Configure GCLB in terraform

deployment/terraform/environments/oss-vdb-test/main.tf

@@ -13,8 +13,14 @@ module "osv_test" {
   affected_commits_backups_bucket                = "osv-test-affected-commits"
   affected_commits_backups_bucket_retention_days = 2
 
-  api_url     = "api.test.osv.dev"
-  esp_version = "2.47.0"
+  website_domain = "test.osv.dev"
+  api_url        = "api.test.osv.dev"
+  esp_version    = "2.47.0"
+}
+
+output "website_dns_records" {
+  description = "DNS records that need to be created for the osv.dev website"
+  value       = module.osv_test.website_dns_records
 }
 
 

deployment/terraform/environments/oss-vdb/main.tf

@@ -13,10 +13,15 @@ module "osv" {
   affected_commits_backups_bucket                = "osv-affected-commits"
   affected_commits_backups_bucket_retention_days = 3
 
-  api_url     = "api.osv.dev"
-  esp_version = "2.47.0"
+  website_domain = "osv.dev"
+  api_url        = "api.osv.dev"
+  esp_version    = "2.47.0"
 }
 
+output "website_dns_records" {
+  description = "DNS records that need to be created for the osv.dev website"
+  value       = module.osv.website_dns_records
+}
 
 terraform {
   backend "gcs" {

deployment/terraform/modules/osv/variables.tf

@@ -57,3 +57,8 @@ variable "esp_version" {
   type        = string
   description = "ESP version to use for OSV API frontend image."
 }
+
+variable "website_domain" {
+  type        = string
+  description = "Domain to serve the OSV website on. Domain ownership and DNS settings must be manually configured."
+}

deployment/terraform/modules/osv/website.tf

@@ -1,3 +1,4 @@
+# Website Cloud Run service
 resource "google_cloud_run_v2_service" "website" {
   project  = var.project_id
   name     = "osv-website"
@@ -32,4 +33,122 @@ resource "google_cloud_run_service_iam_binding" "website" {
   ]
 }
 
-# TODO: Set up Google Cloud Load Balancing + Network Endpoint Group (NEG)
+# SSL Certificates
+resource "google_certificate_manager_dns_authorization" "website" {
+  project     = var.project_id
+  name        = "website-dnsauth"
+  description = "The dns auth for the osv.dev website"
+  domain      = var.website_domain
+}
+
+resource "google_certificate_manager_certificate" "website" {
+  project     = var.project_id
+  name        = "website-cert"
+  description = "The osv.dev website cert"
+  managed {
+    domains = [var.website_domain, "*.${var.website_domain}"]
+    dns_authorizations = [
+      google_certificate_manager_dns_authorization.website.id
+    ]
+  }
+  lifecycle {
+    replace_triggered_by = [google_certificate_manager_dns_authorization.website.id]
+  }
+}
+
+resource "google_certificate_manager_certificate_map" "website" {
+  project     = var.project_id
+  name        = "website-certmap"
+  description = "osv.dev website certificate map"
+}
+
+resource "google_certificate_manager_certificate_map_entry" "website" {
+  project      = var.project_id
+  name         = "website-certmap-entry"
+  description  = "osv.dev website certificate map entry"
+  map          = google_certificate_manager_certificate_map.website.name
+  certificates = [google_certificate_manager_certificate.website.id]
+  hostname     = var.website_domain
+
+  lifecycle {
+    replace_triggered_by = [google_certificate_manager_certificate_map.website.id, google_certificate_manager_certificate.website.id]
+  }
+}
+
+# Load Balancer
+module "gclb" {
+  source  = "terraform-google-modules/lb-http/google//modules/serverless_negs"
+  version = "~> 10.0"
+
+  name    = "website"
+  project = var.project_id
+
+  enable_ipv6         = true
+  create_ipv6_address = true
+  ssl                 = true
+  certificate_map     = google_certificate_manager_certificate_map.website.id
+
+  load_balancing_scheme = "EXTERNAL_MANAGED"
+
+  backends = {
+    default = {
+      groups = [
+        {
+          # TODO(michaelkedar): Replace with Cloud Run when ready
+          group = google_compute_region_network_endpoint_group.appengine_neg.id
+        }
+      ]
+      protocol   = "HTTPS"
+      enable_cdn = true
+      cdn_policy = {
+        cache_key_policy = {
+          include_host         = true
+          include_protocol     = true
+          include_query_string = true
+        }
+        signed_url_cache_max_age_sec = 0
+      }
+
+      iap_config = {
+        enable = false
+      }
+      log_config = {
+        enable = false
+      }
+    }
+  }
+}
+
+resource "google_compute_region_network_endpoint_group" "serverless_neg" {
+  project               = var.project_id
+  name                  = "serverless-neg"
+  network_endpoint_type = "SERVERLESS"
+  region                = google_cloud_run_v2_service.website.location
+  cloud_run {
+    service = google_cloud_run_v2_service.website.name
+  }
+}
+
+resource "google_compute_region_network_endpoint_group" "appengine_neg" {
+  project               = var.project_id
+  name                  = "appengine-neg"
+  network_endpoint_type = "SERVERLESS"
+  region                = google_app_engine_application.app.location_id
+  app_engine {}
+}
+
+# Output all the DNS records required for the website in one place. 
+output "website_dns_records" {
+  description = "DNS records that need to be created for the osv.dev website"
+  value = concat([
+    {
+      data = module.gclb.external_ip
+      name = "${var.website_domain}."
+      type = "A"
+    },
+    {
+      data = module.gclb.external_ipv6_address
+      name = "${var.website_domain}."
+      type = "AAAA"
+  }], google_certificate_manager_dns_authorization.website.dns_resource_record)
+}