Added IAP principals in load balancer backend service

Author: Deepraj1996

.terraform.lock

@@ -0,0 +1,37 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "lb-backend-iap" {
+#  source  = "terraform-google-modules/lb-http/google//modules/backend"
+#  version = "~> 12.0"
+
+  source = "../../modules/backend"
+  
+  project_id          = var.project_id
+  name                = "backend-with-iap"
+  iap_config = {
+    iap_members = ["user:[email protected]"]
+  }
+}
+
+module "lb-frontend" {
+  source  = "terraform-google-modules/lb-http/google//modules/frontend"
+  version = "~> 12.0"
+
+  project_id    = var.project_id
+  name          = "global-lb-fe-bucket"
+  url_map_input = module.lb-backend-iap.backend_service_info
+}

examples/backend-with-IAP/main.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "load-balancer-ip" {
+  value = module.lb-frontend.external_ip
+}

examples/backend-with-IAP/outputs.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type = string
+}

examples/backend-with-IAP/variables.tf

@@ -40,6 +40,8 @@ spec:
       - name: serverless_negs
         location: modules/serverless_negs
     examples:
+      - name: backend-with-IAP
+        location: examples/backend-with-IAP
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -346,6 +348,7 @@ spec:
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/iap.admin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com

metadata.yaml

@@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | groups | The list of backend instance group which serves the traffic. | <pre>list(object({<br>    group       = string<br>    description = optional(string)<br><br>    balancing_mode               = optional(string)<br>    capacity_scaler              = optional(number)<br>    max_connections              = optional(number)<br>    max_connections_per_instance = optional(number)<br>    max_connections_per_endpoint = optional(number)<br>    max_rate                     = optional(number)<br>    max_rate_per_instance        = optional(number)<br>    max_rate_per_endpoint        = optional(number)<br>    max_utilization              = optional(number)<br>  }))</pre> | `[]` | no |
 | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. | <pre>object({<br>    host                = optional(string, null)<br>    request_path        = optional(string, null)<br>    request             = optional(string, null)<br>    response            = optional(string, null)<br>    port                = optional(number, null)<br>    port_name           = optional(string, null)<br>    proxy_header        = optional(string, null)<br>    port_specification  = optional(string, null)<br>    protocol            = optional(string, null)<br>    check_interval_sec  = optional(number, 5)<br>    timeout_sec         = optional(number, 5)<br>    healthy_threshold   = optional(number, 2)<br>    unhealthy_threshold = optional(number, 2)<br>    logging             = optional(bool, false)<br>  })</pre> | `null` | no |
 | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service | <pre>list(object({<br>    host = string<br>    path = string<br>  }))</pre> | <pre>[<br>  {<br>    "host": "*",<br>    "path": "/*"<br>  }<br>]</pre> | no |
-| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure. | <pre>object({<br>    enable               = bool<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>  })</pre> | <pre>{<br>  "enable": false<br>}</pre> | no |
+| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service. | <pre>object({<br>    iap_members          = list(string)<br>    oauth2_client_id     = optional(string)<br>    oauth2_client_secret = optional(string)<br>  })</pre> | `null` | no |
 | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no |
 | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no |
 | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. | <pre>object({<br>    enable      = bool<br>    sample_rate = number<br>  })</pre> | <pre>{<br>  "enable": true,<br>  "sample_rate": 1<br>}</pre> | no |

modules/backend/README.md

@@ -80,10 +80,10 @@ resource "google_compute_backend_service" "default" {
   }
 
   dynamic "iap" {
-    for_each = var.iap_config.enable ? [1] : []
+    for_each = length(var.iap_config.iap_members) > 0 ? [1] : []
     content {
       oauth2_client_id     = lookup(var.iap_config, "oauth2_client_id", "")
-      enabled              = var.iap_config.enable
+      enabled              = length(var.iap_config.iap_members) > 0
       oauth2_client_secret = lookup(var.iap_config, "oauth2_client_secret", "")
     }
   }
@@ -365,3 +365,12 @@ resource "google_compute_backend_bucket" "default" {
     }
   }
 }
+
+resource "google_iap_web_backend_service_iam_member" "member" {
+  for_each            = toset(var.iap_config.iap_members)
+  project             = google_compute_backend_service.default[0].project
+  web_backend_service = google_compute_backend_service.default[0].name
+  role                = "roles/iap.httpsResourceAccessor"
+  member              = each.value
+}
+

modules/backend/main.tf

@@ -32,6 +32,8 @@ spec:
     description: {}
   content:
     examples:
+      - name: backend-with-IAP
+        location: examples/backend-with-IAP
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -189,15 +191,13 @@ spec:
             spec:
               outputExpr: name
       - name: iap_config
-        description: Settings for enabling Cloud Identity Aware Proxy Structure.
+        description: Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service.
         varType: |-
           object({
-              enable               = bool
+              iap_members          = list(string)
               oauth2_client_id     = optional(string)
               oauth2_client_secret = optional(string)
             })
-        defaultValue:
-          enable: false
       - name: cdn_policy
         description: Cloud CDN configuration for this BackendService.
         varType: |-
@@ -333,6 +333,7 @@ spec:
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/iap.admin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com

modules/backend/metadata.yaml

@@ -154,13 +154,13 @@ variable "backend_bucket_name" {
 }
 
 variable "iap_config" {
-  description = "Settings for enabling Cloud Identity Aware Proxy Structure."
+  description = "Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service."
   type = object({
-    enable               = bool
+    iap_members          = list(string)
     oauth2_client_id     = optional(string)
     oauth2_client_secret = optional(string)
   })
-  default = { enable = false }
+  default = null
 }
 
 variable "cdn_policy" {

modules/backend/variables.tf

@@ -32,6 +32,8 @@ spec:
     description: {}
   content:
     examples:
+      - name: backend-with-IAP
+        location: examples/backend-with-IAP
       - name: cdn-policy
         location: examples/cdn-policy
       - name: certificate-map
@@ -338,6 +340,7 @@ spec:
           - roles/certificatemanager.owner
           - roles/vpcaccess.admin
           - roles/iam.serviceAccountAdmin
+          - roles/iap.admin
     services:
       - cloudresourcemanager.googleapis.com
       - storage-api.googleapis.com