# Copyright 2025 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
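apiVersion: blueprints.cloud.google.com/v1alpha1
kind: BlueprintMetadata
metadata:
  name: terraform-google-regional-lb-http
  annotations:
    config.kubernetes.io/local-config: "true"
spec:
  info:
    title: Regional HTTP Load Balancer Terraform Module
    source:
      repo: https://github.com/googlestaging/terraform-google-regional-lb-http.git
      sourceType: git
    version: 0.4.3
    actuationTool:
      flavor: Terraform
      version: ">= 1.3"
    description: {}
  content:
    subBlueprints:
      - name: backend
        location: modules/backend
      - name: frontend
        location: modules/frontend
    examples:
      - name: cloud-run
        location: examples/cloud-run
      - name: gce-mig
        location: examples/gce-mig
      - name: internal-lb-cloud-run
        location: examples/internal-lb-cloud-run
      - name: internal-lb-gce-mig
        location: examples/internal-lb-gce-mig
  interfaces:
    variables:
      - name: name
        description: Name for the backend service.
        varType: string
        required: true
      - name: project_id
        description: The project to deploy to; if not set, the default provider project is used.
        varType: string
        required: true
      - name: region
        description: The region where the load balancer backend service will be created
        varType: string
        required: true
      - name: load_balancing_scheme
        description: Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL_MANAGED for Envoy-based load balancer, and INTERNAL_SELF_MANAGED for traffic director)
        varType: string
        defaultValue: EXTERNAL_MANAGED
      - name: protocol
        description: The protocol this BackendService uses to communicate with backends.
        varType: string
        defaultValue: HTTP
      - name: port_name
        description: Name of backend port. The same name should appear in the instance groups referenced by this service. Required when the load balancing scheme is EXTERNAL.
        varType: string
        defaultValue: http
      - name: description
        description: Description of the backend service.
        varType: string
      - name: connection_draining_timeout_sec
        description: Time for which the instance will be drained (accepts no new connections, but keeps working to finish those already started).
        varType: number
      - name: enable_cdn
        description: Enable Cloud CDN for this BackendService.
        varType: bool
        defaultValue: false
      - name: session_affinity
        description: "Type of session affinity to use. Possible values are: NONE, CLIENT_IP, CLIENT_IP_PORT_PROTO, CLIENT_IP_PROTO, GENERATED_COOKIE, HEADER_FIELD, HTTP_COOKIE, STRONG_COOKIE_AFFINITY."
        varType: string
      - name: affinity_cookie_ttl_sec
        description: Lifetime of cookies in seconds if session_affinity is GENERATED_COOKIE.
        varType: number
      - name: locality_lb_policy
        description: The load balancing algorithm used within the scope of the locality.
        varType: string
      - name: security_policy
        description: Security policy, as a string.
        varType: string
      - name: timeout_sec
        description: This has different meaning for different type of load balancing. Please refer to https://cloud.google.com/load-balancing/docs/backend-service#timeout-setting
        varType: number
      - name: health_check
        description: Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend.
        varType: |-
          object({
            host                = optional(string, null)
            request_path        = optional(string, null)
            request             = optional(string, null)
            response            = optional(string, null)
            port                = optional(number, null)
            port_name           = optional(string, null)
            proxy_header        = optional(string, null)
            port_specification  = optional(string, null)
            protocol            = optional(string, null)
            check_interval_sec  = optional(number, 10)
            timeout_sec         = optional(number, 10)
            healthy_threshold   = optional(number, 2)
            unhealthy_threshold = optional(number, 2)
            logging             = optional(bool, true)
          })
      - name: firewall_networks
        description: Names of the networks to create firewall rules in
        varType: list(string)
        defaultValue:
          - default
      - name: firewall_projects
        description: Names of the projects to create firewall rules in
        varType: list(string)
        defaultValue:
          - default
      - name: target_tags
        description: List of target tags for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.
        varType: list(string)
        defaultValue: []
      - name: target_service_accounts
        description: List of target service accounts for health check firewall rule. Exactly one of target_tags or target_service_accounts should be specified.
        varType: list(string)
        defaultValue: []
      - name: serverless_neg_backends
        description: The list of serverless backends which serve the traffic.
        varType: |-
          list(object({
            region          = string
            type            = string // cloud-run, cloud-function, and app-engine
            service_name    = string
            service_version = optional(string)
            capacity_scaler = optional(number, 1.0)
          }))
        defaultValue: []
      - name: groups
        description: The list of backend instance groups which serve the traffic.
        varType: |-
          list(object({
            group                        = string
            description                  = optional(string)
            balancing_mode               = optional(string)
            capacity_scaler              = optional(number)
            max_connections              = optional(number)
            max_connections_per_instance = optional(number)
            max_connections_per_endpoint = optional(number)
            max_rate                     = optional(number)
            max_rate_per_instance        = optional(number)
            max_rate_per_endpoint        = optional(number)
            max_utilization              = optional(number)
          }))
        defaultValue: []
      - name: create_address
        description: Create a new global IPv4 address
        varType: bool
        defaultValue: true
      - name: labels
        description: The labels to attach to resources created by this module
        varType: map(string)
        defaultValue: {}
      - name: ssl
        description: "Set to `true` to enable SSL support. If `true` then at least one of these are required: 1) `ssl_certificates` OR 2) `create_ssl_certificate` set to `true` and `private_key/certificate` OR 3) `managed_ssl_certificate_domains`, OR 4) `certificate_map`"
        varType: bool
        defaultValue: false
      - name: create_ssl_certificate
        description: If `true`, create a certificate using `private_key/certificate`
        varType: bool
        defaultValue: false
      # Sensitive: the raw private key is passed as a plain string. Supply it
      # from a secret manager or an environment variable at apply time rather
      # than committing it to a .tfvars file or this metadata.
      - name: private_key
        description: Content of the private SSL key. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
        varType: string
      - name: certificate
        description: Content of the SSL certificate. Requires `ssl` to be set to `true` and `create_ssl_certificate` set to `true`
        varType: string
      - name: ssl_certificates
        description: SSL cert self_link list. Requires `ssl` to be set to `true`
        varType: list(string)
        defaultValue: []
      - name: managed_ssl_certificate_domains
        description: Create Google-managed SSL certificates for specified domains. Requires `ssl` to be set to `true`
        varType: list(string)
        defaultValue: []
      - name: random_certificate_suffix
        description: Bool to enable/disable random certificate name generation. Set and keep this to true if you need to change the SSL cert.
        varType: bool
        defaultValue: false
      - name: network
        description: Network for INTERNAL_SELF_MANAGED load balancing scheme
        varType: string
        defaultValue: default
      - name: http_port
        description: The port for the HTTP load balancer
        varType: number
        defaultValue: 80
      - name: https_port
        description: The port for the HTTPS load balancer
        varType: number
        defaultValue: 443
      - name: create_url_map
        description: Set to `false` if url_map variable is provided.
        varType: bool
        defaultValue: true
      - name: https_redirect
        description: Set to `true` to enable https redirect on the lb.
        varType: bool
        defaultValue: false
      - name: ssl_policy
        description: Selflink to SSL Policy
        varType: string
      - name: server_tls_policy
        description: The resource URL for the server TLS policy to associate with the https proxy service
        varType: string
      - name: http_keep_alive_timeout_sec
        description: Specifies how long to keep a connection open, after completing a response, while there is no matching traffic (in seconds).
        varType: number
      - name: address
        description: Existing IPv4 address to use (the actual IP address value)
        varType: string
      - name: http_forward
        description: Set to `false` to disable HTTP port 80 forward
        varType: bool
        defaultValue: true
      - name: url_map_input
        description: List of host, path and backend service for creating url_map
        varType: |-
          list(object({
            host            = string
            path            = string
            backend_service = string
          }))
        defaultValue: []
      - name: url_map_resource_uri
        description: The url_map resource to use. Default is to send all traffic to first backend.
        varType: string
    outputs:
      - name: backend_services
        description: The region backend service resources.
      - name: external_ip
        description: The external IPv4 assigned to the forwarding rule.
      - name: http_proxy
        description: The HTTP proxy used by this module.
      - name: https_proxy
        description: The HTTPS proxy used by this module.
      - name: url_map
        description: The default URL map used by this module.
  requirements:
    # NOTE(review): several of these are broad project-level admin roles
    # (compute.admin, storage.admin, run.admin); confirm each one is actually
    # needed to deploy this module and trim any that are not.
    roles:
      - level: Project
        roles:
          - roles/compute.xpnAdmin
      - level: Project
        roles:
          - roles/storage.admin
          - roles/compute.admin
          - roles/run.admin
          - roles/iam.serviceAccountUser
          - roles/certificatemanager.owner
          - roles/vpcaccess.admin
          - roles/iam.serviceAccountAdmin
    services:
      - cloudresourcemanager.googleapis.com
      - storage-api.googleapis.com
      - serviceusage.googleapis.com
      - compute.googleapis.com
      - run.googleapis.com
      - iam.googleapis.com
      - certificatemanager.googleapis.com
      - vpcaccess.googleapis.com
    providerVersions:
      - source: hashicorp/google
        version: ">= 6.0, < 7"
      - source: hashicorp/google-beta
        version: ">= 6.0, < 7"
      - source: hashicorp/random
        version: ">= 2.1"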