Name: Global External HTTPS Load Balancer
Brand: IaC Bazaar
Price: 299.00 USD
Availability: InStock

gcp-http-load-balancer

Global external HTTPS Application Load Balancer — GCP's most confusing surface (7+ interlocking resources) wired correctly in one module: static anycast IP, Google-managed TLS certificates, URL-map host/path routing to instance-group or NEG backends, optional Cloud CDN and Cloud Armor, plus an HTTP→HTTPS redirect listener. Works with Terraform and OpenTofu (>= 1.6), Google provider >= 7.0, < 8.0.

Secure defaults:

Modern EXTERNAL_MANAGED load-balancing scheme
SSL policy with MODERN profile and TLS 1.2 minimum
HTTPS-only: port 80 serves a 301 redirect (toggleable)
Cloud Armor attachment per backend when the policy is enabled
Backend request logging on (sample rate 1.0)

Usage

module "lb" {
  source = "./gcp-http-load-balancer"

  project_id      = "my-project"
  name            = "web"
  domains         = ["www.example.com"]
  default_backend = "app"

  backends = {
    app = {
      groups       = [{ group = google_compute_instance_group_manager.app.instance_group }]
      health_check = { port = 8080, request_path = "/healthz" }
    }
    api = {
      # Serverless NEG (Cloud Run): no health check, no timeout
      groups       = [{ group = google_compute_region_network_endpoint_group.run.id }]
      health_check = null
    }
  }

  host_rules = {
    api = {
      hosts           = ["api.example.com"]
      default_backend = "api"
    }
  }
}

Inputs

Name	Type	Default	Description
`project_id`	string	—	Host project (required)
`name`	string	—	Resource name prefix (required)
`backends`	map(object)	—	Backend services: groups, protocol, CDN, health check (required)
`default_backend`	string	—	Backend key for unmatched traffic (required)
`create_ip_address`	bool	`true`	Reserve a static global IP
`ip_address`	string	`null`	Existing IP when not creating one
`domains`	list(string)	`[]`	Domains for the managed certificate
`ssl_certificates`	list(string)	`[]`	Existing cert self links
`ssl_policy_profile`	string	`MODERN`	`COMPATIBLE`/`MODERN`/`RESTRICTED`
`min_tls_version`	string	`TLS_1_2`	Minimum TLS version
`enable_quic`	bool	`false`	QUIC/HTTP3
`enable_http_redirect`	bool	`true`	Port-80 301 redirect
`host_rules`	map(object)	`{}`	Host/path routing rules
`create_security_policy`	bool	`false`	Create Cloud Armor policy
`security_policy_rules`	map(object)	`{}`	Armor rules (CEL expression or src_ip_ranges)
`security_policy_default_action`	string	`allow`	Catch-all rule action
`labels`	map(string)	`{}`	Labels on address + forwarding rules

Outputs

ip_address, url_map_self_link, backend_service_self_links, managed_certificate_self_link, https_proxy_self_link, ssl_policy_self_link, security_policy_self_link, https_forwarding_rule, http_forwarding_rule.

Notes

Managed certificates stay in PROVISIONING until the domain's A/AAAA record points at the LB IP; budget up to ~30 minutes after DNS is correct. The cert name embeds a hash of the domain set, so changing domains replaces it via create-before-destroy without downtime.
Serverless NEGs (Cloud Run / App Engine / Cloud Functions): set health_check = null and leave timeout_sec unset — the platform manages both.
At least one of domains or ssl_certificates is required (plan-time check).
Instance-group backends default to UTILIZATION balancing; override per group with balancing_mode / max_rate_per_instance etc.

Requirements

Terraform or OpenTofu >= 1.6
hashicorp/google >= 7.0, < 8.0
API: compute.googleapis.com

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

Global External HTTPS Load Balancer

Verification

Conformance

Provenance

Functional

Documentation

gcp-http-load-balancer

Usage

Inputs

Outputs

Notes

Requirements

Verification

License