Setting up Terraform for GCP
Start creating .tf files:
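terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      # Pin the provider in required_providers as well (the canonical place
      # since Terraform 0.13); this mirrors the version set on the provider block.
      version = "3.5.0"
    }
  }
}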
provider "google" {
  # Authentication: a service-account key read from a local JSON file.
  # The key file sits next to the config and must be kept out of version control;
  # the provider can alternatively pick it up from GOOGLE_APPLICATION_CREDENTIALS.
  credentials = file("myproject-123456-f72073802721.json")
  project     = "myproject-123456"

  # Defaults applied to any resource below that does not set its own location.
  region = "us-central1"
  zone   = "us-central1-a"

  # Exact provider pin (newer Terraform releases warn about version here and
  # prefer required_providers).
  version = "3.5.0"
}
Create a new VPC network with subnets in Oregon and London
# Create new network called 'my-network'
resource "google_compute_network" "TF_NETWORK" {
  # Custom-mode VPC: no automatic subnet per region, only the subnets
  # declared explicitly in this configuration.
  auto_create_subnetworks = false
  name                    = "my-network"
}
# Create subnet 172.16.1.0/24 in us-west1 (Oregon);
# Enable private API access & 1 minute 100% flow logging
resource "google_compute_subnetwork" "TF_SUBNET_1" {
  # Oregon subnet, 172.16.1.0/24, attached to the custom VPC above.
  name          = "my-network-subnet-oregon"
  region        = "us-west1"
  network       = google_compute_network.TF_NETWORK.id
  ip_cidr_range = "172.16.1.0/24"

  # Instances without external IPs can still reach Google APIs.
  private_ip_google_access = true

  # VPC flow logs: every flow (100% sampling), full metadata, 1-minute aggregation.
  log_config {
    flow_sampling        = 1.0
    metadata             = "INCLUDE_ALL_METADATA"
    aggregation_interval = "INTERVAL_1_MIN"
  }
}
# Create subnet 172.16.2.0/24 in europe-west2 (London)
# Add secondary IP range 192.168.200.0/26
resource "google_compute_subnetwork" "TF_SUBNET_2" {
  # London subnet, 172.16.2.0/24, on the same custom VPC.
  name          = "my-network-subnet-london"
  region        = "europe-west2"
  network       = google_compute_network.TF_NETWORK.id
  ip_cidr_range = "172.16.2.0/24"

  # Secondary (alias) range 192.168.200.0/26 on this subnet.
  # Note: unlike the Oregon subnet, no flow logging is configured here.
  secondary_ip_range {
    ip_cidr_range = "192.168.200.0/26"
    range_name    = "tf-subnet-london-secondary-range"
  }
}
Create (ingress) firewall rules
# Allow ICMP, SSH, and DNS from RFC-1918 Private Address Space
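resource "google_compute_firewall" "TF_FWRULE_1" {
  # Ingress: ICMP, SSH (tcp/22) and DNS (udp/53) from the RFC 1918 private ranges.
  # No target_tags are set, so this rule applies to every instance in the network.
  name    = "allow-ssh-and-dns-from-rfc-1918"
  network = google_compute_network.TF_NETWORK.name

  # Log matched connections, consistent with the HTTP/HTTPS rule, so SSH
  # sources are visible in the firewall logs.
  enable_logging = true

  source_ranges = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  allow {
    protocol = "udp"
    ports    = ["53"]
  }
}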
# Allow HTTP & HTTPS from Internet w/ logging enabled;
# applied to instances with network tag 'nginx' or 'apache'
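resource "google_compute_firewall" "TF_FWRULE_2" {
  # Ingress: HTTP and HTTPS from anywhere, only to instances tagged 'nginx' or 'apache'.
  name    = "allow-http-and-https-from-internet"
  network = google_compute_network.TF_NETWORK.name

  # Matched connections are logged.
  enable_logging = true

  # Stated explicitly: with no source_ranges GCP defaults to 0.0.0.0/0 anyway,
  # but the open exposure should be visible in the config rather than implied.
  source_ranges = ["0.0.0.0/0"]

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }

  target_tags = ["nginx", "apache"]
}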
Create an external L7 load balancer
# Create basic port 80 healthcheck
resource "google_compute_health_check" "TF_HEALTHCHECK" {
  # Plain TCP connect check on port 80 every 15 s, 3 s timeout per probe.
  # It only proves the port accepts connections, not that the site serves a 200.
  name               = "check-website-backend"
  timeout_sec        = 3
  check_interval_sec = 15

  tcp_health_check {
    port = 80
  }
}
# Create backend service
# with a backend timeout of 15 seconds and client-IP session affinity
resource "google_compute_backend_service" "TF_BACKEND_SERVICE" {
  # Backend service behind the URL map: health-checked, 15 s backend timeout,
  # requests from one client IP stick to the same backend.
  # No backend {} (instance group / NEG) is declared here, so nothing serves
  # traffic until one is attached — presumably added elsewhere or by hand.
  name             = "website-backend-service"
  session_affinity = "CLIENT_IP"
  timeout_sec      = 15
  health_checks    = [google_compute_health_check.TF_HEALTHCHECK.id]
}
# Create URL map (Load balancer)
resource "google_compute_url_map" "TF_URL_MAP" {
  # The load balancer itself; every request falls through to the single backend service.
  default_service = google_compute_backend_service.TF_BACKEND_SERVICE.id
  name            = "my-load-balancer"
}
# Create HTTP target proxy
resource "google_compute_target_http_proxy" "TF_TPROXY_HTTP" {
  # Plaintext HTTP front door for the URL map (used by the port-80 forwarding rule).
  url_map = google_compute_url_map.TF_URL_MAP.id
  name    = "my-http-target-proxy"
}
# Create ssl cert/key HTTPS target proxy
resource "google_compute_ssl_certificate" "TF_SSL_CERT" {
  # Certificate and private key are read from local files at plan/apply time.
  # The key material is written into Terraform state, so the state file needs the
  # same protection as the key itself; both files must stay out of version control.
  name        = "my-ssl-certificate"
  certificate = file("mycert.crt")
  private_key = file("mykey.key")
}
resource "google_compute_target_https_proxy" "TF_TPROXY_HTTPS" {
  # TLS front door: terminates HTTPS with the certificate above and routes via the URL map.
  name             = "my-https-target-proxy"
  ssl_certificates = [google_compute_ssl_certificate.TF_SSL_CERT.id]
  url_map          = google_compute_url_map.TF_URL_MAP.id
}
# Allocate External Global IP Address
resource "google_compute_global_address" "TF_IP_ADDRESS" {
  # Single global external IPv4 address shared by the HTTP and HTTPS frontends.
  name = "gcp-l7-externalip-global"
}
# Create HTTP frontend
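resource "google_compute_global_forwarding_rule" "TF_FWD_RULE_1" {
  # HTTP frontend: port 80 on the global address, handed to the HTTP target proxy.
  name       = "my-frontend-http"
  port_range = "80"
  target     = google_compute_target_http_proxy.TF_TPROXY_HTTP.id

  # Fixed: the address resource is declared as TF_IP_ADDRESS; the previous
  # reference to TF_GLOBAL_IP_ADDRESS named a resource that does not exist.
  ip_address = google_compute_global_address.TF_IP_ADDRESS.address
}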
# Create HTTPS frontend
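resource "google_compute_global_forwarding_rule" "TF_FWD_RULE_2" {
  # HTTPS frontend: port 443 on the same global address, handed to the HTTPS target proxy.
  name       = "my-frontend-https"
  port_range = "443"
  target     = google_compute_target_https_proxy.TF_TPROXY_HTTPS.id

  # Fixed: the address resource is declared as TF_IP_ADDRESS; the previous
  # reference to TF_GLOBAL_IP_ADDRESS named a resource that does not exist.
  ip_address = google_compute_global_address.TF_IP_ADDRESS.address
}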