How to set up a wildcard cert with Google Load Balancer (GLB) using Pulumi


I've been using certs with Google load balancers deployed with Pulumi, but it seems the certificates need to be FQDN addresses and don't support wildcard subdomains. Ideally, if I could get example Pulumi code, that would be great.

I tried searching for solutions but couldn't find any example code.

Owen C

After finding these articles:

  1. How to generate Google-managed certificates for wildcard hostnames in GCP?
  2. https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth#gcloud

I was able to craft the equivalent Pulumi code as follows (posting to share with others):

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const env = "prod"; // used in the resource names further down

// The URL map (and the backend services behind it) is defined elsewhere in
// the program and is not shown here; it is assumed to be in scope as
// `ingressLbUrlmap`.

// DNS authorization for the base domain. The exported `dnsResourceRecords`
// (a CNAME) must be created in the domain's DNS zone before Google can
// validate the domain and issue the certificate.
const ingressDnsAuthorization = new gcp.certificatemanager.DnsAuthorization(
  `prod-ingress-dns-auth`,
  {
    description: `prod wildcard ingress dns authorization`,
    domain: `foo-prod.exampledomain.com`, // root subdomain to be wildcard-ed
  }
);
export const ingressDnsAuth = ingressDnsAuthorization.dnsResourceRecords;

// Google-managed certificate covering both the wildcard and the root domain.
// A wildcard name only matches one label, so the root is listed separately.
const ingressCert = new gcp.certificatemanager.Certificate(
  `prod-ingress-cert`,
  {
    description: `prod wildcard ingress cert`,
    scope: "DEFAULT",
    managed: {
      domains: [
        pulumi.interpolate`*.${ingressDnsAuthorization.domain}`, // wildcard subdomain
        ingressDnsAuthorization.domain, // root subdomain
      ],
      dnsAuthorizations: [ingressDnsAuthorization.id],
    },
  }
);

// Certificate map: the proxy references the map, and the map entry selects
// the certificate. "PRIMARY" makes this the default entry for any hostname.
const ingressCertMap = new gcp.certificatemanager.CertificateMap(
  `prod-ingress-cert-map`,
  {
    description: `prod cert map`,
  }
);
const ingressCertMapEntry = new gcp.certificatemanager.CertificateMapEntry(
  `prod-ingress-cert-map-entry`,
  {
    description: `prod cert map entry`,
    map: ingressCertMap.name,
    certificates: [ingressCert.id],
    matcher: "PRIMARY",
  }
);

// ingress Https Proxy. `certificateMap` expects a full resource URL, which is
// why the Certificate Manager id is prefixed with the service host.
const ingressHttpsProxy = new gcp.compute.TargetHttpsProxy(
  `prod-example-domain-ingress-https-proxy`,
  {
    urlMap: ingressLbUrlmap.id,
    certificateMap: pulumi.interpolate`//certificatemanager.googleapis.com/${ingressCertMap.id}`,
  }
);

// ingress GLB Fwd Rule (FrontEnd): reserved global IP plus a forwarding rule
// that sends TCP/443 to the HTTPS proxy.
const ingressIP = new gcp.compute.GlobalAddress(
  `${env}-example-domain-ingress-lb-ip`,
  {}
);
const ingressGlbFwdRule = new gcp.compute.GlobalForwardingRule(
  `${env}-example-domain-ingress-glb-fwd-rule`,
  {
    target: ingressHttpsProxy.id,
    portRange: "443",
    ipAddress: ingressIP.address,
    ipProtocol: "TCP",
    loadBalancingScheme: "EXTERNAL",
  }
);
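As an added example that is not part of Owen C's answer: plain TypeScript (no Pulumi dependency, so it runs offline) that makes explicit the rules the program above relies on. It shows why both `*.foo-prod.exampledomain.com` and `foo-prod.exampledomain.com` have to be in the certificate (a wildcard SAN matches exactly one label, so neither the bare base domain nor a two-level subdomain is covered), builds the `//certificatemanager.googleapis.com/` URL the `certificateMap` field needs from the bare Certificate Manager id, and turns one exported `dnsResourceRecords` entry into the fully qualified Cloud DNS record set the authorization needs. The record name, target and project in the sample data are constructed placeholders, not real API output.

```typescript
// Lowercase a hostname and drop any trailing dot so comparisons are label-wise.
function normalizeHost(h: string): string {
  return h.trim().toLowerCase().replace(/\.$/, "");
}

// Domains list for a Google-managed wildcard certificate. A "*." wildcard
// matches exactly one label, so the base domain itself must be listed too
// (this is why the answer passes both `*.${domain}` and `domain`).
function managedCertDomains(base: string): string[] {
  const b = normalizeHost(base);
  if (b.startsWith("*.")) throw new Error("pass the base domain, not a wildcard");
  if (b.split(".").length < 2) throw new Error("base domain needs at least two labels");
  return [`*.${b}`, b];
}

// Does a certificate SAN (possibly a leading single-label wildcard) cover host?
// RFC 6125 rule: "*.x" matches "a.x" but neither "x" nor "a.b.x".
function hostMatchesCertDomain(certDomain: string, host: string): boolean {
  const c = normalizeHost(certDomain);
  const h = normalizeHost(host);
  if (!c.startsWith("*.")) return c === h;
  const suffix = c.slice(2);
  if (suffix.length === 0 || suffix.includes("*")) return false; // only one leading wildcard label
  if (!h.endsWith("." + suffix)) return false;
  const leftmost = h.slice(0, h.length - suffix.length - 1);
  return leftmost.length > 0 && !leftmost.includes(".");
}

// Is host covered by at least one SAN of the certificate?
function coveredBy(domains: string[], host: string): boolean {
  return domains.some((d) => hostMatchesCertDomain(d, host));
}

// TargetHttpsProxy.certificateMap wants a full resource URL, not the bare
// "projects/.../certificateMaps/..." id that Pulumi exposes as certMap.id.
const CERT_MANAGER_PREFIX = "//certificatemanager.googleapis.com/";
function certificateMapRef(certMapId: string): string {
  if (certMapId.startsWith(CERT_MANAGER_PREFIX)) return certMapId;
  if (!/^projects\/[^/]+\/locations\/[^/]+\/certificateMaps\/[^/]+$/.test(certMapId)) {
    throw new Error(`not a certificate map id: ${certMapId}`);
  }
  return CERT_MANAGER_PREFIX + certMapId;
}

// One element of DnsAuthorization.dnsResourceRecords as the answer exports it.
interface DnsResourceRecord { name: string; type: string; data: string; }
// The fields a Cloud DNS record set needs (what gcp.dns.RecordSet takes).
interface RecordSetSpec { name: string; type: string; ttl: number; rrdatas: string[]; }

// Turn the exported authorization record into a Cloud DNS record set spec.
// Cloud DNS record names and CNAME targets must be fully qualified (trailing dot).
function dnsAuthRecordSet(rec: DnsResourceRecord, ttl = 300): RecordSetSpec {
  const fqdn = (s: string): string => (s.endsWith(".") ? s : s + ".");
  return { name: fqdn(rec.name), type: rec.type.toUpperCase(), ttl, rrdatas: [fqdn(rec.data)] };
}

// Constructed sample input (not real API output) tying the pieces together.
const sampleDomains = managedCertDomains("foo-prod.exampledomain.com");
const sampleRecord: DnsResourceRecord = {
  name: "_acme-challenge.foo-prod.exampledomain.com", // hypothetical
  type: "CNAME",
  data: "abcd1234.4.authorize.certificatemanager.goog", // hypothetical
};
const sampleRecordSet = dnsAuthRecordSet(sampleRecord);
const sampleProxyRef = certificateMapRef(
  "projects/my-project/locations/global/certificateMaps/prod-ingress-cert-map-abc123" // hypothetical
);
```

Running `coveredBy(sampleDomains, host)` against the hostnames you intend to serve before `pulumi up` catches the common mistake of expecting `*.foo-prod.exampledomain.com` to also cover `foo-prod.exampledomain.com` or `a.b.foo-prod.exampledomain.com`; the record-set helper is the shape you would feed to `gcp.dns.RecordSet` in the zone that owns the base domain.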