apigee-x-mtls-mig
# Managed Instance Group with Client Authentication (mTLS)

A managed instance group (MIG) that runs an Envoy proxy to terminate mTLS before the traffic is sent to Apigee via one-way TLS.

Note that by default Envoy does not forward the client certificate to the upstream service: the mTLS handshake ends at the proxy, so Apigee only sees the proxy's one-way TLS connection. To make the certificate available to the API proxy, add a request header in the Envoy route configuration whose value is the `%DOWNSTREAM_PEER_CERT%` command operator (the client certificate as URL-encoded PEM). Because this header is set by Envoy rather than by the caller, Apigee must only trust it on traffic that arrives from this MIG, and the header option should overwrite, not append to, any value of the same name that a client sends itself.

```yaml
route_config:
    name: local_route
    request_headers_to_add:
    - header:
        key: "x-raw-client-cert"
        value: "%DOWNSTREAM_PEER_CERT%"   # client certificate as URL-encoded PEM
```
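A complete Envoy listener and cluster around that snippet, as an added example and not the blueprint's own `envoy_config` object: the listener requires a client certificate chained to the CA, forwards the certificate and its SHA-256 fingerprint in headers that overwrite anything the caller sent, and talks one-way TLS to Apigee. The file paths under `/etc/envoy/`, the Apigee endpoint IP `10.0.0.2`, the hostname `api.example.com` and the system CA bundle path are assumptions, not values from the module.

```yaml
# Added example config (not the module's own). Paths, IP and hostname are placeholders.
static_resources:
  listeners:
  - name: mtls_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          # Close the handshake for any client that presents no certificate, so the
          # forwarded header is never empty on a request that reaches Apigee.
          require_client_certificate: true
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: /etc/envoy/tls.crt }   # server cert (tls_cert_path)
              private_key: { filename: /etc/envoy/tls.key }         # server key (tls_key_path)
            validation_context:
              # Client certificates must chain to this CA (ca_cert_path).
              trusted_ca: { filename: /etc/envoy/ca.crt }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_mtls
          route_config:
            name: local_route
            request_headers_to_add:
            - header:
                key: x-raw-client-cert
                value: "%DOWNSTREAM_PEER_CERT%"            # URL-encoded PEM
              # The default action appends, which would leave a caller-supplied
              # x-raw-client-cert value in front of the real one. Overwrite instead.
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
            - header:
                key: x-client-cert-fingerprint
                value: "%DOWNSTREAM_PEER_FINGERPRINT_256%"  # hex SHA-256 of the client cert
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
            virtual_hosts:
            - name: apigee
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: apigee }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: apigee
    type: STATIC
    connect_timeout: 5s
    load_assignment:
      cluster_name: apigee
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 10.0.0.2, port_value: 443 }   # endpoint_ip
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: api.example.com   # Apigee environment group hostname
        common_tls_context:
          # Without a validation_context Envoy accepts any upstream certificate;
          # pin the CA bundle and the expected SAN so the one-way TLS hop is verified.
          validation_context:
            trusted_ca: { filename: /etc/ssl/certs/ca-certificates.crt }
            match_typed_subject_alt_names:
            - san_type: DNS
              matcher: { exact: api.example.com }
```

On the Apigee side the `x-raw-client-cert` value has to be URL-decoded before it is parsed as PEM; the fingerprint header is the cheaper value to compare against an allow list. A quick check of the proxy is `curl --cert client.crt --key client.key https://<mig-address>/` succeeding while the same call without `--cert` fails during the TLS handshake rather than with an HTTP error, which confirms that `require_client_certificate` is enforced.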

## Providers

| Name | Version |
|---|---|
| google | >= 4.20.0 |
| random | n/a |

## Modules

| Name | Source | Version |
|---|---|---|
| apigee-mtls-proxy-mig | github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-mig | v28.0.0 |
| apigee-mtls-proxy-template | github.com/terraform-google-modules/cloud-foundation-fabric//modules/compute-vm | v28.0.0 |
| config-bucket | github.com/terraform-google-modules/cloud-foundation-fabric//modules/gcs | v28.0.0 |
| mtls-proxy-sa | github.com/terraform-google-modules/cloud-foundation-fabric//modules/iam-service-account | v28.0.0 |
| nat | github.com/terraform-google-modules/cloud-foundation-fabric//modules/net-cloudnat | v28.0.0 |

## Resources

| Name | Type |
|---|---|
| google_storage_bucket_object.ca_cert | resource |
| google_storage_bucket_object.envoy_config | resource |
| google_storage_bucket_object.setup_script | resource |
| google_storage_bucket_object.tls_cert | resource |
| google_storage_bucket_object.tls_key | resource |
| random_id.bucket | resource |

## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| autoscaler_config | Optional autoscaler configuration. Only one of `cpu_utilization_target`, `load_balancing_utilization_target` or `metric` can be not null. | `object({...})` (full type below) | `null` | no |
| ca_cert_path | Local path of the CA certificate file used to validate client certificates (client authentication). | `string` | n/a | yes |
| endpoint_ip | Apigee X instance endpoint IP. | `string` | n/a | yes |
| machine_type | GCE machine type. | `string` | `"e2-small"` | no |
| network | VPC network for running the MIGs (needs to be peered with the Apigee tenant project). | `string` | n/a | yes |
| network_tags | Network tags for the mTLS MIG. | `list(string)` | n/a | yes |
| project_id | GCP project id. | `string` | n/a | yes |
| region | GCP region for the MIGs. | `string` | n/a | yes |
| subnet | VPC subnet for running the MIGs. | `string` | n/a | yes |
| target_size | Group target size, leave null when using an autoscaler. | `number` | `2` | no |
| tls_cert_path | Local path of the TLS certificate file presented by the proxy to clients. | `string` | n/a | yes |
| tls_key_path | Local path of the TLS private key file matching `tls_cert_path`. | `string` | n/a | yes |

Full type of `autoscaler_config`:

```hcl
object({
  max_replicas                      = number
  min_replicas                      = number
  cooldown_period                   = number
  cpu_utilization_target            = number
  load_balancing_utilization_target = number
  metric = object({
    name                       = string
    single_instance_assignment = number
    target                     = number
    type                       = string # GAUGE, DELTA_PER_SECOND, DELTA_PER_MINUTE
    filter                     = string
  })
})
```

## Outputs

| Name | Description |
|---|---|
| instance_group | Proxy MIGs for mTLS termination |