I've been working on this issue for a while now. I'm using terraform code to deploy a static website in GCS. The domain is registered in Cloud Domains and the DNS records are handled in Cloud DNS. I am using terraform to deploy everything I need. The issue here is that the SSL certificate never finishes provisioning, because the domains (kade-bc.com and www.kade-bc.com) both have the status FAILED_NOT_VISIBLE.
It's worth noting that my HTTP connection works fine; it's just the HTTPS certificate generation that is the issue. I'm fairly new to this, so I could be overlooking something, but I've looked at similar questions here and was not able to resolve my issue. Any help would be appreciated. Here is my relevant Terraform code:
resource "google_storage_bucket" "my_bucket" {
  name          = "the-site-bucket"
  location      = "US"
  force_destroy = true
  website {
    main_page_suffix = "index.html"
    not_found_page   = "404.html"
  }
  uniform_bucket_level_access = true
  versioning {
    enabled = true
  }
}

resource "google_storage_bucket_object" "html_file" {
  name   = "index.html"
  bucket = google_storage_bucket.my_bucket.name
  source = "../site/index.html"
}

resource "google_storage_bucket_object" "css_file" {
  name         = "styles.css"
  bucket       = google_storage_bucket.my_bucket.name
  source       = "../site/styles.css"
  content_type = "text/css"
  # cache_control sets the HTTP Cache-Control header on the object; putting the
  # key into the metadata map would only create a custom x-goog-meta-* entry.
  cache_control = "no-cache"
}

# Static anycast IP shared by the HTTP and HTTPS forwarding rules
resource "google_compute_global_address" "website" {
  provider = google
  name     = "website-lb-ip"
}

resource "google_dns_managed_zone" "my_dns_zone" {
  name     = "my-zone"
  dns_name = "kade-bc.com."
}

# Apex A record -> load balancer IP
resource "google_dns_record_set" "website" {
  provider     = google
  name         = google_dns_managed_zone.my_dns_zone.dns_name
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.my_dns_zone.name
  rrdatas      = [google_compute_global_address.website.address]
}

# www A record -> load balancer IP
resource "google_dns_record_set" "www_record" {
  provider     = google
  name         = "www.${google_dns_managed_zone.my_dns_zone.dns_name}"
  type         = "A"
  ttl          = 300
  managed_zone = google_dns_managed_zone.my_dns_zone.name
  rrdatas      = [google_compute_global_address.website.address]
}

# Create HTTPS certificate
# The record names carry the zone's trailing dot ("kade-bc.com."); the provider
# accepts that form for managed certificate domains.
resource "google_compute_managed_ssl_certificate" "website" {
  provider = google
  name     = "website-cert"
  managed {
    domains = [google_dns_record_set.website.name, google_dns_record_set.www_record.name]
  }
}

# Add the bucket as a CDN backend
resource "google_compute_backend_bucket" "website" {
  provider    = google
  name        = "website-backend"
  description = "Contains files needed by the website"
  bucket_name = google_storage_bucket.my_bucket.name
  enable_cdn  = true
}

# GCP URL MAP
resource "google_compute_url_map" "website" {
  provider        = google
  name            = "website-url-map"
  default_service = google_compute_backend_bucket.website.self_link
}

# HTTPS access
resource "google_compute_target_https_proxy" "website" {
  provider         = google
  name             = "website-target-proxy"
  url_map          = google_compute_url_map.website.self_link
  ssl_certificates = [google_compute_managed_ssl_certificate.website.self_link]
}

# GCP forwarding rule for HTTPS
resource "google_compute_global_forwarding_rule" "default" {
  provider              = google
  name                  = "website-forwarding-rule"
  load_balancing_scheme = "EXTERNAL"
  ip_address            = google_compute_global_address.website.address
  ip_protocol           = "TCP"
  port_range            = "443"
  target                = google_compute_target_https_proxy.website.self_link
}

# HTTP access
resource "google_compute_target_http_proxy" "website_http" {
  provider = google
  name     = "website-target-http-proxy"
  url_map  = google_compute_url_map.website.self_link
}

# GCP forwarding rule for HTTP
resource "google_compute_global_forwarding_rule" "http" {
  provider              = google
  name                  = "website-forwarding-rule-http"
  load_balancing_scheme = "EXTERNAL"
  ip_address            = google_compute_global_address.website.address
  ip_protocol           = "TCP"
  port_range            = "80"
  target                = google_compute_target_http_proxy.website_http.self_link
}
I've waited for the DNS records to propagate; I've checked that the domain resolves to the correct IP using nslookup; I changed my CNAME record (www.kade-bc.com) to be an A record pointing to the load balancer; and I tested using HTTP (the connection works fine). I expect the certificate to provision without issues, but nothing changed and the status is still FAILED_NOT_VISIBLE for the domains.
You have a DNS problem.
Neither kade-bc.com nor www.kade-bc.com is configured correctly or works.
Your Terraform is creating an empty zone for kade-bc.com.
Step 1: Verify the Registrar Settings. Go to whois and verify the Name Servers.
Output:
ns-cloud-d1.googledomains.com
ns-cloud-d2.googledomains.com
ns-cloud-d3.googledomains.com
ns-cloud-d4.googledomains.com
Go to Google Cloud DNS and find the DNS name kade-bc.com. Click on that record and view the Routing data. The servers listed should match the Registrar settings above.
If the Registrar configuration does not match the Google Cloud DNS servers allocated to your hosted zone, then update the Registrar settings at Squarespace Domains. You must wait about 24 hours before testing again.
If the zone does not exist, you will need to create it and then update the Registrar with the correct name server entries. Then wait before testing.
The following link is an excellent tool for testing DNS resource records:
Problem #2.
Your Terraform HCL is creating the hosted zone. Instead of using the Resource google_dns_managed_zone, you should use the Data Source google_dns_managed_zone.

# Look up the zone that already exists (and that the registrar already delegates to)
# instead of creating a new one with a different set of name servers.
data "google_dns_managed_zone" "env_dns_zone" {
  name = "name-of-zone"
}
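The comparison the answer walks through by hand (registrar name servers from whois versus the name servers Cloud DNS assigned to the zone) can be scripted. The following is an added example, not code from the original question or answer. It assumes whois and gcloud are installed and authenticated, that the zone is named "my-zone" as in the question, and that whois prints the delegation as "Name Server:" lines, which is what the .com registry whois returns.

```shell
#!/bin/sh
# Added example: does the public delegation of a domain match the Cloud DNS zone?
# Assumes: whois + gcloud on PATH, zone name "my-zone" (from the question).
set -e

# Normalize a whitespace-separated list of name servers so that case, trailing
# dots and ordering do not produce false mismatches.
normalize_ns() {
  tr '[:upper:]' '[:lower:]' | tr -s '[:space:]' '\n' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# ns_match "<list a>" "<list b>": exit 0 if both normalize to the same set.
ns_match() {
  a=$(printf '%s\n' "$1" | normalize_ns)
  b=$(printf '%s\n' "$2" | normalize_ns)
  [ "$a" = "$b" ]
}

# Name servers the registrar publishes for the domain. This is what the rest of
# the internet (including Google's certificate validation) follows, unlike the
# answer from whatever recursive resolver nslookup happened to use.
registrar_ns() {
  whois "$1" | grep -i 'name server' | awk '{print $NF}'
}

# Name servers Cloud DNS assigned to the zone Terraform created.
cloud_dns_ns() {
  gcloud dns managed-zones describe "$1" --format='value(nameServers)' | tr ';' '\n'
}

# check_delegation <domain> <cloud-dns-zone-name>: exit 0 on match, 1 on mismatch.
check_delegation() {
  domain=$1
  zone=$2
  parent=$(registrar_ns "$domain")
  zone_ns=$(cloud_dns_ns "$zone")
  if ns_match "$parent" "$zone_ns"; then
    echo "OK: $domain is delegated to the name servers of Cloud DNS zone $zone"
    return 0
  fi
  echo "MISMATCH: the registrar delegates $domain to:"
  printf '%s\n' "$parent" | normalize_ns
  echo "but Cloud DNS zone $zone is served by:"
  printf '%s\n' "$zone_ns" | normalize_ns
  return 1
}

# Usage: sh check_delegation.sh kade-bc.com my-zone
if [ $# -eq 2 ]; then
  check_delegation "$1" "$2"
fi
```

A MISMATCH result is exactly the situation the answer describes: the A records live in a zone nobody is delegated to, so a local nslookup can succeed (cached data, or a resolver that was pointed at the new zone) while Google's validator never sees the record and the certificate stays FAILED_NOT_VISIBLE. After fixing the registrar entries, rerun the check rather than relying on nslookup.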