From 43233a20cccd7d0714b79d4f4c925452c0c87480 Mon Sep 17 00:00:00 2001
From: Pavel Raunou
Date: Fri, 13 Sep 2024 11:47:30 +0200
Subject: [PATCH 1/5] Adding IPv6 support to lb_internal module
---
 modules/lb_internal/README.md | 3 ++-
 modules/lb_internal/main.tf | 18 ++++++++++++++----
 modules/lb_internal/variables.tf | 13 ++++++++++++-
 3 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/modules/lb_internal/README.md b/modules/lb_internal/README.md
index 1780d00..a26f592 100644
--- a/modules/lb_internal/README.md
+++ b/modules/lb_internal/README.md
@@ -43,8 +43,9 @@ No modules.
 | [failover\_ratio](#input\_failover\_ratio) | (Optional) The value of the field must be in [0, 1]. If the ratio of the healthy VMs in the primary backend is at or below this number, traffic arriving at the load-balanced IP will be directed to the failover\_backends. In case where 'failoverRatio' is not set or all the VMs in the backup backend are unhealthy, the traffic will be directed back to the primary backend in the `force` mode, where traffic will be spread to the healthy VMs with the best effort, or to all VMs when no VM is healthy. This field is only used with l4 load balancing. | `number` | `null` | no |
 | [health\_check](#input\_health\_check) | (Optional) Name of either the global google\_compute\_health\_check or google\_compute\_region\_health\_check to use. Conflicts with health\_check\_port. | `string` | `null` | no |
 | [health\_check\_port](#input\_health\_check\_port) | (Optional) Port number for TCP healthchecking, default 22. This setting is ignored when `health_check` is provided. | `number` | `22` | no |
-| [ip\_address](#input\_ip\_address) | n/a | `any` | `null` | no |
+| [ip\_address](#input\_ip\_address) | (Optional) An existing private IP address on which LB listens. IP version must correspond `ip_version`.
In case of IPv6 address specify address with a netmask, for example: fd20:6db:d1b6:1000:0:1::/96.
If empty, a new ephemeral IP address is created on the PREMIUM tier. | `any` | `null` | no |
 | [ip\_protocol](#input\_ip\_protocol) | The IP protocol for the frontend forwarding rule, valid values are TCP and UDP. | `string` | `"TCP"` | no |
+| [ip\_version](#input\_ip\_version) | (Optional) The IP version that will be used by this Load Balancer. Possible values are: IPV4 (default), IPV6. | `string` | `null` | no |
 | [name](#input\_name) | Name of the load balancer (that is, both the forwarding rule and the backend service) | `string` | n/a | yes |
 | [network](#input\_network) | n/a | `any` | `null` | no |
 | [ports](#input\_ports) | Which port numbers are forwarded to the backends (up to 5 ports). Conflicts with all\_ports. | `list(number)` | `[]` | no |
diff --git a/modules/lb_internal/main.tf b/modules/lb_internal/main.tf
index ce6f0c1..a04e155 100755
--- a/modules/lb_internal/main.tf
+++ b/modules/lb_internal/main.tf
@@ -23,16 +23,18 @@ resource "google_compute_region_backend_service" "this" {
 dynamic "backend" {
 for_each = var.backends
 content {
- group = backend.value
- failover = false
+ group = backend.value
+ failover = false
+ balancing_mode = "CONNECTION"
 }
 }
 dynamic "backend" {
 for_each = var.failover_backends
 content {
- group = backend.value
- failover = true
+ group = backend.value
+ failover = true
+ balancing_mode = "CONNECTION"
 }
 }
@@ -55,6 +57,13 @@ resource "google_compute_region_backend_service" "this" {
 failover_ratio = var.failover_ratio
 }
 }
+
+ # For provider >=v6 `iap { enabled = false }` block is required for convergence.
+ # For provider <=v5 `iap { enabled = false }` is not complete (has missing arguments).
+ # To overcome issues we are ignore `iap { }` block.
+ lifecycle {
+ ignore_changes = [iap]
+ }
 }
 resource "google_compute_forwarding_rule" "this" {
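Review bot: The `lifecycle { ignore_changes = [iap] }` block added to `google_compute_region_backend_service.this` (hunk `@@ -55,6 +57,13 @@`) suppresses every future diff on `iap`, so an out-of-band change to that block will no longer show up in `terraform plan`. For an internal passthrough backend service this is presumably harmless, since IAP is not something this load balancer type is expected to use, but the comment above it explains only the provider v5/v6 convergence problem and not why hiding drift is acceptable here. I would reword the last comment line to something like `# iap is ignored only to converge across provider v5 and v6; this passthrough LB does not use IAP, so drift on it is intentionally not managed.`, which also fixes the "we are ignore" wording. The resource body starts outside this hunk, so whether anything else in it sets `iap` cannot be confirmed from here.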
@@ -63,6 +72,7 @@ resource "google_compute_forwarding_rule" "this" {
 region = var.region
 load_balancing_scheme = "INTERNAL"
+ ip_version = var.ip_version
 ip_address = var.ip_address
 ip_protocol = var.ip_protocol
 all_ports = var.all_ports
diff --git a/modules/lb_internal/variables.tf b/modules/lb_internal/variables.tf
index 82175f6..65420e7 100644
--- a/modules/lb_internal/variables.tf
+++ b/modules/lb_internal/variables.tf
@@ -42,8 +42,19 @@ variable "subnetwork" {
 type = string
 }
+variable "ip_version" {
+ description = "(Optional) The IP version that will be used by this Load Balancer. Possible values are: IPV4 (default), IPV6."
+ type = string
+ default = null
+}
+
 variable "ip_address" {
- default = null
+ description = <<-EOF
+ (Optional) An existing private IP address on which LB listens. IP version must correspond `ip_version`.
+ In case of IPv6 address specify address with a netmask, for example: fd20:6db:d1b6:1000:0:1::/96.
+ If empty, a new ephemeral IP address is created on the PREMIUM tier.
+ EOF
+ default = null
 }
 variable "ip_protocol" {
From d22a87cfcf65d39e1074e8af4101867e0e0e42ed Mon Sep 17 00:00:00 2001
From: Pavel Raunou
Date: Wed, 18 Sep 2024 14:31:59 +0200
Subject: [PATCH 2/5] Reverting
From 902a895deb9dc99ba39d1758634429a734bb821c Mon Sep 17 00:00:00 2001
From: Pavel Raunou
Date: Wed, 18 Sep 2024 16:10:00 +0200
Subject: [PATCH 3/5] Adding var type
---
 modules/lb_internal/README.md | 2 +-
 modules/lb_internal/variables.tf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules/lb_internal/README.md b/modules/lb_internal/README.md
index a26f592..b780033 100644
--- a/modules/lb_internal/README.md
+++ b/modules/lb_internal/README.md
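Review bot: `variable "ip_version"` in the `variables.tf` hunk of patch 1/5 accepts any string and is passed unchanged to `google_compute_forwarding_rule.this` (the `ip_version = var.ip_version` line in the `main.tf` hunk above it), so the module itself gives no error for an unexpected value and relies on the provider to reject it. A `validation` block on the variable would fail early with a module-level message, with a condition such as `contains(["IPV4", "IPV6"], coalesce(var.ip_version, "IPV4"))` so that `null` keeps meaning the provider default. The `ip_address` description states that the address family must correspond to `ip_version`, but nothing in these hunks enforces that; if the module's minimum Terraform version allows it, a `precondition` on the forwarding rule could catch a mismatched address before the rule is created.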
@@ -43,7 +43,7 @@ No modules.
 | [failover\_ratio](#input\_failover\_ratio) | (Optional) The value of the field must be in [0, 1]. If the ratio of the healthy VMs in the primary backend is at or below this number, traffic arriving at the load-balanced IP will be directed to the failover\_backends. In case where 'failoverRatio' is not set or all the VMs in the backup backend are unhealthy, the traffic will be directed back to the primary backend in the `force` mode, where traffic will be spread to the healthy VMs with the best effort, or to all VMs when no VM is healthy. This field is only used with l4 load balancing. | `number` | `null` | no |
 | [health\_check](#input\_health\_check) | (Optional) Name of either the global google\_compute\_health\_check or google\_compute\_region\_health\_check to use. Conflicts with health\_check\_port. | `string` | `null` | no |
 | [health\_check\_port](#input\_health\_check\_port) | (Optional) Port number for TCP healthchecking, default 22. This setting is ignored when `health_check` is provided. | `number` | `22` | no |
-| [ip\_address](#input\_ip\_address) | (Optional) An existing private IP address on which LB listens. IP version must correspond `ip_version`.
In case of IPv6 address specify address with a netmask, for example: fd20:6db:d1b6:1000:0:1::/96.
If empty, a new ephemeral IP address is created on the PREMIUM tier. | `any` | `null` | no |
+| [ip\_address](#input\_ip\_address) | (Optional) An existing private IP address on which LB listens. IP version must correspond `ip_version`.
In case of IPv6 address specify address with a netmask, for example: fd20:6db:d1b6:1000:0:1::/96.
If empty, a new ephemeral IP address is created on the PREMIUM tier. | `string` | `null` | no |
 | [ip\_protocol](#input\_ip\_protocol) | The IP protocol for the frontend forwarding rule, valid values are TCP and UDP. | `string` | `"TCP"` | no |
 | [ip\_version](#input\_ip\_version) | (Optional) The IP version that will be used by this Load Balancer. Possible values are: IPV4 (default), IPV6. | `string` | `null` | no |
 | [name](#input\_name) | Name of the load balancer (that is, both the forwarding rule and the backend service) | `string` | n/a | yes |
diff --git a/modules/lb_internal/variables.tf b/modules/lb_internal/variables.tf
index 65420e7..f966a50 100644
--- a/modules/lb_internal/variables.tf
+++ b/modules/lb_internal/variables.tf
@@ -54,6 +54,7 @@ variable "ip_address" {
 In case of IPv6 address specify address with a netmask, for example: fd20:6db:d1b6:1000:0:1::/96.
 If empty, a new ephemeral IP address is created on the PREMIUM tier.
 EOF
+ type = string
 default = null
 }
From 21475ec2df439260f5a9d9985cf0f2f435159b30 Mon Sep 17 00:00:00 2001
From: Pavel Raunou
Date: Wed, 18 Sep 2024 16:17:55 +0200
Subject: [PATCH 4/5] Improving README
---
 modules/lb_internal/README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/modules/lb_internal/README.md b/modules/lb_internal/README.md
index b780033..81e7ed2 100644
--- a/modules/lb_internal/README.md
+++ b/modules/lb_internal/README.md
@@ -1,5 +1,13 @@
 # Internally-Facing Regional TCP/UDP Load Balancer on GCP
+This module creates an Internal Regional Passthrough Network Load Balancer that can be used to distribute outgoing traffic across VM-Series firewalls.
+
+## Limitations
+
+### Supported Module Version with Regards to the Changed Provider's Default Values
+
+- Module versions `<=2.0.6` supports `terraform-provider-google` version `<6.0`. If you are using `terraform-provider-google` version `6.0` and above choose module version `2.0.7` and above. This limitation is related to the [change](https://github.com/hashicorp/terraform-provider-google/commit/267f964bd4f2d9b48e8771c2a8397de3f6655ef7) in the default value of `balancing_mode` introduced in the `terraform-provider-google` version `6.0`
+
 ## Reference
 ### Requirements
From c8793fb85207a442a47850bf73c97ec2458cc481 Mon Sep 17 00:00:00 2001
From: Pavel Raunou
Date: Wed, 18 Sep 2024 16:19:47 +0200
Subject: [PATCH 5/5] Improving README
---
 modules/lb_internal/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/lb_internal/README.md b/modules/lb_internal/README.md
index 81e7ed2..5b2ddac 100644
--- a/modules/lb_internal/README.md
+++ b/modules/lb_internal/README.md
@@ -6,7 +6,7 @@ This module creates an Internal Regional Passthrough Network Load Balancer that
 ### Supported Module Version with Regards to the Changed Provider's Default Values
-- Module versions `<=2.0.6` supports `terraform-provider-google` version `<6.0`. If you are using `terraform-provider-google` version `6.0` and above choose module version `2.0.7` and above. This limitation is related to the [change](https://github.com/hashicorp/terraform-provider-google/commit/267f964bd4f2d9b48e8771c2a8397de3f6655ef7) in the default value of `balancing_mode` introduced in the `terraform-provider-google` version `6.0`
+- Module versions `<=2.0.6` support `terraform-provider-google` versions `<6.0`. If you are using `terraform-provider-google` version `6.0` and above choose module version `2.0.7` and above. This limitation is related to the [change](https://github.com/hashicorp/terraform-provider-google/commit/267f964bd4f2d9b48e8771c2a8397de3f6655ef7) in the default value of `balancing_mode` introduced in the `terraform-provider-google` version `6.0`
 ## Reference