update changelog
This commit is contained in:
parent
d2015b0bc3
commit
f29f1a562a
|
@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### BLUEPRINTS
|
||||
|
||||
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
|
||||
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->
|
||||
- [[#982](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/982)] Adding Secondary IP Utilization calculation ([brianhmj](https://github.com/brianhmj)) <!-- 2022-12-07 10:45:21+00:00 -->
|
||||
- [[#1037](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1037)] Bump qs and formidable in /blueprints/cloud-operations/apigee/functions/export ([dependabot[bot]](https://github.com/dependabot[bot])) <!-- 2022-12-06 15:43:35+00:00 -->
|
||||
|
@ -69,6 +70,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### DOCUMENTATION
|
||||
|
||||
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
|
||||
- [[#1014](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1014)] Update typos in `net-vpc-firewall` README.md ([aymanfarhat](https://github.com/aymanfarhat)) <!-- 2022-12-08 16:48:26+00:00 -->
|
||||
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->
|
||||
- [[#1009](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1009)] Fix encryption in Data Playground blueprint ([lcaggio](https://github.com/lcaggio)) <!-- 2022-11-25 15:19:02+00:00 -->
|
||||
|
@ -123,6 +125,7 @@ All notable changes to this project will be documented in this file.
|
|||
|
||||
### MODULES
|
||||
|
||||
- [[#1045](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1045)] Assorted module fixes ([ludoo](https://github.com/ludoo)) <!-- 2022-12-10 14:40:15+00:00 -->
|
||||
- [[#1040](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1040)] Fix name in google_pubsub_schema resource ([VictorCavalcanteLG](https://github.com/VictorCavalcanteLG)) <!-- 2022-12-08 17:25:36+00:00 -->
|
||||
- [[#1043](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1043)] added reverse lookup feature to module dns #1042 ([chemapolo](https://github.com/chemapolo)) <!-- 2022-12-08 17:13:05+00:00 -->
|
||||
- [[#1044](https://github.com/GoogleCloudPlatform/cloud-foundation-fabric/pull/1044)] **incompatible change:** Refactor net-glb module for Terraform 1.3 ([ludoo](https://github.com/ludoo)) <!-- 2022-12-08 16:35:45+00:00 -->
|
||||
|
|
|
@ -0,0 +1,154 @@
|
|||
#cloud-config
|
||||
|
||||
# Copyright 2022 Google LLC
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# https://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
write_files:
|
||||
- path: /etc/docker/daemon.json
|
||||
owner: root:root
|
||||
permissions: "0644"
|
||||
content: |
|
||||
{"log-driver": "json-file", "log-opts": {"max-size": "10m"}}
|
||||
|
||||
- path: /etc/systemd/system/docker-onprem.service
|
||||
permissions: "0644"
|
||||
owner: root
|
||||
content: |
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
[Unit]
|
||||
Description=Start Docker Compose onprem infrastructure
|
||||
After=network-online.target docker.socket
|
||||
Wants=network-online.target docker.socket
|
||||
[Service]
|
||||
ExecStart=/bin/sh -c \
|
||||
"cd /var/run/onprem && /var/run/docker-compose up"
|
||||
ExecStop=/bin/sh -c \
|
||||
"cd /var/run/onprem && /var/run/docker-compose down"
|
||||
|
||||
- path: /var/run/onprem/docker-compose.yaml
|
||||
permissions: "0644"
|
||||
owner: root
|
||||
content: |
|
||||
version: "3"
|
||||
services:
|
||||
vpn:
|
||||
image: debian:bullseye-slim
|
||||
networks:
|
||||
onprem:
|
||||
ipv4_address: ${cidrhost(ip_range, 2)}
|
||||
ports:
|
||||
- "500:500/udp"
|
||||
- "4500:4500/udp"
|
||||
- "179:179/tcp"
|
||||
privileged: true
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_BROADCAST
|
||||
- NET_RAW
|
||||
command: bash /start.sh
|
||||
volumes:
|
||||
- "/lib/modules:/lib/modules:ro"
|
||||
- "/usr/share/zoneinfo/UTC:/etc/localtime:ro"
|
||||
- "/var/run/onprem/vpn/ipsec.conf:/etc/ipsec.conf:ro"
|
||||
- "/var/run/onprem/vpn/ipsec.secrets:/etc/ipsec.secrets:ro"
|
||||
- "/var/run/onprem/vpn/ipsec-vti.sh:/etc/ipsec-vti.sh:ro"
|
||||
- "/var/run/onprem/vpn/start.sh:/start.sh:ro"
|
||||
environment:
|
||||
- LAN_NETWORKS=${ip_range}
|
||||
networks:
|
||||
onprem:
|
||||
ipam:
|
||||
driver: default
|
||||
config:
|
||||
- subnet: ${ip_range}
|
||||
|
||||
- path: /var/run/onprem/vpn/start.sh
|
||||
owner: root:root
|
||||
permissions: "0755"
|
||||
content: |
|
||||
#!/bin/bash
|
||||
apt-get update
|
||||
apt-get install -y bird procps strongswan
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
_stop_ipsec() {
|
||||
echo "Shutting down strongSwan/ipsec..."
|
||||
ipsec stop
|
||||
}
|
||||
trap _stop_ipsec TERM
|
||||
echo "Starting up strongSwan/ipsec..."
|
||||
ipsec start --nofork "$@" &
|
||||
child=$!
|
||||
wait "$child"
|
||||
|
||||
- path: /var/run/onprem/vpn/ipsec.secrets
|
||||
owner: root:root
|
||||
permissions: "0600"
|
||||
content: |
|
||||
%{for peer in peer_configs}${peer.address} : PSK "${peer.shared_secret}"%{endfor}
|
||||
|
||||
- path: /var/run/onprem/vpn/ipsec.conf
|
||||
owner: root:root
|
||||
permissions: "0644"
|
||||
content: |
|
||||
# ipsec.conf - strongswan IPsec configuration file
|
||||
# https://developers.microad.co.jp/entry/2022/05/30/100000
|
||||
|
||||
config setup
|
||||
# strictcrlpolicy=yes
|
||||
# uniqueids = no
|
||||
|
||||
# left: onprem Strongswan
|
||||
# right: GCP VPN
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=secret
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
type=tunnel
|
||||
leftsubnet=0.0.0.0/0,::/0
|
||||
rightsubnet=0.0.0.0/0,::/0
|
||||
|
||||
%{~ for i, peer in peer_configs }
|
||||
conn gcp-vpn-tunnel-${i}
|
||||
esp=aes128-sha1-modp1024,3des-sha1-modp1024
|
||||
ikelifetime=600m
|
||||
keylife=180m
|
||||
rekeymargin=1m
|
||||
keyingtries=5
|
||||
keyexchange=ikev2
|
||||
left = ${peer.bgp_session.local_address}
|
||||
leftid = ${external_address}
|
||||
leftupdown = /etc/ipsec-vti.sh
|
||||
right = ${peer.address}
|
||||
auto = start
|
||||
mark=100
|
||||
%{~ endfor }
|
||||
|
||||
- path: /var/run/onprem/vpn/ipsec-vti.sh
|
||||
owner: root:root
|
||||
permissions: "0644"
|
||||
content: |
|
||||
${ipsec_vti}
|
||||
|
||||
runcmd:
|
||||
- wget -O /var/run/docker-compose https://github.com/docker/compose/releases/download/v2.14.0/docker-compose-linux-x86_64
|
||||
- chmod 755 /var/run/docker-compose
|
||||
- systemctl daemon-reload
|
||||
- systemctl enable docker-onprem.service
|
||||
- systemctl start docker-onprem.service
|
|
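Review bot: The `ipsec.secrets` content `%{for peer in peer_configs}${peer.address} : PSK "${peer.shared_secret}"%{endfor}` emits every peer's entry on a single line with no separator, so any deployment with more than one peer produces an unparseable secrets file; put the loop body on its own line, e.g. `%{~ for peer in peer_configs }` / `${peer.address} : PSK "${peer.shared_secret}"` / `%{~ endfor }`. The updown script written to `/var/run/onprem/vpn/ipsec-vti.sh` gets `permissions: "0644"` while `start.sh` gets `"0755"`; strongSwan invokes `leftupdown` as a command, so unless it is run through an interpreter this presumably needs `"0755"` too. The `docker-compose` download in `runcmd` pins a version but verifies nothing; following the `wget` with `echo "<EXPECTED_SHA256>  /var/run/docker-compose" | sha256sum -c` would close the supply-chain gap. The `esp=aes128-sha1-modp1024,3des-sha1-modp1024` proposal in the templated `ipsec.conf` (and the same lines in the sample `ipsec.conf` added by this commit) allows 3DES, SHA-1 and DH group 2; Cloud VPN supports AES-GCM and DH group 14, so a proposal such as `esp=aes256gcm16-modp2048` is a stronger default. Everything is also placed under `/var/run`, which is a tmpfs on most distributions, so the compose binary and the VPN configs may not survive a reboot — worth confirming this is intended for the target image.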
@ -0,0 +1,64 @@
|
|||
#!/bin/bash
|
||||
|
||||
#
|
||||
# /etc/ipsec-vti.sh
|
||||
# https://developers.microad.co.jp/entry/2022/05/30/100000
|
||||
#
|
||||
|
||||
IP=$(which ip)
|
||||
IPTABLES=$(which iptables)
|
||||
|
||||
PLUTO_MARK_OUT_ARR=($${PLUTO_MARK_OUT//// })
|
||||
PLUTO_MARK_IN_ARR=($${PLUTO_MARK_IN//// })
|
||||
|
||||
case "$PLUTO_CONNECTION" in
|
||||
%{~ for i, peer in peer_configs }
|
||||
gcp-vpn-tunnel-${i})
|
||||
VTI_INTERFACE=vti0${i+1}
|
||||
VTI_LOCALADDR=${peer.bgp_session.local_address}/30
|
||||
VTI_REMOTEADDR=${peer.bgp_session.peer_address}/30
|
||||
;;
|
||||
%{ endfor }
|
||||
esac
|
||||
|
||||
# output parameters to /var/log/messages for debug
|
||||
logger "ipsec-vti.sh: ================================================="
|
||||
logger "ipsec-vti.sh: PLUTO_CONNECTION = $${PLUTO_CONNECTION}"
|
||||
logger "ipsec-vti.sh: PLUTO_VERB = $${PLUTO_VERB}"
|
||||
logger "ipsec-vti.sh: VTI_INTERFACE = $${VTI_INTERFACE}"
|
||||
logger "ipsec-vti.sh: PLUTO_ME = $${PLUTO_ME}"
|
||||
logger "ipsec-vti.sh: PLUTO_PEER = $${PLUTO_PEER}"
|
||||
logger "ipsec-vti.sh: PLUTO_MARK_IN_ARR[0] = $${PLUTO_MARK_IN_ARR[0]}"
|
||||
logger "ipsec-vti.sh: PLUTO_MARK_OUT_ARR[0] = $${PLUTO_MARK_OUT_ARR[0]}"
|
||||
logger "ipsec-vti.sh: PLUTO_MARK_IN = $${PLUTO_MARK_IN}"
|
||||
logger "ipsec-vti.sh: ================================================="
|
||||
|
||||
case "$${PLUTO_VERB}" in
|
||||
up-client)
|
||||
$IP link add $${VTI_INTERFACE} type vti \
|
||||
local $${PLUTO_ME} remote $${PLUTO_PEER} \
|
||||
okey $${PLUTO_MARK_OUT_ARR[0]} ikey $${PLUTO_MARK_IN_ARR[0]}
|
||||
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.disable_policy=1
|
||||
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=2 || \
|
||||
sysctl -w net.ipv4.conf.$${VTI_INTERFACE}.rp_filter=0
|
||||
$IP addr add $${VTI_LOCALADDR} remote $${VTI_REMOTEADDR} dev $${VTI_INTERFACE}
|
||||
$IP link set $${VTI_INTERFACE} up mtu 1436
|
||||
$IPTABLES -t mangle -I FORWARD -o $${VTI_INTERFACE} \
|
||||
-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
$IPTABLES -t mangle -I INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
|
||||
-j MARK --set-xmark $${PLUTO_MARK_IN}
|
||||
$IP route flush table 220
|
||||
;;
|
||||
down-client)
|
||||
$IP link del $${VTI_INTERFACE}
|
||||
$IPTABLES -t mangle -D FORWARD -o $${VTI_INTERFACE} \
|
||||
-p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
|
||||
$IPTABLES -t mangle -D INPUT -p esp -s $${PLUTO_PEER} -d $${PLUTO_ME} \
|
||||
-j MARK --set-xmark $${PLUTO_MARK_IN}
|
||||
;;
|
||||
esac
|
||||
|
||||
# Enable IPv4 forwarding
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
sysctl -w net.ipv4.conf.eth0.disable_xfrm=1
|
||||
sysctl -w net.ipv4.conf.eth0.disable_policy=1
|
|
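Review bot: The `case "$PLUTO_CONNECTION"` switch has no default arm, so for a connection name the loop did not generate `VTI_INTERFACE`, `VTI_LOCALADDR` and `VTI_REMOTEADDR` stay empty and the `up-client` branch runs `ip link add  type vti ...` and `sysctl -w net.ipv4.conf..disable_policy=1` with malformed arguments; a `*) logger "ipsec-vti.sh: unknown connection $${PLUTO_CONNECTION}"; exit 1 ;;` arm before the first `esac` fails early instead. The variable expansions in the `ip` and `iptables` invocations are unquoted; quoting them (`"$${VTI_INTERFACE}"`, `"$${PLUTO_PEER}"`) costs nothing and keeps an empty value from silently shifting arguments. A one-line comment above the first `case` saying that the connection name maps to a VTI index and a /30 link-local pair per peer would also help the next reader, since the `%{~ for i, peer in peer_configs }` loop is only visible in the template source.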
@ -0,0 +1,49 @@
|
|||
# ipsec.conf - strongSwan IPsec configuration file
|
||||
# https://developers.microad.co.jp/entry/2022/05/30/100000
|
||||
|
||||
config setup
|
||||
# strictcrlpolicy=yes
|
||||
# uniqueids = no
|
||||
|
||||
# left: onprem Strongswan
|
||||
# right: GCP VPN
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
authby=secret
|
||||
keyexchange=ikev2
|
||||
mobike=no
|
||||
type=tunnel
|
||||
leftsubnet=0.0.0.0/0,::/0
|
||||
rightsubnet=0.0.0.0/0,::/0
|
||||
|
||||
conn gcp-vpn-tunnel01
|
||||
esp=aes128-sha1-modp1024,3des-sha1-modp1024
|
||||
ikelifetime=600m
|
||||
keylife=180m
|
||||
rekeymargin=1m
|
||||
keyingtries=5
|
||||
keyexchange=ikev2
|
||||
left = ${ Own HostIP }
|
||||
leftid = ${ PublicIP of own Site }
|
||||
leftupdown = /etc/ipsec-vti.sh
|
||||
right = ${ opposite IP address }
|
||||
auto = start
|
||||
mark=100
|
||||
|
||||
conn gcp-vpn-tunnel02
|
||||
esp=aes128-sha1-modp1024,3des-sha1-modp1024
|
||||
ikelifetime=600m
|
||||
keylife=180m
|
||||
rekeymargin=1m
|
||||
keyingtries=5
|
||||
keyexchange=ikev2
|
||||
left = ${ Own HostIP }
|
||||
leftid = ${ PublicIP of own Site }
|
||||
leftupdown = /etc/ipsec-vti.sh
|
||||
right = ${ opposite IP address }
|
||||
auto = start
|
||||
mark=200
|
|
@ -0,0 +1,47 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
locals {
|
||||
_peer_ranges = [
|
||||
for i, peer in var.peer_configs : cidrsubnet("169.254.0.0/16", 14, i)
|
||||
]
|
||||
cloud_config = templatefile("${path.module}/assets/cloud-config.yaml", {
|
||||
asn = var.asn
|
||||
external_address = var.external_address
|
||||
ip_range = var.ip_range
|
||||
ipsec_vti = indent(6, templatefile("${path.module}/assets/ipsec-vti.sh", {
|
||||
peer_configs = local.peer_configs
|
||||
}))
|
||||
peer_configs = local.peer_configs
|
||||
})
|
||||
peer_configs = [
|
||||
for i, peer in var.peer_configs : merge(peer, {
|
||||
bgp_session = {
|
||||
asn = peer.bgp_session.asn
|
||||
local_address = (
|
||||
peer.bgp_session.local_address == null
|
||||
? cidrhost(local._peer_ranges, i, 1)
|
||||
: peer.bgp_session.local_address
|
||||
)
|
||||
peer_address = (
|
||||
peer.bgp_session.local_address == null
|
||||
? cidrhost(local._peer_ranges, i, 0)
|
||||
: peer.bgp_session.local_address
|
||||
)
|
||||
}
|
||||
})
|
||||
]
|
||||
}
|
|
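Review bot: `cidrhost(local._peer_ranges, i, 1)` and `cidrhost(local._peer_ranges, i, 0)` in the `peer_configs` local pass three arguments and a list where `cidrhost` takes a prefix string and a host number, so `terraform plan` will reject this; the intent reads as `cidrhost(local._peer_ranges[i], 1)` and `cidrhost(local._peer_ranges[i], 0)`. The `peer_address` branch also tests and falls back to `peer.bgp_session.local_address`, so an explicitly configured `peer_address` is ignored; both references there should be `peer.bgp_session.peer_address`. Host number 0 of a /30 is its network address — if the Cloud Router side is expected at the other usable host, that argument is presumably 2, worth confirming against the GCP-side configuration. A short comment above `_peer_ranges` saying that each peer gets its own /30 carved from `169.254.0.0/16` by index would document why the two locals are kept separate.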
@ -0,0 +1,20 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
output "cloud_config" {
|
||||
description = "Cloud config content to be set in user-data metadata."
|
||||
value = local.cloud_config
|
||||
}
|
|
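Review bot: `output "cloud_config"` exposes the rendered cloud-config, which embeds every `peer.shared_secret` in the `ipsec.secrets` file content, so the PSKs end up in plan output and `terraform output` listings in clear; add `sensitive = true` next to `value = local.cloud_config`. Callers that set the value as instance metadata still receive it, it is just no longer printed by default.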
@ -0,0 +1,49 @@
|
|||
/**
|
||||
* Copyright 2022 Google LLC
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
variable "asn" {
|
||||
description = "Local BGP asn."
|
||||
type = number
|
||||
default = 64521
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "external_address" {
|
||||
description = "Public address of the instance."
|
||||
type = string
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "ip_range" {
|
||||
description = "Local address range used for the Docker network and announced via BGP."
|
||||
type = string
|
||||
default = "192.168.128.0/24"
|
||||
nullable = false
|
||||
}
|
||||
|
||||
variable "peer_configs" {
|
||||
description = "Peer configurations."
|
||||
type = list(object({
|
||||
address = string
|
||||
shared_secret = string
|
||||
bgp_session = optional(object({
|
||||
asn = optional(number, 64520)
|
||||
local_address = optional(string)
|
||||
peer_address = optional(string)
|
||||
}), {})
|
||||
}))
|
||||
nullable = false
|
||||
}
|
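Review bot: `variable "peer_configs"` carries `shared_secret` (the IPsec PSK) but is not marked `sensitive = true`, so the values print in plan diffs; adding `sensitive = true` after `nullable = false` redacts them (and everything derived from them, so the `cloud_config` output needs the same flag). The `bgp_session` attributes have no description of when `local_address`/`peer_address` apply; a comment noting that both default to an auto-assigned link-local /30 per peer index would document the contract. `ip_range` accepts any string; a `validation` block with `condition = can(cidrhost(var.ip_range, 0))` would fail fast on a malformed range rather than inside the template.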