Terraform 으로 GCS 생성후 Cloud CDN 생성(GCP)

Overview

Terraform 으로 Google Cloud Storage 생성 후 Cloud CDN 생성하는 방법에 대해서 알아본다.

 

출처 : https://www.pulumi.com/templates/static-website/gcp/

 

---

Google Cloud Storage 생성 후 Cloud CDN

 

---

 

1. Zone 생성

resource "google_dns_managed_zone" "somaz.link_zone" {
  name     = "somaz.link"
  dns_name = "somaz.link."
}

• dns_name에 마지막에 `.`을 꼭 붙여줘야 한다.

 

2. hosting.kr과 유사한 도메인을 관리 및 구매할 수 있게 해주는 사이트에서 네임서버를 위에 만든 zone과 동일하게 변경

NS 확인

 

hosting.kr에 NS 등록

 

 

아래의 사이트에서 도메인 전파를 확인하면 편하다.

https://www.whatsmydns.net/#NS/

 

 

3. 소유권 설정 및 TXT 레코드 등록

 

resource "google_dns_record_set" "somaz.link_google_verification" {
  name         = "somaz.link."
  type         = "TXT"
  ttl          = 300
  managed_zone = google_dns_managed_zone.somaz.link_zone.name
  rrdatas      = ["google-site-verification=...."]

  depends_on = [google_dns_managed_zone.somaz.link_zone]
}

• 소유권 설정을 하지 않으면, Google Cloud bucket을 생성할 수 없다.

 

아래의 사이트에서 소유권 설정을 위한 TXT 레코드를 제공받을 수 있다.

https://search.google.com/search-console

 

 

소유권 인증 후에 `설정 - 사용자 및 권한` 에서 테라폼에서 사용하고 있는 서비스 계정을 등록해준다.

Service Account 등록

 

 

4. bucket 생성

 

`variables.tf`

variable "somaz.link" {}
variable "somaz_link_lb_ip_name" {}

 

`somaz.tfvars`

somaz_link = "somaz.link"
somaz_link_lb_ip_name = "somaz-link-cdn-lb-ip"

 

`cloud-storage.tf`

resource "google_storage_bucket" "somaz_link" {
  name                        = var.somaz_link
  location                    = var.region
  uniform_bucket_level_access = true
  storage_class               = "STANDARD"
  labels                      = local.default_labels
  // delete bucket and contents on destroy.
  force_destroy = true
  // Assign specialty files
  website {
    main_page_suffix = "index.html"
    not_found_page   = "404.html"
  }

}

resource "google_storage_bucket_iam_member" "public_read_somaz_link" {
  bucket = google_storage_bucket.somaz_link.name
  role   = "roles/storage.objectViewer"
  member = "allUsers"
}

 

 

5. cdn 설정

 

`cloud-dns-lb.tf`

resource "google_compute_global_address" "somaz_link_lb_ip" {
  name = var.somaz_link_lb_ip_name
}

resource "google_dns_record_set" "somaz_link_record" {
  name         = "somaz.link." # Notice the trailing dot, it's necessary
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.somaz_link_zone.name
  rrdatas      = [google_compute_global_address.somaz_link_lb_ip.address] # Replace with your IP address

  depends_on = [google_dns_managed_zone.somaz_link_zone, google_compute_global_address.somaz_link_lb_ip]
}

 

`cloud-cdn.tf`

## CDN(somaz_link) ##
resource "google_compute_managed_ssl_certificate" "cdn_lb_certificate" {
  name = "somaz-link-ssl-cert"
  managed {
    domains = [var.somaz_link]
  }
}

resource "google_compute_backend_bucket" "somaz_link_bucket_backend" {
  name                 = "somaz-link-backend"
  bucket_name          = var.somaz_link
  enable_cdn           = true
  edge_security_policy = module.cloud_armor_region_block.policy_self_link
  compression_mode     = "AUTOMATIC"
  custom_response_headers = [
    "Access-Control-Allow-Origin: *",
    "Access-Control-Allow-Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE",
    "Access-Control-Allow-Headers: *",
    "Strict-Transport-Security: max-age=31536000",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "Referrer-Policy: strict-origin-when-cross-origin"
  ]
  depends_on = [google_storage_bucket.somaz_link, module.cloud_armor_ip_allow]
}

resource "google_compute_url_map" "somaz_link_http_url_map" {
  name = "somaz-link-http-url-map"
  default_url_redirect {
    https_redirect = true
    strip_query    = false
  }
  depends_on = [google_storage_bucket.somaz_link, google_compute_backend_bucket.somaz_link_bucket_backend]
}

resource "google_compute_url_map" "somaz_link_https_url_map" {
  name            = "somaz-link-https-url-map"
  default_service = google_compute_backend_bucket.somaz_link_bucket_backend.id
  depends_on      = [google_storage_bucket.somaz_link, google_compute_backend_bucket.somaz_link_bucket_backend]
}

resource "google_compute_target_http_proxy" "somaz_link_http_proxy" {
  name    = "somaz-link-http-proxy"
  url_map = google_compute_url_map.somaz_link_http_url_map.self_link
}

resource "google_compute_global_forwarding_rule" "somaz_link_http_forwarding_rule" {
  name       = "somaz-link-http-forwarding-rule"
  target     = google_compute_target_http_proxy.somaz_link_http_proxy.self_link
  port_range = "80"
  ip_address = google_compute_global_address.somaz_link_lb_ip.address
}

resource "google_compute_target_https_proxy" "somaz_link_https_proxy" {
  name             = "somaz-link-https-proxy"
  url_map          = google_compute_url_map.somaz_link_https_url_map.self_link
  ssl_certificates = [google_compute_managed_ssl_certificate.cdn_lb_certificate.self_link]
}

resource "google_compute_global_forwarding_rule" "somaz_link_https_forwarding_rule" {
  name       = "somaz-link-https-forwarding-rule"
  target     = google_compute_target_https_proxy.somaz_link_https_proxy.self_link
  port_range = "443"
  ip_address = google_compute_global_address.somaz_link_lb_ip.address
}

 

 

---

Reference

none