Merge branch 'master' into sql-multi-region

This commit is contained in:
Julio Castillo 2022-05-04 09:34:00 +02:00 committed by GitHub
commit aedf7cad91
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 295 additions and 210 deletions


@ -20,6 +20,7 @@ All notable changes to this project will be documented in this file.
**FAST**
- Add support for Workload Identity Federation and CI/CD repositories
- Simplify VPN tunnel configuration in the Hub and Spoke VPN network stage
## [15.0.0] - 2022-04-05


@ -244,9 +244,9 @@ Per variable `vpn_onprem_configs` such ranges are advertised to onprem - further
- A private DNS zone for `googleapis.com` should be created and configured per [this article](https://cloud.google.com/vpc/docs/configure-private-google-access-hybrid#config-domain), as implemented in module `googleapis-private-zone` in [dns-landing.tf](./dns-landing.tf)
### Preliminar activities
### Preliminary activities
Before running `terraform apply` on this stage, make sure to adapt all of `variables.tf` to your needs, to update all reference to regions (e.g. `europe-west1` or `ew1`) in the whole directory to match your preferences.
Before running `terraform apply` on this stage, make sure to adapt all of `variables.tf` and `vpn-variables.tf` to your needs, to update all references to regions (e.g. `europe-west1` or `ew1`) in the whole directory to match your preferences.
If you're not using FAST, you'll also need to create a `providers.tf` file to configure the GCS backend and the service account to use to run the deployment.
@ -274,7 +274,7 @@ The new VPC requires a set of dedicated CIDRs, one per region, added to variable
Variables managing L7 Interal Load Balancers (`l7ilb_subnets`) and Private Service Access (`psa_ranges`) should also be adapted, and subnets and firewall rules for the new spoke should be added as described above.
HA VPN connectivity (see also [VPNs](#vpns)) to `landing` is managed by the `vpn-spoke-*.tf` files.
Copy `vpn-spoke-prod.tf` to `vpn-spoke-staging.tf` - replace "prod" with "staging" where relevant.
Copy `vpn-spoke-dev.tf` to `vpn-spoke-staging.tf` - replace `dev` with `staging` where relevant.
VPN configuration also controls BGP advertisements, which requires the following variable changes:
@ -305,7 +305,8 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [variables.tf](./variables.tf) | Module variables. | | |
| [vpn-onprem.tf](./vpn-onprem.tf) | VPN between landing and onprem. | <code>net-vpn-ha</code> | |
| [vpn-spoke-dev.tf](./vpn-spoke-dev.tf) | VPN between landing and development spoke. | <code>net-vpn-ha</code> | |
| [vpn-spoke-prod.tf](./vpn-spoke-prod.tf) | VPN between landing and production spoke. | <code>net-vpn-ha</code> | |
| [vpn-spoke-prod-ew1.tf](./vpn-spoke-prod-ew1.tf) | VPN between landing and production spoke in ew1. | <code>net-vpn-ha</code> | |
| [vpn-spoke-prod-ew4.tf](./vpn-spoke-prod-ew4.tf) | VPN between landing and production spoke in ew4. | <code>net-vpn-ha</code> | |
## Variables
@ -327,7 +328,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; custom &#61; list&#40;string&#41;&#10; default &#61; bool&#10; &#125;&#41;&#10; asn &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; landing-ew4 &#61; &#123; asn &#61; &#34;64512&#34;, adv &#61; null &#125;&#10; spoke-dev-ew1 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-dev-ew4 &#61; &#123; asn &#61; &#34;64513&#34;, adv &#61; null &#125;&#10; spoke-prod-ew1 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10; spoke-prod-ew4 &#61; &#123; asn &#61; &#34;64514&#34;, adv &#61; null &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [service_accounts](variables.tf#L184) | Automation service accounts in name => email format. | <code title="object&#40;&#123;&#10; data-platform-dev &#61; string&#10; data-platform-prod &#61; string&#10; project-factory-dev &#61; string&#10; project-factory-prod &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> | <code>01-resman</code> |
| [vpn_onprem_configs](variables.tf#L196) | VPN gateway configuration for onprem interconnection. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; peer_external_gateway &#61; object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;object&#40;&#123;&#10; id &#61; number&#10; ip_address &#61; string&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; tunnels &#61; list&#40;object&#40;&#123;&#10; peer_asn &#61; number&#10; peer_external_gateway_interface &#61; number&#10; secret &#61; string&#10; session_range &#61; string&#10; vpn_gateway_interface &#61; number&#10; &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#10; &#34;cloud_dns&#34;, &#34;googleapis_private&#34;, &#34;googleapis_restricted&#34;, &#34;gcp_all&#34;&#10; &#93;&#10; &#125;&#10; peer_external_gateway &#61; &#123;&#10; redundancy_type &#61; &#34;SINGLE_IP_INTERNALLY_REDUNDANT&#34;&#10; interfaces &#61; &#91;&#10; &#123; id &#61; 0, ip_address &#61; &#34;8.8.8.8&#34; &#125;,&#10; &#93;&#10; &#125;&#10; tunnels &#61; &#91;&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.0&#47;30&#34;&#10; vpn_gateway_interface &#61; 0&#10; &#125;,&#10; &#123;&#10; peer_asn &#61; 65534&#10; peer_external_gateway_interface &#61; 0&#10; secret &#61; &#34;foobar&#34;&#10; session_range &#61; &#34;169.254.1.4&#47;30&#34;&#10; vpn_gateway_interface &#61; 1&#10; &#125;&#10; &#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map&#40;object&#40;&#123;&#10; adv &#61; object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10; &#125;&#41;&#10; session_range &#61; string&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; session_range &#61; null&#10; &#125;&#10; landing-ew4 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; session_range &#61; null&#10; &#125;&#10; dev-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_dev&#34;&#93;&#10; &#125;&#10; session_range &#61; &#34;169.254.0.0&#47;27&#34;&#10; &#125;&#10; prod-ew1 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10; session_range &#61; &#34;169.254.0.64&#47;27&#34;&#10; &#125;&#10; prod-ew4 &#61; &#123;&#10; adv &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10; session_range &#61; &#34;169.254.0.96&#47;27&#34;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | <code title="map&#40;object&#40;&#123;&#10; default &#61; bool&#10; custom &#61; list&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code title="&#123;&#10; landing-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; landing-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;rfc_1918_10&#34;, &#34;rfc_1918_172&#34;, &#34;rfc_1918_192&#34;&#93;&#10; &#125;&#10; dev-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_dev&#34;&#93;&#10; &#125;&#10; prod-ew1 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10; prod-ew4 &#61; &#123;&#10; default &#61; false&#10; custom &#61; &#91;&#34;gcp_prod&#34;&#93;&#10; &#125;&#10;&#125;">&#123;&#8230;&#125;</code> | |
## Outputs


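--- a/variables-vpn.tf
+++ b/variables-vpn.tf
@@ -37,52 +37,29 @@ variable "router_spoke_configs" {
 variable "vpn_spoke_configs" {
 description = "VPN gateway configuration for spokes."
 type = map(object({
-adv = object({
-default = bool
-custom = list(string)
-})
-session_range = string
+default = bool
+custom = list(string)
 }))
 default = {
 landing-ew1 = {
-adv = {
-default = false
-custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"]
-}
-# values for the landing router are pulled from the spoke range
-session_range = null
+default = false
+custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"]
 }
 landing-ew4 = {
-adv = {
-default = false
-custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"]
-}
-# values for the landing router are pulled from the spoke range
-session_range = null
+default = false
+custom = ["rfc_1918_10", "rfc_1918_172", "rfc_1918_192"]
 }
 dev-ew1 = {
-adv = {
-default = false
-custom = ["gcp_dev"]
-}
-# resize according to required number of tunnels
-session_range = "169.254.0.0/27"
+default = false
+custom = ["gcp_dev"]
 }
 prod-ew1 = {
-adv = {
-default = false
-custom = ["gcp_prod"]
-}
-# resize according to required number of tunnels
-session_range = "169.254.0.64/27"
+default = false
+custom = ["gcp_prod"]
 }
 prod-ew4 = {
-adv = {
-default = false
-custom = ["gcp_prod"]
-}
-# resize according to required number of tunnels
-session_range = "169.254.0.96/27"
+default = false
+custom = ["gcp_prod"]
 }
 }
 }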
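Review bot: The description `"VPN gateway configuration for spokes."` no longer matches what the variable holds: after this change each entry carries only BGP advertisement settings (the `default` mode flag and the `custom` list), the session ranges have moved to literals in the `vpn-spoke-*.tf` files, and the inline comments that explained the `landing-*` entries and the range sizing were dropped with them. Suggest `description = "BGP advertisement configuration per router: default selects advertise_mode DEFAULT, custom lists custom_adv group names to advertise; landing-* entries apply to the landing side of each spoke tunnel."`. Since the locals in `vpn-spoke-dev.tf` always populate `advertise_ip_ranges` from `custom` regardless of mode, a `validation` block rejecting entries that set `default = true` together with a non-empty `custom` list would turn what I believe is an apply-time Cloud Router error into a plan-time message (please confirm the API behaviour before adding it). If `custom` is also meant to accept literal CIDRs, as the `try(var.custom_adv[range], range)` fallback in the dev file suggests, the description should say so explicitly.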


@ -19,14 +19,13 @@
locals {
# define the structures used for BGP peers in the VPN resources
vpn_spoke_bgp_peer_options = {
for k, v in var.vpn_spoke_configs :
k => v.adv == null ? null : {
for k, v in var.vpn_spoke_configs : k => v == null ? null : {
advertise_groups = []
advertise_ip_ranges = {
for adv in(v.adv == null ? [] : v.adv.custom) :
var.custom_adv[adv] => adv
for range in(v == null ? [] : v.custom) :
try(var.custom_adv[range], range) => range
}
advertise_mode = try(v.adv.default, false) ? "DEFAULT" : "CUSTOM"
advertise_mode = try(v.default, false) ? "DEFAULT" : "CUSTOM"
route_priority = null
}
}
@ -45,20 +44,36 @@ module "landing-to-dev-ew1-vpn" {
router_name = "landing-vpn-ew1"
router_asn = var.router_spoke_configs.landing-ew1.asn
peer_gcp_gateway = module.dev-to-landing-ew1-vpn.self_link
tunnels = { for t in range(2) : "tunnel-${t}" => {
bgp_peer = {
address = cidrhost(var.vpn_spoke_configs.dev-ew1.session_range, 1 + (t * 4))
asn = var.router_spoke_configs.spoke-dev-ew1.asn
tunnels = {
0 = {
bgp_peer = {
address = cidrhost("169.254.0.0/27", 1)
asn = var.router_spoke_configs.spoke-dev-ew1.asn
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
bgp_session_range = "${
cidrhost("169.254.0.0/27", 2)
}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = null
vpn_gateway_interface = 0
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
bgp_session_range = "${cidrhost(
var.vpn_spoke_configs.dev-ew1.session_range, 2 + (t * 4)
)}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = null
vpn_gateway_interface = t
1 = {
bgp_peer = {
address = cidrhost("169.254.0.0/27", 5)
asn = var.router_spoke_configs.spoke-dev-ew1.asn
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
bgp_session_range = "${
cidrhost("169.254.0.0/27", 6)
}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = null
vpn_gateway_interface = 1
}
}
depends_on = [
@ -76,20 +91,36 @@ module "dev-to-landing-ew1-vpn" {
router_name = "dev-spoke-vpn-ew1"
router_asn = var.router_spoke_configs.spoke-dev-ew1.asn
peer_gcp_gateway = module.landing-to-dev-ew1-vpn.self_link
tunnels = { for t in range(2) : "tunnel-${t}" => {
bgp_peer = {
address = cidrhost(var.vpn_spoke_configs.dev-ew1.session_range, 2 + (t * 4))
asn = var.router_spoke_configs.landing-ew1.asn
tunnels = {
0 = {
bgp_peer = {
address = cidrhost("169.254.0.0/27", 2)
asn = var.router_spoke_configs.landing-ew1.asn
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.dev-ew1
bgp_session_range = "${
cidrhost("169.254.0.0/27", 1)
}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = module.landing-to-dev-ew1-vpn.random_secret
vpn_gateway_interface = 0
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.dev-ew1
bgp_session_range = "${cidrhost(
var.vpn_spoke_configs.dev-ew1.session_range, 1 + (t * 4)
)}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = module.landing-to-dev-ew1-vpn.random_secret
vpn_gateway_interface = t
1 = {
bgp_peer = {
address = cidrhost("169.254.0.0/27", 6)
asn = var.router_spoke_configs.landing-ew1.asn
}
bgp_peer_options = local.vpn_spoke_bgp_peer_options.dev-ew1
bgp_session_range = "${
cidrhost("169.254.0.0/27", 5)
}/30"
ike_version = 2
peer_external_gateway_interface = null
router = null
shared_secret = module.landing-to-dev-ew1-vpn.random_secret
vpn_gateway_interface = 1
}
}
}
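Review bot: In the locals hunk at the top of the section, `try(var.custom_adv[range], range)` silently turns an unknown group name into a raw advertised range, so a typo such as `gcp_dv` is no longer rejected at plan time but is passed through as the `advertise_ip_ranges` key, presumably consumed as a CIDR by `net-vpn-ha` and failing only at apply, or worse, advertising nothing useful while the plan looks clean. If the intent is to let `custom` hold either a `custom_adv` group name or a literal CIDR, make that explicit and keep the strict lookup for everything else: `for range in(v == null ? [] : v.custom) : (can(cidrhost(range, 0)) ? range : var.custom_adv[range]) => range`, with a comment `# literal CIDRs pass through, anything else must be a custom_adv key`. The second hunk, whose enclosing `module "landing-to-dev-ew1-vpn"` block starts outside the hunk, also repeats `"169.254.0.0/27"` eight times where the removed code read it from `session_range`; a single `local` per spoke would keep the copy-to-staging instructions in the README from producing overlapping link-local ranges between spokes.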


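--- a/vpn-spoke-prod-ew1.tf
+++ b/vpn-spoke-prod-ew1.tf
+/**
+* Copyright 2022 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+# tfdoc:file:description VPN between landing and production spoke in ew1.
+# local.vpn_spoke_bgp_peer_options is defined in the dev VPN file
+module "landing-to-prod-ew1-vpn" {
+source = "../../../modules/net-vpn-ha"
+project_id = module.landing-project.project_id
+network = module.landing-vpc.self_link
+region = "europe-west1"
+name = "vpn-to-prod-ew1"
+router_create = true
+router_name = "landing-vpn-ew1"
+router_asn = var.router_spoke_configs.landing-ew1.asn
+peer_gcp_gateway = module.prod-to-landing-ew1-vpn.self_link
+tunnels = {
+0 = {
+bgp_peer = {
+address = cidrhost("169.254.0.64/27", 1)
+asn = var.router_spoke_configs.spoke-prod-ew1.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
+bgp_session_range = "${
+cidrhost("169.254.0.64/27", 2)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = null
+vpn_gateway_interface = 0
+}
+1 = {
+bgp_peer = {
+address = cidrhost("169.254.0.64/27", 5)
+asn = var.router_spoke_configs.spoke-prod-ew1.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
+bgp_session_range = "${
+cidrhost("169.254.0.64/27", 6)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = null
+vpn_gateway_interface = 1
+}
+}
+}
+module "prod-to-landing-ew1-vpn" {
+source = "../../../modules/net-vpn-ha"
+project_id = module.prod-spoke-project.project_id
+network = module.prod-spoke-vpc.self_link
+region = "europe-west1"
+name = "vpn-to-landing-ew1"
+router_create = true
+router_name = "prod-spoke-vpn-ew1"
+router_asn = var.router_spoke_configs.spoke-prod-ew1.asn
+peer_gcp_gateway = module.landing-to-prod-ew1-vpn.self_link
+tunnels = {
+0 = {
+bgp_peer = {
+address = cidrhost("169.254.0.64/27", 2)
+asn = var.router_spoke_configs.landing-ew1.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew1
+bgp_session_range = "${
+cidrhost("169.254.0.64/27", 1)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = module.landing-to-prod-ew1-vpn.random_secret
+vpn_gateway_interface = 0
+}
+1 = {
+bgp_peer = {
+address = cidrhost("169.254.0.64/27", 6)
+asn = var.router_spoke_configs.landing-ew1.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew1
+bgp_session_range = "${
+cidrhost("169.254.0.64/27", 5)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = module.landing-to-prod-ew1-vpn.random_secret
+vpn_gateway_interface = 1
+}
+}
+}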
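Review bot: The link-local session range `"169.254.0.64/27"` is repeated eight times across the two modules with nothing recording that it must stay disjoint from the dev range `169.254.0.0/27` and the ew4 range `169.254.0.96/27` used by the sibling files, or that the landing-side `bgp_session_range` host must be the spoke-side `bgp_peer.address` and vice versa; the deleted `vpn-spoke-prod.tf` read the range from `vpn_spoke_configs`, where a comment said to size it by tunnel count. A file-level `locals { prod_ew1_session_range = "169.254.0.64/27" }` with a comment `# link-local /27 for the prod-ew1 BGP sessions, must not overlap the other spokes' ranges` and the `cidrhost` calls referencing it would keep the two sides from drifting apart when one module is edited. The header comment `# local.vpn_spoke_bgp_peer_options is defined in the dev VPN file` also documents a cross-file dependency that would break this file if the dev spoke were ever removed; moving that locals block to `variables-vpn.tf` or a dedicated `vpn-locals.tf` would remove the coupling.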


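--- a/vpn-spoke-prod-ew4.tf
+++ b/vpn-spoke-prod-ew4.tf
+/**
+* Copyright 2022 Google LLC
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+# tfdoc:file:description VPN between landing and production spoke in ew4.
+# local.vpn_spoke_bgp_peer_options is defined in the dev VPN file
+module "landing-to-prod-ew4-vpn" {
+source = "../../../modules/net-vpn-ha"
+project_id = module.landing-project.project_id
+network = module.landing-vpc.self_link
+region = "europe-west4"
+name = "vpn-to-prod-ew4"
+router_create = true
+router_name = "landing-vpn-ew4"
+router_asn = var.router_spoke_configs.landing-ew4.asn
+peer_gcp_gateway = module.prod-to-landing-ew4-vpn.self_link
+tunnels = {
+0 = {
+bgp_peer = {
+address = cidrhost("169.254.0.96/27", 1)
+asn = var.router_spoke_configs.spoke-prod-ew4.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew4
+bgp_session_range = "${
+cidrhost("169.254.0.96/27", 2)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = null
+vpn_gateway_interface = 0
+}
+1 = {
+bgp_peer = {
+address = cidrhost("169.254.0.96/27", 5)
+asn = var.router_spoke_configs.spoke-prod-ew4.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew4
+bgp_session_range = "${
+cidrhost("169.254.0.96/27", 6)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = null
+vpn_gateway_interface = 1
+}
+}
+}
+module "prod-to-landing-ew4-vpn" {
+source = "../../../modules/net-vpn-ha"
+project_id = module.prod-spoke-project.project_id
+network = module.prod-spoke-vpc.self_link
+region = "europe-west4"
+name = "vpn-to-landing-ew4"
+router_create = true
+router_name = "prod-spoke-vpn-ew4"
+router_asn = var.router_spoke_configs.spoke-prod-ew4.asn
+peer_gcp_gateway = module.landing-to-prod-ew4-vpn.self_link
+tunnels = {
+0 = {
+bgp_peer = {
+address = cidrhost("169.254.0.96/27", 2)
+asn = var.router_spoke_configs.landing-ew4.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew4
+bgp_session_range = "${
+cidrhost("169.254.0.96/27", 1)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = module.landing-to-prod-ew4-vpn.random_secret
+vpn_gateway_interface = 0
+}
+1 = {
+bgp_peer = {
+address = cidrhost("169.254.0.96/27", 6)
+asn = var.router_spoke_configs.landing-ew4.asn
+}
+bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew4
+bgp_session_range = "${
+cidrhost("169.254.0.96/27", 5)
+}/30"
+ike_version = 2
+peer_external_gateway_interface = null
+router = null
+shared_secret = module.landing-to-prod-ew4-vpn.random_secret
+vpn_gateway_interface = 1
+}
+}
+}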
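Review bot: `shared_secret = null` on `landing-to-prod-ew4-vpn` leaves IKE pre-shared key generation to the module, and the spoke side reads it back through `module.landing-to-prod-ew4-vpn.random_secret`; that PSK is therefore persisted in this stage's Terraform state and is readable by anyone with read access to the backend bucket, which nothing in the file points out. Suggest a comment on the spoke module's `shared_secret` lines: `# PSK is generated by the landing-side module and stored in Terraform state; keep read access to the state backend restricted`. The mechanism is inferred from the output name, so please confirm against `net-vpn-ha`. Separately, the eight literal `"169.254.0.96/27"` occurrences carry no note that this /27 must not overlap the dev (`169.254.0.0/27`) and prod-ew1 (`169.254.0.64/27`) ranges; the sizing comment that accompanied the range in `variables-vpn.tf` was lost with this change and is worth restoring here, e.g. `# link-local /27 for the prod-ew4 BGP sessions, resize by tunnel count and keep disjoint from the other spokes`.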


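--- a/vpn-spoke-prod.tf
+++ b/vpn-spoke-prod.tf
-/**
-* Copyright 2022 Google LLC
-*
-* Licensed under the Apache License, Version 2.0 (the "License");
-* you may not use this file except in compliance with the License.
-* You may obtain a copy of the License at
-*
-* http://www.apache.org/licenses/LICENSE-2.0
-*
-* Unless required by applicable law or agreed to in writing, software
-* distributed under the License is distributed on an "AS IS" BASIS,
-* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-* See the License for the specific language governing permissions and
-* limitations under the License.
-*/
-# tfdoc:file:description VPN between landing and production spoke.
-# local.vpn_spoke_bgp_peer_options is defined in the dev VPN file
-module "landing-to-prod-ew1-vpn" {
-source = "../../../modules/net-vpn-ha"
-project_id = module.landing-project.project_id
-network = module.landing-vpc.self_link
-region = "europe-west1"
-name = "vpn-to-prod-ew1"
-router_create = true
-router_name = "landing-vpn-ew1"
-router_asn = var.router_spoke_configs.landing-ew1.asn
-peer_gcp_gateway = module.prod-to-landing-ew1-vpn.self_link
-tunnels = { for t in range(2) : "tunnel-${t}" => {
-bgp_peer = {
-address = cidrhost(
-var.vpn_spoke_configs.prod-ew1.session_range, 1 + (t * 4)
-)
-asn = var.router_spoke_configs.spoke-prod-ew1.asn
-}
-bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew1
-bgp_session_range = "${cidrhost(
-var.vpn_spoke_configs.prod-ew1.session_range, 2 + (t * 4)
-)}/30"
-ike_version = 2
-peer_external_gateway_interface = null
-router = null
-shared_secret = null
-vpn_gateway_interface = t
-}
-}
-}
-module "prod-to-landing-ew1-vpn" {
-source = "../../../modules/net-vpn-ha"
-project_id = module.prod-spoke-project.project_id
-network = module.prod-spoke-vpc.self_link
-region = "europe-west1"
-name = "vpn-to-landing-ew1"
-router_create = true
-router_name = "prod-spoke-vpn-ew1"
-router_asn = var.router_spoke_configs.spoke-prod-ew1.asn
-peer_gcp_gateway = module.landing-to-prod-ew1-vpn.self_link
-tunnels = { for t in range(2) : "tunnel-${t}" => {
-bgp_peer = {
-address = cidrhost(
-var.vpn_spoke_configs.prod-ew1.session_range, 2 + (t * 4)
-)
-asn = var.router_spoke_configs.landing-ew1.asn
-}
-bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew1
-bgp_session_range = "${cidrhost(
-var.vpn_spoke_configs.prod-ew1.session_range, 1 + (t * 4)
-)}/30"
-ike_version = 2
-peer_external_gateway_interface = null
-router = null
-shared_secret = module.landing-to-prod-ew1-vpn.random_secret
-vpn_gateway_interface = t
-}
-}
-}
-module "landing-to-prod-ew4-vpn" {
-source = "../../../modules/net-vpn-ha"
-project_id = module.landing-project.project_id
-network = module.landing-vpc.self_link
-region = "europe-west4"
-name = "vpn-to-prod-ew4"
-router_create = true
-router_name = "landing-vpn-ew4"
-router_asn = var.router_spoke_configs.landing-ew4.asn
-peer_gcp_gateway = module.prod-to-landing-ew4-vpn.self_link
-tunnels = { for t in range(2) : "tunnel-${t}" => {
-bgp_peer = {
-address = cidrhost(
-var.vpn_spoke_configs.prod-ew4.session_range, 1 + (t * 4)
-)
-asn = var.router_spoke_configs.spoke-prod-ew4.asn
-}
-bgp_peer_options = local.vpn_spoke_bgp_peer_options.landing-ew4
-bgp_session_range = "${cidrhost(
-var.vpn_spoke_configs.prod-ew4.session_range, 2 + (t * 4)
-)}/30"
-ike_version = 2
-peer_external_gateway_interface = null
-router = null
-shared_secret = null
-vpn_gateway_interface = t
-}
-}
-}
-module "prod-to-landing-ew4-vpn" {
-source = "../../../modules/net-vpn-ha"
-project_id = module.prod-spoke-project.project_id
-network = module.prod-spoke-vpc.self_link
-region = "europe-west4"
-name = "vpn-to-landing-ew4"
-router_create = true
-router_name = "prod-spoke-vpn-ew4"
-router_asn = var.router_spoke_configs.spoke-prod-ew4.asn
-peer_gcp_gateway = module.landing-to-prod-ew4-vpn.self_link
-tunnels = { for t in range(2) : "tunnel-${t}" => {
-bgp_peer = {
-address = cidrhost(
-var.vpn_spoke_configs.prod-ew4.session_range, 2 + (t * 4)
-)
-asn = var.router_spoke_configs.landing-ew4.asn
-}
-bgp_peer_options = local.vpn_spoke_bgp_peer_options.prod-ew4
-bgp_session_range = "${cidrhost(
-var.vpn_spoke_configs.prod-ew4.session_range, 1 + (t * 4)
-)}/30"
-ike_version = 2
-peer_external_gateway_interface = null
-router = null
-shared_secret = module.landing-to-prod-ew4-vpn.random_secret
-vpn_gateway_interface = t
-}
-}
-}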