Add HTTPS to load balancer, update instructions, ignore generated certs

.gitignore

@@ -8,3 +8,8 @@
 # Ignore GCP account keys
 keys.json
 account.json
+
+# Ignore SSL keys, CSRs and certs
+*.key
+*.csr
+*.crt

03-glb/glb.tf

@@ -2,8 +2,8 @@ resource "google_compute_global_address" "glb_demo" {
   name = "glb-demo"
 }
 
-resource "google_compute_global_forwarding_rule" "glb_demo" {
-  name                  = "glb-demo"
+resource "google_compute_global_forwarding_rule" "glb_demo_http" {
+  name                  = "glb-demo-http"
   ip_address            = google_compute_global_address.glb_demo.address
   port_range            = "80"
   target                = google_compute_target_http_proxy.glb_demo.self_link
@@ -16,6 +16,27 @@ resource "google_compute_target_http_proxy" "glb_demo" {
   url_map = google_compute_url_map.glb_demo.self_link
 }
 
+resource "google_compute_global_forwarding_rule" "glb_demo_https" {
+  name                  = "glb-demo-https"
+  ip_address            = google_compute_global_address.glb_demo.address
+  port_range            = "443"
+  target                = google_compute_target_https_proxy.glb_demo.self_link
+  load_balancing_scheme = "EXTERNAL"
+}
+
+resource "google_compute_ssl_certificate" "glb_demo" {
+  name_prefix = "glb-demo-"
+  private_key = file("example.key")
+  certificate = file("example.crt")
+}
+
+resource "google_compute_target_https_proxy" "glb_demo" {
+  name = "glb-demo"
+
+  ssl_certificates = [google_compute_ssl_certificate.glb_demo.self_link]
+  url_map          = google_compute_url_map.glb_demo.self_link
+}
+
 resource "google_compute_url_map" "glb_demo" {
   name            = "glb-demo"
   default_service = google_compute_backend_service.glb_demo_zone_printer.self_link
@@ -164,7 +185,7 @@ resource "google_compute_firewall" "glb_demo" {
 
 # This is a Cloud Armor policy
 resource "google_compute_security_policy" "glb_demo" {
-  name = "glb_demo"
+  name = "glb-demo"
 
   # Default rule, allow all traffic
   rule {

README.md

@@ -36,6 +36,8 @@ export GOOGLE_CLOUD_KEYFILE_JSON="/Users/wwwil/.config/gcloud/application_defaul
 
 ## Step 01 - Create the Clusters
 
+
+
 Enter the `01-clusters/` directory, initialise Terraform, and apply the project files.
 
 ```
@@ -115,6 +117,18 @@ sed -i.bak "s|HELLO_APP_NEG_US|$HELLO_APP_NEG_US|g" terraform.tfvars
 rm -f terraform.tfvars.bak
 ```
 
+To support HTTPS the load balancer needs an SSL certificate.
+This is provided to the load balancer HTTPS proxy using a GCP SSL certificate resource, created by Terraform from a certificate and key file.
+Generate a key and self signed certificate to use.
+
+```
+openssl genrsa -out example.key 2048
+openssl req -new -key example.key -out example.csr \
+    -subj "/CN=example.com"
+openssl x509 -req -days 365 -in example.csr -signkey example.key \
+    -out example.crt
+```
+
 Now initialise Terraform, and apply the project files.
 
 ```
@@ -134,7 +148,11 @@ The maximum rate for connections is set very low in the load balancer.
 this should mean that by aggressively refreshing the connection to the IP in the browser you should see the zone you connect to changes.
 This demonstrates the load balancing in effect.
 
-The region should not change, and should always be the region closest to where you connect from.
+To verify that HTTPS is working prefix the IP address with `https://`.
+This will likely show a warning that the certificate was not recognised as we are using a self signed certificate.
+Ignore the warning and proceed to the page anyway, it should show the `zone-printer` app.
+
+The region shown by `zone-printer` should not change, and should always be the region closest to where you connect from.
 To verify that the global load balancing is directing traffic correctly we can run `curl` from a remote machine in the other region.
 
 Connect to the cluster in the region you are not currently being served from.