Skip to content

Add GCP external LB terraform config #489

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AlCutter merged 1 commit into from
Feb 13, 2026
Merged

Add GCP external LB terraform config #489

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
139 changes: 139 additions & 0 deletions deployment/modules/gcp/loadbalancer/main.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,139 @@
# Project data
provider "google" {
project = var.project_id
}

terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "6.50.0"
}
}

backend "gcs" {}
}

module "gce-lb-http" {
source = "terraform-google-modules/lb-http/google"
version = "~> 12.0"
name = "witness-lb-http"
project = var.project_id
load_balancing_scheme = "EXTERNAL"
ssl = true
Copy link

@phbnf phbnf Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you verified ownership of the domain already?

Copy link
Contributor Author

@AlCutter AlCutter Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which domain? This is just a module 😁 (no, but I will start)

managed_ssl_certificate_domains = [var.domain]
random_certificate_suffix = true

http_forward = false // HTTPS only

// Firewalls are defined externally.
firewall_networks = []

create_url_map = false
url_map = google_compute_url_map.url_map.id

// Use the Cloud Armor policy, if it's enabled.
security_policy = one(module.cloud_armor[*].policy.self_link)

backends = { for witness_name, witness in var.witnesses :
"${witness_name}-backend" => {
protocol = "HTTP"
port = 80
port_name = "http"
enable_cdn = false

// TODO(al): Decrease/remove this once it's working.
log_config = {
enable = true
sample_rate = 1.0
}

groups = [
{
group = google_compute_region_network_endpoint_group.serverless_neg[witness_name].self_link
},
]

iap_config = {
enable = false
}

}
}
}

resource "google_compute_region_network_endpoint_group" "serverless_neg" {
# One NEG group per witness Cloud Run service.
for_each = var.witnesses

#provider = google-beta
name = "serverless-neg-${each.key}"
network_endpoint_type = "SERVERLESS"
region = each.value.region
cloud_run {
service = each.value.service_name
}
}


resource "google_compute_url_map" "url_map" {
name = "witness-url-map"
description = "URL map of witnesses"

# Redirect requests to invalid endpoints to the witnesses page on transparency.dev
default_url_redirect {
host_redirect = "transparency.dev"
path_redirect = "/witnesses"
https_redirect = true
redirect_response_code = "FOUND" # Temporary redirect for now.
strip_query = true
}

dynamic "host_rule" {
for_each = var.witnesses
iterator = each

content {
hosts = [var.domain]
path_matcher = "${each.key}-path-matcher"
}
}

dynamic "path_matcher" {
for_each = var.witnesses
iterator = each

content {
name = "${each.key}-path-matcher"

# Redirect requests to invalid endpoints to the witnesses page on t.dev
Copy link

@phbnf phbnf Feb 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, transparency.dev

default_url_redirect {
host_redirect = "transparency.dev"
path_redirect = "/witnesses"
redirect_response_code = "FOUND" # Temporary redirect for now.
strip_query = true
}

path_rule {
paths = ["/${each.key}/add-checkpoint"]
service = module.gce-lb-http.backend_services["${each.key}-backend"].self_link
}
}
}
}

module "cloud_armor" {
source = "GoogleCloudPlatform/cloud-armor/google"
version = "~> 6.0"

count = var.enable_cloud_armor ? 1 : 0
project_id = var.project_id
name = "witness-security-policy"
description = "Witness LB Security Policy"
default_rule_action = "allow"
type = "CLOUD_ARMOR"
layer_7_ddos_defense_enable = true
layer_7_ddos_defense_rule_visibility = "STANDARD"
}


23 changes: 23 additions & 0 deletions deployment/modules/gcp/loadbalancer/variables.tf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
variable "project_id" {
description = "GCP project ID where the loadbalancer is hosted."
type = string
}

variable "domain" {
description = "Domain mapped to the load balancer."
type = string
}

variable "witnesses" {
description = "Map of witnesses by name. This name will be used as the path component of the URL under 'domain' when mapping the provided witness service_name"
type = map(object({
service_name = string,
region = string,
}))
}

variable "enable_cloud_armor" {
description = "Whether or not to enable Cloud Armor for the load balancer."
type = bool
default = false
}
Loading