
2. GCP-테라폼- HTTPS LB

by Master Seo



<1> 환경설정

<2> 설정




<1> 환경설정


1

# List the gcloud accounts configured on this machine and mark the active one,
# so the following Terraform run is known to act as the intended identity.
gcloud auth list



2

# Print the project gcloud is currently targeting; it should match the value
# passed later as -var 'project=...' so resources land in the expected project.
gcloud config list project




<2> 설정



1

설정 파일 보기


$ ls *.tf

main.tf mig.tf outputs.tf tls.tf variables.tf versions.tf


$ more versions.tf


# Provider requirements for this example. Only the two Google providers carry
# version bounds; random/template/tls are left unconstrained.
terraform {
  required_version = ">= 0.13"

  required_providers {
    google      = { source = "hashicorp/google", version = ">= 3.53, < 5.0" }
    google-beta = { source = "hashicorp/google-beta", version = ">= 4.40, < 5.0" }

    # No version constraint on the three below: a fresh `terraform init` (without a
    # committed .terraform.lock.hcl) may pick up any newer release. Pinning keeps
    # provider upgrades a deliberate, reviewable change.
    random   = { source = "hashicorp/random" }
    # hashicorp/template is no longer maintained upstream; the built-in
    # templatefile() function is the recommended replacement (see mig.tf).
    template = { source = "hashicorp/template" }
    tls      = { source = "hashicorp/tls" }
  }
}




$ more main.tf


# Default google provider; the project comes from the required `project` variable.
# No region/zone is set here — every regional resource names its region explicitly.
provider "google" { project = var.project }


# google-beta provider, configured identically to google so both resolve to the same project.
provider "google-beta" { project = var.project }


# Custom-mode VPC: no auto-created subnets, so only the three /20 ranges declared
# below exist. (The original wrote the string "false"; Terraform converts it to
# the same boolean.)
resource "google_compute_network" "default" {
  auto_create_subnetworks = false
  name                    = var.network_name
}

# Regional subnet for group1. Subnet names are scoped per region, so reusing
# var.network_name across the three regions is fine. Private Google Access lets
# instances without external IPs reach Google APIs.
resource "google_compute_subnetwork" "group1" {
  region                   = var.group1_region
  network                  = google_compute_network.default.self_link
  name                     = var.network_name
  ip_cidr_range            = "10.125.0.0/20"
  private_ip_google_access = true
}

# Router and Cloud NAT are required for installing packages from repos (apache, php etc)

# Cloud Router in group1's region; the cloud-nat-group1 module attaches its NAT to it.
resource "google_compute_router" "group1" {
  region  = var.group1_region
  network = google_compute_network.default.self_link
  name    = format("%s-gw-group1", var.network_name)
}

# Outbound-only NAT for group1 instances (they have no external IPs), needed for
# package installs at boot. Nothing here enables NAT logging or restricts egress
# destinations; review the module's logging options if outbound connections
# need to be recorded for detection.
module "cloud-nat-group1" {
  source  = "terraform-google-modules/cloud-nat/google"
  version = "~> 2.2"

  project_id = var.project
  region     = var.group1_region
  router     = google_compute_router.group1.name
  name       = format("%s-cloud-nat-group1", var.network_name)
}

# Regional subnet for group2 (same layout as group1, distinct /20 range and region).
resource "google_compute_subnetwork" "group2" {
  region                   = var.group2_region
  network                  = google_compute_network.default.self_link
  name                     = var.network_name
  ip_cidr_range            = "10.126.0.0/20"
  private_ip_google_access = true
}

# Router and Cloud NAT are required for installing packages from repos (apache, php etc)

# Cloud Router in group2's region for the cloud-nat-group2 module.
resource "google_compute_router" "group2" {
  region  = var.group2_region
  network = google_compute_network.default.self_link
  name    = format("%s-gw-group2", var.network_name)
}

# Outbound-only NAT for group2 instances; mirrors cloud-nat-group1.
module "cloud-nat-group2" {
  source  = "terraform-google-modules/cloud-nat/google"
  version = "~> 2.2"

  project_id = var.project
  region     = var.group2_region
  router     = google_compute_router.group2.name
  name       = format("%s-cloud-nat-group2", var.network_name)
}

# Regional subnet for group3 (same layout as group1/group2, distinct /20 range and region).
resource "google_compute_subnetwork" "group3" {
  region                   = var.group3_region
  network                  = google_compute_network.default.self_link
  name                     = var.network_name
  ip_cidr_range            = "10.127.0.0/20"
  private_ip_google_access = true
}

# Router and Cloud NAT are required for installing packages from repos (apache, php etc)

# Cloud Router in group3's region for the cloud-nat-group3 module.
resource "google_compute_router" "group3" {
  region  = var.group3_region
  network = google_compute_network.default.self_link
  name    = format("%s-gw-group3", var.network_name)
}

# Outbound-only NAT for group3 instances; mirrors cloud-nat-group1.
module "cloud-nat-group3" {
  source  = "terraform-google-modules/cloud-nat/google"
  version = "~> 2.2"

  project_id = var.project
  region     = var.group3_region
  router     = google_compute_router.group3.name
  name       = format("%s-cloud-nat-group3", var.network_name)
}

# Random suffix for the asset bucket name. byte_length = 2 gives 4 hex characters,
# i.e. 65,536 possible suffixes; GCS bucket names are global, so a collision with an
# existing bucket would make apply fail — a longer byte_length widens the space.
resource "random_id" "assets-bucket" {
  byte_length = 2
  prefix      = "terraform-static-content-"
}

# Health check shared by every backend service: plain HTTP GET "/" on port 80.
locals {
  health_check = { request_path = "/", port = 80 }
}

# [START cloudloadbalancing_ext_http_gce_plus_bucket]

# External HTTPS load balancer fronting the three MIGs and (via the URL map) the
# asset bucket. Security-relevant settings as written:
#  - ssl = true with the self-signed key/cert from tls.tf: clients will see an
#    untrusted certificate, and the private key is held in Terraform state.
#  - LB -> backend traffic is plain HTTP on port 80 (protocol = "HTTP").
#  - IAP is disabled on every backend (iap_config.enable = false).
#  - Request logging is enabled at 100% sampling on every backend.
module "gce-lb-https" {
  source  = "../../"
  name    = var.network_name
  project = var.project

  # NOTE(review): presumably consumed by the module's firewall rule as target tags
  # (firewall_networks below names the VPC) — confirm against the module. The NAT
  # router names are included alongside the per-group tags, matching the tags set
  # on each instance template in mig.tf.
  target_tags = [
    format("%s-group1", var.network_name), module.cloud-nat-group1.router_name,
    format("%s-group2", var.network_name), module.cloud-nat-group2.router_name,
    format("%s-group3", var.network_name), module.cloud-nat-group3.router_name,
  ]
  firewall_networks = [google_compute_network.default.self_link]

  # The URL map is declared separately (google_compute_url_map below) and handed in.
  create_url_map = false
  url_map        = google_compute_url_map.ml-bkd-ml-mig-bckt-s-lb.self_link

  ssl         = true
  private_key = tls_private_key.example.private_key_pem
  certificate = tls_self_signed_cert.example.cert_pem

  # "default" spans all three MIGs; mig1..mig3 hold one MIG each so the URL map
  # can route /groupN paths to a single group. All four share the same settings.
  backends = {
    default = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      iap_config   = { enable = false }
      groups = [
        { group = module.mig1.instance_group },
        { group = module.mig2.instance_group },
        { group = module.mig3.instance_group },
      ]
    }

    mig1 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      iap_config   = { enable = false }
      groups       = [{ group = module.mig1.instance_group }]
    }

    mig2 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      iap_config   = { enable = false }
      groups       = [{ group = module.mig2.instance_group }]
    }

    mig3 = {
      protocol     = "HTTP"
      port         = 80
      port_name    = "http"
      timeout_sec  = 10
      enable_cdn   = false
      health_check = local.health_check
      log_config   = { enable = true, sample_rate = 1.0 }
      iap_config   = { enable = false }
      groups       = [{ group = module.mig3.instance_group }]
    }
  }
}

# URL map for the LB (its name is the load balancer name). Everything not matched
# below goes to the "default" backend; /groupN paths go to that group's own backend
# and /assets is served from the backend bucket.
resource "google_compute_url_map" "ml-bkd-ml-mig-bckt-s-lb" {
  name            = var.network_name
  default_service = module.gce-lb-https.backend_services["default"].self_link

  # A single wildcard host rule: no Host-header filtering, all routing is by path.
  host_rule {
    hosts        = ["*"]
    path_matcher = "allpaths"
  }

  path_matcher {
    name            = "allpaths"
    default_service = module.gce-lb-https.backend_services["default"].self_link

    path_rule {
      paths   = ["/group1", "/group1/*"]
      service = module.gce-lb-https.backend_services["mig1"].self_link
    }

    path_rule {
      paths   = ["/group2", "/group2/*"]
      service = module.gce-lb-https.backend_services["mig2"].self_link
    }

    path_rule {
      paths   = ["/group3", "/group3/*"]
      service = module.gce-lb-https.backend_services["mig3"].self_link
    }

    # Static content; the object name in google_storage_bucket_object.image starts
    # with "assets/" so it is reachable under this prefix.
    path_rule {
      paths   = ["/assets", "/assets/*"]
      service = google_compute_backend_bucket.assets.self_link
    }
  }
}

# Backend bucket behind the /assets path rule, with Cloud CDN caching enabled.
resource "google_compute_backend_bucket" "assets" {
  bucket_name = google_storage_bucket.assets.name
  name        = random_id.assets-bucket.hex
  enable_cdn  = true
  description = "Contains static resources for example app"
}

# Bucket holding the static assets. force_destroy deletes the bucket and all its
# objects on `terraform destroy`, so nothing durable belongs here. Access is granted
# per object via the ACL resource below; uniform bucket-level access is not enabled
# (turning it on would require replacing that object ACL with an IAM binding).
resource "google_storage_bucket" "assets" {
  location      = "US"
  name          = random_id.assets-bucket.hex
  force_destroy = true
}

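// The image object in Cloud Storage.
// Note that the path in the bucket matches the paths in the url map path rule above.
// The file is resolved relative to this configuration directory via path.module —
// the same convention mig.tf uses for gceme.sh.tpl — rather than relative to the
// shell's working directory, so running Terraform from elsewhere (e.g. -chdir) still
// finds it.
resource "google_storage_bucket_object" "image" {
  name         = "assets/gcp-logo.svg"
  bucket       = google_storage_bucket.assets.name
  content      = file("${path.module}/gcp-logo.svg")
  content_type = "image/svg+xml"
}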

// Make object public readable. "publicRead" means anyone on the internet can fetch
// this object — through the LB/CDN or directly from Cloud Storage. Appropriate for a
// public logo; do not copy this ACL for content that is not meant to be public.
resource "google_storage_object_acl" "image-acl" {
  predefined_acl = "publicRead"
  bucket         = google_storage_bucket.assets.name
  object         = google_storage_bucket_object.image.name
}

# [END cloudloadbalancing_ext_http_gce_plus_bucket]






$ ls *.tf

main.tf mig.tf outputs.tf tls.tf variables.tf versions.tf






$ more mig.tf


# Startup script for group1, rendered from the shared gceme.sh.tpl. PROXY_PATH is
# presumably the path prefix this group answers on (matches the URL map's /group1
# rule) — see the template for how it is used. hashicorp/template is no longer
# maintained upstream; the built-in templatefile() is the recommended replacement.
data "template_file" "group1-startup-script" {
  template = file("${path.module}/gceme.sh.tpl")
  vars     = { PROXY_PATH = "/group1" }
}

# Startup script for group2; same template as group1 with PROXY_PATH = "/group2"
# (matches the URL map's /group2 rule).
data "template_file" "group2-startup-script" {
  template = file("${path.module}/gceme.sh.tpl")
  vars     = { PROXY_PATH = "/group2" }
}

# Startup script for group3; same template as group1 with PROXY_PATH = "/group3"
# (matches the URL map's /group3 rule).
data "template_file" "group3-startup-script" {
  template = file("${path.module}/gceme.sh.tpl")
  vars     = { PROXY_PATH = "/group3" }
}

# Instance template for group1 VMs (Ubuntu 20.04 LTS) in group1's subnet.
# Security note: an empty service_account.email is taken by this module to mean the
# project's default Compute Engine service account (confirm in the module), and the
# cloud-platform scope lets that identity call any Google API its IAM roles permit.
# A dedicated, least-privilege service account per workload is the usual recommendation.
module "mig1_template" {
  source  = "terraform-google-modules/vm/google//modules/instance_template"
  version = "~> 7.9"

  name_prefix    = format("%s-group1", var.network_name)
  startup_script = data.template_file.group1-startup-script.rendered

  source_image_project = "ubuntu-os-cloud"
  source_image_family  = "ubuntu-2004-lts"

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group1.self_link

  service_account = { email = "", scopes = ["cloud-platform"] }

  # Must stay in sync with target_tags on the gce-lb-https module.
  tags = [format("%s-group1", var.network_name), module.cloud-nat-group1.router_name]
}

# Regional managed instance group of 2 VMs from mig1_template. The "http" named
# port is what the LB backends reference via port_name.
module "mig1" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "~> 7.9"

  hostname          = format("%s-group1", var.network_name)
  region            = var.group1_region
  target_size       = 2
  instance_template = module.mig1_template.self_link

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group1.self_link

  named_ports = [{ name = "http", port = 80 }]
}

# Instance template for group2 VMs (Ubuntu 20.04 LTS) in group2's subnet.
# Same service-account caveat as group1: empty email + cloud-platform scope means
# the default Compute Engine service account with broad API reach (confirm in the
# module); prefer a dedicated least-privilege service account.
module "mig2_template" {
  source  = "terraform-google-modules/vm/google//modules/instance_template"
  version = "~> 7.9"

  name_prefix    = format("%s-group2", var.network_name)
  startup_script = data.template_file.group2-startup-script.rendered

  source_image_project = "ubuntu-os-cloud"
  source_image_family  = "ubuntu-2004-lts"

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group2.self_link

  service_account = { email = "", scopes = ["cloud-platform"] }

  # Must stay in sync with target_tags on the gce-lb-https module.
  tags = [format("%s-group2", var.network_name), module.cloud-nat-group2.router_name]
}

# Regional managed instance group of 2 VMs from mig2_template; "http" named port
# on 80 for the LB backends.
module "mig2" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "~> 7.9"

  hostname          = format("%s-group2", var.network_name)
  region            = var.group2_region
  target_size       = 2
  instance_template = module.mig2_template.self_link

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group2.self_link

  named_ports = [{ name = "http", port = 80 }]
}

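# Instance template for group3 VMs (Ubuntu 20.04 LTS) in group3's subnet.
# Fix: the tags list previously carried module.cloud-nat-group2.router_name, a
# copy-paste from group2; group1 and group2 each tag with their own router, so
# group3 now does the same. (Changing a tag replaces the instance template.)
# Security note: empty service_account.email + cloud-platform scope means the
# default Compute Engine service account with broad API reach (confirm in the
# module); prefer a dedicated least-privilege service account.
module "mig3_template" {
  source  = "terraform-google-modules/vm/google//modules/instance_template"
  version = "~> 7.9"

  name_prefix    = "${var.network_name}-group3"
  startup_script = data.template_file.group3-startup-script.rendered

  source_image_project = "ubuntu-os-cloud"
  source_image_family  = "ubuntu-2004-lts"

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group3.self_link

  service_account = {
    email  = ""
    scopes = ["cloud-platform"]
  }

  # Must stay in sync with target_tags on the gce-lb-https module.
  tags = [
    "${var.network_name}-group3",
    module.cloud-nat-group3.router_name,
  ]
}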

# Regional managed instance group of 2 VMs from mig3_template; "http" named port
# on 80 for the LB backends.
module "mig3" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "~> 7.9"

  hostname          = format("%s-group3", var.network_name)
  region            = var.group3_region
  target_size       = 2
  instance_template = module.mig3_template.self_link

  network    = google_compute_network.default.self_link
  subnetwork = google_compute_subnetwork.group3.self_link

  named_ports = [{ name = "http", port = 80 }]
}







$ ls *.tf

main.tf mig.tf outputs.tf tls.tf variables.tf versions.tf





$ more outputs.tf


# Echo the region used for group1's subnet, router/NAT and MIG.
output "group1_region" { value = var.group1_region }

# Echo the region used for group2's subnet, router/NAT and MIG.
output "group2_region" { value = var.group2_region }

# Echo the region used for group3's subnet, router/NAT and MIG.
output "group3_region" { value = var.group3_region }

# Public IPv4 address of the HTTPS load balancer (read by the shell snippet after apply).
output "load-balancer-ip" { value = module.gce-lb-https.external_ip }

# IPv6 address of the LB when the module reports IPv6 as enabled; the literal
# string "undefined" otherwise.
output "load-balancer-ipv6" {
  description = "The IPv6 address of the load-balancer, if enabled; else \"undefined\""
  value       = module.gce-lb-https.ipv6_enabled ? module.gce-lb-https.external_ipv6_address : "undefined"
}

# Convenience URL for the public logo via the LB over IPv4. With the self-signed
# certificate from tls.tf, browsers will show a certificate warning for this URL.
output "asset-url" {
  value = format("https://%s/assets/gcp-logo.svg", module.gce-lb-https.external_ip)
}

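# Convenience URL for the public logo via the LB over IPv6, or "undefined" when
# IPv6 is not enabled. Fix: a literal IPv6 address in a URL authority must be
# enclosed in square brackets (RFC 3986), otherwise the colons are parsed as a
# port separator and the URL is unusable. Assumes the module output is a bare
# address rather than a CIDR — confirm against the module. As with asset-url,
# the self-signed certificate will produce a browser warning.
output "asset-url-ipv6" {
  description = "The asset url over IPv6 address of the load-balancer, if enabled; else \"undefined\""
  value       = module.gce-lb-https.ipv6_enabled ? "https://[${module.gce-lb-https.external_ipv6_address}]/assets/gcp-logo.svg" : "undefined"
}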





$ ls *.tf

main.tf mig.tf outputs.tf tls.tf variables.tf versions.tf





$ more tls.tf


# 2048-bit RSA key for the self-signed certificate. The PEM private key is stored
# in plain text in Terraform state (and passed into the LB module), so the state
# backend must be access-controlled and encrypted — anyone who can read state can
# impersonate the load balancer's TLS endpoint.
resource "tls_private_key" "example" {
  rsa_bits  = 2048
  algorithm = "RSA"
}

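# Short-lived self-signed certificate for the example LB. No CA signs it, so
# browsers and tools will not trust it; it exists only so the HTTPS frontend can
# be created. For real traffic use a Google-managed or CA-issued certificate.
# Because validity is 12 hours and renewal only happens on a Terraform run, the
# LB serves an expired certificate after 12 hours unless apply is re-run.
# NOTE(review): the listing as published ended after allowed_uses without the
# closing brace; it is restored here.
resource "tls_self_signed_cert" "example" {
  private_key_pem = tls_private_key.example.private_key_pem

  # Certificate expires after 12 hours.
  validity_period_hours = 12

  # Generate a new certificate if Terraform is run within three
  # hours of the certificate's expiration time.
  early_renewal_hours = 3

  # Reasonable set of uses for a server SSL certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}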






$ ls *.tf

main.tf mig.tf outputs.tf tls.tf variables.tf versions.tf




$ more variables.tf


# Region for group1's subnet, router/NAT and MIG.
variable "group1_region" { default = "us-west1" }

# Region for group2's subnet, router/NAT and MIG.
variable "group2_region" { default = "us-central1" }

# Region for group3's subnet, router/NAT and MIG.
variable "group3_region" { default = "us-east1" }

# Base name reused for the VPC, the subnets, the LB/URL map, and as the prefix for
# routers, NATs, instance templates and MIGs.
variable "network_name" { default = "ml-bk-ml-mig-bkt-s-lb" }

# Target GCP project. No default, so it must be supplied (the apply steps pass it
# with -var 'project=...').
variable "project" { type = string }





2

# Download the providers and modules declared in versions.tf / main.tf.
terraform init


# Write the plan to a file so that apply runs exactly what was reviewed; replace
# <PROJECT_ID> with the target project. The saved plan embeds variable values and
# planned attributes — treat tfplan as sensitive and keep it out of version control.
terraform plan -out=tfplan -var 'project=<PROJECT_ID>'


# Apply the saved plan. Applying a plan file skips the interactive confirmation.
terraform apply tfplan



3

콘솔에서 LB 확인




4

IP 확인

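# Read the LB's IPv4 address from the Terraform outputs. The grep is anchored to the
# exact output name followed by a space: the unanchored 'load-balancer-ip' also matched
# 'load-balancer-ipv6' (declared in outputs.tf), yielding two values. xargs strips the
# quotes newer Terraform versions put around the value.
EXTERNAL_IP=$(terraform output | grep '^load-balancer-ip ' | cut -d = -f2 | xargs echo -n)
echo
# Print the URL instead of executing it as a command (the original line had no echo).
# The LB uses the self-signed certificate from tls.tf, so expect a certificate warning.
echo "https://${EXTERNAL_IP}"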


10 lb.png


20 backend.png



다음과정

https://brunch.co.kr/@topasvga/3392



전체 보기

https://brunch.co.kr/@topasvga/3394


감사합니다.

