Use terraform to config GCP proxy setup

With terraform (https://terraform.io) we can convert most of the infrastructure setup into code. This simplifies setting up a new proxy as well as providing reproducibility in the setup, eliminating human errors as much as possible. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=190634711
2025-04-30 03:57:51 +02:00 · 2018-03-27 10:29:44 -07:00 · 2018-03-27 10:29:44 -07:00 · 6dec95b980
commit 6dec95b980
parent 2bbde9d9a9
15 changed files with 641 additions and 30 deletions
--- a/docs/proxy-setup.md
+++ b/docs/proxy-setup.md
@ -28,6 +28,230 @@ service like [Spinnaker](https://www.spinnaker.io/) for release management.

 ## Detailed Instruction

+We use [`gcloud`](https://cloud.google.com/sdk/gcloud/) and
+[`terraform`](https://terraform.io) to configure the proxy project on GCP. We
+use [`kubectl`](https://kubernetes.io/docs/tasks/tools/install-kubectl/) to
+deploy the proxy to the project. Additionally,
+[`gsutil`](https://cloud.google.com/storage/docs/gsutil) is used to create GCS
+bucket for storing the terraform state file. These instructions assume that all
+four tools are installed.
+
+### Setup GCP project
+
+There are three projects involved:
+
+-   Nomulus project: the project that hosts Nomulus.
+-   Proxy project: the project that hosts this proxy.
+-   GCR ([Google Container
+    Registry](https://cloud.google.com/container-registry/)) project: the
+    project from which the proxy pulls its Docker image.
+
+We recommend using the same project for Nomulus and the proxy, so that logs for
+both are collected in the same place and easily accessible. If there are
+multiple Nomulus projects (environments), such as production, sandbox, alpha,
+etc, it is recommended to use just one as the GCR project. This way the same
+proxy images are deployed to each environment, and what is running in production
+is the same image tested in sandbox before.
+
+The following document outlines the procedure to setup the proxy for one
+environment.
+
+In the proxy project, create a GCS bucket to store the terraform state file:
+
+```bash
+$ gsutil config
+$ gsutil mb -p <proxy-project> gs://<bucket-name>/
+```
+
+### Obtain a domain and SSL certificate
+
+The proxy exposes two endpoints, whois.\<yourdomain.tld\> and
+epp.\<yourdomain.tld\>. The base domain \<yourdomain.tld\> needs to be obtained
+from a registrar ([Google Domains](https://domains.google) for example). Nomulus
+operators can also self-allocate a domain in the TLDs under management.
+
+[EPP protocol over TCP](https://tools.ietf.org/html/rfc5734) requires a
+client-authenticated SSL connection. The operator of the proxy needs to obtain
+an SSL certificate for domain epp.\<yourdomain.tld\>. [Let's
+Encrypt](https://letsencrypt.org) offers SSL certificate free of charge, but any
+other CA can fill the role.
+
+Concatenate the certificate and its private key into one file:
+
+```bash
+$ cat <certificate.pem> <private.key> > <combined_secret.pem>
+```
+
+The order between the certificate and the private key inside the combined file
+does not matter. However, if the certificate file is chained, i. e. it contains
+not only the certificate for your domain, but also certificates from
+intermediate CAs, these certificates must appear in order. The previous
+certificate's issuer must be the next certificate's subject.
+
+### Setup proxy project
+
+First setup the [Application Default
+Credential](https://cloud.google.com/docs/authentication/production) locally:
+
+```bash
+$ gcloud auth application-default login
+```
+
+Login with the account that has "Project Owner" role of all three projects
+mentioned above.
+
+Navigate to `java/google/registry/proxy/terraform`, create a folder called
+`envs`, and inside it, create a folder for the environment that proxy is
+deployed to ("alpha" for example). Copy `example_config.tf` to the environment
+folder.
+
+```bash
+$ cd java/google/registry/proxy/terraform
+$ mkdir -p envs/alpha
+$ cp example_config.tf envs/alpha/config.tf
+```
+
+Now go to the environment folder, edit the `config.tf` file and replace
+placeholders with actual project and domain names.
+
+Run terraform:
+
+```bash
+$ cd envs/alpha
+(edit config.tf)
+$ terraform init -upgrade
+$ terraform apply
+```
+
+Go over the proposed changes, and answer "yes". Terraform will start configuring
+the projects, including setting up clusters, keyrings, load balancer, etc. This
+takes a couple of minutes.
+
+### Setup Nomulus
+
+After terraform completes, it outputs some information, among which is the
+client id of the service account created for the proxy. This needs to be added
+to the Nomulus configuration file so that Nomulus accepts traffic from the
+proxy. Edit the following section in
+`java/google/registry/config/files/nomulus-config-<env>.yaml` and redeploy
+Nomulus:
+
+```yaml
+oAuth:
+  allowedOauthClientIds:
+    - <client_id>
+```
+
+### Setup nameservers
+
+The terraform output (run `terraform output` in the environment folder to show
+it again) also shows the nameservers of the proxy domain (\<yourdomain.tld\>).
+Delegate this domain to these nameservers (through your registrar). If the
+domain is self-allocated by Nomulus, run:
+
+```bash
+$ nomulus -e production update_domain <yourdomain.tld> \
+-c <registrar_client_name> -n <nameserver1>,<nameserver2>,...
+```
+
+### Setup named ports
+
+Unfortunately, terraform currently cannot add named ports on the instance groups
+of the GKE clusters it manages. [Named
+ports](https://cloud.google.com/compute/docs/load-balancing/http/backend-service#named_ports)
+are needed for the load balancer it sets up to route traffic to the proxy. To
+set named ports, in the environment folder, do:
+
+```bash
+$ bash ../../update_named_ports.sh
+```
+
+### Encrypt the certificate to Cloud KMS
+
+With the newly set up Cloud KMS key, encrypt the certificate/key combo file
+created earlier:
+
+```bash
+$ gcloud kms encrypt --plaintext-file <combined_secret.pem> \
+--ciphertext-file <combined_secret.pem.enc> \
+--key <key-name> --keyring <keyring-name> --location global
+```
+
+Place the encrypted file <combined_secret.pem.enc> to
+`java/google/registry/proxy/resources`.
+
+### Edit proxy config file
+
+Proxy configuration files are at `java/google/registry/proxy/config/`. There is
+a default config that provides most values needed to run the proxy, and several
+environment-specific configs for proxy instances that communicate to different
+Nomulus environments. The values specified in the environment-specific file
+override those in the default file.
+
+The values that need to be changed include the project name, the Nomulus
+endpoint, encrypted certificate/key combo filename, Cloud KMS keyring and key
+names, etc. Refer to the default file for detailed descriptions on each field.
+
+### Upload proxy docker image to GCR
+
+Edit the `proxy_push` rule in `java/google/registry/proxy/BUILD` to add the GCR
+project name and the image name to save to. Note that as currently set up, all
+images pushed to GCR will be tagged `bazel` and the GKE deployment object loads
+the image tagged as `bazel`. This is fine for testing, but for production one
+should give images unique tags (also configured in the `proxy_push` rule).
+
+To push to GCR, run:
+
+```bash
+$ bazel run java/google/registry/proxy:proxy_push
+```
+
+### Deploy proxy
+
+Terraform by default creates three clusters, in the Americas, EMEA, and APAC,
+respectively. We will have to deploy to each cluster separately. The cluster
+information is shown by `terraform output` as well.
+
+Deployment is defined in two files, `proxy-deployment-<env>.yaml` and
+`proxy-service.yaml`. Edit `proxy-deployment-<env>.yaml` for your environment,
+fill in the GCR project name and image name. You can also change the arguments
+in the file to turn on logging, for example. To deploy to a cluster:
+
+```bash
+# Get credentials to deploy to a cluster.
+$ gcloud container clusters get-credentials --project <proxy-project> \
+--zone <cluster-zone> <cluster-name>
+
+# Deploys environment specific kubernetes objects.
+$ kubectl create -f \
+java/google/registry/proxy/kubernetes/proxy-deployment-<env>.yaml
+
+# Deploys shared kubernetes objects.
+$ kubectl create -f \
+java/google/registry/proxy/kubernetes/proxy-service.yaml
+```
+
+Repeat this for all three clusters.
+
+### Afterwork
+
+Remember to turn on [Stackdriver
+Monitoring](https://cloud.google.com/monitoring/docs/) for the proxy project as
+we use it to collect metrics from the proxy.
+
+You are done! The proxy should be running now. You should store the private key
+safely, or delete it as you now have the encrypted file shipped with the proxy.
+See "Additional Steps" in the appendix for other things to check.
+
+## Appendix
+
+Here we give detailed instructions on how to configure a GCP project to host the
+proxy manually. We strongly recommend against doing so because it is tedious and
+error-prone. Using Terraform is much easier. The following instructions are for
+educational purpose for readers to understand why we set up the infrastructure
+this way. The Terraform config is essentially a translation of the following
+procedure.
+
 ### Set default project

 The proxy can run on its own GCP project, or use the existing project that also
@ -93,6 +317,15 @@ $ gcloud projects add-iam-policy-binding <project-id> \
 --member serviceAccount:<service-account-email> --role roles/viewer
 ```

+Also bind the "Logs Writer" and role to the proxy service account so that it can
+write logs to [Stackdriver Logging](https://cloud.google.com/logging/).
+
+```bash
+$ gcloud projects add-iam-policy-binding <project-id> \
+--member serviceAccount:<service-accounte-email> \
+--role roles/logging.logWriter
+```
+
 ### Obtain a domain and SSL certificate

 A domain is needed (if you do not want to rely on IP addresses) for clients to
@ -202,9 +435,17 @@ immediately after.
 ```bash
 $ gcloud container clusters create proxy-americas-cluster --enable-autorepair \
 --enable-autoupgrade --enable-autoscaling --max-nodes=3 --min-nodes=1 \
--zone=us-east1-c --cluster-version=1.9.4-gke.1 --tags=proxy-cluster
+--zone=us-east1-c --cluster-version=1.9.4-gke.1 --tags=proxy-cluster \
+--service-account=<service-account-email>
 ```

+We give the GCE instances inside the cluster the same credential as the proxy
+service account, which makes it easier to limit permissions granted to service
+accounts. If we use the default GCE service account, we'd have to grant the
+default GCE service account permission to read from GCR in order to download
+images of the proxy to create pods, which gives *any* GCE instance with the
+default service account that permission.
+
 Note the `--tags` flag: it will apply the tag to all GCE instances running in
 the cluster, making it easier to set up firewall rules later on. Use the same
 tag for all clusters.
@ -239,29 +480,13 @@ To push to GCR, run:
 $ bazel run java/google/registry/proxy:proxy_push
 ```

-If the GCP project to host pull images (image project) is different from the
-project that the proxy runs in (proxy project), the default compute engine
-service account from the proxy project needs to be granted the ["Storage Object
-Viewer"](https://cloud.google.com/container-registry/docs/access-control) role
-in the image project. Kubernetes clusters in the proxy project use GCE VMs as
-nodes and the nodes by default use the default compute engine service account
-credential to pull images. This account is different from the proxy service
-account created earlier, which represents the credentials that the proxy itself
-has.
-
-To find the default compute engine service account:
-
-```bash
-$ gcloud iam service-accounts list \
-| grep "Compute Engine default service account"
-```
-
-To add the account with "Storage Object Viewer" role to the project hosting the
-images:
+If the GCP project to host images (gcr project) is different from the project
+that the proxy runs in (proxy project), give the service account "Storage Object
+Viewer" role of the gcr project.

 ```bash
 $ gcloud projects add-iam-policy-binding <image-project> \
--member serviceAccount:<gce-default-service-account> \
+--member serviceAccount:<service-account-email> \
 --role roles/storage.objectViewer
 ```

--- a/java/google/registry/proxy/kubernetes/proxy-deployment-alpha.yaml
+++ b/java/google/registry/proxy/kubernetes/proxy-deployment-alpha.yaml
@ -14,10 +14,6 @@ spec:
      labels:
        app: proxy
    spec:
-      volumes:
-      - name: service-account-key
-        secret:
-          secretName: service-account
      containers:
      - name: proxy
        image: gcr.io/GCP_PROJECT/IMAGE_NAME:bazel
@ -38,14 +34,9 @@ spec:
            port: health-check
          initialDelaySeconds: 15
          periodSeconds: 20
-        volumeMounts:
-        - name: service-account-key
-          mountPath: /var/secrets/google
        imagePullPolicy: Always
        args: ["--env", "alpha", "--log"]
        env:
-        - name: GOOGLE_APPLICATION_CREDENTIALS
-          value: /var/secrets/google/service-account-key.json
        - name: POD_ID
          valueFrom:
            fieldRef:
--- a/java/google/registry/proxy/terraform/example_config.tf
+++ b/java/google/registry/proxy/terraform/example_config.tf
@ -0,0 +1,35 @@
+terraform {
+  backend "gcs" {
+    # The name of the GCS bucket that stores the terraform.tfstate file.
+    bucket = "YOUR_GCS_BUCKET"
+    prefix = "terraform/state"
+  }
+}
+
+module "proxy" {
+  source = "../../modules"
+  proxy_project_name = "YOUR_PROXY_PROJECT"
+  nomulus_project_name = "YOUR_NOMULUS_GPROJECT"
+  gcr_project_name = "YOUR_GCR_PROJECT"
+  proxy_domain_name = "YOUR_PROXY_DOMAIN"
+}
+
+output "proxy_service_account_client_id" {
+  value = "${module.proxy.proxy_service_account_client_id}"
+}
+
+output "proxy_name_servers" {
+  value = "${module.proxy.proxy_name_servers}"
+}
+
+output "proxy_instance_groups" {
+  value = "${module.proxy.proxy_instance_groups}"
+}
+
+output "proxy_ip_addresses" {
+  value = {
+    ipv4 = "${module.proxy.proxy_ipv4_address}",
+    ipv6 = "${module.proxy.proxy_ipv6_address}"
+  }
+}
+
--- a/java/google/registry/proxy/terraform/modules/common.tf
+++ b/java/google/registry/proxy/terraform/modules/common.tf
@ -0,0 +1,3 @@
+provider "google" {
+  project = "${var.proxy_project_name}"
+}
--- a/java/google/registry/proxy/terraform/modules/dns.tf
+++ b/java/google/registry/proxy/terraform/modules/dns.tf
@ -0,0 +1,36 @@
+resource "google_dns_managed_zone" "proxy_domain" {
+  name = "proxy-domain"
+  dns_name = "${var.proxy_domain_name}."
+}
+
+resource "google_dns_record_set" "proxy_epp_a_record" {
+  name = "epp.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "A"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv4_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_epp_aaaa_record" {
+  name = "epp.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "AAAA"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv6_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_whois_a_record" {
+  name = "whois.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "A"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv4_address.address}"]
+}
+
+resource "google_dns_record_set" "proxy_whois_aaaa_record" {
+  name = "whois.${google_dns_managed_zone.proxy_domain.dns_name}"
+  type = "AAAA"
+  ttl  = 300
+  managed_zone = "${google_dns_managed_zone.proxy_domain.name}"
+  rrdatas = ["${google_compute_global_address.proxy_ipv6_address.address}"]
+}
--- a/java/google/registry/proxy/terraform/modules/gke.tf
+++ b/java/google/registry/proxy/terraform/modules/gke.tf
@ -0,0 +1,32 @@
+module "proxy_gke_americas" {
+  source = "./gke"
+  proxy_cluster_region = "americas"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+module "proxy_gke_emea" {
+  source = "./gke"
+  proxy_cluster_region = "emea"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+module "proxy_gke_apac" {
+  source = "./gke"
+  proxy_cluster_region = "apac"
+  proxy_service_account_email = "${google_service_account.proxy_service_account.email}"
+  proxy_ports = "${var.proxy_ports}"
+}
+
+locals {
+  "proxy_instance_groups" = {
+    americas = "${module.proxy_gke_americas.proxy_instance_group}",
+    emea = "${module.proxy_gke_emea.proxy_instance_group}",
+    apac = "${module.proxy_gke_apac.proxy_instance_group}",
+  }
+}
+
+output "proxy_instance_groups" {
+  value = "${local.proxy_instance_groups}"
+}
--- a/java/google/registry/proxy/terraform/modules/gke/cluster.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/cluster.tf
@ -0,0 +1,37 @@
+locals {
+  proxy_cluster_zone = "${lookup(var.proxy_cluster_zones, var.proxy_cluster_region)}"
+}
+
+data "google_container_engine_versions" "gke_version" {
+  zone = "${local.proxy_cluster_zone}"
+}
+
+resource "google_container_cluster" "proxy_cluster" {
+  name = "proxy-cluster-${var.proxy_cluster_region}"
+  zone = "${local.proxy_cluster_zone}"
+  node_version = "${data.google_container_engine_versions.gke_version.latest_node_version}"
+  min_master_version = "${data.google_container_engine_versions.gke_version.latest_master_version}"
+
+  node_pool {
+    name = "proxy-node-pool"
+    initial_node_count = 1
+    node_config {
+      tags = [
+        "proxy-cluster"]
+      service_account = "${var.proxy_service_account_email}"
+      oauth_scopes = [
+        "https://www.googleapis.com/auth/cloud-platform",
+        "https://www.googleapis.com/auth/userinfo.email"
+      ]
+    }
+    autoscaling {
+      max_node_count = 5
+      min_node_count = 1
+    }
+    management {
+      auto_repair = true
+      auto_upgrade = true
+    }
+  }
+}
+
--- a/java/google/registry/proxy/terraform/modules/gke/input.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/input.tf
@ -0,0 +1,16 @@
+variable "proxy_service_account_email" {}
+
+variable "proxy_cluster_region" {}
+
+variable "proxy_cluster_zones" {
+  type = "map"
+  default = {
+    americas = "us-east4-a"
+    emea = "europe-west4-b"
+    apac = "asia-northeast1-c"
+  }
+}
+
+variable "proxy_ports" {
+  type = "map"
+}
--- a/java/google/registry/proxy/terraform/modules/gke/output.tf
+++ b/java/google/registry/proxy/terraform/modules/gke/output.tf
@ -0,0 +1,3 @@
+output "proxy_instance_group" {
+  value = "${google_container_cluster.proxy_cluster.instance_group_urls[0]}"
+}
--- a/java/google/registry/proxy/terraform/modules/iam.tf
+++ b/java/google/registry/proxy/terraform/modules/iam.tf
@ -0,0 +1,26 @@
+resource "google_service_account" "proxy_service_account" {
+  account_id = "proxy-service-account"
+  display_name = "Nomulus proxy service account"
+}
+
+resource "google_project_iam_member" "nomulus_project_viewer" {
+  project = "${var.nomulus_project_name}"
+  role = "roles/viewer"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "gcr_storage_viewer" {
+  project = "${var.gcr_project_name}"
+  role = "roles/storage.objectViewer"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "metric_writer" {
+  role = "roles/monitoring.metricWriter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
+resource "google_project_iam_member" "log_writer" {
+  role = "roles/logging.logWriter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
--- a/java/google/registry/proxy/terraform/modules/input.tf
+++ b/java/google/registry/proxy/terraform/modules/input.tf
@ -0,0 +1,31 @@
+# GCP project in which the proxy runs.
+variable "proxy_project_name" {}
+
+# GCP project in which Nomulus runs.
+variable "nomulus_project_name" {}
+
+# GCP project from which the proxy image is pulled.
+variable "gcr_project_name" {}
+
+# The base domain name of the proxy, without the whois. or epp. part.
+variable "proxy_domain_name" {}
+
+# Cloud KMS keyring name
+variable "proxy_key_ring" {
+  default = "proxy-key-ring"
+}
+
+# Cloud KMS key name
+variable "proxy_key" {
+  default = "proxy-key"
+}
+
+# Node ports exposed by the proxy.
+variable "proxy_ports" {
+  type = "map"
+  default = {
+    health_check = 30000
+    whois = 30001
+    epp = 30002
+  }
+}
--- a/java/google/registry/proxy/terraform/modules/kms.tf
+++ b/java/google/registry/proxy/terraform/modules/kms.tf
@ -0,0 +1,16 @@
+resource "google_kms_key_ring" "proxy_key_ring" {
+  name = "${var.proxy_key_ring}"
+  location = "global"
+}
+
+resource "google_kms_crypto_key" "proxy_key" {
+  name = "${var.proxy_key}"
+  key_ring = "${google_kms_key_ring.proxy_key_ring.id}"
+}
+
+resource "google_kms_crypto_key_iam_member" "ssl_key_decrypter" {
+  crypto_key_id = "${google_kms_crypto_key.proxy_key.id}"
+  role = "roles/cloudkms.cryptoKeyDecrypter"
+  member = "serviceAccount:${google_service_account.proxy_service_account.email}"
+}
+
--- a/java/google/registry/proxy/terraform/modules/networking.tf
+++ b/java/google/registry/proxy/terraform/modules/networking.tf
@ -0,0 +1,116 @@
+resource "google_compute_global_address" "proxy_ipv4_address" {
+  name = "proxy-ipv4-address"
+  ip_version = "IPV4"
+}
+
+resource "google_compute_global_address" "proxy_ipv6_address" {
+  name = "proxy-ipv6-address"
+  ip_version = "IPV6"
+}
+
+resource "google_compute_firewall" "proxy_firewall" {
+  name = "proxy-firewall"
+  network = "default"
+
+  allow {
+    protocol = "tcp"
+    ports = [
+      "${var.proxy_ports["epp"]}",
+      "${var.proxy_ports["whois"]}",
+      "${var.proxy_ports["health_check"]}"]
+  }
+
+  source_ranges = [
+    "130.211.0.0/22",
+    "35.191.0.0/16"]
+
+  target_tags = [
+    "proxy-cluster"
+  ]
+}
+
+resource "google_compute_health_check" "proxy_health_check" {
+  name = "proxy-health-check"
+
+  tcp_health_check {
+    port = "${var.proxy_ports["health_check"]}"
+    request = "HEALTH_CHECK_REQUEST"
+    response = "HEALTH_CHECK_RESPONSE"
+  }
+}
+
+resource "google_compute_backend_service" "epp_backend_service" {
+  name = "epp-backend-service"
+  protocol = "TCP"
+  timeout_sec = 3600
+  port_name = "epp"
+  backend {
+    group = "${local.proxy_instance_groups["americas"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["emea"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["apac"]}"
+  }
+  health_checks = [
+    "${google_compute_health_check.proxy_health_check.self_link}"]
+}
+
+resource "google_compute_backend_service" "whois_backend_service" {
+  name = "whois-backend-service"
+  protocol = "TCP"
+  timeout_sec = 60
+  port_name = "whois"
+  backend {
+    group = "${local.proxy_instance_groups["americas"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["emea"]}"
+  }
+  backend {
+    group = "${local.proxy_instance_groups["apac"]}"
+  }
+  health_checks = [
+    "${google_compute_health_check.proxy_health_check.self_link}"]
+}
+
+resource "google_compute_target_tcp_proxy" "epp_tcp_proxy" {
+  name = "epp-tcp-proxy"
+  proxy_header = "PROXY_V1"
+  backend_service = "${google_compute_backend_service.epp_backend_service.self_link}"
+}
+
+resource "google_compute_target_tcp_proxy" "whois_tcp_proxy" {
+  name = "whois-tcp-proxy"
+  proxy_header = "PROXY_V1"
+  backend_service = "${google_compute_backend_service.whois_backend_service.self_link}"
+}
+
+resource "google_compute_global_forwarding_rule" "epp_ipv4_forwarding_rule" {
+  name = "epp-ipv4-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv4_address.address}"
+  target = "${google_compute_target_tcp_proxy.epp_tcp_proxy.self_link}"
+  port_range = "700"
+}
+
+resource "google_compute_global_forwarding_rule" "epp_ipv6_forwarding_rule" {
+  name = "epp-ipv6-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv6_address.address}"
+  target = "${google_compute_target_tcp_proxy.epp_tcp_proxy.self_link}"
+  port_range = "700"
+}
+
+resource "google_compute_global_forwarding_rule" "whois_ipv4_forwarding_rule" {
+  name = "whois-ipv4-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv4_address.address}"
+  target = "${google_compute_target_tcp_proxy.whois_tcp_proxy.self_link}"
+  port_range = "43"
+}
+
+resource "google_compute_global_forwarding_rule" "whois_ipv6_forwarding_rule" {
+  name = "whois-ipv6-forwarding-rule"
+  ip_address = "${google_compute_global_address.proxy_ipv6_address.address}"
+  target = "${google_compute_target_tcp_proxy.whois_tcp_proxy.self_link}"
+  port_range = "43"
+}
--- a/java/google/registry/proxy/terraform/modules/output.tf
+++ b/java/google/registry/proxy/terraform/modules/output.tf
@ -0,0 +1,15 @@
+output "proxy_name_servers" {
+  value = "${google_dns_managed_zone.proxy_domain.name_servers}"
+}
+
+output "proxy_service_account_client_id" {
+  value = "${google_service_account.proxy_service_account.unique_id}"
+}
+
+output "proxy_ipv4_address" {
+  value = "${google_compute_global_address.proxy_ipv4_address.address}"
+}
+
+output "proxy_ipv6_address" {
+  value = "${google_compute_global_address.proxy_ipv6_address.address}"
+}
--- a/java/google/registry/proxy/terraform/update_named_ports.sh
+++ b/java/google/registry/proxy/terraform/update_named_ports.sh
@ -0,0 +1,29 @@
+#!/bin/bash
+# Copyright 2018 The Nomulus Authors. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Terraform currently cannot set named ports on the instance groups underlying
+# the gke instances it creates. Here we output the instance group URL, extract
+# the project, zone and instance group names, and then call gcloud to add the
+# named ports.
+
+terraform output proxy_instance_groups | awk '{print $3}' | \
+  awk -F '/' '{print "--project", $7, "--zone", $9, $11}' |
+{
+  while read line
+  do
+    gcloud compute instance-groups set-named-ports \
+      --named-ports whois:30001,epp:30002 $line
+  done
+}