A regional network endpoint group (NEG) whose endpoints can be serverless products (Cloud Run, Cloud Functions, App Engine), Private Service Connect targets, or external (internet) backends reached by IP:port or FQDN:port.
Recreating a regional network endpoint group that is still referenced by another resource (for example a backend service) fails with a
resourceInUseByAnotherResource
error. Set lifecycle.create_before_destroy
on the NEG so the replacement is created before the old one is removed.
To get more information about RegionNetworkEndpointGroup, see:
// Cloud Functions Example
resource "google_compute_region_network_endpoint_group" "function_neg" {
  # Serverless NEG whose single endpoint is the Cloud Function declared
  # below. It is meant to be referenced from a load-balancer backend
  # service (not shown on this page).
  region                = "us-central1"
  network_endpoint_type = "SERVERLESS"
  name                  = "function-neg"

  cloud_function {
    function = google_cloudfunctions_function.function_neg.name
  }
}
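// HTTP-triggered Cloud Function that backs the serverless NEG above.
resource "google_cloudfunctions_function" "function_neg" {
  name        = "function-neg"
  description = "My function"

  // NOTE(review): nodejs10 is a deprecated Cloud Functions runtime that no
  // longer receives security updates; use a currently supported Node.js
  // runtime before deploying this anywhere but a throwaway demo.
  runtime             = "nodejs10"
  available_memory_mb = 128

  source_archive_bucket = google_storage_bucket.bucket.name
  source_archive_object = google_storage_bucket_object.archive.name
  trigger_http          = true
  timeout               = 60
  entry_point           = "helloGET"

  // Accept HTTP traffic only from the load balancer or from inside the VPC.
  // Without this the function also stays reachable on its public
  // cloudfunctions.net URL, which bypasses any Cloud Armor policy, IAP or
  // logging configured on the load balancer in front of the NEG.
  ingress_settings = "ALLOW_INTERNAL_AND_GCLB"

  // NOTE(review): the load balancer does not add an identity token, so the
  // function presumably also needs an invoker IAM binding that permits the
  // load balancer's requests (not shown here) — confirm before relying on it.
}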
# Bucket that holds the zipped function source.
resource "google_storage_bucket" "bucket" {
  location = "US"
  name     = "cloudfunctions-function-example-bucket"
}
# Uploads the local source archive into the bucket above; the function
# resource references both the bucket and this object name.
resource "google_storage_bucket_object" "archive" {
  bucket = google_storage_bucket.bucket.name
  source = "path/to/index.zip"
  name   = "index.zip"
}
// Cloud Run Example
resource "google_compute_region_network_endpoint_group" "cloudrun_neg" {
  # Serverless NEG targeting the Cloud Run service declared below. The NEG
  # must live in the same region as the service.
  region                = "us-central1"
  network_endpoint_type = "SERVERLESS"
  name                  = "cloudrun-neg"

  cloud_run {
    service = google_cloud_run_service.cloudrun_neg.name
  }
}
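// Cloud Run service that backs the serverless NEG above.
resource "google_cloud_run_service" "cloudrun_neg" {
  name     = "cloudrun-neg"
  location = "us-central1"

  // Restrict ingress so the service is only reachable through the load
  // balancer (via the NEG) or from inside the VPC. Otherwise it also stays
  // open on its public run.app URL, bypassing any Cloud Armor policy, IAP or
  // logging configured on the load balancer.
  metadata {
    annotations = {
      "run.googleapis.com/ingress" = "internal-and-cloud-load-balancing"
    }
  }

  template {
    spec {
      containers {
        // Google-provided sample image; replace with your own workload.
        image = "us-docker.pkg.dev/cloudrun/container/hello"
      }
    }
  }

  // Send all traffic to whatever revision is newest.
  traffic {
    percent         = 100
    latest_revision = true
  }

  // NOTE(review): the load balancer does not attach an identity token, so the
  // service presumably also needs an invoker IAM binding that allows the
  // load balancer's requests (not shown here) — confirm before relying on it.
}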
// App Engine Example
resource "google_compute_region_network_endpoint_group" "appengine_neg" {
  # Serverless NEG pinned to one specific App Engine service + version.
  region                = "us-central1"
  network_endpoint_type = "SERVERLESS"
  name                  = "appengine-neg"

  app_engine {
    version = google_app_engine_flexible_app_version.appengine_neg.version_id
    service = google_app_engine_flexible_app_version.appengine_neg.service
  }
}
// App Engine flexible-environment version that the NEG above points at.
resource "google_app_engine_flexible_app_version" "appengine_neg" {
  version_id = "v1"
  service    = "appengine-network-endpoint-group"
  runtime    = "nodejs"

  entrypoint {
    shell = "node ./app.js"
  }

  // Source is pulled from the bucket/object declared below.
  deployment {
    zip {
      source_url = "https://storage.googleapis.com/${google_storage_bucket.appengine_neg.name}/${google_storage_bucket_object.appengine_neg.name}"
    }
  }

  liveness_check {
    path = "/"
  }

  readiness_check {
    path = "/"
  }

  // NOTE(review): the app is expected to listen on this port — confirm
  // app.js actually reads it.
  env_variables = {
    port = "8080"
  }

  handlers {
    // NOTE(review): `\\/*` matches zero or more trailing slashes, not
    // "anything under /my-path"; if sub-paths are meant to be covered the
    // pattern needs a trailing `.*`.
    url_regex = ".*\\/my-path\\/*"
    // Force HTTPS and require a signed-in user; failed auth redirects to
    // the login page instead of returning 403.
    security_level   = "SECURE_ALWAYS"
    login            = "LOGIN_REQUIRED"
    auth_fail_action = "AUTH_FAIL_ACTION_REDIRECT"

    static_files {
      path              = "my-other-path"
      upload_path_regex = ".*\\/my-path\\/*"
    }
  }

  automatic_scaling {
    cool_down_period = "120s"
    cpu_utilization {
      target_utilization = 0.5
    }
  }

  // Destroying this version also deletes the whole App Engine service —
  // fine for a demo, destructive for a shared service.
  delete_service_on_destroy = true
}
# Bucket that stores the App Engine deployment archive.
resource "google_storage_bucket" "appengine_neg" {
  location = "US"
  name     = "appengine-neg"
}
# Deployment archive referenced by the flexible app version's source_url.
resource "google_storage_bucket_object" "appengine_neg" {
  bucket = google_storage_bucket.appengine_neg.name
  source = "./test-fixtures/hello-world.zip"
  name   = "hello-world.zip"
}
// App Engine Example
// Serverless NEG for App Engine with no service/version pinned.
// NOTE(review): with an empty app_engine block the target is left to the
// API's default resolution — confirm which App Engine service actually
// receives traffic before using this shape in production.
resource "google_compute_region_network_endpoint_group" "appengine_neg" {
  name                  = "appengine-neg"
  network_endpoint_type = "SERVERLESS"
  region                = "us-central1"
  app_engine {
  }
}
// Private Service Connect NEG whose target is a regional Google API
// (Cloud KMS in asia-northeast3) rather than a producer service attachment.
// No network/subnetwork is set, so the NEG lands in the project's
// "default" network; set `network` explicitly if that VPC is not the one
// your clients use.
resource "google_compute_region_network_endpoint_group" "psc_neg" {
  name                  = "psc-neg"
  region                = "asia-northeast3"
  network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
  psc_target_service    = "asia-northeast3-cloudkms.googleapis.com"
}
# VPC shared by the PSC producer and consumer resources below.
resource "google_compute_network" "default" {
  name = "psc-network"
}
# Regular subnet that hosts the internal forwarding rule and the consumer
# PSC NEG.
resource "google_compute_subnetwork" "default" {
  network       = google_compute_network.default.id
  region        = "europe-west4"
  ip_cidr_range = "10.0.0.0/16"
  name          = "psc-subnetwork"
}
# Dedicated NAT subnet for Private Service Connect; consumer connections
# are source-NATed to addresses from this range.
resource "google_compute_subnetwork" "psc_subnetwork" {
  network       = google_compute_network.default.id
  purpose       = "PRIVATE_SERVICE_CONNECT"
  region        = "europe-west4"
  ip_cidr_range = "10.1.0.0/16"
  name          = "psc-subnetwork-nat"
}
// TCP health check on port 80 for the producer backend service.
// NOTE(review): a 1s interval with a 1s timeout is very aggressive for
// anything but a demo — expect flapping on a real backend.
resource "google_compute_health_check" "default" {
  name               = "psc-healthcheck"
  check_interval_sec = 1
  timeout_sec        = 1
  tcp_health_check {
    port = "80"
  }
}
// Producer-side regional backend service. No backend groups are attached
// here; it only exists so the forwarding rule below has something to point
// at in this example.
resource "google_compute_region_backend_service" "default" {
  name          = "psc-backend"
  region        = "europe-west4"
  health_checks = [google_compute_health_check.default.id]
}
// Internal forwarding rule that the service attachment publishes to PSC
// consumers.
resource "google_compute_forwarding_rule" "default" {
  name                  = "psc-forwarding-rule"
  region                = "europe-west4"
  load_balancing_scheme = "INTERNAL"
  backend_service       = google_compute_region_backend_service.default.id
  // all_ports = true forwards every TCP/UDP port, and PSC consumers inherit
  // that: anything the backend listens on becomes reachable. Narrow this to
  // `ports` if the producer only serves a known set of ports.
  all_ports  = true
  network    = google_compute_network.default.name
  subnetwork = google_compute_subnetwork.default.name
}
// Producer-side PSC service attachment exposing the forwarding rule above.
resource "google_compute_service_attachment" "default" {
  name        = "psc-service-attachment"
  region      = "europe-west4"
  description = "A service attachment configured with Terraform"
  // Without PROXY protocol the backend only sees NAT-subnet addresses, not
  // the consumer's original source IP.
  enable_proxy_protocol = false
  // NOTE(review): ACCEPT_AUTOMATIC lets any consumer project that knows this
  // attachment's URI connect. For a real service prefer ACCEPT_MANUAL with a
  // consumer_accept_lists allow-list of consumer projects.
  connection_preference = "ACCEPT_AUTOMATIC"
  nat_subnets           = [google_compute_subnetwork.psc_subnetwork.self_link]
  target_service        = google_compute_forwarding_rule.default.self_link
}
# Consumer-side PSC NEG pointing at the producer service attachment above.
# network/subnetwork pin the VPC the PSC endpoint is created in.
resource "google_compute_region_network_endpoint_group" "psc_neg_service_attachment" {
  region                = "europe-west4"
  network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
  name                  = "psc-neg"

  psc_target_service = google_compute_service_attachment.default.self_link
  subnetwork         = google_compute_subnetwork.default.self_link
  network            = google_compute_network.default.self_link
}
// Regional internet NEG addressed by IP:port. The endpoints themselves are
// added separately (not shown); `network` is required for INTERNET NEGs.
// Remember that the external backend receives traffic from Google's proxy
// ranges, so it should authenticate requests rather than trust source IPs.
resource "google_compute_region_network_endpoint_group" "region_network_endpoint_group_internet_ip_port" {
  name                  = "ip-port-neg"
  region                = "us-central1"
  network               = google_compute_network.default.id
  network_endpoint_type = "INTERNET_IP_PORT"
}
# VPC the internet NEG above is associated with.
resource "google_compute_network" "default" {
  name = "network"
}
// Regional internet NEG addressed by FQDN:port; the hostname is resolved
// through DNS at connection time, so the DNS zone that answers for it is
// part of your trust boundary. Endpoints are added separately (not shown).
resource "google_compute_region_network_endpoint_group" "region_network_endpoint_group_internet_fqdn_port" {
  name                  = "ip-port-neg"
  region                = "us-central1"
  network               = google_compute_network.default.id
  network_endpoint_type = "INTERNET_FQDN_PORT"
}
# VPC the FQDN internet NEG above is associated with.
resource "google_compute_network" "default" {
  name = "network"
}
The following arguments are supported:
name
-
(Required)
Name of the resource; provided by the client when the resource is
created. The name must be 1-63 characters long, and comply with
RFC1035. Specifically, the name must be 1-63 characters long and match
the regular expression [a-z]([-a-z0-9]*[a-z0-9])?
which means the
first character must be a lowercase letter, and all following
characters must be a dash, lowercase letter, or digit, except the last
character, which cannot be a dash.
region
-
(Required)
A reference to the region where the regional NEGs reside.
description
-
(Optional)
An optional description of this resource. Provide this property when
you create the resource.
network_endpoint_type
-
(Optional)
Type of network endpoints in this network endpoint group. Default value is SERVERLESS
.
Possible values are: SERVERLESS
, PRIVATE_SERVICE_CONNECT
, INTERNET_IP_PORT
, INTERNET_FQDN_PORT
.
psc_target_service
-
(Optional)
This field is only used for PSC and INTERNET NEGs.
The target service url used to set up private service connection to
a Google API or a PSC Producer Service Attachment.
network
-
(Optional)
This field is only used for PSC and INTERNET NEGs.
The URL of the network to which all network endpoints in the NEG belong. Uses the
project's "default" network if unspecified; for PSC NEGs set it explicitly so the endpoint is created in the intended VPC.
subnetwork
-
(Optional)
This field is only used for PSC NEGs.
Optional URL of the subnetwork to which all network endpoints in the NEG belong.
cloud_run
-
(Optional)
This field is only used for SERVERLESS NEGs.
Only one of cloud_run, app_engine, cloud_function or serverless_deployment may be set.
Structure is documented below.
app_engine
-
(Optional)
This field is only used for SERVERLESS NEGs.
Only one of cloud_run, app_engine, cloud_function or serverless_deployment may be set.
Structure is documented below.
cloud_function
-
(Optional)
This field is only used for SERVERLESS NEGs.
Only one of cloud_run, app_engine, cloud_function or serverless_deployment may be set.
Structure is documented below.
serverless_deployment
-
(Optional, Beta)
This field is only used for SERVERLESS NEGs.
Only one of cloud_run, app_engine, cloud_function or serverless_deployment may be set.
Structure is documented below.
project
- (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
The cloud_run
block supports:
service
-
(Optional)
Cloud Run service is the main resource of Cloud Run.
The service must be 1-63 characters long, and comply with RFC1035.
Example value: "run-service".
tag
-
(Optional)
Cloud Run tag represents the "named-revision" to provide
additional fine-grained traffic routing information.
The tag must be 1-63 characters long, and comply with RFC1035.
Example value: "revision-0010".
url_mask
-
(Optional)
A template to parse service and tag fields from a request URL.
URL mask allows for routing to multiple Run services without having
to create multiple network endpoint groups and backend services.
For example, request URLs "foo1.domain.com/bar1" and "foo1.domain.com/bar2"
can be backed by the same Serverless Network Endpoint Group (NEG) with
URL mask "<tag>.domain.com/<service>". The URL mask will parse them to { service="bar1", tag="foo1" }
and { service="bar2", tag="foo1" } respectively.
The app_engine
block supports:
service
-
(Optional)
Optional serving service.
The service name must be 1-63 characters long, and comply with RFC1035.
Example value: "default", "my-service".
version
-
(Optional)
Optional serving version.
The version must be 1-63 characters long, and comply with RFC1035.
Example value: "v1", "v2".
url_mask
-
(Optional)
A template to parse service and version fields from a request URL.
URL mask allows for routing to multiple App Engine services without
having to create multiple Network Endpoint Groups and backend services.
For example, the request URLs "foo1-dot-appname.appspot.com/v1" and
"foo1-dot-appname.appspot.com/v2" can be backed by the same Serverless NEG with
URL mask "<service>-dot-appname.appspot.com/<version>". The URL mask will parse
them to { service = "foo1", version = "v1" } and { service = "foo1", version = "v2" } respectively.
The cloud_function
block supports:
function
-
(Optional)
A user-defined name of the Cloud Function.
The function name is case-sensitive and must be 1-63 characters long.
Example value: "func1".
url_mask
-
(Optional)
A template to parse the function field from a request URL. URL mask allows
for routing to multiple Cloud Functions without having to create
multiple Network Endpoint Groups and backend services.
For example, request URLs "mydomain.com/function1" and "mydomain.com/function2"
can be backed by the same Serverless NEG with URL mask "/<function>". The URL mask
will parse them to { function = "function1" } and { function = "function2" } respectively.
The serverless_deployment
block supports:
platform
-
(Required)
The platform of the NEG backend target(s). Possible values:
API Gateway: apigateway.googleapis.com
resource
-
(Optional)
The user-defined name of the workload/instance. This value must be provided explicitly or via the url_mask.
The resource identified by this value is platform-specific and is as follows: API Gateway: The gateway ID, App Engine: The service name,
Cloud Functions: The function name, Cloud Run: The service name
version
-
(Optional)
The optional resource version. The version identified by this value is platform-specific and is as follows:
API Gateway: Unused, App Engine: The service version, Cloud Functions: Unused, Cloud Run: The service tag
url_mask
-
(Optional)
A template to parse platform-specific fields from a request URL. URL mask allows for routing to multiple resources
on the same serverless platform without having to create multiple Network Endpoint Groups and backend resources.
The fields parsed by this template are platform-specific and are as follows: API Gateway: The gateway ID,
App Engine: The service and version, Cloud Functions: The function name, Cloud Run: The service and tag
In addition to the arguments listed above, the following computed attributes are exported:
id
- an identifier for the resource with format projects/{{project}}/regions/{{region}}/networkEndpointGroups/{{name}}
self_link
- The URI of the created resource.
This resource provides the following Timeouts configuration options:
create
- Default is 20 minutes.
delete
- Default is 20 minutes.
RegionNetworkEndpointGroup can be imported using any of these accepted formats:
projects/{{project}}/regions/{{region}}/networkEndpointGroups/{{name}}
{{project}}/{{region}}/{{name}}
{{region}}/{{name}}
{{name}}
In Terraform v1.5.0 and later, use an import
block to import RegionNetworkEndpointGroup using one of the formats above. For example:
import {
id = "projects/{{project}}/regions/{{region}}/networkEndpointGroups/{{name}}"
to = google_compute_region_network_endpoint_group.default
}
When using the terraform import
command, RegionNetworkEndpointGroup can be imported using one of the formats above. For example:
$ terraform import google_compute_region_network_endpoint_group.default projects/{{project}}/regions/{{region}}/networkEndpointGroups/{{name}}
$ terraform import google_compute_region_network_endpoint_group.default {{project}}/{{region}}/{{name}}
$ terraform import google_compute_region_network_endpoint_group.default {{region}}/{{name}}
$ terraform import google_compute_region_network_endpoint_group.default {{name}}
This resource supports User Project Overrides.