Update rest of vpn modules to tf1.3

This commit is contained in:
Julio Castillo 2022-11-30 15:19:49 +01:00
parent 620babe5c0
commit e976d71428
8 changed files with 85 additions and 124 deletions


@ -21,9 +21,9 @@ locals {
: var.gateway_address
)
router = (
var.router_create
? google_compute_router.router[0].name
: var.router_name
var.router_config.create
? try(google_compute_router.router[0].name, null)
: var.router_config.name
)
secret = random_id.secret.b64_url
}
@ -65,75 +65,56 @@ resource "google_compute_forwarding_rule" "udp-4500" {
}
resource "google_compute_router" "router" {
count = var.router_create ? 1 : 0
name = var.router_name == "" ? "vpn-${var.name}" : var.router_name
count = var.router_config.create ? 1 : 0
name = coalesce(var.router_config.name, "vpn-${var.name}")
project = var.project_id
region = var.region
network = var.network
bgp {
advertise_mode = (
var.router_advertise_config == null
? null
: var.router_advertise_config.mode
var.router_config.custom_advertise != null
? "CUSTOM"
: "DEFAULT"
)
advertised_groups = (
var.router_advertise_config == null ? null : (
var.router_advertise_config.mode != "CUSTOM"
? null
: var.router_advertise_config.groups
)
try(var.router_config.custom_advertise.all_subnets, false)
? ["ALL_SUBNETS"]
: []
)
dynamic "advertised_ip_ranges" {
for_each = (
var.router_advertise_config == null ? {} : (
var.router_advertise_config.mode != "CUSTOM"
? null
: var.router_advertise_config.ip_ranges
)
)
for_each = try(var.router_config.custom_advertise.ip_ranges, {})
iterator = range
content {
range = range.key
description = range.value
}
}
asn = var.router_asn
keepalive_interval = try(var.router_config.keepalive, null)
asn = var.router_config.asn
}
}
resource "google_compute_router_peer" "bgp_peer" {
for_each = var.tunnels
region = var.region
project = var.project_id
name = "${var.name}-${each.key}"
router = each.value.router == null ? local.router : each.value.router
peer_ip_address = each.value.bgp_peer.address
peer_asn = each.value.bgp_peer.asn
advertised_route_priority = (
each.value.bgp_peer_options == null ? var.route_priority : (
each.value.bgp_peer_options.route_priority == null
? var.route_priority
: each.value.bgp_peer_options.route_priority
)
)
for_each = var.tunnels
region = var.region
project = var.project_id
name = "${var.name}-${each.key}"
router = coalesce(each.value.router, local.router)
peer_ip_address = each.value.bgp_peer.address
peer_asn = each.value.bgp_peer.asn
advertised_route_priority = each.value.bgp_peer.route_priority
advertise_mode = (
each.value.bgp_peer_options == null ? null : each.value.bgp_peer_options.advertise_mode
try(each.value.bgp_peer.custom_advertise, null) != null
? "CUSTOM"
: "DEFAULT"
)
advertised_groups = (
each.value.bgp_peer_options == null ? null : (
each.value.bgp_peer_options.advertise_mode != "CUSTOM"
? null
: each.value.bgp_peer_options.advertise_groups
)
advertised_groups = concat(
try(each.value.bgp_peer.custom_advertise.all_subnets, false) ? ["ALL_SUBNETS"] : [],
try(each.value.bgp_peer.custom_advertise.all_vpc_subnets, false) ? ["ALL_VPC_SUBNETS"] : [],
try(each.value.bgp_peer.custom_advertise.all_peer_vpc_subnets, false) ? ["ALL_PEER_VPC_SUBNETS"] : []
)
dynamic "advertised_ip_ranges" {
for_each = (
each.value.bgp_peer_options == null ? {} : (
each.value.bgp_peer_options.advertise_mode != "CUSTOM"
? {}
: each.value.bgp_peer_options.advertise_ip_ranges
)
)
for_each = try(each.value.bgp_peer.custom_advertise.ip_ranges, {})
iterator = range
content {
range = range.key
@ -144,11 +125,12 @@ resource "google_compute_router_peer" "bgp_peer" {
}
resource "google_compute_router_interface" "router_interface" {
for_each = var.tunnels
project = var.project_id
region = var.region
name = "${var.name}-${each.key}"
router = each.value.router == null ? local.router : each.value.router
for_each = var.tunnels
project = var.project_id
region = var.region
name = "${var.name}-${each.key}"
router = coalesce(each.value.router, local.router)
# FIXME: can bgp_session_range be null?
ip_range = each.value.bgp_session_range == "" ? null : each.value.bgp_session_range
vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
}
@ -161,18 +143,14 @@ resource "google_compute_vpn_gateway" "gateway" {
}
resource "google_compute_vpn_tunnel" "tunnels" {
for_each = var.tunnels
project = var.project_id
region = var.region
name = "${var.name}-${each.key}"
router = each.value.router == null ? local.router : each.value.router
peer_ip = each.value.peer_ip
ike_version = each.value.ike_version
shared_secret = (
each.value.shared_secret == "" || each.value.shared_secret == null
? local.secret
: each.value.shared_secret
)
for_each = var.tunnels
project = var.project_id
region = var.region
name = "${var.name}-${each.key}"
router = coalesce(each.value.router, local.router)
peer_ip = each.value.peer_ip
ike_version = each.value.ike_version
shared_secret = coalesce(each.value.shared_secret, local.secret)
target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link
depends_on = [google_compute_forwarding_rule.esp]
}
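Review bot: `router = coalesce(each.value.router, local.router)` on the peer, interface and tunnel resources fails with Terraform's generic "no non-null, non-empty-string arguments" error whenever `router_config.create` is false and neither `router_config.name` nor the tunnel's own `router` is set, because `local.router` in the first hunk is then null; the peer hunk in the second main.tf of this commit has the same `coalesce`. The variable description says that `name` selects the existing router when `create` is false, so the check belongs on `router_config` itself, e.g. a `validation` block with `condition = var.router_config.create || var.router_config.name != null` and an error message naming the missing router name. That surfaces the misconfiguration once at plan time, at the variable, instead of once per tunnel resource with no pointer to the cause.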


@ -54,7 +54,7 @@ output "tunnel_names" {
description = "VPN tunnel names."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name].name
name => try(google_compute_vpn_tunnel.tunnels[name].name, null)
}
}
@ -62,7 +62,7 @@ output "tunnel_self_links" {
description = "VPN tunnel self links."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name].self_link
name => try(google_compute_vpn_tunnel.tunnels[name].self_link, null)
}
}
@ -70,6 +70,6 @@ output "tunnels" {
description = "VPN tunnel resources."
value = {
for name in keys(var.tunnels) :
name => google_compute_vpn_tunnel.tunnels[name]
name => try(google_compute_vpn_tunnel.tunnels[name], null)
}
}
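Review bot: The `try(..., null)` wrappers added to `tunnel_names`, `tunnel_self_links` and `tunnels` give no hint why a lookup keyed by the module's own `var.tunnels` keys could fail, and they also turn any other evaluation error inside these outputs into a silent null entry. A one-line comment above each `value`, such as `# try() keeps the output evaluable while the tunnel resource is not yet known (e.g. validation or targeted runs)`, would record the intent — the exact reason is not visible in these hunks, so adjust the wording. `tunnels` also exposes the whole resource object, which carries the tunnel's `shared_secret` attribute; if that output is not already `sensitive = true` (the hunk does not show it), it should be.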


@ -17,7 +17,7 @@
variable "gateway_address" {
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
type = string
default = ""
default = null
}
variable "gateway_address_create" {
@ -46,60 +46,43 @@ variable "region" {
type = string
}
variable "route_priority" {
description = "Route priority, defaults to 1000."
type = number
default = 1000
}
variable "router_advertise_config" {
description = "Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions."
variable "router_config" {
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
type = object({
groups = list(string)
ip_ranges = map(string)
mode = string
create = optional(bool, true)
asn = number
name = optional(string)
keepalive = optional(number)
custom_advertise = optional(object({
all_subnets = bool
ip_ranges = map(string)
}))
})
default = null
}
variable "router_asn" {
description = "Router ASN used for auto-created router."
type = number
default = 64514
}
variable "router_create" {
description = "Create router."
type = bool
default = true
}
variable "router_name" {
description = "Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router."
type = string
default = ""
nullable = false
}
variable "tunnels" {
description = "VPN tunnel configurations, bgp_peer_options is usually null."
description = "VPN tunnel configurations."
type = map(object({
bgp_peer = object({
address = string
asn = number
})
bgp_peer_options = object({
advertise_groups = list(string)
advertise_ip_ranges = map(string)
advertise_mode = string
route_priority = number
address = string
asn = number
route_priority = optional(number, 1000)
custom_advertise = optional(object({
all_subnets = bool
all_vpc_subnets = bool
all_peer_vpc_subnets = bool
ip_ranges = map(string)
}))
})
# each BGP session on the same Cloud Router must use a unique /30 CIDR
# from the 169.254.0.0/16 block.
bgp_session_range = string
ike_version = number
ike_version = optional(number, 2)
peer_ip = string
router = string
shared_secret = string
router = optional(string)
shared_secret = optional(string)
}))
default = {}
default = {}
nullable = false
}
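Review bot: The comment on `bgp_session_range` states a hard requirement (a /30 from 169.254.0.0/16) that nothing in the `tunnels` variable enforces, so a wrong value is only rejected by the API at apply time, after the gateway and router already exist; a `validation` block on `tunnels` can check the shape at plan time, and it also settles the `FIXME` in main.tf by rejecting null and empty values, which the required `string` type already implies. Uniqueness is per Cloud Router and tunnels may name different routers, so I would leave that part to the API. Separately, if `default = null` on `router_config` survives on the new side, `var.router_config.create` in main.tf would dereference a null variable; `nullable = false` with no default, as done for `tunnels`, avoids that — I cannot tell from the rendered page whether that line was removed.
```hcl
variable "tunnels" {
  # … unchanged: description, type, default, nullable …
  validation {
    condition = alltrue([
      for t in values(var.tunnels) :
      can(regex("^169\\.254\\.[0-9]{1,3}\\.[0-9]{1,3}/30$", t.bgp_session_range))
    ])
    error_message = "Each tunnel's bgp_session_range must be a /30 CIDR inside 169.254.0.0/16."
  }
}
```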


@ -54,7 +54,7 @@ resource "google_compute_external_vpn_gateway" "external_gateway" {
resource "google_compute_router" "router" {
count = var.router_config.create ? 1 : 0
name = var.router_config.name == null ? "vpn-${var.name}" : var.router_config.name
name = coalesce(var.router_config.name, "vpn-${var.name}")
project = var.project_id
region = var.region
network = var.network
@ -87,7 +87,7 @@ resource "google_compute_router_peer" "bgp_peer" {
region = var.region
project = var.project_id
name = "${var.name}-${each.key}"
router = local.router
router = coalesce(each.value.router, local.router)
peer_ip_address = each.value.bgp_peer.address
peer_asn = each.value.bgp_peer.asn
advertised_route_priority = each.value.bgp_peer.route_priority


@ -66,7 +66,7 @@ variable "router_config" {
}
variable "tunnels" {
description = "VPN tunnel configurations, bgp_peer_options is usually null."
description = "VPN tunnel configurations."
type = map(object({
bgp_peer = object({
address = string


@ -17,12 +17,10 @@ module "vpn" {
region = var.region
network = var.vpc.self_link
name = "remote"
gateway_address_create = false
gateway_address = module.addresses.external_addresses["vpn"].address
gateway_address = module.addresses.external_addresses["vpn"].address
remote_ranges = ["10.10.0.0/24"]
tunnels = {
remote-0 = {
ike_version = 2
peer_ip = "1.1.1.1"
shared_secret = "mysecret"
traffic_selectors = { local = ["0.0.0.0/0"], remote = ["0.0.0.0/0"] }
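Review bot: Dropping `gateway_address_create = false` while keeping `gateway_address = module.addresses.external_addresses["vpn"].address` presumably changes what this example deploys: the module's variable description, unchanged in the variables.tf hunks of this commit, still says gateway_address is "Ignored unless gateway_address_create is set to false", so with the default the module would allocate its own address and the reserved one from `module.addresses` would go unused. If the intent is to keep the reserved address, the line should stay; if the module now infers creation from a null `gateway_address`, the two variable descriptions should say so. The locals that compute the gateway address are not in view, so this is inferred from the descriptions only.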


@ -91,7 +91,7 @@ resource "google_compute_vpn_tunnel" "tunnels" {
local_traffic_selector = each.value.traffic_selectors.local
remote_traffic_selector = each.value.traffic_selectors.remote
ike_version = each.value.ike_version
shared_secret = each.value.shared_secret == "" ? local.secret : each.value.shared_secret
shared_secret = coalesce(each.value.shared_secret, local.secret)
target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link
depends_on = [google_compute_forwarding_rule.esp]
}


@ -17,7 +17,7 @@
variable "gateway_address" {
description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false."
type = string
default = ""
default = null
}
variable "gateway_address_create" {
@ -50,6 +50,7 @@ variable "remote_ranges" {
description = "Remote IP CIDR ranges."
type = list(string)
default = []
nullable = false
}
variable "route_priority" {
@ -61,13 +62,14 @@ variable "route_priority" {
variable "tunnels" {
description = "VPN tunnel configurations."
type = map(object({
ike_version = number
ike_version = optional(number, 2)
peer_ip = string
shared_secret = string
shared_secret = optional(string)
traffic_selectors = object({
local = list(string)
remote = list(string)
})
}))
default = {}
default = {}
nullable = false
}
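Review bot: `shared_secret = optional(string)` makes the IKE pre-shared key omittable, but the description "VPN tunnel configurations." does not say what an omitted value means: main.tf falls back to `local.secret`, presumably the same single random_id-backed value the dynamic module uses, so every tunnel without an explicit secret shares one PSK, and the variable carries no `sensitive = true`. Suggested description: `VPN tunnel configurations. shared_secret is the IKE pre-shared key; when omitted, one random secret generated by the module is shared by all tunnels that omit it.` The `tunnels` variable in the first variables.tf of this commit makes `shared_secret` optional in the same way and needs the same note.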