google_compute_backend_service doesn't support serverless NEGs

[andyroyle]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to the modular-magician user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If an issue is assigned to a user, that user is claiming responsibility for the issue. If an issue is assigned to hashibot, a community member has claimed the issue already.

Terraform Version

terraform: 0.12.28
google-beta: 3.32.0

Affected Resource(s)

• google_compute_backend_service

Terraform Configuration Files

resource "google_compute_backend_service" "backend-service" {
  provider = google-beta

  name            = "my-backend-service

  backend {
      group = "https://www.googleapis.com/compute/beta/projects/my-project/regions/europe-west1/networkEndpointGroups/my-serverless-neg"
  }
}

Expected Behavior

Backend should be created.

Actual Behavior

Error creating BackendService: googleapi: Error 400: Invalid value for field 'resource.backends[0].maxUtilization': '1.0'. Max utilization is not supported for Serverless network endpoint groups., invalid

The api doesn't allow specifying maxUtilization for a serverless NEG backend, there is code for explicitly supporting global NEGs (see here) but it's specifically looking for global/networkEndpointGroups in the string, so the serverless NEGs don't trigger this behaviour.

Since the Serverless NEGs are now in Beta I thought it prudent to open an issue (in case the fix for this is already in the pipeline).

I can easily send a PR to fix this logic so that it also applies to regional NEGs but I'm not sure of the wider implication here and wouldn't want to break any other behaviour.

[edwardmedia]

@andyroyle can you see if google_compute_region_backend_service works for you? If not, can you post your debug log?

[kentb]

I'm able to reproduce the same issue.
I know Serverless NEGs is coming out on the next release.
It'll be good to have this fix come out soon, so we can properly use the Serverless NEGs.

Terraform Version

terraform: 0.13.0
google-beta: 3.34.0

Affected Resource(s)

• google_compute_backend_service

Terraform Configuration Files

resource "google_compute_backend_service" "backend-service" {
  provider = google-beta

  name            = "my-backend-service"
  backend {
      group = "https://www.googleapis.com/compute/beta/projects/my-project/regions/us-east4/networkEndpointGroups/my-serverless-neg"
  }
}

Expected Behavior

Backend should be created.

Actual Behavior

Error: Error creating BackendService: googleapi: Error 400: Invalid value for field 'resource.backends[0].maxUtilization': '0.8'. Max utilization is not supported for Serverless network endpoint groups., invalid

[kentb]

backend-service-serverless-neg-error.txt
Here's the Debug log from the above run.
Note that I replaced the actual project name, serverless neg name w/ the dummy name from above example.

[edwardmedia]

@kentb does google_compute_region_backend_service work for you?

[kentb]

@edwardmedia
It doesn't work since it requires healthchecks, serverless NEG's also do not have healthchecks.
According to GCP docs, Serverless NEGs only work with Global backend service.
https://cloud.google.com/load-balancing/docs/backend-service

[kentb]

If it helps, here are the details of a Backend Service I created using gcloud commands, connected to 2 Serverless NEGs in us-east4 and europe-west1. (Names are swapped w/ more generic ones)

$gcloud compute backend-services describe my-backend-service

affinityCookieTtlSec: 0
backends:
- balancingMode: UTILIZATION
  capacityScaler: 0.0
  group: https://www.googleapis.com/compute/v1/projects/myproject-123456/regions/us-east4/networkEndpointGroups/my-backend-service-us-east4-serverless-neg
- balancingMode: UTILIZATION
  capacityScaler: 0.0
  group: https://www.googleapis.com/compute/v1/projects/myproject-123456/regions/europe-west1/networkEndpointGroups/my-backend-service-europe-west1-serverless-neg
connectionDraining:
  drainingTimeoutSec: 0
creationTimestamp: '2020-08-07T09:27:40.228-07:00'
description: ''
enableCDN: false
fingerprint: xxx
id: 'xxx'
kind: compute#backendService
loadBalancingScheme: EXTERNAL
logConfig:
  enable: false
name: my-backend-service
port: 80
portName: http
protocol: HTTP
selfLink: https://www.googleapis.com/compute/v1/projects/myproject-123456/global/backendServices/my-backend-service
sessionAffinity: NONE
timeoutSec: 30

[edwardmedia]

@andyroyle v3.35.0 has just released today which contains below feature. Let me know if that helps address your issue. Thanks

New Resource: google_compute_region_network_endpoint_group (supports serverless NEGs) (#6960)

https://github.com/hashicorp/terraform-provider-google/blob/master/CHANGELOG.md

[robcharlwood]

@edwardmedia I don't believe this helps - unless I'm missing something. That release allows you to create the serverless NEG resource. However, you still cant reference that resource within the google_compute_backend_service since its not "serverless neg aware" and tries to apply max utilisation to the resource. :)

[icco]

I filed #7051 as I ran into the point that @robcharlwood points out.

[edwardmedia]

@slevenick By removing the maxUtilization from the payload, I can create that backend-service. Below is the payload I used

 {
  "backends": [
   {
    "balancingMode": "UTILIZATION",
    "capacityScaler": 1,
    "group": "projects/myproject/regions/us-central1/networkEndpointGroups/issue6876function-neg",
   }
  ],
  "connectionDraining": {
   "drainingTimeoutSec": 10
  },
  "iap": {
   "enabled": false,
"oauth2ClientId": "",
   "oauth2ClientSecret": ""
  },
  "loadBalancingScheme": "EXTERNAL",
  "name": "issue6876region-service",
  "sessionAffinity": "CLIENT_IP"
 }

[edwardmedia]

closing this issue as #7051 for tracking this issue

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!