From 666af08cd26edb12a541e39e3879933e65908c14 Mon Sep 17 00:00:00 2001
From: Luca Prete
Date: Thu, 5 Dec 2024 12:29:48 +0100
Subject: [PATCH] Add optional automated MD5 generation to net-vlan-attachment module
---
modules/net-vlan-attachment/README.md | 74 ++++++++++++++++++++----
modules/net-vlan-attachment/main.tf | 7 ++-
modules/net-vlan-attachment/outputs.tf | 11 ++++
modules/net-vlan-attachment/variables.tf | 2 +-
4 files changed, 82 insertions(+), 12 deletions(-)
diff --git a/modules/net-vlan-attachment/README.md b/modules/net-vlan-attachment/README.md
index 7b6517a1de..08edaa788c 100644
--- a/modules/net-vlan-attachment/README.md
+++ b/modules/net-vlan-attachment/README.md
@@ -44,7 +44,7 @@ module "example-va" {
vlan_tag = 12345
}
}
-# tftest modules=1 resources=4
+# tftest modules=1 resources=5
```
### Dedicated Interconnect - Single VLAN Attachment (No SLA) - BFD and MD5 Auth
@@ -98,7 +98,60 @@ module "example-va" {
}
}
-# tftest modules=1 resources=4
+# tftest modules=1 resources=5
+```
+
+If you don't specify the MD5 key, the module will generate a random 12 charachters key for you.
+
+```hcl
+resource "google_compute_router" "interconnect-router" {
+ name = "interconnect-router"
+ network = "mynet"
+ project = "myproject"
+ region = "europe-west8"
+ bgp {
+ advertise_mode = "CUSTOM"
+ asn = 64514
+ advertised_groups = ["ALL_SUBNETS"]
+ advertised_ip_ranges {
+ range = "10.255.255.0/24"
+ }
+ advertised_ip_ranges {
+ range = "192.168.255.0/24"
+ }
+ }
+}
+
+module "example-va" {
+ source = "./fabric/modules/net-vlan-attachment"
+ network = "mynet"
+ project_id = "myproject"
+ region = "europe-west8"
+ name = "vlan-attachment"
+ description = "Example vlan attachment"
+ peer_asn = "65000"
+ router_config = {
+ create = false
+ name = google_compute_router.interconnect-router.name
+ bfd = {
+ min_receive_interval = 1000
+ min_transmit_interval = 1000
+ multiplier = 5
+ session_initialization_mode = "ACTIVE"
+ }
+ md5_authentication_key = {
+ name = "foo"
+ }
+ }
+ dedicated_interconnect_config = {
+ bandwidth = "BPS_10G"
+ bgp_range = "169.254.0.0/30"
+ interconnect = "interconnect-a"
+ vlan_tag = 12345
+ }
+}
+
+# tftest modules=1 resources=5
```
### Partner Interconnect - Single VLAN Attachment (No SLA)
@@ -135,7 +188,7 @@ module "example-va" {
name = google_compute_router.interconnect-router.name
}
}
-# tftest modules=1 resources=2
+# tftest modules=1 resources=3
```
### Dedicated Interconnect - Two VLAN Attachments on a single region (99.9% SLA)
@@ -198,7 +251,7 @@ module "example-va-b" {
vlan_tag = 1002
}
}
-# tftest modules=2 resources=7
+# tftest modules=2 resources=9
```
### Partner Interconnect - Two VLAN Attachments on a single region (99.9% SLA)
@@ -255,7 +308,7 @@ module "example-va-b" {
edge_availability_domain = "AVAILABILITY_DOMAIN_2"
}
}
-# tftest modules=2 resources=3
+# tftest modules=2 resources=5
```
### Dedicated Interconnect - Four VLAN Attachments on two regions (99.99% SLA)
@@ -376,7 +429,7 @@ module "example-va-b-ew12" {
vlan_tag = 1004
}
}
-# tftest modules=4 resources=14
+# tftest modules=4 resources=18
```
### Partner Interconnect - Four VLAN Attachments on two regions (99.99% SLA)
@@ -485,7 +538,7 @@ module "example-va-b-ew12" {
edge_availability_domain = "AVAILABILITY_DOMAIN_2"
}
}
-# tftest modules=4 resources=6
+# tftest modules=4 resources=10
```
### IPSec for Dedicated Interconnect
@@ -546,7 +599,7 @@ module "example-va-b" {
}
vpn_gateways_ip_range = "10.255.255.8/29" # Allows for up to 8 tunnels
}
-# tftest modules=2 resources=9
+# tftest modules=2 resources=10
```
### IPSec for Partner Interconnect
@@ -585,7 +638,7 @@ module "example-va-b" {
}
vpn_gateways_ip_range = "10.255.255.8/29" # Allows for up to 8 tunnels
}
-# tftest modules=2 resources=6
+# tftest modules=2 resources=8
```
## Variables
@@ -598,7 +651,7 @@ module "example-va-b" {
| [peer_asn](variables.tf#L74) | The on-premises underlay router ASN. | string | ✓ | |
| [project_id](variables.tf#L79) | The project id where resources are created. | string | ✓ | |
| [region](variables.tf#L84) | The region where resources are created. | string | ✓ | |
-| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
+| [router_config](variables.tf#L89) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
| [admin_enabled](variables.tf#L17) | Whether the VLAN attachment is enabled. | bool | | true |
| [dedicated_interconnect_config](variables.tf#L23) | Partner interconnect configuration. | object({…}) | | null |
| [ipsec_gateway_ip_ranges](variables.tf#L40) | IPSec Gateway IP Ranges. | map(string) | | {} |
@@ -612,6 +665,7 @@ module "example-va-b" {
|---|---|:---:|
| [attachment](outputs.tf#L17) | VLAN Attachment resource. | |
| [id](outputs.tf#L22) | Fully qualified VLAN attachment id. | |
+| [md5_configuration](outputs.tf#L52) | MD5 configuration. | |
| [name](outputs.tf#L27) | The name of the VLAN attachment created. | |
| [pairing_key](outputs.tf#L32) | Opaque identifier of an PARTNER attachment used to initiate provisioning with a selected partner. | |
| [router](outputs.tf#L37) | Router resource (only if auto-created). | |
diff --git a/modules/net-vlan-attachment/main.tf b/modules/net-vlan-attachment/main.tf
index 5b59933f7f..ae1840cf7f 100644
--- a/modules/net-vlan-attachment/main.tf
+++ b/modules/net-vlan-attachment/main.tf
@@ -21,6 +21,7 @@ locals {
? local.ipsec_enabled ? try(google_compute_router.encrypted[0].name, null) : try(google_compute_router.unencrypted[0].name, null)
: var.router_config.name
)
+ secret = random_id.secret.b64_url
}
resource "google_compute_address" "default" {
@@ -147,7 +148,7 @@ resource "google_compute_router_peer" "default" {
for_each = var.router_config.md5_authentication_key != null ? [var.router_config.md5_authentication_key] : []
content {
name = md5_authentication_key.value.name
- key = md5_authentication_key.value.key
+ key = coalesce(md5_authentication_key.value.key, local.secret)
}
}
@@ -155,3 +156,7 @@ resource "google_compute_router_peer" "default" {
google_compute_router_interface.default
]
}
+
+resource "random_id" "secret" {
+ byte_length = 12
+}
diff --git a/modules/net-vlan-attachment/outputs.tf b/modules/net-vlan-attachment/outputs.tf
index 5c88ddc651..3592178663 100644
--- a/modules/net-vlan-attachment/outputs.tf
+++ b/modules/net-vlan-attachment/outputs.tf
@@ -48,3 +48,14 @@ output "router_name" {
description = "Router name."
value = local.router
}
+
+output "md5_configuration" {
+ description = "MD5 configuration."
+ value = (
+ var.router_config.md5_authentication_key != null
+ ? {
+ name = var.router_config.md5_authentication_key.name
+ key = coalesce(var.router_config.md5_authentication_key.key, local.secret)
+ } : {}
+ )
+}
diff --git a/modules/net-vlan-attachment/variables.tf b/modules/net-vlan-attachment/variables.tf
index eb63564c66..c8e55fb46f 100644
--- a/modules/net-vlan-attachment/variables.tf
+++ b/modules/net-vlan-attachment/variables.tf
@@ -103,7 +103,7 @@ variable "router_config" {
}))
md5_authentication_key = optional(object({
name = string
- key = string
+ key = optional(string)
}))
keepalive = optional(number)
name = optional(string, "router")
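Review bot: `random_id` is the random provider's generator for unique identifiers, not secrets, and its `b64_url` attribute is not sensitive, so the generated BGP MD5 key shows up in plain text in `terraform plan` output and in anything that reads `local.secret`; `random_password`, whose `result` is sensitive, is the resource meant for this. The new resource is also created unconditionally, even when `md5_authentication_key` is null (which is why every `tftest` resource count in the README went up), leaving an unused secret in state for callers who never asked for MD5 auth. Two smaller points: `byte_length = 12` produces 16 base64url characters, not the "12 characters" the README text claims, and either resource type stores the key in state in cleartext, so the state backend still has to be treated as holding a secret. With the change below, the `secret` local in the first hunk becomes `secret = try(random_password.secret[0].result, null)`, and the `coalesce()` in the peer hunk keeps working because a caller-supplied key short-circuits it.
```hcl
# … unchanged: google_compute_router_peer.default …

resource "random_password" "secret" {
  # generate a key only when MD5 auth is requested and the caller did not supply one
  count = (
    var.router_config.md5_authentication_key != null
    && var.router_config.md5_authentication_key.key == null
  ) ? 1 : 0
  length  = 16
  special = false
}
```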
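Review bot: The `md5_configuration` output returns the BGP MD5 key in cleartext without `sensitive = true`, so `terraform apply` and `terraform output` print it to the console and it ends up in CI logs and in any root module that forwards the output; add `sensitive = true` directly under the description. The description itself only says "MD5 configuration.", which is all a reader of the README output table sees, so spell out the contents and the sensitivity, e.g. `description = "MD5 configuration (peer key name and key). The key is a secret, so the output is marked sensitive."`. If the key is later taken from a sensitive source such as `random_password`, Terraform will refuse to plan until this flag is set anyway, so it is cheaper to add it now.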
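Review bot: Making `key` optional changes the contract of `md5_authentication_key`, but nothing in the hunk records that omitting it makes the module generate a key; the `description` of `router_config` (at the top of the variable, outside this hunk) should say something like `md5_authentication_key.key is optional; when null the module generates a random key and exposes it through the md5_configuration output`. Consider also a `validation` block that rejects an empty string for `key`, because `coalesce()` in main.tf treats `""` like null and silently falls through to the generated key, which a caller who thought they had set one would not expect. The `variable "router_config"` block starts and ends outside the hunk.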