From c6c6bbfffa5731b19cd261440b52e00c0dc230ce Mon Sep 17 00:00:00 2001 From: Luca Prete Date: Fri, 6 Dec 2024 10:34:56 +0300 Subject: [PATCH] Add ability to autogenerate md5 keys in net-vpn-ha (#2748) * Add ability to optionally generate MD5 secrets in VPN module * Add ability to autogenerate MD5 keys in net-vpn-ha module * restore missing output * fix test counts --------- Co-authored-by: Luca Prete Co-authored-by: Ludovico Magnocavallo --- .../README.md | 2 +- .../README.md | 2 +- .../networking/vpc-connectivity-lab/README.md | 2 +- .../serverless/cloud-run-corporate/README.md | 2 +- modules/net-vpn-ha/README.md | 32 +++++++++++-------- modules/net-vpn-ha/main.tf | 11 ++++++- modules/net-vpn-ha/outputs.tf | 21 +++++++++++- modules/net-vpn-ha/variables.tf | 2 +- .../stages/s2_networking_a_simple/simple.yaml | 4 +-- .../stages/s2_networking_a_simple/vpn.yaml | 4 +-- .../stages/s2_networking_b_nva/ncc-ra.yaml | 4 +-- .../stages/s2_networking_b_nva/regional.yaml | 4 +-- .../stages/s2_networking_b_nva/simple.yaml | 4 +-- .../s2_networking_c_separate_envs/simple.yaml | 4 +-- .../net_vpn_ha/examples/gcp-to-gcp.yaml | 4 +-- .../net_vpn_ha/examples/gcp-to-onprem.yaml | 4 +-- tests/modules/net_vpn_ha/examples/ipv6.yaml | 4 +-- 17 files changed, 71 insertions(+), 39 deletions(-) diff --git a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md index 44779f8977..1b715567be 100644 --- a/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md +++ b/blueprints/apigee/network-patterns/nb-glb-psc-neg-sb-psc-ilbl7-hybrid-neg/README.md @@ -79,5 +79,5 @@ module "test" { onprem_project_id = "my-onprem-project" hostname = "test.myorg.org" } -# tftest modules=14 resources=80 +# tftest modules=14 resources=84 ``` 
diff --git a/blueprints/networking/private-cloud-function-from-onprem/README.md b/blueprints/networking/private-cloud-function-from-onprem/README.md index 17b5340c06..cede1f707b 100644 --- a/blueprints/networking/private-cloud-function-from-onprem/README.md +++ b/blueprints/networking/private-cloud-function-from-onprem/README.md @@ -45,5 +45,5 @@ module "test" { } project_id = "test-project" } -# tftest modules=11 resources=50 +# tftest modules=11 resources=54 ``` diff --git a/blueprints/networking/vpc-connectivity-lab/README.md b/blueprints/networking/vpc-connectivity-lab/README.md index 1c400c7d0a..271f794107 100644 --- a/blueprints/networking/vpc-connectivity-lab/README.md +++ b/blueprints/networking/vpc-connectivity-lab/README.md @@ -108,5 +108,5 @@ module "test" { prefix = "fast-sr0-sbox" } -# tftest modules=35 resources=136 +# tftest modules=35 resources=144 ``` diff --git a/blueprints/serverless/cloud-run-corporate/README.md b/blueprints/serverless/cloud-run-corporate/README.md index 4a530ccc62..ac2cb64c8d 100644 --- a/blueprints/serverless/cloud-run-corporate/README.md +++ b/blueprints/serverless/cloud-run-corporate/README.md @@ -253,7 +253,7 @@ module "test" { prj_onprem_id = "onprem-project-id" } -# tftest modules=15 resources=58 +# tftest modules=15 resources=62 ``` ```hcl diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md index 3df0b9f662..d54c4f539e 100644 --- a/modules/net-vpn-ha/README.md +++ b/modules/net-vpn-ha/README.md @@ -62,7 +62,7 @@ module "vpn-2" { asn = 64514 } bgp_session_range = "169.254.1.1/30" - shared_secret = module.vpn-1.random_secret + shared_secret = module.vpn-1.shared_secrets["remote-0"] vpn_gateway_interface = 0 } remote-1 = { 
@@ -71,12 +71,12 @@ module "vpn-2" { asn = 64514 } bgp_session_range = "169.254.2.1/30" - shared_secret = module.vpn-1.random_secret + shared_secret = module.vpn-1.shared_secrets["remote-1"] vpn_gateway_interface = 1 } } } -# tftest modules=2 resources=18 inventory=gcp-to-gcp.yaml +# tftest modules=2 resources=22 inventory=gcp-to-gcp.yaml ``` Note: When using the `for_each` meta-argument you might experience a Cycle Error due to the multiple `net-vpn-ha` modules referencing each other. To fix this you can create the [google_compute_ha_vpn_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ha_vpn_gateway) resources separately and reference them in the `net-vpn-ha` module via the `vpn_gateway` and `peer_gcp_gateway` variables. @@ -146,7 +146,7 @@ module "vpn_ha" { } } } -# tftest modules=1 resources=10 inventory=gcp-to-onprem.yaml +# tftest modules=1 resources=12 inventory=gcp-to-onprem.yaml ``` ### IPv6 (dual-stack) @@ -200,8 +200,10 @@ module "vpn_ha" { stack_type = "IPV4_IPV6" } } -# tftest modules=1 resources=10 intentory=ipv6.yaml +# tftest modules=1 resources=12 intentory=ipv6.yaml ``` + +You can optionally avoid to specify MD5 keys and the module will automatically generate them for you. ## Variables 
@@ -213,7 +215,7 @@ module "vpn_ha" { | [region](variables.tf#L53) | Region used for resources. | string | ✓ | | | [router_config](variables.tf#L58) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | | | [peer_gateways](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | map(object({…})) | | {} | -| [tunnels](variables.tf#L74) | VPN tunnel configurations. | map(object({…})) | | {} | +| [tunnels](variables.tf#L74) | VPN tunnel configurations. | map(object({…})) | | {} | | [vpn_gateway](variables.tf#L111) | HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`. | string | | null | | [vpn_gateway_create](variables.tf#L117) | Create HA VPN Gateway. Set to null to avoid creation. | object({…}) | | {} | 
@@ -225,12 +227,14 @@ module "vpn_ha" { | [external_gateway](outputs.tf#L25) | External VPN gateway resource. | | | [gateway](outputs.tf#L30) | VPN gateway resource (only if auto-created). | | | [id](outputs.tf#L35) | Fully qualified VPN gateway id. | | -| [name](outputs.tf#L42) | VPN gateway name (only if auto-created). . | | -| [random_secret](outputs.tf#L47) | Generated secret. | | -| [router](outputs.tf#L52) | Router resource (only if auto-created). | | -| [router_name](outputs.tf#L57) | Router name. | | -| [self_link](outputs.tf#L62) | HA VPN gateway self link. | | -| [tunnel_names](outputs.tf#L67) | VPN tunnel names. | | -| [tunnel_self_links](outputs.tf#L75) | VPN tunnel self links. | | -| [tunnels](outputs.tf#L83) | VPN tunnel resources. | | +| [md5_keys](outputs.tf#L42) | BGP tunnels MD5 keys. | | +| [name](outputs.tf#L53) | VPN gateway name (only if auto-created). | | +| [random_secret](outputs.tf#L58) | Generated secret. | | +| [router](outputs.tf#L63) | Router resource (only if auto-created). | | +| [router_name](outputs.tf#L68) | Router name. | | +| [self_link](outputs.tf#L73) | HA VPN gateway self link. | | +| [shared_secrets](outputs.tf#L78) | IPSEC tunnels shared secrets. | | +| [tunnel_names](outputs.tf#L86) | VPN tunnel names. | | +| [tunnel_self_links](outputs.tf#L94) | VPN tunnel self links. | | +| [tunnels](outputs.tf#L102) | VPN tunnel resources. | | diff --git a/modules/net-vpn-ha/main.tf b/modules/net-vpn-ha/main.tf index 0162714f86..c53e18e52d 100644 --- a/modules/net-vpn-ha/main.tf +++ b/modules/net-vpn-ha/main.tf @@ -16,6 +16,10 @@ */ locals { + md5_keys = { + for k, v in random_id.md5_keys + : k => v.b64_url + } peer_gateways_external = { for k, v in var.peer_gateways : k => v.external if v.external != null } 
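Review bot: The new `md5_keys` local gives no hint of where it is consumed, and the link to the `md5_authentication_key` dynamic block further down in the same file is not obvious from the map alone. A one-line comment above it would do: `# per-tunnel BGP MD5 keys from random_id.md5_keys; used only when tunnels[*].bgp_peer.md5_authentication_key.key is null`. The `locals` block continues past the end of the hunk.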
@@ -117,7 +121,7 @@ resource "google_compute_router_peer" "bgp_peer" { for_each = each.value.bgp_peer.md5_authentication_key != null ? toset([each.value.bgp_peer.md5_authentication_key]) : [] content { name = md5_authentication_key.value.name - key = md5_authentication_key.value.key + key = coalesce(md5_authentication_key.value.key, local.md5_keys[each.key]) } } enable_ipv6 = try(each.value.bgp_peer.ipv6, null) == null ? false : true @@ -160,3 +164,8 @@ resource "google_compute_vpn_tunnel" "tunnels" { resource "random_id" "secret" { byte_length = 8 } + +resource "random_id" "md5_keys" { + for_each = var.tunnels + byte_length = 12 +} diff --git a/modules/net-vpn-ha/outputs.tf b/modules/net-vpn-ha/outputs.tf index 2655eea734..09e96e625e 100644 --- a/modules/net-vpn-ha/outputs.tf +++ b/modules/net-vpn-ha/outputs.tf @@ -39,8 +39,19 @@ output "id" { ) } +output "md5_keys" { + description = "BGP tunnels MD5 keys." + value = { + for k, v in var.tunnels : + k => try(v.bgp_peer.md5_authentication_key, null) == null ? {} : { + key = coalesce(v.bgp_peer.md5_authentication_key.key, local.md5_keys[k]) + name = v.bgp_peer.md5_authentication_key.name + } + } +} + output "name" { - description = "VPN gateway name (only if auto-created). ." + description = "VPN gateway name (only if auto-created)." value = one(google_compute_ha_vpn_gateway.ha_gateway[*].name) } @@ -64,6 +75,14 @@ output "self_link" { value = local.vpn_gateway } +output "shared_secrets" { + description = "IPSEC tunnels shared secrets." + value = { + for k, v in var.tunnels + : k => coalesce(v.shared_secret, local.secret) + } +} + output "tunnel_names" { description = "VPN tunnel names." value = { diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf index d9b2392618..c59cddbf13 100644 --- a/modules/net-vpn-ha/variables.tf +++ b/modules/net-vpn-ha/variables.tf 
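Review bot: The auto-generated BGP MD5 keys from `random_id.md5_keys` will be printed in plain text in plan and apply output, because the random provider does not mark `random_id` attributes such as `b64_url` as sensitive (the pre-existing `random_id.secret` just above has the same exposure). If the pinned random provider version allows it, `random_password` with `length = 16`, `special = false`, read through `.result` (which the provider marks sensitive), would keep the key redacted in logs while still being stored in state as today. A smaller point: `for_each = var.tunnels` creates a key for every tunnel even where no `md5_authentication_key` is configured; `for_each = { for k, v in var.tunnels : k => v if try(v.bgp_peer.md5_authentication_key, null) != null }` would avoid unused secrets in state, since `local.md5_keys[each.key]` is only read under that same condition (the test resource counts would need adjusting).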
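Review bot: The new `md5_keys` output is not marked `sensitive = true`, so the BGP MD5 keys, whether user-supplied or generated, are shown by `terraform output` and in the plan of any root module that references them. Adding `sensitive = true` after the `description` line keeps them redacted; callers can still pass the value to another module or read it with `terraform output -json`. The keys remain in state either way, so state encryption and access control stay the primary control.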
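Review bot: `shared_secrets` returns IPsec pre-shared keys (`coalesce(v.shared_secret, local.secret)`) without `sensitive = true`, so they appear in plain text in plan output wherever the README's `module.vpn-1.shared_secrets["remote-0"]` pattern is used. Add `sensitive = true` to the output block; passing a sensitive value into a resource argument needs no change on the consuming side. The pre-existing `random_secret` output, outside this hunk, has the same exposure and could be fixed in the same pass.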
@@ -84,7 +84,7 @@ variable "tunnels" { })) md5_authentication_key = optional(object({ name = string - key = string + key = optional(string) })) ipv6 = optional(object({ nexthop_address = optional(string) diff --git a/tests/fast/stages/s2_networking_a_simple/simple.yaml b/tests/fast/stages/s2_networking_a_simple/simple.yaml index afd24899e3..eaf9c6690a 100644 --- a/tests/fast/stages/s2_networking_a_simple/simple.yaml +++ b/tests/fast/stages/s2_networking_a_simple/simple.yaml @@ -47,5 +47,5 @@ counts: google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 29 - random_id: 1 - resources: 197 + random_id: 3 + resources: 199 diff --git a/tests/fast/stages/s2_networking_a_simple/vpn.yaml b/tests/fast/stages/s2_networking_a_simple/vpn.yaml index 869cd3b8f5..d948bcb932 100644 --- a/tests/fast/stages/s2_networking_a_simple/vpn.yaml +++ b/tests/fast/stages/s2_networking_a_simple/vpn.yaml @@ -45,5 +45,5 @@ counts: google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 31 - random_id: 5 - resources: 232 + random_id: 17 + resources: 244 diff --git a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml index 182338498a..bb1a447703 100644 --- a/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml +++ b/tests/fast/stages/s2_networking_b_nva/ncc-ra.yaml @@ -50,5 +50,5 @@ counts: google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 39 - random_id: 2 - resources: 257 + random_id: 6 + resources: 261 diff --git a/tests/fast/stages/s2_networking_b_nva/regional.yaml b/tests/fast/stages/s2_networking_b_nva/regional.yaml index 61d3d53cd3..bcd5a85555 100644 --- a/tests/fast/stages/s2_networking_b_nva/regional.yaml +++ b/tests/fast/stages/s2_networking_b_nva/regional.yaml @@ -52,5 +52,5 @@ counts: google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 47 - random_id: 2 - resources: 265 + random_id: 6 + resources: 269 
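Review bot: Making `key` optional changes its meaning (a null key now means "the module generates one"), but nothing in the `tunnels` variable declaration says so; the README gains a sentence while readers of variables.tf get no hint. A trailing comment on the changed line would document it where the type is declared: `key = optional(string) # null: auto-generated by the module`. The `variable "tunnels"` block begins before this hunk.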
diff --git a/tests/fast/stages/s2_networking_b_nva/simple.yaml b/tests/fast/stages/s2_networking_b_nva/simple.yaml index d8f362d8b8..51c09deb68 100644 --- a/tests/fast/stages/s2_networking_b_nva/simple.yaml +++ b/tests/fast/stages/s2_networking_b_nva/simple.yaml @@ -52,5 +52,5 @@ counts: google_tags_tag_binding: 3 google_vpc_access_connector: 2 modules: 43 - random_id: 2 - resources: 243 + random_id: 6 + resources: 247 diff --git a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml index 65cd1d33f6..1f684b5980 100644 --- a/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml +++ b/tests/fast/stages/s2_networking_c_separate_envs/simple.yaml @@ -45,5 +45,5 @@ counts: google_tags_tag_binding: 2 google_vpc_access_connector: 2 modules: 22 - random_id: 2 - resources: 211 + random_id: 6 + resources: 215 diff --git a/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml b/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml index fd6b90be1a..d7591c4b5a 100644 --- a/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml +++ b/tests/modules/net_vpn_ha/examples/gcp-to-gcp.yaml @@ -212,5 +212,5 @@ counts: google_compute_router_peer: 4 google_compute_vpn_tunnel: 4 modules: 2 - random_id: 2 - resources: 18 + random_id: 6 + resources: 22 diff --git a/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml b/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml index c2d49b2971..eaf35b63bb 100644 --- a/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml +++ b/tests/modules/net_vpn_ha/examples/gcp-to-onprem.yaml @@ -126,5 +126,5 @@ counts: google_compute_router_peer: 2 google_compute_vpn_tunnel: 2 modules: 1 - random_id: 1 - resources: 10 + random_id: 3 + resources: 12 diff --git a/tests/modules/net_vpn_ha/examples/ipv6.yaml b/tests/modules/net_vpn_ha/examples/ipv6.yaml index 48cb3de1e2..c0df23a248 100644 --- a/tests/modules/net_vpn_ha/examples/ipv6.yaml +++ b/tests/modules/net_vpn_ha/examples/ipv6.yaml 
@@ -131,5 +131,5 @@ counts: google_compute_router_peer: 2 google_compute_vpn_tunnel: 2 modules: 1 - random_id: 1 - resources: 10 + random_id: 3 + resources: 12