From 2c202c1a39cc804236acefff6d2355d87f97861b Mon Sep 17 00:00:00 2001 From: Deepraj Date: Wed, 6 Aug 2025 07:13:10 +0000 Subject: [PATCH 01/16] Added IAP principals in load balancer backend service --- .terraform.lock | 0 examples/backend-with-IAP/main.tf | 37 ++++++++++++++++++ examples/backend-with-IAP/outputs.tf | 19 +++++++++ examples/backend-with-IAP/variables.tf | 19 +++++++++ metadata.yaml | 3 ++ modules/backend/README.md | 2 +- modules/backend/main.tf | 13 ++++++- modules/backend/metadata.yaml | 9 +++-- modules/backend/variables.tf | 6 +-- modules/dynamic_backends/metadata.yaml | 3 ++ modules/frontend/metadata.yaml | 3 ++ modules/serverless_negs/metadata.yaml | 3 ++ .../backend-with-iap/backend_with_iap_test.go | 39 +++++++++++++++++++ test/setup/iam.tf | 3 +- test/setup/main.tf | 1 + 15 files changed, 149 insertions(+), 11 deletions(-) create mode 100644 .terraform.lock create mode 100644 examples/backend-with-IAP/main.tf create mode 100644 examples/backend-with-IAP/outputs.tf create mode 100644 examples/backend-with-IAP/variables.tf create mode 100644 test/integration/backend-with-iap/backend_with_iap_test.go diff --git a/.terraform.lock b/.terraform.lock new file mode 100644 index 00000000..e69de29b diff --git a/examples/backend-with-IAP/main.tf b/examples/backend-with-IAP/main.tf new file mode 100644 index 00000000..156ced41 --- /dev/null +++ b/examples/backend-with-IAP/main.tf 
@@ -0,0 +1,37 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "lb-backend-iap" {
+# source = "terraform-google-modules/lb-http/google//modules/backend"
+# version = "~> 12.0"
+
+ source = "../../modules/backend"
+
+ project_id = var.project_id
+ name = "backend-with-iap"
+ iap_config = {
+ iap_members = ["user:test@test.test"]
+ }
+}
+
+module "lb-frontend" {
+ source = "terraform-google-modules/lb-http/google//modules/frontend"
+ version = "~> 12.0"
+
+ project_id = var.project_id
+ name = "global-lb-fe-bucket"
+ url_map_input = module.lb-backend-iap.backend_service_info
+}
diff --git a/examples/backend-with-IAP/outputs.tf b/examples/backend-with-IAP/outputs.tf
new file mode 100644
index 00000000..456878ac
--- /dev/null
+++ b/examples/backend-with-IAP/outputs.tf
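Review bot: The example grants IAP access to the placeholder principal `user:test@test.test` in `iap_members`, which exists in no real organisation, so an apply yields an IAP-enabled backend that nobody can reach and the example does not demonstrate the feature end to end; a variable such as `var.iap_member` (defaulting to the CI identity) or a comment stating that the value must be replaced would make the intent explicit. The frontend module is given no certificate or SSL input, and IAP is generally documented as requiring an HTTPS load balancer, so confirm that the example actually exercises IAP rather than only setting the flag. `name = "global-lb-fe-bucket"` looks copied from the backend-bucket example. The empty `.terraform.lock` file added at the repository root in the same commit looks accidental.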
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "load-balancer-ip" {
+ value = module.lb-frontend.external_ip
+}
diff --git a/examples/backend-with-IAP/variables.tf b/examples/backend-with-IAP/variables.tf
new file mode 100644
index 00000000..419e3a19
--- /dev/null
+++ b/examples/backend-with-IAP/variables.tf
@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+ type = string
+}
diff --git a/metadata.yaml b/metadata.yaml
index 722dd8f8..c12b4bf3 100644
--- a/metadata.yaml
+++ b/metadata.yaml
@@ -40,6 +40,8 @@ spec:
 - name: serverless_negs
 location: modules/serverless_negs
 examples:
+ - name: backend-with-IAP
+ location: examples/backend-with-IAP
 - name: cdn-policy
 location: examples/cdn-policy
 - name: certificate-map
@@ -346,6 +348,7 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/modules/backend/README.md b/modules/backend/README.md index 7fd910de..52ba9b17 100644 --- a/modules/backend/README.md +++ b/modules/backend/README.md @@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci | groups | The list of backend instance group which serves the traffic. |
list(object({
group = string
description = optional(string)

balancing_mode = optional(string)
capacity_scaler = optional(number)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
| `[]` | no | | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. |
object({
host = optional(string, null)
request_path = optional(string, null)
request = optional(string, null)
response = optional(string, null)
port = optional(number, null)
port_name = optional(string, null)
proxy_header = optional(string, null)
port_specification = optional(string, null)
protocol = optional(string, null)
check_interval_sec = optional(number, 5)
timeout_sec = optional(number, 5)
healthy_threshold = optional(number, 2)
unhealthy_threshold = optional(number, 2)
logging = optional(bool, false)
})
| `null` | no | | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service |
list(object({
host = string
path = string
}))
|
[
{
"host": "*",
"path": "/*"
}
]
| no | -| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure. |
object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
|
{
"enable": false
}
| no | +| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
iap_members = list(string)
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
| `null` | no | | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no | | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. |
object({
enable = bool
sample_rate = number
})
|
{
"enable": true,
"sample_rate": 1
}
| no |
diff --git a/modules/backend/main.tf b/modules/backend/main.tf
index ebe6f035..dfa5f9bc 100644
--- a/modules/backend/main.tf
+++ b/modules/backend/main.tf
@@ -80,10 +80,10 @@ resource "google_compute_backend_service" "default" {
 }
 dynamic "iap" {
- for_each = var.iap_config.enable ? [1] : []
+ for_each = length(var.iap_config.iap_members) > 0 ? [1] : []
 content {
 oauth2_client_id = lookup(var.iap_config, "oauth2_client_id", "")
- enabled = var.iap_config.enable
+ enabled = length(var.iap_config.iap_members) > 0
 oauth2_client_secret = lookup(var.iap_config, "oauth2_client_secret", "")
 }
 }
@@ -365,3 +365,12 @@ resource "google_compute_backend_bucket" "default" {
 }
 }
 }
+
+resource "google_iap_web_backend_service_iam_member" "member" {
+ for_each = toset(var.iap_config.iap_members)
+ project = google_compute_backend_service.default[0].project
+ web_backend_service = google_compute_backend_service.default[0].name
+ role = "roles/iap.httpsResourceAccessor"
+ member = each.value
+}
+
diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml
index bd890051..0d80e9aa 100644
--- a/modules/backend/metadata.yaml
+++ b/modules/backend/metadata.yaml
@@ -32,6 +32,8 @@ spec:
 description: {}
 content:
 examples:
+ - name: backend-with-IAP
+ location: examples/backend-with-IAP
 - name: cdn-policy
 location: examples/cdn-policy
 - name: certificate-map
@@ -189,15 +191,13 @@ spec:
 spec:
 outputExpr: name
 - name: iap_config
- description: Settings for enabling Cloud Identity Aware Proxy Structure.
+ description: Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service.
 varType: |-
 object({
- enable = bool
+ iap_members = list(string)
 oauth2_client_id = optional(string)
 oauth2_client_secret = optional(string)
 })
- defaultValue:
- enable: false
 - name: cdn_policy
 description: Cloud CDN configuration for this BackendService.
 varType: |-
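Review bot: `var.iap_config.iap_members` is read on both `for_each` lines and on the `enabled` line, but the modules/backend/variables.tf hunk of this commit changes the variable's default to `null`, so every caller that leaves `iap_config` unset now fails at plan time with an attribute read on a null value. Guard the reads, e.g. `for_each = var.iap_config != null && length(var.iap_config.iap_members) > 0 ? [1] : []` and `for_each = var.iap_config == null ? toset([]) : toset(var.iap_config.iap_members)`, or give the variable a non-null default with an empty `iap_members` list. Tying `enabled` to the length of the member list also means that removing the last member switches IAP off on the backend instead of leaving it enabled with nobody authorised, which silently exposes the service; keep an explicit enable flag or state that behaviour in the variable description. Dropping `enable` from the object type is a breaking change for existing callers that pass `enable = true`. `google_compute_backend_service.default[0]` assumes the backend service is always created; if this module can be used for the backend bucket alone (the same file defines `google_compute_backend_bucket`), the new IAM resource fails on an empty instance list — the count expression is outside the hunk, so this is inferred.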
@@ -333,6 +333,7 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/modules/backend/variables.tf b/modules/backend/variables.tf index 0cca6482..bceaa37b 100644 --- a/modules/backend/variables.tf +++ b/modules/backend/variables.tf @@ -154,13 +154,13 @@ variable "backend_bucket_name" { } variable "iap_config" { - description = "Settings for enabling Cloud Identity Aware Proxy Structure." + description = "Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service." type = object({ - enable = bool + iap_members = list(string) oauth2_client_id = optional(string) oauth2_client_secret = optional(string) }) - default = { enable = false } + default = null } variable "cdn_policy" { diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 5cc581d6..51998a38 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -32,6 +32,8 @@ spec: description: {} content: examples: + - name: backend-with-IAP + location: examples/backend-with-IAP - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -338,6 +340,7 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index 9446c41a..292be59b 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml @@ -32,6 +32,8 @@ spec: description: {} content: examples: + - name: backend-with-IAP + location: examples/backend-with-IAP - name: cdn-policy location: examples/cdn-policy - name: certificate-map 
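Review bot: The new description says members are given "IAP HttpResourceAccessor" access, but the role bound in modules/backend/main.tf is `roles/iap.httpsResourceAccessor`; name the exact role so a reader can audit what is granted, e.g. `description = "Settings for enabling Cloud Identity Aware Proxy on the backend service and the users/service accounts granted roles/iap.httpsResourceAccessor on it."`. With `default = null` and `iap_members` a required attribute, "no members" can be expressed either as null or as an object carrying an empty list, and the module code has to handle both; `iap_members = optional(list(string), [])` with a non-null default removes that ambiguity. The object also carries `oauth2_client_secret`, and the variable is not marked `sensitive`, so a caller-supplied secret can surface in plan output and CI logs — that predates this change, but the type is being rewritten here, so it is a good moment to address it.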
@@ -246,6 +248,7 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index d272f1aa..95b2e4bb 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -32,6 +32,8 @@ spec: description: {} content: examples: + - name: backend-with-IAP + location: examples/backend-with-IAP - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -302,6 +304,7 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - storage-api.googleapis.com diff --git a/test/integration/backend-with-iap/backend_with_iap_test.go b/test/integration/backend-with-iap/backend_with_iap_test.go new file mode 100644 index 00000000..c6323da8 --- /dev/null +++ b/test/integration/backend-with-iap/backend_with_iap_test.go 
@@ -0,0 +1,39 @@
+// Copyright 2025 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package backend_with_iap
+
+import (
+ "testing"
+
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
+ "github.com/stretchr/testify/assert"
+
+ test "github.com/terraform-google-modules/terraform-google-lb-http/test/integration"
+)
+
+func TestExternalLbBackendBucket(t *testing.T) {
+ bpt := tft.NewTFBlueprintTest(t)
+
+ bpt.DefineVerify(func(assert *assert.Assertions) {
+ bpt.DefaultVerify(assert)
+
+ loadBalancerIp := bpt.GetStringOutput("load-balancer-ip")
+
+ test.AssertResponseStatus(t, assert, "http://"+loadBalancerIp, 200)
+ })
+
+ bpt.Test()
+}
+
diff --git a/test/setup/iam.tf b/test/setup/iam.tf
index 033e829d..fd9646dd 100644
--- a/test/setup/iam.tf
+++ b/test/setup/iam.tf
@@ -22,7 +22,8 @@ locals {
 "roles/iam.serviceAccountUser",
 "roles/certificatemanager.owner",
 "roles/vpcaccess.admin",
- "roles/iam.serviceAccountAdmin"
+ "roles/iam.serviceAccountAdmin",
+ "roles/iap.admin"
 ]
 int_required_folder_roles = [
 "roles/compute.xpnAdmin"
diff --git a/test/setup/main.tf b/test/setup/main.tf
index 3d51ae0c..505e3baf 100644
--- a/test/setup/main.tf
+++ b/test/setup/main.tf
@@ -63,5 +63,6 @@ module "project-ci-lb-http-1" {
 "iam.googleapis.com",
 "certificatemanager.googleapis.com",
 "vpcaccess.googleapis.com",
+ "iap.googleapis.com",
 ]
 }
From 721407c44c30d5b0fbdb2f6d78d3e783ff97a97f Mon Sep 17 00:00:00 2001
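Review bot: `test.AssertResponseStatus(t, assert, "http://"+loadBalancerIp, 200)` expects an unauthenticated plain-HTTP request to the IAP-protected backend to succeed, which is the opposite of what the example is meant to prove: if IAP is enforcing, an anonymous client should be redirected to sign-in or rejected, and a 200 here would mean the protection is not in effect. Assert the non-200 status IAP actually returns for this setup (establish it once against a deployed example), and ideally also verify that the `roles/iap.httpsResourceAccessor` binding exists on the backend service. `TestExternalLbBackendBucket` is a copy-paste name for the test in `backend_with_iap_test.go`; `TestBackendWithIAP` would match the file and the cloudbuild step ids. `loadBalancerIp` should be `loadBalancerIP` per Go's initialism convention.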
From: Deepraj Date: Wed, 6 Aug 2025 09:34:31 +0000 Subject: [PATCH 02/16] added cft test commands in cloudbuild --- build/int.cloudbuild.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 08f66775..b3bbcfee 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -158,6 +158,27 @@ steps: - verify internal-lb-http gce-mig name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' args: ['/bin/bash', '-c', 'cft test run TestInternalLbGCEMIG --stage teardown --verbose'] + # Backend Service with IAP Enabled +- id: init backend-with-iap + waitFor: + - teardown internal-lb-http gce-mig + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage init --verbose'] +- id: apply backend-with-iap + waitFor: + - init backend-with-iap + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage apply --verbose'] +- id: verify backend-with-iap + waitFor: + - apply backend-with-iap + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage verify --verbose'] +- id: teardown backend-with-iap + waitFor: + - verify backend-with-iap + name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage teardown --verbose'] tags: - 'ci' - 'integration' From 9b22215af39b2c8132abc243650edfb492eec841 Mon Sep 17 00:00:00 2001 
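Review bot: The four new steps run `cft test run TestAll/examples/backend-with-IAP`, while the neighbouring steps in this file invoke the dedicated Go test by name (`cft test run TestInternalLbGCEMIG --stage teardown --verbose`); if `TestAll` is the generic discovery test, the new `test/integration/backend-with-iap/backend_with_iap_test.go` and its status assertion never run in CI. Either call that test by its function name, e.g. `args: ['/bin/bash', '-c', 'cft test run TestExternalLbBackendBucket --stage init --verbose']` for the init step and likewise for apply, verify and teardown, or drop the dedicated test file if the discovery path is intended. The enclosing `steps:` list starts outside the hunk.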
From: Deepraj Date: Wed, 6 Aug 2025 09:42:42 +0000 Subject: [PATCH 03/16] Updated source and version --- examples/backend-with-IAP/main.tf | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/examples/backend-with-IAP/main.tf b/examples/backend-with-IAP/main.tf index 156ced41..a118df4a 100644 --- a/examples/backend-with-IAP/main.tf +++ b/examples/backend-with-IAP/main.tf @@ -15,13 +15,11 @@ */ module "lb-backend-iap" { -# source = "terraform-google-modules/lb-http/google//modules/backend" -# version = "~> 12.0" + source = "terraform-google-modules/lb-http/google//modules/backend" + version = "~> 12.0" - source = "../../modules/backend" - - project_id = var.project_id - name = "backend-with-iap" + project_id = var.project_id + name = "backend-with-iap" iap_config = { iap_members = ["user:test@test.test"] } From 83d29c4c8449c2d73a47873cf944dc7ae138d23f Mon Sep 17 00:00:00 2001 From: Zheng Qin Date: Sun, 10 Aug 2025 21:48:24 -0400 Subject: [PATCH 04/16] feat: per module requirements configs for lb-http (#520) Co-authored-by: Zheng Qin --- Makefile | 2 +- metadata.yaml | 16 +++--- modules/backend/metadata.yaml | 17 ++---- modules/dynamic_backends/metadata.yaml | 11 ++-- modules/frontend/metadata.yaml | 18 ++----- modules/serverless_negs/metadata.yaml | 14 +++-- test/setup/iam.tf | 58 +++++++++++++++++---- test/setup/main.tf | 72 ++++++++++++++++++-------- 8 files changed, 126 insertions(+), 82 deletions(-) diff --git a/Makefile b/Makefile index ffb1a949..6f87f72a 100644 --- a/Makefile +++ b/Makefile @@ -79,7 +79,7 @@ docker_generate_docs: -e ENABLE_BPMETADATA=1 \ -v "$(CURDIR)":/workspace \ $(REGISTRY_URL)/${DOCKER_IMAGE_DEVELOPER_TOOLS}:${DOCKER_TAG_VERSION_DEVELOPER_TOOLS} \ - /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs' + /bin/bash -c 'source /usr/local/bin/task_helper_functions.sh && generate_docs --per-module-requirements' ## Generate files from autogen .PHONY: docker_generate_modules 
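Review bot: The example now pins the registry module at `version = "~> 12.0"`, but `iap_config.iap_members` is introduced by this same patch series and is not part of the published 12.x backend module, so the example cannot plan until a release containing the change is published — unless the CI harness rewrites the source, which is not visible from here. Keeping `source = "../../modules/backend"` until release, or noting the required minimum module version in a comment, avoids shipping an example that fails for users who copy it as-is.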
diff --git a/metadata.yaml b/metadata.yaml index f2f13f11..319b41e8 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,25 +338,21 @@ spec: roles: - level: Project roles: - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/storage.admin - - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/iap.admin + - roles/storage.admin + - roles/compute.admin services: + - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - compute.googleapis.com - - run.googleapis.com - iam.googleapis.com - - certificatemanager.googleapis.com + - run.googleapis.com + - serviceusage.googleapis.com + - storage-api.googleapis.com - vpcaccess.googleapis.com providerVersions: - source: hashicorp/google diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 2bae1812..5b88ffb7 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -331,25 +331,18 @@ spec: roles: - level: Project roles: - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/storage.admin - - roles/compute.admin - roles/run.admin + - roles/compute.networkAdmin + - roles/iap.admin - roles/iam.serviceAccountUser - - roles/certificatemanager.owner - - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/iap.admin + - roles/compute.admin + - roles/storage.admin services: - cloudresourcemanager.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - compute.googleapis.com - run.googleapis.com - - iam.googleapis.com - - certificatemanager.googleapis.com + - storage-api.googleapis.com - vpcaccess.googleapis.com providerVersions: - source: hashicorp/google diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 62310313..d5488bb1 100644 --- a/modules/dynamic_backends/metadata.yaml 
+++ b/modules/dynamic_backends/metadata.yaml @@ -328,9 +328,6 @@ spec: description: The default URL map used by this module. requirements: roles: - - level: Project - roles: - - roles/compute.xpnAdmin - level: Project roles: - roles/storage.admin @@ -342,13 +339,13 @@ spec: - roles/iam.serviceAccountAdmin - roles/iap.admin services: + - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - compute.googleapis.com - - run.googleapis.com - iam.googleapis.com - - certificatemanager.googleapis.com + - run.googleapis.com + - serviceusage.googleapis.com + - storage-api.googleapis.com - vpcaccess.googleapis.com providerVersions: - source: hashicorp/google diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index 6d238d05..5289e68a 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml @@ -246,26 +246,18 @@ spec: roles: - level: Project roles: - - roles/compute.xpnAdmin - - level: Project - roles: - - roles/storage.admin - roles/compute.admin - - roles/run.admin - - roles/iam.serviceAccountUser + - roles/storage.admin + - roles/iap.admin - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/iap.admin + - roles/iam.serviceAccountUser services: - - cloudresourcemanager.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com + - certificatemanager.googleapis.com - compute.googleapis.com - run.googleapis.com - - iam.googleapis.com - - certificatemanager.googleapis.com - - vpcaccess.googleapis.com + - storage-api.googleapis.com providerVersions: - source: hashicorp/google version: ">= 6.0, < 7" diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 2a827015..9f0342d7 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml 
@@ -294,9 +294,8 @@ spec: roles: - level: Project roles: - - roles/compute.xpnAdmin - - level: Project - roles: + - roles/vpcaccess.admin + - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin @@ -304,15 +303,14 @@ spec: - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/iap.admin services: + - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com - - storage-api.googleapis.com - - serviceusage.googleapis.com - compute.googleapis.com - - run.googleapis.com - iam.googleapis.com - - certificatemanager.googleapis.com + - run.googleapis.com + - serviceusage.googleapis.com + - storage-api.googleapis.com - vpcaccess.googleapis.com providerVersions: - source: hashicorp/google diff --git a/test/setup/iam.tf b/test/setup/iam.tf index fd9646dd..7a379c5d 100644 --- a/test/setup/iam.tf +++ b/test/setup/iam.tf 
@@ -15,16 +15,54 @@ */ locals { - int_required_project_roles = [ - "roles/storage.admin", - "roles/compute.admin", - "roles/run.admin", - "roles/iam.serviceAccountUser", - "roles/certificatemanager.owner", - "roles/vpcaccess.admin", - "roles/iam.serviceAccountAdmin", - "roles/iap.admin" - ] + per_module_roles = { + root = [ + "roles/storage.admin", + "roles/compute.admin", + "roles/run.admin", + "roles/iam.serviceAccountUser", + "roles/certificatemanager.owner", + "roles/vpcaccess.admin", + "roles/iam.serviceAccountAdmin" + ] + backend = [ + "roles/compute.admin", + "roles/storage.admin", + "roles/run.admin", + "roles/compute.networkAdmin", + "roles/iap.admin", + "roles/iam.serviceAccountUser", + "roles/iam.serviceAccountAdmin", + "roles/iap.admin" + ] + dynamic_backends = [ + "roles/storage.admin", + "roles/compute.admin", + "roles/run.admin", + "roles/iam.serviceAccountUser", + "roles/certificatemanager.owner", + "roles/vpcaccess.admin", + "roles/iam.serviceAccountAdmin" + ] + frontend = [ + "roles/compute.admin", + "roles/storage.admin", + "roles/iap.admin", + "roles/certificatemanager.owner", + "roles/iam.serviceAccountUser" + ] + serverless_negs = [ + "roles/storage.admin", + "roles/compute.admin", + "roles/run.admin", + "roles/iam.serviceAccountUser", + "roles/certificatemanager.owner", + "roles/vpcaccess.admin", + "roles/iam.serviceAccountAdmin" + ] + } + + int_required_project_roles = tolist(toset(flatten(values(local.per_module_roles)))) int_required_folder_roles = [ "roles/compute.xpnAdmin" ] diff --git a/test/setup/main.tf b/test/setup/main.tf index 505e3baf..efe704a1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf 
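Review bot: `"roles/iap.admin"` appears twice in the `backend` list; `toset` deduplicates it for `int_required_project_roles`, but the list is also the input for the generated per-module metadata, so remove the duplicate entry. `frontend` is granted `roles/iap.admin` although the only IAP resource in this series lives in the backend module, and `backend` newly receives `roles/compute.networkAdmin` with no corresponding resource visible in the diff; both widen the CI service account beyond what the modules appear to need, so confirm each role against an actual resource before keeping it. The `locals` block continues outside the hunk.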
@@ -14,6 +14,55 @@ * limitations under the License. */ +locals { + per_module_services = { + root = [ + "cloudresourcemanager.googleapis.com", + "storage-api.googleapis.com", + "serviceusage.googleapis.com", + "compute.googleapis.com", + "run.googleapis.com", + "iam.googleapis.com", + "certificatemanager.googleapis.com", + "vpcaccess.googleapis.com", + ] + backend = [ + "compute.googleapis.com", + "run.googleapis.com", + "storage-api.googleapis.com", + "vpcaccess.googleapis.com", + "cloudresourcemanager.googleapis.com", + "iap.googleapis.com", + ] + dynamic_backends = [ + "cloudresourcemanager.googleapis.com", + "storage-api.googleapis.com", + "serviceusage.googleapis.com", + "compute.googleapis.com", + "run.googleapis.com", + "iam.googleapis.com", + "certificatemanager.googleapis.com", + "vpcaccess.googleapis.com", + ] + frontend = [ + "compute.googleapis.com", + "storage-api.googleapis.com", + "run.googleapis.com", + "certificatemanager.googleapis.com", + ] + serverless_negs = [ + "cloudresourcemanager.googleapis.com", + "storage-api.googleapis.com", + "serviceusage.googleapis.com", + "compute.googleapis.com", + "run.googleapis.com", + "iam.googleapis.com", + "certificatemanager.googleapis.com", + "vpcaccess.googleapis.com", + ] + } +} + module "project-ci-lb-http" { source = "terraform-google-modules/project-factory/google" version = "~> 17.0" @@ -28,16 +77,7 @@ module "project-ci-lb-http" { disable_services_on_destroy = false deletion_policy = "DELETE" - activate_apis = [ - "cloudresourcemanager.googleapis.com", - "storage-api.googleapis.com", - "serviceusage.googleapis.com", - "compute.googleapis.com", - "run.googleapis.com", - "iam.googleapis.com", - "certificatemanager.googleapis.com", - "vpcaccess.googleapis.com", - ] + activate_apis = tolist(toset(flatten(values(local.per_module_services)))) } module "project-ci-lb-http-1" { 
@@ -54,15 +94,5 @@ module "project-ci-lb-http-1" { disable_services_on_destroy = false deletion_policy = "DELETE" - activate_apis = [ - "cloudresourcemanager.googleapis.com", - "storage-api.googleapis.com", - "serviceusage.googleapis.com", - "compute.googleapis.com", - "run.googleapis.com", - "iam.googleapis.com", - "certificatemanager.googleapis.com", - "vpcaccess.googleapis.com", - "iap.googleapis.com", - ] + activate_apis = tolist(toset(flatten(values(local.per_module_services)))) } From d27d2dd4e7589f2790cf0a8b99d5aacf0211bb16 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Tue, 12 Aug 2025 12:00:01 +0000 Subject: [PATCH 05/16] updated metadata --- Makefile | 2 +- metadata.yaml | 4 ++-- modules/backend/metadata.yaml | 7 ++++--- modules/dynamic_backends/metadata.yaml | 5 ++--- modules/frontend/metadata.yaml | 2 -- modules/serverless_negs/metadata.yaml | 4 +--- 6 files changed, 10 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index 6f87f72a..2404371e 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/metadata.yaml b/metadata.yaml index 319b41e8..fe610e0c 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: - - roles/run.admin - - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin + - roles/run.admin + - roles/iam.serviceAccountUser services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 5b88ffb7..e4bef851 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml 
@@ -331,16 +331,17 @@ spec: roles: - level: Project roles: - - roles/run.admin - - roles/compute.networkAdmin - - roles/iap.admin - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin + - roles/run.admin + - roles/compute.networkAdmin + - roles/iap.admin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com + - iap.googleapis.com - run.googleapis.com - storage-api.googleapis.com - vpcaccess.googleapis.com diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index d5488bb1..d05d02ad 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,14 +330,13 @@ spec: roles: - level: Project roles: - - roles/storage.admin - - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/iap.admin + - roles/storage.admin + - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index 5289e68a..ef9db9fd 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml @@ -250,8 +250,6 @@ spec: - roles/storage.admin - roles/iap.admin - roles/certificatemanager.owner - - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin - roles/iam.serviceAccountUser services: - certificatemanager.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 9f0342d7..e4df66e8 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml 
@@ -294,15 +294,13 @@ spec: roles: - level: Project roles: + - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - - roles/certificatemanager.owner - - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From fc5f26e47701ffba1615e8a35c8762714eef454f Mon Sep 17 00:00:00 2001 From: Deepraj Date: Thu, 14 Aug 2025 06:46:18 +0000 Subject: [PATCH 06/16] lint error fix --- metadata.yaml | 6 +++--- modules/backend/metadata.yaml | 2 +- modules/dynamic_backends/metadata.yaml | 4 ++-- modules/serverless_negs/metadata.yaml | 2 +- test/setup/main.tf | 1 + 5 files changed, 8 insertions(+), 7 deletions(-) diff --git a/metadata.yaml b/metadata.yaml index 319b41e8..7a4c12a7 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountAdmin + - roles/storage.admin + - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index e4bef851..ddf72a7b 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -331,13 +331,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin + - roles/iam.serviceAccountUser services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index d05d02ad..325f5a19 100644 
--- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: + - roles/storage.admin + - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 881c9b37..eabecaf3 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner + - roles/vpcaccess.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/test/setup/main.tf b/test/setup/main.tf index cc066f08..efe704a1 100644 --- a/test/setup/main.tf +++ b/test/setup/main.tf @@ -33,6 +33,7 @@ locals { "vpcaccess.googleapis.com", "cloudresourcemanager.googleapis.com", "iap.googleapis.com", + ] dynamic_backends = [ "cloudresourcemanager.googleapis.com", "storage-api.googleapis.com", From c1fb134aed2a56e94684d0456eed1f6c1a97b0d9 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Mon, 18 Aug 2025 08:32:25 +0000 Subject: [PATCH 07/16] updated default value for iap_config variable object and description. fixed lint errors --- examples/lb-http-separate-frontend-and-backend/main.tf | 3 ++- metadata.yaml | 4 ++-- modules/backend/README.md | 2 +- modules/backend/metadata.yaml | 6 ++++-- modules/backend/variables.tf | 4 ++-- modules/dynamic_backends/metadata.yaml | 6 +++--- modules/serverless_negs/metadata.yaml | 2 +- 7 files changed, 15 insertions(+), 12 deletions(-) 
diff --git a/examples/lb-http-separate-frontend-and-backend/main.tf b/examples/lb-http-separate-frontend-and-backend/main.tf index 8ba29ca4..2dcebc1f 100644 --- a/examples/lb-http-separate-frontend-and-backend/main.tf +++ b/examples/lb-http-separate-frontend-and-backend/main.tf @@ -70,6 +70,7 @@ module "cloud-nat-group2" { module "lb-http-backend" { source = "terraform-google-modules/lb-http/google//modules/backend" version = "~> 12.0" + project_id = var.project_id name = "backend-lb" target_tags = [ @@ -104,7 +105,7 @@ module "lb-http-backend" { ] iap_config = { - enable = false + iap_members = [] } } diff --git a/metadata.yaml b/metadata.yaml index 7a4c12a7..fe610e0c 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/certificatemanager.owner + - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - - roles/certificatemanager.owner - - roles/vpcaccess.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/README.md b/modules/backend/README.md index 8dc2e00d..63b8c60a 100644 --- a/modules/backend/README.md +++ b/modules/backend/README.md @@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci | groups | The list of backend instance group which serves the traffic. |
list(object({
group = string
description = optional(string)

balancing_mode = optional(string)
capacity_scaler = optional(number)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
| `[]` | no | | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. |
object({
host = optional(string, null)
request_path = optional(string, null)
request = optional(string, null)
response = optional(string, null)
port = optional(number, null)
port_name = optional(string, null)
proxy_header = optional(string, null)
port_specification = optional(string, null)
protocol = optional(string, null)
check_interval_sec = optional(number, 5)
timeout_sec = optional(number, 5)
healthy_threshold = optional(number, 2)
unhealthy_threshold = optional(number, 2)
logging = optional(bool, false)
})
| `null` | no | | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service |
list(object({
host = string
path = string
}))
|
[
{
"host": "*",
"path": "/*"
}
]
| no | -| iap\_config | Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
iap_members = list(string)
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
| `null` | no | +| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
iap_members = list(string)
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
|
{
"iap_members": []
}
| no | | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no | | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. |
object({
enable = bool
sample_rate = number
})
|
{
"enable": true,
"sample_rate": 1
}
| no | diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index ddf72a7b..e40bc893 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -191,13 +191,15 @@ spec: spec: outputExpr: name - name: iap_config - description: Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service. + description: Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. varType: |- object({ iap_members = list(string) oauth2_client_id = optional(string) oauth2_client_secret = optional(string) }) + defaultValue: + iap_members: [] - name: cdn_policy description: Cloud CDN configuration for this BackendService. varType: |- @@ -331,13 +333,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin - - roles/iam.serviceAccountUser services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/backend/variables.tf b/modules/backend/variables.tf index 553ae138..c41c698d 100644 --- a/modules/backend/variables.tf +++ b/modules/backend/variables.tf @@ -154,13 +154,13 @@ variable "backend_bucket_name" { } variable "iap_config" { - description = "Settings for enabling Cloud Identity Aware Proxy Structure and Users/SAs to be given IAP HttpResourceAccessor access to the service." + description = "Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service." type = object({ iap_members = list(string) oauth2_client_id = optional(string) oauth2_client_secret = optional(string) }) - default = null + default = { iap_members = [] } } variable "cdn_policy" { 
diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 325f5a19..0899ce03 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: - - roles/storage.admin - - roles/compute.admin - - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/storage.admin + - roles/compute.admin + - roles/run.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index eabecaf3..555ec5f3 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin + - roles/iam.serviceAccountAdmin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From 739224a5b2616cc09928369eae87ad004417dcdc Mon Sep 17 00:00:00 2001 From: Deepraj Date: Tue, 19 Aug 2025 06:30:03 +0000 Subject: [PATCH 08/16] updated folder name backend-with-iap --- examples/{backend-with-IAP => backend-with-iap}/main.tf | 0 examples/{backend-with-IAP => backend-with-iap}/outputs.tf | 0 examples/{backend-with-IAP => backend-with-iap}/variables.tf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename examples/{backend-with-IAP => backend-with-iap}/main.tf (100%) rename examples/{backend-with-IAP => backend-with-iap}/outputs.tf (100%) rename examples/{backend-with-IAP => backend-with-iap}/variables.tf (100%) 
diff --git a/examples/backend-with-IAP/main.tf b/examples/backend-with-iap/main.tf similarity index 100% rename from examples/backend-with-IAP/main.tf rename to examples/backend-with-iap/main.tf diff --git a/examples/backend-with-IAP/outputs.tf b/examples/backend-with-iap/outputs.tf similarity index 100% rename from examples/backend-with-IAP/outputs.tf rename to examples/backend-with-iap/outputs.tf diff --git a/examples/backend-with-IAP/variables.tf b/examples/backend-with-iap/variables.tf similarity index 100% rename from examples/backend-with-IAP/variables.tf rename to examples/backend-with-iap/variables.tf From 106025664c2ffd7df0c301c50258589692831955 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Wed, 20 Aug 2025 11:57:17 +0000 Subject: [PATCH 09/16] updated iap_config object to have enabled boolean field and iap_members variable --- build/int.cloudbuild.yaml | 8 ++++---- examples/backend-with-iap/main.tf | 1 + .../lb-http-separate-frontend-and-backend/main.tf | 6 +++--- metadata.yaml | 8 ++++---- modules/backend/README.md | 2 +- modules/backend/main.tf | 4 ++-- modules/backend/metadata.yaml | 12 +++++++----- modules/backend/variables.tf | 5 +++-- modules/dynamic_backends/metadata.yaml | 8 ++++---- modules/frontend/metadata.yaml | 6 +++--- modules/serverless_negs/metadata.yaml | 6 +++--- 11 files changed, 35 insertions(+), 31 deletions(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index b3bbcfee..46c287a7 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -163,22 +163,22 @@ steps: waitFor: - teardown internal-lb-http gce-mig name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage init --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage init --verbose'] - id: apply backend-with-iap waitFor: - init backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage apply --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage apply --verbose'] - id: verify backend-with-iap waitFor: - apply backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage verify --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage verify --verbose'] - id: teardown backend-with-iap waitFor: - verify backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-IAP --stage teardown --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage teardown --verbose'] tags: - 'ci' - 'integration' diff --git a/examples/backend-with-iap/main.tf b/examples/backend-with-iap/main.tf index a118df4a..ce556beb 100644 --- a/examples/backend-with-iap/main.tf +++ b/examples/backend-with-iap/main.tf @@ -21,6 +21,7 @@ module "lb-backend-iap" { project_id = var.project_id name = "backend-with-iap" iap_config = { + enable = true iap_members = ["user:test@test.test"] } } 
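Review bot: The `iap_config` block in examples/backend-with-iap/main.tf now switches IAP on (`enable = true`) for a hard-coded placeholder principal, `iap_members = ["user:test@test.test"]`, and the cloudbuild steps in the same patch init/apply/verify this example in CI. An IAP IAM binding for a `user:` principal that is not a real Google account is likely to be rejected at apply time (inferred; the IAM resource that consumes iap_members is outside this hunk), and a placeholder principal in a published example tends to be copied as-is. Consider taking the member list from the example's variables, e.g. `iap_members = var.iap_members`, with the CI test supplying a principal that exists in the test project.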
diff --git a/examples/lb-http-separate-frontend-and-backend/main.tf b/examples/lb-http-separate-frontend-and-backend/main.tf index 2dcebc1f..3a25f810 100644 --- a/examples/lb-http-separate-frontend-and-backend/main.tf +++ b/examples/lb-http-separate-frontend-and-backend/main.tf @@ -68,8 +68,8 @@ module "cloud-nat-group2" { } module "lb-http-backend" { - source = "terraform-google-modules/lb-http/google//modules/backend" - version = "~> 12.0" + source = "terraform-google-modules/lb-http/google//modules/backend" + version = "~> 12.0" project_id = var.project_id name = "backend-lb" @@ -105,7 +105,7 @@ module "lb-http-backend" { ] iap_config = { - iap_members = [] + enable = false } } diff --git a/metadata.yaml b/metadata.yaml index fe610e0c..d62f9e80 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -40,8 +40,8 @@ spec: - name: serverless_negs location: modules/serverless_negs examples: - - name: backend-with-IAP - location: examples/backend-with-IAP + - name: backend-with-iap + location: examples/backend-with-iap - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/run.admin + - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - - roles/run.admin - - roles/iam.serviceAccountUser services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/README.md b/modules/backend/README.md index 63b8c60a..845bdcf6 100644 --- a/modules/backend/README.md +++ b/modules/backend/README.md @@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci | groups | The list of backend instance group which serves the traffic. |
list(object({
group = string
description = optional(string)

balancing_mode = optional(string)
capacity_scaler = optional(number)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
| `[]` | no | | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. |
object({
host = optional(string, null)
request_path = optional(string, null)
request = optional(string, null)
response = optional(string, null)
port = optional(number, null)
port_name = optional(string, null)
proxy_header = optional(string, null)
port_specification = optional(string, null)
protocol = optional(string, null)
check_interval_sec = optional(number, 5)
timeout_sec = optional(number, 5)
healthy_threshold = optional(number, 2)
unhealthy_threshold = optional(number, 2)
logging = optional(bool, false)
})
| `null` | no | | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service |
list(object({
host = string
path = string
}))
|
[
{
"host": "*",
"path": "/*"
}
]
| no | -| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
iap_members = list(string)
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
})
|
{
"iap_members": []
}
| no | +| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
iap_members = list(string)
})
|
{
"enable": false,
"iap_members": []
}
| no | | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no | | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. |
object({
enable = bool
sample_rate = number
})
|
{
"enable": true,
"sample_rate": 1
}
| no | diff --git a/modules/backend/main.tf b/modules/backend/main.tf index 258cf5ad..14d35867 100644 --- a/modules/backend/main.tf +++ b/modules/backend/main.tf @@ -80,10 +80,10 @@ resource "google_compute_backend_service" "default" { } dynamic "iap" { - for_each = length(var.iap_config.iap_members) > 0 ? [1] : [] + for_each = var.iap_config.enable ? [1] : [] content { oauth2_client_id = lookup(var.iap_config, "oauth2_client_id", "") - enabled = length(var.iap_config.iap_members) > 0 + enabled = var.iap_config.enable oauth2_client_secret = lookup(var.iap_config, "oauth2_client_secret", "") } } diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index e40bc893..1d95051f 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -32,8 +32,8 @@ spec: description: {} content: examples: - - name: backend-with-IAP - location: examples/backend-with-IAP + - name: backend-with-iap + location: examples/backend-with-iap - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -194,11 +194,13 @@ spec: description: Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. varType: |- object({ - iap_members = list(string) + enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) + iap_members = list(string) }) defaultValue: + enable: false iap_members: [] - name: cdn_policy description: Cloud CDN configuration for this BackendService. @@ -333,13 +335,13 @@ spec: roles: - level: Project roles: + - roles/compute.networkAdmin + - roles/iap.admin - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin - - roles/compute.networkAdmin - - roles/iap.admin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/backend/variables.tf b/modules/backend/variables.tf index c41c698d..47357a10 100644 
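Review bot: In modules/backend/main.tf the `iap` block is now gated on `var.iap_config.enable`, which decouples turning IAP on from `iap_members`: a caller can set `enable = false` with a non-empty member list, and if the IAP IAM bindings are still derived from `iap_members` (that resource is outside this hunk) they would be granted on a backend that serves traffic without IAP in front of it. A `validation` block on the `iap_config` variable requiring `enable || length(iap_members) == 0` would reject that combination at plan time. Two smaller points in the same `content` block: `enabled = var.iap_config.enable` is always `true` inside a block that only exists when `enable` is true, so `enabled = true` states the same thing; and because `oauth2_client_id`/`oauth2_client_secret` are declared `optional(string)`, the attribute is present (as null) even when unset, so the `""` fallback in `lookup(var.iap_config, "oauth2_client_id", "")` never applies and `var.iap_config.oauth2_client_id` is the direct form. The enclosing `google_compute_backend_service` resource starts and ends outside the hunk.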
--- a/modules/backend/variables.tf +++ b/modules/backend/variables.tf @@ -156,11 +156,12 @@ variable "backend_bucket_name" { variable "iap_config" { description = "Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service." type = object({ - iap_members = list(string) + enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) + iap_members = list(string) }) - default = { iap_members = [] } + default = { enable = false, iap_members = [] } } variable "cdn_policy" { diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 0899ce03..ba9a6da3 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -32,8 +32,8 @@ spec: description: {} content: examples: - - name: backend-with-IAP - location: examples/backend-with-IAP + - name: backend-with-iap + location: examples/backend-with-iap - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountUser - - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin + - roles/iam.serviceAccountUser + - roles/certificatemanager.owner services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index ef9db9fd..fd56f01e 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml @@ -32,8 +32,8 @@ spec: description: {} content: examples: - - name: backend-with-IAP - location: examples/backend-with-IAP + - name: backend-with-iap + location: examples/backend-with-iap - name: cdn-policy location: examples/cdn-policy - name: certificate-map 
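Review bot: `iap_members = list(string)` in the new `iap_config` object type is a required attribute, so a caller that only wants to say `enable = false` (as the examples/lb-http-separate-frontend-and-backend/main.tf hunk in this same patch does) fails variable validation with a missing-attribute error; the follow-up patches add and then remove `iap_members = []` in that example, which points at the type rather than the example. Declaring it `optional(list(string), [])` makes the default object and both example forms valid, and a `validation` block can reject the `enable = false` with non-empty members combination that the new `enable` flag makes possible. Separately, `oauth2_client_secret` arrives through a plain object variable, so a literal passed by a caller is not tracked as sensitive by Terraform and can surface in plan output or in outputs derived from it; consider `sensitive = true` on the variable, or say in the description that the secret should be supplied from a sensitive source.
```hcl
  type = object({
    # … unchanged: enable, oauth2_client_id, oauth2_client_secret …
    iap_members          = optional(list(string), [])
  })
  # … unchanged: default …

  validation {
    condition     = var.iap_config.enable || length(var.iap_config.iap_members) == 0
    error_message = "iap_config.iap_members can only be set when iap_config.enable is true."
  }
```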
@@ -246,11 +246,11 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountUser - roles/compute.admin - roles/storage.admin - roles/iap.admin - roles/certificatemanager.owner - - roles/iam.serviceAccountUser services: - certificatemanager.googleapis.com - compute.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 555ec5f3..664a8716 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -32,8 +32,8 @@ spec: description: {} content: examples: - - name: backend-with-IAP - location: examples/backend-with-IAP + - name: backend-with-iap + location: examples/backend-with-iap - name: cdn-policy location: examples/cdn-policy - name: certificate-map @@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/storage.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From ad0dc827a326ace7839b93998a194b0281d8ba47 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Thu, 21 Aug 2025 09:24:33 +0000 Subject: [PATCH 10/16] lint error fix --- examples/lb-http-separate-frontend-and-backend/main.tf | 1 + metadata.yaml | 4 ++-- modules/backend/metadata.yaml | 6 +++--- modules/dynamic_backends/metadata.yaml | 4 ++-- modules/serverless_negs/metadata.yaml | 2 +- 5 files changed, 9 insertions(+), 8 deletions(-) diff --git a/examples/lb-http-separate-frontend-and-backend/main.tf b/examples/lb-http-separate-frontend-and-backend/main.tf index 3a25f810..61eda110 100644 --- a/examples/lb-http-separate-frontend-and-backend/main.tf +++ b/examples/lb-http-separate-frontend-and-backend/main.tf @@ -106,6 +106,7 @@ module "lb-http-backend" { iap_config = { enable = false + iap_members = [] } } 
diff --git a/metadata.yaml b/metadata.yaml index d62f9e80..04679a68 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/storage.admin + - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 1d95051f..9b4f1ffd 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -335,13 +335,13 @@ spec: roles: - level: Project roles: - - roles/compute.networkAdmin - - roles/iap.admin - - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin + - roles/compute.networkAdmin + - roles/iap.admin + - roles/iam.serviceAccountUser services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index ba9a6da3..53806ee0 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: - - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner + - roles/vpcaccess.admin + - roles/iam.serviceAccountAdmin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 664a8716..20d6985d 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml 
@@ -294,13 +294,13 @@ spec: roles: - level: Project roles: + - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/storage.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From 6f03fd985ac23719f77f014562c4cd002c5fda06 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Fri, 22 Aug 2025 10:54:59 +0000 Subject: [PATCH 11/16] integration test fix --- build/int.cloudbuild.yaml | 8 ++--- examples/backend-with-iap/outputs.tf | 11 +++++-- .../main.tf | 1 - metadata.yaml | 2 +- modules/backend/README.md | 4 ++- modules/backend/metadata.yaml | 9 ++++-- modules/backend/outputs.tf | 10 +++++++ modules/backend/variables.tf | 4 +-- modules/dynamic_backends/metadata.yaml | 6 ++-- modules/frontend/metadata.yaml | 4 +-- modules/serverless_negs/metadata.yaml | 6 ++-- .../backend-with-iap/backend_with_iap_test.go | 29 +++++++++++-------- 12 files changed, 60 insertions(+), 34 deletions(-) diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 46c287a7..aa513346 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml 
@@ -163,22 +163,22 @@ steps: waitFor: - teardown internal-lb-http gce-mig name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage init --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage init --verbose'] - id: apply backend-with-iap waitFor: - init backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage apply --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage apply --verbose'] - id: verify backend-with-iap waitFor: - apply backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage verify --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage verify --verbose'] - id: teardown backend-with-iap waitFor: - verify backend-with-iap name: 'gcr.io/cloud-foundation-cicd/$_DOCKER_IMAGE_DEVELOPER_TOOLS:$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS' - args: ['/bin/bash', '-c', 'cft test run TestAll/examples/backend-with-iap --stage teardown --verbose'] + args: ['/bin/bash', '-c', 'cft test run TestLbBackendServiceIap --stage teardown --verbose'] tags: - 'ci' - 'integration' diff --git a/examples/backend-with-iap/outputs.tf b/examples/backend-with-iap/outputs.tf index 456878ac..ac843af5 100644 --- a/examples/backend-with-iap/outputs.tf +++ b/examples/backend-with-iap/outputs.tf 
@@ -14,6 +14,13 @@ * limitations under the License. */ -output "load-balancer-ip" { - value = module.lb-frontend.external_ip + +output "project_id" { + value = module.lb-backend-iap.project_id + description = "Project ID of the service" +} + +output "service_name" { + value = module.lb-backend-iap.service_name + description = "Name of the created service" } diff --git a/examples/lb-http-separate-frontend-and-backend/main.tf b/examples/lb-http-separate-frontend-and-backend/main.tf index 61eda110..3a25f810 100644 --- a/examples/lb-http-separate-frontend-and-backend/main.tf +++ b/examples/lb-http-separate-frontend-and-backend/main.tf @@ -106,7 +106,6 @@ module "lb-http-backend" { iap_config = { enable = false - iap_members = [] } } diff --git a/metadata.yaml b/metadata.yaml index 04679a68..f6e7f929 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/README.md b/modules/backend/README.md index 845bdcf6..34369fcc 100644 --- a/modules/backend/README.md +++ b/modules/backend/README.md @@ -22,7 +22,7 @@ This module creates `google_compute_backend_service` resource and its dependenci | groups | The list of backend instance group which serves the traffic. |
list(object({
group = string
description = optional(string)

balancing_mode = optional(string)
capacity_scaler = optional(number)
max_connections = optional(number)
max_connections_per_instance = optional(number)
max_connections_per_endpoint = optional(number)
max_rate = optional(number)
max_rate_per_instance = optional(number)
max_rate_per_endpoint = optional(number)
max_utilization = optional(number)
}))
| `[]` | no | | health\_check | Input for creating HttpHealthCheck or HttpsHealthCheck resource for health checking this BackendService. A health check must be specified unless the backend service uses an internet or serverless NEG as a backend. |
object({
host = optional(string, null)
request_path = optional(string, null)
request = optional(string, null)
response = optional(string, null)
port = optional(number, null)
port_name = optional(string, null)
proxy_header = optional(string, null)
port_specification = optional(string, null)
protocol = optional(string, null)
check_interval_sec = optional(number, 5)
timeout_sec = optional(number, 5)
healthy_threshold = optional(number, 2)
unhealthy_threshold = optional(number, 2)
logging = optional(bool, false)
})
| `null` | no | | host\_path\_mappings | The list of host/path for which traffic could be sent to the backend service |
list(object({
host = string
path = string
}))
|
[
{
"host": "*",
"path": "/*"
}
]
| no | -| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
iap_members = list(string)
})
|
{
"enable": false,
"iap_members": []
}
| no | +| iap\_config | Settings for enabling Cloud Identity Aware Proxy and Users/SAs to be given IAP HttpResourceAccessor access to the service. |
object({
enable = bool
oauth2_client_id = optional(string)
oauth2_client_secret = optional(string)
iap_members = optional(list(string))
})
|
{
"enable": false
}
| no | | load\_balancing\_scheme | Load balancing scheme type (EXTERNAL for classic external load balancer, EXTERNAL\_MANAGED for Envoy-based load balancer, INTERNAL\_MANAGED for internal load balancer and INTERNAL\_SELF\_MANAGED for traffic director) | `string` | `"EXTERNAL_MANAGED"` | no | | locality\_lb\_policy | The load balancing algorithm used within the scope of the locality. | `string` | `null` | no | | log\_config | This field denotes the logging options for the load balancer traffic served by this backend service. If logging is enabled, logs will be exported to Stackdriver. |
object({
enable = bool
sample_rate = number
})
|
{
"enable": true,
"sample_rate": 1
}
| no | @@ -44,5 +44,7 @@ This module creates `google_compute_backend_service` resource and its dependenci |------|-------------| | apphub\_service\_uri | Service URI in CAIS style to be used by Apphub. | | backend\_service\_info | Host, path and backend service mapping | +| project\_id | Project ID of the service | +| service\_name | Name of the created service | diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 9b4f1ffd..f0369f9f 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -197,11 +197,10 @@ spec: enable = bool oauth2_client_id = optional(string) oauth2_client_secret = optional(string) - iap_members = list(string) + iap_members = optional(list(string)) }) defaultValue: enable: false - iap_members: [] - name: cdn_policy description: Cloud CDN configuration for this BackendService. varType: |- @@ -331,17 +330,21 @@ spec: - backend_service: string host: string path: string + - name: project_id + description: Project ID of the service + - name: service_name + description: Name of the created service requirements: roles: - level: Project roles: + - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin - - roles/iam.serviceAccountUser services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/backend/outputs.tf b/modules/backend/outputs.tf index a8dab938..d072070b 100644 --- a/modules/backend/outputs.tf +++ b/modules/backend/outputs.tf @@ -43,3 +43,13 @@ output "apphub_service_uri" { ) description = "Service URI in CAIS style to be used by Apphub." } + +output "project_id" { + value = var.project_id + description = "Project ID of the service" +} + +output "service_name" { + value = var.name + description = "Name of the created service" +} diff --git a/modules/backend/variables.tf b/modules/backend/variables.tf index 47357a10..f825bda1 100644 
--- a/modules/backend/variables.tf
+++ b/modules/backend/variables.tf
@@ -159,9 +159,9 @@ variable "iap_config" {
 enable = bool
 oauth2_client_id = optional(string)
 oauth2_client_secret = optional(string)
- iap_members = list(string)
+ iap_members = optional(list(string))
 })
- default = { enable = false, iap_members = [] }
+ default = { enable = false }
 }
 variable "cdn_policy" {
diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml
index 53806ee0..fc05406c 100644
--- a/modules/dynamic_backends/metadata.yaml
+++ b/modules/dynamic_backends/metadata.yaml
@@ -330,13 +330,13 @@ spec:
 roles:
 - level: Project
 roles:
+ - roles/certificatemanager.owner
+ - roles/vpcaccess.admin
+ - roles/iam.serviceAccountAdmin
 - roles/storage.admin
 - roles/compute.admin
 - roles/run.admin
 - roles/iam.serviceAccountUser
- - roles/certificatemanager.owner
- - roles/vpcaccess.admin
- - roles/iam.serviceAccountAdmin
 services:
 - certificatemanager.googleapis.com
 - cloudresourcemanager.googleapis.com
diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml
index fd56f01e..4ae47ec9 100644
--- a/modules/frontend/metadata.yaml
+++ b/modules/frontend/metadata.yaml
@@ -246,11 +246,11 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/iam.serviceAccountUser
- - roles/compute.admin
 - roles/storage.admin
 - roles/iap.admin
 - roles/certificatemanager.owner
+ - roles/iam.serviceAccountUser
+ - roles/compute.admin
 services:
 - certificatemanager.googleapis.com
 - compute.googleapis.com
diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml
index 20d6985d..fae7288a 100644
--- a/modules/serverless_negs/metadata.yaml
+++ b/modules/serverless_negs/metadata.yaml
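Review bot: `iap_members` is typed as a bare `optional(list(string))` with no `validation`, so a caller can pass `allUsers` (or `allAuthenticatedUsers`) and the module will happily bind `roles/iap.httpsResourceAccessor` to it, which effectively reopens the backend that IAP was turned on to protect. A variable validation that rejects at least `allUsers` turns that into a plan-time error instead of a silent public grant; whether `allAuthenticatedUsers` should also be refused is an organisational call and worth stating in the variable's description. The `variable "iap_config"` block begins before this hunk, so its `description` and any existing validation are not visible here.
```hcl
  default = { enable = false }

  validation {
    condition     = !contains(coalesce(var.iap_config.iap_members, []), "allUsers")
    error_message = "iap_config.iap_members must not contain allUsers: granting roles/iap.httpsResourceAccessor to everyone defeats IAP."
  }
}
```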
@@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/storage.admin - - roles/compute.admin - - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/storage.admin + - roles/compute.admin + - roles/run.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/test/integration/backend-with-iap/backend_with_iap_test.go b/test/integration/backend-with-iap/backend_with_iap_test.go index c6323da8..a9d5bc3c 100644 --- a/test/integration/backend-with-iap/backend_with_iap_test.go +++ b/test/integration/backend-with-iap/backend_with_iap_test.go 
@@ -15,25 +15,30 @@ package backend_with_iap
 import (
+ "fmt"
 "testing"
 "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft"
 "github.com/stretchr/testify/assert"
+ "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud"
- test "github.com/terraform-google-modules/terraform-google-lb-http/test/integration"
+ //test "github.com/terraform-google-modules/terraform-google-lb-http/test/integration"
 )
-func TestExternalLbBackendBucket(t *testing.T) {
- bpt := tft.NewTFBlueprintTest(t)
-
- bpt.DefineVerify(func(assert *assert.Assertions) {
- bpt.DefaultVerify(assert)
-
- loadBalancerIp := bpt.GetStringOutput("load-balancer-ip")
-
- test.AssertResponseStatus(t, assert, "http://"+loadBalancerIp, 200)
+func TestLbBackendServiceIap(t *testing.T) {
+ backendServiceWithIAP := tft.NewTFBlueprintTest(t)
+
+ backendServiceWithIAP.DefineVerify(func(assert *assert.Assertions) {
+
+ projectID := backendServiceWithIAP.GetTFSetupStringOutput("project_id")
+ serviceName := backendServiceWithIAP.GetStringOutput("service_name")
+
+ backendServiceDescribeCmd := gcloud.Run(t, "compute backend-services describe", gcloud.WithCommonArgs([]string{serviceName, "--project", projectID, "--global", "--format", "json"}))
+
+ //verify IAP is enabled in backend-services
+ iapConfig := backendServiceDescribeCmd.Get("iap").Map()
+ assert.Equal("true", iapConfig["enabled"].String(), fmt.Sprintf("IAP should be enabled"))
 })
-
- bpt.Test()
+ backendServiceWithIAP.Test()
 }
From 3cbc9d502a3f3ae4db336f0ff49e6509f99af6b4 Mon Sep 17 00:00:00 2001
From: Deepraj
Date: Fri, 22 Aug 2025 11:07:57 +0000
Subject: [PATCH 12/16] removed trailing whitespaces
---
 modules/backend/metadata.yaml | 4 ++--
 modules/dynamic_backends/metadata.yaml | 4 ++--
 modules/frontend/metadata.yaml | 2 +-
 modules/serverless_negs/metadata.yaml | 6 +++---
 .../integration/backend-with-iap/backend_with_iap_test.go | 8 +++-----
 5 files changed, 11 insertions(+), 13 deletions(-)
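Review bot: The verify step only asserts `iap.enabled` on the backend service and never reads the IAP IAM policy, so the behaviour this series adds (binding `roles/iap.httpsResourceAccessor` for the configured principals) is not exercised; a module that enabled IAP but dropped `iap_members` entirely would still pass. `fmt.Sprintf("IAP should be enabled")` has no verbs and is flagged by `go vet`; pass the literal directly and drop the `fmt` import. The `//test "…/test/integration"` import should be removed rather than commented out. A policy check along the following lines closes the gap; the exact `gcloud iap web get-iam-policy` flags and the gjson query should be confirmed against the installed tooling.
```go
// … unchanged: backend-services describe and iap.enabled assertion …
iapPolicy := gcloud.Run(t, "iap web get-iam-policy", gcloud.WithCommonArgs([]string{"--resource-type", "backend-services", "--service", serviceName, "--project", projectID, "--format", "json"}))
accessors := iapPolicy.Get(`bindings.#(role=="roles/iap.httpsResourceAccessor").members`).Array()
assert.NotEmpty(accessors, "configured iap_members should hold roles/iap.httpsResourceAccessor")
for _, m := range accessors {
	assert.NotEqual("allUsers", m.String(), "IAP-protected backend must not be open to allUsers")
}
```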
diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index f0369f9f..4a0265db 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountUser - - roles/iam.serviceAccountAdmin - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin + - roles/iam.serviceAccountUser + - roles/iam.serviceAccountAdmin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index fc05406c..9ca2cc40 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: + - roles/run.admin + - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - - roles/run.admin - - roles/iam.serviceAccountUser services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index 4ae47ec9..57334e9d 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml @@ -246,11 +246,11 @@ spec: roles: - level: Project roles: + - roles/compute.admin - roles/storage.admin - roles/iap.admin - roles/certificatemanager.owner - roles/iam.serviceAccountUser - - roles/compute.admin services: - certificatemanager.googleapis.com - compute.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index fae7288a..20d6985d 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml 
@@ -294,13 +294,13 @@ spec: roles: - level: Project roles: + - roles/storage.admin + - roles/compute.admin + - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin - - roles/run.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/test/integration/backend-with-iap/backend_with_iap_test.go b/test/integration/backend-with-iap/backend_with_iap_test.go index a9d5bc3c..bc065609 100644 --- a/test/integration/backend-with-iap/backend_with_iap_test.go +++ b/test/integration/backend-with-iap/backend_with_iap_test.go @@ -21,20 +21,18 @@ import ( "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/tft" "github.com/stretchr/testify/assert" "github.com/GoogleCloudPlatform/cloud-foundation-toolkit/infra/blueprint-test/pkg/gcloud" - - //test "github.com/terraform-google-modules/terraform-google-lb-http/test/integration" ) func TestLbBackendServiceIap(t *testing.T) { backendServiceWithIAP := tft.NewTFBlueprintTest(t) backendServiceWithIAP.DefineVerify(func(assert *assert.Assertions) { - + projectID := backendServiceWithIAP.GetTFSetupStringOutput("project_id") serviceName := backendServiceWithIAP.GetStringOutput("service_name") - + backendServiceDescribeCmd := gcloud.Run(t, "compute backend-services describe", gcloud.WithCommonArgs([]string{serviceName, "--project", projectID, "--global", "--format", "json"})) - + //verify IAP is enabled in backend-services iapConfig := backendServiceDescribeCmd.Get("iap").Map() assert.Equal("true", iapConfig["enabled"].String(), fmt.Sprintf("IAP should be enabled")) From 1080e6953abe242d60aca2f789403408a4e6eecd Mon Sep 17 00:00:00 2001 
From: Deepraj Date: Fri, 22 Aug 2025 14:45:12 +0000 Subject: [PATCH 13/16] added ui validation for iap_members field --- metadata.display.yaml | 2 +- metadata.yaml | 6 +++--- modules/backend/metadata.display.yaml | 16 +++++++++++++++- modules/backend/metadata.yaml | 2 +- modules/dynamic_backends/metadata.display.yaml | 2 +- modules/dynamic_backends/metadata.yaml | 4 ++-- modules/frontend/metadata.display.yaml | 5 ++++- modules/frontend/metadata.yaml | 2 +- modules/serverless_negs/metadata.display.yaml | 2 +- modules/serverless_negs/metadata.yaml | 4 ++-- 10 files changed, 31 insertions(+), 14 deletions(-) diff --git a/metadata.display.yaml b/metadata.display.yaml index acb5c79d..8ea229ef 100644 --- a/metadata.display.yaml +++ b/metadata.display.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/metadata.yaml b/metadata.yaml index f6e7f929..d62f9e80 100644 --- a/metadata.yaml +++ b/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: - - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin + - roles/iam.serviceAccountAdmin + - roles/storage.admin + - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/backend/metadata.display.yaml b/modules/backend/metadata.display.yaml index ce481043..f83d5785 100644 --- a/modules/backend/metadata.display.yaml +++ b/modules/backend/metadata.display.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
@@ -31,6 +31,9 @@ spec: affinity_cookie_ttl_sec: name: affinity_cookie_ttl_sec title: Affinity Cookie Ttl Sec + backend_bucket_name: + name: backend_bucket_name + title: Backend Bucket Name cdn_policy: name: cdn_policy title: Cdn Policy @@ -66,6 +69,9 @@ spec: firewall_projects: name: firewall_projects title: Firewall Projects + firewall_source_ranges: + name: firewall_source_ranges + title: Firewall Source Ranges groups: name: groups title: Groups @@ -79,6 +85,11 @@ spec: iap_config: name: iap_config title: Iap Config + iap_members: + name: iap_members + title: Iap Members + regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$ + validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:email@example.com. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member). load_balancing_scheme: name: load_balancing_scheme title: Load Balancing Scheme @@ -125,3 +136,6 @@ spec: target_tags: name: target_tags title: Target Tags + timeout_sec: + name: timeout_sec + title: Timeout Sec diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 4a0265db..9057e61f 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml @@ -338,13 +338,13 @@ spec: roles: - level: Project roles: - - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin - roles/iam.serviceAccountUser - roles/iam.serviceAccountAdmin + - roles/compute.admin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com 
diff --git a/modules/dynamic_backends/metadata.display.yaml b/modules/dynamic_backends/metadata.display.yaml index 8f5ed328..7b533863 100644 --- a/modules/dynamic_backends/metadata.display.yaml +++ b/modules/dynamic_backends/metadata.display.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 9ca2cc40..53806ee0 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: + - roles/storage.admin + - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - - roles/storage.admin - - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/frontend/metadata.display.yaml b/modules/frontend/metadata.display.yaml index 20435325..cee668c1 100644 --- a/modules/frontend/metadata.display.yaml +++ b/modules/frontend/metadata.display.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -67,6 +67,9 @@ spec: https_redirect: name: https_redirect title: Https Redirect + internal_forwarding_rules_config: + name: internal_forwarding_rules_config + title: Internal Forwarding Rules Config ipv6_address: name: ipv6_address title: Ipv6 Address diff --git a/modules/frontend/metadata.yaml b/modules/frontend/metadata.yaml index 57334e9d..4ae47ec9 100644 --- a/modules/frontend/metadata.yaml +++ b/modules/frontend/metadata.yaml 
@@ -246,11 +246,11 @@ spec: roles: - level: Project roles: - - roles/compute.admin - roles/storage.admin - roles/iap.admin - roles/certificatemanager.owner - roles/iam.serviceAccountUser + - roles/compute.admin services: - certificatemanager.googleapis.com - compute.googleapis.com diff --git a/modules/serverless_negs/metadata.display.yaml b/modules/serverless_negs/metadata.display.yaml index 01ad3ef9..6a6b669b 100644 --- a/modules/serverless_negs/metadata.display.yaml +++ b/modules/serverless_negs/metadata.display.yaml @@ -1,4 +1,4 @@ -# Copyright 2024 Google LLC +# Copyright 2025 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index 20d6985d..b61f3ea9 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/storage.admin - - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin + - roles/storage.admin + - roles/compute.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From 92113c153a504df9801fcaad9ff4963589af4206 Mon Sep 17 00:00:00 2001 From: Deepraj Date: Fri, 22 Aug 2025 15:34:09 +0000 Subject: [PATCH 14/16] iap_members logic update and regex validation --- metadata.yaml | 2 +- modules/backend/main.tf | 3 ++- modules/backend/metadata.display.yaml | 11 ++++++----- modules/backend/metadata.yaml | 6 +++--- modules/dynamic_backends/metadata.yaml | 4 ++-- modules/serverless_negs/metadata.yaml | 2 +- 6 files changed, 15 insertions(+), 13 deletions(-) diff --git a/metadata.yaml b/metadata.yaml index d62f9e80..18e95d68 100644 --- a/metadata.yaml +++ b/metadata.yaml 
@@ -338,13 +338,13 @@ spec:
 roles:
 - level: Project
 roles:
- - roles/run.admin
 - roles/iam.serviceAccountUser
 - roles/certificatemanager.owner
 - roles/vpcaccess.admin
 - roles/iam.serviceAccountAdmin
 - roles/storage.admin
 - roles/compute.admin
+ - roles/run.admin
 services:
 - certificatemanager.googleapis.com
 - cloudresourcemanager.googleapis.com
diff --git a/modules/backend/main.tf b/modules/backend/main.tf
index 14d35867..5487fdc3 100644
--- a/modules/backend/main.tf
+++ b/modules/backend/main.tf
@@ -17,6 +17,7 @@ locals {
 is_backend_bucket = var.backend_bucket_name != null && var.backend_bucket_name != ""
 serverless_neg_backends = local.is_backend_bucket ? [] : var.serverless_neg_backends
+ iap_access_members = var.iap_config.enable ? coalesce(var.iap_config.iap_members, []) : []
 }
 resource "google_compute_backend_service" "default" {
@@ -367,7 +368,7 @@ resource "google_compute_backend_bucket" "default" {
 }
 resource "google_iap_web_backend_service_iam_member" "member" {
- for_each = toset(var.iap_config.iap_members)
+ for_each = toset(local.iap_access_members)
 project = google_compute_backend_service.default[0].project
 web_backend_service = google_compute_backend_service.default[0].name
 role = "roles/iap.httpsResourceAccessor"
diff --git a/modules/backend/metadata.display.yaml b/modules/backend/metadata.display.yaml
index f83d5785..8ec61619 100644
--- a/modules/backend/metadata.display.yaml
+++ b/modules/backend/metadata.display.yaml
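Review bot: `google_iap_web_backend_service_iam_member.member` still indexes `google_compute_backend_service.default[0]` for every member, but the module evidently switches to a backend bucket when `local.is_backend_bucket` is true (the same flag empties `serverless_neg_backends`), so a caller who sets `iap_members` together with `backend_bucket_name` would presumably hit an invalid-index error at plan time instead of a clear message. Gating the new local on the same flag keeps the two in step, `iap_access_members = var.iap_config.enable && !local.is_backend_bucket ? coalesce(var.iap_config.iap_members, []) : []`, or a `precondition` on the resource can spell out that IAP members require a backend service. Separately, when `enable` is false the list is now discarded silently, which hides a misconfiguration; rejecting a non-empty list with `enable = false` in a variable validation would surface it. Because each principal is its own `_iam_member` resource the binding is non-authoritative, which deserves a comment on the resource: `# Non-authoritative: only members listed here are managed; grants made out of band are left in place.` The `locals` block and the IAM resource both continue outside this hunk.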
@@ -85,11 +85,12 @@ spec: iap_config: name: iap_config title: Iap Config - iap_members: - name: iap_members - title: Iap Members - regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$ - validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:email@example.com. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member). + properties: + iap_members: + name: iap_members + title: Iap Members + regexValidation: ^(?:allUsers|allAuthenticatedUsers)$|^((?:user|group|serviceAccount):(?:[a-zA-Z0-9._-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})|(?:domain:(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})|(?:projectOwner|projectEditor|projectViewer):[a-z][a-z0-9-]{0,28}[a-z0-9])$ + validation: Must be allUsers, allAuthenticatedUsers, or a service account in the format serviceAccount:email@example.com. [More info](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam#google_iap_web_backend_service_iam_member). load_balancing_scheme: name: load_balancing_scheme title: Load Balancing Scheme diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index 9057e61f..f0369f9f 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml 
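Review bot: The `validation` help text under `iap_members` says the value "Must be allUsers, allAuthenticatedUsers, or a service account", but the `regexValidation` on the line above also admits `user:`, `group:`, `domain:` and `projectOwner|projectEditor|projectViewer:` principals, so the message misdescribes the field; more importantly it presents `allUsers` as an expected value for a field that grants `roles/iap.httpsResourceAccessor`, and binding that role to everyone removes the protection IAP was enabled for. Consider dropping the leading `^(?:allUsers|allAuthenticatedUsers)$|` alternative (at minimum `allUsers`) from the regex so the UI rejects it, and rewording the message to match what is actually accepted, e.g. `validation: Must be an IAM principal such as user:name@example.com, group:name@example.com, serviceAccount:name@project.iam.gserviceaccount.com or domain:example.com. [More info](…)`. If the public principals are kept deliberately, the message should at least warn that they make the backend reachable without an IAP identity check.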
@@ -338,13 +338,13 @@ spec: roles: - level: Project roles: + - roles/iam.serviceAccountUser + - roles/iam.serviceAccountAdmin + - roles/compute.admin - roles/storage.admin - roles/run.admin - roles/compute.networkAdmin - roles/iap.admin - - roles/iam.serviceAccountUser - - roles/iam.serviceAccountAdmin - - roles/compute.admin services: - cloudresourcemanager.googleapis.com - compute.googleapis.com diff --git a/modules/dynamic_backends/metadata.yaml b/modules/dynamic_backends/metadata.yaml index 53806ee0..ba9a6da3 100644 --- a/modules/dynamic_backends/metadata.yaml +++ b/modules/dynamic_backends/metadata.yaml @@ -330,13 +330,13 @@ spec: roles: - level: Project roles: + - roles/vpcaccess.admin + - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - - roles/vpcaccess.admin - - roles/iam.serviceAccountAdmin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com diff --git a/modules/serverless_negs/metadata.yaml b/modules/serverless_negs/metadata.yaml index b61f3ea9..fae7288a 100644 --- a/modules/serverless_negs/metadata.yaml +++ b/modules/serverless_negs/metadata.yaml @@ -294,13 +294,13 @@ spec: roles: - level: Project roles: - - roles/run.admin - roles/iam.serviceAccountUser - roles/certificatemanager.owner - roles/vpcaccess.admin - roles/iam.serviceAccountAdmin - roles/storage.admin - roles/compute.admin + - roles/run.admin services: - certificatemanager.googleapis.com - cloudresourcemanager.googleapis.com From 0a41688962c915ec74f78b7821a96d762753c659 Mon Sep 17 00:00:00 2001 From: abhishek kumar tiwari Date: Tue, 26 Aug 2025 11:44:02 +0530 Subject: [PATCH 15/16] Update Makefile --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2404371e..6f87f72a 100644 --- a/Makefile +++ b/Makefile 
@@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd From 75845bec628f64f17da1a94ad0fd1dd65e7b80b7 Mon Sep 17 00:00:00 2001 From: bryan0515 Date: Wed, 27 Aug 2025 09:06:58 -0700 Subject: [PATCH 16/16] Address comments from https://github.com/terraform-google-modules/terraform-google-lb-http/pull/528 --- examples/backend-with-iap/outputs.tf | 7 +------ modules/backend/README.md | 2 -- modules/backend/metadata.yaml | 4 ---- modules/backend/outputs.tf | 10 ---------- .../backend-with-iap/backend_with_iap_test.go | 2 +- 5 files changed, 2 insertions(+), 23 deletions(-) diff --git a/examples/backend-with-iap/outputs.tf b/examples/backend-with-iap/outputs.tf index ac843af5..02b12921 100644 --- a/examples/backend-with-iap/outputs.tf +++ b/examples/backend-with-iap/outputs.tf @@ -16,11 +16,6 @@ output "project_id" { - value = module.lb-backend-iap.project_id + value = var.project_id description = "Project ID of the service" } - -output "service_name" { - value = module.lb-backend-iap.service_name - description = "Name of the created service" -} diff --git a/modules/backend/README.md b/modules/backend/README.md index 34369fcc..409758bc 100644 --- a/modules/backend/README.md +++ b/modules/backend/README.md @@ -44,7 +44,5 @@ This module creates `google_compute_backend_service` resource and its dependenci |------|-------------| | apphub\_service\_uri | Service URI in CAIS style to be used by Apphub. | | backend\_service\_info | Host, path and backend service mapping | -| project\_id | Project ID of the service | -| service\_name | Name of the created service | diff --git a/modules/backend/metadata.yaml b/modules/backend/metadata.yaml index f0369f9f..a51690f0 100644 --- a/modules/backend/metadata.yaml +++ b/modules/backend/metadata.yaml 
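Review bot: Changing `DOCKER_TAG_VERSION_DEVELOPER_TOOLS` from `1.25.4` to `1.25` replaces an exact pin with a floating tag, so every local `make` run pulls whatever the registry currently labels `1.25` and a retagged image is picked up without review; the developer-tools container runs the lint and test tooling, so this is a supply-chain surface. Prefer keeping the exact tag and bumping it deliberately, `DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.25.4`, or pinning by digest. If a floating tag is intentional to track the value the CI pipeline substitutes for `$_DOCKER_TAG_VERSION_DEVELOPER_TOOLS` elsewhere, a one-line comment saying so would spare the next reviewer the same question.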
@@ -330,10 +330,6 @@ spec:
 - backend_service: string
 host: string
 path: string
- - name: project_id
- description: Project ID of the service
- - name: service_name
- description: Name of the created service
 requirements:
 roles:
 - level: Project
diff --git a/modules/backend/outputs.tf b/modules/backend/outputs.tf
index d072070b..a8dab938 100644
--- a/modules/backend/outputs.tf
+++ b/modules/backend/outputs.tf
@@ -43,13 +43,3 @@ output "apphub_service_uri" {
 )
 description = "Service URI in CAIS style to be used by Apphub."
 }
-
-output "project_id" {
- value = var.project_id
- description = "Project ID of the service"
-}
-
-output "service_name" {
- value = var.name
- description = "Name of the created service"
-}
diff --git a/test/integration/backend-with-iap/backend_with_iap_test.go b/test/integration/backend-with-iap/backend_with_iap_test.go
index bc065609..1ded15b5 100644
--- a/test/integration/backend-with-iap/backend_with_iap_test.go
+++ b/test/integration/backend-with-iap/backend_with_iap_test.go
@@ -29,7 +29,7 @@ func TestLbBackendServiceIap(t *testing.T) {
 backendServiceWithIAP.DefineVerify(func(assert *assert.Assertions) {
 projectID := backendServiceWithIAP.GetTFSetupStringOutput("project_id")
- serviceName := backendServiceWithIAP.GetStringOutput("service_name")
+ serviceName := "backend-with-iap"
 backendServiceDescribeCmd := gcloud.Run(t, "compute backend-services describe", gcloud.WithCommonArgs([]string{serviceName, "--project", projectID, "--global", "--format", "json"}))
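Review bot: `serviceName := "backend-with-iap"` hard-codes the backend service name now that the `service_name` output is removed in the same patch, so if the example's `name` for `module.lb-backend-iap` ever changes the test will describe a non-existent service and fail inside gcloud rather than on a readable assertion. Hoisting it to a documented package-level constant makes the coupling explicit for the next maintainer: `// backendServiceName must match the name given to module.lb-backend-iap in the example.` followed by `const backendServiceName = "backend-with-iap"`, and use that in the describe call. The `DefineVerify` closure continues past the end of this hunk.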