Allow cross-project backend services in ILB L7 module (#991)

* wip * neg, README * fix neg variable * fix neg project id, enable global access, add service directory
2022-11-18 09:48:41 +01:00 · 2022-11-18 09:48:41 +01:00 · 002ba4eef7
parent ddd47b0095
commit 002ba4eef7
7 changed files with 186 additions and 89 deletions
--- a/modules/net-ilb-l7/README.md
+++ b/modules/net-ilb-l7/README.md
--- a/modules/net-ilb-l7/backend-service.tf
+++ b/modules/net-ilb-l7/backend-service.tf
@ -31,9 +31,13 @@ locals {
 }

 resource "google_compute_region_backend_service" "default" {
-  provider                        = google-beta
-  for_each                        = var.backend_service_configs
-  project                         = var.project_id
+  provider = google-beta
+  for_each = var.backend_service_configs
+  project = (
+    each.value.project_id == null
+    ? var.project_id
+    : each.value.project_id
+  )
  region                          = var.region
  name                            = "${var.name}-${each.key}"
  description                     = var.description
--- a/modules/net-ilb-l7/health-check.tf
+++ b/modules/net-ilb-l7/health-check.tf
@ -17,9 +17,13 @@
 # tfdoc:file:description Health check resource.

 resource "google_compute_health_check" "default" {
-  provider            = google-beta
-  for_each            = var.health_check_configs
-  project             = var.project_id
+  provider = google-beta
+  for_each = var.health_check_configs
+  project = (
+    each.value.project_id == null
+    ? var.project_id
+    : each.value.project_id
+  )
  name                = "${var.name}-${each.key}"
  description         = each.value.description
  check_interval_sec  = each.value.check_interval_sec
--- a/modules/net-ilb-l7/main.tf
+++ b/modules/net-ilb-l7/main.tf
@ -33,13 +33,15 @@ locals {
    "${v.neg}-${v.ip_address}-${coalesce(v.port, "none")}" => v
  }
  neg_regional = {
-    for k, v in var.neg_configs : k => v.cloudrun if v.cloudrun != null
+    for k, v in var.neg_configs :
+    k => merge(v.cloudrun, { project_id = v.project_id }) if v.cloudrun != null
  }
  neg_zonal = {
    # we need to rebuild new objects as we cannot merge different types
    for k, v in var.neg_configs : k => {
      endpoints  = v.gce != null ? v.gce.endpoints : v.hybrid.endpoints
      network    = v.gce != null ? v.gce.network : v.hybrid.network
+      project_id = v.project_id
      subnetwork = v.gce != null ? v.gce.subnetwork : null
      type       = v.gce != null ? "GCE_VM_IP_PORT" : "NON_GCP_PRIVATE_IP_PORT"
      zone       = v.gce != null ? v.gce.zone : v.hybrid.zone
@ -66,7 +68,15 @@ resource "google_compute_forwarding_rule" "default" {
  subnetwork            = var.vpc_config.subnetwork
  labels                = var.labels
  target                = local.fwd_rule_target
-  # service_directory_registrations
+  # during the preview phase you cannot change this attribute on an existing rule
+  allow_global_access = var.global_access
+  dynamic "service_directory_registrations" {
+    for_each = var.service_directory_registration == null ? [] : [""]
+    content {
+      namespace = var.service_directory_registration.namespace
+      service   = var.service_directory_registration.service
+    }
+  }
 }

 resource "google_compute_region_ssl_certificate" "default" {
@ -98,8 +108,12 @@ resource "google_compute_region_target_https_proxy" "default" {
 }

 resource "google_compute_instance_group" "default" {
-  for_each    = var.group_configs
-  project     = var.project_id
+  for_each = var.group_configs
+  project = (
+    each.value.project_id == null
+    ? var.project_id
+    : each.value.project_id
+  )
  zone        = each.value.zone
  name        = "${var.name}-${each.key}"
  description = var.description
@ -115,9 +129,13 @@ resource "google_compute_instance_group" "default" {

 resource "google_compute_network_endpoint_group" "default" {
  for_each = local.neg_zonal
-  project  = var.project_id
-  zone     = each.value.zone
-  name     = "${var.name}-${each.key}"
+  project = (
+    each.value.project_id == null
+    ? var.project_id
+    : each.value.project_id
+  )
+  zone = each.value.zone
+  name = "${var.name}-${each.key}"
  # re-enable once provider properly supports this
  # default_port = each.value.default_port
  description           = var.description
@ -134,7 +152,9 @@ resource "google_compute_network_endpoint_group" "default" {

 resource "google_compute_network_endpoint" "default" {
  for_each = local.neg_endpoints
-  project  = var.project_id
+  project = (
+    google_compute_network_endpoint_group.default[each.value.neg].project
+  )
  network_endpoint_group = (
    google_compute_network_endpoint_group.default[each.value.neg].name
  )
@ -145,8 +165,12 @@ resource "google_compute_network_endpoint" "default" {
 }

 resource "google_compute_region_network_endpoint_group" "default" {
-  for_each              = local.neg_regional
-  project               = var.project_id
+  for_each = local.neg_regional
+  project = (
+    each.value.project_id == null
+    ? var.project_id
+    : each.value.project_id
+  )
  region                = each.value.region
  name                  = "${var.name}-${each.key}"
  description           = var.description
--- a/modules/net-ilb-l7/variables-backend-service.tf
+++ b/modules/net-ilb-l7/variables-backend-service.tf
@ -25,6 +25,7 @@ variable "backend_service_configs" {
    locality_lb_policy              = optional(string)
    log_sample_rate                 = optional(number)
    port_name                       = optional(string)
+    project_id                      = optional(string)
    protocol                        = optional(string)
    session_affinity                = optional(string)
    timeout_sec                     = optional(number)
--- a/modules/net-ilb-l7/variables-health-check.tf
+++ b/modules/net-ilb-l7/variables-health-check.tf
@ -23,6 +23,7 @@ variable "health_check_configs" {
    description         = optional(string, "Terraform managed.")
    enable_logging      = optional(bool, false)
    healthy_threshold   = optional(number)
+    project_id          = optional(string)
    timeout_sec         = optional(number)
    unhealthy_threshold = optional(number)
    grpc = optional(object({
--- a/modules/net-ilb-l7/variables.tf
+++ b/modules/net-ilb-l7/variables.tf
@ -26,12 +26,20 @@ variable "description" {
  default     = "Terraform managed."
 }

+# during the preview phase you cannot change this attribute on an existing rule
+variable "global_access" {
+  description = "Allow client access from all regions."
+  type        = bool
+  default     = null
+}
+
 variable "group_configs" {
  description = "Optional unmanaged groups to create. Can be referenced in backends via key or outputs."
  type = map(object({
    zone        = string
    instances   = optional(list(string), [])
    named_ports = optional(map(number), {})
+    project_id  = optional(string)
  }))
  default  = {}
  nullable = false
@ -51,6 +59,7 @@ variable "name" {
 variable "neg_configs" {
  description = "Optional network endpoint groups to create. Can be referenced in backends via key or outputs."
  type = map(object({
+    project_id = optional(string)
    cloudrun = optional(object({
      region = string
      target_service = optional(object({
@ -143,6 +152,15 @@ variable "region" {
  type        = string
 }

+variable "service_directory_registration" {
+  description = "Service directory namespace and service used to register this load balancer."
+  type = object({
+    namespace = string
+    service   = string
+  })
+  default = null
+}
+
 variable "ssl_certificates" {
  description = "SSL target proxy certificates (only if protocol is HTTPS)."
  type = object({