feat: Added IAP Principals terraform resource for backend-service (#533)

Author: bryan0515

build/int.cloudbuild.yaml

@@ -158,6 +158,27 @@ steps:
     - verify internal-lb-http gce-mig
   name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
   args: ['/bin/bash', '-c', 'cft test run TestInternalLbGCEMIG --stage teardown --verbose']
+  # Backend Service with IAP Enabled
+- id: init backend-with-iap
+  waitFor:
+    - teardown internal-lb-http gce-mig
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage init --verbose']
+- id: apply backend-with-iap
+  waitFor:
+    - init backend-with-iap
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage apply --verbose']
+- id: verify backend-with-iap
+  waitFor:
+    - apply backend-with-iap
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage verify --verbose']
+- id: teardown backend-with-iap
+  waitFor:
+    - verify backend-with-iap
+  name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS'
+  args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage teardown --verbose']
 tags:
 - 'ci'
 - 'integration'

examples/backend-with-iap/main.tf

@@ -0,0 +1,36 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "lb-backend-iap" {
+  source  = "terraform-google-modules/lb-http/google//modules/backend"
+  version = "~> 12.0"
+
+  project_id = var.project_id
+  name       = "backend-with-iap"
+  iap_config = {
+    enable      = true
+    iap_members = ["user:[email protected]"]
+  }
+}
+
+module "lb-frontend" {
+  source  = "terraform-google-modules/lb-http/google//modules/frontend"
+  version = "~> 12.0"
+
+  project_id    = var.project_id
+  name          = "global-lb-fe-bucket"
+  url_map_input = module.lb-backend-iap.backend_service_info
+}

examples/backend-with-iap/outputs.tf

@@ -0,0 +1,21 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+output "project_id" {
+  value       = var.project_id
+  description = "Project ID of the service"
+}

examples/backend-with-iap/variables.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type = string
+}

examples/lb-http-separate-frontend-and-backend/main.tf

@@ -68,8 +68,9 @@ module "cloud-nat-group2" {
 }
 
 module "lb-http-backend" {
-  source     = "terraform-google-modules/lb-http/google//modules/backend"
-  version    = "~> 12.0"
+  source  = "terraform-google-modules/lb-http/google//modules/backend"
+  version = "~> 12.0"
+
   project_id = var.project_id
   name       = "backend-lb"
   target_tags = [

metadata.display.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

metadata.yaml

@@ -40,6 +40,8 @@ spec:
       - name: serverless_negs
         location: modules/serverless_negs
     examples:
+      - name: backend-with-iap
+        location: examples/backend-with-iap
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -336,13 +338,13 @@ spec:
     roles:
       - level: Project
         roles:
-          - roles/run.admin
           - roles/iam.serviceAccountUser
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
           - roles/storage.admin
           - roles/compute.admin
+          - roles/run.admin
     services:
       - certificatemanager.googleapis.com
       - cloudresourcemanager.googleapis.com

modules/backend/README.md

@@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | groups | The list of backend instance group which serves the traffic. | <pre>list(object({<br>    group       = string<br>    description = optional(string)<br><br>    balancing_mode               = optional(string)<br>    capacity_scaler              = optional(number)<br>    max_connections              = optional(number)<br>    max_connections_per_instance = optional(number)<br>    max_connections_per_endpoint = optional(number)<br>    max_rate                     = optional(number)<br>    max_rate_per_instance        = optional(number)<br>    max_rate_per_endpoint        = optional(number)<br>    max_utilization              = optional(number)<br>  }))</pre> | `[]` | no |
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
-| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
+| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>    iap_members          = optional(list(string))<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
 | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no |
 | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. | <pre>object({<br>    enable      = bool<br>    sample_rate = number<br>  })</pre> | <pre>{<br>  "enable": true,<br>  "sample_rate": 1<br>}</pre> | no |

modules/backend/main.tf

@@ -17,6 +17,7 @@
 locals {
   is_backend_bucket       = var.backend_bucket_name != null && var.backend_bucket_name != ""
   serverless_neg_backends = local.is_backend_bucket ? [] : var.serverless_neg_backends
+  iap_access_members      = var.iap_config.enable ? coalesce(var.iap_config.iap_members, []) : []
 }
 
 resource "google_compute_backend_service" "default" {
@@ -365,3 +366,12 @@ resource "google_compute_backend_bucket" "default" {
     }
   }
 }
+
+resource "google_iap_web_backend_service_iam_member" "member" {
+  for_each            = toset(local.iap_access_members)
+  project             = google_compute_backend_service.default[0].project
+  web_backend_service = google_compute_backend_service.default[0].name
+  role                = "roles/iap.httpsResourceAccessor"
+  member              = each.value
+}
+

modules/backend/metadata.display.yaml

@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -31,6 +31,9 @@ spec:
         affinity_cookie_ttl_sec:
           name: affinity_cookie_ttl_sec
           title: Affinity Cookie Ttl Sec
+        backend_bucket_name:
+          name: backend_bucket_name
+          title: Backend Bucket Name
         cdn_policy:
           name: cdn_policy
           title: Cdn Policy
@@ -66,6 +69,9 @@ spec:
         firewall_projects:
           name: firewall_projects
           title: Firewall Projects
+        firewall_source_ranges:
+          name: firewall_source_ranges
+          title: Firewall Source Ranges
         groups:
           name: groups
           title: Groups
@@ -79,6 +85,12 @@ spec:
         iap_config:
           name: iap_config
           title: Iap Config
+          properties:
+            iap_members:
+              name: iap_members
+              title: Iap Members
+              regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$
+              validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:[email protected]. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member).
         load_balancing_scheme:
           name: load_balancing_scheme
           title: Load Balancing Scheme
@@ -125,3 +137,6 @@ spec:
         target_tags:
           name: target_tags
           title: Target Tags
+        timeout_sec:
+          name: timeout_sec
+          title: Timeout Sec