diff --git a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
index 4ed68661..b24a91d8 100644
--- a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
@@ -3,15 +3,23 @@ terraform {
 }
 locals {
-  env                    = "staging"
-  project_id             = get_env("GOOGLE_PROJECT", "static-ct-staging")
-  location               = get_env("GOOGLE_REGION", "us-central1")
-  submission_host_suffix = ".staging.ct.transparency.dev"
-  enable_cloud_armor     = true
+  env                = "staging"
+  project_id         = get_env("GOOGLE_PROJECT", "static-ct-staging")
+  location           = get_env("GOOGLE_REGION", "us-central1")
+  enable_cloud_armor = true
   logs = {
-    "arche2025h1" = "us-central1"
-    "arche2025h2" = "us-central1"
-    "arche2026h1" = "us-central1"
+    "arche2025h1" = {
+      region                 = "us-central1"
+      submission_host_suffix = "staging.ct.transparency.dev"
+    }
+    "arche2025h2" = {
+      region                 = "us-central1"
+      submission_host_suffix = "staging.ct.transparency.dev"
+    }
+    "arche2026h1" = {
+      region                 = "us-central1"
+      submission_host_suffix = "staging.ct.transparency.dev"
+    }
   }
 }
diff --git a/deployment/modules/gcp/loadbalancer/external/main.tf b/deployment/modules/gcp/loadbalancer/external/main.tf
index 6f05471e..5c763865 100644
--- a/deployment/modules/gcp/loadbalancer/external/main.tf
+++ b/deployment/modules/gcp/loadbalancer/external/main.tf
@@ -18,7 +18,7 @@ module "gce-lb-http" {
   ssl = true
   // Create one cert per log, wildcard certificates are not supported.
   // Put staging.ct.transparency.dev first for it be used as the Common Name.
-  managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], [for log_name, _ in var.logs: "${log_name}.staging.ct.transparency.dev"])
+  managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], [for name, v in var.logs: "${name}${v.submission_host_suffix}"])
   random_certificate_suffix = true
   // Firewalls are defined externally.
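Review bot: The new `managed_ssl_certificate_domains` entry drops the dot between the log name and its suffix: `"${name}${v.submission_host_suffix}"` yields `arche2025h1staging.ct.transparency.dev` for the staging inputs set in this commit, whereas the removed line produced `arche2025h1.staging.ct.transparency.dev`. The variables.tf hunk of this commit documents the contract as `[basename].[submission_host_suffix]` and rejects a leading dot on the suffix, so the dot has to be inserted here: `[for name, v in var.logs: "${name}.${v.submission_host_suffix}"]`. The same omission is in the url_map hunk at line 89, where `hosts = ["${log.key}${log.value.submission_host_suffix}"]` should read `hosts = ["${log.key}.${log.value.submission_host_suffix}"]`; as written the managed certificate is requested for names that do not exist and the host rules never match the real submission hostnames, so those requests fall through to whatever default the URL map has. The hard-coded `"staging.ct.transparency.dev"` kept first for the Common Name is now the only place the module still assumes the staging suffix, so a caller of this module with different suffixes would get a certificate whose CN belongs to none of its logs; deriving it from the configured suffixes may be worth a follow-up. The gce-lb-http module block continues outside the hunk.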
@@ -30,7 +30,7 @@ module "gce-lb-http" {
   // Use the Cloud Armor policy, if it's enabled.
   security_policy = one(module.cloud_armor[*].policy.self_link)
-  backends = { for name, region in var.logs:
+  backends = { for name, v in var.logs:
     "${name}-backend" => {
       protocol = "HTTP"
       port = 80
@@ -55,7 +55,7 @@ module "gce-lb-http" {
       groups = [
         {
           // A Backend group must have beed deployed independently at this URI.
-          group = "projects/${var.project_id}/regions/${region}/instanceGroups/${name}-instance-group-manager"
+          group = "projects/${var.project_id}/regions/${v.region}/instanceGroups/${name}-instance-group-manager"
           balancing_mode = "RATE"
           // Based on the most recent load tests /docs/performance.md
           // Caution:
@@ -89,7 +89,7 @@ resource "google_compute_url_map" "url_map" {
     for_each = var.logs
     iterator = log
     content {
-      hosts = ["${log.key}${var.submission_host_suffix}"]
+      hosts = ["${log.key}${log.value.submission_host_suffix}"]
       path_matcher = "${log.key}-path-matcher"
     }
   }
diff --git a/deployment/modules/gcp/loadbalancer/external/variables.tf b/deployment/modules/gcp/loadbalancer/external/variables.tf
index 2669ba93..bfb235f1 100644
--- a/deployment/modules/gcp/loadbalancer/external/variables.tf
+++ b/deployment/modules/gcp/loadbalancer/external/variables.tf
@@ -5,12 +5,19 @@ variable "project_id" {
 variable "logs" {
   description = "Map of log names to regions."
-  type = map(string)
-}
+  type = map(object({
+    // Region in which the backends are
+    region = string
+    // origin = [basename].[submission_host_suffix]
+    submission_host_suffix = string
+  }))
-variable "submission_host_suffix" {
-  description = "Submission host suffix, appended to each log name."
-  type = string
+  validation {
+    condition = alltrue([
+      for name, v in var.logs: v.region != "" && v.submission_host_suffix != "" && !startswith(v.submission_host_suffix, ".")
+    ])
+    error_message = "Both the region and submission_host_suffix must be set for each log. submission_host_suffix must not start with a \".\""
+  }
 }
 variable "enable_cloud_armor" {
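Review bot: The `description` of `variable "logs"` is left as `"Map of log names to regions."` although the value is now an object carrying both a region and a submission host suffix; suggest `description = "Map of log names to the region of their backends and the submission host suffix (origin = <name>.<suffix>)."` so the contract in the inline `// origin = [basename].[submission_host_suffix]` comment is visible to callers reading the variable. The new validation rejects a leading dot but not a trailing one, so a suffix such as `"staging.ct.transparency.dev."` would pass and produce hostnames with a trailing dot in the certificate and URL map; since `startswith` is already relied on, adding `&& !endswith(v.submission_host_suffix, ".")` to the condition and a matching clause in `error_message` would close that gap.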