I'm trying to create a regional load balancer using Terraform, but I'm unable to create the forwarding rules and regional HTTP(S) proxies.
```hcl
resource "google_compute_region_ssl_certificate" "ssl-crt" {
  project     = "proyecto-pegachucho"
  name_prefix = "my-certificate-"
  region      = var.lb_region
  private_key = file("lb_http/certificate/privateKey.key")
  certificate = file("lb_http/certificate/certificate.crt")
  lifecycle {
    create_before_destroy = true
  }
}

resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"
}

resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
  name                  = "lb-https-front"
  port_range            = "443"
  load_balancing_scheme = "INTERNAL_MANAGED"
  ip_address            = "10.10.30.6"
  target                = google_compute_region_target_https_proxy.lb-proxy-https.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
}

resource "google_compute_region_target_http_proxy" "lb-proxy-http" {
  name    = var.lb_proxy_name
  region  = var.lb_region
  project = "proyecto-pegachucho"
  url_map = google_compute_region_url_map.lb_url_map.self_link
}

resource "google_compute_region_target_https_proxy" "lb-proxy-https" {
  name             = "test-proxy"
  region           = var.lb_region
  project          = "proyecto-pegachucho"
  url_map          = google_compute_region_url_map.lb_url_map.self_link
  ssl_certificates = [google_compute_region_ssl_certificate.ssl-crt.id]
}

resource "google_compute_region_url_map" "lb_url_map" {
  name            = var.url_map_name
  region          = var.lb_region
  default_service = google_compute_region_backend_service.lb-backend.self_link
}

resource "google_compute_region_backend_service" "lb-backend" {
  name                  = var.lb_backend_name
  region                = var.lb_region
  project               = "proyecto-pegachucho"
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_name             = var.lb_backend_port_name
  protocol              = var.lb_backend_protocol
  timeout_sec           = var.lb_backend_timeout
  health_checks         = [var.healthcheck_output]
  locality_lb_policy    = "ROUND_ROBIN"
  backend {
    group           = var.ig_id
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}
```
This throws the following error:
```text
Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 13, in resource "google_compute_forwarding_rule" "lb-front-HTTP":
  13: resource "google_compute_forwarding_rule" "lb-front-HTTP" {

Error: Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpsProxies/test-proxy'. A reserved and active subnetwork is required in the same region and VPC as the forwarding rule., invalid

  on lb_http\lb_http.tf line 24, in resource "google_compute_forwarding_rule" "lb-front-HTTPS":
  24: resource "google_compute_forwarding_rule" "lb-front-HTTPS" {
```
I tried using the google-beta provider, but it seems that I don't have permissions, even though I have Owner permissions on my Terraform service account.
```text
Error: Error creating RegionSslCertificate: googleapi: Error 403: Required 'compute.regionSslCertificates.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/sslCertificates/my-certificate-20210628014206664300000001', forbidden

  on lb_http\lb_http.tf line 1, in resource "google_compute_region_ssl_certificate" "ssl-crt":
   1: resource "google_compute_region_ssl_certificate" "ssl-crt" {

Error: Error creating RegionBackendService: googleapi: Error 403: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'
More details:
Reason: forbidden, Message: Required 'compute.regionBackendServices.create' permission for 'projects/proyecto-pegachucho/regions/us-central1/backendServices/lb-backend'
Reason: forbidden, Message: Required 'compute.healthChecks.useReadOnly' permission for 'projects/proyecto-pegachucho/global/healthChecks/hsbc-healthcheck-dev'
Reason: forbidden, Message: Required 'compute.instanceGroups.use' permission for 'projects/proyecto-pegachucho/zones/us-central1-b/instanceGroups/tomcats-ig'

  on lb_http\lb_http.tf line 59, in resource "google_compute_region_backend_service" "lb-backend":
  59: resource "google_compute_region_backend_service" "lb-backend" {
```
You must create a proxy-only subnet before you create forwarding rules for your internal HTTP(S) load balancers. Each region of a virtual private network (VPC) in which you use internal HTTP(S) load balancers must have a proxy-only subnet.
The error message displayed describes it in the last sentence:
```text
Error creating ForwardingRule: googleapi: Error 400: Invalid value for field 'resource.target': 'https://www.googleapis.com/compute/v1/projects/proyecto-pegachucho/regions/us-central1/targetHttpProxies/lb-proxy'.
A reserved and active subnetwork is required in the same region and VPC as the forwarding rule.
```
To solve this, you can either manually create said proxy-only subnet through the `gcloud compute networks subnets create` command, or use the Terraform variant through `google_compute_subnetwork`, where all the same fields are available. You can use the documentation for `create` as a guide and then trespass it all over to Terraform.
Note that this must be done before creating the forwarding rules for your internal HTTP(S) LB.
I hope the provided solution can be of help!
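As an added example (not part of the answer above), this is the Terraform `google_compute_subnetwork` definition of a proxy-only subnet that satisfies the "reserved and active subnetwork" requirement, wired into the asker's forwarding rules. The subnet name, the `10.10.40.0/24` range and the `depends_on` placement are assumptions; the `purpose` and `role` values are the provider's own attributes for this subnet type.

```hcl
# Proxy-only subnet for internal HTTP(S) load balancers in this region and VPC.
# One such subnet is required per region/VPC pair; Envoy proxies draw their
# addresses from it, so it must not overlap the subnet that holds the
# forwarding-rule IPs (10.10.30.x in the question).
resource "google_compute_subnetwork" "proxy_only" {
  name          = "proxy-only-subnet"      # assumed name
  project       = "proyecto-pegachucho"
  region        = var.lb_region
  network       = var.lb_network
  ip_cidr_range = "10.10.40.0/24"          # constructed range; /24 or larger is recommended

  # "reserved" in the error message maps to purpose, "active" maps to role.
  # Newer provider versions also accept purpose = "REGIONAL_MANAGED_PROXY".
  purpose = "INTERNAL_HTTPS_LOAD_BALANCER"
  role    = "ACTIVE"
}

# The forwarding rules do not reference the proxy-only subnet directly
# (their subnetwork is the client-facing subnet where the VIP lives), so
# Terraform cannot infer the ordering; depends_on enforces "subnet first".
resource "google_compute_forwarding_rule" "lb-front-HTTP" {
  name                  = var.lb_front_name
  load_balancing_scheme = "INTERNAL_MANAGED"
  port_range            = var.lb_front_port_range
  target                = google_compute_region_target_http_proxy.lb-proxy-http.self_link
  region                = var.lb_region
  network               = var.lb_network
  subnetwork            = var.lb_subnetwork
  ip_address            = "10.10.30.5"

  depends_on = [google_compute_subnetwork.proxy_only]
}
```

The equivalent one-off creation with the CLI mentioned in the answer is `gcloud compute networks subnets create proxy-only-subnet --purpose=INTERNAL_HTTPS_LOAD_BALANCER --role=ACTIVE --region=us-central1 --network=NETWORK --range=10.10.40.0/24` (network name and range are placeholders); keeping it in Terraform instead avoids a resource that exists outside state.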