#40;number&#41;&#10;    persist_conn_on_unhealthy &#61; optional&#40;string&#41;&#10;    track_per_session         &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  failover_config &#61; optional&#40;object&#40;&#123;&#10;    disable_conn_drain        &#61; optional&#40;bool&#41;&#10;    drop_traffic_if_unhealthy &#61; optional&#40;bool&#41;&#10;    ratio                     &#61; optional&#40;number&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [description](variables.tf#L75) | Optional description used for resources. | <code>string</code> |  | <code>&#34;Terraform managed.&#34;</code> |
@@ -301,22 +343,25 @@ module "int-tcp-proxy" {
 | [health_check](variables.tf#L100) | Name of existing health check to use, disables auto-created health check. | <code>string</code> |  | <code>null</code> |
 | [health_check_config](variables.tf#L106) | Optional auto-created health check configurations, use the output self-link to set it in the auto healing policy. Refer to examples for usage. | <code title="object&#40;&#123;&#10;  check_interval_sec  &#61; optional&#40;number&#41;&#10;  description         &#61; optional&#40;string, &#34;Terraform managed.&#34;&#41;&#10;  enable_logging      &#61; optional&#40;bool, false&#41;&#10;  healthy_threshold   &#61; optional&#40;number&#41;&#10;  project_id          &#61; optional&#40;string&#41;&#10;  timeout_sec         &#61; optional&#40;number&#41;&#10;  unhealthy_threshold &#61; optional&#40;number&#41;&#10;  grpc &#61; optional&#40;object&#40;&#123;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    service_name       &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  http &#61; optional&#40;object&#40;&#123;&#10;    host               &#61; optional&#40;string&#41;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    proxy_header       &#61; optional&#40;string&#41;&#10;    request_path       &#61; optional&#40;string&#41;&#10;    response           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  http2 &#61; optional&#40;object&#40;&#123;&#10;    host               &#61; optional&#40;string&#41;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    proxy_header       &#61; optional&#40;string&#41;&#10;    request_path       &#61; optional&#40;string&#41;&#10;    response           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  https &#61; optional&#40;object&#40;&#123;&#10;    host               &#61; optional&#40;string&#41;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    proxy_header       &#61; optional&#40;string&#41;&#10;    request_path       &#61; optional&#40;string&#41;&#10;    response           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  tcp &#61; optional&#40;object&#40;&#123;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    proxy_header       &#61; optional&#40;string&#41;&#10;    request            &#61; optional&#40;string&#41;&#10;    response           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;  ssl &#61; optional&#40;object&#40;&#123;&#10;    port               &#61; optional&#40;number&#41;&#10;    port_name          &#61; optional&#40;string&#41;&#10;    port_specification &#61; optional&#40;string&#41; &#35; USE_FIXED_PORT USE_NAMED_PORT USE_SERVING_PORT&#10;    proxy_header       &#61; optional&#40;string&#41;&#10;    request            &#61; optional&#40;string&#41;&#10;    response           &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code title="&#123;&#10;  tcp &#61; &#123;&#10;    port_specification &#61; &#34;USE_SERVING_PORT&#34;&#10;  &#125;&#10;&#125;">&#123;&#8230;&#125;</code> |
 | [labels](variables.tf#L192) | Labels set on resources. | <code>map&#40;string&#41;</code> |  | <code>&#123;&#125;</code> |
-| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map&#40;object&#40;&#123;&#10;  project_id &#61; optional&#40;string&#41;&#10;  gce &#61; optional&#40;object&#40;&#123;&#10;    zone &#61; string&#10;    network    &#61; optional&#40;string&#41;&#10;    subnetwork &#61; optional&#40;string&#41;&#10;    endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10;      instance   &#61; string&#10;      ip_address &#61; string&#10;      port       &#61; number&#10;    &#125;&#41;&#41;&#41;&#10;&#10;&#10;  &#125;&#41;&#41;&#10;  hybrid &#61; optional&#40;object&#40;&#123;&#10;    zone    &#61; string&#10;    network &#61; optional&#40;string&#41;&#10;    endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10;      ip_address &#61; string&#10;      port       &#61; number&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  psc &#61; optional&#40;object&#40;&#123;&#10;    region         &#61; string&#10;    target_service &#61; string&#10;    network        &#61; optional&#40;string&#41;&#10;    subnetwork     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [port](variables.tf#L250) | Port. | <code>number</code> |  | <code>80</code> |
+| [neg_configs](variables.tf#L203) | Optional network endpoint groups to create. Can be referenced in backends via key or outputs. | <code title="map&#40;object&#40;&#123;&#10;  project_id &#61; optional&#40;string&#41;&#10;  gce &#61; optional&#40;object&#40;&#123;&#10;    zone &#61; string&#10;    network    &#61; optional&#40;string&#41;&#10;    subnetwork &#61; optional&#40;string&#41;&#10;    endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10;      instance   &#61; string&#10;      ip_address &#61; string&#10;      port       &#61; number&#10;    &#125;&#41;&#41;&#41;&#10;&#10;&#10;  &#125;&#41;&#41;&#10;  hybrid &#61; optional&#40;object&#40;&#123;&#10;    zone    &#61; string&#10;    network &#61; optional&#40;string&#41;&#10;    endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10;      ip_address &#61; string&#10;      port       &#61; number&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  internet &#61; optional&#40;object&#40;&#123;&#10;    region   &#61; string&#10;    use_fqdn &#61; optional&#40;bool, true&#41;&#10;    endpoints &#61; optional&#40;map&#40;object&#40;&#123;&#10;      destination &#61; string&#10;      port        &#61; number&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#41;&#10;  psc &#61; optional&#40;object&#40;&#123;&#10;    region         &#61; string&#10;    target_service &#61; string&#10;    network        &#61; optional&#40;string&#41;&#10;    subnetwork     &#61; optional&#40;string&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
+| [port](variables.tf#L261) | Port. | <code>number</code> |  | <code>80</code> |
+| [service_attachment](variables.tf#L277) | PSC service attachment. | <code title="object&#40;&#123;&#10;  nat_subnets           &#61; list&#40;string&#41;&#10;  automatic_connection  &#61; optional&#40;bool, false&#41;&#10;  consumer_accept_lists &#61; optional&#40;map&#40;string&#41;, &#123;&#125;&#41; &#35; map of &#96;project_id&#96; &#61;&#62; &#96;connection_limit&#96;&#10;  consumer_reject_lists &#61; optional&#40;list&#40;string&#41;&#41;&#10;  description           &#61; optional&#40;string&#41;&#10;  domain_name           &#61; optional&#40;string&#41;&#10;  enable_proxy_protocol &#61; optional&#40;bool, false&#41;&#10;  reconcile_connections &#61; optional&#40;bool&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 
 ## Outputs
 
 | name | description | sensitive |
 |---|---|:---:|
-| [backend_service](outputs.tf#L17) | Backend resource. |  |
-| [backend_service_id](outputs.tf#L22) | Backend id. |  |
-| [backend_service_self_link](outputs.tf#L27) | Backend self link. |  |
-| [forwarding_rule](outputs.tf#L32) | Forwarding rule resource. |  |
-| [group_self_links](outputs.tf#L37) | Optional unmanaged instance group self links. |  |
-| [groups](outputs.tf#L44) | Optional unmanaged instance group resources. |  |
-| [health_check](outputs.tf#L49) | Auto-created health-check resource. |  |
-| [health_check_id](outputs.tf#L54) | Auto-created health-check id. |  |
-| [health_check_self_link](outputs.tf#L59) | Auto-created health-check self link. |  |
-| [id](outputs.tf#L64) | Fully qualified forwarding rule id. |  |
-| [neg_ids](outputs.tf#L69) | Autogenerated network endpoint group ids. |  |
+| [address](outputs.tf#L17) | Forwarding rule address. |  |
+| [backend_service](outputs.tf#L22) | Backend resource. |  |
+| [backend_service_id](outputs.tf#L27) | Backend id. |  |
+| [backend_service_self_link](outputs.tf#L32) | Backend self link. |  |
+| [forwarding_rule](outputs.tf#L37) | Forwarding rule resource. |  |
+| [group_self_links](outputs.tf#L42) | Optional unmanaged instance group self links. |  |
+| [groups](outputs.tf#L49) | Optional unmanaged instance group resources. |  |
+| [health_check](outputs.tf#L54) | Auto-created health-check resource. |  |
+| [health_check_id](outputs.tf#L59) | Auto-created health-check id. |  |
+| [health_check_self_link](outputs.tf#L64) | Auto-created health-check self link. |  |
+| [id](outputs.tf#L69) | Fully qualified forwarding rule id. |  |
+| [neg_ids](outputs.tf#L74) | Autogenerated network endpoint group ids. |  |
+| [service_attachment_id](outputs.tf#L81) | Id of the service attachment. |  |
 <!-- END TFDOC -->

modules/net-lb-proxy-int/backend-service.tf

@@ -26,7 +26,11 @@ locals {
     },
     {
       for k, v in google_compute_region_network_endpoint_group.psc : k => v.id
+    },
+    {
+      for k, v in google_compute_region_network_endpoint_group.internet : k => v.id
     }
+
   )
 }
 

modules/net-lb-proxy-int/main.tf

@@ -122,3 +122,81 @@ resource "google_compute_region_network_endpoint_group" "psc" {
   network               = each.value.psc.network
   subnetwork            = each.value.psc.subnetwork
 }
+
+# Internet NEG
+locals {
+  _neg_endpoints_internet = flatten([
+    for k, v in local.neg_internet : [
+      for kk, vv in v.internet.endpoints : merge(vv, {
+        key = "${k}-${kk}", neg = k, region = v.internet.region, use_fqdn = v.internet.use_fqdn
+      })
+    ]
+  ])
+  neg_endpoints_internet = {
+    for v in local._neg_endpoints_internet : (v.key) => v
+  }
+  neg_internet = {
+    for k, v in var.neg_configs :
+    k => v if v.internet != null
+  }
+}
+
+resource "google_compute_region_network_endpoint_group" "internet" {
+  for_each = local.neg_internet
+  project  = var.project_id
+  name     = "${var.name}-${each.key}"
+  region   = each.value.internet.region
+  # re-enable once provider properly supports this
+  # default_port = each.value.default_port
+  # description = coalesce(each.value.description, var.description)
+  network_endpoint_type = (
+    each.value.internet.use_fqdn ? "INTERNET_FQDN_PORT" : "INTERNET_IP_PORT"
+  )
+  network = var.vpc_config.network
+}
+
+resource "google_compute_region_network_endpoint" "internet" {
+  for_each = local.neg_endpoints_internet
+  project = (
+    google_compute_region_network_endpoint_group.internet[each.value.neg].project
+  )
+  region = each.value.region
+  region_network_endpoint_group = (
+    google_compute_region_network_endpoint_group.internet[each.value.neg].name
+  )
+  fqdn       = each.value.use_fqdn ? each.value.destination : null
+  ip_address = each.value.use_fqdn ? null : each.value.destination
+  port       = each.value.port
+}
+
+# PSC Procuder Service attachments
+resource "google_compute_service_attachment" "default" {
+  count          = var.service_attachment == null ? 0 : 1
+  project        = var.project_id
+  region         = var.region
+  name           = var.name
+  description    = var.description
+  target_service = google_compute_forwarding_rule.default.id
+  nat_subnets    = var.service_attachment.nat_subnets
+  connection_preference = (
+    var.service_attachment.automatic_connection
+    ? "ACCEPT_AUTOMATIC"
+    : "ACCEPT_MANUAL"
+  )
+  consumer_reject_lists = var.service_attachment.consumer_reject_lists
+  domain_names = (
+    var.service_attachment.domain_name == null
+    ? null
+    : [var.service_attachment.domain_name]
+  )
+  enable_proxy_protocol = var.service_attachment.enable_proxy_protocol
+  reconcile_connections = var.service_attachment.reconcile_connections
+  dynamic "consumer_accept_lists" {
+    for_each = var.service_attachment.consumer_accept_lists
+    iterator = accept
+    content {
+      project_id_or_num = accept.key
+      connection_limit  = accept.value
+    }
+  }
+}

modules/net-lb-proxy-int/outputs.tf

@@ -14,6 +14,11 @@
  * limitations under the License.
  */
 
+output "address" {
+  description = "Forwarding rule address."
+  value       = google_compute_forwarding_rule.default.ip_address
+}
+
 output "backend_service" {
   description = "Backend resource."
   value       = google_compute_region_backend_service.default
@@ -72,3 +77,10 @@ output "neg_ids" {
     for k, v in google_compute_network_endpoint_group.default : k => v.id
   }
 }
+
+output "service_attachment_id" {
+  description = "Id of the service attachment."
+  value = try(
+    google_compute_service_attachment.default[0].id, null
+  )
+}