https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs?hl=ja
https://beyondjapan.com/blog/2019/04/free-certificate-on-gcp-lb/
https://cloud.google.com/load-balancing/docs/https/setup-global-ext-https-compute?hl=ja
pip01 --> rule02 --> proxy02 --> map01 --> backend01 --> group01
-- 1. GCPログイン
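# 1. Sign in and set up the project. The project ID and billing account are
#    repeated several times below, so each is held in a single variable
#    (a project ID must be globally unique; replace both values).
PROJECT_ID=project01-9999999
BILLING_ACCOUNT=111111-111111-111111
gcloud init
gcloud auth list      # shows which account is active before anything is created
gcloud --version
gcloud projects create "$PROJECT_ID" \
  --name="project01"
gcloud config list
gcloud config set project "$PROJECT_ID"
# --quiet suppresses the interactive confirmation for the defaults below.
gcloud config set compute/region asia-northeast1 --quiet
gcloud config set compute/zone asia-northeast1-a --quiet
gcloud beta billing accounts list
gcloud beta billing projects link "$PROJECT_ID" --billing-account="$BILLING_ACCOUNT"
# Compute Engine API must be enabled before Terraform can create the instances.
gcloud services enable compute.googleapis.com --project "$PROJECT_ID"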
-- 2. ロードバランサ作成
# Startup script for the backend instances: install Apache and publish the
# host name as the index page so each backend identifies itself in responses.
# It runs as the GCE startup script, which executes as root, so the sudo
# prefixes are redundant but harmless. The quoted delimiter keeps the content
# literal (nothing expands here).
cat > a.sh <<'EOF'
#!/bin/bash
sudo apt-get update
sudo apt-get install apache2 -y
sudo hostname > /var/www/html/index.html
sudo systemctl restart apache2
EOF
# Project ID consumed by the provider block in main.tf (local.project);
# keep it in step with the project created above.
cat > variables.tf <<'EOF'
locals {
project = "project01-9999999"
}
EOF
# Terraform for the HTTP load balancer:
#   pip01 -> rule01 -> proxy01 -> map01 -> backend01 -> group01 (2 x e2-micro)
# Notes for review:
# - The instances run under a dedicated service account (sa20240105) that this
#   config grants no IAM roles; the cloud-platform scope alone confers nothing.
# - fw01 admits TCP/80 to tag01 only from 130.211.0.0/22 and 35.191.0.0/16,
#   Google's health-checker / load-balancer proxy ranges, so port 80 is not
#   reachable from the open internet through this rule.
# - access_config gives every instance a public IP (the startup script needs
#   egress for apt-get), and whatever rules the "default" network already
#   carries (e.g. its default-allow-ssh rule, if still present) apply to it.
# - The quoted delimiter keeps the HCL literal; the leading tabs are only for
#   readability and are stripped by <<- (terraform fmt runs afterwards anyway).
cat > main.tf <<-'EOF'
	provider "google" {
		project = local.project
		region = "asia-northeast1"
	}
	resource "google_service_account" "sa20240105" {
		account_id = "sa20240105"
		display_name = "sa20240105"
	}
	data "google_compute_image" "image01" {
		family = "debian-12"
		project = "debian-cloud"
	}
	resource "google_compute_instance_template" "template01" {
		name = "template01"
		description = "template01"
		tags = ["tag01"]
		machine_type = "e2-micro"
		scheduling {
			automatic_restart = true
		}
		disk {
			source_image = data.google_compute_image.image01.self_link
			auto_delete = true
			boot = true
		}
		network_interface {
			network = "default"
			subnetwork = "default"
			access_config {
				network_tier ="PREMIUM"
			}
		}
		service_account {
			email = google_service_account.sa20240105.email
			scopes = ["cloud-platform"]
		}
		metadata_startup_script = file("./a.sh")
	}
	resource "google_compute_instance_group_manager" "group01" {
		name = "group01"
		base_instance_name = "group01"
		zone = "asia-northeast1-a"
		target_size = 2
		named_port {
			name = "http"
			port = 80
		}
		version {
			instance_template = google_compute_instance_template.template01.id
		}
	}
	resource "google_compute_firewall" "fw01" {
		name = "fw01"
		network = "default"
		direction = "INGRESS"
		allow {
			protocol = "tcp"
			ports = ["80"]
		}
		source_ranges = [
			"130.211.0.0/22",
			"35.191.0.0/16"
		]
		target_tags = ["tag01"]
	}
	resource "google_compute_global_address" "pip01" {
		name = "pip01"
		ip_version = "IPV4"
	}
	resource "google_compute_health_check" "hc01" {
		name = "hc01"
		http_health_check {
			port = 80
		}
	}
	resource "google_compute_backend_service" "backend01" {
		name = "backend01"
		load_balancing_scheme = "EXTERNAL_MANAGED"
		protocol = "HTTP"
		timeout_sec = 10
		port_name = "http"
		health_checks = [google_compute_health_check.hc01.id]
		backend {
			group = google_compute_instance_group_manager.group01.instance_group
		}
	}
	resource "google_compute_url_map" "map01" {
		name = "map01"
		default_service = google_compute_backend_service.backend01.id
	}
	resource "google_compute_target_http_proxy" "proxy01" {
		name = "proxy01"
		url_map = google_compute_url_map.map01.id
	}
	resource "google_compute_global_forwarding_rule" "rule01" {
		name = "rule01"
		load_balancing_scheme = "EXTERNAL_MANAGED"
		ip_protocol = "TCP"
		port_range = "80"
		target = google_compute_target_http_proxy.proxy01.id
		ip_address = google_compute_global_address.pip01.id
	}
EOF
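# 2. Deploy the stack and watch the HTTP front end before requesting a
#    certificate. `terraform plan` is run first so the change set can be
#    reviewed even though `apply` is auto-approved.
terraform init -upgrade
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# Resolve the reserved global address once instead of copying it by hand.
PIP=$(gcloud compute addresses describe pip01 \
  --format="get(address)" \
  --global)
printf 'load balancer address: %s\n' "$PIP"
# Poll the HTTP front end until it answers; Ctrl-C to stop.
while true; do curl "http://${PIP}"; sleep 1; done
# Google-managed certificate for the site's domain (example.com is a placeholder).
# It stays in PROVISIONING until the domain's public A record points at $PIP.
gcloud compute ssl-certificates create cer01 \
  --description=cer01 \
  --domains=example.com \
  --global
gcloud compute ssl-certificates list \
  --global
gcloud compute ssl-certificates describe cer01 \
  --global \
  --format="get(name,managed.status, managed.domainStatus)"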
この時点で、証明書のステータスとドメインのステータスは PROVISIONING です
-- 4. フロントエンド変更
HTTPフロントエンド削除
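# Remove the plain-HTTP front end. The forwarding rule references the proxy
# (rule01 -> proxy01), so it has to go first. Scope is given explicitly as
# --global on both deletes, matching the other global commands in this runbook.
gcloud compute forwarding-rules list
gcloud compute forwarding-rules delete rule01 \
  --global
gcloud compute target-http-proxies list
gcloud compute target-http-proxies delete proxy01 \
  --global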
HTTPSフロントエンド追加
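# Add the HTTPS front end: a target HTTPS proxy bound to the managed
# certificate, plus a 443 forwarding rule on the existing global address pip01.
# rule01 (port 80) was deleted above and nothing re-creates it, so plain-HTTP
# requests are refused rather than redirected to HTTPS.
gcloud compute target-https-proxies list
gcloud compute target-https-proxies create proxy02 \
  --url-map map01 \
  --ssl-certificates cer01
# --global added for consistency with the describe at the end of this step.
gcloud compute target-https-proxies describe proxy02 \
  --global
gcloud compute forwarding-rules list
gcloud compute forwarding-rules create rule02 \
  --load-balancing-scheme=EXTERNAL_MANAGED \
  --address pip01 \
  --target-https-proxy proxy02 \
  --ports 443 \
  --global
# Confirm the proxy actually references cer01 before pointing DNS at it.
gcloud compute target-https-proxies describe proxy02 \
  --global \
  --format="get(sslCertificates)"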
-- 5. DNS設定
SSL 証明書をプロビジョニングするには、
A レコードがパブリック DNS でロードバランサの IP アドレスを参照するようにします。
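# Confirm the public A record resolves to the load balancer address, then
# poll the per-domain status; it remains PROVISIONING until that record is in
# place. --global added to match the earlier describe of the same certificate.
dig example.com
gcloud compute ssl-certificates describe cer01 \
  --global \
  --format="get(managed.domainStatus)"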
Google Cloud は認証局と連携して証明書を発行します。Google マネージド証明書のプロビジョニングには最長で 60 分かかります。
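# Strict TLS check against the load balancer address, looked up from pip01
# rather than pasted by hand. -servername sends SNI so the proxy presents the
# certificate for example.com; -verify_return_error makes any chain failure a
# hard error instead of a warning; the empty stdin ends s_client after the
# handshake. Expect "Verify return code: 0 (ok)".
echo | openssl s_client -showcerts -servername example.com \
  -connect "$(gcloud compute addresses describe pip01 --format='get(address)' --global):443" \
  -verify 99 -verify_return_error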
出力に証明書チェーンと Verify return code: 0 (ok) が含まれていることを確認します。
証明書とドメインのステータスがアクティブになった後、
ロードバランサが Google マネージド SSL 証明書の使用を開始するまでに 30 分ほどかかる場合があります。
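# Probe over HTTPS with certificate verification left ON (no -k): the loop
# keeps failing with a TLS error until the load balancer actually serves the
# managed certificate, then starts returning the backend's host name — which
# is exactly the transition being waited for. -k would hide that. Ctrl-C to stop.
while true; do curl https://example.com; sleep 1; done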
-- 6. 動作確認
-- 7. クリーンアップ
-- 7.1 Aレコード削除
-- 7.2 HTTPSフロントエンド削除
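# 7.2 Remove the HTTPS front end: rule02 references proxy02, so the
# forwarding rule is deleted first. --global given explicitly on both deletes.
gcloud compute forwarding-rules list
gcloud compute forwarding-rules delete rule02 \
  --global
gcloud compute target-https-proxies list
gcloud compute target-https-proxies delete proxy02 \
  --global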
-- 7.3 SSL 証明書削除
# 7.3 Delete the managed certificate; nothing references it once proxy02 is gone.
gcloud compute ssl-certificates list --global
gcloud compute ssl-certificates delete cer01 --global
-- 7.4 ロードバランサ削除
# 7.4 Tear down everything Terraform created (instances, firewall, address,
#     health check, backend service, URL map). Auto-approved like the apply.
terraform destroy \
  -auto-approve
-- 7.5 プロジェクト削除
# 7.5 Delete the project (--quiet skips the confirmation prompt) and detach it
#     from the billing account.
gcloud projects list
gcloud projects delete project01-9999999 --quiet
gcloud beta billing projects unlink project01-9999999