# HTTPS Load Balancer Resources
# The GKE Ingress controller does not reliably create the HTTPS resources when
# Certificate Manager certificate maps are used, so they are created explicitly here.
# Give the GKE Ingress controller time to materialise the URL map before
# anything downstream tries to read its annotation. The wait is re-run when
# the Ingress name changes, i.e. when the Ingress has been replaced.
resource "time_sleep" "wait_for_ingress" {
  create_duration = "120s"

  # Keying the sleep on the Ingress name forces a fresh wait after a replacement.
  triggers = {
    ingress_name = kubernetes_ingress_v1.bitbucket.metadata[0].name
  }

  depends_on = [kubernetes_ingress_v1.bitbucket]
}
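# Read the URL map name the GKE Ingress controller wrote into the Ingress
# annotation "ingress.kubernetes.io/url-map".
#
# The controller writes the annotation asynchronously, so the script polls it
# (30 attempts, 10 s apart, i.e. 5 minutes) and returns {"url_map": "<name>"}.
#
# Security/robustness notes:
#   - Cluster, region, project, Ingress name and namespace are passed as
#     positional arguments ($1..$5) instead of being interpolated into the
#     script text, so a variable value can never change the shell command.
#   - A failed `gcloud get-credentials` aborts immediately rather than polling
#     for 5 minutes against the wrong (or no) kube context.
#   - The annotation value is checked against the GCE resource-name charset
#     before it is emitted, so the JSON is always well-formed and the value
#     cannot inject extra path segments into the url_map self-link built by
#     google_compute_target_https_proxy.bitbucket.
#   - NOTE(review): the Ingress name/namespace are taken from the
#     kubernetes_ingress_v1.bitbucket resource (previously hard-coded as
#     "bitbucket-ingress" in namespace "bitbucket") — confirm they match.
data "external" "ingress_url_map" {
  program = [
    "bash", "-c", <<-EOT
      set -uo pipefail
      cluster="$1"; region="$2"; project="$3"; ingress="$4"; namespace="$5"

      # Point kubectl at the right cluster; fail fast if that does not work.
      if ! gcloud container clusters get-credentials "$cluster" --region "$region" --project "$project" >/dev/null 2>&1; then
        echo "gcloud get-credentials failed for cluster $cluster (region $region, project $project)" >&2
        exit 1
      fi

      for attempt in {1..30}; do
        URL_MAP=$(kubectl get ingress "$ingress" -n "$namespace" -o jsonpath='{.metadata.annotations.ingress\.kubernetes\.io/url-map}' 2>/dev/null || true)
        if [ -n "$URL_MAP" ]; then
          # A URL map name is a GCE resource name (lowercase letters, digits,
          # hyphens). Reject anything else instead of emitting it as JSON.
          case "$URL_MAP" in
            *[!a-z0-9-]*)
              echo "unexpected url-map annotation value: $URL_MAP" >&2
              exit 1 ;;
          esac
          printf '{"url_map": "%s"}\n' "$URL_MAP"
          exit 0
        fi
        sleep 10
      done

      echo "URL map annotation not found after 5 minutes" >&2
      exit 1
    EOT
    ,
    # $0 for the script, then $1..$5.
    "bash",
    var.cluster_name,
    var.region,
    var.project_id,
    kubernetes_ingress_v1.bitbucket.metadata[0].name,
    kubernetes_ingress_v1.bitbucket.metadata[0].namespace,
  ]

  depends_on = [time_sleep.wait_for_ingress]
}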
# HTTPS target proxy that terminates TLS with a Certificate Manager certificate
# map and forwards to the URL map the GKE Ingress controller created (looked up
# through data.external.ingress_url_map rather than managed here).
#
# NOTE(review): no ssl_policy is set on this proxy, so whatever default policy
# the project provides will apply — confirm it enforces the TLS minimum required.
resource "google_compute_target_https_proxy" "bitbucket" {
  name = "${var.cluster_name}-bitbucket-https-proxy"

  # Fully-qualified self-link of the controller-created URL map.
  url_map = format(
    "https://www.googleapis.com/compute/v1/projects/%s/global/urlMaps/%s",
    var.project_id,
    data.external.ingress_url_map.result["url_map"],
  )

  # Certificate Manager references use the "//certificatemanager.googleapis.com/<id>" form.
  certificate_map = format(
    "//certificatemanager.googleapis.com/%s",
    google_certificate_manager_certificate_map.bitbucket.id,
  )

  lifecycle {
    # Bring up the replacement proxy before tearing down the old one, e.g. when
    # the URL map name changes because the Ingress was recreated.
    create_before_destroy = true
  }

  depends_on = [
    google_certificate_manager_certificate_map_entry.bitbucket,
    time_sleep.wait_for_ingress,
  ]
}
# Global external forwarding rule: sends TCP/443 arriving on the reserved static
# address to the HTTPS target proxy defined above.
resource "google_compute_global_forwarding_rule" "bitbucket_https" {
  name                  = "${var.cluster_name}-bitbucket-https"
  load_balancing_scheme = "EXTERNAL"
  port_range            = "443"
  ip_address            = google_compute_global_address.bitbucket_ip.id
  target                = google_compute_target_https_proxy.bitbucket.id

  # Already implied by the `target` reference; kept explicit for readability.
  depends_on = [google_compute_target_https_proxy.bitbucket]
}