add cf origin certs, swap LB to HTTPS

2025-06-16 09:39:09 +00:00 · 2020-12-11 00:16:58 -05:00 · 2020-12-11 00:16:58 -05:00 · 18583f145a
commit 18583f145a
parent 961989197c
6 changed files with 97 additions and 26 deletions
--- a/terraform/weblb.tf
+++ b/terraform/weblb.tf
@ -1,3 +1,11 @@
+// Maps all requests to the backend service
+resource "google_compute_url_map" "web_lb" {
+  name = "lb-um-web-${var.environment_tag}"
+
+  default_service = google_compute_backend_service.web_lb.id
+}
+
+// Regional load balancer
 resource "google_compute_backend_service" "web_lb" {
  name = "lb-rbes-web-${var.environment_tag}"

@ -9,30 +17,56 @@ resource "google_compute_backend_service" "web_lb" {
  }
 }

-resource "google_compute_url_map" "web_lb" {
-  name = "lb-um-web-${var.environment_tag}"
+// Origin TLS cert from Cloudflare
+resource "google_compute_ssl_certificate" "origin_tls" {
+  name_prefix = "cf-origin-web-${var.environment_tag}-"
+  private_key = tls_private_key.tls_pk.private_key_pem
+  certificate = cloudflare_origin_ca_certificate.web.certificate

-  default_service = google_compute_backend_service.web_lb.id
+  lifecycle {
+    create_before_destroy = true
+  }
 }

-resource "google_compute_target_http_proxy" "web_lb" {
-  name    = "lb-http-web-${var.environment_tag}"
-  url_map = google_compute_url_map.web_lb.id
+// HTTPS proxy
+resource "google_compute_target_https_proxy" "web_lb" {
+  name             = "lb-http-web-${var.environment_tag}"
+  url_map          = google_compute_url_map.web_lb.id
+  ssl_certificates = [google_compute_ssl_certificate.origin_tls.id]
 }

+// Static IPs, Anycast
 resource "google_compute_global_address" "web_lb-ipv4" {
  name       = "lb-ga-web-ipv4-${var.environment_tag}"
  ip_version = "IPV4"
 }

+resource "google_compute_global_address" "web_lb-ipv6" {
+  name       = "lb-ga-web-ipv6-${var.environment_tag}"
+  ip_version = "IPV6"
+}
+
+// Forwarding rules (if request on 443, send to proxy)
 resource "google_compute_global_forwarding_rule" "web_lb-ipv4" {
  provider = google-beta

  name       = "lb-fr-web-ipv4-${var.environment_tag}"
-  target     = google_compute_target_http_proxy.web_lb.self_link
-  port_range = "80"
-  ip_version = "IPV4"
+  target     = google_compute_target_https_proxy.web_lb.self_link
+  port_range = "443"
+  ip_address = google_compute_global_address.web_lb-ipv4.address
 }
+
+
+resource "google_compute_global_forwarding_rule" "web_lb-ipv6" {
+  provider = google-beta
+
+  name       = "lb-fr-web-ipv6-${var.environment_tag}"
+  target     = google_compute_target_https_proxy.web_lb.self_link
+  port_range = "443"
+  ip_address = google_compute_global_address.web_lb-ipv6.address
+}
+
+// Cloudflare DNS records
 resource "cloudflare_record" "web-ipv4" {
  zone_id = var.cloudflare_zone_id
  name    = "web-${var.environment_tag}"
@ -40,18 +74,6 @@ resource "cloudflare_record" "web-ipv4" {
  value   = google_compute_global_forwarding_rule.web_lb-ipv4.ip_address
  proxied = true
 }
-resource "google_compute_global_address" "web_lb-ipv6" {
-  name       = "lb-ga-web-ipv6-${var.environment_tag}"
-  ip_version = "IPV6"
-}
-resource "google_compute_global_forwarding_rule" "web_lb-ipv6" {
-  provider = google-beta
-
-  name       = "lb-fr-web-ipv6-${var.environment_tag}"
-  target     = google_compute_target_http_proxy.web_lb.self_link
-  port_range = "80"
-  ip_address = google_compute_global_address.web_lb-ipv6.address
-}

 resource "cloudflare_record" "web-ipv6" {
  zone_id = var.cloudflare_zone_id
@ -61,6 +83,7 @@ resource "cloudflare_record" "web-ipv6" {
  proxied = true
 }

+// Regional groups so the backend service knows what it can route to for a given region
 resource "google_compute_region_network_endpoint_group" "web_lb" {
  provider = google-beta
  for_each = toset(var.ui_regions)