Configure and test HA VPN tunnels with OpenTofu #3

Merged
merged 1 commit into from
Jan 30, 2024

Conversation

yunkon-kim
Member

This PR will provide HCL files (.tf) to configure and test HA VPN tunnels between GCP and AWS.

  • Define providers, which are AWS and GCP
  • Create network resources for HA VPN tunnels
  • Create EC2/VM instances for ping test
  • Create security group or firewall for instance access and testing

The result of the last tofu apply
It asks whether I want to proceed with modifying the security group/firewall rule.
Note - This is performed based on OpenTofu.
Note - Masking some sensitive information (*****)
Note - I think the overall list of generated resources will not be much different, so I have shared the results below :-D

aws_vpc.my-aws-vpc: Refreshing state... [id=vpc-03dfd3447c6377908]
aws_vpn_gateway.my-aws-vpn-gateway: Refreshing state... [id=vgw-0991b694c7c3c29d1]
aws_security_group.my-aws-sg: Refreshing state... [id=sg-00cf2501bcdc7b551]
aws_subnet.my-aws-subnet-2: Refreshing state... [id=subnet-0d12dea2e62787679]
aws_subnet.my-aws-subnet-1: Refreshing state... [id=subnet-042a54780158cfe00]
aws_vpc_security_group_ingress_rule.allow-icmp: Refreshing state... [id=sgr-062db8f8870c57149]
aws_route_table.my-aws-rt: Refreshing state... [id=rtb-08102be4a1ad4b57f]
aws_instance.my-aws-instance: Refreshing state... [id=i-0d4ad416c0a8645d2]
aws_route_table_association.my-aws-rta-1: Refreshing state... [id=rtbassoc-0221c27c2bd4203e2]
google_compute_network.my-gcp-vpc-network: Refreshing state... [id=projects/*****/global/networks/my-gcp-vpc-network-name]
google_compute_router.my-gcp-router-main: Refreshing state... [id=projects/*****/regions/asia-northeast3/routers/my-gcp-router-main]
google_compute_subnetwork.my-gcp-subnet-1: Refreshing state... [id=projects/*****/regions/asia-northeast3/subnetworks/my-gcp-subnet-1]
google_compute_ha_vpn_gateway.my-gcp-ha-vpn-gateway: Refreshing state... [id=projects/*****/regions/asia-northeast3/vpnGateways/my-gcp-ha-vpn-gateway-name]
google_compute_subnetwork.my-gcp-subnet-2: Refreshing state... [id=projects/*****/regions/asia-northeast3/subnetworks/my-gcp-subnet-2]
google_compute_firewall.my-gcp-firewall: Refreshing state... [id=projects/*****/global/firewalls/my-gcp-firewall]
aws_customer_gateway.my-aws-cgw-1: Refreshing state... [id=cgw-05a9070447b6f54ec]
aws_customer_gateway.my-aws-cgw-2: Refreshing state... [id=cgw-0ae814fe92aa4a2a9]
google_compute_instance.my-gcp-vm-instance: Refreshing state... [id=projects/*****/zones/asia-northeast3-c/instances/my-gcp-vm-instance]
aws_vpn_connection.my-aws-cx-1: Refreshing state... [id=vpn-05b6ae645fe288b6c]
aws_vpn_connection.my-aws-cx-2: Refreshing state... [id=vpn-045c0eea8b2df30db]
google_compute_external_vpn_gateway.my-gcp-peer-vpn-gateway: Refreshing state... [id=projects/*****/global/externalVpnGateways/my-gcp-peer-vpn-gateway]
google_compute_vpn_tunnel.my-gcp-vpn-tunnel-4: Refreshing state... [id=projects/*****/regions/asia-northeast3/vpnTunnels/my-gcp-vpn-tunnel-4]
google_compute_vpn_tunnel.my-gcp-vpn-tunnel-1: Refreshing state... [id=projects/*****/regions/asia-northeast3/vpnTunnels/my-gcp-vpn-tunnel-1]
google_compute_vpn_tunnel.my-gcp-vpn-tunnel-2: Refreshing state... [id=projects/*****/regions/asia-northeast3/vpnTunnels/my-gcp-vpn-tunnel-2]
google_compute_vpn_tunnel.my-gcp-vpn-tunnel-3: Refreshing state... [id=projects/*****/regions/asia-northeast3/vpnTunnels/my-gcp-vpn-tunnel-3]
google_compute_router_interface.my-gcp-router-interface-3: Refreshing state... [id=asia-northeast3/my-gcp-router-main/interface-3]
google_compute_router_interface.my-gcp-router-interface-4: Refreshing state... [id=asia-northeast3/my-gcp-router-main/interface-4]
google_compute_router_interface.my-gcp-router-interface-1: Refreshing state... [id=asia-northeast3/my-gcp-router-main/interface-1]
google_compute_router_interface.my-gcp-router-interface-2: Refreshing state... [id=asia-northeast3/my-gcp-router-main/interface-2]
google_compute_router_peer.my-gcp-router-peer-3: Refreshing state... [id=projects/*****/regions/asia-northeast3/routers/my-gcp-router-main/peer-3]
google_compute_router_peer.my-gcp-router-peer-4: Refreshing state... [id=projects/*****/regions/asia-northeast3/routers/my-gcp-router-main/peer-4]
google_compute_router_peer.my-gcp-router-peer-2: Refreshing state... [id=projects/*****/regions/asia-northeast3/routers/my-gcp-router-main/peer-2]
google_compute_router_peer.my-gcp-router-peer-1: Refreshing state... [id=projects/*****/regions/asia-northeast3/routers/my-gcp-router-main/peer-1]

OpenTofu used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

OpenTofu will perform the following actions:

  # aws_vpc_security_group_ingress_rule.allow-icmp will be updated in-place
  ~ resource "aws_vpc_security_group_ingress_rule" "allow-icmp" {
      ~ cidr_ipv4              = "0.0.0.0/16" -> "0.0.0.0/0"
        id                     = "sgr-062db8f8870c57149"
        # (8 unchanged attributes hidden)
    }

  # google_compute_instance.my-gcp-vm-instance will be updated in-place
  ~ resource "google_compute_instance" "my-gcp-vm-instance" {
        id                   = "projects/*****/zones/asia-northeast3-c/instances/my-gcp-vm-instance"
      ~ metadata             = {
          - "ssh-keys" = <<-EOT
                **********************************************************************
            EOT -> null
        }
        name                 = "my-gcp-vm-instance"
        tags                 = []
        # (18 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

Do you want to perform these actions?
  OpenTofu will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_vpc_security_group_ingress_rule.allow-icmp: Modifying... [id=sgr-062db8f8870c57149]
aws_vpc_security_group_ingress_rule.allow-icmp: Modifications complete after 1s [id=sgr-062db8f8870c57149]
google_compute_instance.my-gcp-vm-instance: Modifying... [id=projects/*****/zones/asia-northeast3-c/instances/my-gcp-vm-instance]
google_compute_instance.my-gcp-vm-instance: Still modifying... [id=projects/*****/zones/asia-northeast3-c/instances/my-gcp-vm-instance, 10s elapsed]
google_compute_instance.my-gcp-vm-instance: Modifications complete after 13s [id=projects/*****/zones/asia-northeast3-c/instances/my-gcp-vm-instance]

Ping test

EC2 instance in AWS: [screenshot of the ping test result]

VM instance in GCP: [screenshot of the ping test result]

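The plan in the apply log above widens the allow-icmp ingress rule from "0.0.0.0/16" to "0.0.0.0/0", so the EC2 instance answers ICMP from any Internet source rather than only from the GCP side of the tunnels. As an added example (not code from this PR), the weak rule is shown beside a version scoped to the peer subnets on both clouds; my-aws-sg and my-gcp-vpc-network are resource names from the output above, while the subnet CIDRs and the network tag are placeholders.

```hcl
# Added example, not from this PR. my-aws-sg and my-gcp-vpc-network are taken from
# the apply output above; the subnet CIDRs and the network tag are placeholders.

# Weak: the rule as applied in the plan above ("0.0.0.0/16" -> "0.0.0.0/0"), which
# admits ICMP from any Internet host, not only from the peer VPC over the HA VPN.
# Keep only one of the two AWS rules; this one is here for comparison.
resource "aws_vpc_security_group_ingress_rule" "allow-icmp-anywhere" {
  security_group_id = aws_security_group.my-aws-sg.id
  ip_protocol       = "icmp"
  from_port         = -1 # all ICMP types
  to_port           = -1 # all ICMP codes
  cidr_ipv4         = "0.0.0.0/0"
}

# Hardened replacement: one rule per GCP subnet (placeholder CIDRs), echo request only,
# so the ping test still works over the tunnels while Internet ICMP is dropped.
variable "gcp_subnet_cidrs" {
  type    = list(string)
  default = ["10.10.1.0/24", "10.10.2.0/24"] # placeholder: my-gcp-subnet-1/2
}

resource "aws_vpc_security_group_ingress_rule" "allow-icmp-from-gcp" {
  for_each          = toset(var.gcp_subnet_cidrs)
  security_group_id = aws_security_group.my-aws-sg.id
  ip_protocol       = "icmp"
  from_port         = 8  # ICMP type 8 = echo request
  to_port           = -1 # any ICMP code
  cidr_ipv4         = each.value
  description       = "ICMP echo request from GCP ${each.value} via HA VPN"
}

# GCP side, same principle: only the AWS subnets (placeholder CIDRs) may ping, and the
# rule binds to a network tag that the VM must carry (the plan shows tags = [] today).
resource "google_compute_firewall" "allow-icmp-from-aws" {
  name          = "allow-icmp-from-aws"
  network       = google_compute_network.my-gcp-vpc-network.name
  direction     = "INGRESS"
  source_ranges = ["10.20.1.0/24", "10.20.2.0/24"] # placeholder: my-aws-subnet-1/2
  target_tags   = ["vpn-ping-test"]                # placeholder tag for the test VM
  allow {
    protocol = "icmp"
  }
}
```

With the scoped rules in place, a successful ping from the peer VPC confirms both the tunnel and the route, and an unanswered ping from a public address confirms the instance is no longer reachable from the Internet over ICMP.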
@yunkon-kim
Member Author

(CC @seokho-son @powerkimhub)

@seokho-son
Member

Thanks @yunkon-kim
Looks like OpenTofu works well. :) Nice news.
