feat: Add submodule which ignores changes to backend group (#81)

* feat: Add autogenerated dynamic backends submodule

* Add make build command to CONTRIBUTING.md

Author: morgante

CONTRIBUTING.md

@@ -10,17 +10,20 @@ The following dependencies must be installed on the development system:
 - [Google Cloud SDK][google-cloud-sdk]
 - [make]
 
-## Generating Documentation for Inputs and Outputs
+## Generating Modules
+
+Run `make build` to generate new module code.
+
+### Submodules
+The main module Terraform code is stored in the [./autogen](./autogen) folder. Changes should be made there and then reflected into the submodules via `make build`.
+
+### Generating Documentation for Inputs and Outputs
 
 The Inputs and Outputs tables in the READMEs of the root module,
 submodules, and example modules are automatically generated based on
 the `variables` and `outputs` of the respective modules. These tables
 must be refreshed if the module interfaces are changed.
 
-### Execution
-
-Run `make generate_docs` to generate new Inputs and Outputs tables.
-
 ## Integration Testing
 
 Integration tests are used to verify the behaviour of the root module,

Makefile

@@ -80,6 +80,17 @@ docker_generate_docs:
 		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
 		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs'
 
+## Generate files from autogen
+.PHONY: docker_generate_modules
+docker_generate_modules:
+	docker run --rm -it \
+		-v "$(CURDIR)":/workspace \
+		$(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \
+		/bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_modules'
+
 # Alias for backwards compatibility
 .PHONY: generate_docs
 generate_docs: docker_generate_docs
+
+.PHONY: build
+build: docker_generate_modules docker_generate_docs

README.md

@@ -2,6 +2,8 @@
 
 Modular Global HTTP Load Balancer for GCE using forwarding rules.
 
+If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the [dynamic backends](./modules/dynamic_backends) submodule.
+
 ### Load Balancer Types
 * [TCP load balancer](https://github.com/terraform-google-modules/terraform-google-lb)
 * **HTTP/S load balancer**

autogen/README.md

@@ -0,0 +1,129 @@
+# Global HTTP Load Balancer Terraform Module
+
+Modular Global HTTP Load Balancer for GCE using forwarding rules.
+
+{% if root %}
+If you would like to allow for backend groups to be managed outside Terraform, such as via GKE services, see the [dynamic backends](./modules/dynamic_backends) submodule.
+{% elif dynamic_backends %}
+This submodule allows for configuring dynamic backend outside Terraform.
+As such, any changes to the `backends.groups` variable after creation will be ignored.
+{% endif %}
+
+### Load Balancer Types
+* [TCP load balancer](https://github.com/terraform-google-modules/terraform-google-lb)
+* **HTTP/S load balancer**
+* [Internal load balancer](https://github.com/terraform-google-modules/terraform-google-lb-internal)
+
+## Compatibility
+
+This module is meant for use with Terraform 0.12. If you haven't [upgraded](https://www.terraform.io/upgrade-guides/0-12.html) and
+need a Terraform 0.11.x-compatible version of this module, the last released version intended for Terraform 0.11.x is
+[1.0.10](https://registry.terraform.io/modules/GoogleCloudPlatform/lb-http/google/1.0.10).
+
+## Usage
+
+```HCL
+module "gce-lb-http" {
+  source            = "GoogleCloudPlatform/lb-http/google{{ module_path }}"
+  name              = "group-http-lb"
+  target_tags       = [module.mig1.target_tags, module.mig2.target_tags]
+  backends = {
+    default = {
+      description                     = null
+      protocol                        = "HTTP"
+      port                            = var.service_port
+      port_name                       = var.service_port_name
+      timeout_sec                     = 10
+      connection_draining_timeout_sec = null
+      enable_cdn                      = false
+
+      health_check = {
+        check_interval_sec  = null
+        timeout_sec         = null
+        healthy_threshold   = null
+        unhealthy_threshold = null
+        request_path        = "/"
+        port                = var.service_port
+        host                = null
+      }
+
+      groups = [
+        {
+          # Each node pool instance group should be added to the backend.
+          group                        = var.backend
+          balancing_mode               = null
+          capacity_scaler              = null
+          description                  = null
+          max_connections              = null
+          max_connections_per_instance = null
+          max_connections_per_endpoint = null
+          max_rate                     = null
+          max_rate_per_instance        = null
+          max_rate_per_endpoint        = null
+          max_utilization              = null
+        },
+      ]
+    }
+  }
+}
+```
+
+## Resources created
+
+**Figure 1.** *diagram of terraform resources*
+
+![architecture diagram](./diagram.png)
+
+## Version
+
+Current version is 3.0. Upgrade guides:
+- [1.X -> 2.X](https://www.terraform.io/upgrade-guides/0-12.html)
+- [2.X -> 3.0](./docs/upgrading-v2.0.0-v3.0.0.md)
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|:----:|:-----:|:-----:|
+| address | IP address self link | string | `"null"` | no |
+| backends | Map backend indices to list of backend maps. | object | n/a | yes |
+| cdn | Set to `true` to enable cdn on backend. | bool | `"false"` | no |
+| certificate | Content of the SSL certificate. Required if `ssl` is `true` and `ssl_certificates` is empty. | string | `"null"` | no |
+| create\_address | Create a new global address | bool | `"true"` | no |
+| create\_url\_map | Set to `false` if url_map variable is provided. | bool | `"true"` | no |
+| firewall\_networks | Names of the networks to create firewall rules in | list(string) | `<list>` | no |
+| firewall\_projects | Names of the projects to create firewall rules in | list(string) | `<list>` | no |
+| http\_forward | Set to `false` to disable HTTP port 80 forward | bool | `"true"` | no |
+| ip\_version | IP version for the Global address (IPv4 or v6) - Empty defaults to IPV4 | string | `"null"` | no |
+| name | Name for the forwarding rule and prefix for supporting resources | string | n/a | yes |
+| private\_key | Content of the private SSL key. Required if `ssl` is `true` and `ssl_certificates` is empty. | string | `"null"` | no |
+| project | The project to deploy to, if not set the default provider project is used. | string | n/a | yes |
+| quic | Set to `true` to enable QUIC support | bool | `"false"` | no |
+| security\_policy | The resource URL for the security policy to associate with the backend service | string | `"null"` | no |
+| ssl | Set to `true` to enable SSL support, requires variable `ssl_certificates` - a list of self_link certs | bool | `"false"` | no |
+| ssl\_certificates | SSL cert self_link list. Required if `ssl` is `true` and no `private_key` and `certificate` is provided. | list(string) | `<list>` | no |
+| ssl\_policy | Selfink to SSL Policy | string | `"null"` | no |
+| target\_tags | List of target tags for health check firewall rule. | list(string) | n/a | yes |
+| url\_map | The url_map resource to use. Default is to send all traffic to first backend. | string | `"null"` | no |
+| use\_ssl\_certificates | If true, use the certificates provided by `ssl_certificates`, otherwise, create cert from `private_key` and `certificate` | bool | `"false"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| backend\_services | The backend service resources. |
+| external\_ip | The external IP assigned to the global fowarding rule. |
+| http\_proxy | The HTTP proxy used by this module. |
+| https\_proxy | The HTTPS proxyused by this module. |
+
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+
+- [`google_compute_global_forwarding_rule.http`](https://www.terraform.io/docs/providers/google/r/compute_global_forwarding_rule.html): The global HTTP forwarding rule.
+- [`google_compute_global_forwarding_rule.https`](https://www.terraform.io/docs/providers/google/r/compute_global_forwarding_rule.html): The global HTTPS forwarding rule created when `ssl` is `true`.
+- [`google_compute_target_http_proxy.default`](https://www.terraform.io/docs/providers/google/r/compute_target_http_proxy.html): The HTTP proxy resource that binds the url map. Created when input `ssl` is `false`.
+- [`google_compute_target_https_proxy.default`](https://www.terraform.io/docs/providers/google/r/compute_target_https_proxy.html): The HTTPS proxy resource that binds the url map. Created when input `ssl` is `true`.
+- [`google_compute_ssl_certificate.default`](https://www.terraform.io/docs/providers/google/r/compute_ssl_certificate.html): The certificate resource created when input `ssl` is `true`.
+- [`google_compute_url_map.default`](https://www.terraform.io/docs/providers/google/r/compute_url_map.html): The default URL map resource when input `url_map` is not provided.
+- [`google_compute_backend_service.default.*`](https://www.terraform.io/docs/providers/google/r/compute_backend_service.html): The backend services created for each of the `backend_params` elements.
+- [`google_compute_health_check.default.*`](https://www.terraform.io/docs/providers/google/r/compute_health_check.html): Health check resources create for each of the backend services.
+- [`google_compute_firewall.default-hc`](https://www.terraform.io/docs/providers/google/r/compute_firewall.html): Firewall rule created for each of the backed services to alllow health checks to the instance group.

autogen/main.tf.tmpl

@@ -0,0 +1,207 @@
+/**
+ * Copyright 2017 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+locals {
+  address = var.create_address ? join("", google_compute_global_address.default.*.address) : var.address
+  url_map = var.create_url_map ? join("", google_compute_url_map.default.*.self_link) : var.url_map
+}
+
+resource "google_compute_global_forwarding_rule" "http" {
+  project    = var.project
+  count      = var.http_forward ? 1 : 0
+  name       = var.name
+  target     = google_compute_target_http_proxy.default[0].self_link
+  ip_address = local.address
+  port_range = "80"
+}
+
+resource "google_compute_global_forwarding_rule" "https" {
+  project    = var.project
+  count      = var.ssl ? 1 : 0
+  name       = "${var.name}-https"
+  target     = google_compute_target_https_proxy.default[0].self_link
+  ip_address = local.address
+  port_range = "443"
+}
+
+resource "google_compute_global_address" "default" {
+  count      = var.create_address ? 1 : 0
+  project    = var.project
+  name       = "${var.name}-address"
+  ip_version = var.ip_version
+}
+
+# HTTP proxy when http forwarding is true
+resource "google_compute_target_http_proxy" "default" {
+  project = var.project
+  count   = var.http_forward ? 1 : 0
+  name    = "${var.name}-http-proxy"
+  url_map = local.url_map
+}
+
+# HTTPS proxy when ssl is true
+resource "google_compute_target_https_proxy" "default" {
+  project = var.project
+  count   = var.ssl ? 1 : 0
+  name    = "${var.name}-https-proxy"
+  url_map = local.url_map
+
+  ssl_certificates = compact(concat(var.ssl_certificates, google_compute_ssl_certificate.default.*.self_link, ), )
+  ssl_policy       = var.ssl_policy
+  quic_override    = var.quic ? "ENABLE" : null
+}
+
+resource "google_compute_ssl_certificate" "default" {
+  project     = var.project
+  count       = var.ssl && ! var.use_ssl_certificates ? 1 : 0
+  name_prefix = "${var.name}-certificate-"
+  private_key = var.private_key
+  certificate = var.certificate
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "google_compute_url_map" "default" {
+  project         = var.project
+  count           = var.create_url_map ? 1 : 0
+  name            = "${var.name}-url-map"
+  default_service = google_compute_backend_service.default[keys(var.backends)[0]].self_link
+
+}
+
+resource "google_compute_backend_service" "default" {
+  for_each = var.backends
+
+  project = var.project
+  name    = "${var.name}-backend-${each.key}"
+
+  port_name                       = each.value.port_name
+  protocol                        = each.value.protocol
+  timeout_sec                     = lookup(each.value, "timeout_sec", null)
+  description                     = lookup(each.value, "description", null)
+  connection_draining_timeout_sec = lookup(each.value, "connection_draining_timeout_sec", null)
+  enable_cdn                      = lookup(each.value, "enable_cdn", false)
+  security_policy                 = var.security_policy
+  health_checks                   = [google_compute_health_check.default[each.key].self_link]
+
+  dynamic "backend" {
+    for_each = toset(each.value["groups"])
+    content {
+      balancing_mode               = lookup(backend.value, "balancing_mode")
+      capacity_scaler              = lookup(backend.value, "capacity_scaler")
+      description                  = lookup(backend.value, "description")
+      group                        = lookup(backend.value, "group")
+      max_connections              = lookup(backend.value, "max_connections")
+      max_connections_per_instance = lookup(backend.value, "max_connections_per_instance")
+      max_connections_per_endpoint = lookup(backend.value, "max_connections_per_endpoint")
+      max_rate                     = lookup(backend.value, "max_rate")
+      max_rate_per_instance        = lookup(backend.value, "max_rate_per_instance")
+      max_rate_per_endpoint        = lookup(backend.value, "max_rate_per_endpoint")
+      max_utilization              = lookup(backend.value, "max_utilization")
+    }
+  }
+
+  depends_on = [google_compute_health_check.default]
+
+  {% if dynamic_backends %}
+  lifecycle {
+    ignore_changes = [backend]
+  }
+  {% endif %}
+}
+
+resource "google_compute_health_check" "default" {
+  for_each = var.backends
+  project  = var.project
+  name     = "${var.name}-hc-${each.key}"
+
+  check_interval_sec  = lookup(each.value["health_check"], "check_interval_sec", 5)
+  timeout_sec         = lookup(each.value["health_check"], "timeout_sec", 5)
+  healthy_threshold   = lookup(each.value["health_check"], "healthy_threshold", 2)
+  unhealthy_threshold = lookup(each.value["health_check"], "unhealthy_threshold", 2)
+
+  dynamic "http_health_check" {
+    for_each = each.value["protocol"] == "HTTP" ? [
+      {
+        host         = lookup(each.value["health_check"], "host", null)
+        request_path = lookup(each.value["health_check"], "request_path", null)
+        port         = lookup(each.value["health_check"], "port", null)
+      }
+    ] : []
+
+    content {
+      host         = lookup(http_health_check.value, "host", null)
+      request_path = lookup(http_health_check.value, "request_path", null)
+      port         = lookup(http_health_check.value, "port", null)
+    }
+  }
+
+  dynamic "https_health_check" {
+    for_each = each.value["protocol"] == "HTTPS" ? [
+      {
+        host         = lookup(each.value["health_check"], "host", null)
+        request_path = lookup(each.value["health_check"], "request_path", null)
+        port         = lookup(each.value["health_check"], "port", null)
+      }
+    ] : []
+
+    content {
+      host         = lookup(https_health_check.value, "host", null)
+      request_path = lookup(https_health_check.value, "request_path", null)
+      port         = lookup(https_health_check.value, "port", null)
+    }
+  }
+
+  dynamic "http2_health_check" {
+    for_each = each.value["protocol"] == "HTTP2" ? [
+      {
+        host         = lookup(each.value["health_check"], "host", null)
+        request_path = lookup(each.value["health_check"], "request_path", null)
+        port         = lookup(each.value["health_check"], "port", null)
+      }
+    ] : []
+
+    content {
+      host         = lookup(http2_health_check.value, "host", null)
+      request_path = lookup(http2_health_check.value, "request_path", null)
+      port         = lookup(http2_health_check.value, "port", null)
+    }
+  }
+
+}
+
+resource "google_compute_firewall" "default-hc" {
+  count   = length(var.firewall_networks)
+  project = length(var.firewall_networks) == 1 && var.firewall_projects[0] == "default" ? var.project : var.firewall_projects[count.index]
+  name    = "${var.name}-hc-${count.index}"
+  network = var.firewall_networks[count.index]
+  source_ranges = [
+    "130.211.0.0/22",
+    "35.191.0.0/16"
+  ]
+  target_tags = var.target_tags
+
+  dynamic "allow" {
+    for_each = var.backends
+    content {
+      protocol = "tcp"
+      ports    = [allow.value.port]
+    }
+  }
+}