Allow passing custom options to backend config in Load Balancer
@av603, @si202 and I were working on the UFS infrastructure today. In summary, and for reasons we don't need to get into here, we want to configure mTLS at the load balancer end. Since that config can't be passed through to the backend, we had to roll our own Load Balancer.
It's likely that a few HR apps will need to configure mTLS in future and so it'd be nice if this module supported that.
To support mTLS, it is only required that the module pass through the `security_policy` and `server_tls_policy` settings to the load balancer backend configuration. However, a more general solution would be to allow all the appropriate values in the `backends` variable to be overridden.
So, for example, we could add a new variable called `load_balancer_backend` which allows overriding the values it makes sense to override. It might have the following definition:
```hcl
variable "load_balancer_backend" {
  default = {}
  type = object({
    port_name                       = optional(string)
    description                     = optional(string)
    enable_cdn                      = optional(bool)
    compression_mode                = optional(string)
    security_policy                 = optional(string, null)
    edge_security_policy            = optional(string, null)
    custom_request_headers          = optional(list(string))
    custom_response_headers         = optional(list(string))
    connection_draining_timeout_sec = optional(number)
    session_affinity                = optional(string)
    affinity_cookie_ttl_sec         = optional(number)
    locality_lb_policy              = optional(string)
    # Must be optional too, otherwise the empty default above is rejected
    # because a required attribute would be missing.
    log_config = optional(object({
      enable      = optional(bool)
      sample_rate = optional(number)
    }))
    cdn_policy = optional(object({
      cache_mode                   = optional(string)
      signed_url_cache_max_age_sec = optional(string)
      default_ttl                  = optional(number)
      max_ttl                      = optional(number)
      client_ttl                   = optional(number)
      negative_caching             = optional(bool)
      negative_caching_policy = optional(object({
        code = optional(number)
        ttl  = optional(number)
      }))
      serve_while_stale = optional(number)
      cache_key_policy = optional(object({
        include_host           = optional(bool)
        include_protocol       = optional(bool)
        include_query_string   = optional(bool)
        query_string_blacklist = optional(list(string))
        query_string_whitelist = optional(list(string))
        include_http_headers   = optional(list(string))
        include_named_cookies  = optional(list(string))
      }))
      bypass_cache_on_request_headers = optional(list(string))
    }))
    outlier_detection = optional(object({
      base_ejection_time = optional(object({
        seconds = number
        nanos   = optional(number)
      }))
      consecutive_errors                    = optional(number)
      consecutive_gateway_failure           = optional(number)
      enforcing_consecutive_errors          = optional(number)
      enforcing_consecutive_gateway_failure = optional(number)
      enforcing_success_rate                = optional(number)
      interval = optional(object({
        seconds = number
        nanos   = optional(number)
      }))
      max_ejection_percent        = optional(number)
      success_rate_minimum_hosts  = optional(number)
      success_rate_request_volume = optional(number)
      success_rate_stdev_factor   = optional(number)
    }))
  })
}
```
Note that this omits the `project`, `protocol`, `groups` and `iap_config` options, which need to be controlled by this module or are otherwise not appropriate to customise.
The module would then pass the values through to the load balancer module.
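One way the module could do that pass-through, as an added sketch rather than code from this module or the upstream load balancer module: caller-supplied values override the module's defaults, while the keys the module must own are applied last so a caller cannot replace them. `var.project_id`, `var.backend_groups`, the default values and the module sources are assumptions.

```hcl
# Added illustration, not the module's own code. Names such as var.project_id,
# var.backend_groups and the module sources are assumptions.
locals {
  # Values applied when the caller overrides nothing.
  default_backend = {
    port_name   = "http"
    description = "Managed by this module"
    enable_cdn  = false
    log_config  = { enable = true, sample_rate = 1.0 }
  }

  # merge() gives precedence to later arguments: the caller's non-null
  # overrides beat the defaults, and the module-controlled keys beat the caller.
  # Optional attributes the caller leaves unset are null, so they are filtered
  # out rather than wiping a default.
  backend = merge(
    local.default_backend,
    { for k, v in var.load_balancer_backend : k => v if v != null },
    {
      project    = var.project_id
      protocol   = "HTTPS"
      groups     = var.backend_groups
      iap_config = { enable = false }
    }
  )
}

module "load_balancer" {
  source = "..." # upstream load balancer module (placeholder)

  backends = {
    default = local.backend
  }
}

# A caller enabling the setting from this issue; every other key keeps the
# module default. The security policy resource name is an assumption.
module "ufs_app" {
  source = "..." # this module (placeholder)

  load_balancer_backend = {
    security_policy = google_compute_security_policy.ufs.id
  }
}
```

Because the module-controlled map is the last `merge` argument, a caller who sets `project` or `iap_config` in `load_balancer_backend` has no effect on the resulting backend.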
This would allow for the original customisation of `security_policy` and `server_tls_policy`, but also allow for richer Load Balancer configuration moving forward.