Add global load balancer IP ranges to google_netblock_ip_ranges

[danielcompton]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

When I'm setting up firewall rules, I need to allow requests from the Google global load balancers. Currently, health checker IPs are the same as the GFE IPs.

The source IP address for actual load-balanced traffic is the same as the health checks probe IP ranges.

https://cloud.google.com/load-balancing/docs/https#source_ip_addresses

There are two issues with using the health check IP range here:

1. If the HTTP load balancer ever uses a new range that the health checks don't, then my firewall rules won't be updated to use the new range
2. I need to add a comment to my firewall rule saying "This is actually for the load balancer, even though it says it's for the health check"

New or Affected Resource(s)

• google_netblock_ip_ranges

Potential Terraform Configuration

data "google_netblock_ip_ranges" "netblock" {
  range_type = "external-http-load-balancer"
}

References

I assume this should go on the google_netblock_ip_ranges data source rather than creating a new specific resource like google_compute_lb_ip_ranges.

[bdronneau]

Hey,

If you're looking for

• 35.191.0.0/16
• 130.211.0.0/22

With:

data "google_compute_lb_ip_ranges" "google" {
}

output lb_ssl {
  value       = data.google_compute_lb_ip_ranges.google.http_ssl_tcp_internal
}

Output:

Outputs:

test = [
  "130.211.0.0/22",
  "35.191.0.0/16",
]

[danielcompton]

Thanks! I did see that you can get the same result from using other data resources. This issue is more about creating a new resource that is semantically correct and represents the intent better. Especially in firewall rules, it's not always clear why something has been created.