feat: add support for backend bucket to modules/backend (#511)

Author: q2w

examples/external-lb-backend-bucket/gcp-logo.svg

@@ -0,0 +1,54 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+module "lb-frontend" {
+  source  = "terraform-google-modules/lb-http/google//modules/frontend"
+  version = "~> 12.0"
+
+  project_id    = var.project_id
+  name          = "global-lb-fe-bucket"
+  url_map_input = module.lb-backend.backend_service_info
+}
+
+module "lb-backend" {
+  source  = "terraform-google-modules/lb-http/google//modules/backend"
+  version = "~> 12.0"
+
+  project_id          = var.project_id
+  name                = "global-lb-be-bucket"
+  backend_bucket_name = module.gcs.name
+  enable_cdn          = true
+}
+
+module "gcs" {
+  source  = "terraform-google-modules/cloud-storage/google//modules/simple_bucket"
+  version = "~> 10.0"
+
+  project_id    = var.project_id
+  location      = "us-central1"
+  name          = "gcs-bucket"
+  force_destroy = true
+  iam_members   = [{ member = "allUsers", role = "roles/storage.objectViewer" }]
+}
+
+// The image object in Cloud Storage.
+// Note that the path in the bucket matches the paths in the url map path rule above.
+resource "google_storage_bucket_object" "image" {
+  name         = "assets/gcp-logo.svg"
+  content      = file("./gcp-logo.svg")
+  content_type = "image/svg+xml"
+  bucket       = module.gcs.name
+}

examples/external-lb-backend-bucket/main.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+output "load-balancer-ip" {
+  value = module.lb-frontend.external_ip
+}

examples/external-lb-backend-bucket/outputs.tf

@@ -0,0 +1,19 @@
+/**
+ * Copyright 2025 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+variable "project_id" {
+  type = string
+}

examples/external-lb-backend-bucket/variables.tf

@@ -52,6 +52,8 @@ spec:
         location: examples/cross-project-mig-backend
       - name: dynamic-backend
         location: examples/dynamic-backend
+      - name: external-lb-backend-bucket
+        location: examples/external-lb-backend-bucket
       - name: gke-node-port
         location: examples/https-gke/gke-node-port
       - name: https-gke

metadata.yaml

@@ -7,6 +7,7 @@ This module creates `google_compute_backend_service` resource and its dependenci
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | affinity\_cookie\_ttl\_sec | Lifetime of cookies in seconds if session\_affinity is GENERATED\_COOKIE. | `number` | `null` | no |
+| backend\_bucket\_name | The name of GCS bucket which serves the traffic. | `string` | `""` | no |
 | cdn\_policy | Cloud CDN configuration for this BackendService. | <pre>object({<br>    cache_mode                      = optional(string)<br>    signed_url_cache_max_age_sec    = optional(string)<br>    default_ttl                     = optional(number)<br>    max_ttl                         = optional(number)<br>    client_ttl                      = optional(number)<br>    negative_caching                = optional(bool)<br>    serve_while_stale               = optional(number)<br>    bypass_cache_on_request_headers = optional(list(string))<br>    negative_caching_policy = optional(object({<br>      code = optional(number)<br>      ttl  = optional(number)<br>    }))<br>    cache_key_policy = optional(object({<br>      include_host           = optional(bool)<br>      include_protocol       = optional(bool)<br>      include_query_string   = optional(bool)<br>      query_string_blacklist = optional(list(string))<br>      query_string_whitelist = optional(list(string))<br>      include_http_headers   = optional(list(string))<br>      include_named_cookies  = optional(list(string))<br>    }))<br>  })</pre> | `{}` | no |
 | compression\_mode | Compress text responses using Brotli or gzip compression. | `string` | `"DISABLED"` | no |
 | connection\_draining\_timeout\_sec | Time for which instance will be drained (not accept new connections, but still work to finish started). | `number` | `null` | no |

modules/backend/README.md

@@ -14,8 +14,13 @@
  * limitations under the License.
  */
 
+locals {
+  is_backend_bucket = var.backend_bucket_name != null && var.backend_bucket_name != ""
+}
+
 resource "google_compute_backend_service" "default" {
   provider = google-beta
+  count    = !local.is_backend_bucket ? 1 : 0
 
   project = var.project_id
   name    = var.name
@@ -310,3 +315,52 @@ resource "google_compute_firewall" "allow_proxy" {
     protocol = "tcp"
   }
 }
+
+resource "google_compute_backend_bucket" "default" {
+  provider = google-beta
+  count    = local.is_backend_bucket ? 1 : 0
+
+  project     = var.project_id
+  name        = var.name
+  bucket_name = var.backend_bucket_name
+  enable_cdn  = var.enable_cdn
+
+  description = var.description
+
+  # CDN policy configuration, if CDN is enabled
+  dynamic "cdn_policy" {
+    for_each = var.enable_cdn ? [1] : []
+    content {
+      cache_mode                   = var.cdn_policy.cache_mode
+      signed_url_cache_max_age_sec = var.cdn_policy.signed_url_cache_max_age_sec
+      default_ttl                  = var.cdn_policy.default_ttl
+      max_ttl                      = var.cdn_policy.max_ttl
+      client_ttl                   = var.cdn_policy.client_ttl
+      negative_caching             = var.cdn_policy.negative_caching
+      serve_while_stale            = var.cdn_policy.serve_while_stale
+
+      dynamic "negative_caching_policy" {
+        for_each = var.cdn_policy.negative_caching_policy != null ? [1] : []
+        content {
+          code = var.cdn_policy.negative_caching_policy.code
+          ttl  = var.cdn_policy.negative_caching_policy.ttl
+        }
+      }
+
+      dynamic "cache_key_policy" {
+        for_each = var.cdn_policy.cache_key_policy != null ? [1] : []
+        content {
+          query_string_whitelist = var.cdn_policy.cache_key_policy.query_string_whitelist
+          include_http_headers   = var.cdn_policy.cache_key_policy.include_http_headers
+        }
+      }
+
+      dynamic "bypass_cache_on_request_headers" {
+        for_each = var.cdn_policy.bypass_cache_on_request_headers != null && try(length(var.cdn_policy.bypass_cache_on_request_headers), 0) > 0 ? toset(var.cdn_policy.bypass_cache_on_request_headers) : []
+        content {
+          header_name = bypass_cache_on_request_headers.value
+        }
+      }
+    }
+  }
+}