Adds bfd and md5 auth support to google_compute_router_peer (#2142)
* Adds support for md5 auth to net-vlan-attachment * Adds support for md5 auth to net-ipsec-over-interconnect * Adds support for md5 auth to net-vpn-ha * Adds support for BFD to net-vpn-ha
This commit is contained in:
parent
759e85d6af
commit
eb0ed0c2a3
@ -64,6 +64,11 @@ module "vpngw-a" {
|
|||
bgp_peer = {
|
||||
address = "169.254.1.2"
|
||||
asn = 64514
|
||||
# MD5 Authentication is optional
|
||||
md5_authentication_key = {
|
||||
name = "foo"
|
||||
key = "bar"
|
||||
}
|
||||
}
|
||||
bgp_session_range = "169.254.1.1/30"
|
||||
shared_secret = "foobar"
|
||||
|
@ -112,7 +117,7 @@ module "vpngw-a" {
|
|||
| [project_id](variables.tf#L54) | The project id. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L59) | GCP Region. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L64) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = optional(number) name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway_id = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tunnels](variables.tf#L79) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) md5_authentication_key = optional(object({ name = string key = string })) route_priority = optional(number, 1000) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway_id = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -116,6 +116,15 @@ resource "google_compute_router_peer" "default" {
|
|||
description = range.value
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "md5_authentication_key" {
|
||||
for_each = each.value.bgp_peer.md5_authentication_key != null ? [each.value.bgp_peer.md5_authentication_key] : []
|
||||
content {
|
||||
name = md5_authentication_key.value.name
|
||||
key = md5_authentication_key.value.key
|
||||
}
|
||||
}
|
||||
|
||||
interface = google_compute_router_interface.default[each.key].name
|
||||
}
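Review bot: On `key = md5_authentication_key.value.key` the MD5 key is passed straight through from `var.tunnels`, which is not declared `sensitive`, so unless the provider schema already marks this attribute sensitive (I believe it does, but verify) the key is printed in every `terraform plan`; writing it as `key = sensitive(md5_authentication_key.value.key)` redacts it from plan output at no cost. Either way the key, like the tunnel `shared_secret`, lands in plain text in the state file, so a comment above the block reminding callers that the state backend holds secret material would be appropriate. Minor consistency point: this `for_each` wraps the object in a bare list while the sibling module's identical block uses `toset([...])`; both yield a single iteration, but one form should be used across the modules. The enclosing `google_compute_router_peer.default` resource starts before the hunk.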
|
||||
|
||||
|
|
|
@ -80,15 +80,19 @@ variable "tunnels" {
|
|||
description = "VPN tunnel configurations."
|
||||
type = map(object({
|
||||
bgp_peer = object({
|
||||
address = string
|
||||
asn = number
|
||||
route_priority = optional(number, 1000)
|
||||
address = string
|
||||
asn = number
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
all_vpc_subnets = bool
|
||||
all_peer_vpc_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
md5_authentication_key = optional(object({
|
||||
name = string
|
||||
key = string
|
||||
}))
|
||||
route_priority = optional(number, 1000)
|
||||
})
|
||||
# each BGP session on the same Cloud Router must use a unique /30 CIDR
|
||||
# from the 169.254.0.0/16 block.
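Review bot: The new `md5_authentication_key` object accepts any string for `key`, so an empty or whitespace-only value is sent to the API as the session key; a `validation` block on `tunnels` (the variable's closing brace is outside the hunk) would reject that at plan time instead of at apply. The description should also state that the key is stored in plain text in Terraform state, since this variable is the only place a module user learns it. `name` has API-side constraints as well (RFC1035 name, unique within a router, per the Cloud Router reference — confirm), which a second condition could enforce.
```hcl
  # … unchanged: description, type …
  validation {
    condition     = alltrue([for t in var.tunnels : try(trimspace(t.bgp_peer.md5_authentication_key.key) != "", true)])
    error_message = "bgp_peer.md5_authentication_key.key must be a non-empty string when set."
  }
```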
|
||||
|
|
|
@ -47,6 +47,60 @@ module "example-va" {
|
|||
# tftest modules=1 resources=4
|
||||
```
|
||||
|
||||
### Dedicated Interconnect - Single VLAN Attachment (No SLA) - BFD and MD5 Auth
|
||||
|
||||
```hcl
|
||||
resource "google_compute_router" "interconnect-router" {
|
||||
name = "interconnect-router"
|
||||
network = "mynet"
|
||||
project = "myproject"
|
||||
region = "europe-west8"
|
||||
bgp {
|
||||
advertise_mode = "CUSTOM"
|
||||
asn = 64514
|
||||
advertised_groups = ["ALL_SUBNETS"]
|
||||
advertised_ip_ranges {
|
||||
range = "10.255.255.0/24"
|
||||
}
|
||||
advertised_ip_ranges {
|
||||
range = "192.168.255.0/24"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module "example-va" {
|
||||
source = "./fabric/modules/net-vlan-attachment"
|
||||
network = "mynet"
|
||||
project_id = "myproject"
|
||||
region = "europe-west8"
|
||||
name = "vlan-attachment"
|
||||
description = "Example vlan attachment"
|
||||
peer_asn = "65000"
|
||||
router_config = {
|
||||
create = false
|
||||
name = google_compute_router.interconnect-router.name
|
||||
bfd = {
|
||||
min_receive_interval = 1000
|
||||
min_transmit_interval = 1000
|
||||
multiplier = 5
|
||||
session_initialization_mode = "ACTIVE"
|
||||
}
|
||||
md5_authentication_key = {
|
||||
name = "foo"
|
||||
key = "bar"
|
||||
}
|
||||
}
|
||||
dedicated_interconnect_config = {
|
||||
bandwidth = "BPS_10G"
|
||||
bgp_range = "169.254.0.0/30"
|
||||
interconnect = "interconnect-a"
|
||||
vlan_tag = 12345
|
||||
}
|
||||
}
|
||||
|
||||
# tftest modules=1 resources=4
|
||||
```
|
||||
|
||||
### Partner Interconnect - Single VLAN Attachment (No SLA)
|
||||
|
||||
```hcl
|
||||
|
@ -434,7 +488,7 @@ module "example-va-b-ew12" {
|
|||
# tftest modules=4 resources=6
|
||||
```
|
||||
|
||||
### IPSec for Dedicated Interconnect
|
||||
### IPSec for Dedicated Interconnect
|
||||
|
||||
Refer to the [HA VPN over Interconnect Blueprint](../../blueprints/networking/ha-vpn-over-interconnect/) for an all-encompassing example.
|
||||
|
||||
|
@ -495,7 +549,7 @@ module "example-va-b" {
|
|||
# tftest modules=2 resources=9
|
||||
```
|
||||
|
||||
### IPSec for Partner Interconnect
|
||||
### IPSec for Partner Interconnect
|
||||
|
||||
```hcl
|
||||
module "example-va-a" {
|
||||
|
@ -533,10 +587,7 @@ module "example-va-b" {
|
|||
}
|
||||
# tftest modules=2 resources=6
|
||||
```
|
||||
|
||||
|
||||
<!-- BEGIN TFDOC -->
|
||||
|
||||
## Variables
|
||||
|
||||
| name | description | type | required | default |
|
||||
|
@ -547,14 +598,14 @@ module "example-va-b" {
|
|||
| [peer_asn](variables.tf#L74) | The on-premises underlay router ASN. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L79) | The project id where resources are created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L84) | The region where resources are created. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = optional(number, 65001) name = optional(string, "router") keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) bfd = optional(object({ session_initialization_mode = optional(string, "ACTIVE") min_receive_interval = optional(number) min_transmit_interval = optional(number) multiplier = optional(number) })) })">object({…})</code> | ✓ | |
|
||||
| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = optional(number, 65001) bfd = optional(object({ min_receive_interval = optional(number) min_transmit_interval = optional(number) multiplier = optional(number) session_initialization_mode = optional(string, "ACTIVE") })) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) md5_authentication_key = optional(object({ name = string key = string })) keepalive = optional(number) name = optional(string, "router") })">object({…})</code> | ✓ | |
|
||||
| [admin_enabled](variables.tf#L17) | Whether the VLAN attachment is enabled. | <code>bool</code> | | <code>true</code> |
|
||||
| [dedicated_interconnect_config](variables.tf#L23) | Partner interconnect configuration. | <code title="object({ bandwidth = optional(string, "BPS_10G") bgp_range = optional(string, "169.254.128.0/29") interconnect = string vlan_tag = string })">object({…})</code> | | <code>null</code> |
|
||||
| [ipsec_gateway_ip_ranges](variables.tf#L40) | IPSec Gateway IP Ranges. | <code>map(string)</code> | | <code>{}</code> |
|
||||
| [mtu](variables.tf#L46) | The MTU associated to the VLAN attachment (1440 / 1500). | <code>number</code> | | <code>1500</code> |
|
||||
| [partner_interconnect_config](variables.tf#L62) | Partner interconnect configuration. | <code title="object({ edge_availability_domain = string })">object({…})</code> | | <code>null</code> |
|
||||
| [vlan_tag](variables.tf#L110) | The VLAN id to be used for this VLAN attachment. | <code>number</code> | | <code>null</code> |
|
||||
| [vpn_gateways_ip_range](variables.tf#L116) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | <code>string</code> | | <code>null</code> |
|
||||
| [vlan_tag](variables.tf#L114) | The VLAN id to be used for this VLAN attachment. | <code>number</code> | | <code>null</code> |
|
||||
| [vpn_gateways_ip_range](variables.tf#L120) | The IP range (cidr notation) to be used for the GCP VPN gateways. If null IPSec over Interconnect is not enabled. | <code>string</code> | | <code>null</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
@ -567,5 +618,4 @@ module "example-va-b" {
|
|||
| [router](outputs.tf#L37) | Router resource (only if auto-created). | |
|
||||
| [router_interface](outputs.tf#L42) | Router interface created for the VLAN attachment. | |
|
||||
| [router_name](outputs.tf#L47) | Router name. | |
|
||||
|
||||
<!-- END TFDOC -->
|
||||
|
|
|
@ -136,10 +136,18 @@ resource "google_compute_router_peer" "default" {
|
|||
dynamic "bfd" {
|
||||
for_each = var.router_config.bfd != null ? toset([var.router_config.bfd]) : []
|
||||
content {
|
||||
session_initialization_mode = bfd.session_initialization_mode
|
||||
min_receive_interval = bfd.min_receive_interval
|
||||
min_transmit_interval = bfd.min_transmit_interval
|
||||
multiplier = bfd.multiplier
|
||||
session_initialization_mode = bfd.value.session_initialization_mode
|
||||
min_receive_interval = bfd.value.min_receive_interval
|
||||
min_transmit_interval = bfd.value.min_transmit_interval
|
||||
multiplier = bfd.value.multiplier
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "md5_authentication_key" {
|
||||
for_each = var.router_config.md5_authentication_key != null ? [var.router_config.md5_authentication_key] : []
|
||||
content {
|
||||
name = md5_authentication_key.value.name
|
||||
key = md5_authentication_key.value.key
|
||||
}
|
||||
}
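Review bot: Two blocks apart in the same resource, the `bfd` `for_each` wraps its object as `toset([var.router_config.bfd])` while the new `md5_authentication_key` one uses a bare list `[var.router_config.md5_authentication_key]`; both produce one iteration, but the inconsistency reads as an oversight and the list is the simpler form for a single optional object. On the key itself, `key = md5_authentication_key.value.key` comes from `var.router_config`, which is not `sensitive`, so unless the provider marks the attribute sensitive (verify) it is echoed in plan output; `key = sensitive(md5_authentication_key.value.key)` redacts it. The state file holds it in the clear regardless, which deserves a one-line comment above the block. The enclosing `google_compute_router_peer.default` resource starts before the hunk.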
|
||||
|
||||
|
|
|
@ -89,20 +89,24 @@ variable "region" {
|
|||
variable "router_config" {
|
||||
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
|
||||
type = object({
|
||||
create = optional(bool, true)
|
||||
asn = optional(number, 65001)
|
||||
name = optional(string, "router")
|
||||
keepalive = optional(number)
|
||||
create = optional(bool, true)
|
||||
asn = optional(number, 65001)
|
||||
bfd = optional(object({
|
||||
min_receive_interval = optional(number)
|
||||
min_transmit_interval = optional(number)
|
||||
multiplier = optional(number)
|
||||
session_initialization_mode = optional(string, "ACTIVE")
|
||||
}))
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
bfd = optional(object({
|
||||
session_initialization_mode = optional(string, "ACTIVE")
|
||||
min_receive_interval = optional(number)
|
||||
min_transmit_interval = optional(number)
|
||||
multiplier = optional(number)
|
||||
md5_authentication_key = optional(object({
|
||||
name = string
|
||||
key = string
|
||||
}))
|
||||
keepalive = optional(number)
|
||||
name = optional(string, "router")
|
||||
})
|
||||
nullable = false
|
||||
}
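Review bot: The `router_config` description still reads "Cloud Router configuration for the VPN" although this appears to be the VLAN attachment module and the object now carries a `bfd` block and a BGP MD5 key, and nothing tells the caller that `md5_authentication_key.key` ends up in plain text in Terraform state (and in plan output unless redacted). Suggested text: `Cloud Router configuration for the VLAN attachment. If you want to reuse an existing router, set create to false and use name to specify the desired router. The optional bfd and md5_authentication_key blocks apply to the BGP peer; the MD5 key is stored in plain text in the Terraform state.` The BFD interval and multiplier fields accept any number; if the provider documents a bounded range for them, a validation block here would fail earlier than apply.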
|
||||
|
|
|
@ -104,6 +104,18 @@ module "vpn_ha" {
|
|||
bgp_peer = {
|
||||
address = "169.254.1.1"
|
||||
asn = 64513
|
||||
# BFD is optional
|
||||
bfd = {
|
||||
min_receive_interval = 1000
|
||||
min_transmit_interval = 1000
|
||||
multiplier = 5
|
||||
session_initialization_mode = "ACTIVE"
|
||||
}
|
||||
# MD5 Authentication is optional
|
||||
md5_authentication_key = {
|
||||
name = "foo"
|
||||
key = "bar"
|
||||
}
|
||||
}
|
||||
bgp_session_range = "169.254.1.2/30"
|
||||
peer_external_gateway_interface = 0
|
||||
|
@ -114,6 +126,18 @@ module "vpn_ha" {
|
|||
bgp_peer = {
|
||||
address = "169.254.2.1"
|
||||
asn = 64513
|
||||
# BFD is optional
|
||||
bfd = {
|
||||
min_receive_interval = 1000
|
||||
min_transmit_interval = 1000
|
||||
multiplier = 5
|
||||
session_initialization_mode = "ACTIVE"
|
||||
}
|
||||
# MD5 Authentication is optional
|
||||
md5_authentication_key = {
|
||||
name = "foo"
|
||||
key = "bar"
|
||||
}
|
||||
}
|
||||
bgp_session_range = "169.254.2.2/30"
|
||||
peer_external_gateway_interface = 0
|
||||
|
@ -187,11 +211,11 @@ module "vpn_ha" {
|
|||
| [network](variables.tf#L22) | VPC used for the gateway and routes. | <code>string</code> | ✓ | |
|
||||
| [project_id](variables.tf#L47) | Project where resources will be created. | <code>string</code> | ✓ | |
|
||||
| [region](variables.tf#L52) | Region used for resources. | <code>string</code> | ✓ | |
|
||||
| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ create = optional(bool, true) asn = number name = optional(string) keepalive = optional(number) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) })">object({…})</code> | ✓ | |
|
||||
| [router_config](variables.tf#L57) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | <code title="object({ asn = number create = optional(bool, true) custom_advertise = optional(object({ all_subnets = bool ip_ranges = map(string) })) keepalive = optional(number) name = optional(string) })">object({…})</code> | ✓ | |
|
||||
| [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | <code title="map(object({ external = optional(object({ redundancy_type = string interfaces = list(string) description = optional(string, "Terraform managed external VPN gateway") })) gcp = optional(string) }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) ipv6 = optional(object({ nexthop_address = optional(string) peer_nexthop_address = optional(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L104) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L110) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object({ description = optional(string, "Terraform managed external VPN gateway") ipv6 = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
| [tunnels](variables.tf#L72) | VPN tunnel configurations. | <code title="map(object({ bgp_peer = object({ address = string asn = number route_priority = optional(number, 1000) bfd = optional(object({ min_receive_interval = optional(number) min_transmit_interval = optional(number) multiplier = optional(number) session_initialization_mode = optional(string, "ACTIVE") })) custom_advertise = optional(object({ all_subnets = bool all_vpc_subnets = bool all_peer_vpc_subnets = bool ip_ranges = map(string) })) md5_authentication_key = optional(object({ name = string key = string })) ipv6 = optional(object({ nexthop_address = optional(string) peer_nexthop_address = optional(string) })) }) bgp_session_range = string ike_version = optional(number, 2) peer_external_gateway_interface = optional(number) peer_gateway = optional(string, "default") router = optional(string) shared_secret = optional(string) vpn_gateway_interface = number }))">map(object({…}))</code> | | <code>{}</code> |
|
||||
| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | <code>string</code> | | <code>null</code> |
|
||||
| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. Set to null to avoid creation. | <code title="object({ description = optional(string, "Terraform managed external VPN gateway") ipv6 = optional(bool, false) })">object({…})</code> | | <code>{}</code> |
|
||||
|
||||
## Outputs
|
||||
|
||||
|
|
|
@ -117,6 +117,22 @@ resource "google_compute_router_peer" "bgp_peer" {
|
|||
description = range.value
|
||||
}
|
||||
}
|
||||
dynamic "bfd" {
|
||||
for_each = each.value.bgp_peer.bfd != null ? [each.value.bgp_peer.bfd] : []
|
||||
content {
|
||||
session_initialization_mode = bfd.value.session_initialization_mode
|
||||
min_receive_interval = bfd.value.min_receive_interval
|
||||
min_transmit_interval = bfd.value.min_transmit_interval
|
||||
multiplier = bfd.value.multiplier
|
||||
}
|
||||
}
|
||||
dynamic "md5_authentication_key" {
|
||||
for_each = each.value.bgp_peer.md5_authentication_key != null ? toset([each.value.bgp_peer.md5_authentication_key]) : []
|
||||
content {
|
||||
name = md5_authentication_key.value.name
|
||||
key = md5_authentication_key.value.key
|
||||
}
|
||||
}
|
||||
enable_ipv6 = try(each.value.bgp_peer.ipv6, null) == null ? false : true
|
||||
interface = google_compute_router_interface.router_interface[each.key].name
|
||||
ipv6_nexthop_address = try(each.value.bgp_peer.ipv6.nexthop_address, null)
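Review bot: The new `bfd` and `md5_authentication_key` blocks sit side by side, which invites the assumption that the key protects both; it does not — BGP MD5 (RFC 2385) authenticates the BGP TCP session only, while BFD is a separate UDP session that this block configures with no authentication (the provider `bfd` block exposes none, as far as I can see). A comment above `dynamic "bfd"` such as `# NOTE: md5_authentication_key covers the BGP session only; BFD control packets are not authenticated by it.` would save the next reader from that assumption. The `md5_authentication_key` `for_each` uses `toset([...])` while the `bfd` one a few lines up uses a bare list; pick one form. The enclosing `google_compute_router_peer.bgp_peer` resource starts before the hunk and continues after it.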
|
||||
|
|
|
@ -57,14 +57,14 @@ variable "region" {
|
|||
variable "router_config" {
|
||||
description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
|
||||
type = object({
|
||||
create = optional(bool, true)
|
||||
asn = number
|
||||
name = optional(string)
|
||||
keepalive = optional(number)
|
||||
asn = number
|
||||
create = optional(bool, true)
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
keepalive = optional(number)
|
||||
name = optional(string)
|
||||
})
|
||||
nullable = false
|
||||
}
|
||||
|
@ -76,12 +76,22 @@ variable "tunnels" {
|
|||
address = string
|
||||
asn = number
|
||||
route_priority = optional(number, 1000)
|
||||
bfd = optional(object({
|
||||
min_receive_interval = optional(number)
|
||||
min_transmit_interval = optional(number)
|
||||
multiplier = optional(number)
|
||||
session_initialization_mode = optional(string, "ACTIVE")
|
||||
}))
|
||||
custom_advertise = optional(object({
|
||||
all_subnets = bool
|
||||
all_vpc_subnets = bool
|
||||
all_peer_vpc_subnets = bool
|
||||
ip_ranges = map(string)
|
||||
}))
|
||||
md5_authentication_key = optional(object({
|
||||
name = string
|
||||
key = string
|
||||
}))
|
||||
ipv6 = optional(object({
|
||||
nexthop_address = optional(string)
|
||||
peer_nexthop_address = optional(string)
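Review bot: Nothing constrains `md5_authentication_key.name`, and the README example in this same commit sets `name = "foo"` on both tunnels of one gateway; the Cloud Router API reference says a key name must be unique within a router and comply with RFC1035, so if that holds the example will fail at apply. A `validation` block on `tunnels` (the variable closes outside the hunk) comparing `distinct(...)` of the key names against the number of tunnels carrying a key, grouped by each tunnel's `router` value, would surface this at plan time; at minimum the README should use distinct names. The description of `tunnels` should also note that `key` is stored in plain text in Terraform state.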
|
||||
|
|