In order to authenticate to a private GCS bucket, we need to connect the Cloud CDN load balancer through a Backend Service, instead of a Backend Bucket. See Configure private origin authentication for more details.
Kudos to Navya Dwarakanath for her great article https://medium.com/@thetechbytes/private-gcs-bucket-access-through-google-cloud-cdn-430d940ebad9.
| # Variables | |
| locals { | |
| domain = "cdn.yourcdndomain.com" | |
| managed_zone = "yourcdndomain-com" | |
| bucket_name = "private-cdn-test" | |
| } | |
| # Private GCS bucket | |
| resource "google_storage_bucket" "cdn_bucket" { | |
| name = local.bucket_name | |
| location = "US" | |
| storage_class = "MULTI_REGIONAL" | |
| force_destroy = false | |
| uniform_bucket_level_access = true | |
| public_access_prevention = "enforced" | |
| versioning { | |
| enabled = false | |
| } | |
| } | |
| # IP and certificate (will take minutes to hours to provision) | |
| resource "google_compute_global_address" "cdn_ip" { | |
| name = "cdn-ip" | |
| ip_version = "IPV4" | |
| address_type = "EXTERNAL" | |
| } | |
| resource "google_dns_record_set" "cdn_dns_record" { | |
| name = "${local.domain}." | |
| managed_zone = local.managed_zone | |
| rrdatas = [ | |
| google_compute_global_address.cdn_ip.address | |
| ] | |
| ttl = 300 | |
| type = "A" | |
| } | |
| resource "google_compute_managed_ssl_certificate" "cdn_certificate" { | |
| name = "cdn-certificate" | |
| managed { | |
| domains = [ | |
| local.domain, | |
| ] | |
| } | |
| } | |
| # Load Balancer | |
| resource "google_compute_global_network_endpoint_group" "cdn_network_endpoint_group" { | |
| name = "cdn-network-endpoint-group" | |
| network_endpoint_type = "INTERNET_FQDN_PORT" | |
| default_port = 443 | |
| } | |
| resource "google_compute_global_network_endpoint" "cdn_network_endpoint" { | |
| global_network_endpoint_group = google_compute_global_network_endpoint_group.cdn_network_endpoint_group.id | |
| fqdn = "${google_storage_bucket.cdn_bucket.name}.storage.googleapis.com" | |
| port = google_compute_global_network_endpoint_group.cdn_network_endpoint_group.default_port | |
| } | |
| resource "google_compute_backend_service" "cdn_backend_service" { | |
| name = "cdn-backend-service" | |
| description = "Backend service for Google Cloud CDN" | |
| load_balancing_scheme = "EXTERNAL_MANAGED" | |
| compression_mode = "AUTOMATIC" | |
| protocol = "HTTPS" | |
| enable_cdn = true | |
| backend { | |
| group = google_compute_global_network_endpoint_group.cdn_network_endpoint_group.id | |
| } | |
| custom_request_headers = [ | |
| "Host:${google_storage_bucket.cdn_bucket.name}.storage.googleapis.com", | |
| "Cookie:", # unset cookies to avoid HMAC authentication failure | |
| ] | |
| custom_response_headers = [ | |
| "X-Cache-Hit:{cdn_cache_status}" | |
| ] | |
| cdn_policy { | |
| cache_mode = "FORCE_CACHE_ALL" | |
| negative_caching = false | |
| cache_key_policy { | |
| include_host = true | |
| include_query_string = true | |
| } | |
| bypass_cache_on_request_headers { | |
| header_name = "X-Bypass-Cache" | |
| } | |
| } | |
| security_settings { | |
| aws_v4_authentication { | |
| access_key_id = google_storage_hmac_key.cdn_hmac_key.access_id | |
| access_key = google_storage_hmac_key.cdn_hmac_key.secret | |
| origin_region = "us-central1" # dummy region | |
| } | |
| } | |
| } | |
| resource "google_compute_url_map" "cdn_lb" { | |
| name = "cdn-lb" | |
| description = "Load Balancer to redirect requests to bucket backend" | |
| default_service = google_compute_backend_service.cdn_backend_service.id | |
| } | |
| resource "google_compute_target_https_proxy" "cdn_https_proxy" { | |
| name = "cdn-https-proxy" | |
| url_map = google_compute_url_map.cdn_lb.self_link | |
| ssl_certificates = [google_compute_managed_ssl_certificate.cdn_certificate.self_link] | |
| } | |
| resource "google_compute_global_forwarding_rule" "cdn_https_forwarding_rule" { | |
| name = "cdn-https-forwarding-rule" | |
| target = google_compute_target_https_proxy.cdn_https_proxy.self_link | |
| ip_address = google_compute_global_address.cdn_ip.address | |
| load_balancing_scheme = "EXTERNAL_MANAGED" | |
| port_range = "443" | |
| } | |
| # Partial load balancer for https redirects | |
| resource "google_compute_url_map" "cdn_lb_https_redirect" { | |
| name = "cdn-lb-https-redirect" | |
| description = "Partial Load Balancer for HTTPS Redirects" | |
| default_url_redirect { | |
| https_redirect = true | |
| strip_query = false | |
| } | |
| } | |
| resource "google_compute_target_http_proxy" "cdn_http_proxy" { | |
| name = "cdn-http-proxy" | |
| url_map = google_compute_url_map.cdn_lb_https_redirect.id | |
| } | |
| resource "google_compute_global_forwarding_rule" "cdn_http_forwarding_rule" { | |
| name = "cdn-http-forwarding-rule" | |
| target = google_compute_target_http_proxy.cdn_http_proxy.id | |
| ip_address = google_compute_global_address.cdn_ip.id | |
| load_balancing_scheme = "EXTERNAL_MANAGED" | |
| port_range = "80" | |
| } | |
| # Service Account | |
| resource "google_service_account" "cdn_bucket_service_account" { | |
| account_id = "cdn-service-account" | |
| display_name = "CDN Service Account" | |
| } | |
| resource "google_storage_bucket_iam_member" "cdn_bucket_object_reader" { | |
| bucket = google_storage_bucket.cdn_bucket.name | |
| role = "roles/storage.legacyObjectReader" | |
| member = "serviceAccount:${google_service_account.cdn_bucket_service_account.email}" | |
| } | |
| resource "google_storage_hmac_key" "cdn_hmac_key" { | |
| service_account_email = google_service_account.cdn_bucket_service_account.email | |
| } |
Thanks @DingGGu , I've tried it and it's indeed working now 🎉 I've updated the gist based on your snippet!
You can set security_settings via terraform now. (Terraform Google Provider 6.14.1)