Discover web_backend_service name in GCP/LoadBalancers/Backend created from helm apply in GKE/k8s api

I’m trying to deliver a service in GKE using helm with Google IAP protection enabled in a specific web_backend_service using terraform. My main issue is the names of the resources created in GCP: for the web_backend_service resource, there isn’t a name matching from the terraform code after creating the HTTP Load Balancer with helm.

Let me explain better…

  1. I deliver the service with helm using code like this…
resource "helm_release" "jenkins" {
  ...
}
  2. After that, I’m trying to allow permission with Terraform, but the main issue is that the name of the web_backend_service is not well known in my terraform code…
    Let me share: in my case, GCP creates 2 HTTPS load balancers with the same Backend Names:
  • k8s-be-30667--289e6a19e503de26
  • k8s1-289e6a19-jenkins-onefront-jenkins-onefront-8080-588e64ecl
    Let me also show you the names of the two HTTPS load balancers (both of them with the same Backend Names shown previously)
  • k8s2-um-x0rsnpra-jenkins-onefro-jenkins-onefront-secon-05u5hswf
  • k8s2-um-x0rsnpra-jenkins-onefront-jenkins-onefront-bytgshhl
  3. Let me show you the BackendConfig yaml created in k8s/gke with helm
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  annotations:
    meta.helm.sh/release-name: jenkins-onefront
    meta.helm.sh/release-namespace: jenkins-onefront
  labels:
    app.kubernetes.io/component: jenkins-master
    app.kubernetes.io/instance: jenkins-onefront
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: jenkins
    helm.sh/chart: jenkins-2.12.1-2
  name: jenkins
  namespace: jenkins-onefront
  selfLink: /apis/cloud.google.com/v1/namespaces/jenkins-onefront/backendconfigs/jenkins
  uid: 4a0f56dd-8577-4bd3-b3b9-50bef09127f9
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: iap

My problem is there is no relationship between these resource names created on GCP and the web_backend_service parameter name in the terraform resource iap_web_backend_service_iam - web_backend_service
k8s-be-30667--289e6a19e503de26
k8s1-289e6a19-jenkins-onefront-jenkins-onefront-8080-588e64ecl

Affected Resource(s)

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iap_web_backend_service_iam

resource "google_iap_web_backend_service_iam_binding" "binding" {
  project = google_compute_backend_service.default.project
  web_backend_service = google_compute_backend_service.default.name 
  role = "roles/iap.httpsResourceAccessor"
  members = [
    "user:jane@example.com",
  ]
}