Tags: google-cloud-platform, terraform

How to use GCP Backend Bucket with regional subnet using terraform


I am trying to create a backend bucket to serve a website behind a regional subnet. However, it doesn't seem to be working. Here is my Terraform config.

resource "random_id" "bucket_prefix" {
  byte_length = 8
}

resource "google_storage_bucket" "static_site" {
  name                        = "${var.name}-${random_id.bucket_prefix.hex}-${var.environment}"
  project                     = var.project_id
  location                    = "us-east4"
  force_destroy               = true
  uniform_bucket_level_access = false
  public_access_prevention    = "enforced"
  storage_class               = "STANDARD"
  website {
    main_page_suffix = "index.html"
  }
  versioning {
    enabled = true
  }
  cors {
    origin          = ["*"]
    method          = ["GET"]
    response_header = ["*"]
    max_age_seconds = 3600
  }
}

resource "google_compute_global_address" "default" {
  project    = var.project_id
  name       = "${var.name}-address-${var.environment}"
  ip_version = "IPV4"
}

resource "google_dns_record_set" "default" {
  project      = var.project_id
  name         = "${var.name}.${var.zone}"
  type         = "A"
  ttl          = 300
  managed_zone = var.zone
  rrdatas      = [google_compute_global_address.default.address]
}


resource "google_compute_backend_bucket" "default" {
  project     = var.project_id
  name        = "${var.name}-backend-bucket-${var.environment}"
  description = "The back end bucket for the ${var.name} web app."
  bucket_name = google_storage_bucket.static_site.name
}

resource "google_compute_region_url_map" "default" {
  project         = var.project_id
  region          = "us-east4"
  name            = "${var.name}-url-map-${var.environment}"
  default_service = google_compute_backend_bucket.default.id
  depends_on      = [google_compute_backend_bucket.default]
}

resource "google_compute_region_target_https_proxy" "default" {
  project          = var.project_id
  name             = var.name
  region           = "us-east4"
  url_map          = google_compute_region_url_map.default.self_link
  ssl_certificates = ["https://www.googleapis.com/compute/v1/projects/${var.project_id}/regions/us-east4/sslCertificates/${var.ssl_certificate}"]
}

resource "google_compute_forwarding_rule" "default" {
  project               = var.project_id
  name                  = "${var.name}-forwarding-rule-${var.environment}"
  load_balancing_scheme = "INTERNAL_MANAGED"
  region                = "us-east4"
  ip_protocol           = "TCP"
  port_range            = "443"
  target                = google_compute_region_target_https_proxy.default.self_link
  network               = data.google_compute_network.gcp_network.self_link
  subnetwork            = "projects/NETWORK_PROJECT_ID/regions/us-east4/subnetworks/SUBNET_NAME"
}

When I look at the TF Plan, the path to the backend bucket seems to be correct:

  + resource "google_compute_region_url_map" "default" {
      + creation_timestamp = (known after apply)
      + default_service    = "projects/MY_PROJECT_ID/global/backendBuckets/${var.name}-backend-bucket-${var.environment}"
      + fingerprint        = (known after apply)
      + id                 = (known after apply)
      + map_id             = (known after apply)
      + name               = "NAME"
      + project            = "MY_PROJECT_ID"
      + region             = "us-east4"
      + self_link          = (known after apply)
    }

However, when I run TF Apply I get an error because the path to the backend bucket seems to change:

│ Error: Error creating RegionUrlMap: googleapi: Error 404: The resource 'projects/MY_PROJECT_ID/regions/us-east4/backendServices/${var.name}-backend-bucket-${var.environment}' was not found, notFound

All I want to do is host a static site behind a private subnet, so it is only accessible via my VPN. I did contact GCP support and the only thing they told me is this:

This is because Backend buckets are not supported with Regional internal Application Load Balancer [1]. You can refer to the information on the backend features supported by internal Application Load Balancers in each mode here [2].

They won't help me beyond this.

To conclude, I only have 2 questions:

  1. Can I get my Terraform to work so that I can host a static site in a bucket behind a regional subnet?
  2. If I can't, how can I host a static site behind my subnet?

As a quick note, I can't use Cloud Run or Cloud Functions because my company has locked those services down.

Thank you!


Solution

  • I have an answer for anyone else struggling with this, but not a great one. I got in touch with Google support, which boils down to GCP not supporting this. If you want a backend bucket, it must be global. There is no real way to serve traffic to a bucket in a single region. The workaround would be to host an Nginx proxy in a compute engine instance. Hopefully, GCP will support this workflow soon.
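The workaround from the answer above, as an added Terraform example that is not part of the original question or answer: the regional URL map is pointed at a regional backend service backed by a managed instance group of Nginx proxies instead of the global backend bucket. It assumes var.project_id, var.name and var.environment from the question, plus an existing google_compute_instance_template.nginx whose startup script installs Nginx and reads the bucket with the instance's service account (public_access_prevention is enforced on the bucket, so the proxy must authenticate rather than proxy anonymously).

```hcl
resource "google_compute_region_health_check" "nginx" {
  project = var.project_id
  name    = "${var.name}-nginx-hc-${var.environment}"
  region  = "us-east4"
  http_health_check {
    port         = 80
    request_path = "/healthz" # assumed endpoint served by the Nginx config
  }
}

# MIG of Nginx proxies; google_compute_instance_template.nginx is assumed to
# exist and to run a service account holding only roles/storage.objectViewer.
resource "google_compute_region_instance_group_manager" "nginx" {
  project            = var.project_id
  name               = "${var.name}-nginx-mig-${var.environment}"
  region             = "us-east4"
  base_instance_name = "${var.name}-nginx"
  target_size        = 2
  version {
    instance_template = google_compute_instance_template.nginx.id
  }
  named_port {
    name = "http"
    port = 80
  }
}

# Regional backend service: unlike a backend bucket, a regional URL map can reference this.
resource "google_compute_region_backend_service" "nginx" {
  project               = var.project_id
  name                  = "${var.name}-nginx-backend-${var.environment}"
  region                = "us-east4"
  load_balancing_scheme = "INTERNAL_MANAGED"
  protocol              = "HTTP"
  port_name             = "http"
  health_checks         = [google_compute_region_health_check.nginx.id]
  backend {
    group           = google_compute_region_instance_group_manager.nginx.instance_group
    balancing_mode  = "UTILIZATION"
    capacity_scaler = 1.0
  }
}

# The URL map now targets a regional resource, so the notFound error from the question goes away.
resource "google_compute_region_url_map" "default" {
  project         = var.project_id
  region          = "us-east4"
  name            = "${var.name}-url-map-${var.environment}"
  default_service = google_compute_region_backend_service.nginx.id
}
```

The regional internal Application Load Balancer also needs a proxy-only subnet (purpose REGIONAL_MANAGED_PROXY) in the same region and VPC, and a firewall rule allowing the health-check source ranges 130.211.0.0/22 and 35.191.0.0/16 to reach port 80 on the instances. The forwarding rule, target HTTPS proxy and DNS record from the question stay as they are; only the URL map's default_service changes.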