diff --git a/Makefile b/Makefile
index 5c2a6c3c..f15e5605 100644
--- a/Makefile
+++ b/Makefile
@@ -18,7 +18,7 @@
 # Make will use bash instead of sh
 SHELL := /usr/bin/env bash
-DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.22
+DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.23
 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools
 REGISTRY_URL := gcr.io/cloud-foundation-cicd
@@ -76,7 +76,7 @@ docker_test_lint:
 .PHONY: docker_generate_docs
 docker_generate_docs:
 docker run --rm -it \
- -e ENABLE_BPMETADATA \
+ -e ENABLE_BPMETADATA=1 \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
@@ -85,6 +85,7 @@ docker_generate_docs:
 .PHONY: docker_generate_modules
 docker_generate_modules:
 docker run --rm -it \
+ -e ENABLE_BPMETADATA \
 -v "$(CURDIR)":/workspace \
 $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_modules'
diff --git a/README.md b/README.md
index 992283f9..3629a0a8 100644
--- a/README.md
+++ b/README.md
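Review bot: The two bpmetadata toggles in this hunk pair are now inconsistent: `docker_generate_docs` hard-codes `-e ENABLE_BPMETADATA=1`, while the line added to `docker_generate_modules` uses the bare `-e ENABLE_BPMETADATA`, which only forwards the variable when it is set in the caller's environment and passes nothing otherwise. If metadata generation is meant to be unconditional in both targets, the modules line should read `-e ENABLE_BPMETADATA=1 \` as well; if the pass-through is deliberate, a one-line comment above the recipe such as `# ENABLE_BPMETADATA is forwarded from the caller's environment, not forced on` would stop the next reader from "fixing" it. The image is still selected by a mutable tag rather than a digest, so the 1.23 bump does not pin what actually runs in these recipes; that is pre-existing and outside this change.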
@@ -29,13 +29,13 @@ intended for Terraform 0.12.x is [v4.5.0](https://registry.terraform.io/modules/
 Current version is 12.0. Upgrade guides:
-- [2.X -> 3.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v3.0.0.md)
-- [3.X -> 4.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v4.0.md)
-- [6.X -> 7.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v7.0.md)
-- [7.X -> 8.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v8.0.md)
-- [8.X -> 9.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v9.0.md)
-- [9.X -> 10.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v10.0.md)
-- [10.X -> 11.0](https://github.com/terraform-google-modules/terraform-google-lb-http/blob/master/docs/upgrading_to_v11.0.md)
+- [2.X -> 3.0](/docs/upgrading-v2.0.0-v3.0.0.md)
+- [3.X -> 4.0](/docs/upgrading_to_v4.0.md)
+- [6.X -> 7.0](/docs/upgrading_to_v7.0.md)
+- [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
+- [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
+- [9.X -> 10.0](/docs/upgrading_to_v10.0.md)
+- [10.X -> 11.0](/docs/upgrading_to_v11.0.md)
 ## Usage
diff --git a/autogen/README.md b/autogen/README.md
index 0be0603a..4c3f746c 100644
--- a/autogen/README.md
+++ b/autogen/README.md
@@ -43,7 +43,7 @@ intended for Terraform 0.12.x is [v4.5.0](https://registry.terraform.io/modules/
 ## Version
-Current version is 9.0. Upgrade guides:
+Current version is 12.0. Upgrade guides:
 - [2.X -> 3.0](/docs/upgrading-v2.0.0-v3.0.0.md)
 - [3.X -> 4.0](/docs/upgrading_to_v4.0.md)
@@ -51,6 +51,7 @@ Current version is 9.0. Upgrade guides:
 - [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
 - [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
 - [9.X -> 10.0](/docs/upgrading_to_v10.0.md)
+- [10.X -> 11.0](/docs/upgrading_to_v11.0.md)
 ## Usage
diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml
index 6e3c06e2..37f90561 100644
--- a/build/int.cloudbuild.yaml
+++ b/build/int.cloudbuild.yaml
@@ -132,4 +132,4 @@ tags:
 - 'integration'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'
diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml
index 30483dc4..cc59d7ff 100644
--- a/build/lint.cloudbuild.yaml
+++ b/build/lint.cloudbuild.yaml
@@ -21,4 +21,4 @@ tags:
 - 'lint'
 substitutions:
 _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools'
- _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.22'
+ _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.23'
diff --git a/metadata.yaml b/metadata.yaml
index 5736d573..cea54d3e 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -76,9 +76,50 @@ spec: location: examples/user-managed-google-managed-ssl interfaces: variables: + - name: project + description: The project to deploy to, if not set the default provider project is used. + varType: string + required: true + - name: name + description: Name for the forwarding rule and prefix for supporting resources + varType: string + required: true + - name: create_address + description: Create a new global IPv4 address + varType: bool + defaultValue: true - name: address description: Existing IPv4 address to use (the actual IP address value) varType: string + - name: enable_ipv6 + description: Enable IPv6 address on the CDN load-balancer + varType: bool + defaultValue: false + - name: create_ipv6_address + description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. + varType: bool + defaultValue: false + - name: ipv6_address + description: An existing IPv6 address to use (the actual IP address value) + varType: string + - name: firewall_networks + description: Names of the networks to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: firewall_projects + description: Names of the projects to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: target_tags + description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. + varType: list(string) + defaultValue: [] + - name: target_service_accounts + description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. + varType: list(string) + defaultValue: [] - name: backends description: Map backend indices to list of backend maps. varType: |- 
@@ -186,67 +227,62 @@ spec: })) })) required: true - - name: certificate - description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` - varType: string - - name: certificate_map - description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` + - name: create_url_map + description: Set to `false` if url_map variable is provided. + varType: bool + defaultValue: true + - name: url_map + description: The url_map resource to use. Default is to send all traffic to first backend. varType: string - - name: create_address - description: Create a new global IPv4 address + - name: http_forward + description: Set to `false` to disable HTTP port 80 forward varType: bool defaultValue: true - - name: create_ipv6_address - description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. + - name: ssl + description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`" varType: bool defaultValue: false - name: create_ssl_certificate description: If `true`, Create certificate using `private_key/certificate` varType: bool defaultValue: false - - name: create_url_map - description: Set to `false` if url_map variable is provided. + - name: ssl_certificates + description: SSL cert self_link list. Requires `ssl` to be set to `true` + varType: list(string) + defaultValue: [] + - name: private_key + description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` + varType: string + - name: certificate + description: Content of the SSL certificate. 
Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` + varType: string + - name: managed_ssl_certificate_domains + description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` + varType: list(string) + defaultValue: [] + - name: certificate_map + description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` + varType: string + - name: ssl_policy + description: Selfink to SSL Policy + varType: string + - name: quic + description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. varType: bool - defaultValue: true - name: edge_security_policy description: The resource URL for the edge security policy to associate with the backend service varType: string - - name: enable_ipv6 - description: Enable IPv6 address on the CDN load-balancer - varType: bool - defaultValue: false - - name: firewall_networks - description: Names of the networks to create firewall rules in - varType: list(string) - defaultValue: - - default - - name: firewall_projects - description: Names of the projects to create firewall rules in - varType: list(string) - defaultValue: - - default - - name: http_forward - description: Set to `false` to disable HTTP port 80 forward - varType: bool - defaultValue: true - - name: http_keep_alive_timeout_sec - description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). 
- varType: number - - name: http_port - description: The port for the HTTP load balancer - varType: number - defaultValue: 80 - - name: https_port - description: The port for the HTTPS load balancer - varType: number - defaultValue: 443 + - name: security_policy + description: The resource URL for the security policy to associate with the backend service + varType: string - name: https_redirect description: Set to `true` to enable https redirect on the lb. varType: bool defaultValue: false - - name: ipv6_address - description: An existing IPv6 address to use (the actual IP address value) - varType: string + - name: random_certificate_suffix + description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. + varType: bool + defaultValue: false - name: labels description: The labels to attach to resources created by this module varType: map(string) 
@@ -255,60 +291,24 @@ spec: description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director) varType: string defaultValue: EXTERNAL - - name: managed_ssl_certificate_domains - description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` - varType: list(string) - defaultValue: [] - - name: name - description: Name for the forwarding rule and prefix for supporting resources - varType: string - required: true - name: network description: Network for INTERNAL_SELF_MANAGED load balancing scheme varType: string defaultValue: default - - name: private_key - description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` - varType: string - - name: project - description: The project to deploy to, if not set the default provider project is used. - varType: string - required: true - - name: quic - description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. - varType: bool - - name: random_certificate_suffix - description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. - varType: bool - defaultValue: false - - name: security_policy - description: The resource URL for the security policy to associate with the backend service - varType: string - name: server_tls_policy description: The resource URL for the server TLS policy to associate with the https proxy service varType: string - - name: ssl - description: "Set to `true` to enable SSL support. 
If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`" - varType: bool - defaultValue: false - - name: ssl_certificates - description: SSL cert self_link list. Requires `ssl` to be set to `true` - varType: list(string) - defaultValue: [] - - name: ssl_policy - description: Selfink to SSL Policy - varType: string - - name: target_service_accounts - description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. - varType: list(string) - defaultValue: [] - - name: target_tags - description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. - varType: list(string) - defaultValue: [] - - name: url_map - description: The url_map resource to use. Default is to send all traffic to first backend. - varType: string + - name: http_port + description: The port for the HTTP load balancer + varType: number + defaultValue: 80 + - name: https_port + description: The port for the HTTPS load balancer + varType: number + defaultValue: 443 + - name: http_keep_alive_timeout_sec + description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). + varType: number outputs: - name: backend_services description: The backend service resources. @@ -343,3 +343,10 @@ spec: - run.googleapis.com - iam.googleapis.com - certificatemanager.googleapis.com + providerVersions: + - source: hashicorp/google + version: ">= 6.0, < 7" + - source: hashicorp/google-beta + version: ">= 6.0, < 7" + - source: hashicorp/random + version: ">= 2.1" diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index f6ba6417..c975338d 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml 
@@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -151,11 +151,11 @@ spec: })) defaultValue: [] connections: - - source: - source: github.com/terraform-google-modules/terraform-google-vm//modules/mig - version: ~> 12.0 - spec: - outputExpr: '{"group": instance_group}' + - source: + source: github.com/terraform-google-modules/terraform-google-vm//modules/mig + version: ">= 12.0" + spec: + outputExpr: "{\"group\": instance_group, \"description\": \"Input created by connection\"}" - name: serverless_neg_backends description: The list of serverless backend which serves the traffic. varType: |- @@ -167,11 +167,11 @@ spec: })) defaultValue: [] connections: - - source: - source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2 - version: ~> 0.13 - spec: - outputExpr: '{"region": location, "service_name": service_name, "type": "cloud-run", "service_version": ""}' + - source: + source: github.com/GoogleCloudPlatform/terraform-google-cloud-run//modules/v2 + version: ">= 0.13" + spec: + outputExpr: "{\"region\": location, \"service_name\": service_name, \"type\": \"cloud-run\", \"service_version\": \"\"}" - name: iap_config description: Settings for enabling Cloud Identity Aware Proxy Structure. varType: |- @@ -290,18 +290,18 @@ spec: type: - list - - object - - host: string + - backend_service: string + host: string path: string - backend_service: string requirements: roles: - level: Project roles: - - roles/owner - - roles/storage.admin + - roles/compute.xpnAdmin - level: Project roles: - - roles/compute.xpnAdmin + - roles/owner + - roles/storage.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/modules/dynamic_backends/README.md b/modules/dynamic_backends/README.md index 7cd59451..559412c9 100644 --- a/modules/dynamic_backends/README.md 
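Review bot: The connection constraints in the two `connections:` blocks of this file section drop their upper bound, going from `~> 12.0` to `">= 12.0"` for the MIG module and from `~> 0.13` to `">= 0.13"` for the Cloud Run module, so any future major release of either connected module satisfies them. If the constraint is what deployment tooling uses to resolve the connected module, a bounded form such as `version: ">= 12.0, < 13"` keeps automatic upgrades inside the range this module was tested against; if the tooling requires an open `>=` form, a short comment beside the constraint stating that would make the choice explicit. This looks like generated metadata, so the right place for either change is presumably the source the generator reads rather than this file.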
+++ b/modules/dynamic_backends/README.md
@@ -20,7 +20,7 @@ intended for Terraform 0.12.x is [v4.5.0](https://registry.terraform.io/modules/
 ## Version
-Current version is 9.0. Upgrade guides:
+Current version is 12.0. Upgrade guides:
 - [2.X -> 3.0](/docs/upgrading-v2.0.0-v3.0.0.md)
 - [3.X -> 4.0](/docs/upgrading_to_v4.0.md)
@@ -28,6 +28,7 @@ Current version is 9.0. Upgrade guides:
 - [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
 - [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
 - [9.X -> 10.0](/docs/upgrading_to_v10.0.md)
+- [10.X -> 11.0](/docs/upgrading_to_v11.0.md)
 ## Usage
diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml
index 6f0e1cda..0bbbd954 100644
--- a/modules/dynamic_backends/metadata.yaml
+++ b/modules/dynamic_backends/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -50,6 +50,8 @@ spec:
 location: examples/https-gke
 - name: https-redirect
 location: examples/https-redirect
+ - name: lb-http-separate-frontend-and-backend
+ location: examples/lb-http-separate-frontend-and-backend
 - name: mig-nat-http-lb
 location: examples/mig-nat-http-lb
 - name: multi-backend-multi-mig-bucket-https-lb
@@ -66,9 +68,50 @@ spec: location: examples/user-managed-google-managed-ssl interfaces: variables: + - name: project + description: The project to deploy to, if not set the default provider project is used. + varType: string + required: true + - name: name + description: Name for the forwarding rule and prefix for supporting resources + varType: string + required: true + - name: create_address + description: Create a new global IPv4 address + varType: bool + defaultValue: true - name: address description: Existing IPv4 address to use (the actual IP address value) varType: string + - name: enable_ipv6 + description: Enable IPv6 address on the CDN load-balancer + varType: bool + defaultValue: false + - name: create_ipv6_address + description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. + varType: bool + defaultValue: false + - name: ipv6_address + description: An existing IPv6 address to use (the actual IP address value) + varType: string + - name: firewall_networks + description: Names of the networks to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: firewall_projects + description: Names of the projects to create firewall rules in + varType: list(string) + defaultValue: + - default + - name: target_tags + description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. + varType: list(string) + defaultValue: [] + - name: target_service_accounts + description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. + varType: list(string) + defaultValue: [] - name: backends description: Map backend indices to list of backend maps. varType: |- 
@@ -176,67 +219,62 @@ spec: })) })) required: true - - name: certificate - description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` - varType: string - - name: certificate_map - description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` + - name: create_url_map + description: Set to `false` if url_map variable is provided. + varType: bool + defaultValue: true + - name: url_map + description: The url_map resource to use. Default is to send all traffic to first backend. varType: string - - name: create_address - description: Create a new global IPv4 address + - name: http_forward + description: Set to `false` to disable HTTP port 80 forward varType: bool defaultValue: true - - name: create_ipv6_address - description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. + - name: ssl + description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`" varType: bool defaultValue: false - name: create_ssl_certificate description: If `true`, Create certificate using `private_key/certificate` varType: bool defaultValue: false - - name: create_url_map - description: Set to `false` if url_map variable is provided. + - name: ssl_certificates + description: SSL cert self_link list. Requires `ssl` to be set to `true` + varType: list(string) + defaultValue: [] + - name: private_key + description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` + varType: string + - name: certificate + description: Content of the SSL certificate. 
Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` + varType: string + - name: managed_ssl_certificate_domains + description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` + varType: list(string) + defaultValue: [] + - name: certificate_map + description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true` + varType: string + - name: ssl_policy + description: Selfink to SSL Policy + varType: string + - name: quic + description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. varType: bool - defaultValue: true - name: edge_security_policy description: The resource URL for the edge security policy to associate with the backend service varType: string - - name: enable_ipv6 - description: Enable IPv6 address on the CDN load-balancer - varType: bool - defaultValue: false - - name: firewall_networks - description: Names of the networks to create firewall rules in - varType: list(string) - defaultValue: - - default - - name: firewall_projects - description: Names of the projects to create firewall rules in - varType: list(string) - defaultValue: - - default - - name: http_forward - description: Set to `false` to disable HTTP port 80 forward - varType: bool - defaultValue: true - - name: http_keep_alive_timeout_sec - description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). 
- varType: number - - name: http_port - description: The port for the HTTP load balancer - varType: number - defaultValue: 80 - - name: https_port - description: The port for the HTTPS load balancer - varType: number - defaultValue: 443 + - name: security_policy + description: The resource URL for the security policy to associate with the backend service + varType: string - name: https_redirect description: Set to `true` to enable https redirect on the lb. varType: bool defaultValue: false - - name: ipv6_address - description: An existing IPv6 address to use (the actual IP address value) - varType: string + - name: random_certificate_suffix + description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. + varType: bool + defaultValue: false - name: labels description: The labels to attach to resources created by this module varType: map(string) 
@@ -245,60 +283,24 @@ spec: description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director) varType: string defaultValue: EXTERNAL - - name: managed_ssl_certificate_domains - description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true` - varType: list(string) - defaultValue: [] - - name: name - description: Name for the forwarding rule and prefix for supporting resources - varType: string - required: true - name: network description: Network for INTERNAL_SELF_MANAGED load balancing scheme varType: string defaultValue: default - - name: private_key - description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true` - varType: string - - name: project - description: The project to deploy to, if not set the default provider project is used. - varType: string - required: true - - name: quic - description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only. - varType: bool - - name: random_certificate_suffix - description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert. - varType: bool - defaultValue: false - - name: security_policy - description: The resource URL for the security policy to associate with the backend service - varType: string - name: server_tls_policy description: The resource URL for the server TLS policy to associate with the https proxy service varType: string - - name: ssl - description: "Set to `true` to enable SSL support. 
If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`" - varType: bool - defaultValue: false - - name: ssl_certificates - description: SSL cert self_link list. Requires `ssl` to be set to `true` - varType: list(string) - defaultValue: [] - - name: ssl_policy - description: Selfink to SSL Policy - varType: string - - name: target_service_accounts - description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. - varType: list(string) - defaultValue: [] - - name: target_tags - description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified. - varType: list(string) - defaultValue: [] - - name: url_map - description: The url_map resource to use. Default is to send all traffic to first backend. - varType: string + - name: http_port + description: The port for the HTTP load balancer + varType: number + defaultValue: 80 + - name: https_port + description: The port for the HTTPS load balancer + varType: number + defaultValue: 443 + - name: http_keep_alive_timeout_sec + description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds). + varType: number outputs: - name: backend_services description: The backend service resources. @@ -320,11 +322,11 @@ spec: roles: - level: Project roles: - - roles/owner - - roles/storage.admin + - roles/compute.xpnAdmin - level: Project roles: - - roles/compute.xpnAdmin + - roles/owner + - roles/storage.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com 
@@ -333,3 +335,10 @@ spec:
 - run.googleapis.com
 - iam.googleapis.com
 - certificatemanager.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 6.0, < 7"
+ - source: hashicorp/google-beta
+ version: ">= 6.0, < 7"
+ - source: hashicorp/random
+ version: ">= 2.1"
diff --git a/modules/frontend/main.tf b/modules/frontend/main.tf
index f17d1966..366ce6af 100644
--- a/modules/frontend/main.tf
+++ b/modules/frontend/main.tf
@@ -35,6 +35,11 @@ locals {
 s.path => s.backend_service if s.host == host
 }
 }
+
+ # Find a backend service to be used for url_map in absence of host "*" and path "/*"
+ first_host = try(keys(local.backend_services_by_host)[0], null)
+ first_path = try(keys(local.backend_services_by_host[local.first_host])[0], null)
+ first_backend_service = try(local.backend_services_by_host[local.first_host][local.first_path], null)
 }
 ### IPv4 block ###
@@ -187,7 +192,7 @@ resource "google_compute_url_map" "default" {
 provider = google-beta
 project = var.project_id
 name = "${var.name}-url-map"
- default_service = local.backend_services_by_host["*"]["/*"]
+ default_service = lookup(lookup(local.backend_services_by_host, "*", {}), "/*", local.first_backend_service)
 dynamic "host_rule" {
 for_each = local.backend_services_by_host
@@ -201,10 +206,10 @@ resource "google_compute_url_map" "default" {
 for_each = local.backend_services_by_host
 content {
 name = path_matcher.key == "*" ? "default" : replace(path_matcher.key, ".", "")
- default_service = path_matcher.value["/*"]
+ default_service = path_matcher.value[contains(keys(path_matcher.value), "/*") ? "/*" : keys(path_matcher.value)[0]]
 dynamic "path_rule" {
- for_each = path_matcher.value
+ for_each = { for k, v in path_matcher.value : k => v if k != "/*" }
 content {
 paths = [path_rule.key]
 service = path_rule.value
diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml
index daf223ee..046a8165 100644
--- a/modules/frontend/metadata.yaml
+++ b/modules/frontend/metadata.yaml
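Review bot: The fallback introduced in `locals` picks the default backend by position, and Terraform's `keys()` returns map keys in lexical order, so when no `"*"` host / `"/*"` path is declared, every request that matches no host rule is routed to whichever host and path sort first — not the one declared first and not one the caller chose. The same positional pick appears in the `@@ -201` hunk (`keys(path_matcher.value)[0]`), and the two fall back differently: the URL map's `default_service` uses the global first backend, while a `"*"` matcher that lacks `"/*"` uses its own first path. Sending unmatched traffic to an implicitly selected backend is a routing decision worth making explicit, either by extending the comment to `# Fallback when no "*" host / "/*" path exists: keys() is sorted, so this is the lexically smallest host and path, not the first declared` or by adding a `precondition` on `google_compute_url_map.default` that requires an explicit default and fails the plan otherwise. The `locals` block and the url_map resource both extend outside these hunks.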
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -211,11 +211,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
- - roles/storage.admin
+ - roles/compute.xpnAdmin
 - level: Project
 roles:
- - roles/compute.xpnAdmin
+ - roles/owner
+ - roles/storage.admin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
diff --git a/modules/serverless_negs/README.md b/modules/serverless_negs/README.md
index a36c482f..71791233 100644
--- a/modules/serverless_negs/README.md
+++ b/modules/serverless_negs/README.md
@@ -15,7 +15,7 @@ intended for Terraform 0.12.x is [v4.5.0](https://registry.terraform.io/modules/
 ## Version
-Current version is 9.0. Upgrade guides:
+Current version is 12.0. Upgrade guides:
 - [2.X -> 3.0](/docs/upgrading-v2.0.0-v3.0.0.md)
 - [3.X -> 4.0](/docs/upgrading_to_v4.0.md)
@@ -23,6 +23,7 @@ Current version is 9.0. Upgrade guides:
 - [7.X -> 8.0](/docs/upgrading_to_v8.0.md)
 - [8.X -> 9.0](/docs/upgrading_to_v9.0.md)
 - [9.X -> 10.0](/docs/upgrading_to_v10.0.md)
+- [10.X -> 11.0](/docs/upgrading_to_v11.0.md)
 ## Usage
diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml
index 832eaa8c..b553c6fb 100644
--- a/modules/serverless_negs/metadata.yaml
+++ b/modules/serverless_negs/metadata.yaml
@@ -1,4 +1,4 @@
-# Copyright 2024 Google LLC
+# Copyright 2025 Google LLC
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -50,6 +50,8 @@ spec:
 location: examples/https-gke
 - name: https-redirect
 location: examples/https-redirect
+ - name: lb-http-separate-frontend-and-backend
+ location: examples/lb-http-separate-frontend-and-backend
 - name: mig-nat-http-lb
 location: examples/mig-nat-http-lb
 - name: multi-backend-multi-mig-bucket-https-lb
@@ -66,9 +68,32 @@ spec: location: examples/user-managed-google-managed-ssl interfaces: variables: + - name: project + description: The project to deploy to, if not set the default provider project is used. + varType: string + required: true + - name: name + description: Name for the forwarding rule and prefix for supporting resources + varType: string + required: true + - name: create_address + description: Create a new global IPv4 address + varType: bool + defaultValue: true - name: address description: Existing IPv4 address to use (the actual IP address value) varType: string + - name: enable_ipv6 + description: Enable IPv6 address on the CDN load-balancer + varType: bool + defaultValue: false + - name: create_ipv6_address + description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence. + varType: bool + defaultValue: false + - name: ipv6_address + description: An existing IPv6 address to use (the actual IP address value) + varType: string - name: backends description: Map backend indices to list of backend maps. varType: |- 
@@ -158,57 +183,62 @@ spec:
 }))
 }))
 required: true
- - name: certificate
- description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
- varType: string
- - name: certificate_map
- description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`
+ - name: create_url_map
+ description: Set to `false` if url_map variable is provided.
+ varType: bool
+ defaultValue: true
+ - name: url_map
+ description: The url_map resource to use. Default is to send all traffic to first backend.
 varType: string
- - name: create_address
- description: Create a new global IPv4 address
+ - name: http_forward
+ description: Set to `false` to disable HTTP port 80 forward
 varType: bool
 defaultValue: true
- - name: create_ipv6_address
- description: Allocate a new IPv6 address. Conflicts with "ipv6_address" - if both specified, "create_ipv6_address" takes precedence.
+ - name: ssl
+ description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
 varType: bool
 defaultValue: false
 - name: create_ssl_certificate
 description: If `true`, Create certificate using `private_key/certificate`
 varType: bool
 defaultValue: false
- - name: create_url_map
- description: Set to `false` if url_map variable is provided.
+ - name: ssl_certificates
+ description: SSL cert self_link list. Requires `ssl` to be set to `true`
+ varType: list(string)
+ defaultValue: []
+ - name: private_key
+ description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
+ varType: string
+ - name: certificate
+ description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
+ varType: string
+ - name: managed_ssl_certificate_domains
+ description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`
+ varType: list(string)
+ defaultValue: []
+ - name: certificate_map
+ description: Certificate Map ID in format projects/{project}/locations/global/certificateMaps/{name}. Identifies a certificate map associated with the given target proxy. Requires `ssl` to be set to `true`
+ varType: string
+ - name: ssl_policy
+ description: Selfink to SSL Policy
+ varType: string
+ - name: quic
+ description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.
 varType: bool
- defaultValue: true
 - name: edge_security_policy
 description: The resource URL for the edge security policy to associate with the backend service
 varType: string
- - name: enable_ipv6
- description: Enable IPv6 address on the CDN load-balancer
- varType: bool
- defaultValue: false
- - name: http_forward
- description: Set to `false` to disable HTTP port 80 forward
- varType: bool
- defaultValue: true
- - name: http_keep_alive_timeout_sec
- description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).
- varType: number
- - name: http_port
- description: The port for the HTTP load balancer
- varType: number
- defaultValue: 80
- - name: https_port
- description: The port for the HTTPS load balancer
- varType: number
- defaultValue: 443
+ - name: security_policy
+ description: The resource URL for the security policy to associate with the backend service
+ varType: string
 - name: https_redirect
 description: Set to `true` to enable https redirect on the lb.
 varType: bool
 defaultValue: false
- - name: ipv6_address
- description: An existing IPv6 address to use (the actual IP address value)
- varType: string
+ - name: random_certificate_suffix
+ description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.
+ varType: bool
+ defaultValue: false
 - name: labels
 description: The labels to attach to resources created by this module
 varType: map(string)
@@ -217,52 +247,24 @@ spec:
 description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)
 varType: string
 defaultValue: EXTERNAL
- - name: managed_ssl_certificate_domains
- description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`
- varType: list(string)
- defaultValue: []
- - name: name
- description: Name for the forwarding rule and prefix for supporting resources
- varType: string
- required: true
 - name: network
 description: Network for INTERNAL_SELF_MANAGED load balancing scheme
 varType: string
 defaultValue: default
- - name: private_key
- description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
- varType: string
- - name: project
- description: The project to deploy to, if not set the default provider project is used.
- varType: string
- required: true
- - name: quic
- description: Specifies the QUIC override policy for this resource. Set true to enable HTTP/3 and Google QUIC support, false to disable both. Defaults to null which enables support for HTTP/3 only.
- varType: bool
- - name: random_certificate_suffix
- description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.
- varType: bool
- defaultValue: false
- - name: security_policy
- description: The resource URL for the security policy to associate with the backend service
- varType: string
 - name: server_tls_policy
 description: The resource URL for the server TLS policy to associate with the https proxy service
 varType: string
- - name: ssl
- description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
- varType: bool
- defaultValue: false
- - name: ssl_certificates
- description: SSL cert self_link list. Requires `ssl` to be set to `true`
- varType: list(string)
- defaultValue: []
- - name: ssl_policy
- description: Selfink to SSL Policy
- varType: string
- - name: url_map
- description: The url_map resource to use. Default is to send all traffic to first backend.
- varType: string
+ - name: http_port
+ description: The port for the HTTP load balancer
+ varType: number
+ defaultValue: 80
+ - name: https_port
+ description: The port for the HTTPS load balancer
+ varType: number
+ defaultValue: 443
+ - name: http_keep_alive_timeout_sec
+ description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).
+ varType: number
 outputs:
 - name: backend_services
 description: The backend service resources.
@@ -284,11 +286,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/owner
- - roles/storage.admin
+ - roles/compute.xpnAdmin
 - level: Project
 roles:
- - roles/compute.xpnAdmin
+ - roles/owner
+ - roles/storage.admin
 services:
 - cloudresourcemanager.googleapis.com
 - storage-api.googleapis.com
@@ -297,3 +299,10 @@ spec:
 - run.googleapis.com
 - iam.googleapis.com
 - certificatemanager.googleapis.com
+ providerVersions:
+ - source: hashicorp/google
+ version: ">= 6.0, < 7"
+ - source: hashicorp/google-beta
+ version: ">= 6.0, < 7"
+ - source: hashicorp/random
+ version: ">= 2.1"
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 0f4faa43..2ed42606 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -16,8 +16,12 @@ locals { int_required_project_roles = [ - "roles/owner", - "roles/storage.admin" + "roles/compute.loadBalancerAdmin", + "roles/storage.admin", + "roles/compute.admin", + "roles/run.admin", + "roles/iam.serviceAccountUser", + "roles/certificatemanager.owner" ] int_required_folder_roles = [ "roles/compute.xpnAdmin"