PaloAltoNetworks · pavelrn · Sep 11, 2023 · Aug 29, 2023 · Aug 30, 2023 · Aug 30, 2023
diff --git a/.gitignore b/.gitignore
@@ -59,4 +59,4 @@ terraform.tfvars.json
 # password, private keys, and other secrets. But allow example files.
 *.tfvars
 *.tfvars.json
-!*/example.tfvars
+!**/example.tfvars
diff --git a/modules/vpn/Makefile b/modules/vpn/Makefile
@@ -0,0 +1,2 @@
+validate:
+	@../../makefile.sh validate
diff --git a/modules/vpn/README.md b/modules/vpn/README.md
@@ -0,0 +1,105 @@
+# VPN
+
+This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem VPN using [Cloud HA VPN](https://cloud.google.com/vpn/docs/concepts/overview#ha-vpn) including HA VPN Gateway itself. VPN includes one or more VPN instances (connections).
+
+Each created VPN instance is represented by 1..4 VPN tunnels that taget remote VPN gateway(s) located in a single remote location. Remote VPN gateway(s) might have singe IP address (`redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"`) or 2 IP addresses (`redundancy_type = "TWO_IPS_REDUNDANCY"`).
+
+## Examples
+
+See `example/` folder for example usage. 
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | >= 4.58 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | >= 4.58 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpn_instances"></a> [vpn\_instances](#module\_vpn\_instances) | ./modules/vpn_instance | n/a |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_ha_vpn_gateway.ha_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ha_vpn_gateway) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_labels"></a> [labels](#input\_labels) | Labels for VPN components | `map(string)` | `{}` | no |
+| <a name="input_network"></a> [network](#input\_network) | VPC network ID that should be used for deployment | `string` | n/a | yes |
+| <a name="input_project"></a> [project](#input\_project) | n/a | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region to deploy VPN gateway in | `string` | n/a | yes |
+| <a name="input_router_name"></a> [router\_name](#input\_router\_name) | Cloud router name. The router is created by the module | `string` | n/a | yes |
+| <a name="input_vpn_config"></a> [vpn\_config](#input\_vpn\_config) | VPN configuration from GCP to on-prem or from GCP to GCP.<br>If you'd like secrets to be randomly generated set `shared_secret` to empty string ("").<br><br>Example:<pre>vpn_config = {<br>  router_asn    = 65000<br>  local_network = "vpc-vpn"<br><br>  router_advertise_config = {<br>    ip_ranges = {<br>      "10.10.0.0/16" : "GCP range 1"<br>    }<br>    mode   = "CUSTOM"<br>    groups = null<br>  }<br><br>  instances = {<br>    vpn-to-onprem = {<br>      name = "vpn-to-onprem",<br>      peer_external_gateway = {<br>        redundancy_type = "TWO_IPS_REDUNDANCY"<br>        interfaces = [{<br>          id         = 0<br>          ip_address = "1.1.1.1"<br>          }, {<br>          id         = 1<br>          ip_address = "2.2.2.2"<br>        }]<br>      },<br>      tunnels = {<br>        remote0 = {<br>          bgp_peer = {<br>            address = "169.254.1.2"<br>            asn     = 65001<br>          }<br>          bgp_peer_options                = null<br>          bgp_session_range               = "169.254.1.1/30"<br>          ike_version                     = 2<br>          vpn_gateway_interface           = 0<br>          peer_external_gateway_interface = 0<br>          shared_secret                   = "secret"<br>        }<br>        remote1 = {<br>          bgp_peer = {<br>            address = "169.254.1.6"<br>            asn     = 65001<br>          }<br>          bgp_peer_options                = null<br>          bgp_session_range               = "169.254.1.5/30"<br>          ike_version                     = 2<br>          vpn_gateway_interface           = 1<br>          peer_external_gateway_interface = 1<br>          shared_secret                   = "secret"<br>        }<br>      }<br>    }<br>  }<br>}</pre> | `any` | n/a | yes |
+| <a name="input_vpn_gateway_name"></a> [vpn\_gateway\_name](#input\_vpn\_gateway\_name) | VPN gateway name. Gateway created by the module | `string` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_random_secrets_map"></a> [random\_secrets\_map](#output\_random\_secrets\_map) | HA VPN IPsec tunnels secrets that were randomly generated |
+| <a name="output_vpn_gw_local_address_1"></a> [vpn\_gw\_local\_address\_1](#output\_vpn\_gw\_local\_address\_1) | HA VPN gateway IP address 1 |
+| <a name="output_vpn_gw_local_address_2"></a> [vpn\_gw\_local\_address\_2](#output\_vpn\_gw\_local\_address\_2) | HA VPN gateway IP address 2 |
+| <a name="output_vpn_gw_name"></a> [vpn\_gw\_name](#output\_vpn\_gw\_name) | HA VPN gateway name |
+| <a name="output_vpn_gw_self_link"></a> [vpn\_gw\_self\_link](#output\_vpn\_gw\_self\_link) | HA VPN gateway self\_link |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+| <a name="requirement_google"></a> [google](#requirement\_google) | == 4.58 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_google"></a> [google](#provider\_google) | == 4.58 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_vpn_ha"></a> [vpn\_ha](#module\_vpn\_ha) | terraform-google-modules/vpn/google | 3.0.1 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_ha_vpn_gateway.ha_gateway](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_ha_vpn_gateway) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_project"></a> [project](#input\_project) | n/a | `string` | `null` | no |
+| <a name="input_region"></a> [region](#input\_region) | Region to deploy VPN gateway in | `string` | n/a | yes |
+| <a name="input_vpc_network_id"></a> [vpc\_network\_id](#input\_vpc\_network\_id) | VPC network ID that should be used for deployment | `string` | n/a | yes |
+| <a name="input_vpn"></a> [vpn](#input\_vpn) | VPN configuration from GCP to on-prem or from GCP to GCP.<br>If you'd like secrets to be randomly generated set `shared_secret` to empty string ("").<br><br>Example:<pre>vpn = {<br>router_asn    = 65000<br>local_network = "vpc-vpn"<br><br>router_advertise_config = {<br>  ip_ranges = {<br>    "10.10.0.0/16" : "GCP range 1"<br>  }<br>  mode   = "CUSTOM"<br>  groups = null<br>}<br><br>instances = {<br>  vpn-to-onprem = {<br>    name = "vpn-to-onprem",<br>    peer_external_gateway = {<br>      redundancy_type = "TWO_IPS_REDUNDANCY"<br>      interfaces = [{<br>        id         = 0<br>        ip_address = "1.1.1.1"<br>        }, {<br>        id         = 1<br>        ip_address = "2.2.2.2"<br>      }]<br>    },<br>    tunnels = {<br>      remote0 = {<br>        bgp_peer = {<br>          address = "169.254.1.2"<br>          asn     = 65001<br>        }<br>        bgp_peer_options                = null<br>        bgp_session_range               = "169.254.1.1/30"<br>        ike_version                     = 2<br>        vpn_gateway_interface           = 0<br>        peer_external_gateway_interface = 0<br>        shared_secret                   = "secret"<br>      }<br>      remote1 = {<br>        bgp_peer = {<br>          address = "169.254.1.6"<br>          asn     = 65001<br>        }<br>        bgp_peer_options                = null<br>        bgp_session_range               = "169.254.1.5/30"<br>        ike_version                     = 2<br>        vpn_gateway_interface           = 1<br>        peer_external_gateway_interface = 1<br>        shared_secret                   = "secret"<br>      }<br>    }<br>  }<br>}</pre> | `any` | n/a | yes |
+| <a name="input_vpn_gateway_name"></a> [vpn\_gateway\_name](#input\_vpn\_gateway\_name) | VPN gateway name | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_local_ipsec_gw2_address_2"></a> [local\_ipsec\_gw2\_address\_2](#output\_local\_ipsec\_gw2\_address\_2) | HA VPN gateway IP address 2 |
+| <a name="output_local_ipsec_gw_address_1"></a> [local\_ipsec\_gw\_address\_1](#output\_local\_ipsec\_gw\_address\_1) | HA VPN gateway IP address 1 |
+| <a name="output_random_secrets_map"></a> [random\_secrets\_map](#output\_random\_secrets\_map) | HA VPN IPsec tunnels secrets that were randomly generated |
+| <a name="output_vpn_gateway_name"></a> [vpn\_gateway\_name](#output\_vpn\_gateway\_name) | HA VPN gateway name |
+| <a name="output_vpn_gateway_self_link"></a> [vpn\_gateway\_self\_link](#output\_vpn\_gateway\_self\_link) | HA VPN gateway self\_link |
+<!-- END_TF_DOCS -->
diff --git a/modules/vpn/example/Makefile b/modules/vpn/example/Makefile
@@ -0,0 +1,2 @@
+validate:
+	@../../../makefile.sh validate
diff --git a/modules/vpn/example/example.tfvars b/modules/vpn/example/example.tfvars
@@ -0,0 +1,129 @@
+project      = "<project_id>"
+region       = "us-central1"
+network_name = "<network_name>"
+
+vpn_gateway_name = "my-test-gateway"
+router_name      = "my-test-router"
+
+vpn_config = {
+  router_asn    = 65000
+  local_network = "vpc-vpn"
+
+  router_advertise_config = {
+    ip_ranges = {
+      "10.10.0.0/16" : "GCP range 1"
+    }
+    mode   = "CUSTOM"
+    groups = null
+  }
+
+  instances = {
+    vpn-to-onprem = {
+      name = "vpn-to-onprem",
+      peer_external_gateway = {
+        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
+        interfaces = [{
+          id         = 0
+          ip_address = "1.1.1.1"
+        }]
+      },
+      tunnels = {
+        remote00 = {
+          bgp_peer = {
+            address = "169.254.1.2"
+            asn     = 65001
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.1.1/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 0
+          peer_external_gateway_interface = 0
+          shared_secret                   = "secret"
+        }
+        remote01 = {
+          bgp_peer = {
+            address = "169.254.1.6"
+            asn     = 65001
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.1.5/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 1
+          peer_external_gateway_interface = null
+          shared_secret                   = "secret"
+        }
+      }
+    }
+    vpn-to-onprem2 = {
+      name = "vpn-to-onprem2",
+      peer_external_gateway = {
+        redundancy_type = "TWO_IPS_REDUNDANCY"
+        interfaces = [{
+          id         = 0
+          ip_address = "3.3.3.3"
+          }, {
+          id         = 1
+          ip_address = "4.4.4.4"
+        }]
+      },
+      tunnels = {
+        remote10 = {
+          bgp_peer = {
+            address = "169.254.2.2"
+            asn     = 65002
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.2.1/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 0
+          peer_external_gateway_interface = 0
+          shared_secret                   = "secret"
+        }
+        remote11 = {
+          bgp_peer = {
+            address = "169.254.2.6"
+            asn     = 65002
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.2.5/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 1
+          peer_external_gateway_interface = 1
+          shared_secret                   = "secret"
+        }
+      }
+    }
+    vpn-to-gcp = {
+      name = "vpn-to-gcp",
+
+      peer_gcp_gateway = "https://www.googleapis.com/compute/v1/projects/<remote_project_id>/regions/<region>/vpnGateways/<remote_vpn_gw_name>"
+
+      tunnels = {
+        remote00 = {
+          bgp_peer = {
+            address = "169.254.3.2"
+            asn     = 65003
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.3.1/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 0
+          peer_external_gateway_interface = null
+          shared_secret                   = "secret"
+        }
+        remote01 = {
+          bgp_peer = {
+            address = "169.254.3.6"
+            asn     = 65003
+          }
+          bgp_peer_options                = null
+          bgp_session_range               = "169.254.3.5/30"
+          ike_version                     = 2
+          vpn_gateway_interface           = 1
+          peer_external_gateway_interface = 1
+          shared_secret                   = "secret"
+        }
+      }
+    }
+  }
+}
diff --git a/modules/vpn/example/main.tf b/modules/vpn/example/main.tf
@@ -0,0 +1,106 @@
+data "google_compute_network" "test" {
+  name    = "j26-vpc-app01-data-nonprod"
+  project = "gcp-gcs-pso"
+}
+
+module "vpn" {
+  source = "../"
+
+  project = "gcp-gcs-pso"
+  region  = "us-central1"
+
+  vpn_gateway_name = "my-test-gateway"
+  router_name      = "my-test-router"
+  network          = data.google_compute_network.test.self_link
+
+  vpn_config = {
+    router_asn    = 65000
+    local_network = "vpc-vpn"
+
+    router_advertise_config = {
+      ip_ranges = {
+        "10.10.0.0/16" : "GCP range 1"
+      }
+      mode   = "CUSTOM"
+      groups = null
+    }
+
+    instances = {
+      vpn-to-onprem = {
+        name = "vpn-to-onprem",
+        peer_external_gateway = {
+          redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
+          interfaces = [{
+            id         = 0
+            ip_address = "1.1.1.1"
+          }]
+        },
+        tunnels = {
+          remote00 = {
+            bgp_peer = {
+              address = "169.254.1.2"
+              asn     = 65001
+            }
+            bgp_peer_options                = null
+            bgp_session_range               = "169.254.1.1/30"
+            ike_version                     = 2
+            vpn_gateway_interface           = 0
+            peer_external_gateway_interface = 0
+            shared_secret                   = "secret"
+          }
+          remote01 = {
+            bgp_peer = {
+              address = "169.254.1.6"
+              asn     = 65001
+            }
+            bgp_peer_options                = null
+            bgp_session_range               = "169.254.1.5/30"
+            ike_version                     = 2
+            vpn_gateway_interface           = 1
+            peer_external_gateway_interface = 0
+            shared_secret                   = "secret"
+          }
+        }
+      }
+      vpn-to-onprem2 = {
+        name = "vpn-to-onprem2",
+        peer_external_gateway = {
+          redundancy_type = "TWO_IPS_REDUNDANCY"
+          interfaces = [{
+            id         = 0
+            ip_address = "3.3.3.3"
+            }, {
+            id         = 1
+            ip_address = "4.4.4.4"
+          }]
+        },
+        tunnels = {
+          remote10 = {
+            bgp_peer = {
+              address = "169.254.2.2"
+              asn     = 65002
+            }
+            bgp_peer_options                = null
+            bgp_session_range               = "169.254.2.1/30"
+            ike_version                     = 2
+            vpn_gateway_interface           = 0
+            peer_external_gateway_interface = 0
+            shared_secret                   = "secret"
+          }
+          remote11 = {
+            bgp_peer = {
+              address = "169.254.2.6"
+              asn     = 65002
+            }
+            bgp_peer_options                = null
+            bgp_session_range               = "169.254.2.5/30"
+            ike_version                     = 2
+            vpn_gateway_interface           = 1
+            peer_external_gateway_interface = 1
+            shared_secret                   = "secret"
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/modules/vpn/example/outputs.tf b/modules/vpn/example/outputs.tf
@@ -0,0 +1,25 @@
+output "local_ipsec_gw1" {
+  value       = module.vpn.vpn_gw_local_address_1
+  description = "Cloud VPN gateway IP address 1"
+}
+
+output "local_ipsec_gw2" {
+  value       = module.vpn.vpn_gw_local_address_2
+  description = "Cloud VPN gateway IP address 2"
+}
+
+output "random_secrets_map" {
+  value       = module.vpn.random_secrets_map
+  sensitive   = true
+  description = "IPsec VPN tunnels secrets that were randomly generated."
+}
+
+output "gw_id" {
+  value       = module.vpn.vpn_gw_self_link
+  description = "IPsec VPN tunnels secrets that were randomly generated."
+}
+
+output "gw_name" {
+  value       = module.vpn.vpn_gw_name
+  description = "IPsec VPN tunnels secrets that were randomly generated."
+}