# google-cloud
i
Hi, I created a static web site on GCP with the template static-website-gcp-typescript and now I want to secure the HttpProxy with SSL. I found this doc (https://www.pulumi.com/registry/packages/gcp/api-docs/compute/sslcertificate) with an "SSL Certificate Target Https Proxies" section but it's empty (coming soon!). Do you know when this config will be available, and would you have an example? Thanks a lot.
m
Hi there 👋 I’m not sure about this particular example, but if you’re looking for a potential reference, you might want to check out the Google Cloud Static Website component. It uses a `ManagedSSLCertificate`, so not exactly the same thing as what you linked, but perhaps useful to refer to: https://www.pulumi.com/registry/packages/google-cloud-static-website/
If you have a Google-managed domain, you might be able to copy a bunch of this code verbatim — here’s the line that uses that domain if you provide one, and then uses it to create a managed SSL cert: https://github.com/pulumi/pulumi-google-cloud-static-website/blob/main/provider/cmd/pulumi-resource-google-cloud-static-website/website.ts#L118
Hope it helps, and thanks for asking!
r
Hey @incalculable-flag-48574 Slightly late to the party here. I saw your question and it piqued my interest around the use case with the GCP Classic Provider. I have since created a working example that uses the GCP Static Hosting option, with a Google Managed SSL Certificate and Target Https Proxies. Now, while it doesn’t use “Custom, User Provided SSL Certs” (in my example), I am hoping it might help a little bit if you are just trying to get HTTPS working on a Static Site. You will of course need a domain that you can manage the DNS for. This example heavily leverages the already existing static site Template and the work listed above by @miniature-musician-31262. I have raised a PR here to add the example to the repo should the Pulumi team see it as valuable: https://github.com/pulumi/examples/pull/1291 If you need a specific example with your own SSL certs, maybe I can work that out for you also? In addition, I have made a note to try and make a PR to update the docs where it says Coming Soon and provide some examples when I have time. Let me know if this is helpful. For FYI: @brash-alligator-49865
i
Hi, @refined-pilot-45584 @miniature-musician-31262 thanks for your help. Here is tested code for creating an SSL certificate resource for an HttpsProxy when you have an SSL certificate on your side. Don't forget that GCP only supports 2048 RSA certs.
```typescript
import * as fs from "fs";
import * as gcp from "@pulumi/gcp";

// urlMap and ip are the resources already defined by the static-website-gcp-typescript template.

// Create SSL certificate resource
const myCertificate = new gcp.compute.SSLCertificate("defaultSSLCertificat", {
    namePrefix: "my-domain-",
    description: "certificates ressource for my-domain",
    privateKey: fs.readFileSync("/PATH/TO/privkey.pem", "utf8"),
    certificate: fs.readFileSync("/PATH/TO/fullchaincert.pem", "utf8"),
});

// Create an HTTPS proxy to route requests to the URLMap.
const httpsProxy = new gcp.compute.TargetHttpsProxy("https-proxy", {
    urlMap: urlMap.selfLink,
    sslCertificates: [myCertificate.id],
});

// Create a GlobalForwardingRule rule to route requests to the HTTPS proxy.
const httpsForwardingRule = new gcp.compute.GlobalForwardingRule("https-forwarding-rule", {
    ipAddress: ip.address,
    ipProtocol: "TCP",
    portRange: "443",
    target: httpsProxy.selfLink,
});
```
But after that, as I have access to the DNS manager, I also tested a ManagedSSLCertificate resource using these two how-tos: https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth https://blog.searce.com/gcp-certificate-manager-dns-authorization-4c582b4b8a20 Even if there is some scripting to configure DNS authorization and ManagedSSLCertificate, I think it's a better way as the certificate is self-renewed. Here is the code; "dns-auth-cert" is the name of the ManagedSSLCertificate resource created with "$ gcloud certificate-manager certificates create dns-auth-cert":
```typescript
// Managed certificate resource for the site's domains
const myCertificate = new gcp.compute.ManagedSslCertificate("dns-auth-cert", {
    managed: {
        domains: ['www.my.domain', 'my.domain']
    }
});
```
Also, I defined another httpProxy to redirect every HTTP request to the httpsProxy:
```typescript
// Create HTTP to HTTPS redirect
const urlMapRedirect = new gcp.compute.URLMap("url-map-redirect", {
    defaultUrlRedirect: {
        stripQuery: false,
        httpsRedirect: true,
    }
});

// HTTP proxy whose only job is to serve the redirect URL map.
const httpProxy = new gcp.compute.TargetHttpProxy("http-proxy", {
    urlMap: urlMapRedirect.selfLink,
});

// Listen on port 80 of the same IP address and hand requests to the redirect proxy.
const httpForwardingRule = new gcp.compute.GlobalForwardingRule("http-forwarding-rule", {
    target: httpProxy.selfLink,
    ipAddress: ip.address,
    ipProtocol: "TCP",
    portRange: "80",
//    loadBalancingScheme: 'EXTERNAL', // default
});
```
All works fine, I can give you the complete sample if needed. PS. This static HTTP serverless sample is the frontend of a one-page JS app that needs to call a REST API for backend storage. I am trying to configure this backend with GC Functions (https://www.pulumi.com/blog/simple-serverless-programming-with-google-cloud-functions-and-pulumi/) but that doesn't work for now. If you can help me, let me know ;-)
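A pre-flight check for the self-managed certificate variant above, as an added example that is not part of the thread or of Pulumi's code: it validates the PEM files before they are handed to `gcp.compute.SSLCertificate`, so a wrong key type or size, or a key that does not belong to the certificate, fails locally instead of at deploy time. The function names are hypothetical, and the RSA-2048 requirement is taken from the post above as an assumption.

```typescript
import { createPrivateKey, generateKeyPairSync, KeyObject, X509Certificate } from "node:crypto";

// Returns a list of problems; an empty list means every check passed.
// Assumption: the only accepted key is RSA-2048, as stated in the post above.
function checkCertPair(privateKeyPem: string, certPem?: string): string[] {
  const problems: string[] = [];
  let key: KeyObject;
  try {
    key = createPrivateKey(privateKeyPem); // throws on garbage or a passphrase-protected key
  } catch (err) {
    return [`private key not readable: ${(err as Error).message}`];
  }
  if (key.asymmetricKeyType !== "rsa") {
    problems.push(`key type is ${key.asymmetricKeyType}, expected rsa`);
  } else if (key.asymmetricKeyDetails?.modulusLength !== 2048) {
    problems.push(`RSA modulus is ${key.asymmetricKeyDetails?.modulusLength} bits, expected 2048`);
  }
  if (certPem !== undefined) {
    try {
      // In a full-chain PEM the leaf certificate comes first; that is the one checked here.
      const leaf = new X509Certificate(certPem);
      if (!leaf.checkPrivateKey(key)) problems.push("certificate does not match private key");
    } catch (err) {
      problems.push(`certificate not readable: ${(err as Error).message}`);
    }
  }
  return problems;
}

// Constructed sample input: throwaway keys generated in memory, never written to disk.
function sampleRsaKey(bits: number): string {
  return generateKeyPairSync("rsa", {
    modulusLength: bits,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  }).privateKey;
}

function sampleEcKey(): string {
  return generateKeyPairSync("ec", {
    namedCurve: "prime256v1",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  }).privateKey;
}

console.log(checkCertPair(sampleRsaKey(2048)));
```

In a Pulumi program the two strings read with `fs.readFileSync` would be passed to `checkCertPair` first, and the deployment aborted if the returned list is not empty.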