本页面提供可在部署外部应用负载均衡器时使用的 Terraform 模块。根据您的首选后端类型,使用以下示例之一部署示例外部应用负载均衡器。
如果您刚开始使用 Terraform for Google Cloud,请参阅 Terraform 使用入门。
具有代管式实例组 (MIG) 后端的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Compute Engine 后端的外部 HTTP 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Router、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/multi-mig-http-lb
目录中运行 terraform plan
命令。
如需详细了解此示例并了解如何运行此示例,请参阅 GitHub 上的 README。
module "gce-lb-http" {
source = "terraform-google-modules/lb-http/google"
version = "~> 10.0"
name = var.network_prefix
project = var.project
target_tags = [
"${var.network_prefix}-group1",
module.cloud-nat-group1.router_name,
"${var.network_prefix}-group2",
module.cloud-nat-group2.router_name
]
firewall_networks = [google_compute_network.default.name]
backends = {
default = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = {
request_path = "/"
port = 80
}
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig1.instance_group
},
{
group = module.mig2.instance_group
},
]
iap_config = {
enable = false
}
}
}
}
具有 MIG 后端和自定义标头的外部应用负载均衡器
您可以使用 Terraform 资源来启动具有已启用 Cloud CDN 的后端服务以及自定义请求和响应标头的外部应用负载均衡器。
如需详细了解负载均衡器设置,请参阅主要设置指南。
# VPC
resource "google_compute_network" "default" {
name = "l7-xlb-network"
provider = google-beta
auto_create_subnetworks = false
}
# backend subnet
resource "google_compute_subnetwork" "default" {
name = "l7-xlb-subnet"
provider = google-beta
ip_cidr_range = "10.0.1.0/24"
region = "us-central1"
network = google_compute_network.default.id
}
# reserved IP address
resource "google_compute_global_address" "default" {
provider = google-beta
name = "l7-xlb-static-ip"
}
# forwarding rule
resource "google_compute_global_forwarding_rule" "default" {
name = "l7-xlb-forwarding-rule"
provider = google-beta
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
port_range = "80"
target = google_compute_target_http_proxy.default.id
ip_address = google_compute_global_address.default.id
}
# http proxy
resource "google_compute_target_http_proxy" "default" {
name = "l7-xlb-target-http-proxy"
provider = google-beta
url_map = google_compute_url_map.default.id
}
# url map
resource "google_compute_url_map" "default" {
name = "l7-xlb-url-map"
provider = google-beta
default_service = google_compute_backend_service.default.id
}
# backend service with custom request and response headers
resource "google_compute_backend_service" "default" {
name = "l7-xlb-backend-service"
provider = google-beta
protocol = "HTTP"
port_name = "my-port"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 10
enable_cdn = true
custom_request_headers = ["X-Client-Geo-Location: {client_region_subdivision}, {client_city}"]
custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]
health_checks = [google_compute_health_check.default.id]
backend {
group = google_compute_instance_group_manager.default.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}
# instance template
resource "google_compute_instance_template" "default" {
name = "l7-xlb-mig-template"
provider = google-beta
machine_type = "e2-small"
tags = ["allow-health-check"]
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
access_config {
# add external ip to fetch packages
}
}
disk {
source_image = "debian-cloud/debian-10"
auto_delete = true
boot = true
}
# install nginx and serve a simple web page
metadata = {
startup-script = <<-EOF1
#! /bin/bash
set -euo pipefail
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y nginx-light jq
NAME=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/hostname")
IP=$(curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip")
METADATA=$(curl -f -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/attributes/?recursive=True" | jq 'del(.["startup-script"])')
cat <<EOF > /var/www/html/index.html
<pre>
Name: $NAME
IP: $IP
Metadata: $METADATA
</pre>
EOF
EOF1
}
lifecycle {
create_before_destroy = true
}
}
# health check
resource "google_compute_health_check" "default" {
name = "l7-xlb-hc"
provider = google-beta
http_health_check {
port_specification = "USE_SERVING_PORT"
}
}
# MIG
resource "google_compute_instance_group_manager" "default" {
name = "l7-xlb-mig1"
provider = google-beta
zone = "us-central1-c"
named_port {
name = "http"
port = 8080
}
version {
instance_template = google_compute_instance_template.default.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
# allow access from health check ranges
resource "google_compute_firewall" "default" {
name = "l7-xlb-fw-allow-hc"
provider = google-beta
direction = "INGRESS"
network = google_compute_network.default.id
source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
allow {
protocol = "tcp"
}
target_tags = ["allow-health-check"]
}
具有后端存储桶和 MIG 的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Compute Engine 后端以及从 Cloud Storage 存储桶传送的静态资源的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Storage 存储桶和对象、Cloud Router、自签名 SSL 证书、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/multi-backend-multi-mig-bucket-https-lb
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
module "gce-lb-https" {
source = "terraform-google-modules/lb-http/google"
version = "~> 10.0"
name = var.network_name
project = var.project
target_tags = [
"${var.network_name}-group1",
module.cloud-nat-group1.router_name,
"${var.network_name}-group2",
module.cloud-nat-group2.router_name,
"${var.network_name}-group3",
module.cloud-nat-group3.router_name
]
firewall_networks = [google_compute_network.default.self_link]
url_map = google_compute_url_map.ml-bkd-ml-mig-bckt-s-lb.self_link
create_url_map = false
ssl = true
private_key = tls_private_key.example.private_key_pem
certificate = tls_self_signed_cert.example.cert_pem
backends = {
default = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = local.health_check
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig1.instance_group
},
{
group = module.mig2.instance_group
},
{
group = module.mig3.instance_group
},
]
iap_config = {
enable = false
}
}
mig1 = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = local.health_check
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig1.instance_group
},
]
iap_config = {
enable = false
}
}
mig2 = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = local.health_check
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig2.instance_group
},
]
iap_config = {
enable = false
}
}
mig3 = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = local.health_check
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig3.instance_group
},
]
iap_config = {
enable = false
}
}
}
}
resource "google_compute_url_map" "ml-bkd-ml-mig-bckt-s-lb" {
// note that this is the name of the load balancer
name = var.network_name
default_service = module.gce-lb-https.backend_services["default"].self_link
host_rule {
hosts = ["*"]
path_matcher = "allpaths"
}
path_matcher {
name = "allpaths"
default_service = module.gce-lb-https.backend_services["default"].self_link
path_rule {
paths = [
"/group1",
"/group1/*"
]
service = module.gce-lb-https.backend_services["mig1"].self_link
}
path_rule {
paths = [
"/group2",
"/group2/*"
]
service = module.gce-lb-https.backend_services["mig2"].self_link
}
path_rule {
paths = [
"/group3",
"/group3/*"
]
service = module.gce-lb-https.backend_services["mig3"].self_link
}
path_rule {
paths = [
"/assets",
"/assets/*"
]
service = google_compute_backend_bucket.assets.self_link
}
}
}
resource "google_compute_backend_bucket" "assets" {
name = random_id.assets-bucket.hex
description = "Contains static resources for example app"
bucket_name = google_storage_bucket.assets.name
enable_cdn = true
}
resource "google_storage_bucket" "assets" {
name = random_id.assets-bucket.hex
location = "US"
// delete bucket and contents on destroy.
force_destroy = true
}
// The image object in Cloud Storage.
// Note that the path in the bucket matches the paths in the url map path rule above.
resource "google_storage_bucket_object" "image" {
name = "assets/gcp-logo.svg"
content = file("gcp-logo.svg")
content_type = "image/svg+xml"
bucket = google_storage_bucket.assets.name
}
// Make object public readable.
resource "google_storage_object_acl" "image-acl" {
bucket = google_storage_bucket.assets.name
object = google_storage_bucket_object.image.name
predefined_acl = "publicRead"
}
具有 Cloud Run 后端的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 Cloud Run 后端的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 Cloud Run 服务、自签名 SSL 证书、设置 HTTP 到 HTTPs 重定向的网址映射、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/cloudrun
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
module "lb-http" {
source = "terraform-google-modules/lb-http/google//modules/serverless_negs"
version = "~> 10.0"
name = var.lb_name
project = var.project_id
ssl = var.ssl
managed_ssl_certificate_domains = [var.domain]
https_redirect = var.ssl
labels = { "example-label" = "cloud-run-example" }
backends = {
default = {
description = null
groups = [
{
group = google_compute_region_network_endpoint_group.serverless_neg.id
}
]
enable_cdn = false
iap_config = {
enable = false
}
log_config = {
enable = false
}
}
}
}
resource "google_compute_region_network_endpoint_group" "serverless_neg" {
provider = google-beta
name = "serverless-neg"
network_endpoint_type = "SERVERLESS"
region = var.region
cloud_run {
service = google_cloud_run_service.default.name
}
}
resource "google_cloud_run_service" "default" {
name = "example"
location = var.region
project = var.project_id
template {
spec {
containers {
image = "gcr.io/cloudrun/hello"
}
}
}
metadata {
annotations = {
# For valid annotation values and descriptions, see
# https://cloud.google.com/sdk/gcloud/reference/run/deploy#--ingress
"run.googleapis.com/ingress" = "all"
}
}
}
resource "google_cloud_run_service_iam_member" "public-access" {
location = google_cloud_run_service.default.location
project = google_cloud_run_service.default.project
service = google_cloud_run_service.default.name
role = "roles/run.invoker"
member = "allUsers"
}
具有 HTTP 到 HTTPS 重定向的外部应用负载均衡器
您可以使用 Terraform 模块启动具有 HTTP 到 HTTPS 重定向的外部 HTTPS 负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、自签名 SSL 证书、Cloud Router、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/https-redirect
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
module "gce-lb-http" {
source = "terraform-google-modules/lb-http/google"
version = "~> 10.0"
name = "ci-https-redirect"
project = var.project
target_tags = [var.network_name]
firewall_networks = [google_compute_network.default.name]
ssl = true
ssl_certificates = [google_compute_ssl_certificate.example.self_link]
https_redirect = true
backends = {
default = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = {
request_path = "/"
port = 80
}
log_config = {
enable = false
}
groups = [
{
group = module.mig.instance_group
}
]
iap_config = {
enable = false
}
}
}
}
使用共享 VPC 的外部应用负载均衡器
您可以使用 Terraform 模块启动共享 VPC 设置中的外部应用负载均衡器。
此模块创建多个 Terraform 资源,包括 VPC 网络和子网、Cloud Router、所有必要的负载均衡器组件以及后端实例组。如需了解详情,请下载或克隆代码库,并在 /terraform-google-lb-http/examples/shared-vpc
目录中运行 terraform plan
命令。
如需详细了解此示例以及如何运行此示例,请参阅 GitHub 中的 README。
module "gce-lb-http" {
source = "terraform-google-modules/lb-http/google"
version = "~> 10.0"
name = "group-http-lb"
project = var.service_project
target_tags = ["allow-shared-vpc-mig"]
firewall_projects = [var.host_project]
firewall_networks = [var.network]
backends = {
default = {
protocol = "HTTP"
port = 80
port_name = "http"
timeout_sec = 10
enable_cdn = false
health_check = {
request_path = "/"
port = 80
}
log_config = {
enable = true
sample_rate = 1.0
}
groups = [
{
group = module.mig.instance_group
}
]
iap_config = {
enable = false
}
}
}
}