roleypoly/v3
1
0
Fork 0
mirror of https://github.com/roleypoly/roleypoly.git synced 2025-04-25 11:59:11 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
v3/terraform/weblb.tf

125 lines
3.7 KiB
HCL
Raw Blame History

// Maps all requests to the backend service
resource "google_compute_url_map" "web_lb" {
name = "lb-um-web-${var.environment_tag}"
host_rule {
hosts = var.ui_hostnames
path_matcher = "path-matcher-1" // Matching google console due to bug with mutating url_maps
}
path_matcher {
name = "path-matcher-1"
default_service = google_compute_backend_service.web_lb.id
}
// Blackhole. No addresses will ever be this, and hosts without IPv6 will fail regardless.
// Not matching the host_rule should be seen as treason.
default_url_redirect {
host_redirect = "[100::]"
path_redirect = "/"
strip_query = true
}
}
// Regional load balancer
resource "google_compute_backend_service" "web_lb" {
name = "lb-rbes-web-${var.environment_tag}"
dynamic "backend" {
for_each = toset(var.ui_regions)
content {
group = google_compute_region_network_endpoint_group.web_lb[backend.value].id
}
}
}
// Origin TLS cert from Cloudflare
resource "google_compute_ssl_certificate" "origin_tls" {
name_prefix = "cf-origin-web-${var.environment_tag}-"
private_key = tls_private_key.tls_pk.private_key_pem
certificate = cloudflare_origin_ca_certificate.web.certificate
lifecycle {
create_before_destroy = true
}
}
// HTTPS proxy
resource "google_compute_target_https_proxy" "web_lb" {
name = "lb-http-web-${var.environment_tag}"
url_map = google_compute_url_map.web_lb.id
ssl_certificates = [google_compute_ssl_certificate.origin_tls.id]
}
// Static IPs, Anycast
resource "google_compute_global_address" "web_lb-ipv4" {
name = "lb-ga-web-ipv4-${var.environment_tag}"
ip_version = "IPV4"
}
resource "google_compute_global_address" "web_lb-ipv6" {
name = "lb-ga-web-ipv6-${var.environment_tag}"
ip_version = "IPV6"
}
// Forwarding rules (if request on 443, send to proxy)
resource "google_compute_global_forwarding_rule" "web_lb-ipv4" {
provider = google-beta
name = "lb-fr-web-ipv4-${var.environment_tag}"
target = google_compute_target_https_proxy.web_lb.self_link
port_range = "443"
ip_address = google_compute_global_address.web_lb-ipv4.address
}
resource "google_compute_global_forwarding_rule" "web_lb-ipv6" {
provider = google-beta
name = "lb-fr-web-ipv6-${var.environment_tag}"
target = google_compute_target_https_proxy.web_lb.self_link
port_range = "443"
ip_address = google_compute_global_address.web_lb-ipv6.address
}
// Cloudflare DNS records
locals {
// for web-example.roleypoly.com, grab the .roleypoly.com. This may break for .co.uk, etc, so don't use that. :)
uiDNSReplace = regex("\\.[a-z0-9-]+\\.[a-z]+$", var.ui_hostnames[0])
}
resource "cloudflare_record" "web-ipv4" {
for_each = toset(var.ui_hostnames)
zone_id = var.cloudflare_zone_id
name = replace(each.value, local.uiDNSReplace, "")
type = "A"
value = google_compute_global_forwarding_rule.web_lb-ipv4.ip_address
proxied = true
}
resource "cloudflare_record" "web-ipv6" {
for_each = toset(var.ui_hostnames)
zone_id = var.cloudflare_zone_id
name = replace(each.value, local.uiDNSReplace, "")
type = "AAAA"
value = google_compute_global_forwarding_rule.web_lb-ipv6.ip_address
proxied = true
}
// Regional groups so the backend service knows what it can route to for a given region
resource "google_compute_region_network_endpoint_group" "web_lb" {
provider = google-beta
for_each = toset(var.ui_regions)
lifecycle {
create_before_destroy = true
}
name = "lb-fr-neg-${each.key}-${var.environment_tag}"
region = google_cloud_run_service.web[each.key].location
network_endpoint_type = "SERVERLESS"
cloud_run {
service = google_cloud_run_service.web[each.key].name
}
}
Reference in a new issue View git blame Copy permalink