GoogleComputeRegionBackendService class final

Factory wrapper for google_compute_region_backend_service (provider hashicorp/google ~> 7.0).

A regional backend service is the load-balancing target for Internal Application LBs, Internal Proxy NLBs, Regional External Application LBs, Regional External Proxy NLBs, and Internal / External Passthrough Network LBs. It groups a set of backends (instance groups or network endpoint groups) inside a single GCP region and routes traffic to them according to the configured protocol, loadBalancingScheme, localityLbPolicy, and sessionAffinity.

For globally-scoped load balancing use google_compute_backend_service (curated separately). The regional resource accepts INTERNAL and INTERNAL_MANAGED schemes that the global resource will reject at apply time, and it also surfaces a handful of regional-only blocks: ComputeRegionBackendServiceRegionBackendServiceFailoverPolicy (Internal Passthrough NLB failover), ComputeRegionBackendServiceRegionBackendServiceHaPolicy (self-managed HA for Passthrough NLBs), and ComputeRegionBackendServiceRegionBackendServiceNetworkPassThroughLbTrafficPolicy (zonal affinity for Internal Passthrough NLBs). It does not support the global-only blocks locality_lb_policies, security_settings, or max_stream_duration, nor the global-only compression_mode, custom_request_headers, custom_response_headers, edge_security_policy, or service_lb_policy attributes.

Required identity:

• localName: Terraform local name (the address segment after google_compute_region_backend_service.).
• name: GCP resource name (1-63 chars, lowercase RFC1035).
• region: GCP region. The Terraform schema lists this as optional+computed (the provider falls back to the provider-level region), but it is wrapped as required here to keep cross-region composition explicit.

Cross-resource references (typical wiring):

• healthChecks: list of self-links to google_compute_health_check or google_compute_region_health_check resources. Required unless every backend is an internet/serverless NEG, or the resource uses ComputeRegionBackendServiceRegionBackendServiceHaPolicy (HA-managed services cannot coexist with health checks).
• securityPolicy: self-link to a regional Cloud Armor google_compute_region_security_policy. Regional Cloud Armor support is restricted to certain load_balancing_scheme values (notably the regional managed schemes); the API rejects incompatible combinations at apply time.
• ComputeRegionBackendServiceRegionBackendServiceBackend.group: self-link of an instance group, regional MIG, or region_network_endpoint_group. All backends in one service must share a kind (no mixing instance groups with NEGs).
• network: self-link of a google_compute_network. Required for Internal Passthrough NLBs when ComputeRegionBackendServiceRegionBackendServiceHaPolicy is set, and for External Passthrough NLBs when haPolicy.fastIpMove is enabled. Only settable when loadBalancingScheme is INTERNAL, or EXTERNAL with haPolicy.fastIpMove.

Example (internal application LB backend, IAP-protected):

final api = GoogleComputeRegionBackendService(
  localName: 'api',
  name: TfArg.literal('api-rbs'),
  region: TfArg.literal('asia-northeast1'),
  protocol: TfArg.literal(RegionBackendServiceProtocol.https),
  loadBalancingScheme:
      TfArg.literal(RegionBackendServiceLoadBalancingScheme.internalManaged),
  portName: TfArg.literal('https'),
  timeoutSec: TfArg.literal(30),
  healthChecks: TfArg.literal([
    // From Batch 2: either `google_compute_health_check` or
    // `google_compute_region_health_check` is acceptable.
    'projects/p/regions/asia-northeast1/healthChecks/api-hc',
  ]),
  securityPolicy: TfArg.literal(
    // var.security_policy_id — see Batch 4 regional Cloud Armor.
    'projects/p/regions/asia-northeast1/securityPolicies/edge-deny-all',
  ),
  backends: [
    ComputeRegionBackendServiceRegionBackendServiceBackend(
      group: TfArg.literal(
        // var.backend_group_id — typically a Batch 4 regional NEG
        // or a Batch 3 regional MIG self-link.
        'projects/p/regions/asia-northeast1/networkEndpointGroups/api-rneg',
      ),
      balancingMode: RegionBackendServiceBalancingMode.rate,
      maxRatePerEndpoint: 100,
      capacityScaler: 1.0,
    ),
  ],
  iap: const ComputeRegionBackendServiceRegionBackendServiceIap(
    enabled: true,
    oauth2ClientId: 'xxx.apps.googleusercontent.com',
    oauth2ClientSecret: 'super-secret', // sensitive — masked at synth.
  ),
  logConfig: const ComputeRegionBackendServiceRegionBackendServiceLogConfig(
    enable: true,
    sampleRate: 1.0,
  ),
);

Sensitive fields (round-trip through the generated sensitiveFields set): iap.oauth2_client_secret and the computed iap.oauth2_client_secret_sha256 (provider-side detail). The global security_settings.aws_v4_authentication.access_key is not present on the regional resource — security_settings has no regional analog.

Constructors

GoogleComputeRegionBackendService({required String localName, required TfArg<String> name, TfArg<String>? region, TfArg<String>? description, TfArg<RegionBackendServiceProtocol>? protocol, TfArg<String>? portName, TfArg<RegionBackendServiceLoadBalancingScheme>? loadBalancingScheme, TfArg<RegionBackendServiceLocalityLbPolicy>? localityLbPolicy, TfArg<RegionBackendServiceSessionAffinity>? sessionAffinity, TfArg<num>? affinityCookieTtlSec, TfArg<num>? timeoutSec, TfArg<num>? connectionDrainingTimeoutSec, TfArg<bool>? enableCdn, TfArg<RegionBackendServiceIpAddressSelectionPolicy>? ipAddressSelectionPolicy, TfArg<String>? network, TfArg<List<String>>? healthChecks, TfArg<String>? securityPolicy, List<ComputeRegionBackendServiceRegionBackendServiceBackend>? backends, ComputeRegionBackendServiceRegionBackendServiceCdnPolicy? cdnPolicy, ComputeRegionBackendServiceRegionBackendServiceIap? iap, ComputeRegionBackendServiceRegionBackendServiceCircuitBreakers? circuitBreakers, ComputeRegionBackendServiceRegionBackendServiceConsistentHash? consistentHash, ComputeRegionBackendServiceRegionBackendServiceOutlierDetection? outlierDetection, ComputeRegionBackendServiceRegionBackendServiceLogConfig? logConfig, List<ComputeRegionBackendServiceRegionBackendServiceCustomMetric>? customMetrics, ComputeRegionBackendServiceRegionBackendServiceStrongSessionAffinityCookie? strongSessionAffinityCookie, ComputeRegionBackendServiceRegionBackendServiceFailoverPolicy? failoverPolicy, ComputeRegionBackendServiceRegionBackendServiceHaPolicy? haPolicy, ComputeRegionBackendServiceRegionBackendServiceNetworkPassThroughLbTrafficPolicy? networkPassThroughLbTrafficPolicy, ComputeRegionBackendServiceRegionBackendServiceTlsSettings? tlsSettings, ComputeRegionBackendServiceRegionBackendServiceParams? params, TfArg<String>? project, LifecycleOptions? lifecycle, List<DependencyTarget>? dependsOn})

Properties

argMap → Map<String, TfArg?>

Argument-name → TfArg map. Keys are snake_case (Terraform JSON name). Synth emits these keys directly; the factory is responsible for the camelCase → snake_case translation at construction time.

final, inherited

creationTimestamp → TfRef<String>

Reference to creation_timestamp (RFC3339).

no setter

dependsOn → List<DependencyTarget>?

Optional depends_on = [...]. Each entry is a DependencyTarget — either a wholesale resource (rendered as bare address) or an explicit TfRef (rendered via bareAddress).

final, inherited

fingerprint → TfRef<String>

Reference to fingerprint — used by the API for optimistic locking.

no setter

generatedId → TfRef<int>

Reference to the server-assigned numeric generated_id.

no setter

hashCode → int

The hash code for this object.

no setter, inherited

id → TfRef<String>

Reference to id attribute (projects/{project}/regions/{region}/backendServices/{name}).

no setter

kind → ResourceKind

Always ResourceKind.resource. Overridden by Data.

no setter, inherited

lifecycle → LifecycleOptions?

Optional lifecycle { ... } block.

final, inherited

localName → String

User-supplied local name within a Stack.

final, inherited

nameRef → TfRef<String>

Reference to name attribute.

no setter

provider → ProviderBinding?

Optional explicit provider binding. Only the type is referenced here; the concrete Provider class lives in terradart_google (provider classes are defined per-provider, outside the core runtime).

final, inherited

runtimeType → Type

A representation of the runtime type of the object.

no setter, inherited

selfLink → TfRef<String>

Reference to self_link attribute (HTTPS API path). The canonical reference downstream google_compute_region_url_map / google_compute_region_target_*_proxy resources expect.

no setter

sensitiveFields → Set<String>

Field names that are @Sensitive per the IR-derived per-resource constant. Curated factories override with a baked-in static const Set<String> (file-private in v0.5+).

no setter

supportsDeletionProtection → bool

Capability flag: true when this resource's underlying Terraform schema has a deletion_protection boolean attribute that the synth-time devMode flow can flip to false. Defaults to false; the codegen emitter overrides this to true for wrappers whose schema includes the attribute.

no setter, inherited

terraformType → String

Terraform resource type, e.g. google_pubsub_topic.

final, inherited

tfAddress → String

no setter, inherited

Methods

noSuchMethod(Invocation invocation) → dynamic

Invoked when a nonexistent method or property is accessed.

inherited

toString() → String

A string representation of this object.

inherited

Operators

operator ==(Object other) → bool

The equality operator.

inherited

Constants

tfType → const String