GoogleCloud: Signed Cookie terraform recipe

Apr 2, 2023 22:59 · 250 words · 2 minute read

※ ところどころマスクしてあります。

# Absolute DNS name of the asset host: `local.domain` with a trailing dot,
# which is the form Cloud DNS record sets expect.
locals {
  asset-domain = "${local.domain}."
}

# Origin bucket for the static assets. Nothing is reachable from the public
# internet directly; reads are expected to come through Cloud CDN.
resource "google_storage_bucket" "asset" {
  name     = "xxx-asset"
  location = "ASIA-NORTHEAST1"

  # Hard block on public grants (cannot be undone by an ACL or IAM slip).
  public_access_prevention = "enforced"
  # IAM only, no per-object legacy ACLs.
  uniform_bucket_level_access = true
}

# CDN-enabled backend that fronts the private origin bucket. The edge
# security policy (Cloud Armor) is evaluated before content is served.
resource "google_compute_backend_bucket" "asset" {
  name        = "xxx-asset-bucket"
  enable_cdn  = true
  bucket_name = google_storage_bucket.asset.name

  edge_security_policy = google_compute_security_policy.asset-cdn.id
}

# Single-backend URL map: every path goes to the asset backend bucket.
resource "google_compute_url_map" "asset" {
  name            = "xxx-asset-bucket"
  default_service = google_compute_backend_bucket.asset.self_link
}

# Static anycast IP for the HTTPS load balancer; referenced by the DNS
# record and the forwarding rule below.
resource "google_compute_global_address" "asset" {
  name = "xxx-asset"
}

# A record pointing the asset hostname at the load balancer's static IP.
# The managed certificate below is only issued once this record resolves.
resource "google_dns_record_set" "asset" {
  managed_zone = google_dns_managed_zone.xxx.name
  name         = local.asset-domain
  type         = "A"
  rrdatas      = [google_compute_global_address.asset.address]

  # 1 second: effectively uncached. Presumably chosen for easy cut-over;
  # consider raising it once the address is stable.
  ttl = 1
}

# Google-managed certificate for the asset hostname. Provisioning depends
# on the DNS A record above already pointing at the load balancer IP.
resource "google_compute_managed_ssl_certificate" "asset" {
  name = "xxx-asset-managed-cert"
  managed {
    domains = [local.asset-domain]
  }
}

# TLS settings for the HTTPS proxy: TLS 1.2 floor with the MODERN cipher
# profile, so legacy clients are refused at the handshake.
resource "google_compute_ssl_policy" "asset-ssl-policy" {
  name = "asset-ssl-policy"

  min_tls_version = "TLS_1_2"
  profile         = "MODERN"
}

# HTTPS proxy tying together the certificate, the TLS policy and the URL map.
resource "google_compute_target_https_proxy" "asset" {
  name = "xxx-asset"

  ssl_policy       = google_compute_ssl_policy.asset-ssl-policy.id
  ssl_certificates = [google_compute_managed_ssl_certificate.asset.id]
  url_map          = google_compute_url_map.asset.id
}

# Front door: port 443 on the static IP is handed to the HTTPS proxy.
# No port-80 rule exists, so plain HTTP is not served at all.
resource "google_compute_global_forwarding_rule" "asset" {
  name       = "xxx-asset"
  ip_address = google_compute_global_address.asset.address
  port_range = "443"
  target     = google_compute_target_https_proxy.asset.self_link
}

# 16 random bytes = the 128-bit key Cloud CDN signed URLs/cookies require.
# The generated value is persisted in Terraform state.
resource "random_id" "asset_sign_key" {
  byte_length = 16
}

# Registers the signing key on the CDN backend. Requests must carry a URL or
# cookie signed with this key; the same secret is what the application uses
# to mint signed cookies.
resource "google_compute_backend_bucket_signed_url_key" "asset" {
  backend_bucket = google_compute_backend_bucket.asset.name
  name           = "asset-key"

  # base64url form of the random bytes, as the API expects. Note that the
  # key material sits in Terraform state, so the state backend needs the
  # same access controls as any other secret store.
  key_value = random_id.asset_sign_key.b64_url
}

# Lets the project's Cloud CDN fill service account read objects, so the
# cache can be populated from the otherwise private bucket.
# NOTE: *_iam_binding is authoritative for the role — any other member
# holding objectViewer on this bucket outside Terraform will be removed.
resource "google_storage_bucket_iam_binding" "asset-cdn" {
  role   = "roles/storage.objectViewer"
  bucket = google_storage_bucket.asset.name

  members = [
    "serviceAccount:service-${data.google_project.project.number}@cloud-cdn-fill.iam.gserviceaccount.com",
  ]
}

# Cloud Armor edge policy attached to the CDN backend bucket. Rules are
# evaluated lowest priority number first; the catch-all deny has the
# maximum priority value so it runs last.
resource "google_compute_security_policy" "asset-cdn" {
  name = "xxx-asset-cdn"
  type = "CLOUD_ARMOR_EDGE"
  # Default rule: anything not allowed by an earlier rule gets a 403.
  rule {
    action      = "deny(403)"
    description = "default: deny any access"
    priority    = "2147483647"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }

  # Allow list evaluated before the default deny.
  rule {
    action      = "allow"
    description = "allow VPN"
    priority    = "1000"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = [
          # My VPN
          # NOTE(review): 0.0.0.0/0 is presumably a masked placeholder, but
          # as written it matches every source address, so the default-deny
          # rule never fires and the policy allows all traffic. Replace it
          # with the VPN's actual egress CIDR(s) before applying.
          "0.0.0.0/0"
        ]
      }
    }
  }
}

署名付き Cookie は、リファレンス通りに実装すればよい。