From fad682c10055bb74bc78fc50857aff8d5aaee066 Mon Sep 17 00:00:00 2001
From: Gus Brodman <gbrodman@google.com>
Date: Tue, 3 Mar 2026 16:29:52 -0500
Subject: [PATCH] Remove whois networking from the proxy

---
 proxy/terraform/example_config.tf             |   3 -
 proxy/terraform/modules/networking.tf         |   2 -
 proxy/terraform/modules/networking/dns.tf     |  16 --
 .../modules/networking/loadbalancer.tf        | 149 ------------------
 .../terraform/modules/networking/variables.tf |  10 --
 proxy/terraform/modules/variables.tf          |  19 +--
 proxy/terraform/update_named_ports.sh         |   5 +-
 7 files changed, 3 insertions(+), 201 deletions(-)

diff --git a/proxy/terraform/example_config.tf b/proxy/terraform/example_config.tf
index a08247f6332..5f672028279 100644
--- a/proxy/terraform/example_config.tf
+++ b/proxy/terraform/example_config.tf
@@ -12,7 +12,4 @@ module "proxy" {
   gcr_project_name         = "YOUR_GCR_PROJECT"
   proxy_domain_name        = "YOUR_PROXY_DOMAIN"
   proxy_certificate_bucket = "YOUR_CERTIFICATE_BUCKET"
-
-  # Uncomment to disable forwarding of whois HTTP interfaces.
-  # public_web_whois         = 0
 }
diff --git a/proxy/terraform/modules/networking.tf b/proxy/terraform/modules/networking.tf
index b40d17169b8..151ba7929e7 100644
--- a/proxy/terraform/modules/networking.tf
+++ b/proxy/terraform/modules/networking.tf
@@ -9,7 +9,6 @@ module "proxy_networking" {
   proxy_ports           = var.proxy_ports
   proxy_domain          = google_dns_managed_zone.proxy_domain.name
   proxy_domain_name     = google_dns_managed_zone.proxy_domain.dns_name
-  public_web_whois      = var.public_web_whois
 }
 
 module "proxy_networking_canary" {
@@ -19,5 +18,4 @@ module "proxy_networking_canary" {
   proxy_ports           = var.proxy_ports_canary
   proxy_domain          = google_dns_managed_zone.proxy_domain.name
   proxy_domain_name     = google_dns_managed_zone.proxy_domain.dns_name
-  public_web_whois      = var.public_web_whois
 }
diff --git a/proxy/terraform/modules/networking/dns.tf b/proxy/terraform/modules/networking/dns.tf
index 48ac6e9f336..18ca00f93e9 100644
--- a/proxy/terraform/modules/networking/dns.tf
+++ b/proxy/terraform/modules/networking/dns.tf
@@ -13,19 +13,3 @@ resource "google_dns_record_set" "proxy_epp_aaaa_record" {
   managed_zone = var.proxy_domain
   rrdatas      = [google_compute_global_address.proxy_ipv6_address.address]
 }
-
-resource "google_dns_record_set" "proxy_whois_a_record" {
-  name         = "whois${var.suffix}.${var.proxy_domain_name}"
-  type         = "A"
-  ttl          = 300
-  managed_zone = var.proxy_domain
-  rrdatas      = [google_compute_global_address.proxy_ipv4_address.address]
-}
-
-resource "google_dns_record_set" "proxy_whois_aaaa_record" {
-  name         = "whois${var.suffix}.${var.proxy_domain_name}"
-  type         = "AAAA"
-  ttl          = 300
-  managed_zone = var.proxy_domain
-  rrdatas      = [google_compute_global_address.proxy_ipv6_address.address]
-}
diff --git a/proxy/terraform/modules/networking/loadbalancer.tf b/proxy/terraform/modules/networking/loadbalancer.tf
index f43c8b56b12..3d63842956c 100644
--- a/proxy/terraform/modules/networking/loadbalancer.tf
+++ b/proxy/terraform/modules/networking/loadbalancer.tf
@@ -17,10 +17,7 @@ resource "google_compute_firewall" "proxy_firewall" {
 
     ports = [
       var.proxy_ports["epp"],
-      var.proxy_ports["whois"],
       var.proxy_ports["health_check"],
-      var.proxy_ports["http-whois"],
-      var.proxy_ports["https-whois"],
     ]
   }
 
@@ -44,21 +41,6 @@ resource "google_compute_health_check" "proxy_health_check" {
   }
 }
 
-resource "google_compute_health_check" "proxy_http_health_check" {
-  name = "proxy-http-health-check${var.suffix}"
-
-  http_health_check {
-    host         = "health-check.invalid"
-    port         = var.proxy_ports["http-whois"]
-    request_path = "/"
-  }
-}
-
-resource "google_compute_url_map" "proxy_url_map" {
-  name            = "proxy-url-map${var.suffix}"
-  default_service = google_compute_backend_service.http_whois_backend_service.self_link
-}
-
 resource "google_compute_backend_service" "epp_backend_service" {
   name        = "epp-backend-service${var.suffix}"
   protocol    = "TCP"
@@ -82,97 +64,12 @@ resource "google_compute_backend_service" "epp_backend_service" {
   ]
 }
 
-resource "google_compute_backend_service" "whois_backend_service" {
-  name        = "whois-backend-service${var.suffix}"
-  protocol    = "TCP"
-  timeout_sec = 60
-  port_name   = "whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_health_check.self_link,
-  ]
-}
-
-resource "google_compute_backend_service" "https_whois_backend_service" {
-  name        = "https-whois-backend-service${var.suffix}"
-  protocol    = "TCP"
-  timeout_sec = 60
-  port_name   = "https-whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_health_check.self_link,
-  ]
-}
-
-resource "google_compute_backend_service" "http_whois_backend_service" {
-  name        = "http-whois-backend-service${var.suffix}"
-  protocol    = "HTTP"
-  timeout_sec = 60
-  port_name   = "http-whois${var.suffix}"
-
-  backend {
-    group = var.proxy_instance_groups["americas"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["emea"]
-  }
-
-  backend {
-    group = var.proxy_instance_groups["apac"]
-  }
-
-  health_checks = [
-    google_compute_health_check.proxy_http_health_check.self_link,
-  ]
-}
-
 resource "google_compute_target_tcp_proxy" "epp_tcp_proxy" {
   name            = "epp-tcp-proxy${var.suffix}"
   proxy_header    = "PROXY_V1"
   backend_service = google_compute_backend_service.epp_backend_service.self_link
 }
 
-resource "google_compute_target_tcp_proxy" "whois_tcp_proxy" {
-  name            = "whois-tcp-proxy${var.suffix}"
-  proxy_header    = "PROXY_V1"
-  backend_service = google_compute_backend_service.whois_backend_service.self_link
-}
-
-resource "google_compute_target_tcp_proxy" "https_whois_tcp_proxy" {
-  name            = "https-whois-tcp-proxy${var.suffix}"
-  backend_service = google_compute_backend_service.https_whois_backend_service.self_link
-}
-
-resource "google_compute_target_http_proxy" "http_whois_http_proxy" {
-  name    = "http-whois-tcp-proxy${var.suffix}"
-  url_map = google_compute_url_map.proxy_url_map.self_link
-}
-
 resource "google_compute_global_forwarding_rule" "epp_ipv4_forwarding_rule" {
   name       = "epp-ipv4-forwarding-rule${var.suffix}"
   ip_address = google_compute_global_address.proxy_ipv4_address.address
@@ -186,49 +83,3 @@ resource "google_compute_global_forwarding_rule" "epp_ipv6_forwarding_rule" {
   target     = google_compute_target_tcp_proxy.epp_tcp_proxy.self_link
   port_range = "700"
 }
-
-resource "google_compute_global_forwarding_rule" "whois_ipv4_forwarding_rule" {
-  name       = "whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_tcp_proxy.whois_tcp_proxy.self_link
-  port_range = "43"
-}
-
-resource "google_compute_global_forwarding_rule" "whois_ipv6_forwarding_rule" {
-  name       = "whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_tcp_proxy.whois_tcp_proxy.self_link
-  port_range = "43"
-}
-
-resource "google_compute_global_forwarding_rule" "https_whois_ipv4_forwarding_rule" {
-  name       = "https-whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_tcp_proxy.https_whois_tcp_proxy.self_link
-  port_range = "443"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "https_whois_ipv6_forwarding_rule" {
-  name       = "https-whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_tcp_proxy.https_whois_tcp_proxy.self_link
-  port_range = "443"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "http_whois_ipv4_forwarding_rule" {
-  name       = "http-whois-ipv4-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv4_address.address
-  target     = google_compute_target_http_proxy.http_whois_http_proxy.self_link
-  port_range = "80"
-  count      = var.public_web_whois
-}
-
-resource "google_compute_global_forwarding_rule" "http_whois_ipv6_forwarding_rule" {
-  name       = "http-whois-ipv6-forwarding-rule${var.suffix}"
-  ip_address = google_compute_global_address.proxy_ipv6_address.address
-  target     = google_compute_target_http_proxy.http_whois_http_proxy.self_link
-  port_range = "80"
-  count      = var.public_web_whois
-}
diff --git a/proxy/terraform/modules/networking/variables.tf b/proxy/terraform/modules/networking/variables.tf
index bb20e3e73d1..d4b54c13934 100644
--- a/proxy/terraform/modules/networking/variables.tf
+++ b/proxy/terraform/modules/networking/variables.tf
@@ -20,13 +20,3 @@ variable "proxy_domain" {
 variable "proxy_domain_name" {
   description = "Domain name of the zone."
 }
-
-variable "public_web_whois" {
-  type        = number
-  description = <<EOF
-    Set to 1 if the whois HTTP ports are external, 0 if not.  This is necessary
-    because our test projects are configured with
-    constraints/compute.restrictLoadBalancerCreationForTypes, which prohibits
-    forwarding external HTTP(s) connections.
-    EOF
-}
diff --git a/proxy/terraform/modules/variables.tf b/proxy/terraform/modules/variables.tf
index 5d23d462c67..fa1cf87febe 100644
--- a/proxy/terraform/modules/variables.tf
+++ b/proxy/terraform/modules/variables.tf
@@ -8,7 +8,7 @@ variable "gcr_project_name" {
 
 variable "proxy_domain_name" {
   description = <<EOF
-    The base domain name of the proxy, without the whois. or epp. part.
+    The base domain name of the proxy, without the epp. part.
     EOF
 }
 
@@ -35,10 +35,7 @@ variable "proxy_ports" {
 
   default = {
     health_check = 30000
-    whois        = 30001
     epp          = 30002
-    http-whois   = 30010
-    https-whois  = 30011
   }
 }
 
@@ -48,20 +45,6 @@ variable "proxy_ports_canary" {
 
   default = {
     health_check = 31000
-    whois        = 31001
     epp          = 31002
-    http-whois   = 31010
-    https-whois  = 31011
   }
 }
-
-variable "public_web_whois" {
-  type        = number
-  default     = 1
-  description = <<EOF
-    Set to 1 if the whois HTTP ports are external, 0 if not.  This is necessary
-    because our test projects are configured with
-    constraints/compute.restrictLoadBalancerCreationForTypes, which prohibits
-    forwarding external HTTP(s) connections.
-    EOF
-}
diff --git a/proxy/terraform/update_named_ports.sh b/proxy/terraform/update_named_ports.sh
index f24e869cb31..601c04b0f3e 100755
--- a/proxy/terraform/update_named_ports.sh
+++ b/proxy/terraform/update_named_ports.sh
@@ -18,9 +18,8 @@
 # the project, zone and instance group names, and then call gcloud to add the
 # named ports.
 
-PROD_PORTS="whois:30001,epp:30002,http-whois:30010,https-whois:30011"
-CANARY_PORTS="whois-canary:31001,epp-canary:31002,"\
-"http-whois-canary:31010,https-whois-canary:31011"
+PROD_PORTS="epp:30002"
+CANARY_PORTS="epp-canary:31002"
 
 while read line
 do