Add support for Regional L7 XLB. (#5531) (#10738)

Signed-off-by: Modular Magician <[email protected]>

Author: modular-magician

.changelog/5531.txt

@@ -0,0 +1,3 @@
+```release-note:enhancement
+compute: added support for regional external HTTP(S) load balancer
+```

google/resource_compute_region_backend_service.go

@@ -566,10 +566,10 @@ or serverless NEG as a backend.`,
 				Type:         schema.TypeString,
 				Optional:     true,
 				ForceNew:     true,
-				ValidateFunc: validation.StringInSlice([]string{"EXTERNAL", "INTERNAL", "INTERNAL_MANAGED", ""}, false),
+				ValidateFunc: validation.StringInSlice([]string{"EXTERNAL", "EXTERNAL_MANAGED", "INTERNAL", "INTERNAL_MANAGED", ""}, false),
 				Description: `Indicates what kind of load balancing this regional backend service
 will be used for. A backend service created for one type of load
-balancing cannot be used with the other(s). Default value: "INTERNAL" Possible values: ["EXTERNAL", "INTERNAL", "INTERNAL_MANAGED"]`,
+balancing cannot be used with the other(s). Default value: "INTERNAL" Possible values: ["EXTERNAL", "EXTERNAL_MANAGED", "INTERNAL", "INTERNAL_MANAGED"]`,
 				Default: "INTERNAL",
 			},
 			"locality_lb_policy": {
@@ -796,7 +796,7 @@ runtime value should be 1900. Defaults to 1900.`,
 				Optional: true,
 				Description: `A named port on a backend instance group representing the port for
 communication to the backend VMs in that group. Required when the
-loadBalancingScheme is EXTERNAL, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED
+loadBalancingScheme is EXTERNAL, EXTERNAL_MANAGED, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED
 and the backends are instance groups. The named port must be defined on each
 backend instance group. This parameter has no meaning if the backends are NEGs. API sets a
 default of "http" if not given.
@@ -3581,7 +3581,7 @@ func resourceComputeRegionBackendServiceEncoder(d *schema.ResourceData, meta int
 		obj["iap"] = iap
 	}
 
-	if d.Get("load_balancing_scheme").(string) == "INTERNAL_MANAGED" {
+	if d.Get("load_balancing_scheme").(string) == "EXTERNAL_MANAGED" || d.Get("load_balancing_scheme").(string) == "INTERNAL_MANAGED" {
 		return obj, nil
 	}
 

google/resource_compute_subnetwork.go

@@ -1157,8 +1157,8 @@ func expandComputeSubnetworkLogConfig(v interface{}, d TerraformResourceData, co
 	if len(l) == 0 || l[0] == nil {
 		purpose, ok := d.GetOkExists("purpose")
 
-		if ok && purpose.(string) == "INTERNAL_HTTPS_LOAD_BALANCER" {
-			// Subnetworks for L7ILB do not accept any values for logConfig
+		if ok && (purpose.(string) == "REGIONAL_MANAGED_PROXY" || purpose.(string) == "INTERNAL_HTTPS_LOAD_BALANCER") {
+			// Subnetworks for regional L7 ILB/XLB do not accept any values for logConfig
 			return nil, nil
 		}
 		// send enable = false to ensure logging is disabled if there is no config

website/docs/r/compute_forwarding_rule.html.markdown

@@ -802,6 +802,212 @@ resource "google_compute_subnetwork" "proxy" {
   role          = "ACTIVE"
 }
 ```
+<div class = "oics-button" style="float: right; margin: 0 0 -15px">
+  <a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.jpy.wang%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=forwarding_rule_regional_http_xlb&cloudshell_image=gcr.io%2Fgraphite-cloud-shell-images%2Fterraform%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
+    <img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
+  </a>
+</div>
+## Example Usage - Forwarding Rule Regional Http Xlb
+
+
+```hcl
+// Forwarding rule for Regional External Load Balancing
+resource "google_compute_forwarding_rule" "default" {
+  provider = google-beta
+  depends_on = [google_compute_subnetwork.proxy]
+  name   = "website-forwarding-rule"
+  region = "us-central1"
+
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+  port_range            = "80"
+  target                = google_compute_region_target_http_proxy.default.id
+  network               = google_compute_network.default.id
+  ip_address            = google_compute_address.default.id
+  network_tier          = "STANDARD"
+}
+
+resource "google_compute_region_target_http_proxy" "default" {
+  provider = google-beta
+
+  region  = "us-central1"
+  name    = "website-proxy"
+  url_map = google_compute_region_url_map.default.id
+}
+
+resource "google_compute_region_url_map" "default" {
+  provider = google-beta
+
+  region          = "us-central1"
+  name            = "website-map"
+  default_service = google_compute_region_backend_service.default.id
+}
+
+resource "google_compute_region_backend_service" "default" {
+  provider = google-beta
+
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+
+  backend {
+    group = google_compute_region_instance_group_manager.rigm.instance_group
+    balancing_mode = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
+
+  region      = "us-central1"
+  name        = "website-backend"
+  protocol    = "HTTP"
+  timeout_sec = 10
+
+  health_checks = [google_compute_region_health_check.default.id]
+}
+
+data "google_compute_image" "debian_image" {
+  provider = google-beta
+  family   = "debian-9"
+  project  = "debian-cloud"
+}
+
+resource "google_compute_region_instance_group_manager" "rigm" {
+  provider = google-beta
+  region   = "us-central1"
+  name     = "website-rigm"
+  version {
+    instance_template = google_compute_instance_template.instance_template.id
+    name              = "primary"
+  }
+  base_instance_name = "internal-glb"
+  target_size        = 1
+}
+
+resource "google_compute_instance_template" "instance_template" {
+  provider     = google-beta
+  name         = "template-website-backend"
+  machine_type = "e2-medium"
+
+  network_interface {
+    network = google_compute_network.default.id
+    subnetwork = google_compute_subnetwork.default.id
+  }
+
+  disk {
+    source_image = data.google_compute_image.debian_image.self_link
+    auto_delete  = true
+    boot         = true
+  }
+
+  tags = ["allow-ssh", "load-balanced-backend"]
+}
+
+resource "google_compute_region_health_check" "default" {
+  depends_on = [google_compute_firewall.fw4]
+  provider = google-beta
+
+  region = "us-central1"
+  name   = "website-hc"
+  http_health_check {
+    port_specification = "USE_SERVING_PORT"
+  }
+}
+
+resource "google_compute_address" "default" {
+  name = "website-ip-1"
+  provider = google-beta
+  region = "us-central1"
+  network_tier = "STANDARD"
+}
+
+resource "google_compute_firewall" "fw1" {
+  provider = google-beta
+  name = "website-fw-1"
+  network = google_compute_network.default.id
+  source_ranges = ["10.1.2.0/24"]
+  allow {
+    protocol = "tcp"
+  }
+  allow {
+    protocol = "udp"
+  }
+  allow {
+    protocol = "icmp"
+  }
+  direction = "INGRESS"
+}
+
+resource "google_compute_firewall" "fw2" {
+  depends_on = [google_compute_firewall.fw1]
+  provider = google-beta
+  name = "website-fw-2"
+  network = google_compute_network.default.id
+  source_ranges = ["0.0.0.0/0"]
+  allow {
+    protocol = "tcp"
+    ports = ["22"]
+  }
+  target_tags = ["allow-ssh"]
+  direction = "INGRESS"
+}
+
+resource "google_compute_firewall" "fw3" {
+  depends_on = [google_compute_firewall.fw2]
+  provider = google-beta
+  name = "website-fw-3"
+  network = google_compute_network.default.id
+  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
+  allow {
+    protocol = "tcp"
+  }
+  target_tags = ["load-balanced-backend"]
+  direction = "INGRESS"
+}
+
+resource "google_compute_firewall" "fw4" {
+  depends_on = [google_compute_firewall.fw3]
+  provider = google-beta
+  name = "website-fw-4"
+  network = google_compute_network.default.id
+  source_ranges = ["10.129.0.0/26"]
+  target_tags = ["load-balanced-backend"]
+  allow {
+    protocol = "tcp"
+    ports = ["80"]
+  }
+  allow {
+    protocol = "tcp"
+    ports = ["443"]
+  }
+  allow {
+    protocol = "tcp"
+    ports = ["8000"]
+  }
+  direction = "INGRESS"
+}
+
+resource "google_compute_network" "default" {
+  provider = google-beta
+  name                    = "website-net"
+  auto_create_subnetworks = false
+  routing_mode = "REGIONAL"
+}
+
+resource "google_compute_subnetwork" "default" {
+  provider = google-beta
+  name          = "website-net-default"
+  ip_cidr_range = "10.1.2.0/24"
+  region        = "us-central1"
+  network       = google_compute_network.default.id
+}
+
+resource "google_compute_subnetwork" "proxy" {
+  provider = google-beta
+  name          = "website-net-proxy"
+  ip_cidr_range = "10.129.0.0/26"
+  region        = "us-central1"
+  network       = google_compute_network.default.id
+  purpose       = "REGIONAL_MANAGED_PROXY"
+  role          = "ACTIVE"
+}
+```
 
 ## Argument Reference
 
@@ -867,14 +1073,15 @@ The following arguments are supported:
 * `load_balancing_scheme` -
   (Optional)
   This signifies what the ForwardingRule will be used for and can be
-  EXTERNAL, INTERNAL, or INTERNAL_MANAGED. EXTERNAL is used for Classic
+  EXTERNAL, EXTERNAL_MANAGED, INTERNAL, or INTERNAL_MANAGED. EXTERNAL is used for Classic
   Cloud VPN gateways, protocol forwarding to VMs from an external IP address,
   and HTTP(S), SSL Proxy, TCP Proxy, and Network TCP/UDP load balancers.
   INTERNAL is used for protocol forwarding to VMs from an internal IP address,
   and internal TCP/UDP load balancers.
+  EXTERNAL_MANAGED is used for regional external HTTP(S) load balancers.
   INTERNAL_MANAGED is used for internal HTTP(S) load balancers.
   Default value is `EXTERNAL`.
-  Possible values are `EXTERNAL`, `INTERNAL`, and `INTERNAL_MANAGED`.
+  Possible values are `EXTERNAL`, `EXTERNAL_MANAGED`, `INTERNAL`, and `INTERNAL_MANAGED`.
 
 * `network` -
   (Optional)

website/docs/r/compute_region_backend_service.html.markdown

@@ -410,7 +410,7 @@ The following arguments are supported:
   will be used for. A backend service created for one type of load
   balancing cannot be used with the other(s).
   Default value is `INTERNAL`.
-  Possible values are `EXTERNAL`, `INTERNAL`, and `INTERNAL_MANAGED`.
+  Possible values are `EXTERNAL`, `EXTERNAL_MANAGED`, `INTERNAL`, and `INTERNAL_MANAGED`.
 
 * `locality_lb_policy` -
   (Optional)
@@ -449,7 +449,7 @@ The following arguments are supported:
   (Optional)
   A named port on a backend instance group representing the port for
   communication to the backend VMs in that group. Required when the
-  loadBalancingScheme is EXTERNAL, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED
+  loadBalancingScheme is EXTERNAL, EXTERNAL_MANAGED, INTERNAL_MANAGED, or INTERNAL_SELF_MANAGED
   and the backends are instance groups. The named port must be defined on each
   backend instance group. This parameter has no meaning if the backends are NEGs. API sets a
   default of "http" if not given.

website/docs/r/os_config_os_policy_assignment.html.markdown

@@ -703,24 +703,6 @@ The `disruption_budget` block supports:
   (Optional)
   Specifies the relative value defined as a percentage, which will be multiplied by a reference value.
 
-The `source` block supports:
-    
-* `allow_insecure` -
-  (Optional)
-  Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
-    
-* `gcs` -
-  (Optional)
-  A Cloud Storage object.
-    
-* `local_path` -
-  (Optional)
-  A local path within the VM to use.
-    
-* `remote` -
-  (Optional)
-  A generic remote file.
-    
 - - -
 
 * `description` -
@@ -970,6 +952,24 @@ The `zypper` block supports:
   (Required)
   Required. A one word, unique name for this repository. This is the `repo id` in the zypper config file and also the `display_name` if `display_name` is omitted. This id is also used as the unique identifier when checking for GuestPolicy conflicts.
 
+The `file` block supports:
+    
+* `allow_insecure` -
+  (Optional)
+  Defaults to false. When false, files are subject to validations based on the file type: Remote: A checksum must be specified. Cloud Storage: An object generation number must be specified.
+    
+* `gcs` -
+  (Optional)
+  A Cloud Storage object.
+    
+* `local_path` -
+  (Optional)
+  A local path within the VM to use.
+    
+* `remote` -
+  (Optional)
+  A generic remote file.
+    
 The `gcs` block supports:
 
 * `bucket` -