Add an internal lb to both gstg and gprd.

environments/gprd/gprd-web-iap-url-map.tf

-###########################################################
-# This is specific to the gprd environment
-# and defines the mapping from web-iap hosts to backend
-# services. This lb is used for allowing access to the gprd
-# site with oauth.
-variable "oauth2_client_id_web_iap" {}
-
-variable "oauth2_client_secret_web_iap" {}
-
-resource "google_compute_backend_service" "web-iap" {
-  name      = "gprd-web-iap"
-  protocol  = "HTTPS"
-  port_name = "https"
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[0]}"
-  }
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[1]}"
-  }
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[2]}"
-  }
-
-  health_checks = ["${google_compute_health_check.web-iap.self_link}"]
-
-  iap {
-    oauth2_client_id     = "${var.oauth2_client_id_web_iap}"
-    oauth2_client_secret = "${var.oauth2_client_secret_web_iap}"
-  }
-}
-
-resource "google_compute_health_check" "web-iap" {
-  name = "web-iap"
-
-  http_health_check {
-    port         = "8002"
-    request_path = "/-/available-https"
-  }
-}
-
-resource "google_compute_url_map" "web-iap" {
-  name            = "${format("%v-web-iap-lb", var.environment)}"
-  default_service = "${google_compute_backend_service.web-iap.self_link}"
-
-  host_rule {
-    hosts        = ["gprd.gitlab.com"]
-    path_matcher = "web-iap"
-  }
-
-  path_matcher {
-    name            = "web-iap"
-    default_service = "${google_compute_backend_service.web-iap.self_link}"
-
-    path_rule {
-      paths   = ["/*"]
-      service = "${google_compute_backend_service.web-iap.self_link}"
-    }
-  }
-}

environments/gprd/main.tf

@@ -538,25 +538,26 @@ module "artifacts" {
 ##################################
 
 module "fe-lb" {
-  bootstrap_version     = 3
-  chef_provision        = "${var.chef_provision}"
-  chef_run_list         = "\"role[${var.environment}-base-lb-fe]\""
-  dns_zone_name         = "${var.dns_zone_name}"
-  environment           = "${var.environment}"
-  ip_cidr_range         = "${var.subnetworks["fe-lb"]}"
-  machine_type          = "${var.machine_types["fe-lb"]}"
-  name                  = "fe"
-  node_count            = "${var.node_count["fe-lb"]}"
-  project               = "${var.project}"
-  public_ports          = "${var.public_ports["fe-lb"]}"
-  region                = "${var.region}"
-  service_account_email = "${var.service_account_email}"
-  source                = "../../modules/google/generic-sv-with-group"
-  health_check          = "http"
-  service_port          = 8002
-  service_path          = "/-/available-https"
-  tier                  = "lb"
-  vpc                   = "${module.network.self_link}"
+  bootstrap_version      = 3
+  chef_provision         = "${var.chef_provision}"
+  chef_run_list          = "\"role[${var.environment}-base-lb-fe]\""
+  dns_zone_name          = "${var.dns_zone_name}"
+  environment            = "${var.environment}"
+  ip_cidr_range          = "${var.subnetworks["fe-lb"]}"
+  machine_type           = "${var.machine_types["fe-lb"]}"
+  name                   = "fe"
+  node_count             = "${var.node_count["fe-lb"]}"
+  project                = "${var.project}"
+  public_ports           = "${var.public_ports["fe-lb"]}"
+  region                 = "${var.region}"
+  service_account_email  = "${var.service_account_email}"
+  source                 = "../../modules/google/generic-sv-with-group"
+  health_check           = "http"
+  service_port           = 8002
+  service_path           = "/-/available-https"
+  tier                   = "lb"
+  vpc                    = "${module.network.self_link}"
+  create_backend_service = false
 }
 
 ##################################
@@ -613,27 +614,6 @@ module "fe-lb-altssh" {
   vpc                   = "${module.network.self_link}"
 }
 
-#######################
-#
-# Load balancer to IAP on web front end
-#
-#######################
-
-module "web-iap" {
-  subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
-  environment     = "${var.environment}"
-  source          = "../../modules/google/web-iap"
-  name            = "web-iap"
-  gitlab_zone_id  = "${var.gitlab_com_zone_id}"
-  project         = "${var.project}"
-  region          = "${var.region}"
-  cert_link       = "${var.monitoring_cert_link}"
-  service_ports   = ["443"]
-  url_map         = "${google_compute_url_map.web-iap.self_link}"
-  hosts           = ["web"]
-  web_ip_fqdn     = "gprd.gitlab.com"
-}
-
 ##################################
 #
 #  GCP TCP LoadBalancers
@@ -657,6 +637,45 @@ module "gcp-tcp-lb" {
   instances              = ["${module.fe-lb.instances_self_link}"]
 }
 
+### The regional backend service that is required for the internal
+### load balancer. Unlike global backend services every instance
+### group _must_ contain at least one instance. Also you cannot
+### have both a global and a regional backend service.
+
+resource "google_compute_region_backend_service" "internal-lb" {
+  name     = "${format("%v-internal-lb", var.environment)}"
+  protocol = "TCP"
+
+  backend {
+    group = "${module.fe-lb.instance_groups_self_link[1]}"
+  }
+
+  health_checks = ["${module.fe-lb.http_health_check_self_link}"]
+}
+
+###### Internal Load balancer for the main site
+module "gcp-tcp-lb-internal" {
+  name                   = "gcp-tcp-lb-internal"
+  lb_count               = "${length(var.tcp_lbs_internal["names"])}"
+  names                  = "${var.tcp_lbs_internal["names"]}"
+  fqdn                   = "${var.lb_fqdn_internal}"
+  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
+  environment            = "${var.environment}"
+  region                 = "${var.region}"
+  project                = "${var.project}"
+  source                 = "../../modules/google/tcp-lb"
+  targets                = ["fe"]
+  forwarding_port_ranges = "${var.tcp_lbs_internal["forwarding_port_ranges"]}"
+  health_check_ports     = "${var.tcp_lbs_internal["health_check_ports"]}"
+  instances              = ["${module.fe-lb.instances_self_link}"]
+
+  ### Additional options only for internal lb
+  external             = false
+  vpc                  = "${module.network.self_link}"
+  subnetwork_self_link = "${module.fe-lb.google_compute_subnetwork_self_link}"
+  backend_service      = "${google_compute_region_backend_service.internal-lb.self_link}"
+}
+
 #### Load balancer for pages
 module "gcp-tcp-lb-pages" {
   name                   = "gcp-tcp-lb-pages"

environments/gprd/variables.tf

@@ -16,10 +16,6 @@ variable "monitoring_hosts" {
 
 # The top level domain record for the GitLab deployment.
 # For production this should be set to "gitlab.com"
-# Switch these entries to turn off iap
-variable "web_iap_fqdn" {
-  default = "web.gprd.gitlab.com"
-}
 
 variable "lb_fqdn" {
   default = "gprd.gitlab.com"
@@ -38,6 +34,10 @@ variable "lb_fqdn_bastion" {
   default = "lb-bastion.gprd.gitlab.com"
 }
 
+variable "lb_fqdn_internal" {
+  default = "internal.gprd.gitlab.com"
+}
+
 #
 # For every name there must be a corresponding
 # forwarding port range and health check port
@@ -53,6 +53,16 @@ variable "tcp_lbs" {
   }
 }
 
+variable "tcp_lbs_internal" {
+  type = "map"
+
+  default = {
+    "names"                  = ["http-internal", "https-internal", "ssh-internal"]
+    "forwarding_port_ranges" = ["80", "443", "22"]
+    "health_check_ports"     = ["8001", "8002", "8003"]
+  }
+}
+
 variable "tcp_lbs_pages" {
   type = "map"
 

environments/gstg/gstg-web-iap-url-map.tf

-###########################################################
-# This is specific to the gstg environment
-# and defines the mapping from web-iap hosts to backend
-# services. This lb is used for allowing access to the gstg
-# site with oauth.
-variable "oauth2_client_id_web_iap" {}
-
-variable "oauth2_client_secret_web_iap" {}
-
-resource "google_compute_backend_service" "web-iap" {
-  name      = "gstg-web-iap"
-  protocol  = "HTTPS"
-  port_name = "https"
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[0]}"
-  }
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[1]}"
-  }
-
-  backend {
-    group = "${module.fe-lb.instance_groups_self_link[2]}"
-  }
-
-  health_checks = ["${google_compute_health_check.web-iap.self_link}"]
-
-  # IAP disabled for staging
-  # iap {
-  #   oauth2_client_id     = "${var.oauth2_client_id_web_iap}"
-  #   oauth2_client_secret = "${var.oauth2_client_secret_web_iap}"
-  # }
-}
-
-resource "google_compute_health_check" "web-iap" {
-  name = "web-iap"
-
-  http_health_check {
-    port         = "8002"
-    request_path = "/-/available-https"
-  }
-}
-
-resource "google_compute_url_map" "web-iap" {
-  name            = "${format("%v-web-iap-lb", var.environment)}"
-  default_service = "${google_compute_backend_service.web-iap.self_link}"
-
-  host_rule {
-    hosts        = ["${var.web_iap_fqdn}"]
-    path_matcher = "web-iap"
-  }
-
-  path_matcher {
-    name            = "web-iap"
-    default_service = "${google_compute_backend_service.web-iap.self_link}"
-
-    path_rule {
-      paths   = ["/*"]
-      service = "${google_compute_backend_service.web-iap.self_link}"
-    }
-  }
-}

environments/gstg/main.tf

@@ -517,25 +517,26 @@ module "artifacts" {
 ##################################
 
 module "fe-lb" {
-  bootstrap_version     = 4
-  chef_provision        = "${var.chef_provision}"
-  chef_run_list         = "\"role[${var.environment}-base-lb-fe]\""
-  dns_zone_name         = "${var.dns_zone_name}"
-  environment           = "${var.environment}"
-  ip_cidr_range         = "${var.subnetworks["fe-lb"]}"
-  machine_type          = "${var.machine_types["fe-lb"]}"
-  name                  = "fe"
-  node_count            = "${var.node_count["fe-lb"]}"
-  project               = "${var.project}"
-  public_ports          = "${var.public_ports["fe-lb"]}"
-  region                = "${var.region}"
-  service_account_email = "${var.service_account_email}"
-  source                = "../../modules/google/generic-sv-with-group"
-  health_check          = "http"
-  service_port          = 8002
-  service_path          = "/-/available-https"
-  tier                  = "lb"
-  vpc                   = "${module.network.self_link}"
+  bootstrap_version      = 4
+  chef_provision         = "${var.chef_provision}"
+  chef_run_list          = "\"role[${var.environment}-base-lb-fe]\""
+  dns_zone_name          = "${var.dns_zone_name}"
+  environment            = "${var.environment}"
+  ip_cidr_range          = "${var.subnetworks["fe-lb"]}"
+  machine_type           = "${var.machine_types["fe-lb"]}"
+  name                   = "fe"
+  node_count             = "${var.node_count["fe-lb"]}"
+  project                = "${var.project}"
+  public_ports           = "${var.public_ports["fe-lb"]}"
+  region                 = "${var.region}"
+  service_account_email  = "${var.service_account_email}"
+  source                 = "../../modules/google/generic-sv-with-group"
+  health_check           = "http"
+  service_port           = 8002
+  service_path           = "/-/available-https"
+  tier                   = "lb"
+  vpc                    = "${module.network.self_link}"
+  create_backend_service = false
 }
 
 ##################################
@@ -592,27 +593,6 @@ module "fe-lb-altssh" {
   vpc                   = "${module.network.self_link}"
 }
 
-#######################
-#
-# Load balancer to IAP on web front end
-#
-#######################
-
-module "web-iap" {
-  subnetwork_name = "${google_compute_subnetwork.monitoring.name}"
-  environment     = "${var.environment}"
-  source          = "../../modules/google/web-iap"
-  name            = "web-iap"
-  gitlab_zone_id  = "${var.gitlab_com_zone_id}"
-  project         = "${var.project}"
-  region          = "${var.region}"
-  cert_link       = "${var.monitoring_cert_link}"
-  service_ports   = ["443"]
-  url_map         = "${google_compute_url_map.web-iap.self_link}"
-  hosts           = ["web"]
-  web_ip_fqdn     = "${var.web_iap_fqdn}"
-}
-
 ##################################
 #
 #  GCP TCP LoadBalancers
@@ -636,6 +616,45 @@ module "gcp-tcp-lb" {
   instances              = ["${module.fe-lb.instances_self_link}"]
 }
 
+### The regional backend service that is required for the internal
+### load balancer. Unlike global backend services every instance
+### group _must_ contain at least one instance. Also you cannot
+### have both a global and a regional backend service.
+
+resource "google_compute_region_backend_service" "internal-lb" {
+  name     = "${format("%v-internal-lb", var.environment)}"
+  protocol = "TCP"
+
+  backend {
+    group = "${module.fe-lb.instance_groups_self_link[1]}"
+  }
+
+  health_checks = ["${module.fe-lb.http_health_check_self_link}"]
+}
+
+###### Internal Load balancer for the main site
+module "gcp-tcp-lb-internal" {
+  name                   = "gcp-tcp-lb-internal"
+  lb_count               = "${length(var.tcp_lbs_internal["names"])}"
+  names                  = "${var.tcp_lbs_internal["names"]}"
+  fqdn                   = "${var.lb_fqdn_internal}"
+  gitlab_zone_id         = "${var.gitlab_com_zone_id}"
+  environment            = "${var.environment}"
+  region                 = "${var.region}"
+  project                = "${var.project}"
+  source                 = "../../modules/google/tcp-lb"
+  targets                = ["fe"]
+  forwarding_port_ranges = "${var.tcp_lbs_internal["forwarding_port_ranges"]}"
+  health_check_ports     = "${var.tcp_lbs_internal["health_check_ports"]}"
+  instances              = ["${module.fe-lb.instances_self_link}"]
+
+  ### Additional options only for internal lb
+  external             = false
+  vpc                  = "${module.network.self_link}"
+  subnetwork_self_link = "${module.fe-lb.google_compute_subnetwork_self_link}"
+  backend_service      = "${google_compute_region_backend_service.internal-lb.self_link}"
+}
+
 #### Load balancer for pages
 module "gcp-tcp-lb-pages" {
   name                   = "gcp-tcp-lb-pages"

environments/gstg/variables.tf

@@ -56,15 +56,8 @@ variable "monitoring_hosts" {
 
 #### GCP load balancing
 
-#### GCP load balancing
-
 # The top level domain record for the GitLab deployment.
 # For production this should be set to "gitlab.com"
-# Switch these entries if you want to enable IAP for
-# the main site.
-variable "web_iap_fqdn" {
-  default = "web.gstg.gitlab.com"
-}
 
 variable "lb_fqdn" {
   default = "gstg.gitlab.com"
@@ -84,6 +77,10 @@ variable "lb_fqdn_bastion" {
   default = "lb-bastion.gstg.gitlab.com"
 }
 
+variable "lb_fqdn_internal" {
+  default = "internal.gstg.gitlab.com"
+}
+
 #
 # For every name there must be a corresponding
 # forwarding port range and health check port
@@ -99,6 +96,16 @@ variable "tcp_lbs" {
   }
 }
 
+variable "tcp_lbs_internal" {
+  type = "map"
+
+  default = {
+    "names"                  = ["http-internal", "https-internal", "ssh-internal"]
+    "forwarding_port_ranges" = ["80", "443", "22"]
+    "health_check_ports"     = ["8001", "8002", "8003"]
+  }
+}
+
 variable "tcp_lbs_pages" {
   type = "map"
 

modules/google/generic-sv-with-group/instance.tf

 resource "google_compute_backend_service" "default" {
-  count     = "${var.enable_iap ? 0 : 1}"
+  count     = "${var.enable_iap || !var.create_backend_service ? 0 : 1}"
   name      = "${format("%v-%v", var.environment, var.name)}"
   protocol  = "${var.backend_protocol}"
   port_name = "${var.name}"
 
   backend {
-    group = "${google_compute_instance_group.default.*.self_link[0]}"
+    balancing_mode = "UTILIZATION"
+    group          = "${google_compute_instance_group.default.*.self_link[0]}"
   }
 
   backend {
-    group = "${google_compute_instance_group.default.*.self_link[1]}"
+    balancing_mode = "UTILIZATION"
+    group          = "${google_compute_instance_group.default.*.self_link[1]}"
   }
 
   backend {
-    group = "${google_compute_instance_group.default.*.self_link[2]}"
+    balancing_mode = "UTILIZATION"
+    group          = "${google_compute_instance_group.default.*.self_link[2]}"
   }
 
   health_checks = ["${var.health_check == "http" ? google_compute_health_check.http.self_link : google_compute_health_check.tcp.self_link }"]
 }
 
 resource "google_compute_backend_service" "iap" {
-  count     = "${var.enable_iap ? 1 : 0}"
+  count     = "${var.enable_iap && var.create_backend_service ? 1 : 0}"
   name      = "${format("%v-%v", var.environment, var.name)}"
   protocol  = "${var.backend_protocol}"
   port_name = "${var.name}"

modules/google/generic-sv-with-group/outputs.tf

@@ -31,3 +31,7 @@ output "google_compute_backend_service_iap_self_link" {
 output "google_compute_subnetwork_name" {
   value = "${element(concat(google_compute_subnetwork.subnetwork.*.name, list("")), 0)}"
 }
+
+output "google_compute_subnetwork_self_link" {
+  value = "${element(concat(google_compute_subnetwork.subnetwork.*.self_link, list("")), 0)}"
+}

modules/google/generic-sv-with-group/variables.tf

+variable "create_backend_service" {
+  default = true
+}
+
 variable "enable_iap" {
   default = false
 }

modules/google/tcp-lb/loadbalancing.tf

 data "google_compute_lb_ip_ranges" "ranges" {}
 
 resource "aws_route53_record" "default" {
+  count   = "${var.external ? 1 : 0}"
   zone_id = "${var.gitlab_zone_id}"
   name    = "${var.fqdn}"
   type    = "A"
@@ -8,11 +9,20 @@ resource "aws_route53_record" "default" {
   records = ["${google_compute_address.default.address}"]
 }
 
+resource "aws_route53_record" "internal" {
+  count   = "${var.external ? 0 : 1}"
+  zone_id = "${var.gitlab_zone_id}"
+  name    = "${var.fqdn}"
+  type    = "A"
+  ttl     = "300"
+  records = ["${google_compute_forwarding_rule.internal.ip_address}"]
+}
+
 resource "google_compute_address" "default" {
   name         = "${format("%v-%v", var.environment, var.name)}"
   project      = "${var.project}"
   region       = "${var.region}"
-  address_type = "EXTERNAL"
+  address_type = "${var.external ? "EXTERNAL" : "INTERNAL"}"
 }
 
 resource "google_compute_firewall" "default" {
@@ -29,18 +39,30 @@ resource "google_compute_firewall" "default" {
 }
 
 resource "google_compute_forwarding_rule" "default" {
-  count                 = "${var.lb_count}"
+  count                 = "${var.external ? var.lb_count : 0}"
   name                  = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
   project               = "${var.project}"
   region                = "${var.region}"
   target                = "${google_compute_target_pool.default.*.self_link[count.index]}"
-  load_balancing_scheme = "EXTERNAL"
+  load_balancing_scheme = "${var.external ? "EXTERNAL" : "INTERNAL"}"
   port_range            = "${var.forwarding_port_ranges[count.index]}"
   ip_address            = "${google_compute_address.default.address}"
 }
 
+resource "google_compute_forwarding_rule" "internal" {
+  count                 = "${var.external ? 0 : 1}"
+  name                  = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
+  project               = "${var.project}"
+  region                = "${var.region}"
+  backend_service       = "${var.backend_service}"
+  load_balancing_scheme = "${var.external ? "EXTERNAL" : "INTERNAL"}"
+  ports                 = ["${var.forwarding_port_ranges}"]
+  network               = "${var.environment}"
+  subnetwork            = "${var.subnetwork_self_link}"
+}
+
 resource "google_compute_target_pool" "default" {
-  count            = "${var.lb_count}"
+  count            = "${var.external ? var.lb_count : 0}"
   name             = "${format("%v-%v-%v", var.environment, var.name, var.names[count.index])}"
   project          = "${var.project}"
   region           = "${var.region}"

modules/google/tcp-lb/variables.tf

 variable "lb_count" {}
 variable "fqdn" {}
 
+# These should be set for an internal load balancer
+variable "subnetwork_self_link" {
+  default = ""
+}
+
+variable "ip_cidr_range" {
+  default = "10.0.0.0/18"
+}
+
+variable "vpc" {
+  default = ""
+}
+
+variable "backend_service" {
+  default = ""
+}
+
+#####################################
+
+variable "external" {
+  default = true
+}
+
 variable "health_check_ports" {
   type = "list"
 }