From c9b232df705cfce820cf350c07e34a22b3d96ef0 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Wed, 18 Feb 2026 14:31:34 +0000
Subject: [PATCH 1/5] support multiple domains

---
 .../gcp/static-ct-staging/loadbalancer/terragrunt.hcl | 10 +++++-----
 deployment/modules/gcp/loadbalancer/external/main.tf | 4 ++--
 .../modules/gcp/loadbalancer/external/variables.tf | 4 ++--
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
index 4ed68661..4ef5abb6 100644
--- a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
@@ -3,11 +3,11 @@ terraform {
 }
 
 locals {
- env = "staging"
- project_id = get_env("GOOGLE_PROJECT", "static-ct-staging")
- location = get_env("GOOGLE_REGION", "us-central1")
- submission_host_suffix = ".staging.ct.transparency.dev"
- enable_cloud_armor = true
+ env = "staging"
+ project_id = get_env("GOOGLE_PROJECT", "static-ct-staging")
+ location = get_env("GOOGLE_REGION", "us-central1")
+ submission_host_suffixes = [".staging.ct.transparency.dev"]
+ enable_cloud_armor = true
 logs = {
 "arche2025h1" = "us-central1"
 "arche2025h2" = "us-central1"
diff --git a/deployment/modules/gcp/loadbalancer/external/main.tf b/deployment/modules/gcp/loadbalancer/external/main.tf
index 6f05471e..67c2ea8e 100644
--- a/deployment/modules/gcp/loadbalancer/external/main.tf
+++ b/deployment/modules/gcp/loadbalancer/external/main.tf
@@ -18,7 +18,7 @@ module "gce-lb-http" {
 ssl = true
 // Create one cert per log, wildcard certificates are not supported.
 // Put staging.ct.transparency.dev first for it be used as the Common Name.
- managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], [for log_name, _ in var.logs: "${log_name}.staging.ct.transparency.dev"])
+ managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], flatten([for sfx in var.submission_host_suffixes: [for log_name, _ in var.logs: "${log_name}${sfx}"]]))
 random_certificate_suffix = true
 
 // Firewalls are defined externally.
@@ -89,7 +89,7 @@ resource "google_compute_url_map" "url_map" {
 for_each = var.logs
 iterator = log
 content {
- hosts = ["${log.key}${var.submission_host_suffix}"]
+ hosts = [for sfx in var.submission_host_suffixes: "${log.key}${sfx}"]
 path_matcher = "${log.key}-path-matcher"
 }
 }
diff --git a/deployment/modules/gcp/loadbalancer/external/variables.tf b/deployment/modules/gcp/loadbalancer/external/variables.tf
index 2669ba93..14a544b7 100644
--- a/deployment/modules/gcp/loadbalancer/external/variables.tf
+++ b/deployment/modules/gcp/loadbalancer/external/variables.tf
@@ -8,8 +8,8 @@ variable "logs" {
 type = map(string)
 }
 
-variable "submission_host_suffix" {
- description = "Submission host suffix, appended to each log name."
+variable "submission_host_suffixes" {
+ description = "Submission host suffixes, appended to each log name. MUST cover all log origin suffixes as per https://c2sp.org/static-ct-api."
 type = string
 }
 

From 7ada0be26929ccb306e81411003c5afca5f73d59 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Wed, 18 Feb 2026 16:03:45 +0000
Subject: [PATCH 2/5] add TODO

---
 deployment/modules/gcp/loadbalancer/external/variables.tf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deployment/modules/gcp/loadbalancer/external/variables.tf b/deployment/modules/gcp/loadbalancer/external/variables.tf
index 14a544b7..d59ee0f8 100644
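Review bot: `variable "submission_host_suffixes"` keeps `type = string` while the terragrunt input on the first hunk is a list (`[".staging.ct.transparency.dev"]`) and main.tf iterates it with `for sfx in var.submission_host_suffixes`, so this commit does not plan on its own. The declaration should read `type = list(string)`; patch 3 of this series removes the variable again, so either fix it here so the history bisects cleanly or squash the two. Every entry becomes both a URL-map host rule and a managed-certificate SAN, so a `validation` that each entry is non-empty and starts with `.` would also stop `${log_name}${sfx}` from producing a run-together hostname.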
--- a/deployment/modules/gcp/loadbalancer/external/variables.tf
+++ b/deployment/modules/gcp/loadbalancer/external/variables.tf
@@ -8,6 +8,7 @@ variable "logs" {
 type = map(string)
 }
 
+// TODO: this shouldn't be a list really, revert back to a single suffix.
 variable "submission_host_suffixes" {
 description = "Submission host suffixes, appended to each log name. MUST cover all log origin suffixes as per https://c2sp.org/static-ct-api."
 type = string

From 7023705504b99392564c5cf28ac29dcf2fa00c6f Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Wed, 18 Feb 2026 16:17:35 +0000
Subject: [PATCH 3/5] use maps

---
 .../static-ct-staging/loadbalancer/terragrunt.hcl | 15 ++++++++++++---
 .../modules/gcp/loadbalancer/external/main.tf | 8 ++++----
 .../gcp/loadbalancer/external/variables.tf | 11 ++++-------
 3 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
index 4ef5abb6..1053d23d 100644
--- a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
@@ -9,9 +9,18 @@ locals {
 submission_host_suffixes = [".staging.ct.transparency.dev"]
 enable_cloud_armor = true
 logs = {
- "arche2025h1" = "us-central1"
- "arche2025h2" = "us-central1"
- "arche2026h1" = "us-central1"
+ "arche2025h1" = {
+ region = "us-central1"
+ submission_host_suffix = ".staging.ct.transparency.dev"
+ }
+ "arche2025h2" = {
+ region = "us-central1"
+ submission_host_suffix = ".staging.ct.transparency.dev"
+ }
+ "arche2026h1" = {
+ region = "us-central1"
+ submission_host_suffix = ".staging.ct.transparency.dev"
+ }
 }
 }
 
diff --git a/deployment/modules/gcp/loadbalancer/external/main.tf b/deployment/modules/gcp/loadbalancer/external/main.tf
index 67c2ea8e..5c763865 100644
--- a/deployment/modules/gcp/loadbalancer/external/main.tf
+++ b/deployment/modules/gcp/loadbalancer/external/main.tf
@@ -18,7 +18,7 @@ module "gce-lb-http" {
 ssl = true
 // Create one cert per log, wildcard certificates are not supported.
 // Put staging.ct.transparency.dev first for it be used as the Common Name.
- managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], flatten([for sfx in var.submission_host_suffixes: [for log_name, _ in var.logs: "${log_name}${sfx}"]]))
+ managed_ssl_certificate_domains = concat(["staging.ct.transparency.dev"], [for name, v in var.logs: "${name}${v.submission_host_suffix}"])
 random_certificate_suffix = true
 
 // Firewalls are defined externally.
@@ -30,7 +30,7 @@ module "gce-lb-http" {
 // Use the Cloud Armor policy, if it's enabled.
 security_policy = one(module.cloud_armor[*].policy.self_link)
 
- backends = { for name, region in var.logs:
+ backends = { for name, v in var.logs:
 "${name}-backend" => {
 protocol = "HTTP"
 port = 80
@@ -55,7 +55,7 @@ module "gce-lb-http" {
 groups = [
 {
 // A Backend group must have beed deployed independently at this URI.
- group = "projects/${var.project_id}/regions/${region}/instanceGroups/${name}-instance-group-manager"
+ group = "projects/${var.project_id}/regions/${v.region}/instanceGroups/${name}-instance-group-manager"
 balancing_mode = "RATE"
 // Based on the most recent load tests /docs/performance.md
 // Caution:
@@ -89,7 +89,7 @@ resource "google_compute_url_map" "url_map" {
 for_each = var.logs
 iterator = log
 content {
- hosts = [for sfx in var.submission_host_suffixes: "${log.key}${sfx}"]
+ hosts = ["${log.key}${log.value.submission_host_suffix}"]
 path_matcher = "${log.key}-path-matcher"
 }
 }
diff --git a/deployment/modules/gcp/loadbalancer/external/variables.tf b/deployment/modules/gcp/loadbalancer/external/variables.tf
index d59ee0f8..c27df535 100644
--- a/deployment/modules/gcp/loadbalancer/external/variables.tf
+++ b/deployment/modules/gcp/loadbalancer/external/variables.tf
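Review bot: The first managed-certificate domain in the `@@ -18` hunk is still the literal `staging.ct.transparency.dev`, and the comment above it says the same, while the per-log hosts on that line now come from `v.submission_host_suffix` — a generic module under `deployment/modules/` is baking in one environment's apex that the inputs can no longer change. Deriving it from the logs keeps the certificate in step with the host rules, e.g. `concat(distinct([for _, v in var.logs : trimprefix(v.submission_host_suffix, ".")]), [for name, v in var.logs : "${name}${v.submission_host_suffix}"])`; if the apex is served by this load balancer independently of any log, it should instead be an explicit input rather than a literal. As I understand Google-managed certificates, the certificate only becomes active once every listed domain resolves to this load balancer, so an apex that no longer points here would hold up TLS for all log hosts — worth confirming before relying on the literal. The `module "gce-lb-http"` block starts and ends outside this hunk.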
@@ -5,13 +5,10 @@ variable "project_id" {
 
 variable "logs" {
 description = "Map of log names to regions."
- type = map(string)
-}
-
-// TODO: this shouldn't be a list really, revert back to a single suffix.
-variable "submission_host_suffixes" {
- description = "Submission host suffixes, appended to each log name. MUST cover all log origin suffixes as per https://c2sp.org/static-ct-api."
- type = string
+ type = map(object({
+ region = string
+ submission_host_suffix = string
+ }))
 }
 
 variable "enable_cloud_armor" {

From c120246faf58914f169ed9b8231417bcdacfd338 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Wed, 18 Feb 2026 16:30:53 +0000
Subject: [PATCH 4/5] remove old variable

---
 .../gcp/static-ct-staging/loadbalancer/terragrunt.hcl | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
index 1053d23d..66d080be 100644
--- a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
@@ -3,11 +3,10 @@ terraform {
 }
 
 locals {
- env = "staging"
- project_id = get_env("GOOGLE_PROJECT", "static-ct-staging")
- location = get_env("GOOGLE_REGION", "us-central1")
- submission_host_suffixes = [".staging.ct.transparency.dev"]
- enable_cloud_armor = true
+ env = "staging"
+ project_id = get_env("GOOGLE_PROJECT", "static-ct-staging")
+ location = get_env("GOOGLE_REGION", "us-central1")
+ enable_cloud_armor = true
 logs = {
 "arche2025h1" = {
 region = "us-central1"

From 6e8857d64be94e098305770b055d14c510afb2b8 Mon Sep 17 00:00:00 2001
From: Philippe Boneff
Date: Thu, 19 Feb 2026 17:04:59 +0000
Subject: [PATCH 5/5] comments

---
 .../gcp/static-ct-staging/loadbalancer/terragrunt.hcl | 6 +++---
 .../modules/gcp/loadbalancer/external/variables.tf | 9 +++++++++
 2 files changed, 12 insertions(+), 3 deletions(-)

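Review bot: The `description` of `logs` still reads "Map of log names to regions." although the type added right below it is now a map of objects carrying `region` and `submission_host_suffix`, and the deleted `submission_host_suffixes` variable took with it the only statement that the suffix MUST match the log origin per https://c2sp.org/static-ct-api. Suggest `description = "Map of log names to per-log settings: the region of the backend instance group, and the submission host suffix appended to the name to form the log origin (see https://c2sp.org/static-ct-api)."`. Nothing constrains the new field yet, and main.tf concatenates it directly after the log name for both the certificate SAN and the URL-map host rule, so a `validation` block pinning the chosen dot convention (the values in this series start with `.`) and rejecting an empty string would surface a bad origin at plan time rather than at certificate provisioning.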
diff --git a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
index 66d080be..b24a91d8 100644
--- a/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
+++ b/deployment/live/gcp/static-ct-staging/loadbalancer/terragrunt.hcl
@@ -10,15 +10,15 @@ locals {
 logs = {
 "arche2025h1" = {
 region = "us-central1"
- submission_host_suffix = ".staging.ct.transparency.dev"
+ submission_host_suffix = "staging.ct.transparency.dev"
 }
 "arche2025h2" = {
 region = "us-central1"
- submission_host_suffix = ".staging.ct.transparency.dev"
+ submission_host_suffix = "staging.ct.transparency.dev"
 }
 "arche2026h1" = {
 region = "us-central1"
- submission_host_suffix = ".staging.ct.transparency.dev"
+ submission_host_suffix = "staging.ct.transparency.dev"
 }
 }
 }
diff --git a/deployment/modules/gcp/loadbalancer/external/variables.tf b/deployment/modules/gcp/loadbalancer/external/variables.tf
index c27df535..bfb235f1 100644
--- a/deployment/modules/gcp/loadbalancer/external/variables.tf
+++ b/deployment/modules/gcp/loadbalancer/external/variables.tf
@@ -6,9 +6,18 @@ variable "project_id" {
 variable "logs" {
 description = "Map of log names to regions."
 type = map(object({
+ // Region in which the backends are
 region = string
+ // origin = [basename].[submission_host_suffix]
 submission_host_suffix = string
 }))
+
+ validation {
+ condition = alltrue([
+ for name, v in var.logs: v.region != "" && v.submission_host_suffix != "" && !startswith(v.submission_host_suffix, ".")
+ ])
+ error_message = "Both the region and submission_host_suffix must be set for each log. submission_host_suffix must not start with a \".\""
+ }
 }
 
 variable "enable_cloud_armor" {
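Review bot: The new `validation` rejects a leading `.` and the terragrunt values in the first hunk drop it, but main.tf still builds the hosts as `"${name}${v.submission_host_suffix}"` (certificate domains) and `"${log.key}${log.value.submission_host_suffix}"` (URL-map host rule), and this patch touches only the two files in its diffstat, so unless main.tf was changed outside this series the result is `arche2025h1staging.ct.transparency.dev`. That requests the managed certificate for a name nobody serves and leaves the host rule unmatched, so requests for the real log hostname fall through to whatever the URL map's default service is. Both interpolations need the separator the new `// origin = [basename].[submission_host_suffix]` comment promises: `"${name}.${v.submission_host_suffix}"` and `"${log.key}.${log.value.submission_host_suffix}"`. Two smaller points in the same hunk: `description = "Map of log names to regions."` no longer describes an object map, and `// Region in which the backends are` is cut off — `// Region in which the backend instance groups are deployed.`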