Can't set up the GCP's external load balancer to work correctly with Terraform

I want to use Terraform to build an infrastructure consisting of an external load balancer (LB) and a MIG with 3 VMs. The LB should only be reachable from my IP (through port 8022). Each VM in the MIG should run a server listening on 8080. In addition, I want to set up health checks for the MIG. To achieve this, I used the following Terraform modules: "GoogleCloudPlatform/lb-http/google" and "terraform-google-modules/vm/google//modules/mig". Unfortunately, after running the terraform apply command, all health checks fail and the LB is not reachable.

I will put my code later in this post, but first I would like to understand the different attributes of the modules I referenced above:

  1. Does the MIG module's named_ports attribute refer to the port my server runs on? In my case, 8080
  2. Does the MIG module's health_check attribute refer to the VMs in the MIG? If so, I assume the port attribute of health_check should refer to the port the server runs on, again 8080
  3. Does the LB module's backends attribute refer to the VMs in the MIG? Should the port attribute of default again point to 8080?
  4. Finally, the LB module's health_check attribute is the same as the MIG's, right? Once again, the specified port should be 8080
  5. Should the firewall rule that allows health checks (see below) be applied to the LB or to the MIG?

Here is the main.tf file:

data "external" "my_ip_addr" {
  program = ["/bin/bash", "${path.module}/getip.sh"]
}


resource "google_project_service" "project" {
  // ...
}

resource "google_service_account" "service-acc" {
  // ...
}

resource "google_compute_network" "vpc-network" {
  project = var.pro
  name = var.network_name
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "subnetwork" {
  name = "subnetwork"
  ip_cidr_range = "10.0.101.0/24"
  region = var.region
  project = var.pro
  stack_type = "IPV4_ONLY"
  network = google_compute_network.vpc-network.self_link
}

resource "google_compute_firewall" "allow-internal" {
  name    = "allow-internal"
  project = var.pro
  network = google_compute_network.vpc-network.self_link
  allow {
    protocol = "tcp"
    ports = ["80"]
  }
  source_ranges = ["10.0.101.0/24"]
}

resource "google_compute_firewall" "allow-ssh" {
  project = var.pro
  name          = "allow-ssh"
  direction     = "INGRESS"
  network       = google_compute_network.vpc-network.self_link
  allow {
    protocol = "tcp"
    ports = ["22"]
  }
  target_tags   = ["allow-ssh"] 
  source_ranges = [format("%s/%s", data.external.my_ip_addr.result["internet_ip"], 32)]
}

resource "google_compute_address" "static" {
  project = var.pro
  region = var.region
  name = "ipv4-address"
}

resource "google_compute_instance" "ssh-vm" {
  name = "ssh-vm"
  machine_type = "e2-standard-2"
  project = var.pro
  tags = ["allow-ssh"]
  zone = "europe-west1-b"

  boot_disk {
    initialize_params {
      image = "ubuntu-2004-focal-v20221213"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.subnetwork.self_link
    access_config {
      nat_ip = google_compute_address.static.address
    }
  }

  metadata = {
    startup-script = <<-EOF
        #!/bin/bash
        sudo snap install docker
        sudo docker version > file1.txt
        sleep 5
        sudo docker run -d --rm -p ${var.server_port}:${var.server_port} \
        busybox sh -c "while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; \
        echo 'yo'; } | nc -l -p ${var.server_port}; done"
        EOF
  }

}

module "instance_template" {
  source = "terraform-google-modules/vm/google//modules/instance_template"
  version = "7.9.0"
  region = var.region
  project_id = var.pro
  network = google_compute_network.vpc-network.self_link
  subnetwork = google_compute_subnetwork.subnetwork.self_link
  service_account = {
    email = google_service_account.service-acc.email
    scopes = ["cloud-platform"]
  }

  name_prefix = "webserver"
  tags = ["template-vm", "allow-ssh"]
  machine_type = "e2-standard-2"
  startup_script = <<-EOF
  #!/bin/bash
  sudo snap install docker
  sudo docker version > docker_version.txt
  sleep 5
  sudo docker run -d --rm -p ${var.server_port}:${var.server_port} \
  busybox sh -c "while true; do { echo -e 'HTTP/1.1 200 OK\r\n'; \
  echo 'yo'; } | nc -l -p ${var.server_port}; done"
  EOF
  source_image = "https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/images/ubuntu-2004-focal-v20221213"
  disk_size_gb = 10
  disk_type = "pd-balanced"
  preemptible = true

}

module "vm_mig" {
  source  = "terraform-google-modules/vm/google//modules/mig"
  version = "7.9.0"
  project_id = var.pro
  region = var.region
  target_size = 3
  instance_template = module.instance_template.self_link
  // a load balancer sends incoming traffic to the group via the named ports
  // if a req comes to the LB, send it to the port named http on the vms
  named_ports = [{
    name = "http"
    port = 80
  }]
  health_check = {
    type = "http"
    initial_delay_sec = 30
    check_interval_sec = 30
    healthy_threshold = 1
    timeout_sec = 10
    unhealthy_threshold = 5
    response = ""
    proxy_header = "NONE"
    port = 80
    request = ""
    request_path = "/"
    host = ""
  }
  network = google_compute_network.vpc-network.self_link
  subnetwork = google_compute_subnetwork.subnetwork.self_link
}

module "gce-lb-http" {
  source            = "GoogleCloudPlatform/lb-http/google"
  version           = "~> 4.4"
  project           = var.pro
  name              = "group-http-lb"
  // This tag must match the tag from the instance template
  // This will create the default health check firewall rule
  // and apply it to the machines tagged with the "template-vm" tag
  target_tags       = ["template-vm"]
  // the name of the network where the default health check will be created
  firewall_networks = [google_compute_network.vpc-network.name]
  backends = {
    default = {
      description                     = null
      port                            = 80
      protocol                        = "HTTP"
      port_name                       = "http"
      timeout_sec                     = 10
      enable_cdn                      = false
      custom_request_headers          = null
      custom_response_headers         = null
      security_policy                 = null
      connection_draining_timeout_sec = null
      session_affinity                = null
      affinity_cookie_ttl_sec         = null

      health_check = {
        check_interval_sec  = null
        timeout_sec         = null
        healthy_threshold   = null
        unhealthy_threshold = null
        request_path        = "/"
        port                = 80
        host                = null
        logging             = null
      }

      log_config = {
        enable = true
        sample_rate = 1.0
      }

      groups = [
        {
          # Each node pool instance group should be added to the backend.
          group                        = module.vm_mig.instance_group
          balancing_mode               = null
          capacity_scaler              = null
          description                  = null
          max_connections              = null
          max_connections_per_instance = null
          max_connections_per_endpoint = null
          max_rate                     = null
          max_rate_per_instance        = null
          max_rate_per_endpoint        = null
          max_utilization              = null
        },
      ]

      iap_config = {
        enable               = false
        oauth2_client_id     = null
        oauth2_client_secret = null
      }
    }
  }
}

I can see you created the firewall rule with the tag var.network_name, but I don't see you adding this tag to your VM/MIG. For the healthcheck firewall to work correctly, you need to add this tag to your MIG.
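
As an added example, not part of the question or the answer above, here is how the MIG, its health check and a health-check firewall rule can be wired so that every port reference points at the port the server actually listens on, and so that the firewall rule's target tag matches the tag on the instance template. It reuses the question's own names (var.pro, var.region, the vpc-network and instance_template resources, the "template-vm" tag) and assumes var.server_port is 8080; the two source ranges are the ranges Google's health checkers probe from.

```hcl
# Added example (not the asker's code). Assumes var.pro, var.region,
# google_compute_network.vpc-network and module.instance_template exist
# as in the question, and that the instance template carries the
# "template-vm" tag.

variable "server_port" {
  description = "Port the container in each MIG instance listens on"
  type        = number
  default     = 8080
}

# Google's health checkers connect from these ranges. The rule is applied
# to the MIG instances through target_tags, so the tag here must be one
# of the tags set on the instance template; otherwise every probe is
# dropped and the instances are reported unhealthy no matter what the
# server answers.
resource "google_compute_firewall" "allow-health-check" {
  name          = "allow-health-check"
  project       = var.pro
  network       = google_compute_network.vpc-network.self_link
  direction     = "INGRESS"
  source_ranges = ["130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["template-vm"]
  allow {
    protocol = "tcp"
    ports    = [tostring(var.server_port)]
  }
}

module "vm_mig" {
  source            = "terraform-google-modules/vm/google//modules/mig"
  version           = "7.9.0"
  project_id        = var.pro
  region            = var.region
  target_size       = 3
  instance_template = module.instance_template.self_link
  network           = google_compute_network.vpc-network.self_link
  subnetwork        = google_compute_subnetwork.subnetwork.self_link

  # The backend service resolves its port_name ("http") through this
  # named port, so it must be the port the container actually listens on.
  named_ports = [{
    name = "http"
    port = var.server_port
  }]

  # This is the MIG's autohealing check; it probes each instance directly,
  # so the port has to match the server port as well.
  health_check = {
    type                = "http"
    initial_delay_sec   = 30
    check_interval_sec  = 30
    healthy_threshold   = 1
    timeout_sec         = 10
    unhealthy_threshold = 5
    response            = ""
    proxy_header        = "NONE"
    port                = var.server_port
    request             = ""
    request_path        = "/"
    host                = ""
  }
}
```

The same var.server_port should be used for backends.default.port and backends.default.health_check.port in the lb-http module, with port_name kept as "http" so that the backend service reaches the instances through the named port above. If the instances still show as unhealthy after terraform apply, the firewall rule is the first thing to check: an instance that cannot be reached from the health-checker ranges on the configured port is reported unhealthy regardless of what the server returns.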
