Google Compute Engine URL Map
This page shows how to write Terraform for Compute Engine URL Map resources and how to configure them securely.
google_compute_url_map (Terraform)
The URL Map in Compute Engine can be configured in Terraform with the resource name google_compute_url_map. The following sections describe 4 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "google_compute_url_map" "web_https" {
  provider        = google
  name            = "web-url-map-https"
  default_service = google_compute_backend_bucket.static_site.self_link
}

resource "google_compute_url_map" "http" {
  name    = local.HTTP_URLMAP_NAME
  project = data.google_project.primary.number

  # Redirect every plain-HTTP request to HTTPS with a 301.
  default_url_redirect {
    https_redirect         = true
    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
    strip_query            = false # required by the schema; false keeps the query string
  }
}

resource "google_compute_url_map" "main" {
  name            = "gaup"
  default_service = google_compute_backend_bucket.main.self_link
}

resource "google_compute_url_map" "marketing_site_https" {
  name            = "marketing-site-https-url-map"
  description     = "URL Map for the Remarkable Sidekick Marketing Page"
  default_service = google_compute_backend_bucket.marketing_site.id
}
Parameters
-
creation_timestamp
optional computed - string
Creation timestamp in RFC3339 text format.
-
default_service
optional - string
The backend service or backend bucket to use when none of the given rules match.
-
description
optional - string
An optional description of this resource. Provide this property when you create the resource.
-
fingerprint
optional computed - string
Fingerprint of this resource. A hash of the contents stored in this object. This field is used in optimistic locking.
The unique identifier for the resource.
-
name
required - string
Name of the resource. Provided by the client when the resource is created. The name must be 1-63 characters long, and comply with RFC1035. Specifically, the name must be 1-63 characters long and match the regular expression '[a-z]([-a-z0-9]*[a-z0-9])?' which means the first character must be a lowercase letter, and all following characters must be a dash, lowercase letter, or digit, except the last character, which cannot be a dash.
-
project
optional computed - string
-
self_link
optional computed - string
-
default_route_action
list block-
cors_policy
list block-
allow_credentials
optional - bool
In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header.
-
allow_headers
optional - list of string
Specifies the content for the Access-Control-Allow-Headers header.
-
allow_methods
optional - list of string
Specifies the content for the Access-Control-Allow-Methods header.
-
allow_origin_regexes
optional - list of string
Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes.
-
allow_origins
optional - list of string
Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes.
-
disabled
optional - bool
If true, specifies the CORS policy is disabled. The default value is false, which indicates that the CORS policy is in effect.
-
expose_headers
optional - list of string
Specifies the content for the Access-Control-Expose-Headers header.
-
max_age
optional - number
Specifies how long results of a preflight request can be cached in seconds. This translates to the Access-Control-Max-Age header.
-
-
fault_injection_policy
list block-
abort
list block-
http_status
optional - number
The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive.
-
percentage
optional - number
The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
-
delay
list block-
percentage
optional - number
The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
fixed_delay
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
-
-
request_mirror_policy
list block-
backend_service
required - string
The full or partial URL to the BackendService resource being mirrored to.
-
-
retry_policy
list block-
num_retries
optional - number
Specifies the allowed number of retries. This number must be > 0. If not specified, defaults to 1.
-
retry_conditions
optional - list of string
Specifies one or more conditions when this retry rule applies. Valid values are: 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, for example: disconnects, reset, read timeout, connection failure, and refused streams. gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts. retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409. refused-stream: Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled. deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded. resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted. unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable.
-
per_try_timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
-
timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
url_rewrite
list block-
host_rewrite
optional - string
Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters.
-
path_prefix_rewrite
optional - string
Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters.
-
-
weighted_backend_services
list block-
backend_service
optional - string
The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the loadbalancer applies any relevant headerActions specified as part of this backendServiceWeight.
-
weight
optional - number
Specifies the fraction of traffic sent to backendService, computed as weight / (sum of all weightedBackendService weights in routeAction). The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backendService, subsequent requests will be sent to the same backendService as determined by the BackendService's session affinity policy. The value must be between 0 and 1000.
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
optional - string
The name of the header to add.
-
header_value
optional - string
The value of the header to add.
-
replace
optional - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
optional - string
The name of the header to add.
-
header_value
optional - string
The value of the header to add.
-
replace
optional - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
-
-
default_url_redirect
list block-
host_redirect
optional - string
The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters.
-
https_redirect
optional - bool
If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false.
-
path_redirect
optional - string
The path that will be used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
prefix_redirect
optional - string
The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
redirect_response_code
optional - string
The HTTP Status code to use for this RedirectAction. Supported values are: MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. FOUND, which corresponds to 302. SEE_OTHER, which corresponds to 303. TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained. PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained. Possible values: ["FOUND", "MOVED_PERMANENTLY_DEFAULT", "PERMANENT_REDIRECT", "SEE_OTHER", "TEMPORARY_REDIRECT"]
-
strip_query
required - bool
If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. The default is set to false. This field is required to ensure an empty block is not set. The normal default value is false.
-
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
host_rule
set block-
description
optional - string
An optional description of this resource. Provide this property when you create the resource.
-
hosts
required - set of string
The list of host patterns to match. They must be valid hostnames, except * will match any string of ([a-z0-9-.]*). In that case, * must be the first character and must be followed in the pattern by either "-" or ".".
-
path_matcher
required - string
The name of the PathMatcher to use to match the path portion of the URL if the hostRule matches the URL's host portion.
-
-
path_matcher
list block-
default_service
optional - string
The backend service or backend bucket to use when none of the given paths match.
-
description
optional - string
An optional description of this resource. Provide this property when you create the resource.
-
name
required - string
The name to which this PathMatcher is referred by the HostRule.
-
default_route_action
list block-
cors_policy
list block-
allow_credentials
optional - bool
In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header.
-
allow_headers
optional - list of string
Specifies the content for the Access-Control-Allow-Headers header.
-
allow_methods
optional - list of string
Specifies the content for the Access-Control-Allow-Methods header.
-
allow_origin_regexes
optional - list of string
Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes.
-
allow_origins
optional - list of string
Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either an item in allowOrigins or an item in allowOriginRegexes.
-
disabled
optional - bool
If true, specifies the CORS policy is disabled. The default value is false, which indicates that the CORS policy is in effect.
-
expose_headers
optional - list of string
Specifies the content for the Access-Control-Expose-Headers header.
-
max_age
optional - number
Specifies how long results of a preflight request can be cached in seconds. This translates to the Access-Control-Max-Age header.
-
-
fault_injection_policy
list block-
abort
list block-
http_status
optional - number
The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive.
-
percentage
optional - number
The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
-
delay
list block-
percentage
optional - number
The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
fixed_delay
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
-
-
request_mirror_policy
list block-
backend_service
required - string
The full or partial URL to the BackendService resource being mirrored to.
-
-
retry_policy
list block-
num_retries
optional - number
Specifies the allowed number of retries. This number must be > 0. If not specified, defaults to 1.
-
retry_conditions
optional - list of string
Specifies one or more conditions when this retry rule applies. Valid values are: 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, for example: disconnects, reset, read timeout, connection failure, and refused streams. gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts. retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409. refused-stream: Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled. deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded. resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted. unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable.
-
per_try_timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
-
timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 seconds field and a positive nanos field. Must be from 0 to 999,999,999 inclusive.
-
seconds
optional - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years
-
-
url_rewrite
list block-
host_rewrite
optional - string
Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters.
-
path_prefix_rewrite
optional - string
Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters.
-
-
weighted_backend_services
list block-
backend_service
optional - string
The full or partial URL to the default BackendService resource. Before forwarding the request to backendService, the loadbalancer applies any relevant headerActions specified as part of this backendServiceWeight.
-
weight
optional - number
Specifies the fraction of traffic sent to backendService, computed as weight / (sum of all weightedBackendService weights in routeAction). The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backendService, subsequent requests will be sent to the same backendService as determined by the BackendService's session affinity policy. The value must be between 0 and 1000.
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
optional - string
The name of the header to add.
-
header_value
optional - string
The value of the header to add.
-
replace
optional - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
optional - string
The name of the header to add.
-
header_value
optional - string
The value of the header to add.
-
replace
optional - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
-
-
default_url_redirect
list block-
host_redirect
optional - string
The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters.
-
https_redirect
optional - bool
If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false.
-
path_redirect
optional - string
The path that will be used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
prefix_redirect
optional - string
The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
redirect_response_code
optional - string
The HTTP Status code to use for this RedirectAction. Supported values are: MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301. FOUND, which corresponds to 302. SEE_OTHER, which corresponds to 303. TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained. PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained. Possible values: ["FOUND", "MOVED_PERMANENTLY_DEFAULT", "PERMANENT_REDIRECT", "SEE_OTHER", "TEMPORARY_REDIRECT"]
-
strip_query
required - bool
If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. This field is required to ensure an empty block is not set. The normal default value is false.
-
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
path_rule
list block-
paths
required - set of string
The list of path patterns to match. Each must start with / and the only place a * is allowed is at the end following a /. The string fed to the path matcher does not include any text after the first ? or #, and those chars are not allowed here.
-
service
optional - string
The backend service or backend bucket to use if any of the given paths match.
-
route_action
list block-
cors_policy
list block-
allow_credentials
optional - bool
In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header. Defaults to false.
-
allow_headers
optional - list of string
Specifies the content for the Access-Control-Allow-Headers header.
-
allow_methods
optional - list of string
Specifies the content for the Access-Control-Allow-Methods header.
-
allow_origin_regexes
optional - list of string
Specifies the regular expression patterns that match allowed origins. For regular expression grammar please see en.cppreference.com/w/cpp/regex/ecmascript An origin is allowed if it matches either allow_origins or allow_origin_regex.
-
allow_origins
optional - list of string
Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either allow_origins or allow_origin_regex.
-
disabled
required - bool
If true, specifies the CORS policy is disabled.
-
expose_headers
optional - list of string
Specifies the content for the Access-Control-Expose-Headers header.
-
max_age
optional - number
Specifies how long the results of a preflight request can be cached. This translates to the content for the Access-Control-Max-Age header.
-
-
fault_injection_policy
list block-
abort
list block-
http_status
required - number
The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive.
-
percentage
required - number
The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
-
delay
list block-
percentage
required - number
The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
fixed_delay
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
-
-
request_mirror_policy
list block-
backend_service
required - string
The BackendService resource being mirrored to.
-
-
retry_policy
list block-
num_retries
optional - number
Specifies the allowed number of retries. This number must be > 0.
-
retry_conditions
optional - list of string
Specifies one or more conditions when this retry rule applies. Valid values are: 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, for example: disconnects, reset, read timeout, connection failure, and refused streams. gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504. connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts. retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409. refused-stream: Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry. cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled. deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded. resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted. unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable.
-
per_try_timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
-
timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
url_rewrite
list block-
host_rewrite
optional - string
Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters.
-
path_prefix_rewrite
optional - string
Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters.
-
-
weighted_backend_services
list block-
backend_service
required - string
The default BackendService resource. Before forwarding the request to backendService, the loadbalancer applies any relevant headerActions specified as part of this backendServiceWeight.
-
weight
required - number
Specifies the fraction of traffic sent to backendService, computed as weight / (sum of all weightedBackendService weights in routeAction). The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backendService, subsequent requests will be sent to the same backendService as determined by the BackendService's session affinity policy. The value must be between 0 and 1000.
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
-
-
url_redirect
list block-
host_redirect
optional - string
The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters.
-
https_redirect
optional - bool
If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. The default is set to false.
-
path_redirect
optional - string
The path that will be used in the redirect response instead of the one that was supplied in the request. pathRedirect cannot be supplied together with prefixRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
prefix_redirect
optional - string
The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request. prefixRedirect cannot be supplied together with pathRedirect. Supply one alone or neither. If neither is supplied, the path of the original request will be used for the redirect. The value must be between 1 and 1024 characters.
-
redirect_response_code
optional - string
The HTTP Status code to use for this RedirectAction. Supported values are:
* MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301.
* FOUND, which corresponds to 302.
* SEE_OTHER, which corresponds to 303.
* TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained.
* PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained.
Possible values: ["FOUND", "MOVED_PERMANENTLY_DEFAULT", "PERMANENT_REDIRECT", "SEE_OTHER", "TEMPORARY_REDIRECT"]
-
strip_query
required - bool
If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. This field is required to ensure an empty block is not set. The normal default value is false.
-
-
-
route_rules
list block-
priority
required - number
For routeRules within a given pathMatcher, priority determines the order in which load balancer will interpret routeRules. RouteRules are evaluated in order of priority, from the lowest to highest number. The priority of a rule decreases as its number increases (1, 2, 3, N+1). The first rule that matches the request is applied. You cannot configure two or more routeRules with the same priority. Priority for each rule must be set to a number between 0 and 2147483647 inclusive. Priority numbers can have gaps, which enable you to add or remove rules in the future without affecting the rest of the rules. For example, 1, 2, 3, 4, 5, 9, 12, 16 is a valid series of priority numbers to which you could add rules numbered from 6 to 8, 10 to 11, and 13 to 15 in the future without any impact on existing rules.
-
service
optional - string
The backend service resource to which traffic is directed if this rule is matched. If routeAction is additionally specified, advanced routing actions like URL Rewrites, etc. take effect prior to sending the request to the backend. However, if service is specified, routeAction cannot contain any weightedBackendServices. Conversely, if routeAction specifies any weightedBackendServices, service must not be specified. Only one of urlRedirect, service or routeAction.weightedBackendService must be set.
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
match_rules
list block-
full_path_match
optional - string
For satisfying the matchRule condition, the path of the request must exactly match the value specified in fullPathMatch after removing any query parameters and anchor that may be part of the original URL. FullPathMatch must be between 1 and 1024 characters. Only one of prefixMatch, fullPathMatch or regexMatch must be specified.
-
ignore_case
optional - bool
Specifies that prefixMatch and fullPathMatch matches are case sensitive. Defaults to false.
-
prefix_match
optional - string
For satisfying the matchRule condition, the request's path must begin with the specified prefixMatch. prefixMatch must begin with a /. The value must be between 1 and 1024 characters. Only one of prefixMatch, fullPathMatch or regexMatch must be specified.
-
regex_match
optional - string
For satisfying the matchRule condition, the path of the request must satisfy the regular expression specified in regexMatch after removing any query parameters and anchor supplied with the original URL. For regular expression grammar, please see en.cppreference.com/w/cpp/regex/ecmascript. Only one of prefixMatch, fullPathMatch or regexMatch must be specified.
-
header_matches
list block-
exact_match
optional - string
The value should exactly match contents of exactMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set.
-
header_name
required - string
The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method".
-
invert_match
optional - bool
If set to false, the headerMatch is considered a match if the match criteria above are met. If set to true, the headerMatch is considered a match if the match criteria above are NOT met. Defaults to false.
-
prefix_match
optional - string
The value of the header must start with the contents of prefixMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set.
-
present_match
optional - bool
A header with the contents of headerName must exist. The match takes place whether or not the request's header has a value. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set.
-
regex_match
optional - string
The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see en.cppreference.com/w/cpp/regex/ecmascript. For matching against a port specified in the HTTP request, use a headerMatch with headerName set to PORT and a regular expression that satisfies the RFC2616 Host header's port specifier. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set.
-
suffix_match
optional - string
The value of the header must end with the contents of suffixMatch. Only one of exactMatch, prefixMatch, suffixMatch, regexMatch, presentMatch or rangeMatch must be set.
-
range_match
list block-
range_end
required - number
The end of the range (exclusive).
-
range_start
required - number
The start of the range (inclusive).
-
-
-
metadata_filters
list block-
filter_match_criteria
required - string
Specifies how individual filterLabel matches within the list of filterLabels contribute towards the overall metadataFilter match. Supported values are: - MATCH_ANY: At least one of the filterLabels must have a matching label in the provided metadata. - MATCH_ALL: All filterLabels must have matching labels in the provided metadata. Possible values: ["MATCH_ALL", "MATCH_ANY"]
-
filter_labels
list block-
name
required - string
Name of metadata label. The name can have a maximum length of 1024 characters and must be at least 1 character long.
-
value
required - string
The value of the label must match the specified value. value can have a maximum length of 1024 characters.
-
-
-
query_parameter_matches
list block-
exact_match
optional - string
The queryParameterMatch matches if the value of the parameter exactly matches the contents of exactMatch. Only one of presentMatch, exactMatch and regexMatch must be set.
-
name
required - string
The name of the query parameter to match. The query parameter must exist in the request, in the absence of which the request match fails.
-
present_match
optional - bool
Specifies that the queryParameterMatch matches if the request contains the query parameter, irrespective of whether the parameter has a value or not. Only one of presentMatch, exactMatch and regexMatch must be set.
-
regex_match
optional - string
The queryParameterMatch matches if the value of the parameter matches the regular expression specified by regexMatch. For the regular expression grammar, please see en.cppreference.com/w/cpp/regex/ecmascript. Only one of presentMatch, exactMatch and regexMatch must be set.
-
-
-
route_action
list block-
cors_policy
list block-
allow_credentials
optional - bool
In response to a preflight request, setting this to true indicates that the actual request can include user credentials. This translates to the Access-Control-Allow-Credentials header. Defaults to false.
-
allow_headers
optional - list of string
Specifies the content for the Access-Control-Allow-Headers header.
-
allow_methods
optional - list of string
Specifies the content for the Access-Control-Allow-Methods header.
-
allow_origin_regexes
optional - list of string
Specifies the regular expression patterns that match allowed origins. For regular expression grammar, please see en.cppreference.com/w/cpp/regex/ecmascript. An origin is allowed if it matches either allow_origins or allow_origin_regex.
-
allow_origins
optional - list of string
Specifies the list of origins that will be allowed to do CORS requests. An origin is allowed if it matches either allow_origins or allow_origin_regex.
-
disabled
optional - bool
If true, specifies the CORS policy is disabled. Defaults to false, which indicates that the CORS policy is in effect.
-
expose_headers
optional - list of string
Specifies the content for the Access-Control-Expose-Headers header.
-
max_age
optional - number
Specifies how long the results of a preflight request can be cached. This translates to the content for the Access-Control-Max-Age header.
-
-
fault_injection_policy
list block-
abort
list block-
http_status
optional - number
The HTTP status code used to abort the request. The value must be between 200 and 599 inclusive.
-
percentage
optional - number
The percentage of traffic (connections/operations/requests) which will be aborted as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
-
delay
list block-
percentage
optional - number
The percentage of traffic (connections/operations/requests) on which delay will be introduced as part of fault injection. The value must be between 0.0 and 100.0 inclusive.
-
fixed_delay
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
-
-
request_mirror_policy
list block-
backend_service
required - string
The BackendService resource being mirrored to.
-
-
retry_policy
list block-
num_retries
required - number
Specifies the allowed number of retries. This number must be > 0.
-
retry_conditions
optional - list of string
Specifies one or more conditions when this retry rule applies. Valid values are:
* 5xx: Loadbalancer will attempt a retry if the backend service responds with any 5xx response code, or if the backend service does not respond at all, for example: disconnects, reset, read timeout, connection failure, and refused streams.
* gateway-error: Similar to 5xx, but only applies to response codes 502, 503 or 504.
* connect-failure: Loadbalancer will retry on failures connecting to backend services, for example due to connection timeouts.
* retriable-4xx: Loadbalancer will retry for retriable 4xx response codes. Currently the only retriable error supported is 409.
* refused-stream: Loadbalancer will retry if the backend service resets the stream with a REFUSED_STREAM error code. This reset type indicates that it is safe to retry.
* cancelled: Loadbalancer will retry if the gRPC status code in the response header is set to cancelled.
* deadline-exceeded: Loadbalancer will retry if the gRPC status code in the response header is set to deadline-exceeded.
* resource-exhausted: Loadbalancer will retry if the gRPC status code in the response header is set to resource-exhausted.
* unavailable: Loadbalancer will retry if the gRPC status code in the response header is set to unavailable.
-
per_try_timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
-
timeout
list block-
nanos
optional - number
Span of time that's a fraction of a second at nanosecond resolution. Durations less than one second are represented with a 0 'seconds' field and a positive 'nanos' field. Must be from 0 to 999,999,999 inclusive.
-
seconds
required - string
Span of time at a resolution of a second. Must be from 0 to 315,576,000,000 inclusive.
-
-
url_rewrite
list block-
host_rewrite
optional - string
Prior to forwarding the request to the selected service, the request's host header is replaced with contents of hostRewrite. The value must be between 1 and 255 characters.
-
path_prefix_rewrite
optional - string
Prior to forwarding the request to the selected backend service, the matching portion of the request's path is replaced by pathPrefixRewrite. The value must be between 1 and 1024 characters.
-
-
weighted_backend_services
list block-
backend_service
required - string
The default BackendService resource. Before forwarding the request to backendService, the loadbalancer applies any relevant headerActions specified as part of this backendServiceWeight.
-
weight
required - number
Specifies the fraction of traffic sent to backendService, computed as weight / (sum of all weightedBackendService weights in routeAction). The selection of a backend service is determined only for new traffic. Once a user's request has been directed to a backendService, subsequent requests will be sent to the same backendService as determined by the BackendService's session affinity policy. The value must be between 0 and 1000.
-
header_action
list block-
request_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the request prior to forwarding the request to the backendService.
-
response_headers_to_remove
optional - list of string
A list of header names for headers that need to be removed from the response prior to sending the response back to the client.
-
request_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
response_headers_to_add
list block-
header_name
required - string
The name of the header.
-
header_value
required - string
The value of the header to add.
-
replace
required - bool
If false, headerValue is appended to any values that already exist for the header. If true, headerValue is set for the header, discarding any values that were set for that header.
-
-
-
-
-
url_redirect
list block-
host_redirect
optional - string
The host that will be used in the redirect response instead of the one that was supplied in the request. The value must be between 1 and 255 characters.
-
https_redirect
optional - bool
If set to true, the URL scheme in the redirected request is set to https. If set to false, the URL scheme of the redirected request will remain the same as that of the request. This must only be set for UrlMaps used in TargetHttpProxys. Setting this true for TargetHttpsProxy is not permitted. Defaults to false.
-
path_redirect
optional - string
The path that will be used in the redirect response instead of the one that was supplied in the request. Only one of pathRedirect or prefixRedirect must be specified. The value must be between 1 and 1024 characters.
-
prefix_redirect
optional - string
The prefix that replaces the prefixMatch specified in the HttpRouteRuleMatch, retaining the remaining portion of the URL before redirecting the request.
-
redirect_response_code
optional - string
The HTTP Status code to use for this RedirectAction. Supported values are:
* MOVED_PERMANENTLY_DEFAULT, which is the default value and corresponds to 301.
* FOUND, which corresponds to 302.
* SEE_OTHER, which corresponds to 303.
* TEMPORARY_REDIRECT, which corresponds to 307. In this case, the request method will be retained.
* PERMANENT_REDIRECT, which corresponds to 308. In this case, the request method will be retained.
Possible values: ["FOUND", "MOVED_PERMANENTLY_DEFAULT", "PERMANENT_REDIRECT", "SEE_OTHER", "TEMPORARY_REDIRECT"]
-
strip_query
optional - bool
If set to true, any accompanying query portion of the original URL is removed prior to redirecting the request. If set to false, the query portion of the original URL is retained. Defaults to false.
-
-
-
-
test
list block-
description
optional - string
Description of this test case.
-
host
required - string
Host portion of the URL.
-
path
required - string
Path portion of the URL.
-
service
required - string
The backend service or backend bucket link that should be matched by this test.
-
-
timeouts
single block
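The following configuration is an added example, not code from this page or from the projects it cites. It combines several of the parameters above: an HTTP-only map that redirects to HTTPS, and an HTTPS map whose route rule strips backend-identifying response headers, sets HSTS, and restricts CORS to an explicit origin. The resource names, the host app.example.com, the header X-Backend-Version, and the two variables holding backend service self links are assumptions, as is a backend load-balancing scheme that supports route_rules.

```hcl
# Self links of existing backend services (assumed; supplied by the caller).
variable "web_backend" { type = string }
variable "api_backend" { type = string }

# Attach to a TargetHttpProxy only: sends every plain-HTTP request to HTTPS.
resource "google_compute_url_map" "http_redirect" {
  name = "example-http-redirect"

  default_url_redirect {
    https_redirect         = true
    redirect_response_code = "MOVED_PERMANENTLY_DEFAULT"
    strip_query            = false # required field; keeps the query string
  }
}

# Attach to a TargetHttpsProxy: https_redirect is not set anywhere in this map.
resource "google_compute_url_map" "https" {
  name            = "example-https"
  default_service = var.web_backend

  host_rule {
    hosts        = ["app.example.com"]
    path_matcher = "app"
  }

  path_matcher {
    name            = "app"
    default_service = var.web_backend

    route_rules {
      priority = 10 # gaps in numbering leave room for rules added later
      service  = var.api_backend

      match_rules {
        prefix_match = "/api/"
      }

      header_action {
        # Drop headers that reveal backend details before the response leaves.
        response_headers_to_remove = ["X-Powered-By", "X-Backend-Version"]

        response_headers_to_add {
          header_name  = "Strict-Transport-Security"
          header_value = "max-age=31536000; includeSubDomains"
          replace      = true # discard any value the backend set
        }
      }

      route_action {
        cors_policy {
          allow_origins     = ["https://app.example.com"] # explicit list, no regex
          allow_methods     = ["GET", "POST"]
          allow_headers     = ["Authorization", "Content-Type"]
          allow_credentials = true
          max_age           = 600
        }
      }
    }
  }

  test {
    description = "Non-API paths fall through to the default service"
    host        = "app.example.com"
    path        = "/index.html"
    service     = var.web_backend
  }
}
```

Because the route rule sets service, its route_action carries no weighted_backend_services, in line with the constraint stated for the service parameter.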
Explanation in Terraform Registry
UrlMaps are used to route requests to a backend service based on rules that you define for the host and path of an incoming URL. To get more information about UrlMap, see:
Tips: Best Practices for The Other Google Compute Engine Resources
Besides google_compute_disk, Google Compute Engine has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
google_compute_disk
Ensure the encryption key for your GCE disk is stored securely
It is better to store the encryption key for your GCE disk securely. Secret Manager could be used instead.
google_compute_firewall
Ensure your VPC firewall blocks unwanted outbound traffic
It is better to block unwanted outbound traffic so that resources in the VPC are not exposed to unwanted attacks.
google_compute_instance
Ensure appropriate service account is assigned to your GCE instance
It is better to create a custom service account for the instance and assign it.
google_compute_project_metadata
Ensure OS login for your GCE instances is enabled at project level
It is better to enable OS login for your GCE instances. Enabling OS login ensures that SSH keys used to connect to instances are mapped with IAM users, allowing centralized and automated SSH key management.
google_compute_ssl_policy
Ensure modern TLS protocols are used
It's better to adopt TLS v1.2+ instead of outdated TLS protocols.
google_compute_subnetwork
Ensure VPC flow logging is enabled
It is better to enable VPC flow logging. VPC flow logging lets you audit traffic in your network.
Frequently asked questions
What is Google Compute Engine URL Map?
Google Compute Engine URL Map is a resource for Compute Engine of Google Cloud Platform. Settings can be written in Terraform.
Where can I find the example code for the Google Compute Engine URL Map?
For Terraform, the MatthewCYLau/react-serverless-gcp-terraform, kennedycmr/terraform-google-cloudrun-public-byo-domainname and rdeknijf/github-actions-upgrader source code examples are useful. See the Terraform Example section for further details.