Contact UsGet started

Terminating TLS connections using Terraform

Written by
Updated at May 7, 2025

To create the infrastructure for terminating TLS connections using Terraform:

  1. Prepare your cloud.
  2. Create an infrastructure.
  3. Test the hosting.

We will use the my-site.com domain name as an example.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The cost of supporting the infrastructure for terminating TLS connections includes:

Create an infrastructure

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or mirror website.

To create an infrastructure using Terraform:

  1. Install Terraform, get the authentication credentials, and specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).

  2. Prepare files with the infrastructure description:

    1. Clone the repository with configuration files.

      git clone https://github.com/yandex-cloud-examples/yc-alb-tls-termination.git

    2. Go to the directory with the repository. Make sure it contains the following files:

      • tls-termination-config.tf: Configuration of the infrastructure you create.
      • tls-terminationg.auto.tfvars: User data file.
    1. Create a directory for configuration files.
    2. In the directory, create:

      1. tls-termination-config.tf configuration file:

        tls-termination-config.tf
        # Declaring variables with sensitive data

variable "folder_id" {
  type = string
}

variable "vm_user" {
  type = string
}

variable "ssh_key_path" {
  type = string
}

variable "domain" {
  type = string
}

variable "certificate" {
  type = string
}

variable "private_key" {
  type = string
}

# Declaring other variables

locals {
  sa_name          = "ig-sa"
  network_name     = "network-1"
  subnet_name_a    = "subnet-a"
  subnet_name_b    = "subnet-b"
  sg_name_balancer = "sg-balancer"
  sg_name_vms      = "sg-vms"
  cert_name        = "imported-cert"
  site_ig_name     = "site-ig"
  alb_bg_name      = "alb-bg"
  alb_host_name    = "alb-host"
  alb_router_name  = "alb-router"
  alb_name         = "alb"
  alb_zone_name    = "alb-zone"
}

# Configuring a provider

terraform {
  required_providers {
    yandex = {
      source  = "yandex-cloud/yandex"
      version = ">= 0.47.0"
    }
  }
}

provider "yandex" {
  folder_id = var.folder_id
}

# Creating a service account for an instance group

resource "yandex_iam_service_account" "ig-sa" {
  name        = local.sa_name
  description = "service account to manage IG"
}

resource "yandex_resourcemanager_folder_iam_member" "editor" {
  folder_id = var.folder_id
  role      = "editor"
  member    = "serviceAccount:${yandex_iam_service_account.ig-sa.id}"
}

# Creating a cloud network

resource "yandex_vpc_network" "network-1" {
  name = local.network_name
}

resource "yandex_vpc_subnet" "subnet-a" {
  name           = local.subnet_name_a
  zone           = "ru-central1-a"
  v4_cidr_blocks = ["192.168.1.0/24"]
  network_id     = yandex_vpc_network.network-1.id
}

resource "yandex_vpc_subnet" "subnet-b" {
  name           = local.subnet_name_b
  zone           = "ru-central1-b"
  v4_cidr_blocks = ["192.168.2.0/24"]
  network_id     = yandex_vpc_network.network-1.id
}

# Creating a static public IP address

resource "yandex_vpc_address" "stat_address" {
  name = "alb-static-address"
  external_ipv4_address {
    zone_id = "ru-central1-a"
  }
}

# Creating security groups

resource "yandex_vpc_security_group" "sg-balancer" {
  name        = local.sg_name_balancer
  network_id  = yandex_vpc_network.network-1.id

  egress {
    protocol       = "ANY"
    description    = "any"
    v4_cidr_blocks = ["0.0.0.0/0"]
    from_port = 0
    to_port = 65535
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-http"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 80
  }

  ingress {
    protocol       = "TCP"
    description    = "ext-https"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 443
  }

  ingress {
    protocol          = "TCP"
    description       = "healthchecks"
    predefined_target = "loadbalancer_healthchecks"
    port              = 30080
 }
}

resource "yandex_vpc_security_group" "sg-vms" {
  name        = local.sg_name_vms
  network_id  = yandex_vpc_network.network-1.id

  ingress {
    protocol          = "TCP"
    description       = "balancer"
    security_group_id = yandex_vpc_security_group.sg-balancer.id
    port              = 80
    }

  ingress {
    protocol       = "TCP"
    description    = "ssh"
    v4_cidr_blocks = ["0.0.0.0/0"]
    port           = 22
  }
}

# Importing the website’s TLS certificate

resource "yandex_cm_certificate" "imported-cert" {
  name    = local.cert_name

  self_managed {
    certificate = "${file("${var.certificate}")}"
    private_key = "${file("${var.private_key}")}"
  }
}

# Creating an instance group for a website

resource "yandex_compute_image" "lemp-image" {
  source_family = "lemp"
}

resource "yandex_compute_instance_group" "site-ig" {
  name                = local.site_ig_name
  folder_id           = var.folder_id
  service_account_id  = "${yandex_iam_service_account.ig-sa.id}"
  instance_template {
    platform_id = "standard-v2"
    resources {
      memory        = 1
      cores         = 2
      core_fraction = 5
    }

    boot_disk {
      mode = "READ_WRITE"
      initialize_params {
        image_id = yandex_compute_image.lemp-image.id
      }
    }

    network_interface {
      network_id         = yandex_vpc_network.network-1.id
      subnet_ids         = [yandex_vpc_subnet.subnet-a.id,yandex_vpc_subnet.subnet-b.id]
      security_group_ids = [yandex_vpc_security_group.sg-vms.id]
      nat                = true
    }

    metadata = {
      user-data = "#cloud-config\nusers:\n  - name: ${var.vm_user}\n    groups: sudo\n    shell: /bin/bash\n    sudo: 'ALL=(ALL) NOPASSWD:ALL'\n    ssh_authorized_keys:\n      - ${file("${var.ssh_key_path}")}"
    }
  }

  scale_policy {
    fixed_scale {
      size = 2
    }
  }

  allocation_policy {
    zones = ["ru-central1-a","ru-central1-b"]
  }

  deploy_policy {
    max_unavailable = 1
    max_expansion   = 0
  }

  application_load_balancer {
    target_group_name        = "alb-tg"
  }
}

# Creating a backend group

resource "yandex_alb_backend_group" "alb-bg" {
  name                     = local.alb_bg_name

  http_backend {
    name                   = "alb-backend"
    weight                 = 1
    port                   = 80
    target_group_ids       = [yandex_compute_instance_group.site-ig.application_load_balancer[0].target_group_id]
    healthcheck {
      timeout              = "10s"
      interval             = "2s"
      healthcheck_port     = 80
      http_healthcheck {
        path               = "/"
      }
    }
  }
}

# Creating an HTTP router

resource "yandex_alb_http_router" "alb-router" {
  name          = local.alb_router_name
}

resource "yandex_alb_virtual_host" "alb-host" {
  name                    = local.alb_host_name
  authority               = ["${var.domain}"]
  http_router_id          = yandex_alb_http_router.alb-router.id
  route {
    name                  = "alb-route"
    http_route {
      http_route_action {
        backend_group_id  = yandex_alb_backend_group.alb-bg.id
        timeout           = "60s"
      }
    }
  }
}    

# Creating an L7 load balancer

resource "yandex_alb_load_balancer" "alb" {
  name        = local.alb_name
  network_id  = yandex_vpc_network.network-1.id
  security_group_ids = [yandex_vpc_security_group.sg-balancer.id]

  allocation_policy {
    location {
      zone_id   = "ru-central1-a"
      subnet_id = yandex_vpc_subnet.subnet-a.id
    }
    location {
      zone_id   = "ru-central1-b"
      subnet_id = yandex_vpc_subnet.subnet-b.id
    }
  }

  listener {
    name = "list-http"
    endpoint {
      address {
        external_ipv4_address {
          address = yandex_vpc_address.stat_address.external_ipv4_address[0].address
        }
      }
    ports = [ 80 ]
    }
    http {
      redirects {
        http_to_https = true
      }
    }
  }

  listener {
    name = "listener-http"
    endpoint {
      address {
        external_ipv4_address {
          address = yandex_vpc_address.stat_address.external_ipv4_address[0].address
        }
      }
      ports = [ 443 ]
    }
    tls {
      default_handler {
        http_handler {
          http_router_id = yandex_alb_http_router.alb-router.id
        }
        certificate_ids = [yandex_cm_certificate.imported-cert.id]
      }
      sni_handler {
        name         = "mysite-sni"
        server_names = ["${var.domain}"]
        handler {
          http_handler {
            http_router_id = yandex_alb_http_router.alb-router.id
          }
          certificate_ids = [yandex_cm_certificate.imported-cert.id]
        }
      }
    }
  }
}

# Creating a DNS zone

resource "yandex_dns_zone" "alb-zone" {
  name        = local.alb_zone_name
  description = "Public zone"
  zone        = "${var.domain}."
  public      = true
}

# Creating a DNS zone resource record

resource "yandex_dns_recordset" "alb-record" {
  zone_id = yandex_dns_zone.alb-zone.id
  name    = "${var.domain}."
  ttl     = 600
  type    = "A"
  data    = [yandex_alb_load_balancer.alb.listener[0].endpoint[0].address[0].external_ipv4_address[0].address]
}

      2. tls-termination.auto.tfvars user data file:

        tls-termination.auto.tfvars
        folder_id    = "<folder_ID>"
vm_user      = "<VM_user_name>"
ssh_key_path = "<path_to_public_SSH_key>"
domain       = "<domain>"
certificate  = "<path_to_certificate_file>"
private_key  = "<path_to_file_with_private_key"

    For more information about the parameters of resources used in Terraform, see the provider documentation:

  3. In the tls-termination.auto.tfvars file, set the user-defined parameters:

    • folder_id: Folder ID.
    • vm_user: VM username.
    • ssh_key_path: Path to the file with the public SSH key. For more information, see Creating an SSH key pair.
    • domain: Domain to host the site.
      To get access to public zone domain names, you need to delegate the domain. Specify the addresses of the ns1.yandexcloud.net and ns2.yandexcloud.net servers in your personal dashboard at your registrar.
    • certificate: Path to the file with the user certificate.
    • private_key: Path to the file with the user certificate's private key.

  4. Create resources:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

  5. Get the public IP addresses: you will need them later to test the hosting.

After creating the infrastructure, test the hosting.

Test the hosting

To test the hosting:

  1. Create the website home page, i.e., the index.html file.

    Example of the index.html file
    <!DOCTYPE html>
<html>
  <head>
    <title>My site</title>
  </head>
  <body>
    <h1>This is my site</h1>
  </body>
</html>

  2. Upload the index.html file to each VM:

    1. Go to the VM page in the management console. In the Network section, find the VM's public IP address.

    2. Connect to the VM over SSH.

    3. Grant your user write permissions for the /var/www/html directory:

      sudo chown -R "$USER":www-data /var/www/html

      sudo chown -R "$USER":apache /var/www/html

    4. Upload the website files to the VM via SCP.

      Use the scp command line utility:

      scp -r <path_to_directory_with_files> <VM_user_name>@<VM_IP_address>:/var/www/html

      Use WinSCP to copy the local file directory to /var/www/html on the VM.

  3. Open the website at http://my-site.com in your browser. A redirect to https://my-site.com should occur with the TLS certificate from Certificate Manager already enabled.

How to delete the resources you created

To stop paying for the resources you created:

  1. Open the tls-termination-config.tf configuration file and delete from it the description of the infrastructure you created.

  2. Apply the changes:

    1. In the terminal, change to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using the command:

      terraform validate

      If the configuration is correct, the following message is returned:

      Success! The configuration is valid.

    3. Run the command:

      terraform plan

      The terminal will display a list of resources with parameters. No changes are made at this step. If the configuration contains errors, Terraform will point them out.

    4. Apply the configuration changes:

      terraform apply

    5. Confirm the changes: type yes in the terminal and press Enter.

See also

Previous
Management console
Next
Overview