Commit c69a773b authored by John Jarvis's avatar John Jarvis

Add an internal lb to both gstg and gprd.

parent db1a5e24
###########################################################
# This is specific to the gprd environment
# and defines the mapping from web-iap hosts to backend
# services. This lb is used for allowing access to the gprd
# site with oauth.
variable "oauth2_client_id_web_iap" {}
variable "oauth2_client_secret_web_iap" {}
resource "google_compute_backend_service" "web-iap" {
name = "gprd-web-iap"
protocol = "HTTPS"
port_name = "https"
backend {
group = "${module.fe-lb.instance_groups_self_link[0]}"
}
backend {
group = "${module.fe-lb.instance_groups_self_link[1]}"
}
backend {
group = "${module.fe-lb.instance_groups_self_link[2]}"
}
health_checks = ["${google_compute_health_check.web-iap.self_link}"]
iap {
oauth2_client_id = "${var.oauth2_client_id_web_iap}"
oauth2_client_secret = "${var.oauth2_client_secret_web_iap}"
}
}
resource "google_compute_health_check" "web-iap" {
name = "web-iap"
http_health_check {
port = "8002"
request_path = "/-/available-https"
}
}
resource "google_compute_url_map" "web-iap" {
name = "${format("%v-web-iap-lb", var.environment)}"
default_service = "${google_compute_backend_service.web-iap.self_link}"
host_rule {
hosts = ["gprd.gitlab.com"]
path_matcher = "web-iap"
}
path_matcher {
name = "web-iap"
default_service = "${google_compute_backend_service.web-iap.self_link}"
path_rule {
paths = ["/*"]
service = "${google_compute_backend_service.web-iap.self_link}"
}
}
}
......@@ -538,25 +538,26 @@ module "artifacts" {
##################################
module "fe-lb" {
bootstrap_version = 3
chef_provision = "${var.chef_provision}"
chef_run_list = "\"role[${var.environment}-base-lb-fe]\""
dns_zone_name = "${var.dns_zone_name}"
environment = "${var.environment}"
ip_cidr_range = "${var.subnetworks["fe-lb"]}"
machine_type = "${var.machine_types["fe-lb"]}"
name = "fe"
node_count = "${var.node_count["fe-lb"]}"
project = "${var.project}"
public_ports = "${var.public_ports["fe-lb"]}"
region = "${var.region}"
service_account_email = "${var.service_account_email}"
source = "../../modules/google/generic-sv-with-group"
health_check = "http"
service_port = 8002
service_path = "/-/available-https"
tier = "lb"
vpc = "${module.network.self_link}"
bootstrap_version = 3
chef_provision = "${var.chef_provision}"
chef_run_list = "\"role[${var.environment}-base-lb-fe]\""
dns_zone_name = "${var.dns_zone_name}"
environment = "${var.environment}"
ip_cidr_range = "${var.subnetworks["fe-lb"]}"
machine_type = "${var.machine_types["fe-lb"]}"
name = "fe"
node_count = "${var.node_count["fe-lb"]}"
project = "${var.project}"
public_ports = "${var.public_ports["fe-lb"]}"
region = "${var.region}"
service_account_email = "${var.service_account_email}"
source = "../../modules/google/generic-sv-with-group"
health_check = "http"
service_port = 8002
service_path = "/-/available-https"
tier = "lb"
vpc = "${module.network.self_link}"
create_backend_service = false
}
##################################
......@@ -613,27 +614,6 @@ module "fe-lb-altssh" {
vpc = "${module.network.self_link}"
}
#######################
#
# Load balancer to IAP on web front end
#
#######################
module "web-iap" {
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
environment = "${var.environment}"
source = "../../modules/google/web-iap"
name = "web-iap"
gitlab_zone_id = "${var.gitlab_com_zone_id}"
project = "${var.project}"
region = "${var.region}"
cert_link = "${var.monitoring_cert_link}"
service_ports = ["443"]
url_map = "${google_compute_url_map.web-iap.self_link}"
hosts = ["web"]
web_ip_fqdn = "gprd.gitlab.com"
}
##################################
#
# GCP TCP LoadBalancers
......@@ -657,6 +637,45 @@ module "gcp-tcp-lb" {
instances = ["${module.fe-lb.instances_self_link}"]
}
### The regional backend service that is required for the internal
### load balancer. Unlike global backend services every instance
### group _must_ contain at least one instance. Also you cannot
### have both a global and a regional backend service.
resource "google_compute_region_backend_service" "internal-lb" {
name = "${format("%v-internal-lb", var.environment)}"
protocol = "TCP"
backend {
group = "${module.fe-lb.instance_groups_self_link[1]}"
}
health_checks = ["${module.fe-lb.http_health_check_self_link}"]
}
###### Internal Load balancer for the main site
module "gcp-tcp-lb-internal" {
name = "gcp-tcp-lb-internal"
lb_count = "${length(var.tcp_lbs_internal["names"])}"
names = "${var.tcp_lbs_internal["names"]}"
fqdn = "${var.lb_fqdn_internal}"
gitlab_zone_id = "${var.gitlab_com_zone_id}"
environment = "${var.environment}"
region = "${var.region}"
project = "${var.project}"
source = "../../modules/google/tcp-lb"
targets = ["fe"]
forwarding_port_ranges = "${var.tcp_lbs_internal["forwarding_port_ranges"]}"
health_check_ports = "${var.tcp_lbs_internal["health_check_ports"]}"
instances = ["${module.fe-lb.instances_self_link}"]
### Additional options only for internal lb
external = false
vpc = "${module.network.self_link}"
subnetwork_self_link = "${module.fe-lb.google_compute_subnetwork_self_link}"
backend_service = "${google_compute_region_backend_service.internal-lb.self_link}"
}
#### Load balancer for pages
module "gcp-tcp-lb-pages" {
name = "gcp-tcp-lb-pages"
......
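Review bot: The region backend service `internal-lb` (the `+637,45` hunk) attaches only `module.fe-lb.instance_groups_self_link[1]`, so the new internal load balancer depends on the fe instances of that single group; if that group is ever scaled to zero or its zone is lost, `internal.gprd.gitlab.com` stops serving while the external LB keeps serving from the other groups. The header comment explains the one-instance-per-group constraint but not why index 1 was chosen, so a line such as `### Only group [1] is attached: regional backends reject empty groups and not every fe group is guaranteed an instance — revisit once each zone has an fe node` would stop the next reader from silently changing it. `targets`, `instances` and `health_check_ports` are also passed to `gcp-tcp-lb-internal`, but from the tcp-lb module hunks in this commit the internal path creates no target pool, so those inputs appear unused for the internal LB (inferred from what is visible). The gstg main.tf section further down has the identical block and the same notes apply.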
......@@ -16,10 +16,6 @@ variable "monitoring_hosts" {
# The top level domain record for the GitLab deployment.
# For production this should be set to "gitlab.com"
# Switch these entries to turn off iap
variable "web_iap_fqdn" {
default = "web.gprd.gitlab.com"
}
variable "lb_fqdn" {
default = "gprd.gitlab.com"
......@@ -38,6 +34,10 @@ variable "lb_fqdn_bastion" {
default = "lb-bastion.gprd.gitlab.com"
}
variable "lb_fqdn_internal" {
default = "internal.gprd.gitlab.com"
}
#
# For every name there must be a corresponding
# forwarding port range and health check port
......@@ -53,6 +53,16 @@ variable "tcp_lbs" {
}
}
variable "tcp_lbs_internal" {
type = "map"
default = {
"names" = ["http-internal", "https-internal", "ssh-internal"]
"forwarding_port_ranges" = ["80", "443", "22"]
"health_check_ports" = ["8001", "8002", "8003"]
}
}
variable "tcp_lbs_pages" {
type = "map"
......
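Review bot: `tcp_lbs_internal` declares `health_check_ports` 8001/8002/8003 next to the three names, but the internal forwarding rule added to the tcp-lb module in this commit takes its health check from `var.backend_service` (the fe-lb module's HTTP check), so these ports are not obviously consumed on the internal path; if that is right, a comment such as `# health_check_ports is only read by the external (target pool) path; the internal lb is health-checked through the region backend service` would keep the next reader from tuning dead values. `lb_fqdn_internal` is also published through the same `gitlab_com_zone_id` as the public names; if that hosted zone is public, the internal LB's private address becomes world-resolvable, which deserves a comment on the variable (or a private zone) — the zone type is not visible here. The gstg variables.tf section has the same two additions.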
###########################################################
# This is specific to the gstg environment
# and defines the mapping from web-iap hosts to backend
# services. This lb is used for allowing access to the gstg
# site with oauth.
variable "oauth2_client_id_web_iap" {}
variable "oauth2_client_secret_web_iap" {}
resource "google_compute_backend_service" "web-iap" {
name = "gstg-web-iap"
protocol = "HTTPS"
port_name = "https"
backend {
group = "${module.fe-lb.instance_groups_self_link[0]}"
}
backend {
group = "${module.fe-lb.instance_groups_self_link[1]}"
}
backend {
group = "${module.fe-lb.instance_groups_self_link[2]}"
}
health_checks = ["${google_compute_health_check.web-iap.self_link}"]
# IAP disabled for staging
# iap {
# oauth2_client_id = "${var.oauth2_client_id_web_iap}"
# oauth2_client_secret = "${var.oauth2_client_secret_web_iap}"
# }
}
resource "google_compute_health_check" "web-iap" {
name = "web-iap"
http_health_check {
port = "8002"
request_path = "/-/available-https"
}
}
resource "google_compute_url_map" "web-iap" {
name = "${format("%v-web-iap-lb", var.environment)}"
default_service = "${google_compute_backend_service.web-iap.self_link}"
host_rule {
hosts = ["${var.web_iap_fqdn}"]
path_matcher = "web-iap"
}
path_matcher {
name = "web-iap"
default_service = "${google_compute_backend_service.web-iap.self_link}"
path_rule {
paths = ["/*"]
service = "${google_compute_backend_service.web-iap.self_link}"
}
}
}
......@@ -517,25 +517,26 @@ module "artifacts" {
##################################
module "fe-lb" {
bootstrap_version = 4
chef_provision = "${var.chef_provision}"
chef_run_list = "\"role[${var.environment}-base-lb-fe]\""
dns_zone_name = "${var.dns_zone_name}"
environment = "${var.environment}"
ip_cidr_range = "${var.subnetworks["fe-lb"]}"
machine_type = "${var.machine_types["fe-lb"]}"
name = "fe"
node_count = "${var.node_count["fe-lb"]}"
project = "${var.project}"
public_ports = "${var.public_ports["fe-lb"]}"
region = "${var.region}"
service_account_email = "${var.service_account_email}"
source = "../../modules/google/generic-sv-with-group"
health_check = "http"
service_port = 8002
service_path = "/-/available-https"
tier = "lb"
vpc = "${module.network.self_link}"
bootstrap_version = 4
chef_provision = "${var.chef_provision}"
chef_run_list = "\"role[${var.environment}-base-lb-fe]\""
dns_zone_name = "${var.dns_zone_name}"
environment = "${var.environment}"
ip_cidr_range = "${var.subnetworks["fe-lb"]}"
machine_type = "${var.machine_types["fe-lb"]}"
name = "fe"
node_count = "${var.node_count["fe-lb"]}"
project = "${var.project}"
public_ports = "${var.public_ports["fe-lb"]}"
region = "${var.region}"
service_account_email = "${var.service_account_email}"
source = "../../modules/google/generic-sv-with-group"
health_check = "http"
service_port = 8002
service_path = "/-/available-https"
tier = "lb"
vpc = "${module.network.self_link}"
create_backend_service = false
}
##################################
......@@ -592,27 +593,6 @@ module "fe-lb-altssh" {
vpc = "${module.network.self_link}"
}
#######################
#
# Load balancer to IAP on web front end
#
#######################
module "web-iap" {
subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
environment = "${var.environment}"
source = "../../modules/google/web-iap"
name = "web-iap"
gitlab_zone_id = "${var.gitlab_com_zone_id}"
project = "${var.project}"
region = "${var.region}"
cert_link = "${var.monitoring_cert_link}"
service_ports = ["443"]
url_map = "${google_compute_url_map.web-iap.self_link}"
hosts = ["web"]
web_ip_fqdn = "${var.web_iap_fqdn}"
}
##################################
#
# GCP TCP LoadBalancers
......@@ -636,6 +616,45 @@ module "gcp-tcp-lb" {
instances = ["${module.fe-lb.instances_self_link}"]
}
### The regional backend service that is required for the internal
### load balancer. Unlike global backend services every instance
### group _must_ contain at least one instance. Also you cannot
### have both a global and a regional backend service.
resource "google_compute_region_backend_service" "internal-lb" {
name = "${format("%v-internal-lb", var.environment)}"
protocol = "TCP"
backend {
group = "${module.fe-lb.instance_groups_self_link[1]}"
}
health_checks = ["${module.fe-lb.http_health_check_self_link}"]
}
###### Internal Load balancer for the main site
module "gcp-tcp-lb-internal" {
name = "gcp-tcp-lb-internal"
lb_count = "${length(var.tcp_lbs_internal["names"])}"
names = "${var.tcp_lbs_internal["names"]}"
fqdn = "${var.lb_fqdn_internal}"
gitlab_zone_id = "${var.gitlab_com_zone_id}"
environment = "${var.environment}"
region = "${var.region}"
project = "${var.project}"
source = "../../modules/google/tcp-lb"
targets = ["fe"]
forwarding_port_ranges = "${var.tcp_lbs_internal["forwarding_port_ranges"]}"
health_check_ports = "${var.tcp_lbs_internal["health_check_ports"]}"
instances = ["${module.fe-lb.instances_self_link}"]
### Additional options only for internal lb
external = false
vpc = "${module.network.self_link}"
subnetwork_self_link = "${module.fe-lb.google_compute_subnetwork_self_link}"
backend_service = "${google_compute_region_backend_service.internal-lb.self_link}"
}
#### Load balancer for pages
module "gcp-tcp-lb-pages" {
name = "gcp-tcp-lb-pages"
......
......@@ -56,15 +56,8 @@ variable "monitoring_hosts" {
#### GCP load balancing
#### GCP load balancing
# The top level domain record for the GitLab deployment.
# For production this should be set to "gitlab.com"
# Switch these entries if you want to enable IAP for
# the main site.
variable "web_iap_fqdn" {
default = "web.gstg.gitlab.com"
}
variable "lb_fqdn" {
default = "gstg.gitlab.com"
......@@ -84,6 +77,10 @@ variable "lb_fqdn_bastion" {
default = "lb-bastion.gstg.gitlab.com"
}
variable "lb_fqdn_internal" {
default = "internal.gstg.gitlab.com"
}
#
# For every name there must be a corresponding
# forwarding port range and health check port
......@@ -99,6 +96,16 @@ variable "tcp_lbs" {
}
}
variable "tcp_lbs_internal" {
type = "map"
default = {
"names" = ["http-internal", "https-internal", "ssh-internal"]
"forwarding_port_ranges" = ["80", "443", "22"]
"health_check_ports" = ["8001", "8002", "8003"]
}
}
variable "tcp_lbs_pages" {
type = "map"
......
resource "google_compute_backend_service" "default" {
count = "${var.enable_iap ? 0 : 1}"
count = "${var.enable_iap || !var.create_backend_service ? 0 : 1}"
name = "${format("%v-%v", var.environment, var.name)}"
protocol = "${var.backend_protocol}"
port_name = "${var.name}"
backend {
group = "${google_compute_instance_group.default.*.self_link[0]}"
balancing_mode = "UTILIZATION"
group = "${google_compute_instance_group.default.*.self_link[0]}"
}
backend {
group = "${google_compute_instance_group.default.*.self_link[1]}"
balancing_mode = "UTILIZATION"
group = "${google_compute_instance_group.default.*.self_link[1]}"
}
backend {
group = "${google_compute_instance_group.default.*.self_link[2]}"
balancing_mode = "UTILIZATION"
group = "${google_compute_instance_group.default.*.self_link[2]}"
}
health_checks = ["${var.health_check == "http" ? google_compute_health_check.http.self_link : google_compute_health_check.tcp.self_link }"]
}
resource "google_compute_backend_service" "iap" {
count = "${var.enable_iap ? 1 : 0}"
count = "${var.enable_iap && var.create_backend_service ? 1 : 0}"
name = "${format("%v-%v", var.environment, var.name)}"
protocol = "${var.backend_protocol}"
port_name = "${var.name}"
......
......@@ -31,3 +31,7 @@ output "google_compute_backend_service_iap_self_link" {
output "google_compute_subnetwork_name" {
value = "${element(concat(google_compute_subnetwork.subnetwork.*.name, list("")), 0)}"
}
output "google_compute_subnetwork_self_link" {
value = "${element(concat(google_compute_subnetwork.subnetwork.*.self_link, list("")), 0)}"
}
variable "create_backend_service" {
default = true
}
variable "enable_iap" {
default = false
}
......
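Review bot: `create_backend_service` is added without a description, and the reason it exists — a global backend service cannot coexist with the regional one the environments now create for the internal LB — is documented only in the environments' main.tf, where module users will not see it; add `description = "Set to false when the caller creates its own (e.g. regional) backend service for these instance groups; GCP forbids a global and a regional backend service on the same groups"`. Since the `count` expressions in main.tf make both the `default` and `iap` backend services count 0 whenever this is false, the description should also say that `enable_iap` has no effect while `create_backend_service = false`.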
data "google_compute_lb_ip_ranges" "ranges" {}
resource "aws_route53_record" "default" {
count = "${var.external ? 1 : 0}"
zone_id = "${var.gitlab_zone_id}"
name = "${var.fqdn}"
type = "A"
......@@ -8,11 +9,20 @@ resource "aws_route53_record" "default" {
records = ["${google_compute_address.default.address}"]
}
resource "aws_route53_record" "internal" {
count = "${var.external ? 0 : 1}"
zone_id = "${var.gitlab_zone_id}"
name = "${var.fqdn}"
type = "A"
ttl = "300"
records = ["${google_compute_forwarding_rule.internal.ip_address}"]
}
resource "google_compute_address" "default" {
name = "${format("%v-%v", var.environment, var.name)}"
project = "${var.project}"
region = "${var.region}"
address_type = "EXTERNAL"
address_type = "${var.external ? "EXTERNAL" : "INTERNAL"}"
}
resource "google_compute_firewall" "default" {
......@@ -29,18 +39,30 @@ resource "google_compute_firewall" "default" {
}
resource "google_compute_forwarding_rule" "default" {
count = "${var.lb_count}"
count = "${var.external ? var.lb_count : 0}"
name = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
project = "${var.project}"
region = "${var.region}"
target = "${google_compute_target_pool.default.*.self_link[count.index]}"
load_balancing_scheme = "EXTERNAL"
load_balancing_scheme = "${var.external ? "EXTERNAL" : "INTERNAL"}"
port_range = "${var.forwarding_port_ranges[count.index]}"
ip_address = "${google_compute_address.default.address}"
}
resource "google_compute_forwarding_rule" "internal" {
count = "${var.external ? 0 : 1}"
name = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
project = "${var.project}"
region = "${var.region}"
backend_service = "${var.backend_service}"
load_balancing_scheme = "${var.external ? "EXTERNAL" : "INTERNAL"}"
ports = ["${var.forwarding_port_ranges}"]
network = "${var.environment}"
subnetwork = "${var.subnetwork_self_link}"
}
resource "google_compute_target_pool" "default" {
count = "${var.lb_count}"
count = "${var.external ? var.lb_count : 0}"
name = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
project = "${var.project}"
region = "${var.region}"
......
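Review bot: `google_compute_forwarding_rule.internal` does not set `ip_address`, so the `google_compute_address.default` now reserved as INTERNAL is never used and `aws_route53_record.internal` publishes the rule's ephemeral `ip_address`, which changes whenever the rule is recreated; set `ip_address = "${google_compute_address.default.address}"` on the internal rule (and, I believe, `subnetwork = "${var.subnetwork_self_link}"` on the address, which INTERNAL addresses require). The internal rule also uses `network = "${var.environment}"` although the callers pass the VPC self link as `vpc`; `network = "${var.vpc}"` avoids relying on the VPC name equalling the environment name. Finally, the rule's count is 1 but `name` uses `var.names[count.index]` while `ports` receives the whole `var.forwarding_port_ranges` list, so one rule named `…-http-internal` carries 80, 443 and 22 — either derive the name from `var.name` alone or document that a single internal rule fronts every configured port.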
variable "lb_count" {}
variable "fqdn" {}
# These should be set for an internal load balancer
variable "subnetwork_self_link" {
default = ""
}
variable "ip_cidr_range" {
default = "10.0.0.0/18"
}
variable "vpc" {
default = ""
}
variable "backend_service" {
default = ""
}
#####################################
variable "external" {
default = true
}
variable "health_check_ports" {
type = "list"
}
......
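Review bot: `ip_cidr_range` (default `10.0.0.0/18`) and `vpc` (default `""`) are introduced under "These should be set for an internal load balancer", but none of the tcp-lb main.tf hunks in this commit read them — the internal forwarding rule uses `var.environment` for `network` and `var.subnetwork_self_link` for the subnetwork — so they are either unused or consumed outside the diff. Either drop them or give each a `description` naming the resource that reads it, e.g. `description = "VPC self link for the internal forwarding rule; required when external = false"`, and do the same for `backend_service` and `subnetwork_self_link`, whose `""` defaults would yield an invalid forwarding rule at apply time rather than a clear validation error when a caller forgets them.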
  • John Jarvis @jarv

    mentioned in issue migration#495

    By John Jarvis on 2018-05-26T12:31:41 (imported from GitLab project)

    ·

    mentioned in issue migration#495

    By John Jarvis on 2018-05-26T12:31:41 (imported from GitLab project)
