Implement ingress for easier services exposing (#1314)

Author: sitole

iac/provider-gcp/Makefile

@@ -42,6 +42,7 @@ tf_vars := 	TF_VAR_environment=$(TERRAFORM_ENVIRONMENT) \
 	$(call tfvar, ALLOW_SANDBOX_INTERNET) \
 	$(call tfvar, API_RESOURCES_CPU_COUNT) \
 	$(call tfvar, API_RESOURCES_MEMORY_MB) \
+	$(call tfvar, INGRESS_COUNT) \
 	$(call tfvar, CLIENT_PROXY_COUNT) \
 	$(call tfvar, CLIENT_PROXY_RESOURCES_CPU_COUNT) \
 	$(call tfvar, CLIENT_PROXY_RESOURCES_MEMORY_MB) \

iac/provider-gcp/init/main.tf

@@ -208,6 +208,27 @@ resource "google_secret_manager_secret_version" "analytics_collector_api_token"
   depends_on = [time_sleep.secrets_api_wait_60_seconds]
 }
 
+resource "google_secret_manager_secret" "routing_domains" {
+  secret_id = "${var.prefix}routing-domains"
+
+  replication {
+    auto {}
+  }
+
+  depends_on = [time_sleep.secrets_api_wait_60_seconds]
+}
+
+resource "google_secret_manager_secret_version" "routing_domains" {
+  secret      = google_secret_manager_secret.routing_domains.name
+  secret_data = jsonencode([])
+
+  lifecycle {
+    ignore_changes = [secret_data]
+  }
+
+  depends_on = [time_sleep.secrets_api_wait_60_seconds]
+}
+
 resource "google_artifact_registry_repository" "orchestration_repository" {
   format        = "DOCKER"
   repository_id = "e2b-orchestration"
@@ -222,7 +243,6 @@ resource "time_sleep" "artifact_registry_api_wait_90_seconds" {
   create_duration = "90s"
 }
 
-
 resource "google_artifact_registry_repository_iam_member" "orchestration_repository_member" {
   repository = google_artifact_registry_repository.orchestration_repository.name
   role       = "roles/artifactregistry.reader"

iac/provider-gcp/init/outputs.tf

@@ -30,6 +30,10 @@ output "analytics_collector_api_token_secret_name" {
   value = google_secret_manager_secret.analytics_collector_api_token.name
 }
 
+output "routing_domains_secret_name" {
+  value = google_secret_manager_secret.routing_domains.name
+}
+
 output "orchestration_repository_name" {
   value = google_artifact_registry_repository.orchestration_repository.name
 }

iac/provider-gcp/main.tf

@@ -54,6 +54,19 @@ provider "google" {
   zone    = var.gcp_zone
 }
 
+data "google_secret_manager_secret_version" "routing_domains" {
+  secret = module.init.routing_domains_secret_name
+}
+
+locals {
+  // Taking additional domains from local env is there just for backward compatibility
+  additional_domains_from_secret = nonsensitive(jsondecode(data.google_secret_manager_secret_version.routing_domains.secret_data))
+  additional_domains_from_env = (var.additional_domains != "" ?
+  [for item in split(",", var.additional_domains) : trimspace(item)] : [])
+
+  additional_domains = distinct(concat(local.additional_domains_from_env, local.additional_domains_from_secret))
+}
+
 module "init" {
   source = "./init"
 
@@ -108,16 +121,16 @@ module "cluster" {
   api_use_nat = var.api_use_nat
   api_nat_ips = var.api_nat_ips
 
+  ingress_port                 = var.ingress_port
   edge_api_port                = var.edge_api_port
   edge_proxy_port              = var.edge_proxy_port
   api_port                     = var.api_port
   docker_reverse_proxy_port    = var.docker_reverse_proxy_port
   nomad_port                   = var.nomad_port
   google_service_account_email = module.init.service_account_email
   domain_name                  = var.domain_name
-  additional_domains = (var.additional_domains != "" ?
-  [for item in split(",", var.additional_domains) : trimspace(item)] : [])
 
+  additional_domains = local.additional_domains
   additional_api_services = (var.additional_api_services_json != "" ?
     jsondecode(var.additional_api_services_json) :
   [])
@@ -172,6 +185,10 @@ module "nomad" {
   clickhouse_job_constraint_prefix = var.clickhouse_job_constraint_prefix
   clickhouse_node_pool             = var.clickhouse_node_pool
 
+  # Ingress
+  ingress_port  = var.ingress_port
+  ingress_count = var.ingress_count
+
   # API
   api_resources_cpu_count                   = var.api_resources_cpu_count
   api_resources_memory_mb                   = var.api_resources_memory_mb

iac/provider-gcp/nomad-cluster/main.tf

@@ -96,6 +96,7 @@ module "network" {
   api_use_nat = var.api_use_nat
   api_nat_ips = var.api_nat_ips
 
+  ingress_port              = var.ingress_port
   api_port                  = var.api_port
   docker_reverse_proxy_port = var.docker_reverse_proxy_port
   network_name              = var.network_name

iac/provider-gcp/nomad-cluster/network/ingress.tf

@@ -0,0 +1,58 @@
+resource "google_compute_health_check" "ingress" {
+  name = "${var.prefix}ingress"
+
+  timeout_sec         = 3
+  check_interval_sec  = 5
+  healthy_threshold   = 2
+  unhealthy_threshold = 2
+
+  http_health_check {
+    port         = var.ingress_port.port
+    request_path = var.ingress_port.health_path
+  }
+}
+
+resource "google_compute_backend_service" "ingress" {
+  name = "${var.prefix}ingress"
+
+  protocol  = "HTTP"
+  port_name = var.ingress_port.name
+
+  session_affinity = null
+  health_checks    = [google_compute_health_check.ingress.id]
+
+  timeout_sec = 65
+
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+  locality_lb_policy    = "ROUND_ROBIN"
+
+  backend {
+    group = var.api_instance_group
+  }
+}
+
+resource "google_compute_url_map" "ingress" {
+  name            = "${var.prefix}ingress"
+  default_service = google_compute_backend_service.ingress.self_link
+}
+
+resource "google_compute_global_forwarding_rule" "ingress" {
+  name                  = "${var.prefix}ingress-forward-http"
+  ip_protocol           = "TCP"
+  port_range            = "443"
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+  ip_address            = google_compute_global_address.ingress_ipv4.address
+  target                = google_compute_target_https_proxy.ingress.self_link
+}
+
+resource "google_compute_global_address" "ingress_ipv4" {
+  name       = "${var.prefix}ingress-ipv4"
+  ip_version = "IPV4"
+}
+
+resource "google_compute_target_https_proxy" "ingress" {
+  name    = "${var.prefix}ingress-https"
+  url_map = google_compute_url_map.ingress.self_link
+
+  certificate_map = "//certificatemanager.googleapis.com/${google_certificate_manager_certificate_map.certificate_map.id}"
+}

iac/provider-gcp/nomad-cluster/network/main.tf

@@ -455,6 +455,11 @@ resource "google_compute_firewall" "default-hc" {
     }
   }
 
+  allow {
+    protocol = "tcp"
+    ports    = [var.ingress_port.port]
+  }
+
   dynamic "allow" {
     for_each = toset(var.additional_ports)
 

iac/provider-gcp/nomad-cluster/network/variables.tf

@@ -51,6 +51,14 @@ variable "api_port" {
   })
 }
 
+variable "ingress_port" {
+  type = object({
+    name        = string
+    port        = number
+    health_path = string
+  })
+}
+
 variable "docker_reverse_proxy_port" {
   type = object({
     name        = string

iac/provider-gcp/nomad-cluster/nodepool-api.tf

@@ -71,6 +71,11 @@ resource "google_compute_instance_group_manager" "api_pool" {
     port = var.docker_reverse_proxy_port.port
   }
 
+  named_port {
+    name = var.ingress_port.name
+    port = var.ingress_port.port
+  }
+
   dynamic "named_port" {
     for_each = local.api_additional_ports
     content {

iac/provider-gcp/nomad-cluster/variables.tf

@@ -100,6 +100,14 @@ variable "api_port" {
   })
 }
 
+variable "ingress_port" {
+  type = object({
+    name        = string
+    port        = number
+    health_path = string
+  })
+}
+
 variable "docker_reverse_proxy_port" {
   type = object({
     name        = string