zecfoundation
/
cloud-foundation-fabric
mirror of https://github.com/ZcashFoundation/cloud-foundation-fabric.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Adds bfd and md5 auth support to google_compute_router_peer (#2142) 

* Adds support for md5 auth to net-vlan-attachment
* Adds support for md5 auth to net-ipsec-over-interconnect
* Adds support for md5 auth to net-vpn-ha
* Adds support for BFD to net-vpn-ha
This commit is contained in:
Simone Ruffilli 2024-03-10 14:06:49 +01:00 committed by GitHub
parent 759e85d6af
commit eb0ed0c2a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 164 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules/net-ipsec-over-interconnect/README.md
View File

@ -64,6 +64,11 @@ module "vpngw-a" {
bgp_peer = {
address = "169.254.1.2"
asn = 64514
# MD5 Authentication is optional
md5_authentication_key = {
name = "foo"
key = "bar"
}
}
bgp_session_range = "169.254.1.1/30"
shared_secret = "foobar"
@ -112,7 +117,7 @@ module "vpngw-a" {
| [project_id](variables.tf#L54) | The project id. | <code>string</code> | ✓ | |
| [region](variables.tf#L59) | GCP Region. | <code>string</code> | ✓ | |
| [router_config](variables.tf#L64) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; asn &#61; optional&#40;number&#41;&#10; name &#61; optional&#40;string&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10; bgp_peer &#61; object&#40;&#123;&#10; address &#61; string&#10; asn &#61; number&#10; route_priority &#61; optional&#40;number, 1000&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; all_vpc_subnets &#61; bool&#10; all_peer_vpc_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; bgp_session_range &#61; string&#10; ike_version &#61; optional&#40;number, 2&#41;&#10; peer_external_gateway_interface &#61; optional&#40;number&#41;&#10; peer_gateway_id &#61; optional&#40;string, &#34;default&#34;&#41;&#10; router &#61; optional&#40;string&#41;&#10; shared_secret &#61; optional&#40;string&#41;&#10; vpn_gateway_interface &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10; bgp_peer &#61; object&#40;&#123;&#10; address &#61; string&#10; asn &#61; number&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; all_vpc_subnets &#61; bool&#10; all_peer_vpc_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; key &#61; string&#10; &#125;&#41;&#41;&#10; route_priority &#61; optional&#40;number, 1000&#41;&#10; &#125;&#41;&#10; bgp_session_range &#61; string&#10; ike_version &#61; optional&#40;number, 2&#41;&#10; peer_external_gateway_interface &#61; optional&#40;number&#41;&#10; peer_gateway_id &#61; optional&#40;string, &#34;default&#34;&#41;&#10; router &#61; optional&#40;string&#41;&#10; shared_secret &#61; optional&#40;string&#41;&#10; vpn_gateway_interface &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs

9
modules/net-ipsec-over-interconnect/main.tf
View File

@ -116,6 +116,15 @@ resource "google_compute_router_peer" "default" {
description = range.value
}
}
dynamic "md5_authentication_key" {
for_each = each.value.bgp_peer.md5_authentication_key != null ? [each.value.bgp_peer.md5_authentication_key] : []
content {
name = md5_authentication_key.value.name
key = md5_authentication_key.value.key
}
}
interface = google_compute_router_interface.default[each.key].name
}

10
modules/net-ipsec-over-interconnect/variables.tf
View File

@ -80,15 +80,19 @@ variable "tunnels" {
description = "VPN tunnel configurations."
type = map(object({
bgp_peer = object({
address = string
asn = number
route_priority = optional(number, 1000)
address = string
asn = number
custom_advertise = optional(object({
all_subnets = bool
all_vpc_subnets = bool
all_peer_vpc_subnets = bool
ip_ranges = map(string)
}))
md5_authentication_key = optional(object({
name = string
key = string
}))
route_priority = optional(number, 1000)
})
# each BGP session on the same Cloud Router must use a unique /30 CIDR
# from the 169.254.0.0/16 block.

68
modules/net-vlan-attachment/README.md
View File

@ -47,6 +47,60 @@ module "example-va" {
# tftest modules=1 resources=4
```
### Dedicated Interconnect - Single VLAN Attachment (No SLA) - BFD and MD5 Auth
```hcl
resource "google_compute_router" "interconnect-router" {
name = "interconnect-router"
network = "mynet"
project = "myproject"
region = "europe-west8"
bgp {
advertise_mode = "CUSTOM"
asn = 64514
advertised_groups = ["ALL_SUBNETS"]
advertised_ip_ranges {
range = "10.255.255.0/24"
}
advertised_ip_ranges {
range = "192.168.255.0/24"
}
}
}
module "example-va" {
source = "./fabric/modules/net-vlan-attachment"
network = "mynet"
project_id = "myproject"
region = "europe-west8"
name = "vlan-attachment"
description = "Example vlan attachment"
peer_asn = "65000"
router_config = {
create = false
name = google_compute_router.interconnect-router.name
bfd = {
min_receive_interval = 1000
min_transmit_interval = 1000
multiplier = 5
session_initialization_mode = "ACTIVE"
}
md5_authentication_key = {
name = "foo"
key = "bar"
}
}
dedicated_interconnect_config = {
bandwidth = "BPS_10G"
bgp_range = "169.254.0.0/30"
interconnect = "interconnect-a"
vlan_tag = 12345
}
}
# tftest modules=1 resources=4
```
### Partner Interconnect - Single VLAN Attachment (No SLA)
```hcl
@ -434,7 +488,7 @@ module "example-va-b-ew12" {
# tftest modules=4 resources=6
```
### IPSec for Dedicated Interconnect
### IPSec for Dedicated Interconnect
Refer to the [HA VPN over Interconnect Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/) for an all-encompassing example.
@ -495,7 +549,7 @@ module "example-va-b" {
# tftest modules=2 resources=9
```
### IPSec for Partner Interconnect
### IPSec for Partner Interconnect
```hcl
module "example-va-a" {
@ -533,10 +587,7 @@ module "example-va-b" {
}
# tftest modules=2 resources=6
```
<!-- BEGIN TFDOC -->
## Variables
| name | description | type | required | default |
@ -547,14 +598,14 @@ module "example-va-b" {
| [peer_asn](variables.tf#L74) | The on-premises underlay router ASN. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L79) | The project id where resources are created. | <code>string</code> | ✓ | |
| [region](variables.tf#L84) | The region where resources are created. | <code>string</code> | ✓ | |
| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; asn &#61; optional&#40;number, 65001&#41;&#10; name &#61; optional&#40;string, &#34;router&#34;&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; bfd &#61; optional&#40;object&#40;&#123;&#10; session_initialization_mode &#61; optional&#40;string, &#34;ACTIVE&#34;&#41;&#10; min_receive_interval &#61; optional&#40;number&#41;&#10; min_transmit_interval &#61; optional&#40;number&#41;&#10; multiplier &#61; optional&#40;number&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; asn &#61; optional&#40;number, 65001&#41;&#10; bfd &#61; optional&#40;object&#40;&#123;&#10; min_receive_interval &#61; optional&#40;number&#41;&#10; min_transmit_interval &#61; optional&#40;number&#41;&#10; multiplier &#61; optional&#40;number&#41;&#10; session_initialization_mode &#61; optional&#40;string, &#34;ACTIVE&#34;&#41;&#10; &#125;&#41;&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; key &#61; string&#10; &#125;&#41;&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; name &#61; optional&#40;string, &#34;router&#34;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [admin_enabled](variables.tf#L17) | Whether the VLAN attachment is enabled. | <code>bool</code> | | <code>true</code> |
| [dedicated_interconnect_config](variables.tf#L23) | Partner interconnect configuration. | <code title="object&#40;&#123;&#10; bandwidth &#61; optional&#40;string, &#34;BPS_10G&#34;&#41;&#10; bgp_range &#61; optional&#40;string, &#34;169.254.128.0&#47;29&#34;&#41;&#10; interconnect &#61; string&#10; vlan_tag &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [ipsec_gateway_ip_ranges](variables.tf#L40) | IPSec Gateway IP Ranges. | <code>map&#40;string&#41;</code> | | <code>&#123;&#125;</code> |
| [mtu](variables.tf#L46) | The MTU associated to the VLAN attachment (1440 / 1500). | <code>number</code> | | <code>1500</code> |
| [partner_interconnect_config](variables.tf#L62) | Partner interconnect configuration. | <code title="object&#40;&#123;&#10; edge_availability_domain &#61; string&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>null</code> |
| [vlan_tag](variables.tf#L110) | The VLAN id to be used for this VLAN attachment. | <code>number</code> | | <code>null</code> |
| [vpn_gateways_ip_range](variables.tf#L116) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | <code>string</code> | | <code>null</code> |
| [vlan_tag](variables.tf#L114) | The VLAN id to be used for this VLAN attachment. | <code>number</code> | | <code>null</code> |
| [vpn_gateways_ip_range](variables.tf#L120) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | <code>string</code> | | <code>null</code> |
## Outputs
@ -567,5 +618,4 @@ module "example-va-b" {
| [router](outputs.tf#L37) | Router resource (only if auto-created). | |
| [router_interface](outputs.tf#L42) | Router interface created for the VLAN attachment. | |
| [router_name](outputs.tf#L47) | Router name. | |
<!-- END TFDOC -->

16
modules/net-vlan-attachment/main.tf
View File

@ -136,10 +136,18 @@ resource "google_compute_router_peer" "default" {
dynamic "bfd" {
for_each = var.router_config.bfd != null ? toset([var.router_config.bfd]) : []
content {
session_initialization_mode = bfd.session_initialization_mode
min_receive_interval = bfd.min_receive_interval
min_transmit_interval = bfd.min_transmit_interval
multiplier = bfd.multiplier
session_initialization_mode = bfd.value.session_initialization_mode
min_receive_interval = bfd.value.min_receive_interval
min_transmit_interval = bfd.value.min_transmit_interval
multiplier = bfd.value.multiplier
}
}
dynamic "md5_authentication_key" {
for_each = var.router_config.md5_authentication_key != null ? [var.router_config.md5_authentication_key] : []
content {
name = md5_authentication_key.value.name
key = md5_authentication_key.value.key
}
}

22
modules/net-vlan-attachment/variables.tf
View File

@ -89,20 +89,24 @@ variable "region" {
variable "router_config" {
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
type = object({
create = optional(bool, true)
asn = optional(number, 65001)
name = optional(string, "router")
keepalive = optional(number)
create = optional(bool, true)
asn = optional(number, 65001)
bfd = optional(object({
min_receive_interval = optional(number)
min_transmit_interval = optional(number)
multiplier = optional(number)
session_initialization_mode = optional(string, "ACTIVE")
}))
custom_advertise = optional(object({
all_subnets = bool
ip_ranges = map(string)
}))
bfd = optional(object({
session_initialization_mode = optional(string, "ACTIVE")
min_receive_interval = optional(number)
min_transmit_interval = optional(number)
multiplier = optional(number)
md5_authentication_key = optional(object({
name = string
key = string
}))
keepalive = optional(number)
name = optional(string, "router")
})
nullable = false
}

32
modules/net-vpn-ha/README.md
View File

@ -104,6 +104,18 @@ module "vpn_ha" {
bgp_peer = {
address = "169.254.1.1"
asn = 64513
# BFD is optional
bfd = {
min_receive_interval = 1000
min_transmit_interval = 1000
multiplier = 5
session_initialization_mode = "ACTIVE"
}
# MD5 Authentication is optional
md5_authentication_key = {
name = "foo"
key = "bar"
}
}
bgp_session_range = "169.254.1.2/30"
peer_external_gateway_interface = 0
@ -114,6 +126,18 @@ module "vpn_ha" {
bgp_peer = {
address = "169.254.2.1"
asn = 64513
# BFD is optional
bfd = {
min_receive_interval = 1000
min_transmit_interval = 1000
multiplier = 5
session_initialization_mode = "ACTIVE"
}
# MD5 Authentication is optional
md5_authentication_key = {
name = "foo"
key = "bar"
}
}
bgp_session_range = "169.254.2.2/30"
peer_external_gateway_interface = 0
@ -187,11 +211,11 @@ module "vpn_ha" {
| [network](variables.tf#L22) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
| [project_id](variables.tf#L47) | Project where resources will be created. | <code>string</code> | ✓ | |
| [region](variables.tf#L52) | Region used for resources. | <code>string</code> | ✓ | |
| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10; create &#61; optional&#40;bool, true&#41;&#10; asn &#61; number&#10; name &#61; optional&#40;string&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object&#40;&#123;&#10; asn &#61; number&#10; create &#61; optional&#40;bool, true&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; keepalive &#61; optional&#40;number&#41;&#10; name &#61; optional&#40;string&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | ✓ | |
| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="map&#40;object&#40;&#123;&#10; external &#61; optional&#40;object&#40;&#123;&#10; redundancy_type &#61; string&#10; interfaces &#61; list&#40;string&#41;&#10; description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10; &#125;&#41;&#41;&#10; gcp &#61; optional&#40;string&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10; bgp_peer &#61; object&#40;&#123;&#10; address &#61; string&#10; asn &#61; number&#10; route_priority &#61; optional&#40;number, 1000&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; all_vpc_subnets &#61; bool&#10; all_peer_vpc_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; ipv6 &#61; optional&#40;object&#40;&#123;&#10; nexthop_address &#61; optional&#40;string&#41;&#10; peer_nexthop_address &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; bgp_session_range &#61; string&#10; ike_version &#61; optional&#40;number, 2&#41;&#10; peer_external_gateway_interface &#61; optional&#40;number&#41;&#10; peer_gateway &#61; optional&#40;string, &#34;default&#34;&#41;&#10; router &#61; optional&#40;string&#41;&#10; shared_secret &#61; optional&#40;string&#41;&#10; vpn_gateway_interface &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [vpn_gateway](variables.tf#L104) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
| [vpn_gateway_create](variables.tf#L110) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10; ipv6 &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map&#40;object&#40;&#123;&#10; bgp_peer &#61; object&#40;&#123;&#10; address &#61; string&#10; asn &#61; number&#10; route_priority &#61; optional&#40;number, 1000&#41;&#10; bfd &#61; optional&#40;object&#40;&#123;&#10; min_receive_interval &#61; optional&#40;number&#41;&#10; min_transmit_interval &#61; optional&#40;number&#41;&#10; multiplier &#61; optional&#40;number&#41;&#10; session_initialization_mode &#61; optional&#40;string, &#34;ACTIVE&#34;&#41;&#10; &#125;&#41;&#41;&#10; custom_advertise &#61; optional&#40;object&#40;&#123;&#10; all_subnets &#61; bool&#10; all_vpc_subnets &#61; bool&#10; all_peer_vpc_subnets &#61; bool&#10; ip_ranges &#61; map&#40;string&#41;&#10; &#125;&#41;&#41;&#10; md5_authentication_key &#61; optional&#40;object&#40;&#123;&#10; name &#61; string&#10; key &#61; string&#10; &#125;&#41;&#41;&#10; ipv6 &#61; optional&#40;object&#40;&#123;&#10; nexthop_address &#61; optional&#40;string&#41;&#10; peer_nexthop_address &#61; optional&#40;string&#41;&#10; &#125;&#41;&#41;&#10; &#125;&#41;&#10; bgp_session_range &#61; string&#10; ike_version &#61; optional&#40;number, 2&#41;&#10; peer_external_gateway_interface &#61; optional&#40;number&#41;&#10; peer_gateway &#61; optional&#40;string, &#34;default&#34;&#41;&#10; router &#61; optional&#40;string&#41;&#10; shared_secret &#61; optional&#40;string&#41;&#10; vpn_gateway_interface &#61; number&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> | | <code>&#123;&#125;</code> |
| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object&#40;&#123;&#10; description &#61; optional&#40;string, &#34;Terraform managed external VPN gateway&#34;&#41;&#10; ipv6 &#61; optional&#40;bool, false&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> | | <code>&#123;&#125;</code> |
## Outputs

16
modules/net-vpn-ha/main.tf
View File

@ -117,6 +117,22 @@ resource "google_compute_router_peer" "bgp_peer" {
description = range.value
}
}
dynamic "bfd" {
for_each = each.value.bgp_peer.bfd != null ? [each.value.bgp_peer.bfd] : []
content {
session_initialization_mode = bfd.value.session_initialization_mode
min_receive_interval = bfd.value.min_receive_interval
min_transmit_interval = bfd.value.min_transmit_interval
multiplier = bfd.value.multiplier
}
}
dynamic "md5_authentication_key" {
for_each = each.value.bgp_peer.md5_authentication_key != null ? toset([each.value.bgp_peer.md5_authentication_key]) : []
content {
name = md5_authentication_key.value.name
key = md5_authentication_key.value.key
}
}
enable_ipv6 = try(each.value.bgp_peer.ipv6, null) == null ? false : true
interface = google_compute_router_interface.router_interface[each.key].name
ipv6_nexthop_address = try(each.value.bgp_peer.ipv6.nexthop_address, null)

18
modules/net-vpn-ha/variables.tf
View File

@ -57,14 +57,14 @@ variable "region" {
variable "router_config" {
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
type = object({
create = optional(bool, true)
asn = number
name = optional(string)
keepalive = optional(number)
asn = number
create = optional(bool, true)
custom_advertise = optional(object({
all_subnets = bool
ip_ranges = map(string)
}))
keepalive = optional(number)
name = optional(string)
})
nullable = false
}
@ -76,12 +76,22 @@ variable "tunnels" {
address = string
asn = number
route_priority = optional(number, 1000)
bfd = optional(object({
min_receive_interval = optional(number)
min_transmit_interval = optional(number)
multiplier = optional(number)
session_initialization_mode = optional(string, "ACTIVE")
}))
custom_advertise = optional(object({
all_subnets = bool
all_vpc_subnets = bool
all_peer_vpc_subnets = bool
ip_ranges = map(string)
}))
md5_authentication_key = optional(object({
name = string
key = string
}))
ipv6 = optional(object({
nexthop_address = optional(string)
peer_nexthop_address = optional(string)