diff --git a/load_balancer.tf b/load_balancer.tf index 8092e96639f8e12e17b32937ab3b00a7f44960ce..5faa9663441c69a17884897fea0ed568867e6d57 100644 --- a/load_balancer.tf +++ b/load_balancer.tf @@ -1,9 +1,9 @@ # load_balancer.tf configures Cloud Load Balancer resources for the Cloud Run -# service if var.ingress_style == "load-balancer". +# service if var.use_load_balancer == true. # A network endpoint group for the "webapp" application. resource "google_compute_region_network_endpoint_group" "webapp" { - count = var.ingress_style == "load-balancer" ? 1 : 0 + count = var.use_load_balancer ? 1 : 0 name = var.name network_endpoint_type = "SERVERLESS" @@ -16,7 +16,7 @@ resource "google_compute_region_network_endpoint_group" "webapp" { } resource "google_compute_ssl_policy" "default" { - count = var.ingress_style == "load-balancer" && var.ssl_policy == null ? 1 : 0 + count = var.use_load_balancer && var.ssl_policy == null ? 1 : 0 name = "${var.name}-modern" profile = "MODERN" @@ -28,7 +28,7 @@ resource "google_compute_ssl_policy" "default" { # # [1] https://registry.terraform.io/modules/GoogleCloudPlatform/lb-http/google/latest/submodules/serverless_negs module "webapp_http_load_balancer" { - count = var.ingress_style == "load-balancer" ? 1 : 0 + count = var.use_load_balancer ? 1 : 0 # The double slash is important(!) source = "GoogleCloudPlatform/lb-http/google//modules/serverless_negs" @@ -43,7 +43,7 @@ module "webapp_http_load_balancer" { # Use custom TLS certs if var.use_ssl_certificates is true, otherwise, use the Google-managed certs. use_ssl_certificates = var.use_ssl_certificates ssl_certificates = var.ssl_certificates - managed_ssl_certificate_domains = local.dns_names + managed_ssl_certificate_domains = var.dns_names ssl_policy = var.ssl_policy == null ? google_compute_ssl_policy.default[0].id : var.ssl_policy # Whether to create an IPv6 address to the load balancer. 
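Review bot: In the last hunk `managed_ssl_certificate_domains = var.dns_names` is now fed straight from a variable whose default is `[]`, and since `use_load_balancer` defaults to true, a caller who sets nothing (and leaves `use_ssl_certificates` false) asks the serverless_negs module for a Google-managed certificate with no SANs; how that upstream module reacts is not visible here, but at best it is an apply-time failure and at worst an HTTPS frontend without a valid certificate. A `module` block cannot carry `lifecycle`, so the simplest plan-time guard is a precondition (Terraform 1.2+) on the NEG resource in the first hunk, which exists exactly when the load balancer does. That also gives the module a single place to state the contract that `dns_names` is mandatory unless custom certificates are supplied. The NEG resource block continues past the first hunk.
```hcl
resource "google_compute_region_network_endpoint_group" "webapp" {
  count = var.use_load_balancer ? 1 : 0

  # Google-managed certificates need at least one SAN; fail at plan time
  # rather than handing the load balancer module an empty domain list.
  lifecycle {
    precondition {
      condition     = var.use_ssl_certificates || length(var.dns_names) > 0
      error_message = "use_load_balancer requires a non-empty dns_names (for managed certificates) or use_ssl_certificates with ssl_certificates."
    }
  }
  # … unchanged: name, network_endpoint_type and the rest of the resource …
```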
diff --git a/locals.tf b/locals.tf
index 3ca469d0bfc3da460523931c1dc3195a17b9a106..5aec9f1d8d76268d1274be17c45807dd209c25cc 100644
--- a/locals.tf
+++ b/locals.tf
@@ -4,48 +4,15 @@ locals { # Project containing existing Cloud SQL instance. sql_instance_project = coalesce(var.sql_instance_project, var.project) - # Should a DNS domain mapping be created? - domain_mapping_present = anytrue([for dm in google_cloud_run_domain_mapping.webapp : true]) - - # DNS names for web app - dns_names = var.dns_name != "" ? [var.dns_name] : var.dns_names - - # DNS records for webapp. Merge records from any domain mappings or load balancers. - dns_records = flatten(concat( - [ - for domain_mapping in google_cloud_run_domain_mapping.webapp : [ - { - type = domain_mapping.status[0].resource_records[0].type - rrdata = domain_mapping.status[0].resource_records[0].rrdata - } - ] - ], - [ - for load_balancer in module.webapp_http_load_balancer : [ - { - type = "A" - rrdata = load_balancer.external_ip - }, - { - type = "AAAA" - rrdata = load_balancer.external_ipv6_address - } - ] - ] - )) - pre_deploy_job_image_name = var.pre_deploy_job_image_name == null ? var.image_name : var.pre_deploy_job_image_name pre_deploy_job_environment_variables = var.pre_deploy_job_environment_variables == null ? var.environment_variables : var.pre_deploy_job_environment_variables - # Certain ingress styles imply that we disallow external access to the base Cloud Run service. - webapp_allowed_ingress = lookup({ - load-balancer = "internal-and-cloud-load-balancing" - }, var.ingress_style, var.allowed_ingress) + webapp_allowed_ingress = var.use_load_balancer ? "internal-and-cloud-load-balancing" : var.allowed_ingress # Whether we should monitor the custom domain - only possible if there are a dns names # set and unauthenticated invocation is enabled. 
- can_monitor_custom_dns = length(local.dns_names) > 0 && var.allow_unauthenticated_invocations + can_monitor_custom_dns = length(var.dns_names) > 0 && var.allow_unauthenticated_invocations # Holds which VPC connector can be used for the auth proxy Cloud Function egress settings auth_proxy_egress_connector = var.enable_static_egress_ip ? google_vpc_access_connector.static-ip-connector[0].id : var.auth_proxy_egress_connector @@ -61,7 +28,7 @@ locals { }, }, local.can_monitor_custom_dns ? { - for dns_name in local.dns_names : + for dns_name in var.dns_names : (dns_name) => { host = dns_name enable_auth_proxy = local.webapp_allowed_ingress == "internal", diff --git a/main.tf b/main.tf index 59b03c5b85cb33b3de3820ad0e5c23f296dade54..f54296f277dd410c1a6a8a2f70a11986f37a232b 100644 --- a/main.tf +++ b/main.tf @@ -220,27 +220,6 @@ resource "google_cloud_run_service_iam_member" "webapp_all_users_invoker" { member = "allUsers" } -# Domain mapping for default web-application. Only present if the domain is -# verified. We use the custom DNS name of the webapp if provided but otherwise -# the webapp is hosted at [SERVICE NAME].[PROJECT DNS ZONE]. We can't create -# the domain mapping if the domain is *not* verified because Google won't let -# us. -resource "google_cloud_run_domain_mapping" "webapp" { - for_each = toset(var.ingress_style == "domain-mapping" ? local.dns_names : []) - - location = var.cloud_run_region - name = each.key - - metadata { - # For managed Cloud Run, the namespace *must* be the project name. - namespace = var.project - } - - spec { - route_name = google_cloud_run_service.webapp.name - } -} - module "uptime_monitoring" { for_each = local.monitor_hosts diff --git a/outputs.tf b/outputs.tf index 30279816fc485375e946fe2f62ac3599cb7aee5e..2b5771001e565a7873704f40938f8526dd95bc92 100644 --- a/outputs.tf +++ b/outputs.tf 
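Review bot: `can_monitor_custom_dns` still keys only on `length(var.dns_names) > 0`, but after this change the sole consumer of `dns_names` is the load balancer module, so with `use_load_balancer = false` the entries in `monitor_hosts` would create uptime checks for hostnames that nothing in this module serves (the domain mapping that used to back them is deleted in main.tf). Gate the local on the flag: `can_monitor_custom_dns = var.use_load_balancer && length(var.dns_names) > 0 && var.allow_unauthenticated_invocations`, and amend the comment above it to say the names are only monitored when they are served via the load balancer. The `locals` block continues outside the hunk.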
@@ -15,38 +15,6 @@ output "load_balancer" { value = module.webapp_http_load_balancer } -output "domain_mapping_present" { - description = "Flag indicating if a domain mapping is present for the webapp" - value = local.domain_mapping_present -} - -output "domain_mapping_resource_record" { - value = try(local.dns_records[0], {}) - description = <<EOI - Deprecated. Use dns_resource_records output instead. - - Resource record for DNS hostnames. If a domain mapping or load balancing is configured - the following keys will be set: type and rrdata. If no mapping is configured, the - map will be empty. - EOI -} - -output "dns_resource_records" { - value = local.dns_records - description = <<EOI - List of DNS records for web application. Each element is an object with "type" and "rrdata" - keys. - EOI -} - -output "domain_mapping_dns_name" { - description = <<EOI -DNS name (minus trailing dot) of webapp. Will be blank if no DNS name -configured. -EOI - value = var.dns_name -} - output "static_egress_ip" { description = <<EOI The static egress IP assigned to this cloud run instance. Only populated diff --git a/variables.tf b/variables.tf index a6a4cdca5f2890c69bbcdd984e616b2a497cc008..43b5645c3267e1f853a1960c0cf3f52b597240ab 100644 --- a/variables.tf +++ b/variables.tf 
@@ -164,48 +164,19 @@ EOI default = true } -variable "ingress_style" { - type = string - default = "domain-mapping" - description = "Whether to configure a load balancer or create a domain mapping" - validation { - condition = contains(["domain-mapping", "load-balancer"], var.ingress_style) - error_message = "Ingress style must be one of 'domain-mapping' or 'load-balancer'." - } -} - -variable "dns_name" { - default = "" - type = string - description = <<EOI - Deprecated: use the dns_names variable instead. - - If non-empty, var.dns_names will be ignored. - - If non-empty, a domain mapping will be created for the webapp from this host - to point to the webapp or a load balancer will be created for this host depending - on the value of the ingress_style variable. - - The domain must first have been verified by Google and the account being used by - the google provider must have been added as an owner. - - If and only if a domain mapping has been created, the - "domain_mapping_present" output will be true. - - If a domain mapping or load balancer has been created, the "dns_resource_records" - output contains the appropriate DNS records. - EOI +variable "use_load_balancer" { + type = bool + default = true + description = "Whether to configure a load balancer or use the default run.app generated hostname." } variable "dns_names" { type = list(any) default = [] description = <<EOI - List of DNS names for web application. Note that no records are created, - the records to be created can be found in the dns_resource_records output. - - Ignored if var.dns_name is non-empty. - EOI +List of DNS names for the web application. Note that DNS records are _NOT_ created. The DNS entries in this list are +used in the load balancer module to ensure the SSL certificate is generate with the required SANs. +EOI } variable "use_ssl_certificates" { 
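Review bot: `dns_names` keeps `type = list(any)` although its only remaining use is `managed_ssl_certificate_domains`, which takes hostnames; `type = list(string)` would reject a stray number or object at plan time rather than inside the upstream module. The new description should also state that the list is ignored unless `use_load_balancer` is true and must be non-empty whenever `use_ssl_certificates` is false, which with the new default of `use_load_balancer = true` is the common path (and "generate" should read "generated"). The `use_load_balancer` description is likewise the place to say that enabling it forces the Cloud Run service ingress to `internal-and-cloud-load-balancing` regardless of `allowed_ingress`, because flipping this default changes the service's exposure and a caller reading the flag should see that next to it.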
@@ -224,7 +195,7 @@ variable "ssl_certificates" { description = <<EOI A list of self-links to any custom TLS certificates to add to the load balancer. - Requires that var.ingress_style be "load-balancer". The self-link is available as + Requires that var.use_load_balancer be "true". The self-link is available as the "self_link" attribute of "google_compute_ssl_certificate" resources. EOI } @@ -330,16 +301,12 @@ variable "allowed_ingress" { default = "all" type = string description = <<EOL - Specify the allowed ingress to the service. Should be one of: - "all", "internal" or "internal-and-cloud-load-balancing". - - If var.ingress_style == "load-balancer", the provided var.allowed_ingress will be ignored - and the allowed ingress will be set automatically to "internal-and-cloud-load-balancing". +Specify the allowed ingress to the service. Should be one of: +"all", "internal" or "internal-and-cloud-load-balancing". - Setting this to a value other than "all" implies that the service will be - moved to the "beta" launch stage. See - https://cloud.google.com/run/docs/troubleshooting#launch-stage-validation. - EOL +If var.use_load_balancer == true, the provided var.allowed_ingress will be ignored +and the allowed ingress will be set automatically to "internal-and-cloud-load-balancing". +EOL } variable "service_annotations" {
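Review bot: `allowed_ingress` is now the only caller-controlled ingress setting (it applies whenever `use_load_balancer` is false), yet unlike the deleted `ingress_style` variable it has no `validation` block, so a misspelt value such as `"internal-only"` is only rejected by the Cloud Run API at apply time. A validation mirroring the three values the description already lists closes that gap at plan time. Separately, the removed paragraph about non-`"all"` values moving the service to the "beta" launch stage was a behavioural caveat rather than something this commit changes; if it still applies it should be carried into the new description. The variable block is complete within the hunk.
```hcl
variable "allowed_ingress" {
  default = "all"
  type    = string
  # … unchanged: description …
  validation {
    condition     = contains(["all", "internal", "internal-and-cloud-load-balancing"], var.allowed_ingress)
    error_message = "allowed_ingress must be one of \"all\", \"internal\" or \"internal-and-cloud-load-balancing\"."
  }
}
```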