
Managed Instance Group with Client Authentication (mTLS)

A managed instance group (MIG) that runs an Envoy proxy to terminate mTLS before forwarding the traffic to Apigee over one-way TLS.

Note that by default Envoy does not pass the client certificate on to the backend service. To forward it, add a request header in the Envoy route configuration; `%DOWNSTREAM_PEER_CERT%` expands to the client certificate presented on the mTLS connection:

```yaml
route_config:
  name: local_route
  request_headers_to_add:
  - header:
      key: "x-raw-client-cert"
      value: "%DOWNSTREAM_PEER_CERT%"
```

Providers

| Name | Version |
|------|---------|
| google | >= 4.20.0 |
| random | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| apigee-mtls-proxy-mig | github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-mig | v28.0.0 |
| apigee-mtls-proxy-template | github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-vm | v28.0.0 |
| config-bucket | github.com/terraform-google-modules/cloud-foundation-fabric//modules/gcs | v28.0.0 |
| mtls-proxy-sa | github.com/terraform-google-modules/cloud-foundation-fabric//modules/iam-service-account | v28.0.0 |
| nat | github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-cloudnat | v28.0.0 |

Resources

| Name | Type |
|------|------|
| google_storage_bucket_object.ca_cert | resource |
| google_storage_bucket_object.envoy_config | resource |
| google_storage_bucket_object.setup_script | resource |
| google_storage_bucket_object.tls_cert | resource |
| google_storage_bucket_object.tls_key | resource |
| random_id.bucket | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| autoscaler_config | Optional autoscaler configuration. Only one of `cpu_utilization_target`, `load_balancing_utilization_target` or `metric` may be non-null. `metric.type` is one of GAUGE, DELTA_PER_SECOND or DELTA_PER_MINUTE. | `object({ max_replicas = number, min_replicas = number, cooldown_period = number, cpu_utilization_target = number, load_balancing_utilization_target = number, metric = object({ name = string, single_instance_assignment = number, target = number, type = string, filter = string }) })` | `null` | no |
| ca_cert_path | Local path to the CA certificate file used for client authentication. | `string` | n/a | yes |
| endpoint_ip | Apigee X instance endpoint IP. | `string` | n/a | yes |
| machine_type | GCE machine type. | `string` | `"e2-small"` | no |
| network | VPC network for running the MIGs (must be peered with the Apigee tenant project). | `string` | n/a | yes |
| network_tags | Network tags for the mTLS MIG. | `list(string)` | n/a | yes |
| project_id | GCP project ID. | `string` | n/a | yes |
| region | GCP region for the MIGs. | `string` | n/a | yes |
| subnet | VPC subnet for running the MIGs. | `string` | n/a | yes |
| target_size | Group target size; leave null when using an autoscaler. | `number` | `2` | no |
| tls_cert_path | Local path to the TLS certificate file presented by the proxy. | `string` | n/a | yes |
| tls_key_path | Local path to the TLS private key file for that certificate. | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| instance_group | Proxy MIGs for mTLS termination |