Example Terraform GCP Global HTTP LB with HTTP/2 backend instance group
# Global external HTTPS load balancer in front of the managed instance group.
# The frontend is HTTPS-only; the LB-to-backend hop is HTTP/2 over TLS on port 443.
module "http_lb" {
  source = "GoogleCloudPlatform/lb-http/google"
  # "~> 4.5" accepts any later 4.x release. Pin an exact version (and commit the
  # dependency lock file) if plans must be reproducible.
  version = "~> 4.5"

  project = var.project_id
  name    = "demo"

  # Port 80 forwarding is switched off; only the HTTPS frontend is exposed.
  ssl          = true
  http_forward = false

  # Demo-only frontend certificate: it is self-signed and generated by Terraform,
  # so clients will not trust it and its private key is held in Terraform state.
  # Use a managed or CA-issued certificate outside of a demo.
  certificate = tls_self_signed_cert.example.cert_pem
  private_key = tls_private_key.example.private_key_pem

  # Same network tag that the instance template puts on the backend VMs.
  target_tags = ["mig-group1"]

  backends = {
    default = {
      description = null

      # HTTP/2 (TLS) to the named port "http2" published by the instance group.
      # NOTE(review): the backends present a self-signed "snakeoil" certificate.
      # Per GCP documentation the load balancer encrypts this hop but does not
      # validate the backend certificate - confirm that fits the threat model.
      protocol    = "HTTP2"
      port_name   = "http2"
      port        = 443
      timeout_sec = 10

      enable_cdn             = false
      custom_request_headers = null

      # No Cloud Armor security policy is attached to this backend service.
      security_policy = null

      connection_draining_timeout_sec = null
      session_affinity                = null
      affinity_cookie_ttl_sec         = null

      # Probe "/" on the serving port; the remaining fields are left null.
      health_check = {
        request_path        = "/"
        port                = 443
        host                = null
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        logging             = null
      }

      # Request logging is on with a sample rate of 1.0 (every request).
      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Instance group exported by the "mig" module; add one entry per
          # additional instance group that should receive traffic.
          group                        = module.mig.instance_group
          description                  = null
          balancing_mode               = null
          capacity_scaler              = null
          max_utilization              = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
        },
      ]

      # Identity-Aware Proxy is disabled, so no IAP authentication is enforced
      # in front of this backend.
      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}
# Managed instance group (in var.region) that backs the load balancer.
# https://registry.terraform.io/modules/terraform-google-modules/vm/google/latest/submodules/mig
module "mig" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "6.2.0"

  project_id        = var.project_id
  region            = var.region
  hostname          = "demo"
  instance_template = module.instance_template.self_link
  target_size       = 2

  # The port name must match port_name on the load balancer backend ("http2").
  named_ports = [
    {
      name = "http2"
      port = 443
    }
  ]

  # Proactive rolling replacement whenever the instance template changes.
  # NOTE(review): max_unavailable_fixed (3) is larger than target_size (2), and
  # min_ready_sec is 0, so a rollout may take every instance out of service at
  # the same time - acceptable for a demo, confirm before reusing elsewhere.
  update_policy = [
    {
      type                         = "PROACTIVE"
      instance_redistribution_type = "PROACTIVE"
      minimal_action               = "REPLACE"
      replacement_method           = "SUBSTITUTE"
      min_ready_sec                = 0
      max_surge_fixed              = 4
      max_surge_percent            = null
      max_unavailable_fixed        = 3
      max_unavailable_percent      = null
    }
  ]
}
# Instance template for the backend VMs: a small Debian VM that configures its
# web server from a startup script.
# https://registry.terraform.io/modules/terraform-google-modules/vm/google/latest/submodules/instance_template
module "instance_template" {
  source  = "terraform-google-modules/vm/google//modules/instance_template"
  version = "6.2.0"

  project_id         = var.project_id
  subnetwork_project = var.project_id
  subnetwork         = var.subnetwork

  # Identity the VMs run as. Prefer a dedicated service account with only the
  # scopes/roles the workload needs rather than a broadly privileged default.
  service_account = var.service_account

  # NOTE(review): Debian 10 is past its upstream end of life; move to a
  # currently supported image family before reusing this template.
  source_image_project = "debian-cloud"
  source_image_family  = "debian-10"

  machine_type = "g1-small"
  disk_size_gb = 10

  # Runs at boot with root privileges; review the script like any other
  # privileged code path.
  startup_script = file("${path.module}/startup_apache.sh")

  # Same tag the load balancer module lists in target_tags.
  tags = ["mig-group1"]
}
# Terraform core constraint and provider configuration.
# NOTE(review): no required_providers block is declared here, so the google,
# google-beta and tls provider versions are unconstrained in this file. Pin
# them and commit the dependency lock file so provider upgrades are deliberate.
terraform {
  required_version = ">= 0.12.6"
}

# Both providers only set the region; credentials and the default project are
# taken from the environment.
provider "google" {
  region = var.region
}

provider "google-beta" {
  region = var.region
}
# 2048-bit RSA key for the demo frontend certificate.
# The generated private key is written unencrypted into the Terraform state, so
# anyone who can read the state (or its backend bucket) can read the key. Keep
# this pattern to throwaway demos, or protect the state accordingly.
resource "tls_private_key" "example" {
  algorithm = "RSA"
  rsa_bits  = 2048
}
# Self-signed server certificate for the load balancer frontend.
# It chains to no trusted CA, so clients will show a trust error; it is a
# placeholder for a managed or CA-issued certificate.
resource "tls_self_signed_cert" "example" {
  # NOTE(review): newer releases of the hashicorp/tls provider no longer accept
  # key_algorithm as an input - confirm against the provider version in use.
  key_algorithm   = tls_private_key.example.algorithm
  private_key_pem = tls_private_key.example.private_key_pem

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }

  dns_names = ["example.com", "example.net"]

  # Key usages appropriate for a TLS server certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]

  # Valid for 168 hours (7 days).
  validity_period_hours = 168

  # Terraform issues a replacement if it runs within 24 hours of expiry.
  # Nothing renews the certificate unless Terraform is actually run.
  early_renewal_hours = 24
}
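#!/bin/bash
# Instance startup script (nginx variant): installs nginx and serves the default
# site over HTTP/2 with TLS on port 443, using the self-signed "snakeoil"
# certificate created by the ssl-cert package.
#
# set -x traces every command into the startup-script log; nothing secret is
# handled here, but keep that in mind before adding credentials to this script.
set -x
export DEBIAN_FRONTEND=noninteractive

apt-get -yq update
apt-get -yq upgrade
apt-get install -y nginx ssl-cert

# ssl-cert package generates self signed certs
#   /etc/ssl/certs/ssl-cert-snakeoil.pem
#   /etc/ssl/private/ssl-cert-snakeoil.key
# To regenerate them:
#   make-ssl-cert generate-default-snakeoil --force-overwrite
# The certificate is self-signed: it provides encryption on the LB-to-backend
# hop, not backend authentication.

# The delimiter is quoted so the shell writes the config verbatim (no variable
# or command expansion). ssl_protocols is set explicitly so this variant refuses
# SSLv3, TLS 1.0 and TLS 1.1, matching the SSLProtocol line of the Apache
# variant instead of inheriting the distribution default.
cat > /etc/nginx/sites-available/default <<'HTTP2_CONF'
server {
    server_name _;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
    listen 443 ssl http2;
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
HTTP2_CONF

# Restart only if the generated configuration passes nginx's own syntax check.
nginx -t && service nginx restart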
#!/bin/bash
# Instance startup script (Apache variant): installs Apache, enables TLS and
# HTTP/2, and serves /var/www/html on port 443 only, using the self-signed
# "snakeoil" certificate created by the ssl-cert package.
set -x
export DEBIAN_FRONTEND=noninteractive

apt-get -yq update
apt-get -yq upgrade
apt-get install -y apache2 ssl-cert

# ssl-cert package generates self signed certs
#   /etc/ssl/certs/ssl-cert-snakeoil.pem
#   /etc/ssl/private/ssl-cert-snakeoil.key
# To regenerate them:
#   make-ssl-cert generate-default-snakeoil --force-overwrite
# The certificate is self-signed: it provides encryption on the LB-to-backend
# hop, not backend authentication.

a2enmod ssl http2

# Virtual host: TLS 1.2 and newer only (SSLv3, TLS 1.0 and TLS 1.1 are
# disabled), and HTTP/2 ("h2") is the only protocol offered.
# The delimiter is quoted so the config is written verbatim.
cat > /etc/apache2/sites-available/http2.conf <<'HTTP2_CONF'
<VirtualHost *:443>
#ServerName example.com
#ServerAlias www.example.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Protocols h2
</VirtualHost>
HTTP2_CONF

# Listen on 443 only; overwriting ports.conf drops the default port 80 listener.
printf 'Listen 443\n' > /etc/apache2/ports.conf

a2dissite 000-default
a2ensite http2

# Restart only if the generated configuration passes Apache's syntax check.
apachectl configtest && service apache2 restart
# Input variables for the example.

# Region used by both providers and by the managed instance group.
variable "region" {
  default = "australia-southeast1"
}

# Target GCP project. The default is an empty string, so set this explicitly;
# a wrong value here deploys an internet-facing load balancer into that project.
variable "project_id" {
  default = ""
}

# Subnetwork (looked up in var.project_id) that the backend VMs attach to.
variable "subnetwork" {
  default = "default"
}

# Service account for the backend VMs, passed through to the instance template.
# NOTE(review): with email = null the instances presumably fall back to the
# project's default Compute Engine service account, here with no scopes -
# verify, and prefer a dedicated least-privilege account.
variable "service_account" {
  default = {
    email  = null
    scopes = []
  }
}