terraform-provider-google: missing way to create gcp internal HTTPS load balancer.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the “modular-magician” user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to “hashibot”, a community member has claimed the issue already.
Description
As per the GCP documentation, in order to create an internal HTTPS load balancer, the following items are needed, but I could not find them in the provider:
- regional SSL certificates
- proxy-only subnet
I have tried the following, but in the absence of the above resources (or due to my lack of understanding) I get a 503 from the Google backend:
```hcl
# Subnet intended for the internal load balancer (no purpose/role set,
# so it is an ordinary subnet, not a proxy-only subnet).
resource "google_compute_subnetwork" "XYZ-internal-lb-subnet" {
  name          = "XYZ-internal-lb-subnet"
  ip_cidr_range = "10.100.10.0/24"
  region        = "us-east1"
  network       = "XYZ-staging"
}

# Global health check against Vault's health endpoint.
resource "google_compute_health_check" "vault-health-check" {
  name               = "vault-health-check"
  timeout_sec        = 5
  check_interval_sec = 10
  https_health_check {
    port         = 8200
    request_path = "/v1/sys/health"
  }
}

# Regional backend service pointing at the Vault instance group.
resource "google_compute_region_backend_service" "vault-backend-service" {
  name          = "vault-backend-service"
  region        = "us-east1"
  health_checks = [google_compute_health_check.vault-health-check.self_link]
  protocol      = "HTTPS"
  backend {
    group                 = google_compute_instance_group.vault-servers.self_link
    balancing_mode        = "RATE"
    max_rate_per_instance = 1000
  }
}

# Forwarding rule with the INTERNAL_MANAGED scheme, targeting the backend
# service directly.
resource "google_compute_forwarding_rule" "vault-forwarding-rule" {
  name                  = "vault-forwarding-rule2"
  region                = "us-east1"
  ports                 = ["443"]
  load_balancing_scheme = "INTERNAL_MANAGED"
  backend_service       = google_compute_region_backend_service.vault-backend-service.self_link
  network               = "projects/XYZ-165816/global/networks/XYZ-staging"
  subnetwork            = "staging-app"
}

# Unmanaged instance group containing the two Vault VMs.
resource "google_compute_instance_group" "vault-servers" {
  name = "vault-servers"
  named_port {
    name = "https"
    port = 443
  }
  instances = [
    google_compute_instance.vault-1.self_link,
    google_compute_instance.vault-2.self_link,
  ]
  zone = "us-east1-b"
}

# Global URL map and global HTTPS proxy (the regional variants are what the
# issue reports as missing).
resource "google_compute_url_map" "vault-urlmap" {
  name            = "vault-urlmap"
  default_service = google_compute_region_backend_service.vault-backend-service.self_link
}

resource "google_compute_target_https_proxy" "vault-https-proxy" {
  name             = "vault-https-proxy"
  url_map          = google_compute_url_map.vault-urlmap.self_link
  ssl_certificates = ["wc-internal-cm-o"]
}
```
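For reference, the shape of a complete internal HTTPS load balancer as the GCP documentation describes it, written as an added example and not taken from the issue or from the provider's own examples. It assumes the regional resource types and the subnet `purpose`/`role` arguments (`google_compute_subnetwork` with `purpose = "INTERNAL_HTTPS_LOAD_BALANCER"`, `google_compute_region_ssl_certificate`, `google_compute_region_url_map`, `google_compute_region_target_https_proxy`, `google_compute_region_health_check`) are available in the provider version being run; they were exactly the pieces missing when this issue was filed. Names, CIDR ranges, certificate file paths and the `vault` network tag are constructed for the example; the backend service and instance group reuse the names from the configuration above. The two firewall rules are the part that is easy to forget: backends only need to accept traffic from the proxy-only range and from Google's health-check ranges, so nothing else in the VPC should be allowed to reach them directly.

```hcl
# Proxy-only subnet: every internal HTTP(S) LB proxy in this region and VPC
# draws its address from here, so backends see connections from this range.
resource "google_compute_subnetwork" "proxy_only" {
  name          = "proxy-only-subnet"   # constructed name
  ip_cidr_range = "10.100.20.0/24"      # constructed range, must not overlap
  region        = "us-east1"
  network       = "XYZ-staging"
  purpose       = "INTERNAL_HTTPS_LOAD_BALANCER"
  role          = "ACTIVE"
}

# Regional certificate: a regional proxy cannot reference a global
# google_compute_ssl_certificate.
resource "google_compute_region_ssl_certificate" "internal" {
  name        = "wc-internal-regional"   # constructed name
  region      = "us-east1"
  private_key = file("certs/internal.key")   # constructed paths
  certificate = file("certs/internal.crt")
}

# Regional health check; the scheme on the backend service must be
# INTERNAL_MANAGED or the forwarding rule will not accept it.
resource "google_compute_region_health_check" "vault" {
  name   = "vault-regional-health-check"
  region = "us-east1"
  https_health_check {
    port         = 8200
    request_path = "/v1/sys/health"
  }
}

resource "google_compute_region_backend_service" "vault" {
  name                  = "vault-backend-service"
  region                = "us-east1"
  protocol              = "HTTPS"
  port_name             = "https"
  load_balancing_scheme = "INTERNAL_MANAGED"
  health_checks         = [google_compute_region_health_check.vault.self_link]
  backend {
    group                 = google_compute_instance_group.vault-servers.self_link
    balancing_mode        = "RATE"
    max_rate_per_instance = 1000
  }
}

resource "google_compute_region_url_map" "vault" {
  name            = "vault-urlmap"
  region          = "us-east1"
  default_service = google_compute_region_backend_service.vault.self_link
}

resource "google_compute_region_target_https_proxy" "vault" {
  name             = "vault-https-proxy"
  region           = "us-east1"
  url_map          = google_compute_region_url_map.vault.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.internal.self_link]
}

# The forwarding rule targets the regional proxy, not the backend service,
# and the proxy-only subnet has to exist before it is created.
resource "google_compute_forwarding_rule" "vault" {
  name                  = "vault-forwarding-rule"
  region                = "us-east1"
  ip_protocol           = "TCP"
  port_range            = "443"
  load_balancing_scheme = "INTERNAL_MANAGED"
  target                = google_compute_region_target_https_proxy.vault.self_link
  network               = "XYZ-staging"
  subnetwork            = "staging-app"
  depends_on            = [google_compute_subnetwork.proxy_only]
}

# Ingress to the Vault VMs (tagged "vault", constructed tag) is limited to the
# proxy-only range on the serving port.
resource "google_compute_firewall" "allow_proxy_only_to_vault" {
  name          = "allow-proxy-only-to-vault"
  network       = "XYZ-staging"
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.proxy_only.ip_cidr_range]
  target_tags   = ["vault"]
  allow {
    protocol = "tcp"
    ports    = ["8200"]
  }
}

# Google's health-check probers come from these two documented ranges.
resource "google_compute_firewall" "allow_health_checks_to_vault" {
  name          = "allow-health-checks-to-vault"
  network       = "XYZ-staging"
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["vault"]
  allow {
    protocol = "tcp"
    ports    = ["8200"]
  }
}
```

The `depends_on` on the forwarding rule matters in practice: the API rejects an `INTERNAL_MANAGED` forwarding rule with a 400 when no active proxy-only subnet exists in the region yet, and Terraform has no implicit edge from the forwarding rule to that subnet.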
About this issue
- State: closed
- Created 5 years ago
- Reactions: 12
- Comments: 20 (2 by maintainers)
@jharshman I have been working on this but encountered an issue with creating a forwarding rule that uses a subnetwork with `purpose = INTERNAL_HTTPS_LOAD_BALANCER`. I’m talking with the relevant team but haven’t found a resolution yet.

Specifically, what I mean is that if I attempt to have Terraform provision the resources listed for the example (part 1, part 2), the creation of the forwarding rule fails with a 400. Have you been successful setting up a forwarding rule like this outside of Terraform?

@tysen Is there any ETA on this feature, or is there any working workaround with URL maps and all the stuff that is possible to configure via the `gcloud` CLI on the internal HTTP(S) LB? https://cloud.google.com/load-balancing/docs/l7-internal/set-up-gce-vms

@tysen I am able to create an L7 ILB from the UI when starting from scratch. However, having TF provision only part of the resources and then going into the UI to finish the forwarding rule does result in an error.