I'm hoping someone can point me in the right direction with a question on the Google provider. I'm trying to set up an HTTPS Load Balancer which routes to a Compute Engine MIG running a gRPC endpoint. I've got traffic flowing to the endpoint now, but I can't find a Terraform way to implement Mutual TLS.

I'm trying to follow this document from Google Cloud, but when I get to the step Create a TrustConfig Resource I become a bit uncertain. Would that be this one?

resource "google_certificate_manager_certificate" "default" {
  count       = local.create_grpc_load_balancer
  name        = "${local.grpc_load_balancer_name}-cert"
  description = "Mutual-TLS Enabled Cert"
  scope       = "DEFAULT"
  self_managed {
    pem_certificate = var.tcp_lb_cert
    pem_private_key = var.tcp_lb_private_key
  }
}

Then the next step is Create the Network Security Resources. Here I'm even more uncertain on what the correct resource is. Would google_network_security_client_tls_policy be correct? And if so, what's the correct setup for setting clientValidationMode and clientValidationTrustConfig as detailed in Create the Network Security Resources?

Josh G
  • JLYK, you may find some helpful examples at https://github.com/terraform-google-modules/terraform-docs-samples/tree/main/lb – sam Jun 27 '23 at 16:16

1 Answer


I got an answer from elsewhere:

To implement Mutual TLS (mTLS) for your HTTPS Load Balancer with the Google Terraform provider, the google_certificate_manager_certificate resource is the correct resource to use.

resource "google_compute_ssl_certificate" "self_signed" {
  name        = "self-signed-certificate"
  private_key = tls_private_key.self_signed.private_key_pem
  certificate = tls_self_signed_cert.self_signed.cert_pem
}

This configuration uses a self-signed certificate generated using the Terraform TLS provider and then creates a Google Compute Engine SSL certificate resource using the generated private key and certificate.

As for the Network Security Resources, you should use the google_network_security_client_tls_policy resource to define the client TLS policy and configure the clientValidationMode and clientValidationTrustConfig.

Here's an example configuration for the google_network_security_client_tls_policy resource:

resource "google_network_security_client_tls_policy" "example" {
  name                  = "example-policy"
  description           = "Mutual TLS Policy"
  client_validation_ca  = google_compute_ssl_certificate.self_signed.self_link
  client_validation_crl = null  # Optional, specify if you have a Certificate Revocation List (CRL)

  # The following settings control how clients are validated
  client_validation_mode = "MODE_MUTUAL"

  client_validation_trust_config {
    certificate_provider_instance = "projects/YOUR_PROJECT_ID/locations/YOUR_LOCATION/certificateProviderInstances/YOUR_CERT_PROVIDER_INSTANCE"
  }
}

In this configuration, you set the client_validation_ca parameter to the self-signed certificate you created earlier. You can also specify a Certificate Revocation List (CRL) if needed.

The client_validation_trust_config block is where you configure the trust for the client certificate. You need to specify the certificate_provider_instance for the appropriate certificate provider instance in your project.

Make sure to replace the placeholder values (YOUR_PROJECT_ID, YOUR_LOCATION, YOUR_CERT_PROVIDER_INSTANCE) with your actual values.

Remember to adjust these configurations to fit your specific setup and requirements.

Last (but not least), to attach this policy to your load balancer, you can provide it via the backend service resource in the security_policy argument like this:

resource "google_compute_backend_service" "example" {
  name              = "example-backend-service"
  port              = 8080  # Update with the appropriate port for your gRPC endpoint
  protocol          = "GRPC"

  backend {
    group = google_compute_instance_group.example.self_link
  }

  security_policy = google_network_security_client_tls_policy.example.self_link
}
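For the two steps the question asks about (the TrustConfig resource and the Network Security resource that carries clientValidationMode and clientValidationTrustConfig), the following is an added example and not code from the question or the answer above: in the Google provider the client-certificate validation for a load balancer is expressed with google_certificate_manager_trust_config plus a google_network_security_server_tls_policy (with an mtls_policy block), attached to the google_compute_target_https_proxy. It assumes the client CA PEM is at ./client-ca.pem and that a URL map and server certificate already exist under the names used.

```hcl
# Added example, not from the question or answer. Assumptions: the client CA
# PEM lives at ./client-ca.pem, the project is read via data.google_project,
# and google_compute_url_map.grpc / google_compute_ssl_certificate.grpc exist.

data "google_project" "project" {}

# Step "Create a TrustConfig resource": the CA(s) whose client certificates
# the load balancer will accept.
resource "google_certificate_manager_trust_config" "mtls" {
  name        = "grpc-lb-client-ca-trust"
  description = "Client CA for mTLS on the gRPC HTTPS load balancer"
  location    = "global"

  trust_stores {
    trust_anchors {
      pem_certificate = file("${path.module}/client-ca.pem") # assumed path
    }
  }
}

# Step "Create the Network Security resources": the *server* TLS policy holds
# clientValidationMode and clientValidationTrustConfig. REJECT_INVALID closes
# the connection when the client presents no certificate or one that does not
# chain to the trust config; ALLOW_INVALID_OR_MISSING_CLIENT_CERT lets the
# request through so the backend can decide, which is the weaker choice.
resource "google_network_security_server_tls_policy" "mtls" {
  name        = "grpc-lb-mtls-policy"
  description = "Require a valid client certificate"
  location    = "global"
  allow_open  = false

  mtls_policy {
    client_validation_mode         = "REJECT_INVALID"
    client_validation_trust_config = "projects/${data.google_project.project.number}/locations/global/trustConfigs/${google_certificate_manager_trust_config.mtls.name}"
  }
}

# The policy is attached to the HTTPS proxy via server_tls_policy; a backend
# service's security_policy argument refers to Cloud Armor, not TLS.
resource "google_compute_target_https_proxy" "grpc" {
  name              = "grpc-lb-https-proxy"
  url_map           = google_compute_url_map.grpc.id           # assumed existing
  ssl_certificates  = [google_compute_ssl_certificate.grpc.id] # assumed existing
  server_tls_policy = google_network_security_server_tls_policy.mtls.id
}
```

After `terraform apply`, a connection that presents no client certificate, or one not issued by the CA in the trust config, is rejected at the proxy before reaching the MIG.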