Use terraform to config GCP proxy setup

With terraform (https://terraform.io) we can convert most of the infrastructure setup into code. This simplifies setting up a new proxy as well as providing reproducibility in the setup, eliminating human errors as much as possible. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=190634711
2025-05-15 00:47:11 +02:00 · 2018-03-27 10:29:44 -07:00 · 2018-03-27 10:29:44 -07:00 · 6dec95b980
commit 6dec95b980
parent 2bbde9d9a9
15 changed files with 641 additions and 30 deletions
--- a/java/google/registry/proxy/terraform/modules/common.tf
+++ b/java/google/registry/proxy/terraform/modules/common.tf
@ -0,0 +1,3 @@
+provider "google" {
+  project = "${var.proxy_project_name}"
+}
--- a/java/google/registry/proxy/terraform/modules/dns.tf
+++ b/java/google/registry/proxy/terraform/modules/dns.tf
@ -0,0 +1,36 @@
+resource "google_dns_managed_zone" "proxy_domain" {
+  name = "proxy-domain"
+  dns_name = "${var.proxy_domain_name}."
+}
+
+resource "google_dns_record_set" "proxy_epp_a_record" {
+  name = "epp.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "A"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv4_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_epp_aaaa_record" {
+  name = "epp.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "AAAA"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv6_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_whois_a_record" {
+  name = "whois.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "A"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv4_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_whois_aaaa_record" {
+  name = "whois.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "AAAA"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv6_address.address}"]
+}
--- a/java/google/registry/proxy/terraform/modules/gke.tf
+++ b/java/google/registry/proxy/terraform/modules/gke.tf
@ -0,0 +1,32 @@
+module "proxy_gke_americas" {
+  source = "./gke"
+  proxy_cluster_region = "americas"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+module "proxy_gke_emea" {
+  source = "./gke"
+  proxy_cluster_region = "emea"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+module "proxy_gke_apac" {
+  source = "./gke"
+  proxy_cluster_region = "apac"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+locals {
+  "proxy_instance_groups" = {
+    americas = "${module.proxy_gke_americas.proxy_instance_group}",
+    emea = "${module.proxy_gke_emea.proxy_instance_group}",
+    apac = "${module.proxy_gke_apac.proxy_instance_group}",
+  }
+}
+
+output "proxy_instance_groups" {
+  value = "${local.proxy_instance_groups}"
+}
--- a/java/google/registry/proxy/terraform/modules/gke/cluster.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/cluster.tf
@ -0,0 +1,37 @@
+locals {
+  proxy_cluster_zone = "${lookup(var.proxy_cluster_zones, var.proxy_cluster_region)}"
+}
+
+data "google_container_engine_versions" "gke_version" {
+  zone = "${local.proxy_cluster_zone}"
+}
+
+resource "google_container_cluster" "proxy_cluster" {
+  name = "proxy-cluster-${var.proxy_cluster_region}"
+  zone = "${local.proxy_cluster_zone}"
+  node_version = "${data.google_container_engine_versions.gke_version.latest_node_version}"
+  min_master_version = "${data.google_container_engine_versions.gke_version.latest_master_version}"
+
+  node_pool {
+    name = "proxy-node-pool"
+    initial_node_count = 1
+    node_config {
+      tags = [
+        "proxy-cluster"]
+      service_account = "${var.proxy_service_account_email}"
+      oauth_scopes = [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ]
+    }
+    autoscaling {
+      max_node_count = 5
+      min_node_count = 1
+    }
+    management {
+      auto_repair = true
+      auto_upgrade = true
+    }
+  }
+}
+
--- a/java/google/registry/proxy/terraform/modules/gke/input.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/input.tf
@ -0,0 +1,16 @@
+variable "proxy_service_account_email" {}
+
+variable "proxy_cluster_region" {}
+
+variable "proxy_cluster_zones" {
+  type = "map"
+  default = {
+    americas = "us-east4-a"
+    emea = "europe-west4-b"
+    apac = "asia-northeast1-c"
+  }
+}
+
+variable "proxy_ports" {
+  type = "map"
+}
--- a/java/google/registry/proxy/terraform/modules/gke/output.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/output.tf
@ -0,0 +1,3 @@
+output "proxy_instance_group" {
+  value = "${google_container_cluster.proxy_cluster.instance_group_urls[0]}"
+}
--- a/java/google/registry/proxy/terraform/modules/iam.tf
+++ b/java/google/registry/proxy/terraform/modules/iam.tf
@ -0,0 +1,26 @@
+resource "google_service_account" "proxy_service_account" {
+  account_id = "proxy-service-account"
+  display_name = "Nomulus proxy service account"
+}
+
+resource "google_project_iam_member" "nomulus_project_viewer" {
+  project = "${var.nomulus_project_name}"
+  role = "roles/viewer"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "gcr_storage_viewer" {
+  project = "${var.gcr_project_name}"
+  role = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "metric_writer" {
+  role = "roles/monitoring.metricWriter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "log_writer" {
+  role = "roles/logging.logWriter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
--- a/java/google/registry/proxy/terraform/modules/input.tf
+++ b/java/google/registry/proxy/terraform/modules/input.tf
@ -0,0 +1,31 @@
+# GCP project in which the proxy runs.
+variable "proxy_project_name" {}
+
+# GCP project in which Nomulus runs.
+variable "nomulus_project_name" {}
+
+# GCP project from which the proxy image is pulled.
+variable "gcr_project_name" {}
+
+# The base domain name of the proxy, without the whois. or epp. part.
+variable "proxy_domain_name" {}
+
+# Cloud KMS keyring name
+variable "proxy_key_ring" {
+  default = "proxy-key-ring"
+}
+
+# Cloud KMS key name
+variable "proxy_key" {
+  default = "proxy-key"
+}
+
+# Node ports exposed by the proxy.
+variable "proxy_ports" {
+  type = "map"
+  default = {
+    health_check = 30000
+    whois = 30001
+    epp = 30002
+  }
+}
--- a/java/google/registry/proxy/terraform/modules/kms.tf
+++ b/java/google/registry/proxy/terraform/modules/kms.tf
@ -0,0 +1,16 @@
+resource "google_kms_key_ring" "proxy_key_ring" {
+  name = "${var.proxy_key_ring}"
+  location = "global"
+}
+
+resource "google_kms_crypto_key" "proxy_key" {
+  name = "${var.proxy_key}"
+  key_ring = "${google_kms_key_ring.proxy_key_ring.id}"
+}
+
+resource "google_kms_crypto_key_iam_member" "ssl_key_decrypter" {
+  crypto_key_id = "${google_kms_crypto_key.proxy_key.id}"
+  role = "roles/cloudkms.cryptoKeyDecrypter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
--- a/java/google/registry/proxy/terraform/modules/networking.tf
+++ b/java/google/registry/proxy/terraform/modules/networking.tf
@ -0,0 +1,116 @@
+resource "google_compute_global_address" "proxy_ipv4_address" {
+  name = "proxy-ipv4-address"
+  ip_version = "IPV4"
+}
+
+resource "google_compute_global_address" "proxy_ipv6_address" {
+  name = "proxy-ipv6-address"
+  ip_version = "IPV6"
+}
+
+resource "google_compute_firewall" "proxy_firewall" {
+  name = "proxy-firewall"
+  network = "default"
+
+  allow {
+    protocol = "tcp"
+    ports = [
+      "${var.proxy_ports["epp"]}",
+      "${var.proxy_ports["whois"]}",
+      "${var.proxy_ports["health_check"]}"]
+  }
+
+  source_ranges = [
+    "130.211.0.0/22",
+    "35.191.0.0/16"]
+
+  target_tags = [
+    "proxy-cluster"
+  ]
+}
+
+resource "google_compute_health_check" "proxy_health_check" {
+  name = "proxy-health-check"
+
+  tcp_health_check {
+    port = "${var.proxy_ports["health_check"]}"
+    request = "HEALTH_CHECK_REQUEST"
+    response = "HEALTH_CHECK_RESPONSE"
+  }
+}
+
+resource "google_compute_backend_service" "epp_backend_service" {
+  name = "epp-backend-service"
+  protocol = "TCP"
+  timeout_sec = 3600
+  port_name = "epp"
+  backend {
+    group = "${local.proxy_instance_groups["americas"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["emea"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["apac"]}"
+  }
+  health_checks = [
+    "${google_compute_health_check.proxy_health_check.self_link}"]
+}
+
+resource "google_compute_backend_service" "whois_backend_service" {
+  name = "whois-backend-service"
+  protocol = "TCP"
+  timeout_sec = 60
+  port_name = "whois"
+  backend {
+    group = "${local.proxy_instance_groups["americas"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["emea"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["apac"]}"
+  }
+  health_checks = [
+    "${google_compute_health_check.proxy_health_check.self_link}"]
+}
+
+resource "google_compute_target_tcp_proxy" "epp_tcp_proxy" {
+  name = "epp-tcp-proxy"
+  proxy_header = "PROXY_V1"
+  backend_service = "${google_compute_backend_service.epp_backend_service.self_link}"
+}
+
+resource "google_compute_target_tcp_proxy" "whois_tcp_proxy" {
+  name = "whois-tcp-proxy"
+  proxy_header = "PROXY_V1"
+  backend_service = "${google_compute_backend_service.whois_backend_service.self_link}"
+}
+
+resource "google_compute_global_forwarding_rule" "epp_ipv4_forwarding_rule" {
+  name = "epp-ipv4-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv4_address.address}"
+  target = "${google_compute_target_tcp_proxy.epp_tcp_proxy.self_link}"
+  port_range = "700"
+}
+
+resource "google_compute_global_forwarding_rule" "epp_ipv6_forwarding_rule" {
+  name = "epp-ipv6-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv6_address.address}"
+  target = "${google_compute_target_tcp_proxy.epp_tcp_proxy.self_link}"
+  port_range = "700"
+}
+
+resource "google_compute_global_forwarding_rule" "whois_ipv4_forwarding_rule" {
+  name = "whois-ipv4-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv4_address.address}"
+  target = "${google_compute_target_tcp_proxy.whois_tcp_proxy.self_link}"
+  port_range = "43"
+}
+
+resource "google_compute_global_forwarding_rule" "whois_ipv6_forwarding_rule" {
+  name = "whois-ipv6-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv6_address.address}"
+  target = "${google_compute_target_tcp_proxy.whois_tcp_proxy.self_link}"
+  port_range = "43"
+}
--- a/java/google/registry/proxy/terraform/modules/output.tf
+++ b/java/google/registry/proxy/terraform/modules/output.tf
@ -0,0 +1,15 @@
+output "proxy_name_servers" {
+  value = "${google_dns_managed_zone.proxy_domain.name_servers}"
+}
+
+output "proxy_service_account_client_id" {
+  value = "${google_service_account.proxy_service_account.unique_id}"
+}
+
+output "proxy_ipv4_address" {
+  value = "${google_compute_global_address.proxy_ipv4_address.address}"
+}
+
+output "proxy_ipv6_address" {
+  value = "${google_compute_global_address.proxy_ipv6_address.address}"
+}