Merge pull request #1028 from GoogleCloudPlatform/jccb/vpn-static-and-dynamic-tf13
Align rest of vpn modules with #1027
4441fd0c63
|
@ -304,7 +304,6 @@ module "vpn-hub" {
|
|||
remote_ranges = values(var.private_service_ranges)
|
||||
tunnels = {
|
||||
spoke-2 = {
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-spoke-2.address
|
||||
shared_secret = ""
|
||||
traffic_selectors = { local = ["0.0.0.0/0"], remote = null }
|
||||
|
@ -323,7 +322,6 @@ module "vpn-spoke-2" {
|
|||
remote_ranges = ["10.0.0.0/8"]
|
||||
tunnels = {
|
||||
hub = {
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-hub.address
|
||||
shared_secret = module.vpn-hub.random_secret
|
||||
traffic_selectors = { local = ["0.0.0.0/0"], remote = null }
|
||||
|
|
|
@ -35,7 +35,6 @@ module "landing-to-dev-vpn-r1" {
|
|||
asn = var.vpn_configs.dev-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.2.1/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
|
@ -44,7 +43,6 @@ module "landing-to-dev-vpn-r1" {
|
|||
asn = var.vpn_configs.dev-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.2.5/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -73,7 +71,6 @@ module "dev-to-landing-vpn-r1" {
|
|||
asn = var.vpn_configs.land-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.2.2/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-dev-vpn-r1.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
|
@ -83,7 +80,6 @@ module "dev-to-landing-vpn-r1" {
|
|||
asn = var.vpn_configs.land-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.2.6/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-dev-vpn-r1.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
|
|
|
@ -36,7 +36,6 @@ module "landing-to-prod-vpn-r1" {
|
|||
asn = var.vpn_configs.prod-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.0.1/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
|
@ -45,7 +44,6 @@ module "landing-to-prod-vpn-r1" {
|
|||
asn = var.vpn_configs.prod-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.0.5/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -74,7 +72,6 @@ module "prod-to-landing-vpn-r1" {
|
|||
asn = var.vpn_configs.land-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.0.2/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-prod-vpn-r1.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
|
@ -84,7 +81,6 @@ module "prod-to-landing-vpn-r1" {
|
|||
asn = var.vpn_configs.land-r1.asn
|
||||
}
|
||||
bgp_session_range = "169.254.0.6/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-prod-vpn-r1.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
|
|
|
@ -79,65 +79,58 @@ module "vpc-firewall" {
|
|||
}
|
||||
|
||||
module "vpn1" {
|
||||
source = "../../../modules/net-vpn-dynamic"
|
||||
project_id = var.project_id
|
||||
region = var.region.gcp1
|
||||
network = module.vpc.name
|
||||
name = "to-onprem1"
|
||||
router_asn = var.bgp_asn.gcp1
|
||||
source = "../../../modules/net-vpn-dynamic"
|
||||
project_id = var.project_id
|
||||
region = var.region.gcp1
|
||||
network = module.vpc.name
|
||||
name = "to-onprem1"
|
||||
router_config = { asn = var.bgp_asn.gcp1 }
|
||||
tunnels = {
|
||||
onprem = {
|
||||
bgp_peer = {
|
||||
address = local.bgp_interface_onprem1
|
||||
asn = var.bgp_asn.onprem1
|
||||
}
|
||||
bgp_peer_options = {
|
||||
advertise_groups = ["ALL_SUBNETS"]
|
||||
advertise_ip_ranges = {
|
||||
(local.netblocks.dns) = "DNS resolvers"
|
||||
(local.netblocks.private) = "private.gooogleapis.com"
|
||||
(local.netblocks.restricted) = "restricted.gooogleapis.com"
|
||||
}
|
||||
advertise_mode = "CUSTOM"
|
||||
route_priority = 1000
|
||||
custom_advertise = {
|
||||
all_subnets = true
|
||||
all_vpc_subnets = false
|
||||
all_peer_vpc_subnets = false
|
||||
ip_ranges = {
|
||||
(local.netblocks.dns) = "DNS resolvers"
|
||||
(local.netblocks.private) = "private.gooogleapis.com"
|
||||
(local.netblocks.restricted) = "restricted.gooogleapis.com"
|
||||
} }
|
||||
}
|
||||
bgp_session_range = "${local.bgp_interface_gcp1}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vm-onprem.external_ip
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "vpn2" {
|
||||
source = "../../../modules/net-vpn-dynamic"
|
||||
project_id = var.project_id
|
||||
region = var.region.gcp2
|
||||
network = module.vpc.name
|
||||
name = "to-onprem2"
|
||||
router_asn = var.bgp_asn.gcp2
|
||||
source = "../../../modules/net-vpn-dynamic"
|
||||
project_id = var.project_id
|
||||
region = var.region.gcp2
|
||||
network = module.vpc.name
|
||||
name = "to-onprem2"
|
||||
router_config = { asn = var.bgp_asn.gcp2 }
|
||||
tunnels = {
|
||||
onprem = {
|
||||
bgp_peer = {
|
||||
address = local.bgp_interface_onprem2
|
||||
asn = var.bgp_asn.onprem2
|
||||
}
|
||||
bgp_peer_options = {
|
||||
advertise_groups = ["ALL_SUBNETS"]
|
||||
advertise_ip_ranges = {
|
||||
(local.netblocks.dns) = "DNS resolvers"
|
||||
(local.netblocks.private) = "private.gooogleapis.com"
|
||||
(local.netblocks.restricted) = "restricted.gooogleapis.com"
|
||||
custom_advertise = {
|
||||
all_subnets = true
|
||||
all_vpc_subnets = false
|
||||
all_peer_vpc_subnets = false
|
||||
ip_ranges = {
|
||||
(local.netblocks.dns) = "DNS resolvers"
|
||||
(local.netblocks.private) = "private.gooogleapis.com"
|
||||
(local.netblocks.restricted) = "restricted.gooogleapis.com"
|
||||
}
|
||||
}
|
||||
advertise_mode = "CUSTOM"
|
||||
route_priority = 1000
|
||||
}
|
||||
bgp_session_range = "${local.bgp_interface_gcp2}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vm-onprem.external_ip
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
}
|
||||
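Review bot: The new `custom_advertise.ip_ranges` descriptions in both `vpn1` and `vpn2` carry over the misspelling `private.gooogleapis.com` / `restricted.gooogleapis.com` (three o's) from the old `advertise_ip_ranges` maps; the net-vpn-dynamic module in this same change writes these values straight into the router peer's `advertised_ip_ranges.description`, so they should read `"private.googleapis.com"` and `"restricted.googleapis.com"`. The `} }` line that closes `ip_ranges` and `custom_advertise` in `vpn1` also differs from `vpn2`, which closes the same two blocks on separate lines; `terraform fmt` will not split it, so I'd match `vpn2` here for consistency.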
|
|
|
@ -94,7 +94,6 @@ module "vpn-onprem" {
|
|||
asn = 65002
|
||||
}
|
||||
bgp_session_range = "169.254.0.1/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
tunnel-1 = {
|
||||
|
@ -103,7 +102,6 @@ module "vpn-onprem" {
|
|||
asn = 65002
|
||||
}
|
||||
bgp_session_range = "169.254.0.5/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -132,26 +130,18 @@ module "vpn-hub" {
|
|||
address = "169.254.0.1"
|
||||
asn = 65001
|
||||
}
|
||||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.0.2/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.vpn-onprem.random_secret
|
||||
bgp_session_range = "169.254.0.2/30"
|
||||
vpn_gateway_interface = 0
|
||||
shared_secret = module.vpn-onprem.random_secret
|
||||
}
|
||||
tunnel-1 = {
|
||||
bgp_peer = {
|
||||
address = "169.254.0.5"
|
||||
asn = 65001
|
||||
}
|
||||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.0.6/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.vpn-onprem.random_secret
|
||||
bgp_session_range = "169.254.0.6/30"
|
||||
vpn_gateway_interface = 1
|
||||
shared_secret = module.vpn-onprem.random_secret
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -55,9 +55,7 @@ module "landing-to-onprem-ew1-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.landing-trusted-ew1
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
router = null
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
}
|
||||
|
@ -87,9 +85,7 @@ module "landing-to-onprem-ew4-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.landing-trusted-ew4
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
router = null
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
}
|
||||
|
|
|
@ -55,7 +55,6 @@ module "landing-to-onprem-ew1-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.landing-ew1
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
|
|
|
@ -55,7 +55,6 @@ module "dev-to-onprem-ew1-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.dev-ew1
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
|
|
|
@ -39,7 +39,6 @@ module "prod-to-onprem-ew1-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.prod-ew1
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
|
|
|
@ -55,7 +55,6 @@ module "landing-to-onprem-ew1-vpn" {
|
|||
}
|
||||
bgp_peer_options = local.bgp_peer_options_onprem.landing-ew1
|
||||
bgp_session_range = "${cidrhost(t.session_range, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = t.peer_external_gateway_interface
|
||||
shared_secret = t.secret
|
||||
vpn_gateway_interface = t.vpn_gateway_interface
|
||||
|
|
|
@ -56,7 +56,6 @@ module "landing-to-dev-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.0/27", 2)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
|
@ -68,7 +67,6 @@ module "landing-to-dev-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.0/27", 6)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -98,7 +96,6 @@ module "dev-to-landing-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.0/27", 1)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-dev-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
|
@ -111,7 +108,6 @@ module "dev-to-landing-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.0/27", 5)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-dev-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
|
|
|
@ -39,7 +39,6 @@ module "landing-to-prod-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.64/27", 2)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
|
@ -51,7 +50,6 @@ module "landing-to-prod-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.64/27", 6)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -78,11 +76,8 @@ module "prod-to-landing-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.64/27", 1)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.landing-to-prod-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
shared_secret = module.landing-to-prod-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
bgp_peer = {
|
||||
|
@ -93,11 +88,8 @@ module "prod-to-landing-ew1-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.64/27", 5)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.landing-to-prod-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
shared_secret = module.landing-to-prod-ew1-vpn.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
@ -39,7 +39,6 @@ module "landing-to-prod-ew4-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.96/27", 2)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
1 = {
|
||||
|
@ -51,7 +50,6 @@ module "landing-to-prod-ew4-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.96/27", 6)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
|
@ -78,7 +76,6 @@ module "prod-to-landing-ew4-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.96/27", 1)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-prod-ew4-vpn.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
|
@ -91,7 +88,6 @@ module "prod-to-landing-ew4-vpn" {
|
|||
bgp_session_range = "${
|
||||
cidrhost("169.254.0.96/27", 5)
|
||||
}/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.landing-to-prod-ew4-vpn.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
|
|
|
@ -24,17 +24,15 @@ The test instance is optional, as described above.
|
|||
|
||||
```hcl
|
||||
module "cloud-vpn" {
|
||||
source = "./fabric/modules/net-vpn-static"
|
||||
project_id = "my-project"
|
||||
region = "europe-west1"
|
||||
network = "my-vpc"
|
||||
name = "to-on-prem"
|
||||
source = "./fabric/modules/net-vpn-static"
|
||||
project_id = "my-project"
|
||||
region = "europe-west1"
|
||||
network = "my-vpc"
|
||||
name = "to-on-prem"
|
||||
remote_ranges = ["192.168.192.0/24"]
|
||||
tunnels = {
|
||||
remote-0 = {
|
||||
ike_version = 2
|
||||
peer_ip = module.on-prem.external_address
|
||||
shared_secret = ""
|
||||
traffic_selectors = { local = ["0.0.0.0/0"], remote = null }
|
||||
}
|
||||
}
|
||||
|
|
|
@ -8,35 +8,50 @@ This example shows how to configure a single VPN tunnel using a couple of extra
|
|||
- internally generated shared secret, which can be fetched from the module's `random_secret` output for reuse; a predefined secret can be used instead by assigning it to the `shared_secret` attribute
|
||||
|
||||
```hcl
|
||||
module "vm" {
|
||||
source = "./fabric/modules/compute-vm"
|
||||
project_id = "my-project"
|
||||
zone = "europe-west1-b"
|
||||
name = "my-vm"
|
||||
network_interfaces = [{
|
||||
nat = true
|
||||
network = var.vpc.self_link
|
||||
subnetwork = var.subnet.self_link
|
||||
}]
|
||||
service_account_create = true
|
||||
}
|
||||
|
||||
|
||||
module "vpn-dynamic" {
|
||||
source = "./fabric/modules/net-vpn-dynamic"
|
||||
project_id = "my-project"
|
||||
region = "europe-west1"
|
||||
network = "my-vpc"
|
||||
network = var.vpc.name
|
||||
name = "gateway-1"
|
||||
router_config = {
|
||||
asn = 64514
|
||||
}
|
||||
|
||||
tunnels = {
|
||||
remote-1 = {
|
||||
bgp_peer = {
|
||||
address = "169.254.139.134"
|
||||
asn = 64513
|
||||
custom_advertise = {
|
||||
all_subnets = true
|
||||
all_vpc_subnets = false
|
||||
all_peer_vpc_subnets = false
|
||||
ip_ranges = {
|
||||
"192.168.0.0/24" = "Advertised range description"
|
||||
}
|
||||
}
|
||||
}
|
||||
bgp_session_range = "169.254.139.133/30"
|
||||
ike_version = 2
|
||||
peer_ip = "1.1.1.1"
|
||||
router = null
|
||||
shared_secret = null
|
||||
bgp_peer_options = {
|
||||
advertise_groups = ["ALL_SUBNETS"]
|
||||
advertise_ip_ranges = {
|
||||
"192.168.0.0/24" = "Advertised range description"
|
||||
}
|
||||
advertise_mode = "CUSTOM"
|
||||
route_priority = 1000
|
||||
}
|
||||
peer_ip = module.vm.external_ip
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest modules=1 resources=10
|
||||
# tftest modules=2 resources=12
|
||||
```
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
|
@ -48,14 +63,10 @@ module "vpn-dynamic" {
|
|||
| [network](variables.tf#L34) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L39) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L44) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| [router_config](variables.tf#L49) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>null</code> |
|
||||
| [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| [route_priority](variables.tf#L49) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [router_advertise_config](variables.tf#L55) | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | <code title="object({ groups = list(string) ip_ranges = map(string) mode = string })">object({…})</code> | | <code>null</code> |
|
||||
| [router_asn](variables.tf#L65) | Router ASN used for auto-created router. | <code>number</code> | | <code>64514</code> |
|
||||
| [router_create](variables.tf#L71) | Create router. | <code>bool</code> | | <code>true</code> |
|
||||
| [router_name](variables.tf#L77) | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | <code>string</code> | | <code>""</code> |
|
||||
| [tunnels](variables.tf#L83) | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_ip = string router = string shared_secret = string }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tunnels](variables.tf#L64) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_ip = string router = optional(string) shared_secret = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -21,9 +21,9 @@ locals {
|
|||
: var.gateway_address
|
||||
)
|
||||
router = (
|
||||
var.router_create
|
||||
? google_compute_router.router[0].name
|
||||
: var.router_name
|
||||
var.router_config.create
|
||||
? try(google_compute_router.router[0].name, null)
|
||||
: var.router_config.name
|
||||
)
|
||||
secret = random_id.secret.b64_url
|
||||
}
|
||||
|
@ -65,75 +65,56 @@ resource "google_compute_forwarding_rule" "udp-4500" {
|
|||
}
|
||||
|
||||
resource "google_compute_router" "router" {
|
||||
count = var.router_create ? 1 : 0
|
||||
name = var.router_name == "" ? "vpn-${var.name}" : var.router_name
|
||||
count = var.router_config.create ? 1 : 0
|
||||
name = coalesce(var.router_config.name, "vpn-${var.name}")
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
network = var.network
|
||||
bgp {
|
||||
advertise_mode = (
|
||||
var.router_advertise_config == null
|
||||
? null
|
||||
: var.router_advertise_config.mode
|
||||
var.router_config.custom_advertise != null
|
||||
? "CUSTOM"
|
||||
: "DEFAULT"
|
||||
)
|
||||
advertised_groups = (
|
||||
var.router_advertise_config == null ? null : (
|
||||
var.router_advertise_config.mode != "CUSTOM"
|
||||
? null
|
||||
: var.router_advertise_config.groups
|
||||
)
|
||||
try(var.router_config.custom_advertise.all_subnets, false)
|
||||
? ["ALL_SUBNETS"]
|
||||
: []
|
||||
)
|
||||
dynamic "advertised_ip_ranges" {
|
||||
for_each = (
|
||||
var.router_advertise_config == null ? {} : (
|
||||
var.router_advertise_config.mode != "CUSTOM"
|
||||
? null
|
||||
: var.router_advertise_config.ip_ranges
|
||||
)
|
||||
)
|
||||
for_each = try(var.router_config.custom_advertise.ip_ranges, {})
|
||||
iterator = range
|
||||
content {
|
||||
range = range.key
|
||||
description = range.value
|
||||
}
|
||||
}
|
||||
asn = var.router_asn
|
||||
keepalive_interval = try(var.router_config.keepalive, null)
|
||||
asn = var.router_config.asn
|
||||
}
|
||||
}
|
||||
|
||||
resource "google_compute_router_peer" "bgp_peer" {
|
||||
for_each = var.tunnels
|
||||
region = var.region
|
||||
project = var.project_id
|
||||
name = "${var.name}-${each.key}"
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
peer_ip_address = each.value.bgp_peer.address
|
||||
peer_asn = each.value.bgp_peer.asn
|
||||
advertised_route_priority = (
|
||||
each.value.bgp_peer_options == null ? var.route_priority : (
|
||||
each.value.bgp_peer_options.route_priority == null
|
||||
? var.route_priority
|
||||
: each.value.bgp_peer_options.route_priority
|
||||
)
|
||||
)
|
||||
for_each = var.tunnels
|
||||
region = var.region
|
||||
project = var.project_id
|
||||
name = "${var.name}-${each.key}"
|
||||
router = coalesce(each.value.router, local.router)
|
||||
peer_ip_address = each.value.bgp_peer.address
|
||||
peer_asn = each.value.bgp_peer.asn
|
||||
advertised_route_priority = each.value.bgp_peer.route_priority
|
||||
advertise_mode = (
|
||||
each.value.bgp_peer_options == null ? null : each.value.bgp_peer_options.advertise_mode
|
||||
try(each.value.bgp_peer.custom_advertise, null) != null
|
||||
? "CUSTOM"
|
||||
: "DEFAULT"
|
||||
)
|
||||
advertised_groups = (
|
||||
each.value.bgp_peer_options == null ? null : (
|
||||
each.value.bgp_peer_options.advertise_mode != "CUSTOM"
|
||||
? null
|
||||
: each.value.bgp_peer_options.advertise_groups
|
||||
)
|
||||
advertised_groups = concat(
|
||||
try(each.value.bgp_peer.custom_advertise.all_subnets, false) ? ["ALL_SUBNETS"] : [],
|
||||
try(each.value.bgp_peer.custom_advertise.all_vpc_subnets, false) ? ["ALL_VPC_SUBNETS"] : [],
|
||||
try(each.value.bgp_peer.custom_advertise.all_peer_vpc_subnets, false) ? ["ALL_PEER_VPC_SUBNETS"] : []
|
||||
)
|
||||
dynamic "advertised_ip_ranges" {
|
||||
for_each = (
|
||||
each.value.bgp_peer_options == null ? {} : (
|
||||
each.value.bgp_peer_options.advertise_mode != "CUSTOM"
|
||||
? {}
|
||||
: each.value.bgp_peer_options.advertise_ip_ranges
|
||||
)
|
||||
)
|
||||
for_each = try(each.value.bgp_peer.custom_advertise.ip_ranges, {})
|
||||
iterator = range
|
||||
content {
|
||||
range = range.key
|
||||
|
@ -144,11 +125,12 @@ resource "google_compute_router_peer" "bgp_peer" {
|
|||
}
|
||||
|
||||
resource "google_compute_router_interface" "router_interface" {
|
||||
for_each = var.tunnels
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
for_each = var.tunnels
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = coalesce(each.value.router, local.router)
|
||||
# FIXME: can bgp_session_range be null?
|
||||
ip_range = each.value.bgp_session_range == "" ? null : each.value.bgp_session_range
|
||||
vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
|
||||
}
|
||||
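Review bot: The `# FIXME: can bgp_session_range be null?` comment added above `ip_range` in `google_compute_router_interface` ships an open question rather than an answer. The `tunnels` type in this change declares `bgp_session_range = string` without `optional`, so the attribute must be present but a caller can still pass `null` explicitly; since `null == ""` is false, that null flows through the conditional to `ip_range` unchanged, which is the same outcome as the guard's null branch, so the expression already covers both cases. I'd replace the FIXME with a statement of that behaviour, e.g. `# bgp_session_range is required by the tunnels type; "" is mapped to null and an explicit null passes through unchanged`, and, if an unset range should be rejected up front instead of being deferred to the provider, add a `validation` block on `var.tunnels` in variables.tf. The resource is complete within this hunk.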
|
@ -161,18 +143,14 @@ resource "google_compute_vpn_gateway" "gateway" {
|
|||
}
|
||||
|
||||
resource "google_compute_vpn_tunnel" "tunnels" {
|
||||
for_each = var.tunnels
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
peer_ip = each.value.peer_ip
|
||||
ike_version = each.value.ike_version
|
||||
shared_secret = (
|
||||
each.value.shared_secret == "" || each.value.shared_secret == null
|
||||
? local.secret
|
||||
: each.value.shared_secret
|
||||
)
|
||||
for_each = var.tunnels
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = coalesce(each.value.router, local.router)
|
||||
peer_ip = each.value.peer_ip
|
||||
ike_version = each.value.ike_version
|
||||
shared_secret = coalesce(each.value.shared_secret, local.secret)
|
||||
target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link
|
||||
depends_on = [google_compute_forwarding_rule.esp]
|
||||
}
|
||||
|
|
|
@ -37,7 +37,7 @@ output "random_secret" {
|
|||
|
||||
output "router" {
|
||||
description = "Router resource (only if auto-created)."
|
||||
value = var.router_create ? google_compute_router.router[0] : null
|
||||
value = one(google_compute_router.router[*])
|
||||
}
|
||||
|
||||
output "router_name" {
|
||||
|
@ -54,7 +54,7 @@ output "tunnel_names" {
|
|||
description = "VPN tunnel names."
|
||||
value = {
|
||||
for name in keys(var.tunnels) :
|
||||
name => google_compute_vpn_tunnel.tunnels[name].name
|
||||
name => try(google_compute_vpn_tunnel.tunnels[name].name, null)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -62,7 +62,7 @@ output "tunnel_self_links" {
|
|||
description = "VPN tunnel self links."
|
||||
value = {
|
||||
for name in keys(var.tunnels) :
|
||||
name => google_compute_vpn_tunnel.tunnels[name].self_link
|
||||
name => try(google_compute_vpn_tunnel.tunnels[name].self_link, null)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -70,6 +70,6 @@ output "tunnels" {
|
|||
description = "VPN tunnel resources."
|
||||
value = {
|
||||
for name in keys(var.tunnels) :
|
||||
name => google_compute_vpn_tunnel.tunnels[name]
|
||||
name => try(google_compute_vpn_tunnel.tunnels[name], null)
|
||||
}
|
||||
}
|
||||
|
|
|
@ -17,7 +17,7 @@
|
|||
variable "gateway_address" {
|
||||
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
|
||||
type = string
|
||||
default = ""
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "gateway_address_create" {
|
||||
|
@ -46,60 +46,43 @@ variable "region" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "route_priority" {
|
||||
description = "Route priority, defaults to 1000."
|
||||
type = number
|
||||
default = 1000
|
||||
}
|
||||
|
||||
variable "router_advertise_config" {
|
||||
description = "Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions."
|
||||
variable "router_config" {
|
||||
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
|
||||
type = object({
|
||||
groups = list(string)
|
||||
ip_ranges = map(string)
|
||||
mode = string
|
||||
create = optional(bool, true)
|
||||
asn = number
|
||||
name = optional(string)
|
||||
keepalive = optional(number)
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
})
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "router_asn" {
|
||||
description = "Router ASN used for auto-created router."
|
||||
type = number
|
||||
default = 64514
|
||||
}
|
||||
|
||||
variable "router_create" {
|
||||
description = "Create router."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "router_name" {
|
||||
description = "Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router."
|
||||
type = string
|
||||
default = ""
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "tunnels" {
|
||||
description = "VPN tunnel configurations, bgp_peer_options is usually null."
|
||||
description = "VPN tunnel configurations."
|
||||
type = map(object({
|
||||
bgp_peer = object({
|
||||
address = string
|
||||
asn = number
|
||||
})
|
||||
bgp_peer_options = object({
|
||||
advertise_groups = list(string)
|
||||
advertise_ip_ranges = map(string)
|
||||
advertise_mode = string
|
||||
route_priority = number
|
||||
address = string
|
||||
asn = number
|
||||
route_priority = optional(number, 1000)
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
all_vpc_subnets = bool
|
||||
all_peer_vpc_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
})
|
||||
# each BGP session on the same Cloud Router must use a unique /30 CIDR
|
||||
# from the 169.254.0.0/16 block.
|
||||
bgp_session_range = string
|
||||
ike_version = number
|
||||
ike_version = optional(number, 2)
|
||||
peer_ip = string
|
||||
router = string
|
||||
shared_secret = string
|
||||
router = optional(string)
|
||||
shared_secret = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
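Review bot: Inside `bgp_peer.custom_advertise` the attributes `all_subnets`, `all_vpc_subnets`, `all_peer_vpc_subnets` and `ip_ranges` are all required, so a caller who only wants to advertise one range has to spell out three boolean flags as the README example in this change does; main.tf already reads them through `try(..., false)` and `try(..., {})`, so declaring `all_vpc_subnets = optional(bool, false)`, `all_peer_vpc_subnets = optional(bool, false)` and `ip_ranges = optional(map(string), {})` would match that tolerance without changing behaviour for existing callers, and the same applies to `all_subnets`/`ip_ranges` in `router_config.custom_advertise`. The `tunnels` description was trimmed to `"VPN tunnel configurations."` but still leaves the secret handling undocumented: with `shared_secret = optional(string)`, main.tf's `coalesce(each.value.shared_secret, local.secret)` replaces a null or empty value with the module-generated secret, which callers need to know when they read it back from the `random_secret` output, e.g. `description = "VPN tunnel configurations. A null or empty shared_secret is replaced by the module-generated secret exposed in the random_secret output."`.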
|
|
|
@ -56,7 +56,6 @@ module "vpn-2" {
|
|||
asn = 64514
|
||||
}
|
||||
bgp_session_range = "169.254.1.1/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.vpn-1.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
|
@ -66,7 +65,6 @@ module "vpn-2" {
|
|||
asn = 64514
|
||||
}
|
||||
bgp_session_range = "169.254.2.1/30"
|
||||
ike_version = 2
|
||||
shared_secret = module.vpn-1.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
|
@ -130,8 +128,9 @@ module "vpn_ha" {
|
|||
| [project_id](variables.tf#L43) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L48) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L53) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [tunnels](variables.tf#L68) | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L95) | Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway. | <code>string</code> | | <code>null</code> |
|
||||
| [tunnels](variables.tf#L68) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L95) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L101) | Create HA VPN Gateway. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@ locals {
|
|||
: var.router_config.name
|
||||
)
|
||||
vpn_gateway = (
|
||||
var.vpn_gateway == null
|
||||
var.vpn_gateway_create
|
||||
? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null)
|
||||
: var.vpn_gateway
|
||||
)
|
||||
|
@ -30,7 +30,7 @@ locals {
|
|||
}
|
||||
|
||||
resource "google_compute_ha_vpn_gateway" "ha_gateway" {
|
||||
count = var.vpn_gateway == null ? 1 : 0
|
||||
count = var.vpn_gateway_create ? 1 : 0
|
||||
name = var.name
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
|
@ -54,7 +54,7 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
|
|||
|
||||
resource "google_compute_router" "router" {
|
||||
count = var.router_config.create ? 1 : 0
|
||||
name = var.router_config.name == null ? "vpn-${var.name}" : var.router_config.name
|
||||
name = coalesce(var.router_config.name, "vpn-${var.name}")
|
||||
project = var.project_id
|
||||
region = var.region
|
||||
network = var.network
|
||||
|
@ -87,7 +87,7 @@ resource "google_compute_router_peer" "bgp_peer" {
|
|||
region = var.region
|
||||
project = var.project_id
|
||||
name = "${var.name}-${each.key}"
|
||||
router = local.router
|
||||
router = coalesce(each.value.router, local.router)
|
||||
peer_ip_address = each.value.bgp_peer.address
|
||||
peer_asn = each.value.bgp_peer.asn
|
||||
advertised_route_priority = each.value.bgp_peer.route_priority
|
||||
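Review bot: `local.vpn_gateway` silently resolves to null when `vpn_gateway_create = false` and `vpn_gateway` is left at its null default, so the failure only surfaces later wherever the gateway self link is consumed, with no hint that the variable was missing. Nothing in the hunk ties the two inputs together; a comment on the local such as `# vpn_gateway must be set by the caller when vpn_gateway_create is false` plus the same sentence in the `vpn_gateway` description (the variables.tf hunk at `@ -93,7 +93,13`) would make the contract visible. The `router = coalesce(each.value.router, local.router)` change in the bgp_peer hunk has the same shape: if `router_config.create` is false and neither `router_config.name` nor the per-tunnel `router` is set, `coalesce` has no non-null argument and errors at plan with a generic message, which is presumably not the intended diagnostic. The enclosing `locals` and resource blocks start and end outside these hunks.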
|
|
|
@ -66,7 +66,7 @@ variable "router_config" {
|
|||
}
|
||||
|
||||
variable "tunnels" {
|
||||
description = "VPN tunnel configurations, bgp_peer_options is usually null."
|
||||
description = "VPN tunnel configurations."
|
||||
type = map(object({
|
||||
bgp_peer = object({
|
||||
address = string
|
||||
|
@ -93,7 +93,13 @@ variable "tunnels" {
|
|||
}
|
||||
|
||||
variable "vpn_gateway" {
|
||||
description = "Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway."
|
||||
description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`."
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "vpn_gateway_create" {
|
||||
description = "Create HA VPN Gateway."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
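Review bot: The new `vpn_gateway_create` variable can still be passed `null`, and `null` used as the condition of `var.vpn_gateway_create ? … : …` in main.tf is an error, not a false. The net-vpn-static variables.tf in this same commit adds `nullable = false` to `remote_ranges` and `tunnels`; for consistency add `nullable = false` under `default = true` here as well. The description `"Create HA VPN Gateway."` could also state that `vpn_gateway` becomes required when this is set to false.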
|
|
|
@ -12,17 +12,16 @@ module "addresses" {
|
|||
}
|
||||
|
||||
module "vpn" {
|
||||
source = "./fabric/modules/net-vpn-static"
|
||||
project_id = var.project_id
|
||||
region = var.region
|
||||
network = var.vpc.self_link
|
||||
name = "remote"
|
||||
source = "./fabric/modules/net-vpn-static"
|
||||
project_id = var.project_id
|
||||
region = var.region
|
||||
network = var.vpc.self_link
|
||||
name = "remote"
|
||||
gateway_address_create = false
|
||||
gateway_address = module.addresses.external_addresses["vpn"].address
|
||||
remote_ranges = ["10.10.0.0/24"]
|
||||
remote_ranges = ["10.10.0.0/24"]
|
||||
tunnels = {
|
||||
remote-0 = {
|
||||
ike_version = 2
|
||||
peer_ip = "1.1.1.1"
|
||||
shared_secret = "mysecret"
|
||||
traffic_selectors = { local = ["0.0.0.0/0"], remote = ["0.0.0.0/0"] }
|
||||
|
@ -41,11 +40,11 @@ module "vpn" {
|
|||
| [network](variables.tf#L34) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L39) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L44) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>""</code> |
|
||||
| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | <code>string</code> | | <code>null</code> |
|
||||
| [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | <code>bool</code> | | <code>true</code> |
|
||||
| [remote_ranges](variables.tf#L49) | Remote IP CIDR ranges. | <code>list(string)</code> | | <code>[]</code> |
|
||||
| [route_priority](variables.tf#L55) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [tunnels](variables.tf#L61) | VPN tunnel configurations. | <code title="map(object({ ike_version = number peer_ip = string shared_secret = string traffic_selectors = object({ local = list(string) remote = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [route_priority](variables.tf#L56) | Route priority, defaults to 1000. | <code>number</code> | | <code>1000</code> |
|
||||
| [tunnels](variables.tf#L62) | VPN tunnel configurations. | <code title="map(object({ ike_version = optional(number, 2) peer_ip = string shared_secret = optional(string) traffic_selectors = object({ local = list(string) remote = list(string) }) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -91,7 +91,7 @@ resource "google_compute_vpn_tunnel" "tunnels" {
|
|||
local_traffic_selector = each.value.traffic_selectors.local
|
||||
remote_traffic_selector = each.value.traffic_selectors.remote
|
||||
ike_version = each.value.ike_version
|
||||
shared_secret = each.value.shared_secret == "" ? local.secret : each.value.shared_secret
|
||||
shared_secret = coalesce(each.value.shared_secret, local.secret)
|
||||
target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link
|
||||
depends_on = [google_compute_forwarding_rule.esp]
|
||||
}
|
||||
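Review bot: The fallback `coalesce(each.value.shared_secret, local.secret)` means every tunnel whose `shared_secret` is omitted (or, since `coalesce` also skips empty strings, set to `""`) ends up using the same gateway-level `local.secret`, so one pre-shared key is reused across all such tunnels and a peer that knows it knows the key for the others. That was already the case before this change, but the new `optional(string)` type makes omission the natural default, so it deserves a comment on the line: `# null/"" falls back to the single gateway-level secret shared by all tunnels that omit one; set distinct secrets for unrelated peers`. The enclosing `google_compute_vpn_tunnel.tunnels` resource starts outside the hunk.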
|
|
|
@ -17,7 +17,7 @@
|
|||
variable "gateway_address" {
|
||||
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
|
||||
type = string
|
||||
default = ""
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "gateway_address_create" {
|
||||
|
@ -50,6 +50,7 @@ variable "remote_ranges" {
|
|||
description = "Remote IP CIDR ranges."
|
||||
type = list(string)
|
||||
default = []
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "route_priority" {
|
||||
|
@ -61,13 +62,14 @@ variable "route_priority" {
|
|||
variable "tunnels" {
|
||||
description = "VPN tunnel configurations."
|
||||
type = map(object({
|
||||
ike_version = number
|
||||
ike_version = optional(number, 2)
|
||||
peer_ip = string
|
||||
shared_secret = string
|
||||
shared_secret = optional(string)
|
||||
traffic_selectors = object({
|
||||
local = list(string)
|
||||
remote = list(string)
|
||||
})
|
||||
}))
|
||||
default = {}
|
||||
default = {}
|
||||
nullable = false
|
||||
}
|
||||
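Review bot: `gateway_address` now defaults to `null`, but its description still only says it is ignored unless `gateway_address_create` is false; it does not say the address is required in that case, and a null value will presumably fail wherever the gateway resource consumes it rather than at variable validation. Extend the description to `"Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false, in which case it must be set."`. The `tunnels` description could likewise mention that an omitted `shared_secret` falls back to the module-generated secret shared by all such tunnels, which is the behavior main.tf implements with `coalesce`.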
|
|