本页面提供可在部署外部应用负载均衡器时使用的 Terraform 模块。根据您的首选后端类型,使用以下示例之一部署示例外部应用负载均衡器。
如果您刚开始使用 Terraform for Google Cloud,请参阅 Terraform 使用入门。
如需使用预构建的 Terraform 模板来简化 Google Cloud 的网络基础架构的设置和管理,请探索简化的 Cloud 网络配置解决方案 GitHub 代码库。
具有托管式实例组 (MIG) 后端的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Compute Engine 后端的外部 HTTP 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Router、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/multi-mig-http-lb
目录中运行 terraform plan
命令。
如需详细了解此示例并了解如何运行此示例,请参阅 GitHub 上的 README。
# External Application Load Balancer in front of two MIGs. No `ssl` argument
# is set, so the module provisions an HTTP (port 80) front end only, plus the
# URL map, backend service and the firewall rules that admit Google
# health-check traffic to VMs carrying one of the target tags.
module "gce-lb-http" {
  source  = "terraform-google-modules/lb-http/google"
  version = "~> 12.0"

  project = var.project
  name    = var.network_prefix

  # The module's firewall rules are scoped to this network and to VMs with one
  # of these tags.
  firewall_networks = [google_compute_network.default.name]
  target_tags = [
    "${var.network_prefix}-group1",
    module.cloud-nat-group1.router_name,
    "${var.network_prefix}-group2",
    module.cloud-nat-group2.router_name,
  ]

  backends = {
    default = {
      # Proxy-to-VM hop is plain HTTP on the MIGs' "http" named port.
      protocol    = "HTTP"
      port        = 80
      port_name   = "http"
      timeout_sec = 10
      enable_cdn  = false

      health_check = { request_path = "/", port = 80 }

      # Request logging at 100 % sampling: every request that reaches this
      # backend is recorded in Cloud Logging.
      log_config = { enable = true, sample_rate = 1.0 }

      groups = [
        { group = module.mig1.instance_group },
        { group = module.mig2.instance_group },
      ]

      # Identity-Aware Proxy is off: anyone who can reach the load balancer's
      # public address can reach the backend.
      iap_config = { enable = false }
    }
  }
}
具有 MIG 后端和自定义标头的外部应用负载均衡器
您可以使用 Terraform 资源来启动具有已启用 Cloud CDN 的后端服务以及自定义请求和响应标头的外部应用负载均衡器。
如需详细了解负载均衡器设置,请参阅主要设置指南。
# VPC for the load balancer's backends. Custom mode: subnets are declared
# explicitly below, and a new network carries no user firewall rules, so only
# the rules declared in this file admit ingress traffic.
resource "google_compute_network" "default" {
  provider                = google-beta
  name                    = "l7-xlb-network"
  auto_create_subnetworks = false
}
# Subnet hosting the backend VMs (us-central1, RFC 1918 range).
resource "google_compute_subnetwork" "default" {
  provider      = google-beta
  name          = "l7-xlb-subnet"
  region        = "us-central1"
  network       = google_compute_network.default.id
  ip_cidr_range = "10.0.1.0/24"
}
# Reserved global external IP address for the forwarding rule, so the
# load balancer's public address survives re-creation of the other resources.
resource "google_compute_global_address" "default" {
  provider = google-beta
  name     = "l7-xlb-static-ip"
}
# Forwarding rule: the internet-facing entry point. It listens on TCP/80 only,
# so client traffic to this load balancer is unencrypted HTTP; see the
# HTTP-to-HTTPS redirect example for an HTTPS front end.
resource "google_compute_global_forwarding_rule" "default" {
  provider = google-beta
  name     = "l7-xlb-forwarding-rule"

  # "EXTERNAL" on a global forwarding rule selects the classic Application
  # Load Balancer.
  load_balancing_scheme = "EXTERNAL"
  ip_protocol           = "TCP"
  port_range            = "80"

  ip_address = google_compute_global_address.default.id
  target     = google_compute_target_http_proxy.default.id
}
# HTTP target proxy: terminates client connections and hands requests to the
# URL map. Being an HTTP (not HTTPS) proxy, it performs no TLS.
resource "google_compute_target_http_proxy" "default" {
  provider = google-beta
  name     = "l7-xlb-target-http-proxy"
  url_map  = google_compute_url_map.default.id
}
# URL map with a single default route: every host and path goes to the one
# backend service.
resource "google_compute_url_map" "default" {
  provider        = google-beta
  name            = "l7-xlb-url-map"
  default_service = google_compute_backend_service.default.id
}
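# Backend service with custom request and response headers.
resource "google_compute_backend_service" "default" {
  provider              = google-beta
  name                  = "l7-xlb-backend-service"
  load_balancing_scheme = "EXTERNAL"
  protocol              = "HTTP"

  # Must name a named_port declared on the backend MIG: the proxy connects to
  # that port, and the health check (USE_SERVING_PORT) probes it too.
  port_name   = "my-port"
  timeout_sec = 10

  # Cloud CDN caches cacheable responses at the edge. Keep it for content that
  # is safe to hand to any client from cache; per-user or authenticated
  # responses need explicit Cache-Control headers from the backend.
  enable_cdn = true

  # Headers injected by the proxy; {client_*} and {cdn_cache_status} are
  # load-balancer variables substituted per request.
  custom_request_headers  = ["X-Client-Geo-Location: {client_region_subdivision}, {client_city}"]
  custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]

  health_checks = [google_compute_health_check.default.id]

  # Request logging at full sampling, matching the module-based examples:
  # without it there is no per-request record at the load balancer.
  log_config {
    enable      = true
    sample_rate = 1.0
  }

  backend {
    group           = google_compute_instance_group_manager.default.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}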
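# Instance template for the backend VMs.
resource "google_compute_instance_template" "default" {
  provider     = google-beta
  name         = "l7-xlb-mig-template"
  machine_type = "e2-small"

  # The health-check firewall rule selects VMs by this tag.
  tags = ["allow-health-check"]

  network_interface {
    network    = google_compute_network.default.id
    subnetwork = google_compute_subnetwork.default.id

    # Ephemeral external IP so the startup script can reach the Debian package
    # mirrors. Cloud NAT would avoid giving every backend a public address;
    # since no firewall rule here admits 0.0.0.0/0, only the health-check
    # ranges can reach the VMs directly.
    access_config {}
  }

  disk {
    source_image = "debian-cloud/debian-12"
    auto_delete  = true
    boot         = true
  }

  # Shielded VM: UEFI secure boot, vTPM and integrity monitoring on the
  # Debian 12 image, so a tampered boot chain is detected and reported.
  shielded_instance_config {
    enable_secure_boot          = true
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }

  # install nginx and serve a simple web page
  metadata = {
    startup-script = <<-EOF1
      #! /bin/bash
      set -euo pipefail
      export DEBIAN_FRONTEND=noninteractive
      apt-get update
      apt-get install -y nginx-light jq
      # -f makes a non-2xx metadata response abort the script (set -e)
      # instead of silently writing an error body into the page.
      NAME=$(curl -fsS -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
      IP=$(curl -fsS -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
      # Demo only: this publishes every instance attribute except the startup
      # script on an unauthenticated page. Anything else stored in instance
      # metadata (for example ssh-keys) becomes world-readable through the load
      # balancer; remove this outside a throwaway environment.
      METADATA=$(curl -fsS -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
      cat <<EOF > /var/www/html/index.html
      <pre>
      Name: $NAME
      IP: $IP
      Metadata: $METADATA
      </pre>
      EOF
    EOF1
  }

  lifecycle {
    create_before_destroy = true
  }
}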
# Health check: probes each VM on the backend service's named port
# (USE_SERVING_PORT), so it follows port_name instead of a fixed number.
resource "google_compute_health_check" "default" {
  provider = google-beta
  name     = "l7-xlb-hc"

  http_health_check {
    port_specification = "USE_SERVING_PORT"
  }
}
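# MIG: two nginx VMs built from the template above.
resource "google_compute_instance_group_manager" "default" {
  provider = google-beta
  name     = "l7-xlb-mig1"
  zone     = "us-central1-c"

  # The backend service selects its serving port by name ("my-port"), so the
  # named port must carry that name, and it must point at the port nginx
  # actually listens on: nginx-light from the startup script serves on 80,
  # and nothing on the VM listens on 8080.
  named_port {
    name = "my-port"
    port = 80
  }

  version {
    name              = "primary"
    instance_template = google_compute_instance_template.default.id
  }

  base_instance_name = "vm"
  target_size        = 2
}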
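# Allow Google Cloud health-check and proxy traffic to reach the tagged
# backend VMs.
resource "google_compute_firewall" "default" {
  provider  = google-beta
  name      = "l7-xlb-fw-allow-hc"
  network   = google_compute_network.default.id
  direction = "INGRESS"

  # Google's documented health-check / proxy source ranges.
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]

  # Least privilege: admit only the port nginx serves on rather than every TCP
  # port on the VM. Extend the list if the serving port changes.
  allow {
    protocol = "tcp"
    ports    = ["80"]
  }

  target_tags = ["allow-health-check"]
}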
具有后端存储桶和 MIG 的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Compute Engine 后端以及从 Cloud Storage 存储桶传送的静态资源的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Storage 存储桶和对象、Cloud Router、自签名 SSL 证书、所有必要的负载均衡器组件以及后端实例组。(自签名证书仅适合测试:客户端无法验证该证书,生产环境应改用 Google 代管式证书或由受信任 CA 签发的证书;另请注意,传给模块的私钥会以明文形式写入 Terraform 状态。)如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/multi-backend-multi-mig-bucket-https-lb
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
# External HTTPS load balancer with one catch-all backend ("default") spread
# over three MIGs plus one backend service per MIG; paths are routed by the
# URL map declared alongside this module (create_url_map = false).
module "gce-lb-https" {
  source  = "terraform-google-modules/lb-http/google"
  version = "~> 12.0"

  project = var.project
  name    = var.network_name

  target_tags = [
    "${var.network_name}-group1",
    module.cloud-nat-group1.router_name,
    "${var.network_name}-group2",
    module.cloud-nat-group2.router_name,
    "${var.network_name}-group3",
    module.cloud-nat-group3.router_name,
  ]
  firewall_networks = [google_compute_network.default.self_link]

  # The URL map is authored outside the module so it can send paths to the
  # per-MIG backends and to the static-assets bucket.
  create_url_map = false
  url_map        = google_compute_url_map.ml-bkd-ml-mig-bckt-s-lb.self_link

  # TLS termination with a self-signed certificate: acceptable for a test
  # deployment, but clients cannot validate it and browsers will reject it.
  # Use a Google-managed or CA-issued certificate for anything real. The PEM
  # private key passed here is written to Terraform state in plaintext, so the
  # state backend needs the same protection as the key itself.
  ssl         = true
  private_key = tls_private_key.example.private_key_pem
  certificate = tls_self_signed_cert.example.cert_pem

  # All four backends share the same settings and differ only in MIG
  # membership: plain HTTP to the VMs on the "http" named port, request logging
  # at full sampling, no CDN, and IAP off (public access).
  backends = {
    default = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      groups = [
        { group = module.mig1.instance_group },
        { group = module.mig2.instance_group },
        { group = module.mig3.instance_group },
      ]
      iap_config = { enable = false }
    }

    mig1 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      groups       = [{ group = module.mig1.instance_group }]
      iap_config   = { enable = false }
    }

    mig2 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      groups       = [{ group = module.mig2.instance_group }]
      iap_config   = { enable = false }
    }

    mig3 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      groups       = [{ group = module.mig3.instance_group }]
      iap_config   = { enable = false }
    }
  }
}
# URL map for the HTTPS load balancer; its name doubles as the load balancer's
# name. The host rule matches every host ("*"), so routing is by path prefix
# only and the Host header is not a boundary here.
resource "google_compute_url_map" "ml-bkd-ml-mig-bckt-s-lb" {
  name            = var.network_name
  default_service = module.gce-lb-https.backend_services["default"].self_link

  host_rule {
    hosts        = ["*"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = module.gce-lb-https.backend_services["default"].self_link

    # /groupN and everything beneath it goes to that MIG's own backend service.
    path_rule {
      paths   = ["/group1", "/group1/*"]
      service = module.gce-lb-https.backend_services["mig1"].self_link
    }

    path_rule {
      paths   = ["/group2", "/group2/*"]
      service = module.gce-lb-https.backend_services["mig2"].self_link
    }

    path_rule {
      paths   = ["/group3", "/group3/*"]
      service = module.gce-lb-https.backend_services["mig3"].self_link
    }

    # Static assets are served straight from the Cloud Storage backend bucket.
    path_rule {
      paths   = ["/assets", "/assets/*"]
      service = google_compute_backend_bucket.assets.self_link
    }
  }
}
# Backend bucket: exposes the assets bucket through the load balancer with
# Cloud CDN caching. The load balancer reads objects anonymously, which is why
# the objects below are made publicly readable.
resource "google_compute_backend_bucket" "assets" {
  name        = random_id.assets-bucket.hex
  bucket_name = google_storage_bucket.assets.name
  description = "Contains static resources for example app"
  enable_cdn  = true
}
# Cloud Storage bucket holding the static assets. Access is granted per object
# (see the object ACL below); if uniform bucket-level access is turned on here
# or enforced by organization policy, per-object ACLs stop working and a
# bucket-level IAM grant would be needed instead.
resource "google_storage_bucket" "assets" {
  name     = random_id.assets-bucket.hex
  location = "US"

  // Demo convenience: `terraform destroy` deletes the bucket even when it
  // still holds objects. Do not carry this into a bucket with real data.
  force_destroy = true
}
// The image object uploaded to Cloud Storage. Its object name carries the
// "assets/" prefix so it lines up with the /assets path rule in the URL map.
resource "google_storage_bucket_object" "image" {
  bucket       = google_storage_bucket.assets.name
  name         = "assets/gcp-logo.svg"
  content_type = "image/svg+xml"
  content      = file("gcp-logo.svg")
}
// Make the object readable by anyone (anonymous read), which is what a
// backend bucket needs to serve it. This only covers the single object
// declared above; it will be rejected where public access prevention or
// uniform bucket-level access is enforced.
resource "google_storage_object_acl" "image-acl" {
  bucket         = google_storage_bucket.assets.name
  object         = google_storage_bucket_object.image.name
  predefined_acl = "publicRead"
}
具有 Cloud Run 后端的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Cloud Run 后端的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 Cloud Run 服务、指向该服务的无服务器网络端点组 (NEG)、Google 代管式 SSL 证书(在 ssl = true 时)、设置 HTTP 到 HTTPS 重定向的网址映射以及所有必要的负载均衡器组件。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/cloudrun
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
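# External load balancer in front of a Cloud Run service via a serverless NEG.
# TLS (Google-managed certificate for var.domain) and the HTTP-to-HTTPS
# redirect are both gated on var.ssl; with ssl = false the service is served
# over plain HTTP only.
module "lb-http" {
  source  = "terraform-google-modules/lb-http/google//modules/serverless_negs"
  version = "~> 12.0"

  project = var.project_id
  name    = var.lb_name
  labels  = { "example-label" = "cloud-run-example" }

  ssl                             = var.ssl
  managed_ssl_certificate_domains = [var.domain]
  https_redirect                  = var.ssl

  backends = {
    default = {
      description = null
      groups      = [{ group = google_compute_region_network_endpoint_group.serverless_neg.id }]
      enable_cdn  = false
      iap_config  = { enable = false }

      # Request logging on at full sampling, as in the other examples: the
      # service is publicly invokable, and without this there is no record at
      # the load balancer of who called it.
      log_config = { enable = true, sample_rate = 1.0 }
    }
  }
}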
# Serverless NEG that points the load balancer at the Cloud Run service in
# var.region.
resource "google_compute_region_network_endpoint_group" "serverless_neg" {
  provider = google-beta
  name     = "serverless-neg"
  region   = var.region

  network_endpoint_type = "SERVERLESS"

  cloud_run {
    service = google_cloud_run_service.default.name
  }
}
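# Cloud Run service running Google's sample "hello" container.
resource "google_cloud_run_service" "default" {
  project  = var.project_id
  location = var.region
  name     = "example"

  template {
    spec {
      containers {
        image = "gcr.io/cloudrun/hello"
      }
    }
  }

  metadata {
    annotations = {
      # Accept traffic only when it arrives through Cloud Load Balancing (or
      # from inside the VPC). With "all", the service's default *.run.app URL
      # stays publicly reachable and bypasses everything enforced at the load
      # balancer (HTTPS redirect, request logging, any attached security
      # policy). For valid annotation values and descriptions, see
      # https://cloud.google.com/sdk/gcloud/reference/run/deploy#--ingress
      "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
    }
  }
}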
# Grant unauthenticated invocation: the load balancer forwards requests
# without an identity token, so "allUsers" needs roles/run.invoker. Note that
# unless the service's ingress setting restricts it, this same grant also
# makes the service's own *.run.app URL callable by anyone.
resource "google_cloud_run_service_iam_member" "public-access" {
  project  = google_cloud_run_service.default.project
  location = google_cloud_run_service.default.location
  service  = google_cloud_run_service.default.name

  role   = "roles/run.invoker"
  member = "allUsers"
}
具有 HTTP 到 HTTPS 重定向的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 HTTP 到 HTTPS 重定向的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、自签名 SSL 证书、Cloud Router、所有必要的负载均衡器组件以及后端实例组。(自签名证书仅适合测试:浏览器会发出警告且客户端无法验证该证书,生产环境应改用 Google 代管式证书或由受信任 CA 签发的证书。)如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/https-redirect
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
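# External HTTPS load balancer that also listens on port 80 and redirects
# those requests to HTTPS (https_redirect = true), so clients never exchange
# application traffic in the clear.
module "gce-lb-http" {
  source  = "terraform-google-modules/lb-http/google"
  version = "~> 12.0"

  project = var.project
  name    = "ci-https-redirect"

  target_tags       = [var.network_name]
  firewall_networks = [google_compute_network.default.name]

  # TLS is terminated with the certificate resource referenced here; in this
  # example it is self-signed, so browsers will warn and clients cannot
  # validate it. Use a Google-managed or CA-issued certificate outside a test
  # setup.
  ssl              = true
  ssl_certificates = [google_compute_ssl_certificate.example.self_link]
  https_redirect   = true

  backends = {
    default = {
      # Proxy-to-VM hop is plain HTTP on the MIG's "http" named port.
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = { request_path = "/", port = 80 }

      # Request logging at full sampling so requests to this backend are
      # recorded in Cloud Logging, consistent with the other MIG examples.
      log_config = { enable = true, sample_rate = 1.0 }

      groups     = [{ group = module.mig.instance_group }]
      iap_config = { enable = false }
    }
  }
}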
使用共享 VPC 的外部应用负载均衡器
您可以使用 Terraform 模块启动共享 VPC 设置中的外部应用负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Router、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/shared-vpc
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
# External HTTP load balancer in a Shared VPC: the load balancer is created in
# the service project, while the network (and the firewall rules the module
# adds for health checks) belong to the host project.
module "gce-lb-http" {
  source  = "terraform-google-modules/lb-http/google"
  version = "~> 12.0"

  project = var.service_project
  name    = "group-http-lb"

  # Firewall rules are created in the host project's network and applied to
  # VMs carrying this tag, so the identity running Terraform must be able to
  # manage firewall rules in the host project.
  firewall_projects = [var.host_project]
  firewall_networks = [var.network]
  target_tags       = ["allow-shared-vpc-mig"]

  backends = {
    default = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = { request_path = "/", port = 80 }
      log_config   = { enable = true, sample_rate = 1.0 }
      groups       = [{ group = module.mig.instance_group }]

      # No TLS (`ssl` is not set) and no IAP: an HTTP-only, publicly reachable
      # front end.
      iap_config = { enable = false }
    }
  }
}