IPsec-encrypted Interconnect (#4777)
* IPsec over interconnect feature

* Removing test from other branch

* Mark several encryption fields as input-only
slevenick authored May 14, 2021
1 parent 091be0c commit ec2e3e8
Showing 6 changed files with 280 additions and 4 deletions.
107 changes: 103 additions & 4 deletions mmv1/products/compute/api.yaml
@@ -123,13 +123,21 @@ objects:
- !ruby/object:Api::Type::String
name: purpose
description: |
The purpose of this resource. Possible values include:
The purpose of this resource, which can be one of the following values:

* GCE_ENDPOINT for addresses that are used by VM instances, alias IP ranges, internal load balancers, and similar resources.
* GCE_ENDPOINT for addresses that are used by VM instances, alias IP
ranges, internal load balancers, and similar resources.

* SHARED_LOADBALANCER_VIP for an address that can be used by multiple internal load balancers.
* SHARED_LOADBALANCER_VIP for an address that can be used by multiple
internal load balancers.

* VPC_PEERING for addresses that are reserved for VPC peer networks.

* IPSEC_INTERCONNECT (Beta only) for addresses created from a private IP range
that are reserved for a VLAN attachment in an IPsec-encrypted Cloud
Interconnect configuration. These addresses are regional resources.

This should only be set when using an Internal address.
- !ruby/object:Api::Type::Enum
name: 'networkTier'
description: |
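Review bot: `purpose` remains an `Api::Type::String` (first line of this hunk), so the new `IPSEC_INTERCONNECT` value is documented in prose but never validated on the provider side; a typo in the value only fails at apply time. If keeping it a free string is deliberate for forward compatibility, say so in the description, otherwise consider a validation override in terraform.yaml listing the four documented values. The "(Beta only)" marker in the bullet will also go stale when the value reaches GA; the `min_version` convention used for the other fields in this change is the cleaner place to express beta gating.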
@@ -181,6 +189,20 @@ objects:
- :RESERVING
- :RESERVED
- :IN_USE
- !ruby/object:Api::Type::ResourceRef
name: 'network'
resource: 'Network'
imports: 'selfLink'
description: |
The URL of the network in which to reserve the address. This field
can only be used with INTERNAL type with the VPC_PEERING and
IPSEC_INTERCONNECT purposes.
min_version: beta
- !ruby/object:Api::Type::Integer
name: prefixLength
description: |
The prefix length if the resource represents an IP range.
min_version: beta
- !ruby/object:Api::Resource
name: 'Autoscaler'
kind: 'compute#autoscaler'
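Review bot: the `prefixLength` description ("The prefix length if the resource represents an IP range") does not say when the field is required or which lengths are accepted; every example in this change pairs it with `purpose = "IPSEC_INTERCONNECT"` and a /29, so the description should state that it is only meaningful for that purpose and document the accepted range. Likewise the `network` description states the INTERNAL + VPC_PEERING/IPSEC_INTERCONNECT restriction, but nothing in the schema enforces it, so a wrong combination surfaces only at apply time; a sentence saying the constraint is enforced by the API rather than the provider would set expectations.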
@@ -7468,6 +7490,60 @@ objects:
description: |
The IEEE 802.1Q VLAN tag for this attachment, in the range 2-4094. When
using PARTNER type this will be managed upstream.
- !ruby/object:Api::Type::Array
name: 'ipsecInternalAddresses'
description: |
URL of addresses that have been reserved for the interconnect
attachment, Used only for interconnect attachment that has the
encryption option as IPSEC.

The addresses must be RFC 1918 IP address ranges. When creating HA
VPN gateway over the interconnect attachment, if the attachment is
configured to use an RFC 1918 IP address, then the VPN gateway's IP
address will be allocated from the IP address range specified
here.

For example, if the HA VPN gateway's interface 0 is paired to this
interconnect attachment, then an RFC 1918 IP address for the VPN
gateway interface 0 will be allocated from the IP address specified
for this interconnect attachment.

If this field is not specified for interconnect attachment that has
encryption option as IPSEC, later on when creating HA VPN gateway on
this interconnect attachment, the HA VPN gateway's IP address will be
allocated from regional external IP address pool.
input: true
min_version: beta
item_type: !ruby/object:Api::Type::ResourceRef
name: 'ipsecInternalAddress'
resource: 'Address'
imports: 'selfLink'
description: |
URL of an address that has been reserved for the interconnect
attachment.
- !ruby/object:Api::Type::Enum
name: 'encryption'
description: |
Indicates the user-supplied encryption option of this interconnect
attachment:

NONE is the default value, which means that the attachment carries
unencrypted traffic. VMs can send traffic to, or receive traffic
from, this type of attachment.

IPSEC indicates that the attachment carries only traffic encrypted by
an IPsec device such as an HA VPN gateway. VMs cannot directly send
traffic to, or receive traffic from, such an attachment. To use
IPsec-encrypted Cloud Interconnect create the attachment using this
option.

Not currently available publicly.
input: true
values:
- :NONE
- :IPSEC
default_value: :NONE
min_version: beta
- !ruby/object:Api::Resource
name: 'MachineImage'
kind: 'compute#machineImage'
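Review bot: punctuation and grammar in the `ipsecInternalAddresses` description: "attachment, Used only for interconnect attachment that has the encryption option as IPSEC" should read "attachment. Used only for interconnect attachments whose encryption option is IPSEC." More importantly, both this field and `encryption` keep the sentence "Not currently available publicly." while this same commit ships beta examples for them; that line is rendered into user-facing docs, so drop it or replace it with a beta note. The description also says the addresses must be RFC 1918 ranges, but the schema accepts any `Address` self link and the provider does not check the range; state explicitly that this constraint is enforced server-side so users understand why an apply with a non-private address fails.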
@@ -12904,6 +12980,15 @@ objects:
description: |
User-specified description for the IP range.
send_empty_value: true
- !ruby/object:Api::Type::Boolean
name: encryptedInterconnectRouter
input: true
description: |
Field to indicate if a router is dedicated to use with encrypted
Interconnect Attachment (IPsec-encrypted Cloud Interconnect feature).

Not currently available publicly.
min_version: beta
- !ruby/object:Api::Resource
name: 'RouterNat'
base_url: projects/{{project}}/regions/{{region}}/routers/{{router}}
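Review bot: `encryptedInterconnectRouter` is `input: true`, so toggling it on an existing router forces replacement of the router; the description should make clear that this is a creation-time decision. The wording "Field to indicate if a router is dedicated to use with encrypted Interconnect Attachment" is awkward; suggest "Indicates whether this router is dedicated to IPsec-encrypted Cloud Interconnect attachments. Cannot be changed after creation." and, as with the other fields in this change, drop "Not currently available publicly."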
@@ -15332,7 +15417,6 @@ objects:
name: 'vpnInterfaces'
description: |
A list of interfaces on this VPN gateway.
output: true
item_type: !ruby/object:Api::Type::NestedObject
properties:
- !ruby/object:Api::Type::Integer
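Review bot: removing `output: true` from `vpnInterfaces` makes the whole nested block user-configurable, including the `id` integer that follows it. The API assigns the two interface ids (0 and 1) itself, so the description should say that a configured `id` must match those values. The `default_from_api: true` override for this field in terraform.yaml is what keeps gateways that never declare the block from showing a perpetual diff; please make sure the api.yaml and terraform.yaml halves of this change land together.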
@@ -15341,6 +15425,21 @@ objects:
- !ruby/object:Api::Type::String
name: 'ipAddress'
description: 'The external IP address for this VPN gateway interface.'
output: true
- !ruby/object:Api::Type::ResourceRef
name: 'interconnectAttachment'
resource: 'InterconnectAttachment'
imports: 'selfLink'
description: |
URL of the interconnect attachment resource. When the value
of this field is present, the VPN Gateway will be used for
IPsec-encrypted Cloud Interconnect; all Egress or Ingress
traffic for this VPN Gateway interface will go through the
specified interconnect attachment resource.

Not currently available publicly.
input: true
min_version: beta
- !ruby/object:Api::Resource
name: 'ExternalVpnGateway'
kind: 'compute#externalVpnGateway'
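Review bot: `interconnectAttachment` is `input: true` inside a nested block that is no longer output-only, so changing the attachment on one interface forces replacement of the entire HA VPN gateway (and with it any tunnels that reference it); the description should say so. Also, "Egress or Ingress" should be lower-case and "Not currently available publicly." should go. Suggested text: "URL of the interconnect attachment resource. When set, the VPN gateway is used for IPsec-encrypted Cloud Interconnect and all egress and ingress traffic for this interface goes through the specified attachment. Cannot be changed after creation."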
37 changes: 37 additions & 0 deletions mmv1/products/compute/terraform.yaml
@@ -45,6 +45,13 @@ overrides: !ruby/object:Overrides::ResourceOverrides
vars:
address_name: "ipv4-address"
instance_name: "vm-instance"
- !ruby/object:Provider::Terraform::Examples
name: "compute_address_ipsec_interconnect"
primary_resource_id: "ipsec-interconnect-address"
min_version: beta
vars:
address_name: "test-address"
network_name: "test-network"
properties:
address: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
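Review bot: the example variable values `test-address` and `test-network` are rendered into the generated documentation, where the neighbouring example uses descriptive names such as `ipv4-address` and `vm-instance`; prefer names that tell a reader what the resource is for (for example `ipsec-interconnect-address` and `ipsec-interconnect-network`). The same applies to the other three new examples in this file.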
@@ -1088,6 +1095,15 @@ overrides: !ruby/object:Overrides::ResourceOverrides
interconnect_attachment_name: "on-prem-attachment"
router_name: "router"
network_name: "network"
- !ruby/object:Provider::Terraform::Examples
name: "compute_interconnect_attachment_ipsec_encryption"
primary_resource_id: "ipsec-encrypted-interconnect-attachment"
min_version: beta
vars:
interconnect_attachment_name: "test-interconnect-attachment"
address_name: "test-address"
router_name: "test-router"
network_name: "test-network"
properties:
id: !ruby/object:Overrides::Terraform::PropertyOverride
exclude: true
@@ -2056,6 +2072,13 @@ overrides: !ruby/object:Overrides::ResourceOverrides
vars:
router_name: "my-router"
network_name: "my-network"
- !ruby/object:Provider::Terraform::Examples
name: "compute_router_encrypted_interconnect"
primary_resource_id: "encrypted-interconnect-router"
min_version: beta
vars:
router_name: "test-router"
network_name: "test-network"
custom_code: !ruby/object:Provider::Terraform::CustomCode
constants: templates/terraform/constants/router.go.erb
resource_definition: templates/terraform/resource_definition/router.go.erb
@@ -2711,6 +2734,18 @@ overrides: !ruby/object:Overrides::ResourceOverrides
ha_vpn_gateway2_name: "ha-vpn-2"
network2_name: "network2"
router2_name: "ha-vpn-router2"
- !ruby/object:Provider::Terraform::Examples
name: "compute_ha_vpn_gateway_encrypted_interconnect"
primary_resource_id: "vpn-gateway"
min_version: beta
vars:
ha_vpn_gateway_name: "test-ha-vpngw"
interconnect_attachment1_name: "test-interconnect-attachment1"
interconnect_attachment2_name: "test-interconnect-attachment2"
address1_name: "test-address1"
address2_name: "test-address2"
router_name: "test-router"
network_name: "test-network"
properties:
name: !ruby/object:Overrides::Terraform::PropertyOverride
validation: !ruby/object:Provider::Terraform::Validation
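Review bot: this example creates two PARTNER interconnect attachments, two addresses, a router and a network, and every example in this file also generates an acceptance test; please confirm the test can actually run to completion in the test project (a PARTNER attachment needs partner-side activation before it is usable), and if not, mark the example `skip_test` with a comment explaining why, rather than leaving a test that can never pass.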
@@ -2723,6 +2758,8 @@ overrides: !ruby/object:Overrides::ResourceOverrides
required: false # the provider-default value will be used if not specified
default_from_api: true
custom_flatten: 'templates/terraform/custom_flatten/name_from_self_link.erb'
vpnInterfaces: !ruby/object:Overrides::Terraform::PropertyOverride
default_from_api: true
ExternalVpnGateway: !ruby/object:Overrides::Terraform::ResourceOverride
properties:
interfaces: !ruby/object:Overrides::Terraform::PropertyOverride
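Review bot: `default_from_api: true` on `vpnInterfaces` is the right companion to dropping `output: true` in api.yaml, but note the interaction with the new input-only `interconnectAttachment`: a gateway created without the block reads back two interfaces with no attachment, and adding the block later with an attachment plans a replacement of the gateway. Worth one sentence in the resource docs so users decide on the attachment at creation time.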
@@ -0,0 +1,15 @@
resource "google_compute_address" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['address_name'] %>"
address_type = "INTERNAL"
purpose = "IPSEC_INTERCONNECT"
address = "192.168.1.0"
prefix_length = 29
network = google_compute_network.network.self_link
provider = google-beta
}

resource "google_compute_network" "network" {
name = "<%= ctx[:vars]['network_name'] %>"
auto_create_subnetworks = false
provider = google-beta
}
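Review bot: `address = "192.168.1.0"` with `prefix_length = 29` reserves a /29 from RFC 1918 space, which matches the `ipsecInternalAddresses` requirement in api.yaml; good. The `network` argument here uses `.self_link` while the router examples in this change pass `.name` for the same kind of reference; both are accepted, but pick one form across the new examples so readers copying them do not wonder whether the difference matters.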
@@ -0,0 +1,73 @@
resource "google_compute_ha_vpn_gateway" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['ha_vpn_gateway_name'] %>"
network = google_compute_network.network.id
vpn_interfaces {
id = 0
interconnect_attachment = google_compute_interconnect_attachment.attachment1.self_link
}
vpn_interfaces {
id = 1
interconnect_attachment = google_compute_interconnect_attachment.attachment2.self_link
}
provider = google-beta
}

resource "google_compute_interconnect_attachment" "attachment1" {
name = "<%= ctx[:vars]['interconnect_attachment1_name'] %>"
edge_availability_domain = "AVAILABILITY_DOMAIN_1"
type = "PARTNER"
router = google_compute_router.router.id
encryption = "IPSEC"
ipsec_internal_addresses = [
google_compute_address.address1.self_link,
]
provider = google-beta
}

resource "google_compute_interconnect_attachment" "attachment2" {
name = "<%= ctx[:vars]['interconnect_attachment2_name'] %>"
edge_availability_domain = "AVAILABILITY_DOMAIN_2"
type = "PARTNER"
router = google_compute_router.router.id
encryption = "IPSEC"
ipsec_internal_addresses = [
google_compute_address.address2.self_link,
]
provider = google-beta
}

resource "google_compute_address" "address1" {
name = "<%= ctx[:vars]['address1_name'] %>"
address_type = "INTERNAL"
purpose = "IPSEC_INTERCONNECT"
address = "192.168.1.0"
prefix_length = 29
network = google_compute_network.network.self_link
provider = google-beta
}

resource "google_compute_address" "address2" {
name = "<%= ctx[:vars]['address2_name'] %>"
address_type = "INTERNAL"
purpose = "IPSEC_INTERCONNECT"
address = "192.168.2.0"
prefix_length = 29
network = google_compute_network.network.self_link
provider = google-beta
}

resource "google_compute_router" "router" {
name = "<%= ctx[:vars]['router_name'] %>"
network = google_compute_network.network.name
encrypted_interconnect_router = true
bgp {
asn = 16550
}
provider = google-beta
}

resource "google_compute_network" "network" {
name = "<%= ctx[:vars]['network_name'] %>"
auto_create_subnetworks = false
provider = google-beta
}
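Review bot: the two attachments sit in different edge availability domains and use non-overlapping ranges (192.168.1.0/29 and 192.168.2.0/29), which is what the HA pairing needs. The router's `asn = 16550` is the ASN Cloud Router must use for PARTNER attachments, and the standalone router example in this same change uses a private ASN (64514); a short comment on the `bgp` block explaining that 16550 is mandated by the PARTNER type would stop readers from copying either value into the wrong context.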
@@ -0,0 +1,37 @@
resource "google_compute_interconnect_attachment" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['interconnect_attachment_name'] %>"
edge_availability_domain = "AVAILABILITY_DOMAIN_1"
type = "PARTNER"
router = google_compute_router.router.id
encryption = "IPSEC"
ipsec_internal_addresses = [
google_compute_address.address.self_link,
]
provider = google-beta
}

resource "google_compute_address" "address" {
name = "<%= ctx[:vars]['address_name'] %>"
address_type = "INTERNAL"
purpose = "IPSEC_INTERCONNECT"
address = "192.168.1.0"
prefix_length = 29
network = google_compute_network.network.self_link
provider = google-beta
}

resource "google_compute_router" "router" {
name = "<%= ctx[:vars]['router_name'] %>"
network = google_compute_network.network.name
encrypted_interconnect_router = true
bgp {
asn = 16550
}
provider = google-beta
}

resource "google_compute_network" "network" {
name = "<%= ctx[:vars]['network_name'] %>"
auto_create_subnetworks = false
provider = google-beta
}
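Review bot: `ipsec_internal_addresses` is input-only per api.yaml, so replacing `google_compute_address.address` later (for example to move to a different /29) replaces the attachment as well; since this is the single-attachment example users are most likely to copy, a comment saying the address is fixed for the life of the attachment would be useful. Same ASN comment as the HA example applies to the `bgp` block here.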
@@ -0,0 +1,15 @@
resource "google_compute_router" "<%= ctx[:primary_resource_id] %>" {
name = "<%= ctx[:vars]['router_name'] %>"
network = google_compute_network.network.name
encrypted_interconnect_router = true
bgp {
asn = 64514
}
provider = google-beta
}

resource "google_compute_network" "network" {
name = "<%= ctx[:vars]['network_name'] %>"
auto_create_subnetworks = false
provider = google-beta
}
