Adjusting second region for on-prem-in-a-box for testing more use cases
This commit is contained in:
parent
5baed553aa
commit
2c71835965
@ -64,13 +64,13 @@ module "on-prem" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string })">object({...})</code> | ✓ | |
| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | <code title="object({ peer_ip = string shared_secret = string type = string peer_ip2 = string shared_secret2 = string })">object({...})</code> | ✓ | |
| *config_variables* | Additional variables used to render the cloud-config and CoreDNS templates. | <code title="map(any)">map(any)</code> | | <code title="">{}</code> |
| *coredns_config* | CoreDNS configuration path, if null default will be used. | <code title="">string</code> | | <code title="">null</code> |
| *local_ip_cidr_range* | IP CIDR range used for the Docker onprem network. | <code title="">string</code> | | <code title="">192.168.192.0/24</code> |
| *test_instance* | Test/development instance attributes, leave null to skip creation. | <code title="object({ project_id = string zone = string name = string type = string network = string subnetwork = string })">object({...})</code> | | <code title="">null</code> |
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | <code title="object({ disks = map(object({ read_only = bool size = number })) image = string metadata = map(string) nat = bool service_account_roles = list(string) tags = list(string) })">object({...})</code> | | <code title="{ disks = {} image = null metadata = {} nat = false service_account_roles = [ "roles/logging.logWriter", "roles/monitoring.metricWriter" ] tags = ["ssh"] }">...</code> |
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string })">object({...})</code> | | <code title="{ local_bgp_asn = 65002 local_bgp_address = "169.254.0.2" peer_bgp_asn = 65001 peer_bgp_address = "169.254.0.1" }">...</code> |
| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | <code title="object({ local_bgp_asn = number local_bgp_address = string peer_bgp_asn = number peer_bgp_address = string local_bgp_asn2 = number local_bgp_address2 = string peer_bgp_asn2 = number peer_bgp_address2 = string })">object({...})</code> | | <code title="{ local_bgp_asn = 64514 local_bgp_address = "169.254.1.2" peer_bgp_asn = 64513 peer_bgp_address = "169.254.1.1" local_bgp_asn2 = 64514 local_bgp_address2 = "169.254.2.2" peer_bgp_asn2 = 64520 peer_bgp_address2 = "169.254.2.1" }">...</code> |
| *vpn_static_ranges* | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | <code title="list(string)">list(string)</code> | | <code title="">["10.0.0.0/8"]</code> |
## Outputs
@ -172,7 +172,8 @@ write_files:
owner: root:root
permissions: '0600'
content: |
: PSK "${vpn_config.shared_secret}"
${vpn_config.peer_ip} : PSK "${vpn_config.shared_secret}"
${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"
# IPSEC tunnel configuration
- path: /var/lib/docker-compose/onprem/ipsec/ipsec.conf
@ -216,6 +217,37 @@ write_files:
closeaction=restart
%{~ if vpn_config.type == "dynamic" ~}
mark=%unique
%{~ endif ~}
conn gcp2
%{~ if vpn_config.type == "dynamic" ~}
leftupdown="/var/lib/strongswan/ipsec-vti.sh 1 ${vpn_dynamic_config.peer_bgp_address2}/30 ${vpn_dynamic_config.local_bgp_address2}/30"
%{~ endif ~}
left=%any
leftid=%any
%{~ if vpn_config.type == "dynamic" ~}
leftsubnet=0.0.0.0/0
%{~ else ~}
leftsubnet=${ip_cidr_ranges.local}
%{~ endif ~}
leftauth=psk
right=${vpn_config.peer_ip_wildcard2}
rightid=${vpn_config.peer_ip2}
%{~ if vpn_config.type == "dynamic" ~}
rightsubnet=0.0.0.0/0
%{~ else ~}
rightsubnet=${ip_cidr_ranges.remote}
%{~ endif ~}
rightauth=psk
type=tunnel
auto=start
dpdaction=restart
closeaction=restart
%{~ if vpn_config.type == "dynamic" ~}
mark=%unique
%{~ endif ~}
%{~ if vpn_config.type == "dynamic" ~}
# Charon configuration
- path: /var/lib/docker-compose/onprem/ipsec/vti.conf
@ -292,6 +324,10 @@ write_files:
local ${vpn_dynamic_config.local_bgp_address} as ${vpn_dynamic_config.local_bgp_asn};
neighbor ${vpn_dynamic_config.peer_bgp_address} as ${vpn_dynamic_config.peer_bgp_asn};
}
protocol bgp gcp_vpc_a_tun2 from gcp_vpc_a {
local ${vpn_dynamic_config.local_bgp_address2} as ${vpn_dynamic_config.local_bgp_asn2};
neighbor ${vpn_dynamic_config.peer_bgp_address2} as ${vpn_dynamic_config.peer_bgp_asn2};
}
%{~ endif ~}
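Review bot: In static mode the new `conn gcp2` stanza ends up with the same traffic selectors as the first connection — `leftsubnet=${ip_cidr_ranges.local}` and `rightsubnet=${ip_cidr_ranges.remote}` — while `mark=%unique` is emitted only under the dynamic branch, so the two tunnels are likely to install overlapping IPsec policies; nothing in this hunk differentiates the static selectors per peer, although I cannot see the first stanza here. Either document that the second tunnel is only supported with `type = "dynamic"` or give the static path a per-tunnel mark or selector. The stanza is otherwise a near-verbatim copy of the first with a `2` suffix on every interpolation (`peer_ip_wildcard2`, `peer_ip2`, `peer_bgp_address2`), so a `%{ for }` over a list of peers would keep the two in step when one is edited. The write_files entry enclosing these stanzas starts before the hunk.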
@ -38,6 +38,7 @@ locals {
dns = cidrhost(var.local_ip_cidr_range, 3)
www = cidrhost(var.local_ip_cidr_range, 4)
shell = cidrhost(var.local_ip_cidr_range, 5)
vpn2 = cidrhost(var.local_ip_cidr_range, 6)
}
netblocks = local.netblocks
vpn_config = local.vpn_config
@ -49,7 +50,8 @@ locals {
data.google_netblock_ip_ranges.restricted-googleapis.cidr_blocks_ipv4
)
vpn_config = merge(var.vpn_config, {
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
peer_ip_wildcard2 = "%${var.vpn_config.peer_ip2}"
})
}
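Review bot: The new `vpn2 = cidrhost(var.local_ip_cidr_range, 6)` entry has no consumer visible in this section, and the map it sits in carries no comment that these fixed host indexes must agree with whatever the compose/cloud-config templates assign to the containers. Suggest annotating it, e.g. `vpn2 = cidrhost(var.local_ip_cidr_range, 6) # presumably the second VPN endpoint address, confirm against the templates`, or dropping it if nothing reads it. The `peer_ip_wildcard2` merge mirrors `peer_ip_wildcard`, but it dereferences `var.vpn_config.peer_ip2` unconditionally, so callers that only have one peer must still pass a value. The locals block enclosing both hunks starts before the first hunk.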
@ -35,25 +35,35 @@ variable "local_ip_cidr_range" {
variable "vpn_config" {
description = "VPN configuration, type must be one of 'dynamic' or 'static'."
type = object({
peer_ip = string
shared_secret = string
type = string
peer_ip = string
shared_secret = string
type = string
peer_ip2 = string
shared_secret2 = string
})
}
variable "vpn_dynamic_config" {
description = "BGP configuration for dynamic VPN, ignored if VPN type is 'static'."
type = object({
local_bgp_asn = number
local_bgp_address = string
peer_bgp_asn = number
peer_bgp_address = string
local_bgp_asn = number
local_bgp_address = string
peer_bgp_asn = number
peer_bgp_address = string
local_bgp_asn2 = number
local_bgp_address2 = string
peer_bgp_asn2 = number
peer_bgp_address2 = string
})
default = {
local_bgp_asn = 65002
local_bgp_address = "169.254.0.2"
peer_bgp_asn = 65001
peer_bgp_address = "169.254.0.1"
local_bgp_asn = 64514
local_bgp_address = "169.254.1.2"
peer_bgp_asn = 64513
peer_bgp_address = "169.254.1.1"
local_bgp_asn2 = 64514
local_bgp_address2 = "169.254.2.2"
peer_bgp_asn2 = 64520
peer_bgp_address2 = "169.254.2.1"
}
}
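Review bot: `peer_ip2` and `shared_secret2` are added as plain attributes of the `vpn_config` object type, and at the `>= 0.12.6` floor object attributes cannot be optional, so every caller must now supply two peers and the original single-tunnel deployment is no longer expressible; the same holds for the four `*2` attributes of `vpn_dynamic_config`. The `vpn_config` description is unchanged and says nothing about this; suggest `description = "VPN configuration for two tunnels (peer_ip/shared_secret and peer_ip2/shared_secret2); type must be one of 'dynamic' or 'static' and applies to both."`. A list or map of peer objects would avoid the numbered suffixes and let the template loop over them instead of duplicating stanzas. Note also that the `vpn_dynamic_config` defaults change the first tunnel's link-local addresses and ASNs (169.254.0.x with 65001/65002 become 169.254.1.x with 64513/64514), which silently alters behaviour for callers relying on the defaults and should be called out in the changelog.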
@ -14,13 +14,13 @@ The example has been purposefully kept simple to show how to use and wire the on
This sample creates several distinct groups of resources:
- one VPC
- one VPC with two regions
- one set of firewall rules
- one Cloud NAT configuration
- one test instance
- one service account for the test instance
- one Cloud NAT configuration per region
- one test instance on each region
- one service account for the test instances
- one service account for the onprem instance
- one dynamic VPN gateway with a single tunnel
- two dynamic VPN gateways in each of the regions with a single tunnel
- two DNS zones (private and forwarding) and a DNS inbound policy
- one emulated on-premises environment in a single GCP instance
@ -88,28 +88,84 @@ google.internal {
### Onprem to cloud
```bash
# check containers are running
sudo docker ps
# connect to the onprem instance
gcloud compute ssh onprem-1
# check that the BGP session works and the advertised routes are set
sudo docker exec -it onprem_bird_1 ip route |grep bird
10.0.0.0/24 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
35.199.192.0/19 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
199.36.153.4/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
199.36.153.8/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
# check that the VPN tunnels are up
sudo docker exec -it onprem_vpn_1 ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 5.4.0-1029-gcp, x86_64):
uptime: 6 minutes, since Nov 30 08:42:08 2020
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
loaded plugins: charon aesni mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity counters
Listening IP addresses:
10.0.16.2
169.254.1.2
169.254.2.2
Connections:
gcp: %any...35.233.104.67,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
gcp: local: uses pre-shared key authentication
gcp: remote: [35.233.104.67] uses pre-shared key authentication
gcp: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
gcp2: %any...35.246.101.51,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
gcp2: local: uses pre-shared key authentication
gcp2: remote: [35.246.101.51] uses pre-shared key authentication
gcp2: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
gcp2[4]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.246.101.51[35.246.101.51]
gcp2[4]: IKEv2 SPIs: 227cb2c52085a743_i 13b18b0ad5d4de2b_r*, pre-shared key reauthentication in 9 hours
gcp2[4]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
gcp2{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cb6fdb84_i eea28dee_o
gcp2{4}: AES_GCM_16_256, 3298 bytes_i, 3051 bytes_o (48 pkts, 3s ago), rekeying in 2 hours
gcp2{4}: 0.0.0.0/0 === 0.0.0.0/0
gcp[3]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.233.104.67[35.233.104.67]
gcp[3]: IKEv2 SPIs: e2cffed5395b63dd_i 99f343468625507c_r*, pre-shared key reauthentication in 9 hours
gcp[3]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
gcp{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f09701_i 4e8cc8d5_o
gcp{3}: AES_GCM_16_256, 3438 bytes_i, 3135 bytes_o (49 pkts, 8s ago), rekeying in 2 hours
gcp{3}: 0.0.0.0/0 === 0.0.0.0/0
# check that the BGP sessions works and the advertised routes are set
sudo docker exec -it onprem_bird_1 ip route
default via 10.0.16.1 dev eth0
10.0.0.0/24 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
10.0.16.0/24 dev eth0 proto kernel scope link src 10.0.16.2
10.10.0.0/24 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
35.199.192.0/19 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
169.254.1.0/30 dev vti0 proto kernel scope link src 169.254.1.2
169.254.2.0/30 dev vti1 proto kernel scope link src 169.254.2.2
199.36.153.4/30 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
199.36.153.8/30 proto bird src 10.0.16.2
nexthop via 169.254.1.1 dev vti0 weight 1
nexthop via 169.254.2.1 dev vti1 weight 1
# get a shell on the toolbox container
sudo docker exec -it onprem_toolbox_1 sh
# test pinging the IP address of the test instance (check outputs for it)
# test pinging the IP address of the test instances (check outputs for it)
ping 10.0.0.3
ping 10.10.0.3
# note: if you are able to ping the IP but the DNS tests below do not work,
# refer to the sections above on configuring the DNS inbound fwd IP
# test forwarding from CoreDNS via the Cloud DNS inbound policy
dig test-1.gcp.example.org +short
dig test-1-1.gcp.example.org +short
10.0.0.3
dig test-2-1.gcp.example.org +short
10.10.0.3
# test that Private Access is configured correctly
dig compute.googleapis.com +short
@ -143,7 +199,7 @@ curl www.onprem.example.org -s |grep h1
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
The VPN used to connect to the on-premises environment does not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
<!-- BEGIN TFDOC -->
## Variables
@ -151,12 +207,12 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id for all resources. | <code title="">string</code> | ✓ | |
| *bgp_asn* | BGP ASNs. | <code title="map(number)">map(number)</code> | | <code title="{ gcp = 64513 onprem = 64514 }">...</code> |
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "169.254.1.0/30" }">...</code> |
| *bgp_asn* | BGP ASNs. | <code title="map(number)">map(number)</code> | | <code title="{ gcp1 = 64513 gcp2 = 64520 onprem1 = 64514 onprem2 = 64514 }">...</code> |
| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "169.254.1.0/30" gcp2 = "169.254.2.0/30" }">...</code> |
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
| *forwarder_address* | GCP DNS inbound policy forwarder address. | <code title="">string</code> | | <code title="">10.0.0.2</code> |
| *ip_ranges* | IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp = "10.0.0.0/24" onprem = "10.0.16.0/24" }">...</code> |
| *region* | VPC region. | <code title="">string</code> | | <code title="">europe-west1</code> |
| *ip_ranges* | IP CIDR ranges. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "10.0.0.0/24" gcp2 = "10.10.0.0/24" onprem = "10.0.16.0/24" }">...</code> |
| *region* | VPC region. | <code title="map(string)">map(string)</code> | | <code title="{ gcp1 = "europe-west1" gcp2 = "europe-west2" }">...</code> |
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | <code title="list(string)">list(string)</code> | | <code title="">["0.0.0.0/0"]</code> |
## Outputs
@ -164,5 +220,6 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | sensitive |
|---|---|:---:|
| onprem-instance | Onprem instance details. | |
| test-instance | Test instance details. | |
| test-instance1 | Test instance details. | |
| test-instance2 | Test instance details. | |
<!-- END TFDOC -->
Binary file not shown.
Before Width: | Height: | Size: 140 KiB After Width: | Height: | Size: 154 KiB |
@ -15,8 +15,10 @@
*/
locals {
bgp_interface_gcp = "${cidrhost(var.bgp_interface_ranges.gcp, 1)}"
bgp_interface_onprem = "${cidrhost(var.bgp_interface_ranges.gcp, 2)}"
bgp_interface_gcp1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 1)}"
bgp_interface_onprem1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 2)}"
bgp_interface_gcp2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 1)}"
bgp_interface_onprem2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 2)}"
netblocks = {
dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
private = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
@ -54,9 +56,15 @@ module "vpc" {
name = "to-onprem"
subnets = [
{
ip_cidr_range = var.ip_ranges.gcp
name = "subnet"
region = var.region
ip_cidr_range = var.ip_ranges.gcp1
name = "subnet1"
region = var.region.gcp1
secondary_ip_range = {}
},
{
ip_cidr_range = var.ip_ranges.gcp2
name = "subnet2"
region = var.region.gcp2
secondary_ip_range = {}
}
]
@ -71,18 +79,18 @@ module "vpc-firewall" {
ssh_source_ranges = var.ssh_source_ranges
}
module "vpn" {
module "vpn1" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = module.vpc.subnet_regions["${var.region}/subnet"]
region = var.region.gcp1
network = module.vpc.name
name = "to-onprem"
router_asn = var.bgp_asn.gcp
name = "to-onprem1"
router_asn = var.bgp_asn.gcp1
tunnels = {
onprem = {
bgp_peer = {
address = local.bgp_interface_onprem
asn = var.bgp_asn.onprem
address = local.bgp_interface_onprem1
asn = var.bgp_asn.onprem1
}
bgp_peer_options = {
advertise_groups = ["ALL_SUBNETS"]
@ -94,7 +102,7 @@ module "vpn" {
advertise_mode = "CUSTOM"
route_priority = 1000
}
bgp_session_range = "${local.bgp_interface_gcp}/30"
bgp_session_range = "${local.bgp_interface_gcp1}/30"
ike_version = 2
peer_ip = module.vm-onprem.external_ips.0
shared_secret = ""
@ -102,13 +110,52 @@ module "vpn" {
}
}
module "nat" {
module "vpn2" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
region = var.region.gcp2
network = module.vpc.name
name = "to-onprem2"
router_asn = var.bgp_asn.gcp2
tunnels = {
onprem = {
bgp_peer = {
address = local.bgp_interface_onprem2
asn = var.bgp_asn.onprem2
}
bgp_peer_options = {
advertise_groups = ["ALL_SUBNETS"]
advertise_ip_ranges = {
(local.netblocks.dns) = "DNS resolvers"
(local.netblocks.private) = "private.gooogleapis.com"
(local.netblocks.restricted) = "restricted.gooogleapis.com"
}
advertise_mode = "CUSTOM"
route_priority = 1000
}
bgp_session_range = "${local.bgp_interface_gcp2}/30"
ike_version = 2
peer_ip = module.vm-onprem.external_ips.0
shared_secret = ""
}
}
}
module "nat1" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = var.region
region = var.region.gcp1
name = "default"
router_create = false
router_name = module.vpn.router_name
router_name = module.vpn1.router_name
}
module "nat2" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
region = var.region.gcp2
name = "default"
router_create = false
router_name = module.vpn2.router_name
}
################################################################################
@ -125,7 +172,11 @@ module "dns-gcp" {
recordsets = concat(
[{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
[
for name, ip in zipmap(module.vm-test.names, module.vm-test.internal_ips) :
for name, ip in zipmap(module.vm-test1.names, module.vm-test1.internal_ips) :
{ name = name, type = "A", ttl = 300, records = [ip] }
],
[
for name, ip in zipmap(module.vm-test2.names, module.vm-test2.internal_ips) :
{ name = name, type = "A", ttl = 300, records = [ip] }
]
)
@ -152,7 +203,7 @@ module "dns-onprem" {
name = "onprem-example"
domain = "onprem.example.org."
client_networks = [module.vpc.self_link]
forwarders = { cidrhost(var.ip_ranges.onprem, 3) = null }
forwarders = [cidrhost(var.ip_ranges.onprem, 3)]
}
resource "google_dns_policy" "inbound" {
@ -170,9 +221,9 @@ resource "google_dns_policy" "inbound" {
################################################################################
module "service-account-gce" {
source = "../../modules/iam-service-account"
source = "../../modules/iam-service-accounts"
project_id = var.project_id
name = "gce-test"
names = ["gce-test"]
iam_project_roles = {
(var.project_id) = [
"roles/logging.logWriter",
@ -181,14 +232,32 @@ module "service-account-gce" {
}
}
module "vm-test" {
module "vm-test1" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region
name = "test"
region = var.region.gcp1
name = "test-1"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
nat = false
addresses = null
alias_ips = null
}]
metadata = { startup-script = local.vm-startup-script }
service_account = module.service-account-gce.email
service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
tags = ["ssh"]
}
module "vm-test2" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region.gcp2
name = "test-2"
network_interfaces = [{
network = module.vpc.self_link
subnetwork = module.vpc.subnet_self_links["${var.region.gcp2}/subnet2"]
nat = false
addresses = null
alias_ips = null
@ -209,22 +278,28 @@ module "config-onprem" {
coredns_config = "${path.module}/assets/Corefile"
local_ip_cidr_range = var.ip_ranges.onprem
vpn_config = {
peer_ip = module.vpn.address
shared_secret = module.vpn.random_secret
type = "dynamic"
peer_ip = module.vpn1.address
peer_ip2 = module.vpn2.address
shared_secret = module.vpn1.random_secret
shared_secret2 = module.vpn2.random_secret
type = "dynamic"
}
vpn_dynamic_config = {
local_bgp_asn = var.bgp_asn.onprem
local_bgp_address = local.bgp_interface_onprem
peer_bgp_asn = var.bgp_asn.gcp
peer_bgp_address = local.bgp_interface_gcp
local_bgp_asn = var.bgp_asn.onprem1
local_bgp_address = local.bgp_interface_onprem1
peer_bgp_asn = var.bgp_asn.gcp1
peer_bgp_address = local.bgp_interface_gcp1
local_bgp_asn2 = var.bgp_asn.onprem2
local_bgp_address2 = local.bgp_interface_onprem2
peer_bgp_asn2 = var.bgp_asn.gcp2
peer_bgp_address2 = local.bgp_interface_gcp2
}
}
module "service-account-onprem" {
source = "../../modules/iam-service-account"
source = "../../modules/iam-service-accounts"
project_id = var.project_id
name = "gce-onprem"
names = ["gce-onprem"]
iam_project_roles = {
(var.project_id) = [
"roles/compute.viewer",
@ -237,7 +312,7 @@ module "service-account-onprem" {
module "vm-onprem" {
source = "../../modules/compute-vm"
project_id = var.project_id
region = var.region
region = var.region.gcp1
instance_type = "f1-micro"
name = "onprem"
boot_disk = {
@ -250,7 +325,7 @@ module "vm-onprem" {
}
network_interfaces = [{
network = module.vpc.name
subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
nat = true
addresses = null
alias_ips = null
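Review bot: Two hunks revert module interfaces unrelated to the second region: `service-account-gce` and `service-account-onprem` switch from `../../modules/iam-service-account` with `name = ...` to `../../modules/iam-service-accounts` with `names = [...]`, and `dns-onprem` changes `forwarders` from the map form `{ addr = null }` to the list form `[addr]`. If the modules in the current tree are the singular service-account module and the map-typed `forwarders`, these hunks will not plan and look like a stale-base artifact, so they should be dropped or justified on their own. In the new `module "vpn2"` the route descriptions read `private.gooogleapis.com` and `restricted.gooogleapis.com` (three o's), presumably copied from vpn1, and both should become `googleapis`. The vpn1/vpn2, nat1/nat2 and vm-test1/vm-test2 pairs differ only in the `gcp1`/`gcp2` key, so once the example can require Terraform 0.13 a module `for_each` over `var.region` would remove the duplication. The `vm-onprem` and `dns-gcp` blocks start before their hunks.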
@ -23,10 +23,17 @@ output "onprem-instance" {
}
}
output "test-instance" {
output "test-instance1" {
description = "Test instance details."
value = join(" ", [
module.vm-test.names[0],
module.vm-test.internal_ips[0]
module.vm-test1.names[0],
module.vm-test1.internal_ips[0]
])
}
output "test-instance2" {
description = "Test instance details."
value = join(" ", [
module.vm-test2.names[0],
module.vm-test2.internal_ips[0]
])
}
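Review bot: `test-instance1` and `test-instance2` carry the identical description `"Test instance details."`, so `terraform output` and the generated README table cannot tell the two apart; suggest `description = "Test instance details (region gcp1)."` and `description = "Test instance details (region gcp2)."`. Both values also read only element `[0]` of the module's `names` and `internal_ips`, which is fine for one instance per region but worth stating in the description if more are ever created.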
@ -18,8 +18,10 @@ variable "bgp_asn" {
description = "BGP ASNs."
type = map(number)
default = {
gcp = 64513
onprem = 64514
gcp1 = 64513
gcp2 = 64520
onprem1 = 64514
onprem2 = 64514
}
}
@ -27,7 +29,8 @@ variable "bgp_interface_ranges" {
description = "BGP interface IP CIDR ranges."
type = map(string)
default = {
gcp = "169.254.1.0/30"
gcp1 = "169.254.1.0/30"
gcp2 = "169.254.2.0/30"
}
}
@ -41,7 +44,8 @@ variable "ip_ranges" {
description = "IP CIDR ranges."
type = map(string)
default = {
gcp = "10.0.0.0/24"
gcp1 = "10.0.0.0/24"
gcp2 = "10.10.0.0/24"
onprem = "10.0.16.0/24"
}
}
@ -53,8 +57,11 @@ variable "project_id" {
variable "region" {
description = "VPC region."
type = string
default = "europe-west1"
type = map(string)
default = {
gcp1 = "europe-west1"
gcp2 = "europe-west2"
}
}
variable "forwarder_address" {
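Review bot: `variable "region"` changes from `string` to `map(string)` while keeping the description `"VPC region."`, and nothing enforces that the map carries the `gcp1`/`gcp2` keys that main.tf dereferences as `var.region.gcp1` and `var.region.gcp2`, so a tfvars file written for the old string form, or a map missing a key, only fails at plan time with an index error; the same applies to the new keys in `bgp_asn`, `bgp_interface_ranges` and `ip_ranges`. Suggest `type = object({ gcp1 = string, gcp2 = string })` and `description = "VPC regions keyed gcp1/gcp2; keys must match ip_ranges, bgp_asn and bgp_interface_ranges."`, which is valid at the 0.12 floor. Changing the variable's type is a breaking change for anyone with an existing tfvars and deserves a changelog note.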
@ -0,0 +1,17 @@
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
terraform {
required_version = ">= 0.12.6"
}