Allow multiple peer gateways in vpn ha module (#1184)
* allow multiple peer gateways in vpn ha module * align blueprints * fast
parent
067ca37e50
commit
6320c53baf
|
@ -32,8 +32,8 @@ module "apigee_vpn" {
|
|||
mode = "CUSTOM"
|
||||
}
|
||||
}
|
||||
peer_gateway = {
|
||||
gcp = module.onprem_vpn.self_link
|
||||
peer_gateways = {
|
||||
default = { gcp = module.onprem_vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
|
@ -82,8 +82,8 @@ module "onprem_vpn" {
|
|||
mode = "CUSTOM"
|
||||
}
|
||||
}
|
||||
peer_gateway = {
|
||||
gcp = module.apigee_vpn.self_link
|
||||
peer_gateways = {
|
||||
default = { gcp = module.apigee_vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
|
|
|
@ -27,7 +27,9 @@ module "landing-to-dev-vpn-r1" {
|
|||
name = "${var.prefix}-lnd-vpn-r1"
|
||||
asn = 64514
|
||||
}
|
||||
peer_gateway = { gcp = module.dev-to-landing-vpn-r1.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.dev-to-landing-vpn-r1.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
@ -63,7 +65,9 @@ module "dev-to-landing-vpn-r1" {
|
|||
mode = "CUSTOM"
|
||||
}
|
||||
}
|
||||
peer_gateway = { gcp = module.landing-to-dev-vpn-r1.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.landing-to-dev-vpn-r1.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
|
|
@ -28,7 +28,9 @@ module "landing-to-prod-vpn-r1" {
|
|||
ip_ranges = coalesce(var.vpn_configs.land-r1.custom_ranges, {})
|
||||
}
|
||||
}
|
||||
peer_gateway = { gcp = module.prod-to-landing-vpn-r1.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.prod-to-landing-vpn-r1.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
@ -64,7 +66,9 @@ module "prod-to-landing-vpn-r1" {
|
|||
ip_ranges = coalesce(var.vpn_configs.prod-r1.custom_ranges, {})
|
||||
}
|
||||
}
|
||||
peer_gateway = { gcp = module.landing-to-prod-vpn-r1.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.landing-to-prod-vpn-r1.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
|
|
@ -86,7 +86,9 @@ module "vpn-onprem" {
|
|||
ip_ranges = {}
|
||||
}
|
||||
}
|
||||
peer_gateway = { gcp = module.vpn-hub.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn-hub.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
tunnel-0 = {
|
||||
bgp_peer = {
|
||||
|
@ -122,7 +124,9 @@ module "vpn-hub" {
|
|||
}
|
||||
}
|
||||
}
|
||||
peer_gateway = { gcp = module.vpn-onprem.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn-onprem.self_link }
|
||||
}
|
||||
|
||||
tunnels = {
|
||||
tunnel-0 = {
|
||||
|
|
|
@ -546,7 +546,9 @@ module "vpn_main" {
|
|||
region = var.region
|
||||
network = module.vpc_main.self_link
|
||||
name = "vpn-main-to-onprem"
|
||||
peer_gateway = { gcp = module.vpn_onprem[0].self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn_onprem[0].self_link }
|
||||
}
|
||||
router_config = {
|
||||
asn = 65001
|
||||
custom_advertise = {
|
||||
|
@ -583,7 +585,9 @@ module "vpn_onprem" {
|
|||
region = var.region
|
||||
network = module.vpc_onprem[0].self_link
|
||||
name = "vpn-onprem-to-main"
|
||||
peer_gateway = { gcp = module.vpn_main[0].self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn_main[0].self_link }
|
||||
}
|
||||
router_config = { asn = 65002 }
|
||||
tunnels = {
|
||||
tunnel-0 = {
|
||||
|
|
|
@ -48,9 +48,11 @@ module "landing-to-onprem-primary-vpn" {
|
|||
name = "landing-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_onprem_configs.landing-primary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.landing-primary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.landing-primary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
|
|
@ -48,9 +48,11 @@ module "landing-to-onprem-primary-vpn" {
|
|||
name = "landing-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_onprem_configs.landing-primary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.landing-primary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.landing-primary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
|
|
@ -50,7 +50,9 @@ module "landing-to-dev-primary-vpn" {
|
|||
name = "landing-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_spoke_configs.landing-primary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.dev-to-landing-primary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.dev-to-landing-primary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
@ -95,7 +97,9 @@ module "dev-to-landing-primary-vpn" {
|
|||
name = "dev-spoke-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_spoke_configs.spoke-dev-primary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.landing-to-dev-primary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.landing-to-dev-primary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
|
|
@ -33,7 +33,9 @@ module "landing-to-prod-primary-vpn" {
|
|||
name = "landing-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_spoke_configs.landing-primary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.prod-to-landing-primary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.prod-to-landing-primary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
@ -75,7 +77,9 @@ module "prod-to-landing-primary-vpn" {
|
|||
name = "prod-spoke-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_spoke_configs.spoke-prod-primary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.landing-to-prod-primary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.landing-to-prod-primary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
|
|
@ -33,7 +33,9 @@ module "landing-to-prod-secondary-vpn" {
|
|||
name = "landing-vpn-${local.region_shortnames[var.regions.secondary]}"
|
||||
asn = var.router_spoke_configs.landing-secondary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.prod-to-landing-secondary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.prod-to-landing-secondary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
@ -75,7 +77,9 @@ module "prod-to-landing-secondary-vpn" {
|
|||
name = "prod-spoke-vpn-${local.region_shortnames[var.regions.secondary]}"
|
||||
asn = var.router_spoke_configs.spoke-prod-secondary.asn
|
||||
}
|
||||
peer_gateway = { gcp = module.landing-to-prod-secondary-vpn.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.landing-to-prod-secondary-vpn.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
0 = {
|
||||
bgp_peer = {
|
||||
|
|
|
@ -51,9 +51,11 @@ module "landing-to-onprem-primary-vpn" {
|
|||
name = "landing-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_configs.landing-trusted-primary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.landing-trusted-primary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.landing-trusted-primary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
@ -85,9 +87,11 @@ module "landing-to-onprem-secondary-vpn" {
|
|||
name = "landing-onprem-vpn-${local.region_shortnames[var.regions.secondary]}"
|
||||
asn = var.router_configs.landing-trusted-secondary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.landing-trusted-secondary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.landing-trusted-secondary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
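Review bot: Applying this stage against the updated module replaces the on-prem external gateways rather than just renaming an input: elsewhere in this commit `google_compute_external_vpn_gateway.external_gateway` moves from `count` to `for_each` and its name changes from `external-${var.name}` to `${var.name}-default`, and as far as I know the provider cannot rename that resource in place, so the tunnels in both blocks here are recreated with it. That is a planned outage of the trusted landing-to-on-prem links, and neither the commit description nor a changelog entry says so. I would at least add a `moved` block in the module (`from = google_compute_external_vpn_gateway.external_gateway[0]`, `to = google_compute_external_vpn_gateway.external_gateway["default"]`) so state addresses follow the key change, and document that the name change still forces replacement and should be applied in a maintenance window. Both `module` blocks in this section continue outside the hunks.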
|
|
@ -48,9 +48,11 @@ module "dev-to-onprem-primary-vpn" {
|
|||
name = "dev-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_onprem_configs.dev-primary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.dev-primary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.dev-primary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
|
|
@ -32,9 +32,11 @@ module "prod-to-onprem-primary-vpn" {
|
|||
name = "prod-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
|
||||
asn = var.router_onprem_configs.prod-primary.asn
|
||||
}
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = var.vpn_onprem_configs.prod-primary.peer_external_gateway
|
||||
}
|
||||
}
|
||||
tunnels = {
|
||||
for t in var.vpn_onprem_configs.prod-primary.tunnels :
|
||||
"remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
|
||||
|
|
|
@ -1,9 +1,11 @@
|
|||
# Cloud HA VPN Module
|
||||
|
||||
This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem [Cloud HA VPN](https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn).
|
||||
|
||||
## Examples
|
||||
|
||||
### GCP to GCP
|
||||
|
||||
```hcl
|
||||
module "vpn-1" {
|
||||
source = "./fabric/modules/net-vpn-ha"
|
||||
|
@ -11,7 +13,9 @@ module "vpn-1" {
|
|||
region = "europe-west4"
|
||||
network = var.vpc1.self_link
|
||||
name = "net1-to-net-2"
|
||||
peer_gateway = { gcp = module.vpn-2.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn-2.self_link }
|
||||
}
|
||||
router_config = {
|
||||
asn = 64514
|
||||
custom_advertise = {
|
||||
|
@ -48,7 +52,9 @@ module "vpn-2" {
|
|||
network = var.vpc2.self_link
|
||||
name = "net2-to-net1"
|
||||
router_config = { asn = 64513 }
|
||||
peer_gateway = { gcp = module.vpn-1.self_link }
|
||||
peer_gateways = {
|
||||
default = { gcp = module.vpn-1.self_link }
|
||||
}
|
||||
tunnels = {
|
||||
remote-0 = {
|
||||
bgp_peer = {
|
||||
|
@ -84,12 +90,14 @@ module "vpn_ha" {
|
|||
region = var.region
|
||||
network = var.vpc.self_link
|
||||
name = "mynet-to-onprem"
|
||||
peer_gateway = {
|
||||
peer_gateways = {
|
||||
default = {
|
||||
external = {
|
||||
redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
|
||||
interfaces = ["8.8.8.8"] # on-prem router ip address
|
||||
}
|
||||
}
|
||||
}
|
||||
router_config = { asn = 64514 }
|
||||
tunnels = {
|
||||
remote-0 = {
|
||||
|
@ -124,13 +132,13 @@ module "vpn_ha" {
|
|||
|---|---|:---:|:---:|:---:|
|
||||
| [name](variables.tf#L17) | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | <code>string</code> | ✓ | |
|
||||
| [network](variables.tf#L22) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [peer_gateway](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="object({ external = optional(object({ redundancy_type = string interfaces = list(string) })) gcp = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [project_id](variables.tf#L43) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L48) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L53) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [tunnels](variables.tf#L68) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L95) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L101) | Create HA VPN Gateway. | <code>bool</code> | | <code>true</code> |
|
||||
| [project_id](variables.tf#L46) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L51) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L56) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="map(object({ external = optional(object({ redundancy_type = string interfaces = list(string) })) gcp = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tunnels](variables.tf#L71) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L99) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L105) | Create HA VPN Gateway. | <code>bool</code> | | <code>true</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -16,6 +16,12 @@
|
|||
*/
|
||||
|
||||
locals {
|
||||
peer_gateways_external = {
|
||||
for k, v in var.peer_gateways : k => v.external if v.external != null
|
||||
}
|
||||
peer_gateways_gcp = {
|
||||
for k, v in var.peer_gateways : k => v.gcp if v.gcp != null
|
||||
}
|
||||
router = (
|
||||
var.router_config.create
|
||||
? try(google_compute_router.router[0].name, null)
|
||||
|
@ -38,13 +44,13 @@ resource "google_compute_ha_vpn_gateway" "ha_gateway" {
|
|||
}
|
||||
|
||||
resource "google_compute_external_vpn_gateway" "external_gateway" {
|
||||
count = var.peer_gateway.external != null ? 1 : 0
|
||||
name = "external-${var.name}"
|
||||
for_each = local.peer_gateways_external
|
||||
name = "${var.name}-${each.key}"
|
||||
project = var.project_id
|
||||
redundancy_type = var.peer_gateway.external.redundancy_type
|
||||
redundancy_type = each.value.redundancy_type
|
||||
description = "Terraform managed external VPN gateway"
|
||||
dynamic "interface" {
|
||||
for_each = var.peer_gateway.external.interfaces
|
||||
for_each = each.value.interfaces
|
||||
content {
|
||||
id = interface.key
|
||||
ip_address = interface.value
|
||||
|
@ -129,9 +135,14 @@ resource "google_compute_vpn_tunnel" "tunnels" {
|
|||
region = var.region
|
||||
name = "${var.name}-${each.key}"
|
||||
router = local.router
|
||||
peer_external_gateway = one(google_compute_external_vpn_gateway.external_gateway[*].self_link)
|
||||
peer_external_gateway = try(
|
||||
google_compute_external_vpn_gateway.external_gateway[each.value.peer_gateway],
|
||||
null
|
||||
)
|
||||
peer_external_gateway_interface = each.value.peer_external_gateway_interface
|
||||
peer_gcp_gateway = var.peer_gateway.gcp
|
||||
peer_gcp_gateway = lookup(
|
||||
local.peer_gateways_gcp, each.value.peer_gateway, null
|
||||
)
|
||||
vpn_gateway_interface = each.value.vpn_gateway_interface
|
||||
ike_version = each.value.ike_version
|
||||
shared_secret = coalesce(each.value.shared_secret, local.secret)
|
||||
|
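Review bot: In the tunnels hunk `peer_external_gateway` is assigned the external gateway resource object rather than its self link; unless the page dropped a `.self_link`, it should be `google_compute_external_vpn_gateway.external_gateway[each.value.peer_gateway].self_link`, matching the string `peer_gcp_gateway` receives from `local.peer_gateways_gcp`. A second issue is that `try(..., null)` together with `lookup(..., null)` means a tunnel whose `peer_gateway` key is misspelled, or is the default `"default"` when no such entry exists, silently gets no peer at all and only fails at apply time with a provider error instead of at plan time with the key named. I would add a lifecycle precondition on the tunnel resource that checks the key against `var.peer_gateways`; Terraform reports the failing instance address, so the offending tunnel is identified. `google_compute_vpn_tunnel.tunnels` starts above this hunk and continues below it.
```hcl
resource "google_compute_vpn_tunnel" "tunnels" {
  # … unchanged: for_each, project, region, name, router …
  peer_external_gateway = try(
    google_compute_external_vpn_gateway.external_gateway[each.value.peer_gateway].self_link,
    null
  )
  # … unchanged: peer_external_gateway_interface, peer_gcp_gateway, vpn_gateway_interface, ike_version, shared_secret …
  lifecycle {
    precondition {
      condition     = contains(keys(var.peer_gateways), each.value.peer_gateway)
      error_message = "Each tunnel's peer_gateway must match a key of var.peer_gateways."
    }
  }
  # … unchanged: rest of resource …
```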
|
|
@ -24,18 +24,21 @@ variable "network" {
|
|||
type = string
|
||||
}
|
||||
|
||||
variable "peer_gateway" {
|
||||
variable "peer_gateways" {
|
||||
description = "Configuration of the (external or GCP) peer gateway."
|
||||
type = object({
|
||||
type = map(object({
|
||||
external = optional(object({
|
||||
redundancy_type = string
|
||||
interfaces = list(string)
|
||||
}))
|
||||
gcp = optional(string)
|
||||
})
|
||||
}))
|
||||
nullable = false
|
||||
default = {}
|
||||
validation {
|
||||
condition = (var.peer_gateway.external != null) != (var.peer_gateway.gcp != null)
|
||||
condition = alltrue([
|
||||
for k, v in var.peer_gateways : (v.external != null) != (v.gcp != null)
|
||||
])
|
||||
error_message = "Peer gateway configuration must define exactly one between `external` and `gcp`."
|
||||
}
|
||||
}
|
||||
|
@ -84,6 +87,7 @@ variable "tunnels" {
|
|||
bgp_session_range = string
|
||||
ike_version = optional(number, 2)
|
||||
peer_external_gateway_interface = optional(number)
|
||||
peer_gateway = optional(string, "default")
|
||||
router = optional(string)
|
||||
shared_secret = optional(string)
|
||||
vpn_gateway_interface = number
|
||||
|
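Review bot: The description on `peer_gateways` still reads as if a single gateway is configured and says nothing about how entries are addressed, which matters now that the new `peer_gateway = optional(string, "default")` attribute on `tunnels` selects an entry by key; I would change it to `description = "Configuration of the (external or GCP) peer gateways, keyed by the name tunnels reference in their peer_gateway attribute (tunnels use the key default unless overridden)."`. There is also a secret-handling consequence of allowing several peers that the commit does not call out: `shared_secret` stays optional per tunnel, and main.tf falls back to `coalesce(each.value.shared_secret, local.secret)`, so if `local.secret` (defined outside this hunk) is a single module-level value, tunnels to different peer gateways, potentially different organisations, end up sharing one IKE pre-shared key. I would either derive the fallback per peer gateway key or document on `tunnels.shared_secret` that it should be set explicitly whenever more than one peer gateway is configured. The `tunnels` variable block starts above this hunk and continues below it.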
|