Add support for per-tunnel routers to VPN dynamic and HA (#202)
* add optional per-tunnel router to vpn dynamic module * add support for per-tunnel router to VPN HA * fix onprem tests
This commit is contained in:
parent
38f85e65ce
commit
54955b3e6d
|
@ -23,6 +23,7 @@ module "vpn-dynamic" {
|
|||
bgp_session_range = "169.254.139.133/30"
|
||||
ike_version = 2
|
||||
peer_ip = "1.1.1.1"
|
||||
router = null
|
||||
shared_secret = null
|
||||
bgp_peer_options = {
|
||||
advertise_groups = ["ALL_SUBNETS"]
|
||||
|
@ -54,7 +55,7 @@ module "vpn-dynamic" {
|
|||
| *router_asn* | Router ASN used for auto-created router. | <code title="">number</code> | | <code title="">64514</code> |
|
||||
| *router_create* | Create router. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
| *router_name* | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | <code title="">string</code> | | <code title=""></code> |
|
||||
| *tunnels* | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_ip = string shared_secret = string }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *tunnels* | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_ip = string router = string shared_secret = string }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -83,7 +83,7 @@ resource "google_compute_router" "router" {
|
|||
: var.router_advertise_config.groups
|
||||
)
|
||||
)
|
||||
dynamic advertised_ip_ranges {
|
||||
dynamic "advertised_ip_ranges" {
|
||||
for_each = (
|
||||
var.router_advertise_config == null ? {} : (
|
||||
var.router_advertise_config.mode != "CUSTOM"
|
||||
|
@ -106,7 +106,7 @@ resource "google_compute_router_peer" "bgp_peer" {
|
|||
region = var.region
|
||||
project = var.project_id
|
||||
name = "${var.name}-${each.key}"
|
||||
router = local.router
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
peer_ip_address = each.value.bgp_peer.address
|
||||
peer_asn = each.value.bgp_peer.asn
|
||||
advertised_route_priority = (
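Review bot: The selector `each.value.router == null ? local.router : each.value.router` on the new `router` line of `google_compute_router_peer` is repeated verbatim in the interface and tunnel resources further down the file, so any later change to how a per-tunnel router is resolved (a validation, normalising a self link to a name) has to be made in three places. Resolve it once next to the existing `local.router`, e.g. `tunnel_routers = { for k, v in var.tunnels : k => v.router == null ? local.router : v.router }`, and write `router = local.tunnel_routers[each.key]` in each resource. The `bgp_peer` resource body continues outside the hunk.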
|
||||
|
@ -126,7 +126,7 @@ resource "google_compute_router_peer" "bgp_peer" {
|
|||
: each.value.bgp_peer_options.advertise_groups
|
||||
)
|
||||
)
|
||||
dynamic advertised_ip_ranges {
|
||||
dynamic "advertised_ip_ranges" {
|
||||
for_each = (
|
||||
each.value.bgp_peer_options == null ? {} : (
|
||||
each.value.bgp_peer_options.advertise_mode != "CUSTOM"
|
||||
|
@ -148,7 +148,7 @@ resource "google_compute_router_interface" "router_interface" {
|
|||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = local.router
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
ip_range = each.value.bgp_session_range == "" ? null : each.value.bgp_session_range
|
||||
vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
|
||||
}
|
||||
|
@ -165,7 +165,7 @@ resource "google_compute_vpn_tunnel" "tunnels" {
|
|||
project = var.project_id
|
||||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = local.router
|
||||
router = each.value.router == null ? local.router : each.value.router
|
||||
peer_ip = each.value.peer_ip
|
||||
ike_version = each.value.ike_version
|
||||
shared_secret = (
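Review bot: When a tunnel sets `router`, the new `router` line attaches it to a router this module did not configure, so `var.router_advertise_config` (which the hunks above apply only to the module's own `google_compute_router`) no longer governs what that tunnel's BGP session advertises; the external router's configuration does, presumably unless `bgp_peer_options` overrides it for that peer. Nothing in the hunk checks that the named router is in `var.project_id`/`var.region`, so a mismatch surfaces only as an API error at apply time. A comment on the line would spare the next reader that surprise: `# per-tunnel override: advertisements on this tunnel follow the named router, not router_advertise_config`. The `tunnels` resource body continues outside the hunk.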
|
||||
|
|
|
@ -98,6 +98,7 @@ variable "tunnels" {
|
|||
bgp_session_range = string
|
||||
ike_version = number
|
||||
peer_ip = string
|
||||
router = string
|
||||
shared_secret = string
|
||||
}))
|
||||
default = {}
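Review bot: The new `router = string` attribute in the `tunnels` object carries no comment, and because the type uses no `optional()` wrapper every existing caller must now add `router = null` to each tunnel or the variable fails type-checking — every example touched by this commit does exactly that. Document both facts on the attribute: `# Optional: name of an existing Cloud Router for this tunnel; the key is required, null falls back to the module router.` The variable's `description`, which is above the hunk, is where the backward-incompatibility should also be stated.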
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# Cloud VPN HA Module
|
||||
This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem [Cloud HA VPN](https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn).
|
||||
This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem [Cloud HA VPN](https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn).
|
||||
|
||||
## Examples
|
||||
|
||||
|
@ -29,9 +29,10 @@ module "vpn_ha-1" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.1.2/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = ""
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
remote-1 = {
|
||||
bgp_peer = {
|
||||
|
@ -41,9 +42,10 @@ module "vpn_ha-1" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.2.2/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = ""
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -65,9 +67,10 @@ module "vpn_ha-2" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.1.1/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.vpn_ha-1.random_secret
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
remote-1 = {
|
||||
bgp_peer = {
|
||||
|
@ -77,14 +80,16 @@ module "vpn_ha-2" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.2.1/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
peer_external_gateway_interface = null
|
||||
router = null
|
||||
shared_secret = module.vpn_ha-1.random_secret
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
# tftest:modules=2:resources=18
|
||||
```
|
||||
|
||||
### GCP to on-prem
|
||||
|
||||
```hcl
|
||||
|
@ -111,9 +116,10 @@ module "vpn_ha" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.1.2/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 0
|
||||
peer_external_gateway_interface = 0
|
||||
router = null
|
||||
shared_secret = "mySecret"
|
||||
vpn_gateway_interface = 0
|
||||
}
|
||||
remote-1 = {
|
||||
bgp_peer = {
|
||||
|
@ -123,9 +129,10 @@ module "vpn_ha" {
|
|||
bgp_peer_options = null
|
||||
bgp_session_range = "169.254.2.2/30"
|
||||
ike_version = 2
|
||||
vpn_gateway_interface = 1
|
||||
peer_external_gateway_interface = 0
|
||||
router = null
|
||||
shared_secret = "mySecret"
|
||||
vpn_gateway_interface = 1
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -148,7 +155,7 @@ module "vpn_ha" {
|
|||
| *router_asn* | Router ASN used for auto-created router. | <code title="">number</code> | | <code title="">64514</code> |
|
||||
| *router_create* | Create router. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
| *router_name* | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router. | <code title="">string</code> | | <code title=""></code> |
|
||||
| *tunnels* | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number vpn_gateway_interface = number peer_external_gateway_interface = number shared_secret = string }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *tunnels* | VPN tunnel configurations, bgp_peer_options is usually null. | <code title="map(object({ bgp_peer = object({ address = string asn = number }) bgp_peer_options = object({ advertise_groups = list(string) advertise_ip_ranges = map(string) advertise_mode = string route_priority = number }) bgp_session_range = string ike_version = number peer_external_gateway_interface = number router = string shared_secret = string vpn_gateway_interface = number }))">map(object({...}))</code> | | <code title="">{}</code> |
|
||||
| *vpn_gateway* | HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`. | <code title="">string</code> | | <code title="">null</code> |
|
||||
| *vpn_gateway_create* | Create HA VPN Gateway. | <code title="">bool</code> | | <code title="">true</code> |
|
||||
|
||||
|
|
|
@ -115,9 +115,10 @@ variable "tunnels" {
|
|||
# from the 169.254.0.0/16 block.
|
||||
bgp_session_range = string
|
||||
ike_version = number
|
||||
vpn_gateway_interface = number
|
||||
peer_external_gateway_interface = number
|
||||
router = string
|
||||
shared_secret = string
|
||||
vpn_gateway_interface = number
|
||||
}))
|
||||
default = {}
|
||||
}
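Review bot: `router = string` is added to the HA `tunnels` object without a comment, while the hunk shows the neighbouring attributes are annotated (`# from the 169.254.0.0/16 block.`), and the README table only restates the type. Add `# Optional: existing Cloud Router (name) for this tunnel; null uses the module-level router.` above the new line, and mention that callers with existing tunnel maps must add the key, since object attributes here are not optional. The two HA tunnels normally land on different gateway interfaces, so a short note that both named routers are expected to sit in the same network and region as the gateway would be worth confirming and adding as well.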
|
||||
|
|
|
@ -79,6 +79,7 @@ module "vpn-hub-a" {
|
|||
bgp_session_range = "${cidrhost(var.bgp_interface_ranges.spoke-1, 1)}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-spoke-1.address
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
|
@ -108,6 +109,7 @@ module "vpn-hub-b" {
|
|||
bgp_session_range = "${cidrhost(var.bgp_interface_ranges.spoke-2, 1)}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-spoke-2.address
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
|
@ -162,6 +164,7 @@ module "vpn-spoke-1" {
|
|||
bgp_session_range = "${cidrhost(var.bgp_interface_ranges.spoke-1, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-hub-a.address
|
||||
router = null
|
||||
shared_secret = module.vpn-hub-a.random_secret
|
||||
}
|
||||
}
|
||||
|
@ -225,6 +228,7 @@ module "vpn-spoke-2" {
|
|||
bgp_session_range = "${cidrhost(var.bgp_interface_ranges.spoke-2, 2)}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vpn-hub-b.address
|
||||
router = null
|
||||
shared_secret = module.vpn-hub-b.random_secret
|
||||
}
|
||||
}
|
||||
|
|
|
@ -105,6 +105,7 @@ module "vpn1" {
|
|||
bgp_session_range = "${local.bgp_interface_gcp1}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vm-onprem.external_ips.0
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
|
@ -136,6 +137,7 @@ module "vpn2" {
|
|||
bgp_session_range = "${local.bgp_interface_gcp2}/30"
|
||||
ike_version = 2
|
||||
peer_ip = module.vm-onprem.external_ips.0
|
||||
router = null
|
||||
shared_secret = ""
|
||||
}
|
||||
}
|
||||
|
|