Move to for_each + revamp interface/functionality #57
Conversation
There was a problem hiding this comment.
Other than a few nits, I personally agree with most the interface changes except the health checks. It does make things more readable IMO. I'll let one of the other contributers weigh in as well since this would be a breaking change, but I'd suggest you go ahead and uncomment the TODOs and re-push and we can continue the discussion.
|
Overall I think the new interface seems reasonable and would be happy to look at a full PR. |
|
Cool, i'll fix the nits raised and give you both a shout when its ready. re: health checks. health_check = {
check_interval_sec = 5
timeout_sec = 5
healthy_threshold = 1
unhealthy_threshold = 3
port = 443
request_path = "/healthz"
host = "localhost"
} |
|
@Dev25 I think in general to adhere to a dependency injection pattern and for maintainability of the module, it makes more sense to allow the user to pass in a |
|
For whats its worth i do see value in this module creating basic health checks internally rather then forcing all users to create them outside. Easier to get started with this module and it's unlikely most users would want very specialised checks e.g. response body checking/setting a proxy header where your right we would probably just want to pass a Given GCP health checks have already migrated from Perhaps meet in the middle and do both? Define a basic set of params allowed (thresholds + path + port + host) but also allow users to provide a Regarding fixing the tests etc, i assume we want to wait for PR #58 to be merged in first and then i can update this/get CI tests passing? |
There was a problem hiding this comment.
I definitely see your point about wanting to make the health checks simpler for users but my concern is that this adds much more complexity to the module which could be more difficult to maintain especially with the new interface for compute_health_check. Every module needs examples where we can show users how to do this. Personally I don't think it's unreasonable to expect users to create their own health checks. For example:
resource "google_compute_health_check" "http2" {
name = "https-health-check"
http2_health_check {
port = "443"
request_path = "/health"
}
}
module "lb_http" {
...
backends = {
"default" = {
protocol = "HTTP2"
port_name = "https"
timeout_sec = 60
enable_cdn = false
health_check = google_compute_https_health_check.http2.self_link
}
}
...
}
IMO, the health check piece seems unnecessarily complex to add this logic into the module itself. For the same reason we don't create a VPC, etc. in the terraform-google-vm or this module even though a VPC resource is expected to exist and be passed in by the user. I know this module currently allows the user to create health checks, but if we're massively changing the interface anyway, I think it's a good time to remove this explicit dependency to adhere better to separation of concerns. I'm happy to be overruled by @morgante or @aaron-lane if they disagree though.
|
I understand the complexity involved, but I'm in favor of keeping health checks embedded inside the module for now. We might remove it in the future, but for now I want to minimize breaking changes. |
|
|
||
| locals { | ||
| address = var.create_address ? join("", google_compute_global_address.default.*.address) : var.address | ||
| url_map = var.create_url_map ? join("", google_compute_url_map.default.*.self_link) : var.url_map |
There was a problem hiding this comment.
FYI the join is a workaround from hashicorp/terraform#16726 (comment) otherwise users will get errors whenever they try to import a resource into their tfstate (any resource, happened to me for GKE node pools)
Error: Invalid index
on .terraform/modules/lb_http/main.tf line 22, in locals:
22: address = compact(concat([var.address], google_compute_global_address.default.*.address), )[0]
|----------------
| google_compute_global_address.default is empty tuple
| var.address is null
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/lb_http/main.tf line 23, in locals:
23: url_map = compact(concat([var.url_map], google_compute_url_map.default.*.self_link), )[0]
|----------------
| google_compute_url_map.default is empty tuple
| var.url_map is null
The given key does not identify an element in this collection value.
Error: Invalid index
on .terraform/modules/gke/modules/beta-private-cluster/main.tf line 37, in locals:
37: region = var.region == null ? join("-", slice(split("-", var.zones[0]), 0, 2)) : var.region
|----------------
| var.zones is empty list of string
The given key does not identify an element in this collection value.
|
Took a while but CI tests pass, PTAL @morgante @onetwopunch will do a CHANGELOG now. |
|
Thanks for your patience! Unfortunately right now it's challenging to allow public access to Cloud Build logs unfortunately. |
|
Updated with latest master, one thing i noticed is the README/ Looks like it doesn't play nice with the backends object map I've managed to get it to run by temporarily setting the |
|
@aaron-lane and @morgante I added an PR for an upgrade guide for upgrading from 2.0 using the multi-mig example. #68. @Dev25 this upgrade process was not trivial due to the interdependence of
the url_map is not updated first with the new backend. So when creating, the url_map is dependent on the backend existing, but when migrating, the backend is dependent on url_map. Meaning you will have to update the url_map's default_service manually then re-apply. I'm not sure how to get around this, but if you have ideas, please let me know. To verify this, try the following: |
|
The interconnected nature of a global LB definately complicates things here in a single module, prior/outside of this module for complex LBs (multiple backends + IPs) i have a module dedicated just for backends, another for front end (binding a url map to forwarding rules) and then manage the URLMap on its own. Maybe this module could be broken down into sub modules to promote that style? I find it easier to keep backends separate and then wire them together, especially when dealing with multiple domains/forwarding rules (max 15 certs per IP atm) fronting the same backends. Regarding upgrading from 2->3, i didn't have to do the upgrade myself but if you had to do it in place did you consider manually removing the old state, creating the new backends/HC via Definitely not the most straight forward upgrade process, especially with having to manually remove resources outside of terraform, but would at least be graceful. |
|
Can' t wait to use this 👍 |
|
PR has been updated with latest master. |
|
What's holding this off? |
|
🎉 |
This PR consists of multiple new features + moving to for_each and is something that i've been using in production for managing complex LBs (effecitvely a multi gke cluster ingress with multiple backends + specific routing)
Do we agree on the new interface? Once there is a consensus i can look at updating examples/fixing TODOs etc
Changes:
max_connections_per_endpoint+max_rate_per_endpointssl_policyto be set for restricting TLS ciphers/protocols on frontendBelow is an example of usage, for better readability with lots of backends i merge a default null map for group backend params
Fixes #59.