From e976d71428fe863c8d56cc67af4507e5ad16b79b Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Wed, 30 Nov 2022 15:19:49 +0100 Subject: [PATCH 1/4] Update rest of vpn modules to tf1.3 --- modules/net-vpn-dynamic/main.tf | 110 +++++++++++---------------- modules/net-vpn-dynamic/outputs.tf | 6 +- modules/net-vpn-dynamic/variables.tf | 71 +++++++---------- modules/net-vpn-ha/main.tf | 4 +- modules/net-vpn-ha/variables.tf | 2 +- modules/net-vpn-static/README.md | 4 +- modules/net-vpn-static/main.tf | 2 +- modules/net-vpn-static/variables.tf | 10 ++- 8 files changed, 85 insertions(+), 124 deletions(-) diff --git a/modules/net-vpn-dynamic/main.tf b/modules/net-vpn-dynamic/main.tf index 4da48c12de..fcf26934bc 100644 --- a/modules/net-vpn-dynamic/main.tf +++ b/modules/net-vpn-dynamic/main.tf @@ -21,9 +21,9 @@ locals { : var.gateway_address ) router = ( - var.router_create - ? google_compute_router.router[0].name - : var.router_name + var.router_config.create + ? try(google_compute_router.router[0].name, null) + : var.router_config.name ) secret = random_id.secret.b64_url } 
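Review bot: The `try(google_compute_router.router[0].name, null)` on the create branch of `local.router` turns any evaluation error into a silent null, which then resurfaces as an opaque `coalesce` failure in the peer, interface and tunnel resources instead of at its origin. The outputs.tf hunk later in this series handles the same count-conditional resource with `one(google_compute_router.router[*])` and no `try`; the same form fits here: `? one(google_compute_router.router[*].name)`. If the `try` is deliberately there for a plan-time unknown `create` value, a one-line comment saying so would keep the next reader from removing it. The `locals` block begins outside the hunk.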
@@ -65,75 +65,56 @@ resource "google_compute_forwarding_rule" "udp-4500" { } resource "google_compute_router" "router" { - count = var.router_create ? 1 : 0 - name = var.router_name == "" ? "vpn-${var.name}" : var.router_name + count = var.router_config.create ? 1 : 0 + name = coalesce(var.router_config.name, "vpn-${var.name}") project = var.project_id region = var.region network = var.network bgp { advertise_mode = ( - var.router_advertise_config == null - ? null - : var.router_advertise_config.mode + var.router_config.custom_advertise != null + ? "CUSTOM" + : "DEFAULT" ) advertised_groups = ( - var.router_advertise_config == null ? null : ( - var.router_advertise_config.mode != "CUSTOM" - ? null - : var.router_advertise_config.groups - ) + try(var.router_config.custom_advertise.all_subnets, false) + ? ["ALL_SUBNETS"] + : [] ) dynamic "advertised_ip_ranges" { - for_each = ( - var.router_advertise_config == null ? {} : ( - var.router_advertise_config.mode != "CUSTOM" - ? null - : var.router_advertise_config.ip_ranges - ) - ) + for_each = try(var.router_config.custom_advertise.ip_ranges, {}) iterator = range content { range = range.key description = range.value } } - asn = var.router_asn + keepalive_interval = try(var.router_config.keepalive, null) + asn = var.router_config.asn } } resource "google_compute_router_peer" "bgp_peer" { - for_each = var.tunnels - region = var.region - project = var.project_id - name = "${var.name}-${each.key}" - router = each.value.router == null ? local.router : each.value.router - peer_ip_address = each.value.bgp_peer.address - peer_asn = each.value.bgp_peer.asn - advertised_route_priority = ( - each.value.bgp_peer_options == null ? var.route_priority : ( - each.value.bgp_peer_options.route_priority == null - ? 
var.route_priority - : each.value.bgp_peer_options.route_priority - ) - ) + for_each = var.tunnels + region = var.region + project = var.project_id + name = "${var.name}-${each.key}" + router = coalesce(each.value.router, local.router) + peer_ip_address = each.value.bgp_peer.address + peer_asn = each.value.bgp_peer.asn + advertised_route_priority = each.value.bgp_peer.route_priority advertise_mode = ( - each.value.bgp_peer_options == null ? null : each.value.bgp_peer_options.advertise_mode + try(each.value.bgp_peer.custom_advertise, null) != null + ? "CUSTOM" + : "DEFAULT" ) - advertised_groups = ( - each.value.bgp_peer_options == null ? null : ( - each.value.bgp_peer_options.advertise_mode != "CUSTOM" - ? null - : each.value.bgp_peer_options.advertise_groups - ) + advertised_groups = concat( + try(each.value.bgp_peer.custom_advertise.all_subnets, false) ? ["ALL_SUBNETS"] : [], + try(each.value.bgp_peer.custom_advertise.all_vpc_subnets, false) ? ["ALL_VPC_SUBNETS"] : [], + try(each.value.bgp_peer.custom_advertise.all_peer_vpc_subnets, false) ? ["ALL_PEER_VPC_SUBNETS"] : [] ) dynamic "advertised_ip_ranges" { - for_each = ( - each.value.bgp_peer_options == null ? {} : ( - each.value.bgp_peer_options.advertise_mode != "CUSTOM" - ? {} - : each.value.bgp_peer_options.advertise_ip_ranges - ) - ) + for_each = try(each.value.bgp_peer.custom_advertise.ip_ranges, {}) iterator = range content { range = range.key 
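Review bot: Several of the new `try()` calls in this hunk wrap attributes that the updated `router_config` and `tunnels` types declare with `optional(...)`, so they can never be absent and the fallback only fires on a misspelled attribute name, which it then hides as a null or false instead of an error. `keepalive_interval = try(var.router_config.keepalive, null)` can be `keepalive_interval = var.router_config.keepalive`, and `try(each.value.bgp_peer.custom_advertise, null) != null` can be `each.value.bgp_peer.custom_advertise != null`. The `try(var.router_config.custom_advertise.all_subnets, false)` and `try(..., {})` forms do earn their keep because `custom_advertise` itself may be null. The `bgp_peer` resource continues past the end of the hunk.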
@@ -144,11 +125,12 @@ resource "google_compute_router_peer" "bgp_peer" { } resource "google_compute_router_interface" "router_interface" { - for_each = var.tunnels - project = var.project_id - region = var.region - name = "${var.name}-${each.key}" - router = each.value.router == null ? local.router : each.value.router + for_each = var.tunnels + project = var.project_id + region = var.region + name = "${var.name}-${each.key}" + router = coalesce(each.value.router, local.router) + # FIXME: can bgp_session_range be null? ip_range = each.value.bgp_session_range == "" ? null : each.value.bgp_session_range vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name } @@ -161,18 +143,14 @@ resource "google_compute_vpn_gateway" "gateway" { } resource "google_compute_vpn_tunnel" "tunnels" { - for_each = var.tunnels - project = var.project_id - region = var.region - name = "${var.name}-${each.key}" - router = each.value.router == null ? local.router : each.value.router - peer_ip = each.value.peer_ip - ike_version = each.value.ike_version - shared_secret = ( - each.value.shared_secret == "" || each.value.shared_secret == null - ? local.secret - : each.value.shared_secret - ) + for_each = var.tunnels + project = var.project_id + region = var.region + name = "${var.name}-${each.key}" + router = coalesce(each.value.router, local.router) + peer_ip = each.value.peer_ip + ike_version = each.value.ike_version + shared_secret = coalesce(each.value.shared_secret, local.secret) target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link depends_on = [google_compute_forwarding_rule.esp] } diff --git a/modules/net-vpn-dynamic/outputs.tf b/modules/net-vpn-dynamic/outputs.tf index 09e5959e52..0e43903ade 100644 --- a/modules/net-vpn-dynamic/outputs.tf +++ b/modules/net-vpn-dynamic/outputs.tf 
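Review bot: The `# FIXME: can bgp_session_range be null?` comment is committed as-is above `ip_range = each.value.bgp_session_range == "" ? null : ...`, so the open question ships with the code. In the updated variables.tf `bgp_session_range` is a plain required `string` in the tunnel object, so a null only arrives when a caller passes one explicitly; the `== ""` test does not match null, so both `""` and null end up as a null `ip_range` and the interface is created without an address. I would replace the FIXME with a statement of that fact, e.g. `# "" and an explicit null both clear ip_range; the range itself is validated on var.tunnels`, and put the real guard in a `validation` block on `var.tunnels` so a missing or malformed range is rejected at plan time.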
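Review bot: `shared_secret = coalesce(each.value.shared_secret, local.secret)` relies on Terraform's `coalesce` skipping empty strings as well as nulls, which is what keeps the old `== ""` behaviour (and callers such as the hub-and-spoke-peering blueprint that still pass `shared_secret = ""`) working; that is not obvious from the line and deserves a comment: `# coalesce also skips "", so an empty secret falls back to the module-generated one`. The identical line in the net-vpn-static main.tf hunk later in this patch wants the same comment. Note also that every tunnel in a module instance that omits the secret shares the single `random_id.secret` behind `local.secret`; callers wanting distinct pre-shared keys per tunnel must pass them explicitly.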
@@ -54,7 +54,7 @@ output "tunnel_names" { description = "VPN tunnel names." value = { for name in keys(var.tunnels) : - name => google_compute_vpn_tunnel.tunnels[name].name + name => try(google_compute_vpn_tunnel.tunnels[name].name, null) } } @@ -62,7 +62,7 @@ output "tunnel_self_links" { description = "VPN tunnel self links." value = { for name in keys(var.tunnels) : - name => google_compute_vpn_tunnel.tunnels[name].self_link + name => try(google_compute_vpn_tunnel.tunnels[name].self_link, null) } } @@ -70,6 +70,6 @@ output "tunnels" { description = "VPN tunnel resources." value = { for name in keys(var.tunnels) : - name => google_compute_vpn_tunnel.tunnels[name] + name => try(google_compute_vpn_tunnel.tunnels[name], null) } } diff --git a/modules/net-vpn-dynamic/variables.tf b/modules/net-vpn-dynamic/variables.tf index 6da5c0ac43..33d23a040c 100644 --- a/modules/net-vpn-dynamic/variables.tf +++ b/modules/net-vpn-dynamic/variables.tf @@ -17,7 +17,7 @@ variable "gateway_address" { description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false." type = string - default = "" + default = null } variable "gateway_address_create" { 
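Review bot: Wrapping `google_compute_vpn_tunnel.tunnels[name].name` in `try(..., null)` in the `tunnel_names` output (and likewise in the `tunnel_self_links` and `tunnels` hunks on this line) converts a genuine reference error into a silent null in the module's outputs. The comprehension iterates `keys(var.tunnels)`, which is exactly the resource's `for_each`, so the index cannot be missing in a normal plan. If the `try` is there for a specific situation such as a targeted apply, a comment naming it would help; otherwise the plain reference is the safer form.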
@@ -46,60 +46,43 @@ variable "region" { type = string } -variable "route_priority" { - description = "Route priority, defaults to 1000." - type = number - default = 1000 -} - -variable "router_advertise_config" { - description = "Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions." +variable "router_config" { + description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router." type = object({ - groups = list(string) - ip_ranges = map(string) - mode = string + create = optional(bool, true) + asn = number + name = optional(string) + keepalive = optional(number) + custom_advertise = optional(object({ + all_subnets = bool + ip_ranges = map(string) + })) }) - default = null -} - -variable "router_asn" { - description = "Router ASN used for auto-created router." - type = number - default = 64514 -} - -variable "router_create" { - description = "Create router." - type = bool - default = true -} - -variable "router_name" { - description = "Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router." - type = string - default = "" + nullable = false } variable "tunnels" { - description = "VPN tunnel configurations, bgp_peer_options is usually null." + description = "VPN tunnel configurations." type = map(object({ bgp_peer = object({ - address = string - asn = number - }) - bgp_peer_options = object({ - advertise_groups = list(string) - advertise_ip_ranges = map(string) - advertise_mode = string - route_priority = number + address = string + asn = number + route_priority = optional(number, 1000) + custom_advertise = optional(object({ + all_subnets = bool + all_vpc_subnets = bool + all_peer_vpc_subnets = bool + ip_ranges = map(string) + })) }) # each BGP session on the same Cloud Router must use a unique /30 CIDR # from the 169.254.0.0/16 block. 
bgp_session_range = string - ike_version = number + ike_version = optional(number, 2) peer_ip = string - router = string - shared_secret = string + router = optional(string) + shared_secret = optional(string) })) - default = {} + default = {} + nullable = false } diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf index 694f9b61d9..c9a810e108 100644 --- a/modules/net-vpn-ha/main.tf +++ b/modules/net-vpn-ha/main.tf @@ -54,7 +54,7 @@ resource "google_compute_external_vpn_gateway" "external_gateway" { resource "google_compute_router" "router" { count = var.router_config.create ? 1 : 0 - name = var.router_config.name == null ? "vpn-${var.name}" : var.router_config.name + name = coalesce(var.router_config.name, "vpn-${var.name}") project = var.project_id region = var.region network = var.network @@ -87,7 +87,7 @@ resource "google_compute_router_peer" "bgp_peer" { region = var.region project = var.project_id name = "${var.name}-${each.key}" - router = local.router + router = coalesce(each.value.router, local.router) peer_ip_address = each.value.bgp_peer.address peer_asn = each.value.bgp_peer.asn advertised_route_priority = each.value.bgp_peer.route_priority diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf index f8ecd151f5..ad5c491f45 100644 --- a/modules/net-vpn-ha/variables.tf +++ b/modules/net-vpn-ha/variables.tf @@ -66,7 +66,7 @@ variable "router_config" { } variable "tunnels" { - description = "VPN tunnel configurations, bgp_peer_options is usually null." + description = "VPN tunnel configurations." type = map(object({ bgp_peer = object({ address = string diff --git a/modules/net-vpn-static/README.md b/modules/net-vpn-static/README.md index 92745e2d87..77e8c5ba6f 100644 --- a/modules/net-vpn-static/README.md +++ b/modules/net-vpn-static/README.md 
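Review bot: The three `custom_advertise` booleans in the tunnel type (`all_subnets`, `all_vpc_subnets`, `all_peer_vpc_subnets`) and `all_subnets` in `router_config` are required `bool`s, so every caller wanting custom advertisement must spell all of them out, as the onprem-google-access-dns blueprint in patch 3 now does with explicit `false` lines; `optional(bool, false)` would match the `try(..., false)` fallbacks main.tf already uses. Separately, the comment above `bgp_session_range` states the /30-from-169.254.0.0/16 requirement but nothing enforces it, and main.tf carries a FIXME about null ranges; a `validation` block on `var.tunnels` would reject a bad or missing range at plan time. If an empty range is meant to be supported, extend the condition to allow it explicitly; uniqueness per Cloud Router cannot be checked here because tunnels may target different routers.
```hcl
    bgp_session_range = string
    # … unchanged: ike_version, peer_ip, router, shared_secret …
  }))
  default  = {}
  nullable = false
  validation {
    condition = alltrue([
      for t in values(var.tunnels) :
      can(regex("^169\\.254\\.[0-9]+\\.[0-9]+/30$", t.bgp_session_range))
    ])
    error_message = "bgp_session_range must be a /30 CIDR from 169.254.0.0/16."
  }
}
```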
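Review bot: `router = coalesce(each.value.router, local.router)` lets a tunnel's BGP peer be placed on a caller-supplied router, but the matching `google_compute_router_interface` in net-vpn-ha is not part of this diff; if it still uses `local.router`, a tunnel with `router` set gets its peer and its interface on different Cloud Routers. In the net-vpn-dynamic hunks of this same patch the peer, interface and tunnel resources all switch to the `coalesce` form together, and the ha module should do the same, or the override should be documented as peer-only. I also cannot see whether the ha `tunnels` type declares `router`, which the `each.value.router` reference requires. The enclosing resource starts outside the hunk.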
@@ -17,12 +17,10 @@ module "vpn" { region = var.region network = var.vpc.self_link name = "remote" - gateway_address_create = false - gateway_address = module.addresses.external_addresses["vpn"].address + gateway_address = module.addresses.external_addresses["vpn"].address remote_ranges = ["10.10.0.0/24"] tunnels = { remote-0 = { - ike_version = 2 peer_ip = "1.1.1.1" shared_secret = "mysecret" traffic_selectors = { local = ["0.0.0.0/0"], remote = ["0.0.0.0/0"] } diff --git a/modules/net-vpn-static/main.tf b/modules/net-vpn-static/main.tf index 3c8f5cb8d3..f05771c162 100644 --- a/modules/net-vpn-static/main.tf +++ b/modules/net-vpn-static/main.tf @@ -91,7 +91,7 @@ resource "google_compute_vpn_tunnel" "tunnels" { local_traffic_selector = each.value.traffic_selectors.local remote_traffic_selector = each.value.traffic_selectors.remote ike_version = each.value.ike_version - shared_secret = each.value.shared_secret == "" ? local.secret : each.value.shared_secret + shared_secret = coalesce(each.value.shared_secret, local.secret) target_vpn_gateway = google_compute_vpn_gateway.gateway.self_link depends_on = [google_compute_forwarding_rule.esp] } diff --git a/modules/net-vpn-static/variables.tf b/modules/net-vpn-static/variables.tf index 90b15f531b..935c543a44 100644 --- a/modules/net-vpn-static/variables.tf +++ b/modules/net-vpn-static/variables.tf @@ -17,7 +17,7 @@ variable "gateway_address" { description = "Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false." type = string - default = "" + default = null } variable "gateway_address_create" { @@ -50,6 +50,7 @@ variable "remote_ranges" { description = "Remote IP CIDR ranges." type = list(string) default = [] + nullable = false } variable "route_priority" { 
@@ -61,13 +62,14 @@ variable "route_priority" { variable "tunnels" { description = "VPN tunnel configurations." type = map(object({ - ike_version = number + ike_version = optional(number, 2) peer_ip = string - shared_secret = string + shared_secret = optional(string) traffic_selectors = object({ local = list(string) remote = list(string) }) })) - default = {} + default = {} + nullable = false } From fcb697c935369710362eb8d56f7550a86d48fdb1 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Wed, 30 Nov 2022 15:22:42 +0100 Subject: [PATCH 2/4] Bring back vpn_gateway_create var in net-vpn-ha --- modules/net-vpn-ha/main.tf | 4 ++-- modules/net-vpn-ha/variables.tf | 8 +++++++- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf index c9a810e108..9d53ee080c 100644 --- a/modules/net-vpn-ha/main.tf +++ b/modules/net-vpn-ha/main.tf @@ -22,7 +22,7 @@ locals { : var.router_config.name ) vpn_gateway = ( - var.vpn_gateway == null + var.vpn_gateway_create ? try(google_compute_ha_vpn_gateway.ha_gateway[0].self_link, null) : var.vpn_gateway ) @@ -30,7 +30,7 @@ locals { } resource "google_compute_ha_vpn_gateway" "ha_gateway" { - count = var.vpn_gateway == null ? 1 : 0 + count = var.vpn_gateway_create ? 1 : 0 name = var.name project = var.project_id region = var.region diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf index ad5c491f45..a423eab155 100644 --- a/modules/net-vpn-ha/variables.tf +++ b/modules/net-vpn-ha/variables.tf @@ -93,7 +93,13 @@ variable "tunnels" { } variable "vpn_gateway" { - description = "Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway." + description = "HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`." type = string default = null } + +variable "vpn_gateway_create" { + description = "Create HA VPN Gateway." + type = bool + default = true +} 
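Review bot: With `count = var.vpn_gateway_create ? 1 : 0` and a default of `true`, a caller who sets `vpn_gateway` to an existing gateway's self link but forgets `vpn_gateway_create = false` silently gets a new gateway while the supplied link is ignored, as the new variable description itself says. A `precondition` on the resource would turn that misconfiguration into a plan-time error instead. The resource block continues past the hunk, so the `lifecycle` block below goes at its end.
```hcl
resource "google_compute_ha_vpn_gateway" "ha_gateway" {
  count   = var.vpn_gateway_create ? 1 : 0
  # … unchanged: name, project, region, network …
  lifecycle {
    precondition {
      condition     = var.vpn_gateway == null
      error_message = "vpn_gateway is ignored while vpn_gateway_create is true; set vpn_gateway_create = false to use an existing gateway."
    }
  }
```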
From fa63e9d5d0cb97e0fcb55a6ca8c52efc5511e317 Mon Sep 17 00:00:00 2001 From: Julio Castillo Date: Wed, 30 Nov 2022 16:00:53 +0100 Subject: [PATCH 3/4] Remove optional stuff --- .../networking/hub-and-spoke-peering/main.tf | 2 - .../hub-and-spoke-vpn/vpn-dev-r1.tf | 4 -- .../hub-and-spoke-vpn/vpn-prod-r1.tf | 4 -- .../onprem-google-access-dns/main.tf | 67 +++++++++---------- .../main.tf | 22 ++---- fast/stages/02-networking-nva/vpn-onprem.tf | 4 -- .../02-networking-peering/vpn-onprem.tf | 1 - .../vpn-onprem-dev.tf | 1 - .../vpn-onprem-prod.tf | 1 - fast/stages/02-networking-vpn/vpn-onprem.tf | 1 - .../stages/02-networking-vpn/vpn-spoke-dev.tf | 4 -- .../02-networking-vpn/vpn-spoke-prod-ew1.tf | 16 ++--- .../02-networking-vpn/vpn-spoke-prod-ew4.tf | 4 -- .../cloud-config-container/onprem/README.md | 12 ++-- modules/net-vpn-dynamic/README.md | 43 ++++++++---- modules/net-vpn-dynamic/outputs.tf | 2 +- modules/net-vpn-ha/README.md | 2 - modules/net-vpn-static/README.md | 15 +++-- 18 files changed, 83 insertions(+), 122 deletions(-) diff --git a/blueprints/networking/hub-and-spoke-peering/main.tf b/blueprints/networking/hub-and-spoke-peering/main.tf index de1c76612e..999858941a 100644 --- a/blueprints/networking/hub-and-spoke-peering/main.tf +++ b/blueprints/networking/hub-and-spoke-peering/main.tf @@ -304,7 +304,6 @@ module "vpn-hub" { remote_ranges = values(var.private_service_ranges) tunnels = { spoke-2 = { - ike_version = 2 peer_ip = module.vpn-spoke-2.address shared_secret = "" traffic_selectors = { local = ["0.0.0.0/0"], remote = null } @@ -323,7 +322,6 @@ module "vpn-spoke-2" { remote_ranges = ["10.0.0.0/8"] tunnels = { hub = { - ike_version = 2 peer_ip = module.vpn-hub.address shared_secret = module.vpn-hub.random_secret traffic_selectors = { local = ["0.0.0.0/0"], remote = null } diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf index 962d97d1ae..4d1236bb8b 100644 
--- a/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf +++ b/blueprints/networking/hub-and-spoke-vpn/vpn-dev-r1.tf @@ -35,7 +35,6 @@ module "landing-to-dev-vpn-r1" { asn = var.vpn_configs.dev-r1.asn } bgp_session_range = "169.254.2.1/30" - ike_version = 2 vpn_gateway_interface = 0 } 1 = { @@ -44,7 +43,6 @@ module "landing-to-dev-vpn-r1" { asn = var.vpn_configs.dev-r1.asn } bgp_session_range = "169.254.2.5/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -73,7 +71,6 @@ module "dev-to-landing-vpn-r1" { asn = var.vpn_configs.land-r1.asn } bgp_session_range = "169.254.2.2/30" - ike_version = 2 shared_secret = module.landing-to-dev-vpn-r1.random_secret vpn_gateway_interface = 0 } @@ -83,7 +80,6 @@ module "dev-to-landing-vpn-r1" { asn = var.vpn_configs.land-r1.asn } bgp_session_range = "169.254.2.6/30" - ike_version = 2 shared_secret = module.landing-to-dev-vpn-r1.random_secret vpn_gateway_interface = 1 } diff --git a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf index f76c223490..8e633686fa 100644 --- a/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf +++ b/blueprints/networking/hub-and-spoke-vpn/vpn-prod-r1.tf @@ -36,7 +36,6 @@ module "landing-to-prod-vpn-r1" { asn = var.vpn_configs.prod-r1.asn } bgp_session_range = "169.254.0.1/30" - ike_version = 2 vpn_gateway_interface = 0 } 1 = { @@ -45,7 +44,6 @@ module "landing-to-prod-vpn-r1" { asn = var.vpn_configs.prod-r1.asn } bgp_session_range = "169.254.0.5/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -74,7 +72,6 @@ module "prod-to-landing-vpn-r1" { asn = var.vpn_configs.land-r1.asn } bgp_session_range = "169.254.0.2/30" - ike_version = 2 shared_secret = module.landing-to-prod-vpn-r1.random_secret vpn_gateway_interface = 0 } 
@@ -84,7 +81,6 @@ module "prod-to-landing-vpn-r1" { asn = var.vpn_configs.land-r1.asn } bgp_session_range = "169.254.0.6/30" - ike_version = 2 shared_secret = module.landing-to-prod-vpn-r1.random_secret vpn_gateway_interface = 1 } diff --git a/blueprints/networking/onprem-google-access-dns/main.tf b/blueprints/networking/onprem-google-access-dns/main.tf index 141860608c..8be38fbc28 100644 --- a/blueprints/networking/onprem-google-access-dns/main.tf +++ b/blueprints/networking/onprem-google-access-dns/main.tf 
@@ -79,65 +79,58 @@ module "vpc-firewall" { } module "vpn1" { - source = "../../../modules/net-vpn-dynamic" - project_id = var.project_id - region = var.region.gcp1 - network = module.vpc.name - name = "to-onprem1" - router_asn = var.bgp_asn.gcp1 + source = "../../../modules/net-vpn-dynamic" + project_id = var.project_id + region = var.region.gcp1 + network = module.vpc.name + name = "to-onprem1" + router_config = { asn = var.bgp_asn.gcp1 } tunnels = { onprem = { bgp_peer = { address = local.bgp_interface_onprem1 asn = var.bgp_asn.onprem1 - } - bgp_peer_options = { - advertise_groups = ["ALL_SUBNETS"] - advertise_ip_ranges = { - (local.netblocks.dns) = "DNS resolvers" - (local.netblocks.private) = "private.gooogleapis.com" - (local.netblocks.restricted) = "restricted.gooogleapis.com" - } - advertise_mode = "CUSTOM" - route_priority = 1000 + custom_advertise = { + all_subnets = true + all_vpc_subnets = false + all_peer_vpc_subnets = false + ip_ranges = { + (local.netblocks.dns) = "DNS resolvers" + (local.netblocks.private) = "private.gooogleapis.com" + (local.netblocks.restricted) = "restricted.gooogleapis.com" + } } } bgp_session_range = "${local.bgp_interface_gcp1}/30" - ike_version = 2 peer_ip = module.vm-onprem.external_ip - router = null - shared_secret = "" } } } module "vpn2" { - source = "../../../modules/net-vpn-dynamic" - project_id = var.project_id - region = var.region.gcp2 - network = module.vpc.name - name = "to-onprem2" - router_asn = var.bgp_asn.gcp2 + source = "../../../modules/net-vpn-dynamic" + project_id = var.project_id + region = var.region.gcp2 + network = module.vpc.name + name = "to-onprem2" + router_config = { asn = var.bgp_asn.gcp2 } tunnels = { onprem = { bgp_peer = { address = local.bgp_interface_onprem2 asn = var.bgp_asn.onprem2 - } - bgp_peer_options = { - advertise_groups = ["ALL_SUBNETS"] - advertise_ip_ranges = { - (local.netblocks.dns) = "DNS resolvers" - (local.netblocks.private) = "private.gooogleapis.com" - 
(local.netblocks.restricted) = "restricted.gooogleapis.com" + custom_advertise = { + all_subnets = true + all_vpc_subnets = false + all_peer_vpc_subnets = false + ip_ranges = { + (local.netblocks.dns) = "DNS resolvers" + (local.netblocks.private) = "private.gooogleapis.com" + (local.netblocks.restricted) = "restricted.gooogleapis.com" + } } - advertise_mode = "CUSTOM" - route_priority = 1000 } bgp_session_range = "${local.bgp_interface_gcp2}/30" - ike_version = 2 peer_ip = module.vm-onprem.external_ip - router = null - shared_secret = "" } } } diff --git a/blueprints/networking/private-cloud-function-from-onprem/main.tf b/blueprints/networking/private-cloud-function-from-onprem/main.tf index 5775c66f14..1848e95314 100644 --- a/blueprints/networking/private-cloud-function-from-onprem/main.tf +++ b/blueprints/networking/private-cloud-function-from-onprem/main.tf @@ -94,7 +94,6 @@ module "vpn-onprem" { asn = 65002 } bgp_session_range = "169.254.0.1/30" - ike_version = 2 vpn_gateway_interface = 0 } tunnel-1 = { @@ -103,7 +102,6 @@ module "vpn-onprem" { asn = 65002 } bgp_session_range = "169.254.0.5/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -132,26 +130,18 @@ module "vpn-hub" { address = "169.254.0.1" asn = 65001 } - bgp_peer_options = null - bgp_session_range = "169.254.0.2/30" - ike_version = 2 - vpn_gateway_interface = 0 - peer_external_gateway_interface = null - router = null - shared_secret = module.vpn-onprem.random_secret + bgp_session_range = "169.254.0.2/30" + vpn_gateway_interface = 0 + shared_secret = module.vpn-onprem.random_secret } tunnel-1 = { bgp_peer = { address = "169.254.0.5" asn = 65001 } - bgp_peer_options = null - bgp_session_range = "169.254.0.6/30" - ike_version = 2 - vpn_gateway_interface = 1 - peer_external_gateway_interface = null - router = null - shared_secret = module.vpn-onprem.random_secret + bgp_session_range = "169.254.0.6/30" + vpn_gateway_interface = 1 + shared_secret = module.vpn-onprem.random_secret } } } 
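Review bot: The re-added `ip_ranges` descriptions in both `vpn1` and `vpn2` carry the pre-existing typo `"private.gooogleapis.com"` and `"restricted.gooogleapis.com"`; since these lines are rewritten here anyway, correcting them to `"private.googleapis.com"` and `"restricted.googleapis.com"` would stop the misspelled domain from being stored as the Cloud Router's advertised-range description. Only the description text is affected; the ranges themselves still come from `local.netblocks`. The `module "vpn2"` block continues past the hunk.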
diff --git a/fast/stages/02-networking-nva/vpn-onprem.tf b/fast/stages/02-networking-nva/vpn-onprem.tf index 4c51a04d80..0365808890 100644 --- a/fast/stages/02-networking-nva/vpn-onprem.tf +++ b/fast/stages/02-networking-nva/vpn-onprem.tf @@ -55,9 +55,7 @@ module "landing-to-onprem-ew1-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.landing-trusted-ew1 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } @@ -87,9 +85,7 @@ module "landing-to-onprem-ew4-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.landing-trusted-ew4 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface - router = null shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface } diff --git a/fast/stages/02-networking-peering/vpn-onprem.tf b/fast/stages/02-networking-peering/vpn-onprem.tf index 911cbd834c..5237a05acb 100644 --- a/fast/stages/02-networking-peering/vpn-onprem.tf +++ b/fast/stages/02-networking-peering/vpn-onprem.tf @@ -55,7 +55,6 @@ module "landing-to-onprem-ew1-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.landing-ew1 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface diff --git a/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf b/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf index f9253bcc0d..1b0ff11710 100644 --- a/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf +++ b/fast/stages/02-networking-separate-envs/vpn-onprem-dev.tf 
@@ -55,7 +55,6 @@ module "dev-to-onprem-ew1-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.dev-ew1 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface diff --git a/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf b/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf index 99a31f6464..d4b2af24e0 100644 --- a/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf +++ b/fast/stages/02-networking-separate-envs/vpn-onprem-prod.tf @@ -39,7 +39,6 @@ module "prod-to-onprem-ew1-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.prod-ew1 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface diff --git a/fast/stages/02-networking-vpn/vpn-onprem.tf b/fast/stages/02-networking-vpn/vpn-onprem.tf index 911cbd834c..5237a05acb 100644 --- a/fast/stages/02-networking-vpn/vpn-onprem.tf +++ b/fast/stages/02-networking-vpn/vpn-onprem.tf @@ -55,7 +55,6 @@ module "landing-to-onprem-ew1-vpn" { } bgp_peer_options = local.bgp_peer_options_onprem.landing-ew1 bgp_session_range = "${cidrhost(t.session_range, 2)}/30" - ike_version = 2 peer_external_gateway_interface = t.peer_external_gateway_interface shared_secret = t.secret vpn_gateway_interface = t.vpn_gateway_interface diff --git a/fast/stages/02-networking-vpn/vpn-spoke-dev.tf b/fast/stages/02-networking-vpn/vpn-spoke-dev.tf index d4c180e7c7..317560af00 100644 --- a/fast/stages/02-networking-vpn/vpn-spoke-dev.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-dev.tf @@ -56,7 +56,6 @@ module "landing-to-dev-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 2) }/30" - ike_version = 2 vpn_gateway_interface = 0 } 1 = { 
@@ -68,7 +67,6 @@ module "landing-to-dev-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 6) }/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -98,7 +96,6 @@ module "dev-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 1) }/30" - ike_version = 2 shared_secret = module.landing-to-dev-ew1-vpn.random_secret vpn_gateway_interface = 0 } @@ -111,7 +108,6 @@ module "dev-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.0/27", 5) }/30" - ike_version = 2 shared_secret = module.landing-to-dev-ew1-vpn.random_secret vpn_gateway_interface = 1 } diff --git a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf index c813ca265f..a215ad4efb 100644 --- a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew1.tf @@ -39,7 +39,6 @@ module "landing-to-prod-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 2) }/30" - ike_version = 2 vpn_gateway_interface = 0 } 1 = { @@ -51,7 +50,6 @@ module "landing-to-prod-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 6) }/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -78,11 +76,8 @@ module "prod-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 1) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-ew1-vpn.random_secret - vpn_gateway_interface = 0 + shared_secret = module.landing-to-prod-ew1-vpn.random_secret + vpn_gateway_interface = 0 } 1 = { bgp_peer = { @@ -93,11 +88,8 @@ module "prod-to-landing-ew1-vpn" { bgp_session_range = "${ cidrhost("169.254.0.64/27", 5) }/30" - ike_version = 2 - peer_external_gateway_interface = null - router = null - shared_secret = module.landing-to-prod-ew1-vpn.random_secret - vpn_gateway_interface = 1 + shared_secret = module.landing-to-prod-ew1-vpn.random_secret + vpn_gateway_interface = 1 } } } 
diff --git a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf index 4fe25c1e2c..994fba0b1c 100644 --- a/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf +++ b/fast/stages/02-networking-vpn/vpn-spoke-prod-ew4.tf @@ -39,7 +39,6 @@ module "landing-to-prod-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 2) }/30" - ike_version = 2 vpn_gateway_interface = 0 } 1 = { @@ -51,7 +50,6 @@ module "landing-to-prod-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 6) }/30" - ike_version = 2 vpn_gateway_interface = 1 } } @@ -78,7 +76,6 @@ module "prod-to-landing-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 1) }/30" - ike_version = 2 shared_secret = module.landing-to-prod-ew4-vpn.random_secret vpn_gateway_interface = 0 } @@ -91,7 +88,6 @@ module "prod-to-landing-ew4-vpn" { bgp_session_range = "${ cidrhost("169.254.0.96/27", 5) }/30" - ike_version = 2 shared_secret = module.landing-to-prod-ew4-vpn.random_secret vpn_gateway_interface = 1 } diff --git a/modules/cloud-config-container/onprem/README.md b/modules/cloud-config-container/onprem/README.md index fa29e48c8d..1a668a8d1e 100644 --- a/modules/cloud-config-container/onprem/README.md +++ b/modules/cloud-config-container/onprem/README.md @@ -24,17 +24,15 @@ The test instance is optional, as described above. ```hcl module "cloud-vpn" { - source = "./fabric/modules/net-vpn-static" - project_id = "my-project" - region = "europe-west1" - network = "my-vpc" - name = "to-on-prem" + source = "./fabric/modules/net-vpn-static" + project_id = "my-project" + region = "europe-west1" + network = "my-vpc" + name = "to-on-prem" remote_ranges = ["192.168.192.0/24"] tunnels = { remote-0 = { - ike_version = 2 peer_ip = module.on-prem.external_address - shared_secret = "" traffic_selectors = { local = ["0.0.0.0/0"], remote = null } } } 
diff --git a/modules/net-vpn-dynamic/README.md b/modules/net-vpn-dynamic/README.md index 1c8fb7b630..180915b13f 100644 --- a/modules/net-vpn-dynamic/README.md +++ b/modules/net-vpn-dynamic/README.md @@ -8,35 +8,50 @@ This example shows how to configure a single VPN tunnel using a couple of extra - internally generated shared secret, which can be fetched from the module's `random_secret` output for reuse; a predefined secret can be used instead by assigning it to the `shared_secret` attribute ```hcl +module "vm" { + source = "./fabric/modules/compute-vm" + project_id = "my-project" + zone = "europe-west1-b" + name = "my-vm" + network_interfaces = [{ + nat = true + network = var.vpc.self_link + subnetwork = var.subnet.self_link + }] + service_account_create = true +} + + module "vpn-dynamic" { source = "./fabric/modules/net-vpn-dynamic" project_id = "my-project" region = "europe-west1" - network = "my-vpc" + network = var.vpc.name name = "gateway-1" + router_config = { + asn = 64514 + } + tunnels = { remote-1 = { bgp_peer = { address = "169.254.139.134" asn = 64513 - } - bgp_session_range = "169.254.139.133/30" - ike_version = 2 - peer_ip = "1.1.1.1" - router = null - shared_secret = null - bgp_peer_options = { - advertise_groups = ["ALL_SUBNETS"] - advertise_ip_ranges = { - "192.168.0.0/24" = "Advertised range description" + custom_advertise = { + all_subnets = true + all_vpc_subnets = false + all_peer_vpc_subnets = false + ip_ranges = { + "192.168.0.0/24" = "Advertised range description" + } } - advertise_mode = "CUSTOM" - route_priority = 1000 } + bgp_session_range = "169.254.139.133/30" + peer_ip = module.vm.external_ip } } } -# tftest modules=1 resources=10 +# tftest modules=2 resources=12 ``` diff --git a/modules/net-vpn-dynamic/outputs.tf b/modules/net-vpn-dynamic/outputs.tf index 0e43903ade..f049df1d1a 100644 --- a/modules/net-vpn-dynamic/outputs.tf +++ b/modules/net-vpn-dynamic/outputs.tf 
@@ -37,7 +37,7 @@ output "random_secret" {
 output "router" {
 description = "Router resource (only if auto-created)."
- value = var.router_create ? google_compute_router.router[0] : null
+ value = one(google_compute_router.router[*])
 }
 output "router_name" {
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index 1c1a23ce2a..2621b4d321 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -56,7 +56,6 @@ module "vpn-2" {
 asn = 64514
 }
 bgp_session_range = "169.254.1.1/30"
- ike_version = 2
 shared_secret = module.vpn-1.random_secret
 vpn_gateway_interface = 0
 }
@@ -66,7 +65,6 @@ module "vpn-2" {
 asn = 64514
 }
 bgp_session_range = "169.254.2.1/30"
- ike_version = 2
 shared_secret = module.vpn-1.random_secret
 vpn_gateway_interface = 1
 }
diff --git a/modules/net-vpn-static/README.md b/modules/net-vpn-static/README.md
index 77e8c5ba6f..eceb3e704a 100644
--- a/modules/net-vpn-static/README.md
+++ b/modules/net-vpn-static/README.md
@@ -12,13 +12,14 @@ module "addresses" {
 }
 module "vpn" {
- source = "./fabric/modules/net-vpn-static"
- project_id = var.project_id
- region = var.region
- network = var.vpc.self_link
- name = "remote"
- gateway_address = module.addresses.external_addresses["vpn"].address
- remote_ranges = ["10.10.0.0/24"]
+ source = "./fabric/modules/net-vpn-static"
+ project_id = var.project_id
+ region = var.region
+ network = var.vpc.self_link
+ name = "remote"
+ gateway_address_create = false
+ gateway_address = module.addresses.external_addresses["vpn"].address
+ remote_ranges = ["10.10.0.0/24"]
 tunnels = {
 remote-0 = {
 peer_ip = "1.1.1.1"
From 70b93164f0fa72ae810342a783dadaf3aaa630c8 Mon Sep 17 00:00:00 2001
From: Julio Castillo
Date: Wed, 30 Nov 2022 16:02:26 +0100
Subject: [PATCH 4/4] Update READMEs

---
 modules/net-vpn-dynamic/README.md | 10 +++-------
 modules/net-vpn-ha/README.md | 5 +++--
 modules/net-vpn-static/README.md | 6 +++---
 3 files changed, 9 insertions(+), 12 deletions(-)
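Review bot: The description on `output "router"` still says only "(only if auto-created)" and does not tell callers what they get when the router is reused; with `one(google_compute_router.router[*])` the value is `null` in that case, so `description = "Router resource (only if auto-created, null otherwise)."` would make the contract explicit. `one()` over the count splat is the right replacement for the old ternary, since the resource has a 0/1 count. The `router_name` output starts on the hunk's last line but its body lies outside the hunk; because this series drops the `router_create` and `router_name` variables (see the variables table change in the net-vpn-dynamic README), it is worth confirming that output no longer references them.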
diff --git a/modules/net-vpn-dynamic/README.md b/modules/net-vpn-dynamic/README.md
index 180915b13f..378ba6b7b3 100644
--- a/modules/net-vpn-dynamic/README.md
+++ b/modules/net-vpn-dynamic/README.md
@@ -63,14 +63,10 @@ module "vpn-dynamic" {
 | [network](variables.tf#L34) | VPC used for the gateway and routes. | string | ✓ | |
 | [project_id](variables.tf#L39) | Project where resources will be created. | string | ✓ | |
 | [region](variables.tf#L44) | Region used for resources. | string | ✓ | |
-| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | string | | "" |
+| [router_config](variables.tf#L49) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
+| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | string | | null |
 | [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | bool | | true |
-| [route_priority](variables.tf#L49) | Route priority, defaults to 1000. | number | | 1000 |
-| [router_advertise_config](variables.tf#L55) | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | object({…}) | | null |
-| [router_asn](variables.tf#L65) | Router ASN used for auto-created router. | number | | 64514 |
-| [router_create](variables.tf#L71) | Create router. | bool | | true |
-| [router_name](variables.tf#L77) | Router name used for auto created router, or to specify existing router to use. Leave blank to use VPN name for auto created router. | string | | "" |
-| [tunnels](variables.tf#L83) | VPN tunnel configurations, bgp_peer_options is usually null. | map(object({…})) | | {} |
+| [tunnels](variables.tf#L64) | VPN tunnel configurations. | map(object({…})) | | {} |
 ## Outputs
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index 2621b4d321..e6cd752c2e 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -128,8 +128,9 @@ module "vpn_ha" {
 | [project_id](variables.tf#L43) | Project where resources will be created. | string | ✓ | |
 | [region](variables.tf#L48) | Region used for resources. | string | ✓ | |
 | [router_config](variables.tf#L53) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
-| [tunnels](variables.tf#L68) | VPN tunnel configurations, bgp_peer_options is usually null. | map(object({…})) | | {} |
-| [vpn_gateway](variables.tf#L95) | Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway. | string | | null |
+| [tunnels](variables.tf#L68) | VPN tunnel configurations. | map(object({…})) | | {} |
+| [vpn_gateway](variables.tf#L95) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null |
+| [vpn_gateway_create](variables.tf#L101) | Create HA VPN Gateway. | bool | | true |
 ## Outputs
diff --git a/modules/net-vpn-static/README.md b/modules/net-vpn-static/README.md
index eceb3e704a..836746dcc2 100644
--- a/modules/net-vpn-static/README.md
+++ b/modules/net-vpn-static/README.md
@@ -40,11 +40,11 @@ module "vpn" {
 | [network](variables.tf#L34) | VPC used for the gateway and routes. | string | ✓ | |
 | [project_id](variables.tf#L39) | Project where resources will be created. | string | ✓ | |
 | [region](variables.tf#L44) | Region used for resources. | string | ✓ | |
-| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | string | | "" |
+| [gateway_address](variables.tf#L17) | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | string | | null |
 | [gateway_address_create](variables.tf#L23) | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | bool | | true |
 | [remote_ranges](variables.tf#L49) | Remote IP CIDR ranges. | list(string) | | [] |
-| [route_priority](variables.tf#L55) | Route priority, defaults to 1000. | number | | 1000 |
-| [tunnels](variables.tf#L61) | VPN tunnel configurations. | map(object({…})) | | {} |
+| [route_priority](variables.tf#L56) | Route priority, defaults to 1000. | number | | 1000 |
+| [tunnels](variables.tf#L62) | VPN tunnel configurations. | map(object({…})) | | {} |
 ## Outputs