From 7916cd20817c9cd2f9de14b8781717278077e412 Mon Sep 17 00:00:00 2001 From: Luca Prete Date: Mon, 4 Dec 2023 23:38:41 +0100 Subject: [PATCH] Add IPv6 to HA VPN module + test inventories (#1901) --------- Co-authored-by: Luca Prete --- modules/net-vpn-ha/README.md | 64 +++++- modules/net-vpn-ha/main.tf | 17 +- modules/net-vpn-ha/variables.tf | 5 + tests/modules/net_vpn_ha/__init__.py | 13 ++ .../net_vpn_ha/examples/gcp-to-gcp.yaml | 216 ++++++++++++++++++ .../net_vpn_ha/examples/gcp-to-onprem.yaml | 130 +++++++++++ tests/modules/net_vpn_ha/examples/ipv6.yaml | 135 +++++++++++ 7 files changed, 569 insertions(+), 11 deletions(-) create mode 100644 tests/modules/net_vpn_ha/__init__.py create mode 100644 tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml create mode 100644 tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml create mode 100644 tests/modules/net_vpn_ha/examples/ipv6.yaml diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md index d2769cd0..46e39b3f 100644 --- a/modules/net-vpn-ha/README.md +++ b/modules/net-vpn-ha/README.md @@ -76,7 +76,7 @@ module "vpn-2" { } } } -# tftest modules=2 resources=18 +# tftest modules=2 resources=18 inventory=gcp-to-gcp.yaml ``` Note: When using the `for_each` meta-argument you might experience a Cycle Error due to the multiple `net-vpn-ha` modules referencing each other. To fix this you can create the [google_compute_ha_vpn_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ha_vpn_gateway) resources separately and reference them in the `net-vpn-ha` module via the `vpn_gateway` and `peer_gcp_gateway` variables. @@ -122,7 +122,61 @@ module "vpn_ha" { } } } -# tftest modules=1 resources=10 +# tftest modules=1 resources=10 inventory=gcp-to-onprem.yaml +``` + +### IPv6 (dual-stack) + +You can optionally set your HA VPN gateway (and BGP sessions) to carry both IPv4 and IPv6 traffic. IPv6 only is not supported. + +```hcl +module "vpn_ha" { + source = "./fabric/modules/net-vpn-ha" + project_id = var.project_id + region = var.region + name = "mynet-to-onprem" + network = var.vpc.self_link + peer_gateways = { + default = { + external = { + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + interfaces = ["8.8.8.8"] # on-prem router ip address + } + } + } + router_config = { asn = 64514 } + tunnels = { + remote-0 = { + bgp_peer = { + address = "169.254.1.1" + asn = 64513 + ipv6 = {} + } + bgp_session_range = "169.254.1.2/30" + peer_external_gateway_interface = 0 + shared_secret = "mySecret" + vpn_gateway_interface = 0 + } + remote-1 = { + bgp_peer = { + address = "169.254.2.1" + asn = 64513 + ipv6 = { + nexthop_address = "2600:2d00:0:2::1" + peer_nexthop_address = "2600:2d00:0:3::1" + } + } + bgp_session_range = "169.254.2.2/30" + peer_external_gateway_interface = 0 + shared_secret = "mySecret" + vpn_gateway_interface = 1 + } + } + vpn_gateway_create = { + stack_type = "IPV4_IPV6" + } +} +# tftest modules=1 resources=10 intentory=ipv6.yaml ``` ## Variables @@ -135,9 +189,9 @@ module "vpn_ha" { | [region](variables.tf#L52) | Region used for resources. | string | ✓ | | | [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | | | [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} | -| [tunnels](variables.tf#L72) | VPN tunnel configurations. | map(object({…})) | | {} | -| [vpn_gateway](variables.tf#L100) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null | -| [vpn_gateway_create](variables.tf#L106) | Create HA VPN Gateway. Set to null to avoid creation. | object({…}) | | {} | +| [tunnels](variables.tf#L72) | VPN tunnel configurations. | map(object({…})) | | {} | +| [vpn_gateway](variables.tf#L104) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null | +| [vpn_gateway_create](variables.tf#L110) | Create HA VPN Gateway. Set to null to avoid creation. | object({…}) | | {} | ## Outputs diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf index d1a555ec..cc7bc584 100644 --- a/modules/net-vpn-ha/main.tf +++ b/modules/net-vpn-ha/main.tf @@ -36,11 +36,13 @@ locals { } resource "google_compute_ha_vpn_gateway" "ha_gateway" { - count = var.vpn_gateway_create != null ? 1 : 0 - name = var.name - project = var.project_id - region = var.region - network = var.network + count = var.vpn_gateway_create != null ? 1 : 0 + name = var.name + description = var.vpn_gateway_create.description + project = var.project_id + region = var.region + network = var.network + stack_type = var.vpn_gateway_create.ipv6 ? "IPV4_IPV6" : "IPV4_ONLY" } resource "google_compute_external_vpn_gateway" "external_gateway" { @@ -115,7 +117,10 @@ resource "google_compute_router_peer" "bgp_peer" { description = range.value } } - interface = google_compute_router_interface.router_interface[each.key].name + enable_ipv6 = try(each.value.bgp_peer.ipv6, null) == null ? false : true + interface = google_compute_router_interface.router_interface[each.key].name + ipv6_nexthop_address = try(each.value.bgp_peer.ipv6.nexthop_address, null) + peer_ipv6_nexthop_address = try(each.value.bgp_peer.ipv6.peer_nexthop_address, null) } resource "google_compute_router_interface" "router_interface" { diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf index 50a123a7..d0f8710f 100644 --- a/modules/net-vpn-ha/variables.tf +++ b/modules/net-vpn-ha/variables.tf @@ -82,6 +82,10 @@ variable "tunnels" { all_peer_vpc_subnets = bool ip_ranges = map(string) })) + ipv6 = optional(object({ + nexthop_address = optional(string) + peer_nexthop_address = optional(string) + })) }) # each BGP session on the same Cloud Router must use a unique /30 CIDR # from the 169.254.0.0/16 block. @@ -107,6 +111,7 @@ variable "vpn_gateway_create" { description = "Create HA VPN Gateway. Set to null to avoid creation." type = object({ description = optional(string, "Terraform managed external VPN gateway") + ipv6 = optional(bool, false) }) default = {} } diff --git a/tests/modules/net_vpn_ha/__init__.py b/tests/modules/net_vpn_ha/__init__.py new file mode 100644 index 00000000..7ba50f93 --- /dev/null +++ b/tests/modules/net_vpn_ha/__init__.py @@ -0,0 +1,13 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml b/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml new file mode 100644 index 00000000..fd6b90be --- /dev/null +++ b/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml @@ -0,0 +1,216 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpn-1.google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: net1-to-net-2 + network: projects/xxx/global/networks/bbb + project: project-id + region: europe-west4 + stack_type: IPV4_ONLY + module.vpn-1.google_compute_router.router[0]: + bgp: + - advertise_mode: CUSTOM + advertised_groups: + - ALL_SUBNETS + advertised_ip_ranges: + - description: default + range: 10.0.0.0/8 + asn: 64514 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-net1-to-net-2 + network: projects/xxx/global/networks/bbb + project: project-id + region: europe-west4 + module.vpn-1.google_compute_router_interface.router_interface["remote-0"]: + interconnect_attachment: null + ip_range: 169.254.1.2/30 + name: net1-to-net-2-remote-0 + private_ip_address: null + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + subnetwork: null + vpn_tunnel: net1-to-net-2-remote-0 + module.vpn-1.google_compute_router_interface.router_interface["remote-1"]: + interconnect_attachment: null + ip_range: 169.254.2.2/30 + name: net1-to-net-2-remote-1 + private_ip_address: null + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + subnetwork: null + vpn_tunnel: net1-to-net-2-remote-1 + module.vpn-1.google_compute_router_peer.bgp_peer["remote-0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: net1-to-net-2-remote-0 + name: net1-to-net-2-remote-0 + peer_asn: 64513 + peer_ip_address: 169.254.1.1 + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + router_appliance_instance: null + module.vpn-1.google_compute_router_peer.bgp_peer["remote-1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: net1-to-net-2-remote-1 + name: net1-to-net-2-remote-1 + peer_asn: 64513 + peer_ip_address: 169.254.2.1 + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + router_appliance_instance: null + module.vpn-1.google_compute_vpn_tunnel.tunnels["remote-0"]: + description: null + ike_version: 2 + name: net1-to-net-2-remote-0 + peer_external_gateway: null + peer_external_gateway_interface: null + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + target_vpn_gateway: null + vpn_gateway_interface: 0 + module.vpn-1.google_compute_vpn_tunnel.tunnels["remote-1"]: + description: null + ike_version: 2 + name: net1-to-net-2-remote-1 + peer_external_gateway: null + peer_external_gateway_interface: null + project: project-id + region: europe-west4 + router: vpn-net1-to-net-2 + target_vpn_gateway: null + vpn_gateway_interface: 1 + module.vpn-1.random_id.secret: + byte_length: 8 + module.vpn-2.google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: net2-to-net1 + network: projects/xxx/global/networks/ccc + project: project-id + region: europe-west4 + stack_type: IPV4_ONLY + module.vpn-2.google_compute_router.router[0]: + bgp: + - advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + asn: 64513 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-net2-to-net1 + network: projects/xxx/global/networks/ccc + project: project-id + region: europe-west4 + module.vpn-2.google_compute_router_interface.router_interface["remote-0"]: + interconnect_attachment: null + ip_range: 169.254.1.1/30 + name: net2-to-net1-remote-0 + private_ip_address: null + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + subnetwork: null + vpn_tunnel: net2-to-net1-remote-0 + module.vpn-2.google_compute_router_interface.router_interface["remote-1"]: + interconnect_attachment: null + ip_range: 169.254.2.1/30 + name: net2-to-net1-remote-1 + private_ip_address: null + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + subnetwork: null + vpn_tunnel: net2-to-net1-remote-1 + module.vpn-2.google_compute_router_peer.bgp_peer["remote-0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: net2-to-net1-remote-0 + name: net2-to-net1-remote-0 + peer_asn: 64514 + peer_ip_address: 169.254.1.2 + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + router_appliance_instance: null + module.vpn-2.google_compute_router_peer.bgp_peer["remote-1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: net2-to-net1-remote-1 + name: net2-to-net1-remote-1 + peer_asn: 64514 + peer_ip_address: 169.254.2.2 + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + router_appliance_instance: null + module.vpn-2.google_compute_vpn_tunnel.tunnels["remote-0"]: + description: null + ike_version: 2 + name: net2-to-net1-remote-0 + peer_external_gateway: null + peer_external_gateway_interface: null + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + target_vpn_gateway: null + vpn_gateway_interface: 0 + module.vpn-2.google_compute_vpn_tunnel.tunnels["remote-1"]: + description: null + ike_version: 2 + name: net2-to-net1-remote-1 + peer_external_gateway: null + peer_external_gateway_interface: null + project: project-id + region: europe-west4 + router: vpn-net2-to-net1 + target_vpn_gateway: null + vpn_gateway_interface: 1 + module.vpn-2.random_id.secret: + byte_length: 8 + +counts: + google_compute_ha_vpn_gateway: 2 + google_compute_router: 2 + google_compute_router_interface: 4 + google_compute_router_peer: 4 + google_compute_vpn_tunnel: 4 + modules: 2 + random_id: 2 + resources: 18 diff --git a/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml b/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml new file mode 100644 index 00000000..5554b39a --- /dev/null +++ b/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml @@ -0,0 +1,130 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpn_ha.google_compute_external_vpn_gateway.external_gateway["default"]: + description: Terraform managed external VPN gateway + interface: + - id: 0 + ip_address: 8.8.8.8 + name: mynet-to-onprem-default + project: project-id + redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT + module.vpn_ha.google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: mynet-to-onprem + network: projects/xxx/global/networks/aaa + project: project-id + region: region + stack_type: IPV4_ONLY + module.vpn_ha.google_compute_router.router[0]: + bgp: + - advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + asn: 64514 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-mynet-to-onprem + network: projects/xxx/global/networks/aaa + project: project-id + region: region + module.vpn_ha.google_compute_router_interface.router_interface["remote-0"]: + interconnect_attachment: null + ip_range: 169.254.1.2/30 + name: mynet-to-onprem-remote-0 + private_ip_address: null + project: project-id + region: region + router: vpn-mynet-to-onprem + subnetwork: null + vpn_tunnel: mynet-to-onprem-remote-0 + module.vpn_ha.google_compute_router_interface.router_interface["remote-1"]: + interconnect_attachment: null + ip_range: 169.254.2.2/30 + name: mynet-to-onprem-remote-1 + private_ip_address: null + project: project-id + region: region + router: vpn-mynet-to-onprem + subnetwork: null + vpn_tunnel: mynet-to-onprem-remote-1 + module.vpn_ha.google_compute_router_peer.bgp_peer["remote-0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: mynet-to-onprem-remote-0 + name: mynet-to-onprem-remote-0 + peer_asn: 64513 + peer_ip_address: 169.254.1.1 + project: project-id + region: region + router: vpn-mynet-to-onprem + router_appliance_instance: null + module.vpn_ha.google_compute_router_peer.bgp_peer["remote-1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: false + interface: mynet-to-onprem-remote-1 + name: mynet-to-onprem-remote-1 + peer_asn: 64513 + peer_ip_address: 169.254.2.1 + project: project-id + region: region + router: vpn-mynet-to-onprem + router_appliance_instance: null + module.vpn_ha.google_compute_vpn_tunnel.tunnels["remote-0"]: + description: null + ike_version: 2 + name: mynet-to-onprem-remote-0 + peer_external_gateway_interface: 0 + peer_gcp_gateway: null + project: project-id + region: region + router: vpn-mynet-to-onprem + shared_secret: mySecret + target_vpn_gateway: null + vpn_gateway_interface: 0 + module.vpn_ha.google_compute_vpn_tunnel.tunnels["remote-1"]: + description: null + ike_version: 2 + name: mynet-to-onprem-remote-1 + peer_external_gateway_interface: 0 + peer_gcp_gateway: null + project: project-id + region: region + router: vpn-mynet-to-onprem + shared_secret: mySecret + target_vpn_gateway: null + vpn_gateway_interface: 1 + module.vpn_ha.random_id.secret: + byte_length: 8 + +counts: + google_compute_external_vpn_gateway: 1 + google_compute_ha_vpn_gateway: 1 + google_compute_router: 1 + google_compute_router_interface: 2 + google_compute_router_peer: 2 + google_compute_vpn_tunnel: 2 + modules: 1 + random_id: 1 + resources: 10 diff --git a/tests/modules/net_vpn_ha/examples/ipv6.yaml b/tests/modules/net_vpn_ha/examples/ipv6.yaml new file mode 100644 index 00000000..48cb3de1 --- /dev/null +++ b/tests/modules/net_vpn_ha/examples/ipv6.yaml @@ -0,0 +1,135 @@ +# Copyright 2023 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +values: + module.vpn_ha.google_compute_external_vpn_gateway.external_gateway["default"]: + description: Terraform managed external VPN gateway + interface: + - id: 0 + ip_address: 8.8.8.8 + labels: null + name: mynet-to-onprem-default + project: project-id + redundancy_type: SINGLE_IP_INTERNALLY_REDUNDANT + module.vpn_ha.google_compute_ha_vpn_gateway.ha_gateway[0]: + description: Terraform managed external VPN gateway + name: mynet-to-onprem + network: projects/xxx/global/networks/aaa + project: project-id + region: region + stack_type: IPV4_IPV6 + module.vpn_ha.google_compute_router.router[0]: + bgp: + - advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + asn: 64514 + keepalive_interval: 20 + description: null + encrypted_interconnect_router: null + name: vpn-mynet-to-onprem + network: projects/xxx/global/networks/aaa + project: project-id + region: region + module.vpn_ha.google_compute_router_interface.router_interface["remote-0"]: + interconnect_attachment: null + ip_range: 169.254.1.2/30 + name: mynet-to-onprem-remote-0 + private_ip_address: null + project: project-id + region: region + router: vpn-mynet-to-onprem + subnetwork: null + vpn_tunnel: mynet-to-onprem-remote-0 + module.vpn_ha.google_compute_router_interface.router_interface["remote-1"]: + interconnect_attachment: null + ip_range: 169.254.2.2/30 + name: mynet-to-onprem-remote-1 + private_ip_address: null + project: project-id + region: region + router: vpn-mynet-to-onprem + subnetwork: null + vpn_tunnel: mynet-to-onprem-remote-1 + module.vpn_ha.google_compute_router_peer.bgp_peer["remote-0"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: true + interface: mynet-to-onprem-remote-0 + name: mynet-to-onprem-remote-0 + peer_asn: 64513 + peer_ip_address: 169.254.1.1 + project: project-id + region: region + router: vpn-mynet-to-onprem + router_appliance_instance: null + module.vpn_ha.google_compute_router_peer.bgp_peer["remote-1"]: + advertise_mode: DEFAULT + advertised_groups: [] + advertised_ip_ranges: [] + advertised_route_priority: 1000 + enable: true + enable_ipv6: true + interface: mynet-to-onprem-remote-1 + ipv6_nexthop_address: 2600:2d00:0:2::1 + name: mynet-to-onprem-remote-1 + peer_asn: 64513 + peer_ip_address: 169.254.2.1 + peer_ipv6_nexthop_address: 2600:2d00:0:3::1 + project: project-id + region: region + router: vpn-mynet-to-onprem + router_appliance_instance: null + module.vpn_ha.google_compute_vpn_tunnel.tunnels["remote-0"]: + description: null + ike_version: 2 + name: mynet-to-onprem-remote-0 + peer_external_gateway_interface: 0 + peer_gcp_gateway: null + project: project-id + region: region + router: vpn-mynet-to-onprem + shared_secret: mySecret + target_vpn_gateway: null + vpn_gateway_interface: 0 + module.vpn_ha.google_compute_vpn_tunnel.tunnels["remote-1"]: + description: null + ike_version: 2 + name: mynet-to-onprem-remote-1 + peer_external_gateway_interface: 0 + peer_gcp_gateway: null + project: project-id + region: region + router: vpn-mynet-to-onprem + shared_secret: mySecret + target_vpn_gateway: null + vpn_gateway_interface: 1 + module.vpn_ha.random_id.secret: + byte_length: 8 + keepers: null + prefix: null + +counts: + google_compute_external_vpn_gateway: 1 + google_compute_ha_vpn_gateway: 1 + google_compute_router: 1 + google_compute_router_interface: 2 + google_compute_router_peer: 2 + google_compute_vpn_tunnel: 2 + modules: 1 + random_id: 1 + resources: 10