padok-team · Synehan · Nov 13, 2024 · Nov 14, 2024
diff --git a/README.md b/README.md
@@ -15,9 +15,13 @@ Terraform module which creates **Load Balancer** resources on **GCP**.
 
 ## Usage
 
+### Backend Oriented
+
+This pattern will create the backend associated the buckets and cloud run / compute. It does not allow more complex pattern (like same hosts serving a cloud run and a bucket).
+
 ```hcl
 module "my_lb" {
-  source = "[email protected]:padok-team/terraform-google-lb.git?ref=v1.0.1"
+  source = "[email protected]:padok-team/terraform-google-lb.git?ref=v2.0.0"
 
   name = "my-lb"
   buckets_backends = {
@@ -48,6 +52,44 @@ module "my_lb" {
 }
 ```
 
+### Host and Path oriented
+
+This pattern does not create the backend neither the cdn policies associated.
+
+```hcl
+module "my_lb" {
+  source = "[email protected]:padok-team/terraform-google-lb.git?ref=v2.0.0"
+
+  name = "my-lb"
+
+  default_service_self_link = data.google_compute_backend_bucket.playground.id
+
+  advance_hosts_rules = {
+    echo-playground = {
+      hosts = ["echo.playground.padok.cloud"]
+      default_service_id = data.google_compute_backend_bucket.playground_echo.id
+      path_rules = [
+        {
+          paths = [/api/*]
+          service_id = data.google_compute_backend_service.playground_echo.id
+        },
+        {
+          paths = [/*]
+          service_id = data.google_compute_backend_bucket.playground_echo.id
+        },
+      ]
+    }
+    beta-playground = {
+      hosts = ["beta.playground.padok.cloud"]
+      default_service_id = data.google_compute_backend_service.playground_beta.id
+    }
+  }
+
+  ssl_certificates    = [data.google_compute_ssl_certificate.playground.self_link]
+  custom_cdn_policies = {}
+}
+```
+
 ### Embedded CDN Policies
 
 Currently, this module only supports the following CDN policy. You can reference it directly in the module usage:
@@ -78,6 +120,8 @@ Alternatively, you can set custom CDN Policies as explained in the [Terraform do
 - [Multiple backend usage](examples/multi-backend-lb/main.tf)
 - [Custom CDN policy usage](examples/custom-cdn-policy/main.tf)
 - [Custom certificate usage](examples/lb-with-custom-certificate/main.tf)
+- [Certificate Map usage](examples/certificate-map-usage/main.tf)
+- [Advance Hosts rules usage](examples/lb-advance-hosts-rules/main.tf)
 
 <!-- BEGIN_TF_DOCS -->
 ## Modules

diff --git a/examples/certificate-map-usage/main.tf b/examples/certificate-map-usage/main.tf
@@ -0,0 +1,91 @@
+# This example creates a SSL certificate and attach it to e new load balancer
+
+locals {
+  project_id = "padok-cloud-factory"
+  domains = {
+    frontend = "frontend-library.playground.padok.cloud"
+    www      = "www.frontend-library.playground.padok.cloud"
+  }
+}
+
+provider "google" {
+  region = "europe-west1"
+}
+
+terraform {
+  required_version = "~> 1.5.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+resource "google_certificate_manager_certificate_map" "this" {
+  name    = "playground-tls"
+  project = local.project_id
+  labels = {
+    "terraform" : true
+  }
+}
+
+resource "google_certificate_manager_certificate" "these" {
+  for_each    = local.domains
+  project     = local.project_id
+  name        = each.key
+  description = "Cert with LB authorization"
+  managed {
+    domains = [each.value]
+  }
+  labels = {
+    "terraform" : true
+  }
+}
+
+resource "google_certificate_manager_certificate_map_entry" "these" {
+  for_each     = local.domains
+  name         = each.key
+  project      = local.project_id
+  map          = google_certificate_manager_certificate_map.this.name
+  certificates = [google_certificate_manager_certificate.these[each.key].id]
+  hostname     = each.value.domain
+}
+
+module "my_lb" {
+  source = "../.."
+
+  name       = "my-lb"
+  project_id = local.project_id
+
+  buckets_backends = {
+    frontend = {
+      hosts = ["frontend-library.playground.padok.cloud", "www.frontend-library.playground.padok.cloud"]
+      path_rules = [
+        {
+          paths = ["/*"]
+        }
+      ]
+      bucket_name = google_storage_bucket.this.name
+    }
+  }
+  service_backends    = {}
+  certificate_map_id  = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.this.id}"
+  custom_cdn_policies = {}
+}
+
+resource "google_storage_bucket" "this" {
+  name     = "example-custom-certificate"
+  project  = local.project_id
+  location = "EU"
+  #checkov:skip=CKV_GCP_62: Example, no connexion logging required
+  #checkov:skip=CKV_GCP_78: Example, no versioning required
+
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  website {
+    main_page_suffix = "index.html"
+    not_found_page   = "index.html"
+  }
+}
diff --git a/examples/certificate-map-usage/outputs.tf b/examples/certificate-map-usage/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/examples/certificate-map-usage/variables.tf b/examples/certificate-map-usage/variables.tf
diff --git a/examples/lb-advance-hosts-rules/main.tf b/examples/lb-advance-hosts-rules/main.tf
@@ -0,0 +1,109 @@
+# This example creates a SSL certificate and attach it to e new load balancer
+
+locals {
+  project_id      = "padok-cloud-factory"
+  domains_library = ["library.playground.padok.cloud", "www.library.playground.padok.cloud"]
+}
+
+provider "google" {
+  region = "europe-west1"
+}
+
+provider "google-beta" {
+  region = "europe-west1"
+}
+
+terraform {
+  required_version = "~> 1.5.0"
+  required_providers {
+    google = {
+      source  = "hashicorp/google"
+      version = "~> 6.0"
+    }
+    google-beta = {
+      source  = "hashicorp/google-beta"
+      version = "~> 6.0"
+    }
+  }
+}
+
+
+resource "google_compute_managed_ssl_certificate" "this" {
+  name    = "playground-tls"
+  project = local.project_id
+  managed {
+    domains = local.domains_library
+  }
+}
+
+module "my_lb" {
+  source = "../.."
+
+  name       = "my-lb"
+  project_id = local.project_id
+
+  advance_hosts_rules = {
+    library = {
+      hosts              = local.domains_library
+      default_service_id = google_compute_backend_bucket.this.id
+      path_rules = [
+        {
+          paths      = ["/*"]
+          service_id = google_compute_backend_bucket.this.id
+        },
+        {
+          paths      = ["/api/*"]
+          service_id = google_compute_backend_service.this.id
+        }
+      ]
+    }
+  }
+
+  ssl_certificates = [google_compute_managed_ssl_certificate.this.id]
+
+}
+
+resource "google_storage_bucket" "this" {
+  name     = "example-custom-certificate"
+  project  = local.project_id
+  location = "EU"
+  #checkov:skip=CKV_GCP_62: Example, no connexion logging required
+  #checkov:skip=CKV_GCP_78: Example, no versioning required
+
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  website {
+    main_page_suffix = "index.html"
+    not_found_page   = "index.html"
+  }
+}
+
+resource "google_compute_region_network_endpoint_group" "this" {
+  provider              = google-beta
+  project               = local.project_id
+  name                  = "my-cloud-run-serverless-neg"
+  network_endpoint_type = "SERVERLESS"
+  region                = "europe-west1"
+  cloud_run {
+    service = "library"
+  }
+}
+
+resource "google_compute_backend_service" "this" {
+  name    = "my-cloud-run"
+  project = local.project_id
+
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+
+  backend {
+    group = google_compute_region_network_endpoint_group.this.id
+  }
+}
+
+resource "google_compute_backend_bucket" "this" {
+  name    = "example-custom-certificate"
+  project = local.project_id
+
+
+  bucket_name = google_storage_bucket.this.name
+}
diff --git a/examples/lb-advance-hosts-rules/outputs.tf b/examples/lb-advance-hosts-rules/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/examples/lb-advance-hosts-rules/variables.tf b/examples/lb-advance-hosts-rules/variables.tf
diff --git a/main.tf b/main.tf
@@ -9,7 +9,7 @@ resource "google_compute_url_map" "https" {
   name    = "${var.name}-https"
   project = var.project_id
 
-  default_service = try(google_compute_backend_bucket.this[keys(google_compute_backend_bucket.this)[0]].self_link, google_compute_backend_service.this[keys(google_compute_backend_service.this)[0]].self_link)
+  default_service = try(google_compute_backend_bucket.this[keys(google_compute_backend_bucket.this)[0]].self_link, google_compute_backend_service.this[keys(google_compute_backend_service.this)[0]].self_link, var.default_service_self_link)
 
   dynamic "host_rule" {
     for_each = var.service_backends
@@ -60,6 +60,32 @@ resource "google_compute_url_map" "https" {
       }
     }
   }
+
+  # Allow More advance rules
+  dynamic "host_rule" {
+    for_each = var.advance_hosts_rules
+
+    content {
+      hosts        = host_rule.value.hosts
+      path_matcher = host_rule.key
+    }
+  }
+
+  dynamic "path_matcher" {
+    for_each = var.advance_hosts_rules
+    content {
+      name            = path_matcher.key
+      default_service = path_matcher.value.default_service_id
+      dynamic "path_rule" {
+        for_each = path_matcher.value.path_rules != null ? path_matcher.value.path_rules : []
+        content {
+          paths   = path_rule.value.paths
+          service = path_rule.value.service_id
+        }
+      }
+    }
+  }
+
 }
 
 resource "google_compute_url_map" "http" {
@@ -88,6 +114,7 @@ resource "google_compute_target_https_proxy" "this" {
   url_map          = google_compute_url_map.https.self_link
   ssl_certificates = var.ssl_certificates
   ssl_policy       = google_compute_ssl_policy.this.self_link
+  certificate_map  = var.certificate_map_id
 }
 
 resource "google_compute_target_http_proxy" "this" {

diff --git a/variables.tf b/variables.tf
@@ -29,6 +29,17 @@ variable "ssl_certificates" {
   default     = []
 }
 
+variable "certificate_map_id" {
+  description = <<EOF
+    ID of a certificate map to attach to the load balancer. Must start with `//certificatemanager.googleapis.com/`
+    This will exclude all other certificates that are configured on the loadbalancer.
+    This is usefull when you want to preconfigure certificates before migration
+    (https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#terraform_2).
+    EOF
+  type        = string
+  default     = null
+}
+
 variable "buckets_backends" {
   description = "A map of buckets to add as the load balancer backends."
   type = map(object({
@@ -40,6 +51,7 @@ variable "buckets_backends" {
     }))
     security_policy = optional(string)
   }))
+  default = {}
 }
 
 variable "service_backends" {
@@ -52,6 +64,7 @@ variable "service_backends" {
     }))
     security_policy = optional(string)
   }))
+  default = {}
 }
 
 variable "custom_cdn_policies" {
@@ -71,3 +84,22 @@ variable "custom_cdn_policies" {
   }))
   default = {}
 }
+
+variable "default_service_self_link" {
+  description = "Override the default service of the load balancer. Should be the self_link of the service"
+  type        = string
+  default     = null
+}
+
+variable "advance_hosts_rules" {
+  description = "Define a more advance URL map for the Loadbalancer. Should not be used in combinaison with service_backend and bucket_backend"
+  type = map(object({
+    hosts              = list(string)     # List of host that will be served by this host rule
+    default_service_id = optional(string) # Default service id for this host rule
+    path_rules = optional(list(object({
+      paths      = list(string) # List of paths
+      service_id = string       # Service id that will service those paths
+    })))
+  }))
+  default = {}
+}
diff --git a/versions.tf b/versions.tf
@@ -3,11 +3,11 @@ terraform {
   required_providers {
     google = {
       source  = "hashicorp/google"
-      version = "~> 4.0"
+      version = "~> 6.0"
     }
     random = {
       source  = "hashicorp/random"
-      version = "~> 3.5.0"
+      version = "~> 3.6.0"
     }
   }
 }