Adjusting second region for on-prem-in-a-box for testing more use cases
This commit is contained in:
parent
5baed553aa
commit
2c71835965
|
@ -64,13 +64,13 @@ module "on-prem" {
|
||||||
|
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string })">object({...})</code> | ✓ | |
|
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string peer_ip2 = string shared_secret2 = string })">object({...})</code> | ✓ | |
|
||||||
| *config_variables* | Additional variables used to render the cloud-config and CoreDNS templates. | <code title="map(any)">map(any)</code> | | <code title="">{}</code> |
|
| *config_variables* | Additional variables used to render the cloud-config and CoreDNS templates. | <code title="map(any)">map(any)</code> | | <code title="">{}</code> |
|
||||||
| *coredns_config* | CoreDNS configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
|
| *coredns_config* | CoreDNS configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
|
||||||
| *local_ip_cidr_range* | IP CIDR range used for the Docker onprem network. | <code title="">string</code> | | <code title="">192.168.192.0/24</code> |
|
| *local_ip_cidr_range* | IP CIDR range used for the Docker onprem network. | <code title="">string</code> | | <code title="">192.168.192.0/24</code> |
|
||||||
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({...})</code> | | <code title="">null</code> |
|
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({...})</code> | | <code title="">null</code> |
|
||||||
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({...})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">...</code> |
|
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({...})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">...</code> |
|
||||||
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string })">object({...})</code> | | <code title="{ local_bgp_asn = 65002 local_bgp_address = "169.254.0.2" peer_bgp_asn = 65001 peer_bgp_address = "169.254.0.1" }">...</code> |
|
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string local_bgp_asn2 = number local_bgp_address2 = string peer_bgp_asn2 = number peer_bgp_address2 = string })">object({...})</code> | | <code title="{ local_bgp_asn = 64514 local_bgp_address = "169.254.1.2" peer_bgp_asn = 64513 peer_bgp_address = "169.254.1.1" local_bgp_asn2 = 64514 local_bgp_address2 = "169.254.2.2" peer_bgp_asn2 = 64520 peer_bgp_address2 = "169.254.2.1" }">...</code> |
|
||||||
| *vpn_static_ranges* | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code title="list(string)">list(string)</code> | | <code title="">["10.0.0.0/8"]</code> |
|
| *vpn_static_ranges* | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code title="list(string)">list(string)</code> | | <code title="">["10.0.0.0/8"]</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
|
|
@ -172,7 +172,8 @@ write_files:
|
||||||
owner: root:root
|
owner: root:root
|
||||||
permissions: '0600'
|
permissions: '0600'
|
||||||
content: |
|
content: |
|
||||||
: PSK "${vpn_config.shared_secret}"
|
${vpn_config.peer_ip} : PSK "${vpn_config.shared_secret}"
|
||||||
|
${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"
|
||||||
|
|
||||||
# IPSEC tunnel configuration
|
# IPSEC tunnel configuration
|
||||||
- path: /var/lib/docker-compose/onprem/ipsec/ipsec.conf
|
- path: /var/lib/docker-compose/onprem/ipsec/ipsec.conf
|
||||||
|
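Review bot: The new `${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"` entry is rendered unconditionally, so a caller that passes an empty `peer_ip2` to get a single-tunnel setup ends up with a selector-less `: PSK ""` line, which strongSwan treats as a default secret that applies to any peer. Guarding the line with `%{~ if vpn_config.peer_ip2 != "" ~}` … `%{~ endif ~}` keeps the secrets file scoped to the peers that are actually configured; the second `conn` block in the next hunk needs the same guard. Replacing the previous bare `: PSK` entry with a peer-scoped one is a good change on its own. The `write_files` entry for this file starts outside the hunk.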
@ -216,6 +217,37 @@ write_files:
|
||||||
closeaction=restart
|
closeaction=restart
|
||||||
%{~ if vpn_config.type == "dynamic" ~}
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
mark=%unique
|
mark=%unique
|
||||||
|
%{~ endif ~}
|
||||||
|
|
||||||
|
conn gcp2
|
||||||
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
|
leftupdown="/var/lib/strongswan/ipsec-vti.sh 1 ${vpn_dynamic_config.peer_bgp_address2}/30 ${vpn_dynamic_config.local_bgp_address2}/30"
|
||||||
|
%{~ endif ~}
|
||||||
|
left=%any
|
||||||
|
leftid=%any
|
||||||
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
|
leftsubnet=0.0.0.0/0
|
||||||
|
%{~ else ~}
|
||||||
|
leftsubnet=${ip_cidr_ranges.local}
|
||||||
|
%{~ endif ~}
|
||||||
|
leftauth=psk
|
||||||
|
right=${vpn_config.peer_ip_wildcard2}
|
||||||
|
rightid=${vpn_config.peer_ip2}
|
||||||
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
|
rightsubnet=0.0.0.0/0
|
||||||
|
%{~ else ~}
|
||||||
|
rightsubnet=${ip_cidr_ranges.remote}
|
||||||
|
%{~ endif ~}
|
||||||
|
rightauth=psk
|
||||||
|
type=tunnel
|
||||||
|
auto=start
|
||||||
|
dpdaction=restart
|
||||||
|
closeaction=restart
|
||||||
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
|
mark=%unique
|
||||||
|
%{~ endif ~}
|
||||||
|
|
||||||
|
%{~ if vpn_config.type == "dynamic" ~}
|
||||||
|
|
||||||
# Charon configuration
|
# Charon configuration
|
||||||
- path: /var/lib/docker-compose/onprem/ipsec/vti.conf
|
- path: /var/lib/docker-compose/onprem/ipsec/vti.conf
|
||||||
|
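Review bot: The `conn gcp2` block is a line-for-line copy of `conn gcp` with a `2` suffix on every reference and the VTI index hard-coded to `1` (presumably `0` in the first block, which is outside the hunk); a `%{ for }` over a list of tunnels in the template would express this once and turn the VTI index into the loop index. As written, a third tunnel means another forty lines and a third set of `*3` attributes. The `%{~ endif ~}` added after `mark=%unique` and the `%{~ if vpn_config.type == "dynamic" ~}` re-opened at the end of the hunk pair with directives outside this hunk, so the template nesting is worth checking once with a rendered output before merging.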
@ -292,6 +324,10 @@ write_files:
|
||||||
local ${vpn_dynamic_config.local_bgp_address} as ${vpn_dynamic_config.local_bgp_asn};
|
local ${vpn_dynamic_config.local_bgp_address} as ${vpn_dynamic_config.local_bgp_asn};
|
||||||
neighbor ${vpn_dynamic_config.peer_bgp_address} as ${vpn_dynamic_config.peer_bgp_asn};
|
neighbor ${vpn_dynamic_config.peer_bgp_address} as ${vpn_dynamic_config.peer_bgp_asn};
|
||||||
}
|
}
|
||||||
|
protocol bgp gcp_vpc_a_tun2 from gcp_vpc_a {
|
||||||
|
local ${vpn_dynamic_config.local_bgp_address2} as ${vpn_dynamic_config.local_bgp_asn2};
|
||||||
|
neighbor ${vpn_dynamic_config.peer_bgp_address2} as ${vpn_dynamic_config.peer_bgp_asn2};
|
||||||
|
}
|
||||||
|
|
||||||
%{~ endif ~}
|
%{~ endif ~}
|
||||||
|
|
||||||
|
|
|
@ -38,6 +38,7 @@ locals {
|
||||||
dns = cidrhost(var.local_ip_cidr_range, 3)
|
dns = cidrhost(var.local_ip_cidr_range, 3)
|
||||||
www = cidrhost(var.local_ip_cidr_range, 4)
|
www = cidrhost(var.local_ip_cidr_range, 4)
|
||||||
shell = cidrhost(var.local_ip_cidr_range, 5)
|
shell = cidrhost(var.local_ip_cidr_range, 5)
|
||||||
|
vpn2 = cidrhost(var.local_ip_cidr_range, 6)
|
||||||
}
|
}
|
||||||
netblocks = local.netblocks
|
netblocks = local.netblocks
|
||||||
vpn_config = local.vpn_config
|
vpn_config = local.vpn_config
|
||||||
|
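Review bot: `vpn2 = cidrhost(var.local_ip_cidr_range, 6)` is not referenced by anything else in this commit; if the docker-compose or CoreDNS templates that consume these addresses live outside the diff and were updated to use it, a pointer in the commit message would help, otherwise it is a dead entry. A short comment such as `# address reserved for the second VPN endpoint` would also record what the slot is for, since the other entries (`dns`, `www`, `shell`) are self-describing and this one is not.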
@ -50,6 +51,7 @@ locals {
|
||||||
)
|
)
|
||||||
vpn_config = merge(var.vpn_config, {
|
vpn_config = merge(var.vpn_config, {
|
||||||
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
|
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
|
||||||
|
peer_ip_wildcard2 = "%${var.vpn_config.peer_ip2}"
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -38,6 +38,8 @@ variable "vpn_config" {
|
||||||
peer_ip = string
|
peer_ip = string
|
||||||
shared_secret = string
|
shared_secret = string
|
||||||
type = string
|
type = string
|
||||||
|
peer_ip2 = string
|
||||||
|
shared_secret2 = string
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
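Review bot: `peer_ip2` and `shared_secret2` are added to the `vpn_config` object type as mandatory attributes, so every existing caller of this module that passes a single-tunnel object now fails type checking, and a single tunnel can only be expressed by passing empty strings. With the `>= 0.12.6` constraint `optional()` attributes are not available, so the alternatives are a separate tunnels-style map or list variable defaulting to one entry that the templates iterate over, or at minimum a `description` that spells out the two-tunnel contract. The variable's `description` is outside the hunk.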
@ -48,12 +50,20 @@ variable "vpn_dynamic_config" {
|
||||||
local_bgp_address = string
|
local_bgp_address = string
|
||||||
peer_bgp_asn = number
|
peer_bgp_asn = number
|
||||||
peer_bgp_address = string
|
peer_bgp_address = string
|
||||||
|
local_bgp_asn2 = number
|
||||||
|
local_bgp_address2 = string
|
||||||
|
peer_bgp_asn2 = number
|
||||||
|
peer_bgp_address2 = string
|
||||||
})
|
})
|
||||||
default = {
|
default = {
|
||||||
local_bgp_asn = 65002
|
local_bgp_asn = 64514
|
||||||
local_bgp_address = "169.254.0.2"
|
local_bgp_address = "169.254.1.2"
|
||||||
peer_bgp_asn = 65001
|
peer_bgp_asn = 64513
|
||||||
peer_bgp_address = "169.254.0.1"
|
peer_bgp_address = "169.254.1.1"
|
||||||
|
local_bgp_asn2 = 64514
|
||||||
|
local_bgp_address2 = "169.254.2.2"
|
||||||
|
peer_bgp_asn2 = 64520
|
||||||
|
peer_bgp_address2 = "169.254.2.1"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
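Review bot: The defaults of `vpn_dynamic_config` change from `65002`/`65001` and `169.254.0.x` to `64514`/`64513` and `169.254.1.x`, which silently alters the BGP session parameters for any module consumer that relied on the old defaults, and the new `*2` defaults (`peer_bgp_asn2 = 64520`, `169.254.2.x`) bake one example's addressing plan into a reusable module. If the old defaults are genuinely no longer needed, the change deserves a line in the commit message; otherwise keep them and override from the example. The variable's `description`, outside the hunk, should also say that the `*2` attributes describe the second tunnel and are ignored for a static VPN.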
@ -14,13 +14,13 @@ The example has been purposefully kept simple to show how to use and wire the on
|
||||||
|
|
||||||
This sample creates several distinct groups of resources:
|
This sample creates several distinct groups of resources:
|
||||||
|
|
||||||
- one VPC
|
- one VPC with two regions
|
||||||
- one set of firewall rules
|
- one set of firewall rules
|
||||||
- one Cloud NAT configuration
|
- one Cloud NAT configuration per region
|
||||||
- one test instance
|
- one test instance on each region
|
||||||
- one service account for the test instance
|
- one service account for the test instances
|
||||||
- one service account for the onprem instance
|
- one service account for the onprem instance
|
||||||
- one dynamic VPN gateway with a single tunnel
|
- two dynamic VPN gateways in each of the regions with a single tunnel
|
||||||
- two DNS zones (private and forwarding) and a DNS inbound policy
|
- two DNS zones (private and forwarding) and a DNS inbound policy
|
||||||
- one emulated on-premises environment in a single GCP instance
|
- one emulated on-premises environment in a single GCP instance
|
||||||
|
|
||||||
|
@ -88,28 +88,84 @@ google.internal {
|
||||||
### Onprem to cloud
|
### Onprem to cloud
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
# check containers are running
|
||||||
|
sudo docker ps
|
||||||
|
|
||||||
# connect to the onprem instance
|
# connect to the onprem instance
|
||||||
gcloud compute ssh onprem-1
|
gcloud compute ssh onprem-1
|
||||||
|
|
||||||
# check that the BGP session works and the advertised routes are set
|
# check that the VPN tunnels are up
|
||||||
sudo docker exec -it onprem_bird_1 ip route |grep bird
|
sudo docker exec -it onprem_vpn_1 ipsec statusall
|
||||||
10.0.0.0/24 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
|
|
||||||
35.199.192.0/19 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
|
Status of IKE charon daemon (strongSwan 5.8.1, Linux 5.4.0-1029-gcp, x86_64):
|
||||||
199.36.153.4/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
|
uptime: 6 minutes, since Nov 30 08:42:08 2020
|
||||||
199.36.153.8/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
|
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
|
||||||
|
loaded plugins: charon aesni mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity counters
|
||||||
|
Listening IP addresses:
|
||||||
|
10.0.16.2
|
||||||
|
169.254.1.2
|
||||||
|
169.254.2.2
|
||||||
|
Connections:
|
||||||
|
gcp: %any...35.233.104.67,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
|
||||||
|
gcp: local: uses pre-shared key authentication
|
||||||
|
gcp: remote: [35.233.104.67] uses pre-shared key authentication
|
||||||
|
gcp: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
|
||||||
|
gcp2: %any...35.246.101.51,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
|
||||||
|
gcp2: local: uses pre-shared key authentication
|
||||||
|
gcp2: remote: [35.246.101.51] uses pre-shared key authentication
|
||||||
|
gcp2: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
|
||||||
|
Security Associations (2 up, 0 connecting):
|
||||||
|
gcp2[4]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.246.101.51[35.246.101.51]
|
||||||
|
gcp2[4]: IKEv2 SPIs: 227cb2c52085a743_i 13b18b0ad5d4de2b_r*, pre-shared key reauthentication in 9 hours
|
||||||
|
gcp2[4]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
|
||||||
|
gcp2{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cb6fdb84_i eea28dee_o
|
||||||
|
gcp2{4}: AES_GCM_16_256, 3298 bytes_i, 3051 bytes_o (48 pkts, 3s ago), rekeying in 2 hours
|
||||||
|
gcp2{4}: 0.0.0.0/0 === 0.0.0.0/0
|
||||||
|
gcp[3]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.233.104.67[35.233.104.67]
|
||||||
|
gcp[3]: IKEv2 SPIs: e2cffed5395b63dd_i 99f343468625507c_r*, pre-shared key reauthentication in 9 hours
|
||||||
|
gcp[3]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
|
||||||
|
gcp{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f09701_i 4e8cc8d5_o
|
||||||
|
gcp{3}: AES_GCM_16_256, 3438 bytes_i, 3135 bytes_o (49 pkts, 8s ago), rekeying in 2 hours
|
||||||
|
gcp{3}: 0.0.0.0/0 === 0.0.0.0/0
|
||||||
|
|
||||||
|
# check that the BGP sessions works and the advertised routes are set
|
||||||
|
sudo docker exec -it onprem_bird_1 ip route
|
||||||
|
default via 10.0.16.1 dev eth0
|
||||||
|
10.0.0.0/24 proto bird src 10.0.16.2
|
||||||
|
nexthop via 169.254.1.1 dev vti0 weight 1
|
||||||
|
nexthop via 169.254.2.1 dev vti1 weight 1
|
||||||
|
10.0.16.0/24 dev eth0 proto kernel scope link src 10.0.16.2
|
||||||
|
10.10.0.0/24 proto bird src 10.0.16.2
|
||||||
|
nexthop via 169.254.1.1 dev vti0 weight 1
|
||||||
|
nexthop via 169.254.2.1 dev vti1 weight 1
|
||||||
|
35.199.192.0/19 proto bird src 10.0.16.2
|
||||||
|
nexthop via 169.254.1.1 dev vti0 weight 1
|
||||||
|
nexthop via 169.254.2.1 dev vti1 weight 1
|
||||||
|
169.254.1.0/30 dev vti0 proto kernel scope link src 169.254.1.2
|
||||||
|
169.254.2.0/30 dev vti1 proto kernel scope link src 169.254.2.2
|
||||||
|
199.36.153.4/30 proto bird src 10.0.16.2
|
||||||
|
nexthop via 169.254.1.1 dev vti0 weight 1
|
||||||
|
nexthop via 169.254.2.1 dev vti1 weight 1
|
||||||
|
199.36.153.8/30 proto bird src 10.0.16.2
|
||||||
|
nexthop via 169.254.1.1 dev vti0 weight 1
|
||||||
|
nexthop via 169.254.2.1 dev vti1 weight 1
|
||||||
|
|
||||||
|
|
||||||
# get a shell on the toolbox container
|
# get a shell on the toolbox container
|
||||||
sudo docker exec -it onprem_toolbox_1 sh
|
sudo docker exec -it onprem_toolbox_1 sh
|
||||||
|
|
||||||
# test pinging the IP address of the test instance (check outputs for it)
|
# test pinging the IP address of the test instances (check outputs for it)
|
||||||
ping 10.0.0.3
|
ping 10.0.0.3
|
||||||
|
ping 10.10.0.3
|
||||||
|
|
||||||
# note: if you are able to ping the IP but the DNS tests below do not work,
|
# note: if you are able to ping the IP but the DNS tests below do not work,
|
||||||
# refer to the sections above on configuring the DNS inbound fwd IP
|
# refer to the sections above on configuring the DNS inbound fwd IP
|
||||||
|
|
||||||
# test forwarding from CoreDNS via the Cloud DNS inbound policy
|
# test forwarding from CoreDNS via the Cloud DNS inbound policy
|
||||||
dig test-1.gcp.example.org +short
|
dig test-1-1.gcp.example.org +short
|
||||||
10.0.0.3
|
10.0.0.3
|
||||||
|
dig test-2-1.gcp.example.org +short
|
||||||
|
10.10.0.3
|
||||||
|
|
||||||
# test that Private Access is configured correctly
|
# test that Private Access is configured correctly
|
||||||
dig compute.googleapis.com +short
|
dig compute.googleapis.com +short
|
||||||
|
@ -143,7 +199,7 @@ curl www.onprem.example.org -s |grep h1
|
||||||
|
|
||||||
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
|
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
|
||||||
|
|
||||||
The VPN used to connect to the on-premises environment does not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
|
The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
|
||||||
|
|
||||||
<!-- BEGIN TFDOC -->
|
<!-- BEGIN TFDOC -->
|
||||||
## Variables
|
## Variables
|
||||||
|
@ -151,12 +207,12 @@ The VPN used to connect to the on-premises environment does not account for HA,
|
||||||
| name | description | type | required | default |
|
| name | description | type | required | default |
|
||||||
|---|---|:---: |:---:|:---:|
|
|---|---|:---: |:---:|:---:|
|
||||||
| project_id | Project id for all resources. | <code title="">string</code> | ✓ | |
|
| project_id | Project id for all resources. | <code title="">string</code> | ✓ | |
|
||||||
| *bgp_asn* | BGP ASNs. | <code title="map(number)">map(number)</code> | | <code title="{ gcp = 64513 onprem = 64514 }">...</code> |
|
| *bgp_asn* | BGP ASNs. | <code title="map(number)">map(number)</code> | | <code title="{ gcp1 = 64513 gcp2 = 64520 onprem1 = 64514 onprem2 = 64514 }">...</code> |
|
||||||
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "169.254.1.0/30" }">...</code> |
|
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "169.254.1.0/30" gcp2 = "169.254.2.0/30" }">...</code> |
|
||||||
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
||||||
| *forwarder_address* | GCP DNS inbound policy forwarder address. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
| *forwarder_address* | GCP DNS inbound policy forwarder address. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
|
||||||
| *ip_ranges* | IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "10.0.0.0/24" onprem = "10.0.16.0/24" }">...</code> |
|
| *ip_ranges* | IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "10.0.0.0/24" gcp2 = "10.10.0.0/24" onprem = "10.0.16.0/24" }">...</code> |
|
||||||
| *region* | VPC region. | <code title="">string</code> | | <code title="">europe-west1</code> |
|
| *region* | VPC region. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "europe-west1" gcp2 = "europe-west2" }">...</code> |
|
||||||
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list(string)">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
|
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list(string)">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
|
||||||
|
|
||||||
## Outputs
|
## Outputs
|
||||||
|
@ -164,5 +220,6 @@ The VPN used to connect to the on-premises environment does not account for HA,
|
||||||
| name | description | sensitive |
|
| name | description | sensitive |
|
||||||
|---|---|:---:|
|
|---|---|:---:|
|
||||||
| onprem-instance | Onprem instance details. | |
|
| onprem-instance | Onprem instance details. | |
|
||||||
| test-instance | Test instance details. | |
|
| test-instance1 | Test instance details. | |
|
||||||
|
| test-instance2 | Test instance details. | |
|
||||||
<!-- END TFDOC -->
|
<!-- END TFDOC -->
|
||||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 140 KiB After Width: | Height: | Size: 154 KiB |
|
@ -15,8 +15,10 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
bgp_interface_gcp = "${cidrhost(var.bgp_interface_ranges.gcp, 1)}"
|
bgp_interface_gcp1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 1)}"
|
||||||
bgp_interface_onprem = "${cidrhost(var.bgp_interface_ranges.gcp, 2)}"
|
bgp_interface_onprem1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 2)}"
|
||||||
|
bgp_interface_gcp2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 1)}"
|
||||||
|
bgp_interface_onprem2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 2)}"
|
||||||
netblocks = {
|
netblocks = {
|
||||||
dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
|
dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
|
||||||
private = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
|
private = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
|
||||||
|
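Review bot: The new locals `bgp_interface_gcp2` and `bgp_interface_onprem2` wrap a single function call in `"${...}"`, the interpolation-only form that Terraform 0.12 reports as deprecated; new lines should use the bare expression, `bgp_interface_gcp2 = cidrhost(var.bgp_interface_ranges.gcp2, 1)` and `bgp_interface_onprem2 = cidrhost(var.bgp_interface_ranges.gcp2, 2)`. The two renamed lines above them are touched anyway and could be cleaned up the same way.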
@ -54,9 +56,15 @@ module "vpc" {
|
||||||
name = "to-onprem"
|
name = "to-onprem"
|
||||||
subnets = [
|
subnets = [
|
||||||
{
|
{
|
||||||
ip_cidr_range = var.ip_ranges.gcp
|
ip_cidr_range = var.ip_ranges.gcp1
|
||||||
name = "subnet"
|
name = "subnet1"
|
||||||
region = var.region
|
region = var.region.gcp1
|
||||||
|
secondary_ip_range = {}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
ip_cidr_range = var.ip_ranges.gcp2
|
||||||
|
name = "subnet2"
|
||||||
|
region = var.region.gcp2
|
||||||
secondary_ip_range = {}
|
secondary_ip_range = {}
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
@ -71,18 +79,18 @@ module "vpc-firewall" {
|
||||||
ssh_source_ranges = var.ssh_source_ranges
|
ssh_source_ranges = var.ssh_source_ranges
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vpn" {
|
module "vpn1" {
|
||||||
source = "../../modules/net-vpn-dynamic"
|
source = "../../modules/net-vpn-dynamic"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
region = module.vpc.subnet_regions["${var.region}/subnet"]
|
region = var.region.gcp1
|
||||||
network = module.vpc.name
|
network = module.vpc.name
|
||||||
name = "to-onprem"
|
name = "to-onprem1"
|
||||||
router_asn = var.bgp_asn.gcp
|
router_asn = var.bgp_asn.gcp1
|
||||||
tunnels = {
|
tunnels = {
|
||||||
onprem = {
|
onprem = {
|
||||||
bgp_peer = {
|
bgp_peer = {
|
||||||
address = local.bgp_interface_onprem
|
address = local.bgp_interface_onprem1
|
||||||
asn = var.bgp_asn.onprem
|
asn = var.bgp_asn.onprem1
|
||||||
}
|
}
|
||||||
bgp_peer_options = {
|
bgp_peer_options = {
|
||||||
advertise_groups = ["ALL_SUBNETS"]
|
advertise_groups = ["ALL_SUBNETS"]
|
||||||
|
@ -94,7 +102,7 @@ module "vpn" {
|
||||||
advertise_mode = "CUSTOM"
|
advertise_mode = "CUSTOM"
|
||||||
route_priority = 1000
|
route_priority = 1000
|
||||||
}
|
}
|
||||||
bgp_session_range = "${local.bgp_interface_gcp}/30"
|
bgp_session_range = "${local.bgp_interface_gcp1}/30"
|
||||||
ike_version = 2
|
ike_version = 2
|
||||||
peer_ip = module.vm-onprem.external_ips.0
|
peer_ip = module.vm-onprem.external_ips.0
|
||||||
shared_secret = ""
|
shared_secret = ""
|
||||||
|
@ -102,13 +110,52 @@ module "vpn" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "nat" {
|
module "vpn2" {
|
||||||
|
source = "../../modules/net-vpn-dynamic"
|
||||||
|
project_id = var.project_id
|
||||||
|
region = var.region.gcp2
|
||||||
|
network = module.vpc.name
|
||||||
|
name = "to-onprem2"
|
||||||
|
router_asn = var.bgp_asn.gcp2
|
||||||
|
tunnels = {
|
||||||
|
onprem = {
|
||||||
|
bgp_peer = {
|
||||||
|
address = local.bgp_interface_onprem2
|
||||||
|
asn = var.bgp_asn.onprem2
|
||||||
|
}
|
||||||
|
bgp_peer_options = {
|
||||||
|
advertise_groups = ["ALL_SUBNETS"]
|
||||||
|
advertise_ip_ranges = {
|
||||||
|
(local.netblocks.dns) = "DNS resolvers"
|
||||||
|
(local.netblocks.private) = "private.gooogleapis.com"
|
||||||
|
(local.netblocks.restricted) = "restricted.gooogleapis.com"
|
||||||
|
}
|
||||||
|
advertise_mode = "CUSTOM"
|
||||||
|
route_priority = 1000
|
||||||
|
}
|
||||||
|
bgp_session_range = "${local.bgp_interface_gcp2}/30"
|
||||||
|
ike_version = 2
|
||||||
|
peer_ip = module.vm-onprem.external_ips.0
|
||||||
|
shared_secret = ""
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
module "nat1" {
|
||||||
source = "../../modules/net-cloudnat"
|
source = "../../modules/net-cloudnat"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
region = var.region
|
region = var.region.gcp1
|
||||||
name = "default"
|
name = "default"
|
||||||
router_create = false
|
router_create = false
|
||||||
router_name = module.vpn.router_name
|
router_name = module.vpn1.router_name
|
||||||
|
}
|
||||||
|
module "nat2" {
|
||||||
|
source = "../../modules/net-cloudnat"
|
||||||
|
project_id = var.project_id
|
||||||
|
region = var.region.gcp2
|
||||||
|
name = "default"
|
||||||
|
router_create = false
|
||||||
|
router_name = module.vpn2.router_name
|
||||||
}
|
}
|
||||||
|
|
||||||
################################################################################
|
################################################################################
|
||||||
|
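Review bot: The route advertisement descriptions in the new `vpn2` block read `private.gooogleapis.com` and `restricted.gooogleapis.com` (three o's); they should be `private.googleapis.com` and `restricted.googleapis.com`, and the `vpn1` block, whose corresponding lines are outside this hunk, presumably carries the same typo. Beyond that, `vpn2` and `nat2` here, `vm-test2` in the later hunk and the second output are verbatim copies distinguished only by the `gcp1`/`gcp2` key; a `for_each = var.region` on each module would express the same thing once, but module `for_each` needs Terraform 0.13 while the new `versions.tf` pins `>= 0.12.6`, so either raise the constraint or accept the duplication consciously.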
@ -125,7 +172,11 @@ module "dns-gcp" {
|
||||||
recordsets = concat(
|
recordsets = concat(
|
||||||
[{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
|
[{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
|
||||||
[
|
[
|
||||||
for name, ip in zipmap(module.vm-test.names, module.vm-test.internal_ips) :
|
for name, ip in zipmap(module.vm-test1.names, module.vm-test1.internal_ips) :
|
||||||
|
{ name = name, type = "A", ttl = 300, records = [ip] }
|
||||||
|
],
|
||||||
|
[
|
||||||
|
for name, ip in zipmap(module.vm-test2.names, module.vm-test2.internal_ips) :
|
||||||
{ name = name, type = "A", ttl = 300, records = [ip] }
|
{ name = name, type = "A", ttl = 300, records = [ip] }
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
@ -152,7 +203,7 @@ module "dns-onprem" {
|
||||||
name = "onprem-example"
|
name = "onprem-example"
|
||||||
domain = "onprem.example.org."
|
domain = "onprem.example.org."
|
||||||
client_networks = [module.vpc.self_link]
|
client_networks = [module.vpc.self_link]
|
||||||
forwarders = { cidrhost(var.ip_ranges.onprem, 3) = null }
|
forwarders = [cidrhost(var.ip_ranges.onprem, 3)]
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "google_dns_policy" "inbound" {
|
resource "google_dns_policy" "inbound" {
|
||||||
|
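Review bot: `forwarders` changes from a map (`{ cidr = null }`) to a list (`[cidr]`), which is a change to the `dns` module's interface rather than anything to do with a second region; the same applies to the `iam-service-account` → `iam-service-accounts` source and `name` → `names` change in the two service-account hunks below. Mixing a module-API migration into a feature commit makes it hard to tell which one caused a plan difference, and it is worth confirming that `../../modules/iam-service-accounts` is the module that exists at this commit rather than an older name.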
@ -170,9 +221,9 @@ resource "google_dns_policy" "inbound" {
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
module "service-account-gce" {
|
module "service-account-gce" {
|
||||||
source = "../../modules/iam-service-account"
|
source = "../../modules/iam-service-accounts"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
name = "gce-test"
|
names = ["gce-test"]
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/logging.logWriter",
|
"roles/logging.logWriter",
|
||||||
|
@ -181,14 +232,32 @@ module "service-account-gce" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "vm-test" {
|
module "vm-test1" {
|
||||||
source = "../../modules/compute-vm"
|
source = "../../modules/compute-vm"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
region = var.region
|
region = var.region.gcp1
|
||||||
name = "test"
|
name = "test-1"
|
||||||
network_interfaces = [{
|
network_interfaces = [{
|
||||||
network = module.vpc.self_link
|
network = module.vpc.self_link
|
||||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
|
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
|
||||||
|
nat = false
|
||||||
|
addresses = null
|
||||||
|
alias_ips = null
|
||||||
|
}]
|
||||||
|
metadata = { startup-script = local.vm-startup-script }
|
||||||
|
service_account = module.service-account-gce.email
|
||||||
|
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
|
||||||
|
tags = ["ssh"]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "vm-test2" {
|
||||||
|
source = "../../modules/compute-vm"
|
||||||
|
project_id = var.project_id
|
||||||
|
region = var.region.gcp2
|
||||||
|
name = "test-2"
|
||||||
|
network_interfaces = [{
|
||||||
|
network = module.vpc.self_link
|
||||||
|
subnetwork = module.vpc.subnet_self_links["${var.region.gcp2}/subnet2"]
|
||||||
nat = false
|
nat = false
|
||||||
addresses = null
|
addresses = null
|
||||||
alias_ips = null
|
alias_ips = null
|
||||||
|
@ -209,22 +278,28 @@ module "config-onprem" {
|
||||||
coredns_config = "${path.module}/assets/Corefile"
|
coredns_config = "${path.module}/assets/Corefile"
|
||||||
local_ip_cidr_range = var.ip_ranges.onprem
|
local_ip_cidr_range = var.ip_ranges.onprem
|
||||||
vpn_config = {
|
vpn_config = {
|
||||||
peer_ip = module.vpn.address
|
peer_ip = module.vpn1.address
|
||||||
shared_secret = module.vpn.random_secret
|
peer_ip2 = module.vpn2.address
|
||||||
|
shared_secret = module.vpn1.random_secret
|
||||||
|
shared_secret2 = module.vpn2.random_secret
|
||||||
type = "dynamic"
|
type = "dynamic"
|
||||||
}
|
}
|
||||||
vpn_dynamic_config = {
|
vpn_dynamic_config = {
|
||||||
local_bgp_asn = var.bgp_asn.onprem
|
local_bgp_asn = var.bgp_asn.onprem1
|
||||||
local_bgp_address = local.bgp_interface_onprem
|
local_bgp_address = local.bgp_interface_onprem1
|
||||||
peer_bgp_asn = var.bgp_asn.gcp
|
peer_bgp_asn = var.bgp_asn.gcp1
|
||||||
peer_bgp_address = local.bgp_interface_gcp
|
peer_bgp_address = local.bgp_interface_gcp1
|
||||||
|
local_bgp_asn2 = var.bgp_asn.onprem2
|
||||||
|
local_bgp_address2 = local.bgp_interface_onprem2
|
||||||
|
peer_bgp_asn2 = var.bgp_asn.gcp2
|
||||||
|
peer_bgp_address2 = local.bgp_interface_gcp2
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module "service-account-onprem" {
|
module "service-account-onprem" {
|
||||||
source = "../../modules/iam-service-account"
|
source = "../../modules/iam-service-accounts"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
name = "gce-onprem"
|
names = ["gce-onprem"]
|
||||||
iam_project_roles = {
|
iam_project_roles = {
|
||||||
(var.project_id) = [
|
(var.project_id) = [
|
||||||
"roles/compute.viewer",
|
"roles/compute.viewer",
|
||||||
|
@ -237,7 +312,7 @@ module "service-account-onprem" {
|
||||||
module "vm-onprem" {
|
module "vm-onprem" {
|
||||||
source = "../../modules/compute-vm"
|
source = "../../modules/compute-vm"
|
||||||
project_id = var.project_id
|
project_id = var.project_id
|
||||||
region = var.region
|
region = var.region.gcp1
|
||||||
instance_type = "f1-micro"
|
instance_type = "f1-micro"
|
||||||
name = "onprem"
|
name = "onprem"
|
||||||
boot_disk = {
|
boot_disk = {
|
||||||
|
@ -250,7 +325,7 @@ module "vm-onprem" {
|
||||||
}
|
}
|
||||||
network_interfaces = [{
|
network_interfaces = [{
|
||||||
network = module.vpc.name
|
network = module.vpc.name
|
||||||
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
|
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
|
||||||
nat = true
|
nat = true
|
||||||
addresses = null
|
addresses = null
|
||||||
alias_ips = null
|
alias_ips = null
|
||||||
|
|
|
@ -23,10 +23,17 @@ output "onprem-instance" {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
output "test-instance" {
|
output "test-instance1" {
|
||||||
description = "Test instance details."
|
description = "Test instance details."
|
||||||
value = join(" ", [
|
value = join(" ", [
|
||||||
module.vm-test.names[0],
|
module.vm-test1.names[0],
|
||||||
module.vm-test.internal_ips[0]
|
module.vm-test1.internal_ips[0]
|
||||||
|
])
|
||||||
|
}
|
||||||
|
output "test-instance2" {
|
||||||
|
description = "Test instance details."
|
||||||
|
value = join(" ", [
|
||||||
|
module.vm-test2.names[0],
|
||||||
|
module.vm-test2.internal_ips[0]
|
||||||
])
|
])
|
||||||
}
|
}
|
||||||
|
|
|
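Review bot: `test-instance1` and `test-instance2` carry the identical description `"Test instance details."`, so the generated README table cannot tell the reader which region each refers to; `description = "Test instance details (region gcp1)."` and `description = "Test instance details (region gcp2)."` would fix both the outputs and the table.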
@ -18,8 +18,10 @@ variable "bgp_asn" {
|
||||||
description = "BGP ASNs."
|
description = "BGP ASNs."
|
||||||
type = map(number)
|
type = map(number)
|
||||||
default = {
|
default = {
|
||||||
gcp = 64513
|
gcp1 = 64513
|
||||||
onprem = 64514
|
gcp2 = 64520
|
||||||
|
onprem1 = 64514
|
||||||
|
onprem2 = 64514
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -27,7 +29,8 @@ variable "bgp_interface_ranges" {
|
||||||
description = "BGP interface IP CIDR ranges."
|
description = "BGP interface IP CIDR ranges."
|
||||||
type = map(string)
|
type = map(string)
|
||||||
default = {
|
default = {
|
||||||
gcp = "169.254.1.0/30"
|
gcp1 = "169.254.1.0/30"
|
||||||
|
gcp2 = "169.254.2.0/30"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -41,7 +44,8 @@ variable "ip_ranges" {
|
||||||
description = "IP CIDR ranges."
|
description = "IP CIDR ranges."
|
||||||
type = map(string)
|
type = map(string)
|
||||||
default = {
|
default = {
|
||||||
gcp = "10.0.0.0/24"
|
gcp1 = "10.0.0.0/24"
|
||||||
|
gcp2 = "10.10.0.0/24"
|
||||||
onprem = "10.0.16.0/24"
|
onprem = "10.0.16.0/24"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -53,8 +57,11 @@ variable "project_id" {
|
||||||
|
|
||||||
variable "region" {
|
variable "region" {
|
||||||
description = "VPC region."
|
description = "VPC region."
|
||||||
type = string
|
type = map(string)
|
||||||
default = "europe-west1"
|
default = {
|
||||||
|
gcp1 = "europe-west1"
|
||||||
|
gcp2 = "europe-west2"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "forwarder_address" {
|
variable "forwarder_address" {
|
||||||
|
|
|
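Review bot: `variable "region"` becomes a `map(string)` but keeps the description `"VPC region."`, and the keys `gcp1` and `gcp2` are referenced by name throughout `main.tf`, so a caller supplying other keys fails at plan time with an opaque lookup error. `description = "VPC regions, keyed by gcp1 and gcp2; both keys are required."` documents the contract, and the same applies to `bgp_asn`, `bgp_interface_ranges` and `ip_ranges` in the hunks above, whose keys are likewise hard-coded. A `validation` block would enforce it but needs Terraform 0.13, above the `>= 0.12.6` constraint added in this commit.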
@ -0,0 +1,17 @@
|
||||||
|
# Copyright 2020 Google LLC
|
||||||
|
#
|
||||||
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
# you may not use this file except in compliance with the License.
|
||||||
|
# You may obtain a copy of the License at
|
||||||
|
#
|
||||||
|
# https://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
#
|
||||||
|
# Unless required by applicable law or agreed to in writing, software
|
||||||
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
# See the License for the specific language governing permissions and
|
||||||
|
# limitations under the License.
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
required_version = ">= 0.12.6"
|
||||||
|
}
|