Internal Load Balancer Terraform Module

Modular Internal Load Balancer for GCE using forwarding rules.

Load Balancer Types

• TCP load balancer
• HTTP/S load balancer
• Internal load balancer

Compatibility

This module is meant for use with Terraform 1.3+ and tested using Terraform 1.3+. If you find incompatibilities using Terraform >=1.3, please open an issue.

Upgrading

The following guides are available to assist with upgrades:

• 1.X -> 2.0
• 5.x -> 6.x

Usage

module "gce-ilb" {
  source            = "GoogleCloudPlatform/lb-internal/google"
  version           = "~> 6.0"
  region            = var.region
  name              = "group2-ilb"
  ports             = ["80"]
  source_tags       = ["allow-group1"]
  target_tags       = ["allow-group2", "allow-group3"]

  health_check = {
    type                = "http"
    check_interval_sec  = 1
    healthy_threshold   = 4
    timeout_sec         = 1
    unhealthy_threshold = 5
    response            = ""
    proxy_header        = "NONE"
    port                = 80
    port_name           = "health-check-port"
    request             = ""
    request_path        = "/"
    host                = "1.2.3.4"
    enable_log          = false
  }

  backends = [
    {
      group       = module.mig2.instance_group
      description = ""
      failover    = false
    },
    {
      group       = module.mig3.instance_group
      description = ""
      failover    = false
    },
  ]
}

Inputs

Name	Description	Type	Default	Required
all_ports	Boolean for all_ports setting on forwarding rule. The ports or all_ports are mutually exclusive.	bool	null	no
backends	List of backends, should be a map of key-value pairs for each backend, must have the 'group' key.	list(any)	n/a	yes
connection_draining_timeout_sec	Time for which instance will be drained	number	null	no
create_backend_firewall	Controls if firewall rules for the backends will be created or not. Health-check firewall rules are controlled separately.	bool	true	no
create_health_check_firewall	Controls if firewall rules for the health check will be created or not. If this rule is not present backend healthcheck will fail.	bool	true	no
firewall_enable_logging	Controls if firewall rules that are created are to have logging configured. This will be ignored for firewall rules that are not created.	bool	false	no
global_access	Allow all regions on the same VPC network access.	bool	false	no
health_check	Health check to determine whether instances are responsive and able to do work	object({ type = string check_interval_sec = optional(number) healthy_threshold = optional(number) timeout_sec = optional(number) unhealthy_threshold = optional(number) response = optional(string) proxy_header = optional(string) port = optional(number) port_name = optional(string) request = optional(string) request_path = optional(string) host = optional(string) enable_log = optional(bool) })	n/a	yes
ip_address	IP address of the internal load balancer, if empty one will be assigned. Default is empty.	string	null	no
ip_protocol	The IP protocol for the backend and frontend forwarding rule. TCP or UDP.	string	"TCP"	no
is_mirroring_collector	Indicates whether or not this load balancer can be used as a collector for packet mirroring. This can only be set to true for load balancers that have their loadBalancingScheme set to INTERNAL.	bool	false	no
labels	The labels to attach to resources created by this module.	map(string)	{}	no
name	Name for the forwarding rule and prefix for supporting resources.	string	n/a	yes
network	Name of the network to create resources in.	string	"default"	no
network_project	Name of the project for the network. Useful for shared VPC. Default is var.project.	string	""	no
ports	List of ports to forward to backend services. Max is 5. The ports or all_ports are mutually exclusive.	list(string)	null	no
project	The project to deploy to, if not set the default provider project is used.	string	""	no
region	Region for cloud resources.	string	"us-central1"	no
service_label	Service label is used to create internal DNS name	string	null	no
session_affinity	The session affinity for the backends example: NONE, CLIENT_IP. Default is NONE.	string	"NONE"	no
source_ip_ranges	List of source ip ranges for traffic between the internal load balancer.	list(string)	null	no
source_service_accounts	List of source service accounts for traffic between the internal load balancer.	list(string)	null	no
source_tags	List of source tags for traffic between the internal load balancer.	list(string)	n/a	yes
subnetwork	Name of the subnetwork to create resources in.	string	"default"	no
target_service_accounts	List of target service accounts for traffic between the internal load balancer.	list(string)	null	no
target_tags	List of target tags for traffic between the internal load balancer.	list(string)	n/a	yes

Outputs

Name	Description
forwarding_rule	The forwarding rule self_link.
forwarding_rule_id	The forwarding rule id.
ip_address	The internal IP assigned to the regional forwarding rule.

Resources created

• google_compute_forwarding_rule.default: The internal regional forwarding rule.
• google_compute_region_backend_service.default: The backend service registered to the given instance_group.
• google_compute_health_check.tcp: The TCP health check for the instance_group targets.
• google_compute_health_check.http: The HTTP health check for the instance_group targets.
• google_compute_health_check.https: The HTTPS health check for the instance_group targets.
• google_compute_firewall.default-ilb-fw: Firewall rule that allows traffic from the source_tags resources to target_tags on the service_port.
• google_compute_firewall.default-hc: Firewall rule that allows traffic for health checks to the target_tags resources.