Create firewall rule for backend port if distinct from HC port

[petomalina]

I am using this module with Istio where ingress has a health endpoint on :15021/healthz/ready while listening on :8080: for traffic.

Since the health check is targetting the first endpoint, it does not create a firewall rule for the traffic endpoint.

This is the rule I am creating manually at the moment:

data "google_compute_lb_ip_ranges" "ip_ranges" {}

resource "google_compute_firewall" "lb-http-ingress" {
  name = "global-ingress-0"

  project = var.xpn_project_id
  network = var.xpn_network_id

  source_ranges = concat(
    data.google_compute_lb_ip_ranges.ip_ranges.network,
    data.google_compute_lb_ip_ranges.ip_ranges.http_ssl_tcp_internal,
  )

  target_tags = [
    "lb-target"
  ]

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }
}

It would make sense for this module to support such a scenario natively.

[morgante]

Can you provide an example of the module configuration you're using?

[petomalina]

@morgante I am sharing my config. I redacted some values that I found unnecessary for this case. Let me know if there's something specific you are missing.

moodule "lb-http" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "5.1.1"

  project           = var.project_id
  name              = var.lb_name
  create_address    = false
  address           = data.google_compute_global_address.global-public-ip.address
  target_tags = [
    "lb-target"
  ]

  # custom url map
  url_map = google_compute_url_map.sandcastle-global-urlmap.self_link
  create_url_map = false

  backends = {
    default = merge(var.default_backend_params, {
      description = "istio global public LB"
      protocol    = "HTTP"
      port_name   = "http"
      port        = 8080 // <- this is ingress port
      timeout_sec = 30

      health_check = {
        request_path        = "/healthz/ready"
        host                = null
        port                = 15021 // <- this is the ingress health port
        healthy_threshold   = 1
        unhealthy_threshold = 3
        check_interval_sec  = 7
        timeout_sec         = 5
        logging             = true
      }

      groups = [
        merge(var.default_group_params, {
          group       = "https://www.googleapis.com/compute/v1/projects/${var.project_id}/zones/${var.gke_zones[0]}/networkEndpointGroups/istio-ingress-neg"
          description = "NEG zonal backend"
        })
      ]
    })
  }
}

[morgante]

Thank you, this makes sense to support. We should add an additional firewall rule like the existing one which adds rules for any backends which have a different health check port.

I will include this in our backlog, but we would also be happy to review a pull request if you're able to get to it sooner.