Google Git
Sign in
third-party-mirror / terraform-provider-google-beta / 7018e2f3f116fdacfd66c03551fbf0c3db62170a / . / v5.18.0 / website / docs / r / compute_backend_service.html.markdown
blob: ecab112800ae010860a660e0170ab1e4cfe04c82 [file] [log] [blame]
---
# ----------------------------------------------------------------------------
#
# *** AUTO GENERATED CODE *** Type: MMv1 ***
#
# ----------------------------------------------------------------------------
#
# This file is automatically generated by Magic Modules and manual
# changes will be clobbered when the file is regenerated.
#
# Please read more about how to change this file in
# .github/CONTRIBUTING.md.
#
# ----------------------------------------------------------------------------
subcategory: "Compute Engine"
description: |-
A Backend Service defines a group of virtual machines that will serve
traffic for load balancing.
---
# google\_compute\_backend\_service
A Backend Service defines a group of virtual machines that will serve
traffic for load balancing. This resource is a global backend service,
appropriate for external load balancing or self-managed internal load balancing.
For managed internal load balancing, use a regional backend service instead.
Currently self-managed internal load balancing is only available in beta.
To get more information about BackendService, see:
* [API documentation](https://cloud.google.com/compute/docs/reference/v1/backendServices)
* How-to Guides
* [Official Documentation](https://cloud.google.com/compute/docs/load-balancing/http/backend-service)
~> **Warning:** All arguments including the following potentially sensitive
values will be stored in the raw state as plain text: `iap.oauth2_client_secret`, `iap.oauth2_client_secret_sha256`.
[Read more about sensitive data in state](https://www.terraform.io/language/state/sensitive-data).
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_basic&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Basic
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
health_checks = [google_compute_http_health_check.default.id]
}
resource "google_compute_http_health_check" "default" {
name = "health-check"
request_path = "/"
check_interval_sec = 1
timeout_sec = 1
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_external_iap&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service External Iap
```hcl
resource "google_compute_backend_service" "default" {
name = "tf-test-backend-service-external"
protocol = "HTTP"
load_balancing_scheme = "EXTERNAL"
iap {
oauth2_client_id = "abc"
oauth2_client_secret = "xyz"
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_cache_simple&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Cache Simple
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
health_checks = [google_compute_http_health_check.default.id]
enable_cdn = true
cdn_policy {
signed_url_cache_max_age_sec = 7200
}
}
resource "google_compute_http_health_check" "default" {
name = "health-check"
request_path = "/"
check_interval_sec = 1
timeout_sec = 1
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_cache_include_http_headers&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Cache Include Http Headers
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
enable_cdn = true
cdn_policy {
cache_mode = "USE_ORIGIN_HEADERS"
cache_key_policy {
include_host = true
include_protocol = true
include_query_string = true
include_http_headers = ["X-My-Header-Field"]
}
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_cache_include_named_cookies&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Cache Include Named Cookies
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
enable_cdn = true
cdn_policy {
cache_mode = "CACHE_ALL_STATIC"
default_ttl = 3600
client_ttl = 7200
max_ttl = 10800
cache_key_policy {
include_host = true
include_protocol = true
include_query_string = true
include_named_cookies = ["__next_preview_data", "__prerender_bypass"]
}
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_cache&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Cache
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
health_checks = [google_compute_http_health_check.default.id]
enable_cdn = true
cdn_policy {
cache_mode = "CACHE_ALL_STATIC"
default_ttl = 3600
client_ttl = 7200
max_ttl = 10800
negative_caching = true
signed_url_cache_max_age_sec = 7200
}
}
resource "google_compute_http_health_check" "default" {
name = "health-check"
request_path = "/"
check_interval_sec = 1
timeout_sec = 1
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_cache_bypass_cache_on_request_headers&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Cache Bypass Cache On Request Headers
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
health_checks = [google_compute_http_health_check.default.id]
enable_cdn = true
cdn_policy {
cache_mode = "CACHE_ALL_STATIC"
default_ttl = 3600
client_ttl = 7200
max_ttl = 10800
negative_caching = true
signed_url_cache_max_age_sec = 7200
bypass_cache_on_request_headers {
header_name = "Authorization"
}
bypass_cache_on_request_headers {
header_name = "Proxy-Authorization"
}
}
}
resource "google_compute_http_health_check" "default" {
name = "health-check"
request_path = "/"
check_interval_sec = 1
timeout_sec = 1
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_traffic_director_round_robin&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Traffic Director Round Robin
```hcl
resource "google_compute_backend_service" "default" {
provider = google-beta
name = "backend-service"
health_checks = [google_compute_health_check.health_check.id]
load_balancing_scheme = "INTERNAL_SELF_MANAGED"
locality_lb_policy = "ROUND_ROBIN"
}
resource "google_compute_health_check" "health_check" {
provider = google-beta
name = "health-check"
http_health_check {
port = 80
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_traffic_director_ring_hash&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Traffic Director Ring Hash
```hcl
resource "google_compute_backend_service" "default" {
provider = google-beta
name = "backend-service"
health_checks = [google_compute_health_check.health_check.id]
load_balancing_scheme = "INTERNAL_SELF_MANAGED"
locality_lb_policy = "RING_HASH"
session_affinity = "HTTP_COOKIE"
circuit_breakers {
max_connections = 10
}
consistent_hash {
http_cookie {
ttl {
seconds = 11
nanos = 1111
}
name = "mycookie"
}
}
outlier_detection {
consecutive_errors = 2
}
}
resource "google_compute_health_check" "health_check" {
provider = google-beta
name = "health-check"
http_health_check {
port = 80
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_network_endpoint&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service Network Endpoint
```hcl
resource "google_compute_global_network_endpoint_group" "external_proxy" {
provider = google-beta
name = "network-endpoint"
network_endpoint_type = "INTERNET_FQDN_PORT"
default_port = "443"
}
resource "google_compute_global_network_endpoint" "proxy" {
provider = google-beta
global_network_endpoint_group = google_compute_global_network_endpoint_group.external_proxy.id
fqdn = "test.example.com"
port = google_compute_global_network_endpoint_group.external_proxy.default_port
}
resource "google_compute_backend_service" "default" {
provider = google-beta
name = "backend-service"
enable_cdn = true
timeout_sec = 10
connection_draining_timeout_sec = 10
custom_request_headers = ["host: ${google_compute_global_network_endpoint.proxy.fqdn}"]
custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]
backend {
group = google_compute_global_network_endpoint_group.external_proxy.id
}
}
```
<div class = "oics-button" style="float: right; margin: 0 0 -15px">
<a href="https://console.cloud.google.com/cloudshell/open?cloudshell_git_repo=https%3A%2F%2Fgithub.com%2Fterraform-google-modules%2Fdocs-examples.git&cloudshell_working_dir=backend_service_external_managed&cloudshell_image=gcr.io%2Fcloudshell-images%2Fcloudshell%3Alatest&open_in_editor=main.tf&cloudshell_print=.%2Fmotd&cloudshell_tutorial=.%2Ftutorial.md" target="_blank">
<img alt="Open in Cloud Shell" src="//gstatic.com/cloudssh/images/open-btn.svg" style="max-height: 44px; margin: 32px auto; max-width: 100%;">
</a>
</div>
## Example Usage - Backend Service External Managed
```hcl
resource "google_compute_backend_service" "default" {
name = "backend-service"
health_checks = [google_compute_health_check.default.id]
load_balancing_scheme = "EXTERNAL_MANAGED"
}
resource "google_compute_health_check" "default" {
name = "health-check"
http_health_check {
port = 80
}
}
```
## Argument Reference
The following arguments are supported:
* `name` -
(Required)
Name of the resource. Provided by the client when the resource is
created. The name must be 1-63 characters long, and comply with
RFC1035. Specifically, the name must be 1-63 characters long and match
the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` which means the
first character must be a lowercase letter, and all following
characters must be a dash, lowercase letter, or digit, except the last
character, which cannot be a dash.
- - -
* `affinity_cookie_ttl_sec` -
(Optional)
Lifetime of cookies in seconds if session_affinity is
GENERATED_COOKIE. If set to 0, the cookie is non-persistent and lasts
only until the end of the browser session (or equivalent). The
maximum allowed value for TTL is one day.
When the load balancing scheme is INTERNAL, this field is not used.
* `backend` -
(Optional)
The set of backends that serve this BackendService.
Structure is [documented below](#nested_backend).
* `circuit_breakers` -
(Optional)
Settings controlling the volume of connections to a backend service. This field
is applicable only when the load_balancing_scheme is set to INTERNAL_SELF_MANAGED.
Structure is [documented below](#nested_circuit_breakers).
* `compression_mode` -
(Optional)
Compress text responses using Brotli or gzip compression, based on the client's Accept-Encoding header.
Possible values are: `AUTOMATIC`, `DISABLED`.
* `consistent_hash` -
(Optional)
Consistent Hash-based load balancing can be used to provide soft session
affinity based on HTTP headers, cookies or other properties. This load balancing
policy is applicable only for HTTP connections. The affinity to a particular
destination host will be lost when one or more hosts are added/removed from the
destination service. This field specifies parameters that control consistent
hashing. This field only applies if the load_balancing_scheme is set to
INTERNAL_SELF_MANAGED. This field is only applicable when locality_lb_policy is
set to MAGLEV or RING_HASH.
Structure is [documented below](#nested_consistent_hash).
* `cdn_policy` -
(Optional)
Cloud CDN configuration for this BackendService.
Structure is [documented below](#nested_cdn_policy).
* `connection_draining_timeout_sec` -
(Optional)
Time for which instance will be drained (not accept new
connections, but still work to finish started).
* `custom_request_headers` -
(Optional)
Headers that the HTTP/S load balancer should add to proxied
requests.
* `custom_response_headers` -
(Optional)
Headers that the HTTP/S load balancer should add to proxied
responses.
* `description` -
(Optional)
An optional description of this resource.
* `enable_cdn` -
(Optional)
If true, enable Cloud CDN for this BackendService.
* `health_checks` -
(Optional)
The set of URLs to the HttpHealthCheck or HttpsHealthCheck resource
for health checking this BackendService. Currently at most one health
check can be specified.
A health check must be specified unless the backend service uses an internet
or serverless NEG as a backend.
For internal load balancing, a URL to a HealthCheck resource must be specified instead.
* `iap` -
(Optional)
Settings for enabling Cloud Identity Aware Proxy
Structure is [documented below](#nested_iap).
* `load_balancing_scheme` -
(Optional)
Indicates whether the backend service will be used with internal or
external load balancing. A backend service created for one type of
load balancing cannot be used with the other. For more information, refer to
[Choosing a load balancer](https://cloud.google.com/load-balancing/docs/backend-service).
Default value is `EXTERNAL`.
Possible values are: `EXTERNAL`, `INTERNAL_SELF_MANAGED`, `INTERNAL_MANAGED`, `EXTERNAL_MANAGED`.
* `locality_lb_policy` -
(Optional)
The load balancing algorithm used within the scope of the locality.
The possible values are:
* `ROUND_ROBIN`: This is a simple policy in which each healthy backend
is selected in round robin order.
* `LEAST_REQUEST`: An O(1) algorithm which selects two random healthy
hosts and picks the host which has fewer active requests.
* `RING_HASH`: The ring/modulo hash load balancer implements consistent
hashing to backends. The algorithm has the property that the
addition/removal of a host from a set of N hosts only affects
1/N of the requests.
* `RANDOM`: The load balancer selects a random healthy host.
* `ORIGINAL_DESTINATION`: Backend host is selected based on the client
connection metadata, i.e., connections are opened
to the same address as the destination address of
the incoming connection before the connection
was redirected to the load balancer.
* `MAGLEV`: used as a drop in replacement for the ring hash load balancer.
Maglev is not as stable as ring hash but has faster table lookup
build times and host selection times. For more information about
Maglev, refer to https://ai.google/research/pubs/pub44824
* `WEIGHTED_MAGLEV`: Per-instance weighted Load Balancing via health check
reported weights. If set, the Backend Service must
configure a non legacy HTTP-based Health Check, and
health check replies are expected to contain
non-standard HTTP response header field
X-Load-Balancing-Endpoint-Weight to specify the
per-instance weights. If set, Load Balancing is weight
based on the per-instance weights reported in the last
processed health check replies, as long as every
instance either reported a valid weight or had
UNAVAILABLE_WEIGHT. Otherwise, Load Balancing remains
equal-weight.
This field is applicable to either:
* A regional backend service with the service_protocol set to HTTP, HTTPS, or HTTP2,
and loadBalancingScheme set to INTERNAL_MANAGED.
* A global backend service with the load_balancing_scheme set to INTERNAL_SELF_MANAGED.
* A regional backend service with loadBalancingScheme set to EXTERNAL (External Network
Load Balancing). Only MAGLEV and WEIGHTED_MAGLEV values are possible for External
Network Load Balancing. The default is MAGLEV.
If session_affinity is not NONE, and this field is not set to MAGLEV, WEIGHTED_MAGLEV,
or RING_HASH, session affinity settings will not take effect.
Only ROUND_ROBIN and RING_HASH are supported when the backend service is referenced
by a URL map that is bound to target gRPC proxy that has validate_for_proxyless
field set to true.
Possible values are: `ROUND_ROBIN`, `LEAST_REQUEST`, `RING_HASH`, `RANDOM`, `ORIGINAL_DESTINATION`, `MAGLEV`, `WEIGHTED_MAGLEV`.
* `locality_lb_policies` -
(Optional)
A list of locality load balancing policies to be used in order of
preference. Either the policy or the customPolicy field should be set.
Overrides any value set in the localityLbPolicy field.
localityLbPolicies is only supported when the BackendService is referenced
by a URL Map that is referenced by a target gRPC proxy that has the
validateForProxyless field set to true.
Structure is [documented below](#nested_locality_lb_policies).
* `outlier_detection` -
(Optional)
Settings controlling eviction of unhealthy hosts from the load balancing pool.
Applicable backend service types can be a global backend service with the
loadBalancingScheme set to INTERNAL_SELF_MANAGED or EXTERNAL_MANAGED.
Structure is [documented below](#nested_outlier_detection).
* `port_name` -
(Optional)
Name of backend port. The same name should appear in the instance
groups referenced by this service. Required when the load balancing
scheme is EXTERNAL.
* `protocol` -
(Optional)
The protocol this BackendService uses to communicate with backends.
The default is HTTP. **NOTE**: HTTP2 is only valid for beta HTTP/2 load balancer
types and may result in errors if used with the GA API. **NOTE**: With protocol “UNSPECIFIED”,
the backend service can be used by Layer 4 Internal Load Balancing or Network Load Balancing
with TCP/UDP/L3_DEFAULT Forwarding Rule protocol.
Possible values are: `HTTP`, `HTTPS`, `HTTP2`, `TCP`, `SSL`, `GRPC`, `UNSPECIFIED`.
* `security_policy` -
(Optional)
The security policy associated with this backend service.
* `edge_security_policy` -
(Optional)
The resource URL for the edge security policy associated with this backend service.
* `security_settings` -
(Optional)
The security settings that apply to this backend service. This field is applicable to either
a regional backend service with the service_protocol set to HTTP, HTTPS, or HTTP2, and
load_balancing_scheme set to INTERNAL_MANAGED; or a global backend service with the
load_balancing_scheme set to INTERNAL_SELF_MANAGED.
Structure is [documented below](#nested_security_settings).
* `session_affinity` -
(Optional)
Type of session affinity to use. The default is NONE. Session affinity is
not applicable if the protocol is UDP.
Possible values are: `NONE`, `CLIENT_IP`, `CLIENT_IP_PORT_PROTO`, `CLIENT_IP_PROTO`, `GENERATED_COOKIE`, `HEADER_FIELD`, `HTTP_COOKIE`.
* `timeout_sec` -
(Optional)
How many seconds to wait for the backend before considering it a
failed request. Default is 30 seconds. Valid range is [1, 86400].
* `log_config` -
(Optional)
This field denotes the logging options for the load balancer traffic served by this backend service.
If logging is enabled, logs will be exported to Stackdriver.
Structure is [documented below](#nested_log_config).
* `project` - (Optional) The ID of the project in which the resource belongs.
If it is not provided, the provider project is used.
<a name="nested_backend"></a>The `backend` block supports:
* `balancing_mode` -
(Optional)
Specifies the balancing mode for this backend.
For global HTTP(S) or TCP/SSL load balancing, the default is
UTILIZATION. Valid values are UTILIZATION, RATE (for HTTP(S))
and CONNECTION (for TCP/SSL).
See the [Backend Services Overview](https://cloud.google.com/load-balancing/docs/backend-service#balancing-mode)
for an explanation of load balancing modes.
Default value is `UTILIZATION`.
Possible values are: `UTILIZATION`, `RATE`, `CONNECTION`.
* `capacity_scaler` -
(Optional)
A multiplier applied to the group's maximum servicing capacity
(based on UTILIZATION, RATE or CONNECTION).
Default value is 1, which means the group will serve up to 100%
of its configured capacity (depending on balancingMode). A
setting of 0 means the group is completely drained, offering
0% of its available Capacity. Valid range is [0.0,1.0].
* `description` -
(Optional)
An optional description of this resource.
Provide this property when you create the resource.
* `group` -
(Required)
The fully-qualified URL of an Instance Group or Network Endpoint
Group resource. In case of instance group this defines the list
of instances that serve traffic. Member virtual machine
instances from each instance group must live in the same zone as
the instance group itself. No two backends in a backend service
are allowed to use same Instance Group resource.
For Network Endpoint Groups this defines list of endpoints. All
endpoints of Network Endpoint Group must be hosted on instances
located in the same zone as the Network Endpoint Group.
Backend services cannot mix Instance Group and
Network Endpoint Group backends.
Note that you must specify an Instance Group or Network Endpoint
Group resource using the fully-qualified URL, rather than a
partial URL.
* `max_connections` -
(Optional)
The max number of simultaneous connections for the group. Can
be used with either CONNECTION or UTILIZATION balancing modes.
For CONNECTION mode, either maxConnections or one
of maxConnectionsPerInstance or maxConnectionsPerEndpoint,
as appropriate for group type, must be set.
* `max_connections_per_instance` -
(Optional)
The max number of simultaneous connections that a single
backend instance can handle. This is used to calculate the
capacity of the group. Can be used in either CONNECTION or
UTILIZATION balancing modes.
For CONNECTION mode, either maxConnections or
maxConnectionsPerInstance must be set.
* `max_connections_per_endpoint` -
(Optional)
The max number of simultaneous connections that a single backend
network endpoint can handle. This is used to calculate the
capacity of the group. Can be used in either CONNECTION or
UTILIZATION balancing modes.
For CONNECTION mode, either
maxConnections or maxConnectionsPerEndpoint must be set.
* `max_rate` -
(Optional)
The max requests per second (RPS) of the group.
Can be used with either RATE or UTILIZATION balancing modes,
but required if RATE mode. For RATE mode, either maxRate or one
of maxRatePerInstance or maxRatePerEndpoint, as appropriate for
group type, must be set.
* `max_rate_per_instance` -
(Optional)
The max requests per second (RPS) that a single backend
instance can handle. This is used to calculate the capacity of
the group. Can be used in either balancing mode. For RATE mode,
either maxRate or maxRatePerInstance must be set.
* `max_rate_per_endpoint` -
(Optional)
The max requests per second (RPS) that a single backend network
endpoint can handle. This is used to calculate the capacity of
the group. Can be used in either balancing mode. For RATE mode,
either maxRate or maxRatePerEndpoint must be set.
* `max_utilization` -
(Optional)
Used when balancingMode is UTILIZATION. This ratio defines the
CPU utilization target for the group. Valid range is [0.0, 1.0].
<a name="nested_circuit_breakers"></a>The `circuit_breakers` block supports:
* `connect_timeout` -
(Optional, [Beta](https://terraform.io/docs/providers/google/guides/provider_versions.html))
The timeout for new network connections to hosts.
Structure is [documented below](#nested_connect_timeout).
* `max_requests_per_connection` -
(Optional)
Maximum requests for a single backend connection. This parameter
is respected by both the HTTP/1.1 and HTTP/2 implementations. If
not specified, there is no limit. Setting this parameter to 1
will effectively disable keep alive.
* `max_connections` -
(Optional)
The maximum number of connections to the backend cluster.
Defaults to 1024.
* `max_pending_requests` -
(Optional)
The maximum number of pending requests to the backend cluster.
Defaults to 1024.
* `max_requests` -
(Optional)
The maximum number of parallel requests to the backend cluster.
Defaults to 1024.
* `max_retries` -
(Optional)
The maximum number of parallel retries to the backend cluster.
Defaults to 3.
<a name="nested_connect_timeout"></a>The `connect_timeout` block supports:
* `seconds` -
(Required)
Span of time at a resolution of a second.
Must be from 0 to 315,576,000,000 inclusive.
* `nanos` -
(Optional)
Span of time that's a fraction of a second at nanosecond
resolution. Durations less than one second are represented
with a 0 seconds field and a positive nanos field. Must
be from 0 to 999,999,999 inclusive.
<a name="nested_consistent_hash"></a>The `consistent_hash` block supports:
* `http_cookie` -
(Optional)
Hash is based on HTTP Cookie. This field describes a HTTP cookie
that will be used as the hash key for the consistent hash load
balancer. If the cookie is not present, it will be generated.
This field is applicable if the sessionAffinity is set to HTTP_COOKIE.
Structure is [documented below](#nested_http_cookie).
* `http_header_name` -
(Optional)
The hash based on the value of the specified header field.
This field is applicable if the sessionAffinity is set to HEADER_FIELD.
* `minimum_ring_size` -
(Optional)
The minimum number of virtual nodes to use for the hash ring.
Larger ring sizes result in more granular load
distributions. If the number of hosts in the load balancing pool
is larger than the ring size, each host will be assigned a single
virtual node.
Defaults to 1024.
<a name="nested_http_cookie"></a>The `http_cookie` block supports:
* `ttl` -
(Optional)
Lifetime of the cookie.
Structure is [documented below](#nested_ttl).
* `name` -
(Optional)
Name of the cookie.
* `path` -
(Optional)
Path to set for the cookie.
<a name="nested_ttl"></a>The `ttl` block supports:
* `seconds` -
(Required)
Span of time at a resolution of a second.
Must be from 0 to 315,576,000,000 inclusive.
* `nanos` -
(Optional)
Span of time that's a fraction of a second at nanosecond
resolution. Durations less than one second are represented
with a 0 seconds field and a positive nanos field. Must
be from 0 to 999,999,999 inclusive.
<a name="nested_cdn_policy"></a>The `cdn_policy` block supports:
* `cache_key_policy` -
(Optional)
The CacheKeyPolicy for this CdnPolicy.
Structure is [documented below](#nested_cache_key_policy).
* `signed_url_cache_max_age_sec` -
(Optional)
Maximum number of seconds the response to a signed URL request
will be considered fresh, defaults to 1hr (3600s). After this
time period, the response will be revalidated before
being served.
When serving responses to signed URL requests, Cloud CDN will
internally behave as though all responses from this backend had a
"Cache-Control: public, max-age=[TTL]" header, regardless of any
existing Cache-Control header. The actual headers served in
responses will not be altered.
* `default_ttl` -
(Optional)
Specifies the default TTL for cached content served by this origin for responses
that do not have an existing valid TTL (max-age or s-max-age).
* `max_ttl` -
(Optional)
Specifies the maximum allowed TTL for cached content served by this origin.
* `client_ttl` -
(Optional)
Specifies the maximum allowed TTL for cached content served by this origin.
* `negative_caching` -
(Optional)
Negative caching allows per-status code TTLs to be set, in order to apply fine-grained caching for common errors or redirects.
* `negative_caching_policy` -
(Optional)
Sets a cache TTL for the specified HTTP status code. negativeCaching must be enabled to configure negativeCachingPolicy.
Omitting the policy and leaving negativeCaching enabled will use Cloud CDN's default cache TTLs.
Structure is [documented below](#nested_negative_caching_policy).
* `cache_mode` -
(Optional)
Specifies the cache setting for all responses from this backend.
The possible values are: USE_ORIGIN_HEADERS, FORCE_CACHE_ALL and CACHE_ALL_STATIC
Possible values are: `USE_ORIGIN_HEADERS`, `FORCE_CACHE_ALL`, `CACHE_ALL_STATIC`.
* `serve_while_stale` -
(Optional)
Serve existing content from the cache (if available) when revalidating content with the origin, or when an error is encountered when refreshing the cache.
* `bypass_cache_on_request_headers` -
(Optional)
Bypass the cache when the specified request headers are matched - e.g. Pragma or Authorization headers. Up to 5 headers can be specified.
The cache is bypassed for all cdnPolicy.cacheMode settings.
Structure is [documented below](#nested_bypass_cache_on_request_headers).
<a name="nested_cache_key_policy"></a>The `cache_key_policy` block supports:
* `include_host` -
(Optional)
If true requests to different hosts will be cached separately.
* `include_protocol` -
(Optional)
If true, http and https requests will be cached separately.
* `include_query_string` -
(Optional)
If true, include query string parameters in the cache key
according to query_string_whitelist and
query_string_blacklist. If neither is set, the entire query
string will be included.
If false, the query string will be excluded from the cache
key entirely.
* `query_string_blacklist` -
(Optional)
Names of query string parameters to exclude in cache keys.
All other parameters will be included. Either specify
query_string_whitelist or query_string_blacklist, not both.
'&' and '=' will be percent encoded and not treated as
delimiters.
* `query_string_whitelist` -
(Optional)
Names of query string parameters to include in cache keys.
All other parameters will be excluded. Either specify
query_string_whitelist or query_string_blacklist, not both.
'&' and '=' will be percent encoded and not treated as
delimiters.
* `include_http_headers` -
(Optional)
Allows HTTP request headers (by name) to be used in the
cache key.
* `include_named_cookies` -
(Optional)
Names of cookies to include in cache keys.
<a name="nested_negative_caching_policy"></a>The `negative_caching_policy` block supports:
* `code` -
(Optional)
The HTTP status code to define a TTL against. Only HTTP status codes 300, 301, 308, 404, 405, 410, 421, 451 and 501
can be specified as values, and you cannot specify a status code more than once.
* `ttl` -
(Optional)
The TTL (in seconds) for which to cache responses with the corresponding status code. The maximum allowed value is 1800s
(30 minutes), noting that infrequently accessed objects may be evicted from the cache before the defined TTL.
<a name="nested_bypass_cache_on_request_headers"></a>The `bypass_cache_on_request_headers` block supports:
* `header_name` -
(Required)
The header field name to match on when bypassing cache. Values are case-insensitive.
<a name="nested_iap"></a>The `iap` block supports:
* `oauth2_client_id` -
(Required)
OAuth2 Client ID for IAP
* `oauth2_client_secret` -
(Required)
OAuth2 Client Secret for IAP
**Note**: This property is sensitive and will not be displayed in the plan.
* `oauth2_client_secret_sha256` -
(Output)
OAuth2 Client Secret SHA-256 for IAP
**Note**: This property is sensitive and will not be displayed in the plan.
<a name="nested_locality_lb_policies"></a>The `locality_lb_policies` block supports:
* `policy` -
(Optional)
The configuration for a built-in load balancing policy.
Structure is [documented below](#nested_policy).
* `custom_policy` -
(Optional)
The configuration for a custom policy implemented by the user and
deployed with the client.
Structure is [documented below](#nested_custom_policy).
<a name="nested_policy"></a>The `policy` block supports:
* `name` -
(Required)
The name of a locality load balancer policy to be used. The value
should be one of the predefined ones as supported by localityLbPolicy,
although at the moment only ROUND_ROBIN is supported.
This field should only be populated when the customPolicy field is not
used.
Note that specifying the same policy more than once for a backend is
not a valid configuration and will be rejected.
The possible values are:
* `ROUND_ROBIN`: This is a simple policy in which each healthy backend
is selected in round robin order.
* `LEAST_REQUEST`: An O(1) algorithm which selects two random healthy
hosts and picks the host which has fewer active requests.
* `RING_HASH`: The ring/modulo hash load balancer implements consistent
hashing to backends. The algorithm has the property that the
addition/removal of a host from a set of N hosts only affects
1/N of the requests.
* `RANDOM`: The load balancer selects a random healthy host.
* `ORIGINAL_DESTINATION`: Backend host is selected based on the client
connection metadata, i.e., connections are opened
to the same address as the destination address of
the incoming connection before the connection
was redirected to the load balancer.
* `MAGLEV`: used as a drop in replacement for the ring hash load balancer.
Maglev is not as stable as ring hash but has faster table lookup
build times and host selection times. For more information about
Maglev, refer to https://ai.google/research/pubs/pub44824
Possible values are: `ROUND_ROBIN`, `LEAST_REQUEST`, `RING_HASH`, `RANDOM`, `ORIGINAL_DESTINATION`, `MAGLEV`.
<a name="nested_custom_policy"></a>The `custom_policy` block supports:
* `name` -
(Required)
Identifies the custom policy.
The value should match the type the custom implementation is registered
with on the gRPC clients. It should follow protocol buffer
message naming conventions and include the full path (e.g.
myorg.CustomLbPolicy). The maximum length is 256 characters.
Note that specifying the same custom policy more than once for a
backend is not a valid configuration and will be rejected.
* `data` -
(Optional)
An optional, arbitrary JSON object with configuration data, understood
by a locally installed custom policy implementation.
<a name="nested_outlier_detection"></a>The `outlier_detection` block supports:
* `base_ejection_time` -
(Optional)
The base time that a host is ejected for. The real time is equal to the base
time multiplied by the number of times the host has been ejected. Defaults to
30000ms or 30s.
Structure is [documented below](#nested_base_ejection_time).
* `consecutive_errors` -
(Optional)
Number of errors before a host is ejected from the connection pool. When the
backend host is accessed over HTTP, a 5xx return code qualifies as an error.
Defaults to 5.
* `consecutive_gateway_failure` -
(Optional)
The number of consecutive gateway failures (502, 503, 504 status or connection
errors that are mapped to one of those status codes) before a consecutive
gateway failure ejection occurs. Defaults to 5.
* `enforcing_consecutive_errors` -
(Optional)
The percentage chance that a host will be actually ejected when an outlier
status is detected through consecutive 5xx. This setting can be used to disable
ejection or to ramp it up slowly. Defaults to 100.
* `enforcing_consecutive_gateway_failure` -
(Optional)
The percentage chance that a host will be actually ejected when an outlier
status is detected through consecutive gateway failures. This setting can be
used to disable ejection or to ramp it up slowly. Defaults to 0.
* `enforcing_success_rate` -
(Optional)
The percentage chance that a host will be actually ejected when an outlier
status is detected through success rate statistics. This setting can be used to
disable ejection or to ramp it up slowly. Defaults to 100.
* `interval` -
(Optional)
Time interval between ejection sweep analysis. This can result in both new
ejections as well as hosts being returned to service. Defaults to 10 seconds.
Structure is [documented below](#nested_interval).
* `max_ejection_percent` -
(Optional)
Maximum percentage of hosts in the load balancing pool for the backend service
that can be ejected. Defaults to 10%.
* `success_rate_minimum_hosts` -
(Optional)
The number of hosts in a cluster that must have enough request volume to detect
success rate outliers. If the number of hosts is less than this setting, outlier
detection via success rate statistics is not performed for any host in the
cluster. Defaults to 5.
* `success_rate_request_volume` -
(Optional)
The minimum number of total requests that must be collected in one interval (as
defined by the interval duration above) to include this host in success rate
based outlier detection. If the volume is lower than this setting, outlier
detection via success rate statistics is not performed for that host. Defaults
to 100.
* `success_rate_stdev_factor` -
(Optional)
This factor is used to determine the ejection threshold for success rate outlier
ejection. The ejection threshold is the difference between the mean success
rate, and the product of this factor and the standard deviation of the mean
success rate: mean - (stdev * success_rate_stdev_factor). This factor is divided
by a thousand to get a double. That is, if the desired factor is 1.9, the
runtime value should be 1900. Defaults to 1900.
<a name="nested_base_ejection_time"></a>The `base_ejection_time` block supports:
* `seconds` -
(Required)
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000
inclusive.
* `nanos` -
(Optional)
Span of time that's a fraction of a second at nanosecond resolution. Durations
less than one second are represented with a 0 `seconds` field and a positive
`nanos` field. Must be from 0 to 999,999,999 inclusive.
<a name="nested_interval"></a>The `interval` block supports:
* `seconds` -
(Required)
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000
inclusive.
* `nanos` -
(Optional)
Span of time that's a fraction of a second at nanosecond resolution. Durations
less than one second are represented with a 0 `seconds` field and a positive
`nanos` field. Must be from 0 to 999,999,999 inclusive.
<a name="nested_security_settings"></a>The `security_settings` block supports:
* `client_tls_policy` -
(Required)
ClientTlsPolicy is a resource that specifies how a client should authenticate
connections to backends of a service. This resource itself does not affect
configuration unless it is attached to a backend service resource.
* `subject_alt_names` -
(Required)
A list of alternate names to verify the subject identity in the certificate.
If specified, the client will verify that the server certificate's subject
alt name matches one of the specified values.
<a name="nested_log_config"></a>The `log_config` block supports:
* `enable` -
(Optional)
Whether to enable logging for the load balancer traffic served by this backend service.
* `sample_rate` -
(Optional)
This field can only be specified if logging is enabled for this backend service. The value of
the field must be in [0, 1]. This configures the sampling rate of requests to the load balancer
where 1.0 means all logged requests are reported and 0.0 means no logged requests are reported.
The default value is 1.0.
## Attributes Reference
In addition to the arguments listed above, the following computed attributes are exported:
* `id` - an identifier for the resource with format `projects/{{project}}/global/backendServices/{{name}}`
* `creation_timestamp` -
Creation timestamp in RFC3339 text format.
* `fingerprint` -
Fingerprint of this resource. A hash of the contents stored in this
object. This field is used in optimistic locking.
* `generated_id` -
The unique identifier for the resource. This identifier is defined by the server.
* `self_link` - The URI of the created resource.
## Timeouts
This resource provides the following
[Timeouts](https://developer.hashicorp.com/terraform/plugin/sdkv2/resources/retries-and-customizable-timeouts) configuration options:
- `create` - Default is 20 minutes.
- `update` - Default is 20 minutes.
- `delete` - Default is 20 minutes.
## Import
BackendService can be imported using any of these accepted formats:
* `projects/{{project}}/global/backendServices/{{name}}`
* `{{project}}/{{name}}`
* `{{name}}`
In Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import BackendService using one of the formats above. For example:
```tf
import {
id = "projects/{{project}}/global/backendServices/{{name}}"
to = google_compute_backend_service.default
}
```
When using the [`terraform import` command](https://developer.hashicorp.com/terraform/cli/commands/import), BackendService can be imported using one of the formats above. For example:
```
$ terraform import google_compute_backend_service.default projects/{{project}}/global/backendServices/{{name}}
$ terraform import google_compute_backend_service.default {{project}}/{{name}}
$ terraform import google_compute_backend_service.default {{name}}
```
## User Project Overrides
This resource supports [User Project Overrides](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override).