diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf
index 02b58e67..96190b7f 100644
--- a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf
+++ b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf
@@ -15,93 +15,77 @@ # tfdoc:file:description Landing to Development VPN for region 1. module "landing-to-dev-vpn-r1" { - source = "../../../modules/net-vpn-ha" - project_id = var.project_id - network = module.landing-vpc.self_link - region = var.regions.r1 - name = "${var.prefix}-lnd-to-dev-r1" - router_create = false - router_name = "${var.prefix}-lnd-vpn-r1" + source = "../../../modules/net-vpn-ha" + project_id = var.project_id + network = module.landing-vpc.self_link + region = var.regions.r1 + name = "${var.prefix}-lnd-to-dev-r1" # router is created and managed by the production VPN module # so we don't configure advertisements here - peer_gcp_gateway = module.dev-to-landing-vpn-r1.self_link + router_config = { + create = false + name = "${var.prefix}-lnd-vpn-r1" + asn = 64514 + } + peer_gateway = { gcp = module.dev-to-landing-vpn-r1.self_link } tunnels = { 0 = { bgp_peer = { address = "169.254.2.2" asn = var.vpn_configs.dev-r1.asn } - # use this attribute to configure different advertisements for dev - bgp_peer_options = null - bgp_session_range = "169.254.2.1/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 0 + bgp_session_range = "169.254.2.1/30" + ike_version = 2 + vpn_gateway_interface = 0 } 1 = { bgp_peer = { address = "169.254.2.6" asn = var.vpn_configs.dev-r1.asn } - # use this attribute to configure different advertisements for dev - bgp_peer_options = null - bgp_session_range = "169.254.2.5/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 1 + bgp_session_range = "169.254.2.5/30" + ike_version = 2 + vpn_gateway_interface = 1 } } } module "dev-to-landing-vpn-r1" { - source = "../../../modules/net-vpn-ha" - project_id = var.project_id - network = module.dev-vpc.self_link - region = var.regions.r1 - name = "${var.prefix}-dev-to-lnd-r1" - router_create = true - router_name = "${var.prefix}-dev-vpn-r1" 
- router_asn = var.vpn_configs.dev-r1.asn - router_advertise_config = ( - var.vpn_configs.dev-r1.custom_ranges == null - ? null - : { - groups = null - ip_ranges = coalesce(var.vpn_configs.dev-r1.custom_ranges, {}) - mode = "CUSTOM" + source = "../../../modules/net-vpn-ha" + project_id = var.project_id + network = module.dev-vpc.self_link + region = var.regions.r1 + name = "${var.prefix}-dev-to-lnd-r1" + router_config = { + name = "${var.prefix}-dev-vpn-r1" + asn = var.vpn_configs.dev-r1.asn + router_advertise_config = { + all_subnets = false + ip_ranges = coalesce(var.vpn_configs.dev-r1.custom_ranges, {}) + mode = "CUSTOM" } - ) - peer_gcp_gateway = module.landing-to-dev-vpn-r1.self_link + } + peer_gateway = { gcp = module.landing-to-dev-vpn-r1.self_link } tunnels = { 0 = { bgp_peer = { address = "169.254.2.1" asn = var.vpn_configs.land-r1.asn } - bgp_peer_options = null - bgp_session_range = "169.254.2.2/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-dev-vpn-r1.random_secret - vpn_gateway_interface = 0 + bgp_session_range = "169.254.2.2/30" + ike_version = 2 + shared_secret = module.landing-to-dev-vpn-r1.random_secret + vpn_gateway_interface = 0 } 1 = { bgp_peer = { address = "169.254.2.5" asn = var.vpn_configs.land-r1.asn } - bgp_peer_options = null - bgp_session_range = "169.254.2.6/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-dev-vpn-r1.random_secret - vpn_gateway_interface = 1 + bgp_session_range = "169.254.2.6/30" + ike_version = 2 + shared_secret = module.landing-to-dev-vpn-r1.random_secret + vpn_gateway_interface = 1 } } } diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf index dc964850..f76c2234 100644 --- a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf +++ b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf 
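Review bot: `dev-to-landing-vpn-r1` nests the old `router_advertise_config = { … mode = "CUSTOM" }` shape inside the new `router_config`, whereas `vpn-prod-r1.tf`, the on-prem blueprint and the README hunk in this same commit all use `custom_advertise = { all_subnets = … ip_ranges = … }`; unless the module's `router_config` type still accepts that attribute, the dev custom ranges will either be rejected at plan time or silently never advertised, so it should read `custom_advertise = { all_subnets = false ip_ranges = coalesce(var.vpn_configs.dev-r1.custom_ranges, {}) }`. Separately, `landing-to-dev-vpn-r1` hard-codes `asn = 64514` for the shared `${var.prefix}-lnd-vpn-r1` router that `landing-to-prod-vpn-r1` creates with `var.vpn_configs.land-r1.asn`; the value is presumably ignored with `create = false`, but `asn = var.vpn_configs.land-r1.asn` keeps the two files from disagreeing. Note also that the removed `custom_ranges == null ? null : …` guard let a null `custom_ranges` fall back to the module's default advertisement, while the new unconditional block with `all_subnets = false` and an empty map advertises nothing when the variable is null; the same applies to both modules in the `vpn-prod-r1.tf` hunk.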
@@ -15,102 +15,78 @@ # tfdoc:file:description Landing to Production VPN for region 1. module "landing-to-prod-vpn-r1" { - source = "../../../modules/net-vpn-ha" - project_id = var.project_id - network = module.landing-vpc.self_link - region = var.regions.r1 - name = "${var.prefix}-lnd-to-prd-r1" - router_create = true - router_name = "${var.prefix}-lnd-vpn-r1" - router_asn = var.vpn_configs.land-r1.asn - router_advertise_config = ( - var.vpn_configs.land-r1.custom_ranges == null - ? null - : { - groups = null - ip_ranges = coalesce(var.vpn_configs.land-r1.custom_ranges, {}) - mode = "CUSTOM" + source = "../../../modules/net-vpn-ha" + project_id = var.project_id + network = module.landing-vpc.self_link + region = var.regions.r1 + name = "${var.prefix}-lnd-to-prd-r1" + router_config = { + name = "${var.prefix}-lnd-vpn-r1" + asn = var.vpn_configs.land-r1.asn + custom_advertise = { + all_subnets = false + ip_ranges = coalesce(var.vpn_configs.land-r1.custom_ranges, {}) } - ) - peer_gcp_gateway = module.prod-to-landing-vpn-r1.self_link + } + peer_gateway = { gcp = module.prod-to-landing-vpn-r1.self_link } tunnels = { 0 = { bgp_peer = { address = "169.254.0.2" asn = var.vpn_configs.prod-r1.asn } - bgp_peer_options = null - bgp_session_range = "169.254.0.1/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 0 + bgp_session_range = "169.254.0.1/30" + ike_version = 2 + vpn_gateway_interface = 0 } 1 = { bgp_peer = { address = "169.254.0.6" asn = var.vpn_configs.prod-r1.asn } - bgp_peer_options = null - bgp_session_range = "169.254.0.5/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 1 + bgp_session_range = "169.254.0.5/30" + ike_version = 2 + vpn_gateway_interface = 1 } } } module "prod-to-landing-vpn-r1" { - source = "../../../modules/net-vpn-ha" - project_id = var.project_id - network = module.prod-vpc.self_link - region 
= var.regions.r1 - name = "${var.prefix}-prd-to-lnd-r1" - router_create = true - router_name = "${var.prefix}-prd-vpn-r1" - router_asn = var.vpn_configs.prod-r1.asn - # the router is managed here but shared with the dev VPN - router_advertise_config = ( - var.vpn_configs.prod-r1.custom_ranges == null - ? null - : { - groups = null - ip_ranges = coalesce(var.vpn_configs.prod-r1.custom_ranges, {}) - mode = "CUSTOM" + source = "../../../modules/net-vpn-ha" + project_id = var.project_id + network = module.prod-vpc.self_link + region = var.regions.r1 + name = "${var.prefix}-prd-to-lnd-r1" + router_config = { + name = "${var.prefix}-prd-vpn-r1" + asn = var.vpn_configs.prod-r1.asn + # the router is managed here but shared with the dev VPN + custom_advertise = { + all_subnets = false + ip_ranges = coalesce(var.vpn_configs.prod-r1.custom_ranges, {}) } - ) - peer_gcp_gateway = module.landing-to-prod-vpn-r1.self_link + } + peer_gateway = { gcp = module.landing-to-prod-vpn-r1.self_link } tunnels = { 0 = { bgp_peer = { address = "169.254.0.1" asn = var.vpn_configs.land-r1.asn } - # use this attribute to configure different advertisements for prod - bgp_peer_options = null - bgp_session_range = "169.254.0.2/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-vpn-r1.random_secret - vpn_gateway_interface = 0 + bgp_session_range = "169.254.0.2/30" + ike_version = 2 + shared_secret = module.landing-to-prod-vpn-r1.random_secret + vpn_gateway_interface = 0 } 1 = { bgp_peer = { address = "169.254.0.5" asn = var.vpn_configs.land-r1.asn } - # use this attribute to configure different advertisements for prod - bgp_peer_options = null - bgp_session_range = "169.254.0.6/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-vpn-r1.random_secret - vpn_gateway_interface = 1 + bgp_session_range = "169.254.0.6/30" + ike_version = 2 + shared_secret = 
module.landing-to-prod-vpn-r1.random_secret + vpn_gateway_interface = 1 } } } diff --git a/blueprints/networking/private-cloud-function-from-onprem/main.tf b/blueprints/networking/private-cloud-function-from-onprem/main.tf index 5824c319..5775c66f 100644 --- a/blueprints/networking/private-cloud-function-from-onprem/main.tf +++ b/blueprints/networking/private-cloud-function-from-onprem/main.tf 
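Review bot: The comment `# the router is managed here but shared with the dev VPN` now sits in `prod-to-landing-vpn-r1`'s `router_config`, which names the `${var.prefix}-prd-vpn-r1` router, but the router the dev file reuses with `create = false` is `${var.prefix}-lnd-vpn-r1`, created a few lines up in `landing-to-prod-vpn-r1`. It looks misplaced; moving it into `landing-to-prod-vpn-r1`'s `router_config` next to `name = "${var.prefix}-lnd-vpn-r1"` would point readers at the router that is actually shared. The dev-side counterpart comment in `vpn-dev-r1.tf` already says the router comes from the production module, so the two would then agree.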
@@ -79,59 +79,53 @@ module "vpn-onprem" { region = var.region network = module.vpc-onprem.self_link name = "${var.name}-onprem-to-hub" - router_asn = 65001 - router_advertise_config = { - groups = ["ALL_SUBNETS"] - ip_ranges = { + router_config = { + asn = 65001 + custom_advertise = { + all_subnets = true + ip_ranges = {} } - mode = "CUSTOM" } - peer_gcp_gateway = module.vpn-hub.self_link + peer_gateway = { gcp = module.vpn-hub.self_link } tunnels = { tunnel-0 = { bgp_peer = { address = "169.254.0.2" asn = 65002 } - bgp_peer_options = null - bgp_session_range = "169.254.0.1/30" - ike_version = 2 - vpn_gateway_interface = 0 - peer_external_gateway_interface = null - router = null - shared_secret = "" + bgp_session_range = "169.254.0.1/30" + ike_version = 2 + vpn_gateway_interface = 0 } tunnel-1 = { bgp_peer = { address = "169.254.0.6" asn = 65002 } - bgp_peer_options = null - bgp_session_range = "169.254.0.5/30" - ike_version = 2 - vpn_gateway_interface = 1 - peer_external_gateway_interface = null - router = null - shared_secret = "" + bgp_session_range = "169.254.0.5/30" + ike_version = 2 + vpn_gateway_interface = 1 } } } module "vpn-hub" { - source = "../../../modules/net-vpn-ha" - project_id = module.project.project_id - region = var.region - network = module.vpc-hub.name - name = "${var.name}-hub-to-onprem" - router_asn = 65002 - peer_gcp_gateway = module.vpn-onprem.self_link - router_advertise_config = { - groups = ["ALL_SUBNETS"] - ip_ranges = { - (var.psc_endpoint) = "to-psc-endpoint" + source = "../../../modules/net-vpn-ha" + project_id = module.project.project_id + region = var.region + network = module.vpc-hub.name + name = "${var.name}-hub-to-onprem" + router_config = { + asn = 65002 + custom_advertise = { + all_subnets = true + ip_ranges = { + (var.psc_endpoint) = "to-psc-endpoint" + } } - mode = "CUSTOM" } + peer_gateway = { gcp = module.vpn-onprem.self_link } + tunnels = { tunnel-0 = { bgp_peer = { 
diff --git a/fast/stages/02-networking-nva/variables.tf b/fast/stages/02-networking-nva/variables.tf
index 90f76676..f488a28e 100644
--- a/fast/stages/02-networking-nva/variables.tf
+++ b/fast/stages/02-networking-nva/variables.tf
@@ -235,10 +235,7 @@ variable "vpn_onprem_configs" {
 })
 peer_external_gateway = object({
 redundancy_type = string
- interfaces = list(object({
- id = number
- ip_address = string
- }))
+ interfaces = list(string)
 })
 tunnels = list(object({
 peer_asn = number
@@ -258,9 +255,7 @@ variable "vpn_onprem_configs" {
 }
 peer_external_gateway = {
 redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
- interfaces = [
- { id = 0, ip_address = "8.8.8.8" },
- ]
+ interfaces = ["8.8.8.8"]
 }
 tunnels = [
 {
@@ -288,9 +283,7 @@ variable "vpn_onprem_configs" {
 }
 peer_external_gateway = {
 redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
- interfaces = [
- { id = 0, ip_address = "8.8.8.8" },
- ]
+ interfaces = ["8.8.8.8"]
 }
 tunnels = [
 {
diff --git a/fast/stages/02-networking-nva/vpn-onprem.tf b/fast/stages/02-networking-nva/vpn-onprem.tf
index c860c099..4c51a04d 100644
--- a/fast/stages/02-networking-nva/vpn-onprem.tf
+++ b/fast/stages/02-networking-nva/vpn-onprem.tf
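Review bot: Changing `interfaces` from `list(object({ id, ip_address }))` to `list(string)` drops the explicit `id`, so the interface id presumably becomes the list position, yet the `tunnels` entries of the same variable still carry a `peer_external_gateway_interface` number that the `vpn-onprem.tf` modules pass through as `t.peer_external_gateway_interface`; nothing in the type or the defaults says the two must line up. A short comment on the new attribute, e.g. `# interface id = position in this list, referenced by tunnels[*].peer_external_gateway_interface`, or a sentence in the variable's description would prevent silent mismatches. The same type change is made in the `02-networking-peering`, `02-networking-separate-envs` and `02-networking-vpn` `variables.tf` hunks and would benefit from the same note.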
@@ -33,16 +33,19 @@ locals { } module "landing-to-onprem-ew1-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-trusted-vpc.self_link - region = "europe-west1" - name = "vpn-to-onprem-ew1" - router_create = true - router_name = "landing-onprem-vpn-ew1" - router_asn = var.router_configs.landing-trusted-ew1.asn - peer_external_gateway = var.vpn_onprem_configs.landing-trusted-ew1.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-trusted-vpc.self_link + region = "europe-west1" + name = "vpn-to-onprem-ew1" + router_config = { + name = "landing-onprem-vpn-ew1" + asn = var.router_configs.landing-trusted-ew1.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.landing-trusted-ew1.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.landing-trusted-ew1.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { 
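Review bot: The `02-networking-nva` `vpn-onprem.tf` diff only restructures the module headers of `landing-to-onprem-ew1-vpn` and `landing-to-onprem-ew4-vpn`; unlike the `02-networking-peering`, `02-networking-separate-envs` and `02-networking-vpn` counterparts in this commit, it has no hunk dropping `router = null` from the tunnel map. If the module's `tunnels` object type no longer has a `router` attribute (which the other stages' removals suggest), the nva stage's tunnel blocks, which continue past these hunks, would be the only ones still setting it; confirm the attribute is already absent there or remove it in the same way. Both modules' bodies continue outside the hunks.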
@@ -62,16 +65,19 @@ module "landing-to-onprem-ew1-vpn" { } module "landing-to-onprem-ew4-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-trusted-vpc.self_link - region = "europe-west4" - name = "vpn-to-onprem-ew4" - router_create = true - router_name = "landing-onprem-vpn-ew4" - router_asn = var.router_configs.landing-trusted-ew4.asn - peer_external_gateway = var.vpn_onprem_configs.landing-trusted-ew4.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-trusted-vpc.self_link + region = "europe-west4" + name = "vpn-to-onprem-ew4" + router_config = { + name = "landing-onprem-vpn-ew4" + asn = var.router_configs.landing-trusted-ew4.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.landing-trusted-ew4.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.landing-trusted-ew4.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { diff --git a/fast/stages/02-networking-peering/variables.tf b/fast/stages/02-networking-peering/variables.tf index 111633e6..faa91698 100644 --- a/fast/stages/02-networking-peering/variables.tf +++ b/fast/stages/02-networking-peering/variables.tf @@ -213,10 +213,7 @@ variable "vpn_onprem_configs" { }) peer_external_gateway = object({ redundancy_type = string - interfaces = list(object({ - id = number - ip_address = string - })) + interfaces = list(string) }) tunnels = list(object({ peer_asn = number @@ -236,9 +233,7 @@ variable "vpn_onprem_configs" { } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = [ - { id = 0, ip_address = "8.8.8.8" }, - ] + interfaces = ["8.8.8.8"] } tunnels = [ { 
diff --git a/fast/stages/02-networking-peering/vpn-onprem.tf b/fast/stages/02-networking-peering/vpn-onprem.tf index 48cad54b..911cbd83 100644 --- a/fast/stages/02-networking-peering/vpn-onprem.tf +++ b/fast/stages/02-networking-peering/vpn-onprem.tf @@ -33,16 +33,19 @@ locals { } module "landing-to-onprem-ew1-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-vpc.self_link - region = "europe-west1" - name = "vpn-to-onprem-ew1" - router_create = true - router_name = "landing-onprem-vpn-ew1" - router_asn = var.router_onprem_configs.landing-ew1.asn - peer_external_gateway = var.vpn_onprem_configs.landing-ew1.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-vpc.self_link + region = "europe-west1" + name = "vpn-to-onprem-ew1" + router_config = { + name = "landing-onprem-vpn-ew1" + asn = var.router_onprem_configs.landing-ew1.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.landing-ew1.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.landing-ew1.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { @@ -54,7 +57,6 @@ module "landing-to-onprem-ew1-vpn" { bgp_session_range = "${cidrhost(t.session_range, 2)}/30" ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } diff --git a/fast/stages/02-networking-separate-envs/variables.tf b/fast/stages/02-networking-separate-envs/variables.tf index d71534db..019d0b2e 100644 --- a/fast/stages/02-networking-separate-envs/variables.tf +++ b/fast/stages/02-networking-separate-envs/variables.tf 
@@ -207,10 +207,7 @@ variable "vpn_onprem_configs" { }) peer_external_gateway = object({ redundancy_type = string - interfaces = list(object({ - id = number - ip_address = string - })) + interfaces = list(string) }) tunnels = list(object({ peer_asn = number @@ -230,9 +227,8 @@ variable "vpn_onprem_configs" { } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = [ - { id = 0, ip_address = "8.8.8.8" }, - ] + interfaces = ["8.8.8.8"] + } tunnels = [ { @@ -260,9 +256,7 @@ variable "vpn_onprem_configs" { } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = [ - { id = 0, ip_address = "8.8.8.8" }, - ] + interfaces = ["8.8.8.8"] } tunnels = [ { diff --git a/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf b/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf index 313a073d..f9253bcc 100644 --- a/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf +++ b/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf 
@@ -33,16 +33,19 @@ locals { } module "dev-to-onprem-ew1-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.dev-spoke-project.project_id - network = module.dev-spoke-vpc.self_link - region = "europe-west1" - name = "vpn-to-onprem-ew1" - router_create = true - router_name = "dev-onprem-vpn-ew1" - router_asn = var.router_onprem_configs.dev-ew1.asn - peer_external_gateway = var.vpn_onprem_configs.dev-ew1.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.dev-spoke-project.project_id + network = module.dev-spoke-vpc.self_link + region = "europe-west1" + name = "vpn-to-onprem-ew1" + router_config = { + name = "dev-onprem-vpn-ew1" + asn = var.router_onprem_configs.dev-ew1.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.dev-ew1.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.dev-ew1.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { @@ -54,7 +57,6 @@ module "dev-to-onprem-ew1-vpn" { bgp_session_range = "${cidrhost(t.session_range, 2)}/30" ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } diff --git a/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf b/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf index 0a8e9655..99a31f64 100644 --- a/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf +++ b/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf 
@@ -17,16 +17,19 @@ # tfdoc:file:description VPN between prod and onprem. module "prod-to-onprem-ew1-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.prod-spoke-project.project_id - network = module.prod-spoke-vpc.self_link - region = "europe-west1" - name = "vpn-to-onprem-ew1" - router_create = true - router_name = "prod-onprem-vpn-ew1" - router_asn = var.router_onprem_configs.prod-ew1.asn - peer_external_gateway = var.vpn_onprem_configs.prod-ew1.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.prod-spoke-project.project_id + network = module.prod-spoke-vpc.self_link + region = "europe-west1" + name = "vpn-to-onprem-ew1" + router_config = { + name = "prod-onprem-vpn-ew1" + asn = var.router_onprem_configs.prod-ew1.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.prod-ew1.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.prod-ew1.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { @@ -38,7 +41,6 @@ module "prod-to-onprem-ew1-vpn" { bgp_session_range = "${cidrhost(t.session_range, 2)}/30" ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } diff --git a/fast/stages/02-networking-vpn/variables.tf b/fast/stages/02-networking-vpn/variables.tf index 111633e6..faa91698 100644 --- a/fast/stages/02-networking-vpn/variables.tf +++ b/fast/stages/02-networking-vpn/variables.tf @@ -213,10 +213,7 @@ variable "vpn_onprem_configs" { }) peer_external_gateway = object({ redundancy_type = string - interfaces = list(object({ - id = number - ip_address = string - })) + interfaces = list(string) }) tunnels = list(object({ peer_asn = number 
@@ -236,9 +233,7 @@ variable "vpn_onprem_configs" { } peer_external_gateway = { redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = [ - { id = 0, ip_address = "8.8.8.8" }, - ] + interfaces = ["8.8.8.8"] } tunnels = [ { diff --git a/fast/stages/02-networking-vpn/vpn-onprem.tf b/fast/stages/02-networking-vpn/vpn-onprem.tf index 48cad54b..911cbd83 100644 --- a/fast/stages/02-networking-vpn/vpn-onprem.tf +++ b/fast/stages/02-networking-vpn/vpn-onprem.tf @@ -33,16 +33,19 @@ locals { } module "landing-to-onprem-ew1-vpn" { - count = local.enable_onprem_vpn ? 1 : 0 - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-vpc.self_link - region = "europe-west1" - name = "vpn-to-onprem-ew1" - router_create = true - router_name = "landing-onprem-vpn-ew1" - router_asn = var.router_onprem_configs.landing-ew1.asn - peer_external_gateway = var.vpn_onprem_configs.landing-ew1.peer_external_gateway + count = local.enable_onprem_vpn ? 1 : 0 + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-vpc.self_link + region = "europe-west1" + name = "vpn-to-onprem-ew1" + router_config = { + name = "landing-onprem-vpn-ew1" + asn = var.router_onprem_configs.landing-ew1.asn + } + peer_gateway = { + external = var.vpn_onprem_configs.landing-ew1.peer_external_gateway + } tunnels = { for t in var.vpn_onprem_configs.landing-ew1.tunnels : "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => { @@ -54,7 +57,6 @@ module "landing-to-onprem-ew1-vpn" { bgp_session_range = "${cidrhost(t.session_range, 2)}/30" ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } diff --git a/fast/stages/02-networking-vpn/vpn-spoke-dev.tf b/fast/stages/02-networking-vpn/vpn-spoke-dev.tf index 1ad329a0..d4c180e7 100644 
--- a/fast/stages/02-networking-vpn/vpn-spoke-dev.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-dev.tf @@ -39,11 +39,13 @@ module "landing-to-dev-ew1-vpn" { network = module.landing-vpc.self_link region = "europe-west1" name = "vpn-to-dev-ew1" - # The router used for this VPN is managed in vpn-prod.tf - router_create = false - router_name = "landing-vpn-ew1" - router_asn = var.router_spoke_configs.landing-ew1.asn - peer_gcp_gateway = module.dev-to-landing-ew1-vpn.self_link + router_config = { + # The router used for this VPN is managed in vpn-prod.tf + create = false + name = "landing-vpn-ew1" + asn = var.router_spoke_configs.landing-ew1.asn + } + peer_gateway = { gcp = module.dev-to-landing-ew1-vpn.self_link } tunnels = { 0 = { bgp_peer = { @@ -54,11 +56,8 @@ module "landing-to-dev-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 2) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 0 + ike_version = 2 + vpn_gateway_interface = 0 } 1 = { bgp_peer = { @@ -69,11 +68,8 @@ module "landing-to-dev-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 6) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 1 + ike_version = 2 + vpn_gateway_interface = 1 } } depends_on = [ 
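Review bot: The added comment `# The router used for this VPN is managed in vpn-prod.tf` inside `landing-to-dev-ew1-vpn`'s `router_config` points at a file that does not appear in this diff; the `landing-vpn-ew1` router with `var.router_spoke_configs.landing-ew1.asn` is created in `fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf`. Since the line is rewritten anyway, it should read `# The router used for this VPN is managed in vpn-spoke-prod-ew1.tf`. The `depends_on` list that presumably encodes that ordering starts at the end of the hunk and is not visible here.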
@@ -82,15 +78,16 @@ module "landing-to-dev-ew1-vpn" { } module "dev-to-landing-ew1-vpn" { - source = "../../../modules/net-vpn-ha" - project_id = module.dev-spoke-project.project_id - network = module.dev-spoke-vpc.self_link - region = "europe-west1" - name = "vpn-to-landing-ew1" - router_create = true - router_name = "dev-spoke-vpn-ew1" - router_asn = var.router_spoke_configs.spoke-dev-ew1.asn - peer_gcp_gateway = module.landing-to-dev-ew1-vpn.self_link + source = "../../../modules/net-vpn-ha" + project_id = module.dev-spoke-project.project_id + network = module.dev-spoke-vpc.self_link + region = "europe-west1" + name = "vpn-to-landing-ew1" + router_config = { + name = "dev-spoke-vpn-ew1" + asn = var.router_spoke_configs.spoke-dev-ew1.asn + } + peer_gateway = { gcp = module.landing-to-dev-ew1-vpn.self_link } tunnels = { 0 = { bgp_peer = { @@ -101,11 +98,9 @@ module "dev-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 1) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-dev-ew1-vpn.random_secret - vpn_gateway_interface = 0 + ike_version = 2 + shared_secret = module.landing-to-dev-ew1-vpn.random_secret + vpn_gateway_interface = 0 } 1 = { bgp_peer = { @@ -116,11 +111,9 @@ module "dev-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 5) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-dev-ew1-vpn.random_secret - vpn_gateway_interface = 1 + ike_version = 2 + shared_secret = module.landing-to-dev-ew1-vpn.random_secret + vpn_gateway_interface = 1 } } } diff --git a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf index 9562e4ce..c813ca26 100644 --- a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf 
@@ -19,15 +19,16 @@ # local.vpn_spoke_bgp_peer_options is defined in the dev VPN file module "landing-to-prod-ew1-vpn" { - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-vpc.self_link - region = "europe-west1" - name = "vpn-to-prod-ew1" - router_create = true - router_name = "landing-vpn-ew1" - router_asn = var.router_spoke_configs.landing-ew1.asn - peer_gcp_gateway = module.prod-to-landing-ew1-vpn.self_link + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-vpc.self_link + region = "europe-west1" + name = "vpn-to-prod-ew1" + router_config = { + name = "landing-vpn-ew1" + asn = var.router_spoke_configs.landing-ew1.asn + } + peer_gateway = { gcp = module.prod-to-landing-ew1-vpn.self_link } tunnels = { 0 = { bgp_peer = { @@ -38,11 +39,8 @@ module "landing-to-prod-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 2) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 0 + ike_version = 2 + vpn_gateway_interface = 0 } 1 = { bgp_peer = { 
@@ -53,25 +51,23 @@ module "landing-to-prod-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 6) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 1 + ike_version = 2 + vpn_gateway_interface = 1 } } } module "prod-to-landing-ew1-vpn" { - source = "../../../modules/net-vpn-ha" - project_id = module.prod-spoke-project.project_id - network = module.prod-spoke-vpc.self_link - region = "europe-west1" - name = "vpn-to-landing-ew1" - router_create = true - router_name = "prod-spoke-vpn-ew1" - router_asn = var.router_spoke_configs.spoke-prod-ew1.asn - peer_gcp_gateway = module.landing-to-prod-ew1-vpn.self_link + source = "../../../modules/net-vpn-ha" + project_id = module.prod-spoke-project.project_id + network = module.prod-spoke-vpc.self_link + region = "europe-west1" + name = "vpn-to-landing-ew1" + router_config = { + name = "prod-spoke-vpn-ew1" + asn = var.router_spoke_configs.spoke-prod-ew1.asn + } + peer_gateway = { gcp = module.landing-to-prod-ew1-vpn.self_link } tunnels = { 0 = { bgp_peer = { diff --git a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf index cbee0bef..4fe25c1e 100644 --- a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf 
@@ -19,15 +19,16 @@ # local.vpn_spoke_bgp_peer_options is defined in the dev VPN file module "landing-to-prod-ew4-vpn" { - source = "../../../modules/net-vpn-ha" - project_id = module.landing-project.project_id - network = module.landing-vpc.self_link - region = "europe-west4" - name = "vpn-to-prod-ew4" - router_create = true - router_name = "landing-vpn-ew4" - router_asn = var.router_spoke_configs.landing-ew4.asn - peer_gcp_gateway = module.prod-to-landing-ew4-vpn.self_link + source = "../../../modules/net-vpn-ha" + project_id = module.landing-project.project_id + network = module.landing-vpc.self_link + region = "europe-west4" + name = "vpn-to-prod-ew4" + router_config = { + name = "landing-vpn-ew4" + asn = var.router_spoke_configs.landing-ew4.asn + } + peer_gateway = { gcp = module.prod-to-landing-ew4-vpn.self_link } tunnels = { 0 = { bgp_peer = { @@ -38,11 +39,8 @@ module "landing-to-prod-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 2) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 0 + ike_version = 2 + vpn_gateway_interface = 0 } 1 = { bgp_peer = { 
@@ -53,25 +51,23 @@ module "landing-to-prod-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 6) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = null - vpn_gateway_interface = 1 + ike_version = 2 + vpn_gateway_interface = 1 } } } module "prod-to-landing-ew4-vpn" { - source = "../../../modules/net-vpn-ha" - project_id = module.prod-spoke-project.project_id - network = module.prod-spoke-vpc.self_link - region = "europe-west4" - name = "vpn-to-landing-ew4" - router_create = true - router_name = "prod-spoke-vpn-ew4" - router_asn = var.router_spoke_configs.spoke-prod-ew4.asn - peer_gcp_gateway = module.landing-to-prod-ew4-vpn.self_link + source = "../../../modules/net-vpn-ha" + project_id = module.prod-spoke-project.project_id + network = module.prod-spoke-vpc.self_link + region = "europe-west4" + name = "vpn-to-landing-ew4" + router_config = { + name = "prod-spoke-vpn-ew4" + asn = var.router_spoke_configs.spoke-prod-ew4.asn + } + peer_gateway = { gcp = module.landing-to-prod-ew4-vpn.self_link } tunnels = { 0 = { bgp_peer = { @@ -82,11 +78,9 @@ module "prod-to-landing-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 1) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-ew4-vpn.random_secret - vpn_gateway_interface = 0 + ike_version = 2 + shared_secret = module.landing-to-prod-ew4-vpn.random_secret + vpn_gateway_interface = 0 } 1 = { bgp_peer = { @@ -97,11 +91,9 @@ module "prod-to-landing-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 5) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-ew4-vpn.random_secret - vpn_gateway_interface = 1 + ike_version = 2 + shared_secret = module.landing-to-prod-ew4-vpn.random_secret + vpn_gateway_interface = 1 } } } 
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md index b79a25f1..be09a8e0 100644 --- a/modules/net-vpn-ha/README.md +++ b/modules/net-vpn-ha/README.md @@ -5,20 +5,21 @@ This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem [Cloud H ### GCP to GCP ```hcl -module "vpn_ha-1" { - source = "./fabric/modules/net-vpn-ha" - project_id = "" - region = "europe-west4" - network = "https://www.googleapis.com/compute/v1/projects//global/networks/network-1" - name = "net1-to-net-2" - peer_gcp_gateway = module.vpn_ha-2.self_link - router_asn = 64514 - router_advertise_config = { - groups = ["ALL_SUBNETS"] - ip_ranges = { - "10.0.0.0/8" = "default" +module "vpn-1" { + source = "./fabric/modules/net-vpn-ha" + project_id = var.project_id + region = "europe-west4" + network = var.vpc1.self_link + name = "net1-to-net-2" + peer_gateway = { gcp = module.vpn-2.self_link } + router_config = { + asn = 64514 + custom_advertise = { + all_subnets = true + ip_ranges = { + "10.0.0.0/8" = "default" + } } - mode = "CUSTOM" } tunnels = { remote-0 = { 
@@ -26,64 +27,48 @@ module "vpn_ha-1" { address = "169.254.1.1" asn = 64513 } - bgp_peer_options = null - bgp_session_range = "169.254.1.2/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = "" - vpn_gateway_interface = 0 + bgp_session_range = "169.254.1.2/30" + vpn_gateway_interface = 0 } remote-1 = { bgp_peer = { address = "169.254.2.1" asn = 64513 } - bgp_peer_options = null - bgp_session_range = "169.254.2.2/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = "" - vpn_gateway_interface = 1 + bgp_session_range = "169.254.2.2/30" + vpn_gateway_interface = 1 } } } -module "vpn_ha-2" { - source = "./fabric/modules/net-vpn-ha" - project_id = "" - region = "europe-west4" - network = "https://www.googleapis.com/compute/v1/projects//global/networks/local-network" - name = "net2-to-net1" - router_asn = 64513 - peer_gcp_gateway = module.vpn_ha-1.self_link +module "vpn-2" { + source = "./fabric/modules/net-vpn-ha" + project_id = var.project_id + region = "europe-west4" + network = var.vpc2.self_link + name = "net2-to-net1" + router_config = { asn = 64513 } + peer_gateway = { gcp = module.vpn-1.self_link} tunnels = { remote-0 = { bgp_peer = { address = "169.254.1.2" asn = 64514 } - bgp_peer_options = null - bgp_session_range = "169.254.1.1/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.vpn_ha-1.random_secret - vpn_gateway_interface = 0 + bgp_session_range = "169.254.1.1/30" + ike_version = 2 + shared_secret = module.vpn-1.random_secret + vpn_gateway_interface = 0 } remote-1 = { bgp_peer = { address = "169.254.2.2" asn = 64514 } - bgp_peer_options = null - bgp_session_range = "169.254.2.1/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.vpn_ha-1.random_secret - vpn_gateway_interface = 1 + bgp_session_range = "169.254.2.1/30" + ike_version = 2 + shared_secret = 
module.vpn-1.random_secret + vpn_gateway_interface = 1 } } } @@ -101,25 +86,21 @@ module "vpn_ha" { region = var.region network = var.vpc.self_link name = "mynet-to-onprem" - peer_external_gateway = { - redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" - interfaces = [{ - id = 0 - ip_address = "8.8.8.8" # on-prem router ip address - }] + peer_gateway = { + external = { + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + interfaces = ["8.8.8.8"] # on-prem router ip address + } } - router_asn = 64514 + router_config = { asn = 64514 } tunnels = { remote-0 = { bgp_peer = { address = "169.254.1.1" asn = 64513 } - bgp_peer_options = null bgp_session_range = "169.254.1.2/30" - ike_version = 2 peer_external_gateway_interface = 0 - router = null shared_secret = "mySecret" vpn_gateway_interface = 0 } @@ -128,11 +109,8 @@ module "vpn_ha" { address = "169.254.2.1" asn = 64513 } - bgp_peer_options = null bgp_session_range = "169.254.2.2/30" - ike_version = 2 peer_external_gateway_interface = 0 - router = null shared_secret = "mySecret" vpn_gateway_interface = 1 } diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf index 8c487031..0fa06476 100644 --- a/modules/net-vpn-ha/main.tf +++ b/modules/net-vpn-ha/main.tf 
@@ -16,120 +16,89 @@ */ locals { - peer_external_gateway = ( - var.peer_external_gateway != null - ? google_compute_external_vpn_gateway.external_gateway[0].self_link - : null - - ) router = ( - var.router_create - ? try(google_compute_router.router[0].name, null) - : var.router_name + var.router_config.create + ? google_compute_router.router[0].name + : var.router_config.name ) - vpn_gateway = ( - var.vpn_gateway_create - ? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null) - : var.vpn_gateway - ) - secret = random_id.secret.b64_url + vpn_gateway = one(google_compute_ha_vpn_gateway.ha_gateway[*].self_link) + secret = random_id.secret.b64_url } resource "google_compute_ha_vpn_gateway" "ha_gateway" { - provider = google-beta - count = var.vpn_gateway_create ? 1 : 0 - name = var.name - project = var.project_id - region = var.region - network = var.network + count = var.vpn_gateway == null ? 1 : 0 + name = var.name + project = var.project_id + region = var.region + network = var.network } resource "google_compute_external_vpn_gateway" "external_gateway" { - provider = google-beta - count = var.peer_external_gateway != null ? 1 : 0 + count = var.peer_gateway.external != null ? 1 : 0 name = "external-${var.name}" project = var.project_id - redundancy_type = var.peer_external_gateway.redundancy_type + redundancy_type = var.peer_gateway.external.redundancy_type description = "Terraform managed external VPN gateway" dynamic "interface" { - for_each = var.peer_external_gateway.interfaces + for_each = var.peer_gateway.external.interfaces content { - id = interface.value.id - ip_address = interface.value.ip_address + id = interface.key + ip_address = interface.value } } } resource "google_compute_router" "router" { - count = var.router_create ? 1 : 0 - name = var.router_name == "" ? "vpn-${var.name}" : var.router_name + count = var.router_config.create ? 1 : 0 + name = var.router_config.name == null ? 
"vpn-${var.name}" : var.router_config.name project = var.project_id region = var.region network = var.network bgp { advertise_mode = ( - var.router_advertise_config == null - ? null - : var.router_advertise_config.mode + var.router_config.custom_advertise != null + ? "CUSTOM" + : "DEFAULT" ) advertised_groups = ( - var.router_advertise_config == null ? null : ( - var.router_advertise_config.mode != "CUSTOM" - ? null - : var.router_advertise_config.groups - ) + try(var.router_config.custom_advertise.all_subnets, false) + ? ["ALL_SUBNETS"] + : [] ) dynamic "advertised_ip_ranges" { - for_each = ( - var.router_advertise_config == null ? {} : ( - var.router_advertise_config.mode != "CUSTOM" - ? null - : var.router_advertise_config.ip_ranges - ) - ) + for_each = try(var.router_config.custom_advertise.ip_ranges, {}) iterator = range content { range = range.key description = range.value } } - asn = var.router_asn + keepalive_interval = try(var.router_config.keepalive, null) + asn = var.router_config.asn } } resource "google_compute_router_peer" "bgp_peer" { - for_each = var.tunnels - region = var.region - project = var.project_id - name = "${var.name}-${each.key}" - router = local.router - peer_ip_address = each.value.bgp_peer.address - peer_asn = each.value.bgp_peer.asn - advertised_route_priority = ( - each.value.bgp_peer_options == null ? var.route_priority : ( - each.value.bgp_peer_options.route_priority == null - ? var.route_priority - : each.value.bgp_peer_options.route_priority - ) - ) + for_each = var.tunnels + region = var.region + project = var.project_id + name = "${var.name}-${each.key}" + router = local.router + peer_ip_address = each.value.bgp_peer.address + peer_asn = each.value.bgp_peer.asn + advertised_route_priority = each.value.bgp_peer.route_priority advertise_mode = ( - each.value.bgp_peer_options == null ? null : each.value.bgp_peer_options.advertise_mode + try(each.value.bgp_peer.custom_advertise, null) != null + ? 
"CUSTOM" + : "DEFAULT" ) - advertised_groups = ( - each.value.bgp_peer_options == null ? null : ( - each.value.bgp_peer_options.advertise_mode != "CUSTOM" - ? null - : each.value.bgp_peer_options.advertise_groups - ) + advertised_groups = concat( + try(each.value.bgp_peer.custom_advertise.all_subnets, false) ? ["ALL_SUBNETS"] : [], + try(each.value.bgp_peer.custom_advertise.all_vpc_subnets, false) ? ["ALL_VPC_SUBNETS"] : [], + try(each.value.bgp_peer.custom_advertise.all_peer_vpc_subnets, false) ? ["ALL_PEER_VPC_SUBNETS"] : [] ) dynamic "advertised_ip_ranges" { - for_each = ( - each.value.bgp_peer_options == null ? {} : ( - each.value.bgp_peer_options.advertise_mode != "CUSTOM" - ? {} - : each.value.bgp_peer_options.advertise_ip_ranges - ) - ) + for_each = try(each.value.bgp_peer.custom_advertise.ip_ranges, {}) iterator = range content { range = range.key 
@@ -140,33 +109,29 @@ resource "google_compute_router_peer" "bgp_peer" {
 }
 resource "google_compute_router_interface" "router_interface" {
- for_each = var.tunnels
- project = var.project_id
- region = var.region
- name = "${var.name}-${each.key}"
- router = local.router
+ for_each = var.tunnels
+ project = var.project_id
+ region = var.region
+ name = "${var.name}-${each.key}"
+ router = local.router
+ # FIXME: can bgp_session_range be null?
 ip_range = each.value.bgp_session_range == "" ? null : each.value.bgp_session_range
 vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
 }
 resource "google_compute_vpn_tunnel" "tunnels" {
- provider = google-beta
 for_each = var.tunnels
 project = var.project_id
 region = var.region
 name = "${var.name}-${each.key}"
 router = local.router
- peer_external_gateway = local.peer_external_gateway
+ peer_external_gateway = one(google_compute_external_vpn_gateway.external_gateway[*].self_link)
 peer_external_gateway_interface = each.value.peer_external_gateway_interface
- peer_gcp_gateway = var.peer_gcp_gateway
+ peer_gcp_gateway = var.peer_gateway.gcp
 vpn_gateway_interface = each.value.vpn_gateway_interface
 ike_version = each.value.ike_version
- shared_secret = (
- each.value.shared_secret == "" || each.value.shared_secret == null
- ? local.secret
- : each.value.shared_secret
- )
- vpn_gateway = local.vpn_gateway
+ shared_secret = coalesce(each.value.shared_secret, local.secret)
+ vpn_gateway = local.vpn_gateway
 }
 resource "random_id" "secret" {
diff --git a/modules/net-vpn-ha/outputs.tf b/modules/net-vpn-ha/outputs.tf
index 94aac982..98b83394 100644
--- a/modules/net-vpn-ha/outputs.tf
+++ b/modules/net-vpn-ha/outputs.tf
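Review bot: The added `# FIXME: can bgp_session_range be null?` can be answered from the variables.tf hunk on this page: `bgp_session_range = string` is not optional, but a caller may still pass an explicit null, and because `null == ""` is false the expression then yields `ip_range = null`, the same value the `== ""` guard produces for an empty string, so no extra handling is needed. The comment would be more useful as `# "" and null both leave ip_range unset` than as an open question. For the record, `coalesce(each.value.shared_secret, local.secret)` preserves the removed `""`-or-null fallback, since `coalesce` skips empty strings as well as nulls.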
@@ -24,29 +24,17 @@ output "bgp_peers" {
 output "external_gateway" {
 description = "External VPN gateway resource."
- value = (
- var.peer_external_gateway != null
- ? google_compute_external_vpn_gateway.external_gateway[0]
- : null
- )
+ value = one(google_compute_external_vpn_gateway.external_gateway[*])
 }
 output "gateway" {
 description = "VPN gateway resource (only if auto-created)."
- value = (
- var.vpn_gateway_create
- ? google_compute_ha_vpn_gateway.ha_gateway[0]
- : null
- )
+ value = one(google_compute_ha_vpn_gateway.ha_gateway[*])
 }
 output "name" {
 description = "VPN gateway name (only if auto-created). ."
- value = (
- var.vpn_gateway_create
- ? google_compute_ha_vpn_gateway.ha_gateway[0].name
- : null
- )
+ value = one(google_compute_ha_vpn_gateway.ha_gateway[*].name)
 }
 output "random_secret" {
@@ -56,11 +44,7 @@ output "random_secret" {
 output "router" {
 description = "Router resource (only if auto-created)."
- value = (
- var.router_name == ""
- ? google_compute_router.router[0]
- : null
- )
+ value = one(google_compute_router.router[*])
 }
 output "router_name" {
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index 4e8d17ac..8f24b6cb 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -24,22 +24,19 @@ variable "network" {
 type = string
 }
-variable "peer_external_gateway" {
- description = "Configuration of an external VPN gateway to which this VPN is connected."
+variable "peer_gateway" {
 type = object({
- redundancy_type = string
- interfaces = list(object({
- id = number
- ip_address = string
+ external = optional(object({
+ redundancy_type = string
+ interfaces = list(string)
 }))
+ gcp = optional(string)
 })
- default = null
-}
-
-variable "peer_gcp_gateway" {
- description = "Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected."
- type = string
- default = null
+ nullable = false
+ validation {
+ condition = var.peer_gateway.external != null || var.peer_gateway.gcp != null
+ error_message = "TODO"
+ }
 }
 variable "project_id" {
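Review bot: The `peer_gateway` validation only requires at least one of `external` and `gcp`, but the main.tf hunks on this page pass both `peer_external_gateway` and `peer_gcp_gateway` to every tunnel, so a caller that sets both only learns about the conflict from the API during apply; the condition should be exclusive, `condition = (var.peer_gateway.external != null) != (var.peer_gateway.gcp != null)`. `error_message = "TODO"` is a placeholder that users will actually see; `error_message = "Exactly one of peer_gateway.external or peer_gateway.gcp must be set."` states the rule. The variable also lost the `description` both removed variables carried, e.g. `description = "Peer gateway configuration: either the self link of a GCP HA VPN gateway, or an external gateway definition with its redundancy type and interface addresses."`. With `interfaces` now a bare `list(string)`, the relationship between `redundancy_type` and the number of interfaces is no longer expressed in the type, so a second validation on that would be a reasonable follow-up.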
@@ -52,73 +49,49 @@ variable "region" {
 type = string
 }
-variable "route_priority" {
- description = "Route priority, defaults to 1000."
- type = number
- default = 1000
-}
-
-variable "router_advertise_config" {
- description = "Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions."
+variable "router_config" {
 type = object({
- groups = list(string)
- ip_ranges = map(string)
- mode = string
+ create = optional(bool, true)
+ asn = number
+ name = optional(string)
+ keepalive = optional(number)
+ custom_advertise = optional(object({
+ all_subnets = bool
+ ip_ranges = map(string)
+ }))
 })
- default = null
-}
-
-variable "router_asn" {
- description = "Router ASN used for auto-created router."
- type = number
- default = 64514
-}
-
-variable "router_create" {
- description = "Create router."
- type = bool
- default = true
-}
-
-variable "router_name" {
- description = "Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router."
- type = string
- default = ""
+ nullable = false
 }
 variable "tunnels" {
 description = "VPN tunnel configurations, bgp_peer_options is usually null."
 type = map(object({ bgp_peer = object({
- address = string
- asn = number
- })
- bgp_peer_options = object({
- advertise_groups = list(string)
- advertise_ip_ranges = map(string)
- advertise_mode = string
- route_priority = number
+ address = string
+ asn = number
+ route_priority = optional(number, 1000)
+ custom_advertise = optional(object({
+ all_subnets = bool
+ all_vpc_subnets = bool
+ all_peer_vpc_subnets = bool
+ ip_ranges = map(string)
+ }))
 }) # each BGP session on the same Cloud Router must use a unique /30 CIDR # from the 169.254.0.0/16 block. 
bgp_session_range = string
- ike_version = number
- peer_external_gateway_interface = number
- router = string
- shared_secret = string
+ ike_version = optional(number, 2)
+ peer_external_gateway_interface = optional(number)
+ router = optional(string)
+ shared_secret = optional(string)
 vpn_gateway_interface = number }))
- default = {}
+ default = {}
+ nullable = false
 }
 variable "vpn_gateway" {
- description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`."
+ description = "Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway."
 type = string
 default = null
 }
-
-variable "vpn_gateway_create" {
- description = "Create HA VPN Gateway."
- type = bool
- default = true
-}
diff --git a/tests/examples/variables.tf b/tests/examples/variables.tf
index 1924ac40..76c3770d 100644
--- a/tests/examples/variables.tf
+++ b/tests/examples/variables.tf
@@ -68,14 +68,21 @@ variable "subnet" {
 variable "vpc" {
 default = { name = "vpc_name"
- self_link = "projects/xxx/global/networks/yyy"
+ self_link = "projects/xxx/global/networks/aaa"
+ }
+}
+
+variable "vpc1" {
+ default = {
+ name = "vpc_name"
+ self_link = "projects/xxx/global/networks/bbb"
 }
 }
 variable "vpc2" {
 default = { name = "vpc2_name"
- self_link = "vpc2_self_link"
+ self_link = "projects/xxx/global/networks/ccc"
 }
 }
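Review bot: `router_config` is introduced without a `description`, and the `tunnels` description still says `bgp_peer_options is usually null` although this hunk removes that attribute from the type; suggested text is `description = "Cloud Router configuration: set create = false and name to reuse an existing router; custom_advertise switches the router to custom advertisement mode."` for `router_config` and `description = "VPN tunnel configurations keyed by tunnel name; bgp_peer.route_priority and bgp_peer.custom_advertise control per-peer advertisements."` for `tunnels`. `name = optional(string)` has no guard for the `create = false` case, where main.tf (hunk further up this page) uses `var.router_config.name` directly as the router for peers, interfaces and tunnels; a `validation` block with `condition = var.router_config.create || var.router_config.name != null` and `error_message = "router_config.name is required when router_config.create is false."` would catch that at plan time. The per-tunnel `router = optional(string)` attribute is accepted but never read, since every resource in main.tf uses `local.router`, so it should either be dropped or documented as ignored to avoid callers believing it selects a router. The hunk's enclosing `variable "tunnels"` block starts before this page segment's line break but is otherwise fully visible.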