Example Terraform configuration for a GCP global external HTTP(S) load balancer (HTTPS-only frontend, self-signed demo certificate) fronting a managed instance group that serves HTTP/2 over TLS on port 443; two alternative startup scripts (nginx and Apache) are included.
module "http_lb" {
  source  = "GoogleCloudPlatform/lb-http/google"
  version = "~> 4.5"

  project = var.project_id
  name    = "demo"

  # Frontend is HTTPS only: http_forward = false means the module creates no
  # port-80 forwarding rule, so there is no plaintext listener to lock down.
  ssl          = true
  http_forward = false

  # Demo certificate generated in this file. Its private key is held in
  # Terraform state unencrypted, so the state backend must be treated as a
  # secret store. No ssl_policy is set, so the frontend presumably runs with
  # the GCP default SSL policy (which still permits TLS 1.0); for real traffic
  # attach a policy with a TLS 1.2 minimum and use a Google-managed or
  # CA-issued certificate (confirm the inputs exposed by the pinned version).
  certificate = tls_self_signed_cert.example.cert_pem
  private_key = tls_private_key.example.private_key_pem

  # The module scopes the firewall rule it creates for Google's health-check
  # source ranges to instances carrying these tags, so they must match the
  # tags on the instance template. That rule lands in the module's default
  # firewall network; set firewall_networks as well if the backends are not in
  # the "default" network.
  target_tags = ["mig-group1"]

  backends = {
    default = {
      # HTTP/2 over TLS to the instances on 443. port_name must match a
      # named_port on the instance group.
      description = null
      protocol    = "HTTP2"
      port        = 443
      port_name   = "http2"
      timeout_sec = 10

      enable_cdn             = false
      custom_request_headers = null
      # No Cloud Armor policy: the LB accepts traffic from anywhere with no edge
      # filtering or rate limiting.
      security_policy = null

      connection_draining_timeout_sec = null
      session_affinity                = null
      affinity_cookie_ttl_sec         = null

      # Probe "/" on the same TLS port the data path uses. The module is expected
      # to pick the health-check type from `protocol` (HTTP/2 here — confirm for
      # the pinned version). Neither the probe nor the data path validates the
      # backend's certificate, so the self-signed cert on the instances gives
      # confidentiality on that hop, not backend authentication.
      health_check = {
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        request_path        = "/"
        port                = 443
        host                = null
        logging             = null
      }

      # Every request is logged (sample_rate 1.0); useful for detection, but
      # lower the rate if log volume/cost becomes a concern.
      log_config = {
        enable      = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = module.mig.instance_group
          balancing_mode               = null
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
          max_utilization              = null
        },
      ]

      # IAP is off: nothing in front of the instances authenticates users, so
      # any access control has to live in the application itself.
      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}
# https://registry.terraform.io/modules/terraform-google-modules/vm/google/latest/submodules/mig
module "mig" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "6.2.0"

  project_id = var.project_id
  region     = var.region
  hostname   = "demo"

  instance_template = module.instance_template.self_link
  target_size       = 2

  # Named port the LB backend refers to through port_name = "http2"; the
  # number must be the port the web server actually listens on.
  named_ports = [{
    name = "http2",
    port = 443
  }]

  # Proactive rolling replacement when the template changes. Note that with
  # target_size = 2, max_unavailable_fixed = 3 allows every instance to be out
  # of service at the same time; the surge of 4 normally avoids that, but
  # lower max_unavailable_fixed if a zero-capacity window is unacceptable.
  update_policy = [{
    type                         = "PROACTIVE"
    minimal_action               = "REPLACE"
    replacement_method           = "SUBSTITUTE"
    instance_redistribution_type = "PROACTIVE"
    max_surge_fixed              = 4
    max_unavailable_fixed        = 3
    max_surge_percent            = null
    max_unavailable_percent      = null
    min_ready_sec                = 0
  }]
}
# https://registry.terraform.io/modules/terraform-google-modules/vm/google/latest/submodules/instance_template
module "instance_template" {
  source  = "terraform-google-modules/vm/google//modules/instance_template"
  version = "6.2.0"

  project_id         = var.project_id
  subnetwork         = var.subnetwork
  subnetwork_project = var.project_id

  # Instance identity. With the default var.service_account (email = null) the
  # instances presumably fall back to the project's default Compute Engine
  # service account, which carries broad grants on older projects; scopes = []
  # narrows what its tokens can reach, but a dedicated least-privilege service
  # account is the safer choice — confirm against the module's handling of a
  # null email.
  service_account = var.service_account

  # An image family resolves to the newest non-deprecated image at creation
  # time, so two applies can produce different base images.
  source_image_project = "debian-cloud"
  source_image_family  = "debian-10"
  machine_type         = "g1-small"
  disk_size_gb         = 10

  # Boot-time provisioning (runs with root privileges); installs and configures
  # the web server. The nginx script in this gist is a drop-in alternative.
  startup_script = file("${path.module}/startup_apache.sh")

  # Must match target_tags on the LB module, otherwise the health-check
  # firewall rule does not apply to these instances.
  tags = ["mig-group1"]
}
terraform {
  # Minimum Terraform version. No backend is declared in this file, so unless
  # one is configured elsewhere the state — including the TLS private key
  # generated below — is written to a local terraform.tfstate.
  required_version = ">= 0.12.6"
}
# No project is set on either provider; every module receives var.project_id
# explicitly instead.
provider "google" {
  region = var.region
}

# Beta provider declared alongside GA, presumably because the lb-http module
# uses it for some resources.
provider "google-beta" {
  region = var.region
}
# RSA-2048 key for the demo frontend certificate. The PEM is stored in
# Terraform state unencrypted; anyone who can read the state can impersonate
# the load balancer, so restrict access to the state backend.
resource "tls_private_key" "example" {
  rsa_bits  = 2048
  algorithm = "RSA"
}
# Self-signed certificate for the LB frontend — demo only. Browsers will not
# trust it and the names below are placeholders; use a CA-issued or
# Google-managed certificate for real traffic.
resource "tls_self_signed_cert" "example" {
  private_key_pem = tls_private_key.example.private_key_pem
  key_algorithm   = tls_private_key.example.algorithm

  subject {
    common_name  = "example.com"
    organization = "ACME Examples, Inc"
  }
  dns_names = ["example.com", "example.net"]

  # Valid for 7 days; re-issued when Terraform runs within the last 24 hours
  # of validity. Rotation only happens on `terraform apply`, so this must be
  # applied at least every 6 days or the frontend serves an expired cert.
  validity_period_hours = 168
  early_renewal_hours   = 24

  # Key usages appropriate for a TLS server certificate.
  allowed_uses = [
    "key_encipherment",
    "digital_signature",
    "server_auth",
  ]
}
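#!/bin/bash
# Startup script: install nginx on Debian and serve the default document root
# over HTTP/2 + TLS on 443 using the distro's self-signed "snakeoil" pair.
# The GCP load balancer terminates client TLS itself and re-encrypts to this
# instance without validating the backend certificate, so the self-signed cert
# gives confidentiality on that hop but does not authenticate the backend.
#
# -x traces every command to the serial console / startup-script log. Nothing
# secret is handled here; drop it before adding credentials to this script.
set -x
export DEBIAN_FRONTEND=noninteractive

# Unpinned upgrade at boot: each instance gets whatever is current when it
# boots, so instances in one group can differ. Bake an image for repeatability.
apt-get -yq update
apt-get -yq upgrade
# ssl-cert generates the self-signed snakeoil pair at install time:
#   /etc/ssl/certs/ssl-cert-snakeoil.pem
#   /etc/ssl/private/ssl-cert-snakeoil.key
# Regenerate with: make-ssl-cert generate-default-snakeoil --force-overwrite
apt-get install -y nginx ssl-cert

# Replace the stock default site (which listens on port 80) with a TLS-only
# HTTP/2 server. Quoted heredoc: nothing here should be expanded by the shell.
cat > /etc/nginx/sites-available/default <<'HTTP2_CONF'
server {
server_name _;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
listen 443 ssl http2;
access_log /var/log/nginx/example.com_access.log;
error_log /var/log/nginx/example.com_error.log;
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# HTTP/2 already requires TLS 1.2+; pin it so the listener cannot fall back to
# TLS 1.0/1.1 for non-h2 clients (matches the SSLProtocol line in the Apache
# variant, which this script previously lacked).
ssl_protocols TLSv1.2 TLSv1.3;
}
HTTP2_CONF

# Restart only if the new configuration parses; otherwise the running config
# stays in place.
nginx -t && service nginx restart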
#!/bin/bash
# Startup script: Apache 2 on Debian serving the default docroot over HTTP/2 +
# TLS on 443 with the distro's self-signed "snakeoil" pair. The GCP load
# balancer re-encrypts to this instance but does not validate the backend
# certificate, so the self-signed cert provides confidentiality on that hop,
# not backend authentication.
#
# -x traces every command to the serial console / startup-script log; nothing
# secret is handled here.
set -x
export DEBIAN_FRONTEND=noninteractive

# Unpinned upgrade at boot: instance contents depend on when it booted.
apt-get -yq update
apt-get -yq upgrade
# ssl-cert installs the self-signed pair at
#   /etc/ssl/certs/ssl-cert-snakeoil.pem
#   /etc/ssl/private/ssl-cert-snakeoil.key
# (regenerate with: make-ssl-cert generate-default-snakeoil --force-overwrite)
apt-get install -y apache2 ssl-cert

a2enmod ssl http2

# Listen on 443 only: overwriting ports.conf drops the stock "Listen 80", so
# the instance has no plaintext listener. Heredocs are quoted; nothing in the
# config is meant to be expanded by the shell.
cat > /etc/apache2/ports.conf <<'PORTS_CONF'
Listen 443
PORTS_CONF

# TLS vhost: SSLv3 and TLS 1.0/1.1 disabled (HTTP/2 needs TLS 1.2+ anyway);
# Protocols h2 makes this vhost HTTP/2-only, matching the LB backend protocol.
# Requires an MPM other than prefork for h2 — Debian's default event MPM is
# fine, presumably.
cat > /etc/apache2/sites-available/http2.conf <<'HTTP2_CONF'
<VirtualHost *:443>
#ServerName example.com
#ServerAlias www.example.com
DocumentRoot /var/www/html/
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
Protocols h2
</VirtualHost>
HTTP2_CONF

# Swap the stock site for the TLS one, then restart only if the config parses.
a2dissite 000-default
a2ensite http2
apachectl configtest && service apache2 restart
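# Input variables. Type constraints are declared for the string inputs so a
# wrong-typed value is rejected at plan time rather than at the API.

variable "region" {
  description = "Region for the managed instance group and the provider defaults."
  type        = string
  default     = "australia-southeast1"
}

variable "project_id" {
  # The empty default is a placeholder and cannot produce a working plan;
  # always set this explicitly (e.g. via TF_VAR_project_id or a tfvars file).
  description = "GCP project ID that receives every resource in this configuration."
  type        = string
  default     = ""
}

variable "subnetwork" {
  description = "Subnetwork (in var.project_id) the instances are attached to. If this is not in the \"default\" network, the LB module's firewall_networks must be set to match."
  type        = string
  default     = "default"
}

# Service account attached to the instances. email = null presumably falls
# back to the project's default Compute Engine service account, which is
# broadly privileged on older projects; scopes = [] limits what its tokens can
# reach. Prefer a dedicated least-privilege service account.
variable "service_account" {
  default = {
    email  = null
    scopes = []
  }
}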