[A-00164]TerraformでCloud Armor×Compute Engine×外部Loadbalancerを作成してみる
Google Cloud上にCloudArmorでDDoS攻撃用の防御壁を作って、Loadbalancerで負荷分散するComputeEngineを作成してみたいと思います。
・Architecture
・Terraformの作成/実行
resource "google_compute_security_policy" "default" {
name = "security-policy"
description = "basic security policy"
type = "CLOUD_ARMOR"
adaptive_protection_config {
layer_7_ddos_defense_config {
enable = true
}
}
recaptcha_options_config {
redirect_site_key = google_recaptcha_enterprise_key.default.name
}
}
resource "google_recaptcha_enterprise_key" "default" {
display_name = "recaptcha"
labels = {
label-one = "value-one"
}
project = var.project_id
web_settings {
integration_type = "INVISIBLE"
allow_all_domains = true
allowed_domains = [ "localhost" ]
}
}resource "google_compute_firewall" "default" {
name = "firewall"
direction = "INGRESS"
network = google_compute_network.default.id
source_ranges = [ "130.211.0.0/22","35.191.0.0/16" ]
allow {
protocol = "tcp"
}
target_tags = [ "allow-health-check" ]
}resource "google_compute_health_check" "default" {
name = "health-check"
http_health_check {
port_specification = "USE_SERVING_PORT"
}
}resource "google_compute_global_address" "default" {
name = "global-address"
}
resource "google_compute_global_forwarding_rule" "default" {
name = "forwarding-rule"
ip_protocol = "TCP"
load_balancing_scheme = "EXTERNAL"
port_range = "80"
target = google_compute_target_http_proxy.default.id
ip_address = google_compute_global_address.default.id
}
resource "google_compute_target_http_proxy" "default" {
name = "http-proxy"
url_map = google_compute_url_map.default.id
}
resource "google_compute_url_map" "default" {
name = "url-map"
default_service = google_compute_backend_service.default.id
}
resource "google_compute_backend_service" "default" {
name = "backend-service"
protocol = "HTTP"
port_name = "my-port"
load_balancing_scheme = "EXTERNAL"
timeout_sec = 10
enable_cdn = true
custom_request_headers = ["X-Client-Geo-Location: {client_region_subdivision}, {client_city}"]
custom_response_headers = ["X-Cache-Hit: {cdn_cache_status}"]
health_checks = [ google_compute_health_check.default.id ]
backend {
group = google_compute_instance_group_manager.default.instance_group
balancing_mode = "UTILIZATION"
capacity_scaler = 1.0
}
}resource "google_compute_instance_group_manager" "default" {
name = "mig"
zone = "${var.region}-a"
named_port {
name = "http"
port = 8080
}
version {
instance_template = google_compute_instance_template.default.id
name = "primary"
}
base_instance_name = "vm"
target_size = 2
}
resource "google_compute_instance_template" "default" {
name = "instance-template"
machine_type = "e2-micro"
tags = ["allow-health-check"]
network_interface {
network = google_compute_network.default.id
subnetwork = google_compute_subnetwork.default.id
}
disk {
source_image = "debian-cloud/debian-10"
auto_delete = true
boot = true
}
lifecycle {
create_before_destroy = true
}
}resource "google_compute_network" "default" {
name = "default-vpc"
auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "default" {
name = "default-subnet"
network = google_compute_network.default.id
ip_cidr_range = "10.1.0.0/16"
region = var.region
}terraform {
required_providers {
google = {
source = "hashicorp/google"
version = "4.79.0"
}
}
}
provider "google" {
project = var.project_id
region = var.region
}variable "project_id" {
type = string
default = "xxxx"
}
variable "region" {
type = string
default = "asia-northeast1"
}上記を作成したら下記のコマンドを実行します。
terraform init
terraform plan
terraform apply実行後、下記のようにCloud Armorが作成されます。
確認ができたら下記のコマンドで後片付けします。
terraform destroy・Appendix
公式ドキュメントはこちら
https://cloud.google.com/armor/docs/cloud-armor-overview?hl=ja
https://cloud.google.com/armor/docs/waf-rules?hl=ja
https://cloud.google.com/armor/docs/rule-tuning?hl=ja
参考文献はこちら
https://book.st-hakky.com/docs/terraform-cloud-armor/
https://runble1.com/gcp-terraform-cloud-armor/
https://qiita.com/pyuta/items/64a2654a0e6e17a71c2e
https://zenn.dev/cloud_ace/articles/0ea808072f6f0b
コメントを残す