Use Fabric modules when possible
wiktorn committed Feb 15, 2024
1 parent d158aec commit 63c8e0d
Showing 7 changed files with 246 additions and 316 deletions.
30 changes: 16 additions & 14 deletions blueprints/networking/psc-glb-and-armor/README.md
Expand Up @@ -74,7 +74,7 @@ Before we deploy the architecture, you will need the following information:

4. Copy the following command into a console and replace __[consumer-project-id]__ and __[producer-a-project-id]__ and __[producer-b-project-id]__ with your project’s IDs. Then run the following command to run the terraform script and create all relevant resources for this architecture:

terraform apply -var consumer_project_id=[consumer-project-id] -var producer_a_project_id=[producer-a-project-id] -var producer_b_project_id=[producer-b-project-id]
terraform apply -var consumer_project_id=[consumer-project-id] -var producer_a_project_id=[producer-a-project-id] -var producer_b_project_id=[producer-b-project-id] -var region=[gcp-region]

The resource creation will take a few minutes… but when it’s complete, you should see an output stating the command completed successfully with a list of the created resources.

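Review bot: the new `-var region=[gcp-region]` placeholder is not covered by the instruction above it, which still tells the reader to replace only the three project-ID placeholders; since `region` no longer has a default (the variables table later in this file drops it), extend the sentence to something like "replace __[consumer-project-id]__, __[producer-a-project-id]__, __[producer-b-project-id]__ and __[gcp-region]__" so a reader who follows the text literally does not hit a prompt or an error for the missing variable.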
Expand All @@ -85,13 +85,13 @@ __Congratulations__! You have successfully deployed an HTTP Load Balancer with C
You can simply invoke the service by calling

Check the default path (producer A):
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$LB_IP/anything
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$(terraform output -raw lb_ip)/uuid

Specifically call the producer A path:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$LB_IP/anything/a/*
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$(terraform output -raw lb_ip)/a/uuid

Specifically call the producer B path:
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$LB_IP/anything/b/*
curl -H "Authorization: Bearer $(gcloud auth print-identity-token)" -H "Content-Type: application/json" http://$(terraform output -raw lb_ip)/b/uuid

## Cleaning up your environment

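Review bot: all three curl examples send `Authorization: Bearer $(gcloud auth print-identity-token)` to `http://$(terraform output -raw lb_ip)/...`, so the caller's identity token crosses the public internet in cleartext to the load balancer's external IP. Either state in the README that the plain-HTTP frontend is for demonstration only and the token should not be a production credential, or put an HTTPS frontend on the load balancer before instructing users to attach credentials. Minor: `-H "Content-Type: application/json"` is redundant on a bodyless GET and can be dropped from all three commands.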
Expand All @@ -106,12 +106,11 @@ The above command will delete the associated resources so there will be no billa
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [consumer_project_id](variables.tf#L17) | The consumer project, in which the GCLB and Cloud Armor should be created. | <code>string</code> || |
| [prefix](variables.tf#L22) | Prefix used for resource names. | <code>string</code> || |
| [producer_a_project_id](variables.tf#L31) | The producer A project, in which the LB, PSC Service Attachment and Cloud Run service should be created. | <code>string</code> || |
| [producer_b_project_id](variables.tf#L36) | The producer B project, in which the LB, PSC Service Attachment and Cloud Run service should be created. | <code>string</code> || |
| [project_create](variables.tf#L41) | Create project instead of using an existing one. | <code>bool</code> | | <code>false</code> |
| [region](variables.tf#L47) | The GCP region in which the resources should be deployed. | <code>string</code> | | <code>&#34;europe-west1&#34;</code> |
| [zone](variables.tf#L53) | The GCP zone for the VM. | <code>string</code> | | <code>&#34;europe-west1-b&#34;</code> |
| [producer_a_project_id](variables.tf#L28) | The producer A project, in which the LB, PSC Service Attachment and Cloud Run service should be created. | <code>string</code> || |
| [producer_b_project_id](variables.tf#L33) | The producer B project, in which the LB, PSC Service Attachment and Cloud Run service should be created. | <code>string</code> || |
| [region](variables.tf#L47) | The GCP region in which the resources should be deployed. | <code>string</code> || |
| [prefix](variables.tf#L22) | Prefix used for resource names. | <code>string</code> | | <code>&#34;&#34;</code> |
| [project_create_config](variables.tf#L38) | Create project instead of using an existing one. | <code title="object&#40;&#123;&#10; billing_account &#61; string&#10; parent &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |

## Outputs

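Review bot: `prefix` changes from a required string to a default of `""`, and consumer.tf in this commit passes it straight through as `prefix = var.prefix` to the project module and to both producer modules. Confirm those modules accept an empty string as "no prefix" rather than expecting `null`; if they expect `null`, the default here should be `null` instead, otherwise the new default produces a broken name like `-project-1`. The `zone` variable also disappears from the table; make sure nothing in the blueprint still references `var.zone`.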
Expand All @@ -123,12 +122,15 @@ The above command will delete the associated resources so there will be no billa

```hcl
module "psc-glb-and-armor-test" {
source = "./fabric/blueprints/networking/psc-glb-and-armor"
prefix = "test"
project_create = true
source = "./fabric/blueprints/networking/psc-glb-and-armor"
prefix = "test"
project_create_config = {
billing_account = var.billing_account_id
}
consumer_project_id = "project-1"
producer_a_project_id = "project-2"
producer_b_project_id = "project-3"
region = "europe-west2"
}
# tftest modules=6 resources=57
# tftest modules=14 resources=57
```
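Review bot: `# tftest modules=14 resources=57` keeps the resource count at exactly 57 while the module count goes from 6 to 14. consumer.tf in this same commit replaces two hand-written NEGs, a forwarding rule, a target proxy, a URL map and two backend services with the `net-lb-app-ext` module and adds a `net-vpc` module with a subnet, so an unchanged count is at least suspicious; please confirm the number comes from a fresh tftest run rather than being carried over from the previous version of the example.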
200 changes: 105 additions & 95 deletions blueprints/networking/psc-glb-and-armor/consumer.tf
@@ -1,5 +1,5 @@
/**
* Copyright 2023 Google LLC
* Copyright 2024 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand All @@ -14,125 +14,135 @@
* limitations under the License.
*/

module "consumer_project" {
module "consumer-project" {
source = "../../../modules/project"
name = var.consumer_project_id
project_create = var.project_create
project_create = var.project_create_config != null

billing_account = try(var.project_create_config.billing_account)
parent = try(var.project_create_config.parent)
prefix = var.prefix
services = [
"iam.googleapis.com",
"compute.googleapis.com",
]
}

module "producer_a_project" {
source = "./modules/producer"
producer_project_id = var.producer_a_project_id
project_create = var.project_create
}

module "producer_b_project" {
source = "./modules/producer"
producer_project_id = var.producer_b_project_id
project_create = var.project_create
}

resource "google_compute_region_network_endpoint_group" "psc_neg_a" {
name = "psc-neg-a"
region = var.region
project = module.consumer_project.project_id
network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
psc_target_service = module.producer_a_project.psc_ilb_service_attachment.self_link

network = "default"
subnetwork = "default"
}

resource "google_compute_region_network_endpoint_group" "psc_neg_b" {
name = "psc-neg-b"
region = var.region
project = module.consumer_project.project_id
network_endpoint_type = "PRIVATE_SERVICE_CONNECT"
psc_target_service = module.producer_b_project.psc_ilb_service_attachment.self_link

network = "default"
subnetwork = "default"
module "producer-a" {
source = "./modules/producer"
consumer_project_id = module.consumer-project.project_id
prefix = var.prefix
producer_project_id = var.producer_a_project_id
project_create_config = var.project_create_config
}

resource "google_compute_global_forwarding_rule" "default" {
project = module.consumer_project.project_id
name = "global-rule"
load_balancing_scheme = "EXTERNAL_MANAGED"
target = google_compute_target_http_proxy.default.id
port_range = "80"
module "producer-b" {
source = "./modules/producer"
consumer_project_id = module.consumer-project.project_id
prefix = var.prefix
producer_project_id = var.producer_b_project_id
project_create_config = var.project_create_config
}

resource "google_compute_target_http_proxy" "default" {
project = module.consumer_project.project_id
name = "target-proxy"
description = "a description"
url_map = google_compute_url_map.default.id
module "consumer-vpc" {
source = "../../../modules/net-vpc"

name = "consumer"
project_id = module.consumer-project.project_id
subnets = [
{
ip_cidr_range = "10.0.0.0/24"
name = "consumer"
region = var.region
},
]
}

resource "google_compute_url_map" "default" {
project = module.consumer_project.project_id
name = "url-map-target-proxy"
description = "A simple URL Map, routing all traffic to the PSC NEG"
default_service = google_compute_backend_service.backend-a.id

host_rule {
hosts = ["*"]
path_matcher = "allpaths"
module "glb" {
source = "./../../../modules/net-lb-app-ext"
name = "glb"
project_id = module.consumer-project.project_id
use_classic_version = false
backend_service_configs = {
default = {
backends = [
{ backend = "neg-a" }
]
health_checks = []
protocol = "HTTPS"
security_policy = google_compute_security_policy.cloud-armor-policy.name
}
other = {
backends = [
{ backend = "neg-b" }
]
health_checks = []
protocol = "HTTPS"
security_policy = google_compute_security_policy.cloud-armor-policy.name
}
}

path_matcher {
name = "allpaths"
default_service = google_compute_backend_service.backend-a.id

path_rule {
paths = ["/anything/b/*"]
service = google_compute_backend_service.backend-b.id
# with a single serverless NEG the implied default health check is not needed
health_check_configs = {}
neg_configs = {
neg-a = {
psc = {
region = var.region
target_service = module.producer-a.exposed_service_psc_attachment.self_link
network = module.consumer-vpc.id
subnetwork = module.consumer-vpc.subnet_ids["${var.region}/consumer"]
}
}

path_rule {
paths = ["/anything/a/*"]
service = google_compute_backend_service.backend-a.id
neg-b = {
psc = {
region = var.region
target_service = module.producer-b.exposed_service_psc_attachment.self_link
network = module.consumer-vpc.id
subnetwork = module.consumer-vpc.subnet_ids["${var.region}/consumer"]
}
}
}
urlmap_config = {
default_service = "default"
host_rules = [{
hosts = ["*"]
path_matcher = "pathmap"
}]
path_matchers = {
pathmap = {
default_service = "default"
path_rules = [
{
paths = ["/b/*"]
service = "other"
route_action = {
url_rewrite = {
path_prefix = "/" # rewrite "/b/*" to "/*"
}
}
},
{
paths = ["/a/*"]
service = "default"
route_action = {
url_rewrite = {
path_prefix = "/" # rewrite "/b/*" to "/*"
}
}
},
]
}
}
}
}

resource "google_compute_security_policy" "policy" {

resource "google_compute_security_policy" "cloud-armor-policy" {
provider = google-beta
project = module.consumer_project.project_id
project = module.consumer-project.project_id
name = "ddos-protection"
adaptive_protection_config {
layer_7_ddos_defense_config {
enable = true
}
}
}

resource "google_compute_backend_service" "backend-a" {
provider = google-beta
project = module.consumer_project.project_id
name = "backend-a"
load_balancing_scheme = "EXTERNAL_MANAGED"
protocol = "HTTPS"
backend {
group = google_compute_region_network_endpoint_group.psc_neg_a.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}

resource "google_compute_backend_service" "backend-b" {
provider = google-beta
project = module.consumer_project.project_id
name = "backend-b"
load_balancing_scheme = "EXTERNAL_MANAGED"
protocol = "HTTPS"
backend {
group = google_compute_region_network_endpoint_group.psc_neg_b.id
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}
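Review bot: `billing_account = try(var.project_create_config.billing_account)` and `parent = try(var.project_create_config.parent)` have no fallback argument, so on the existing-projects path where `project_create_config` stays at its `null` default the attribute lookup on a null value errors and `try` has nothing else to return; use `try(var.project_create_config.billing_account, null)` and `try(var.project_create_config.parent, null)` (the same `project_create_config` is forwarded to both producer modules, so check the producer module for the same pattern). Two comment fixes in the same hunk: the `/a/*` path rule carries `# rewrite "/b/*" to "/*"`, a copy of the `/b/*` rule's comment, and should read `"/a/*"`; and `# with a single serverless NEG the implied default health check is not needed` describes two NEGs that are PSC NEGs (`psc = {...}`), not serverless ones, so the reason for `health_check_configs = {}` and `health_checks = []` should be stated in terms of PSC NEGs.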