diff --git a/.kitchen.yml b/.kitchen.yml index bcdf897..7db1e81 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -23,6 +23,7 @@ suites: driver: name: terraform root_module_directory: test/fixtures/single_tunnels + verify_version: false command_timeout: 1800 verifier: name: terraform @@ -36,6 +37,7 @@ suites: driver: name: terraform root_module_directory: test/fixtures/vpn_ha + verify_version: false command_timeout: 1800 verifier: name: terraform diff --git a/Makefile b/Makefile index 1aef813..1f3c567 100644 --- a/Makefile +++ b/Makefile @@ -18,7 +18,7 @@ # Make will use bash instead of sh SHELL := /usr/bin/env bash -DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.0 +DOCKER_TAG_VERSION_DEVELOPER_TOOLS := 1.10 DOCKER_IMAGE_DEVELOPER_TOOLS := cft/developer-tools REGISTRY_URL := gcr.io/cloud-foundation-cicd diff --git a/build/int.cloudbuild.yaml b/build/int.cloudbuild.yaml index 97a0c8b..8c0e820 100644 --- a/build/int.cloudbuild.yaml +++ b/build/int.cloudbuild.yaml @@ -38,4 +38,4 @@ tags: - 'integration' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/build/lint.cloudbuild.yaml b/build/lint.cloudbuild.yaml index 34d006d..d15fd36 100644 --- a/build/lint.cloudbuild.yaml +++ b/build/lint.cloudbuild.yaml @@ -21,4 +21,4 @@ tags: - 'lint' substitutions: _DOCKER_IMAGE_DEVELOPER_TOOLS: 'cft/developer-tools' - _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.0' + _DOCKER_TAG_VERSION_DEVELOPER_TOOLS: '1.10' diff --git a/metadata.yaml b/metadata.yaml new file mode 100644 index 0000000..e5f3f7a --- /dev/null +++ b/metadata.yaml 
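Review bot: `verify_version: false` is added to both kitchen-terraform driver stanzas (the single_tunnels and vpn_ha suites) with nothing recording why; as I read that driver option it skips the check that the installed Terraform client is a version the plugin supports, so a mismatched client in CI would no longer fail fast. A one-line comment above each added key would keep the trade-off visible, e.g. `# kitchen-terraform client version check disabled: <reason, e.g. newer Terraform in developer-tools 1.10>`, filled in with the actual motivation. If the only driver is the developer-tools bump in the same commit, it is worth checking whether the check can be re-enabled once the kitchen-terraform plugin catches up.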
@@ -0,0 +1,185 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-vpn + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: 'Terraform Google Cloud Platform - ' + source: + repo: https://github.com/terraform-google-modules/terraform-google-vpn + sourceType: git + version: 2.3.0 + actuationTool: + type: Terraform + version: '>=0.13.0' + subBlueprints: + - name: vpn_ha + location: modules/vpn_ha + examples: + - name: multi_tunnels + location: examples/multi_tunnels + - name: single_tunnels + location: examples/single_tunnels + - name: vpn_ha + location: examples/vpn_ha + variables: + - name: advertised_route_priority + description: Please enter the priority for the advertised route to BGP peer(default is 100) + type: number + default: 100 + required: false + - name: bgp_cr_session_range + description: Please enter the cloud-router interface IP/Session IP + type: list(string) + default: + - 169.254.1.1/30 + - 169.254.1.5/30 + required: false + - name: bgp_remote_session_range + description: Please enter the remote environments BGP Session IP + type: list(string) + default: + - 169.254.1.2 + - 169.254.1.6 + required: false + - name: cr_enabled + description: If there is a cloud router for BGP routing + type: bool + default: false + required: false + - name: cr_name + description: The name of cloud router for BGP 
routing + type: string + default: "" + required: false + - name: gateway_name + description: The name of VPN gateway + type: string + default: test-vpn + required: false + - name: ike_version + description: Please enter the IKE version used by this tunnel (default is IKEv2) + type: number + default: 2 + required: false + - name: local_traffic_selector + description: | + Local traffic selector to use when establishing the VPN tunnel with peer VPN gateway. + Value should be list of CIDR formatted strings and ranges should be disjoint. + type: list(string) + default: + - 0.0.0.0/0 + required: false + - name: network + description: The name of VPC being created + type: string + required: true + - name: peer_asn + description: Please enter the ASN of the BGP peer that cloud router will use + type: list(string) + default: + - "65101" + required: false + - name: peer_ips + description: IP address of remote-peer/gateway + type: list(string) + required: true + - name: project_id + description: The ID of the project where this VPC will be created + type: string + required: true + - name: region + description: The region in which you want to create the VPN gateway + type: string + required: true + - name: remote_subnet + description: remote subnet ip range in CIDR format - x.x.x.x/x + type: list(string) + default: [] + required: false + - name: remote_traffic_selector + description: | + Remote traffic selector to use when establishing the VPN tunnel with peer VPN gateway. + Value should be list of CIDR formatted strings and ranges should be disjoint. + type: list(string) + default: + - 0.0.0.0/0 + required: false + - name: route_priority + description: Priority for static route being created + type: number + default: 1000 + required: false + - name: route_tags + description: A list of instance tags to which this route applies. 
+ type: list(string) + default: [] + required: false + - name: shared_secret + description: Please enter the shared secret/pre-shared key + type: string + default: "" + required: false + - name: tunnel_count + description: The number of tunnels from each VPN gw (default is 1) + type: number + default: 1 + required: false + - name: tunnel_name_prefix + description: The optional custom name of VPN tunnel being created + type: string + default: "" + required: false + - name: vpn_gw_ip + description: Please enter the public IP address of the VPN Gateway, if you have already one. Do not set this variable to autocreate one + type: string + default: "" + required: false + outputs: + - name: gateway_ip + description: The VPN Gateway Public IP + - name: gateway_self_link + description: The self-link of the Gateway + - name: ipsec_secret-dynamic + description: The secret + - name: ipsec_secret-static + description: The secret + - name: name + description: The name of the Gateway + - name: network + description: The name of the VPC + - name: project_id + description: The Project-ID + - name: vpn_tunnels_names-dynamic + description: The VPN tunnel name is + - name: vpn_tunnels_names-static + description: The VPN tunnel name is + - name: vpn_tunnels_self_link-dynamic + description: The VPN tunnel self-link is + - name: vpn_tunnels_self_link-static + description: The VPN tunnel self-link is + roles: + - level: Project + roles: + - roles/owner + - roles/compute.networkAdmin + - roles/compute.instanceAdmin + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com diff --git a/modules/vpn_ha/README.md b/modules/vpn_ha/README.md index ce95fe9..3dee861 100644 --- a/modules/vpn_ha/README.md +++ b/modules/vpn_ha/README.md 
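Review bot: `title: 'Terraform Google Cloud Platform - '` in the new root metadata.yaml ends in a dangling ` - `, which reads as a truncated value; the sibling modules/vpn_ha/metadata.yaml in this commit carries a complete title (`Cloud VPN HA Module`), so this one should name the module as well, e.g. `title: 'Terraform Google Cloud Platform - VPN'` or whatever heading the README uses. The `roles` block lists `roles/owner` next to the specific `roles/compute.networkAdmin`, `roles/compute.instanceAdmin` and `roles/iam.serviceAccountUser`; if those three are enough to deploy the module, `roles/owner` should be dropped so the declared requirement stays least-privilege (the same list appears in modules/vpn_ha/metadata.yaml). The output descriptions `The secret` and `The VPN tunnel name is` look cut mid-sentence and could be completed in the same pass.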
@@ -144,7 +144,7 @@ module "vpn_ha" { | router\_asn | Router ASN used for auto-created router. | `number` | `64514` | no | | router\_name | Name of router, leave blank to create one. | `string` | `""` | no | | tunnels | VPN tunnel configurations, bgp\_peer\_options is usually null. |
map(object({| `{}` | no | -| vpn\_gateway\_self\_link | self\_link of existing VPN gateway to be used for the vpn tunnel | `any` | `null` | no | +| vpn\_gateway\_self\_link | self\_link of existing VPN gateway to be used for the vpn tunnel | `string` | `null` | no | ## Outputs diff --git a/modules/vpn_ha/metadata.yaml b/modules/vpn_ha/metadata.yaml new file mode 100644 index 0000000..0aa2da5 --- /dev/null +++ b/modules/vpn_ha/metadata.yaml 
@@ -0,0 +1,159 @@ +# Copyright 2022 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: blueprints.cloud.google.com/v1alpha1 +kind: BlueprintMetadata +metadata: + name: terraform-google-vpn + annotations: + config.kubernetes.io/local-config: "true" +spec: + title: Cloud VPN HA Module + source: + repo: https://github.com/terraform-google-modules/terraform-google-vpn + sourceType: git + version: 2.3.0 + actuationTool: + type: Terraform + version: '>=0.13.0' + examples: + - name: multi_tunnels + location: examples/multi_tunnels + - name: single_tunnels + location: examples/single_tunnels + - name: vpn_ha + location: examples/vpn_ha + variables: + - name: create_vpn_gateway + description: create a VPN gateway + type: bool + default: true + required: false + - name: labels + description: Labels for vpn components + type: map(string) + default: {} + required: false + - name: name + description: VPN gateway name, and prefix used for dependent resources. + type: string + required: true + - name: network + description: VPC used for the gateway and routes. + type: string + required: true + - name: peer_external_gateway + description: Configuration of an external VPN gateway to which this VPN is connected. 
+ type: |- + object({ + redundancy_type = string + interfaces = list(object({ + id = number + ip_address = string + })) + }) + required: false + - name: peer_gcp_gateway + description: Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. + type: string + required: false + - name: project_id + description: Project where resources will be created. + type: string + required: true + - name: region + description: Region used for resources. + type: string + required: true + - name: route_priority + description: Route priority, defaults to 1000. + type: number + default: 1000 + required: false + - name: router_advertise_config + description: Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. + type: |- + object({ + groups = list(string) + ip_ranges = map(string) + mode = string + }) + required: false + - name: router_asn + description: Router ASN used for auto-created router. + type: number + default: 64514 + required: false + - name: router_name + description: Name of router, leave blank to create one. + type: string + default: "" + required: false + - name: tunnels + description: VPN tunnel configurations, bgp_peer_options is usually null. + type: |- + map(object({ + bgp_peer = object({ + address = string + asn = number + }) + bgp_peer_options = object({ + advertise_groups = list(string) + advertise_ip_ranges = map(string) + advertise_mode = string + route_priority = number + }) + bgp_session_range = string + ike_version = number + vpn_gateway_interface = number + peer_external_gateway_interface = number + shared_secret = string + })) + default: {} + required: false + - name: vpn_gateway_self_link + description: self_link of existing VPN gateway to be used for the vpn tunnel + type: string + required: false + outputs: + - name: external_gateway + description: External VPN gateway resource. + - name: gateway + description: HA VPN gateway resource. 
+ - name: name + description: VPN gateway name. + - name: random_secret + description: Generated secret. + - name: router + description: Router resource (only if auto-created). + - name: router_name + description: Router name. + - name: self_link + description: HA VPN gateway self link. + - name: tunnel_names + description: VPN tunnel names. + - name: tunnel_self_links + description: VPN tunnel self links. + - name: tunnels + description: VPN tunnel resources. + roles: + - level: Project + roles: + - roles/owner + - roles/compute.networkAdmin + - roles/compute.instanceAdmin + - roles/iam.serviceAccountUser + services: + - cloudresourcemanager.googleapis.com + - compute.googleapis.com diff --git a/modules/vpn_ha/variables.tf b/modules/vpn_ha/variables.tf index 0a2f0b3..c515adb 100644 --- a/modules/vpn_ha/variables.tf +++ b/modules/vpn_ha/variables.tf @@ -104,6 +104,7 @@ variable "tunnels" { variable "vpn_gateway_self_link" { description = "self_link of existing VPN gateway to be used for the vpn tunnel" + type = string default = null } diff --git a/modules/vpn_ha/versions.tf b/modules/vpn_ha/versions.tf index 29d67da..d292af7 100644 --- a/modules/vpn_ha/versions.tf +++ b/modules/vpn_ha/versions.tf @@ -25,6 +25,10 @@ terraform { source = "hashicorp/google-beta" version = ">= 3.30.0, < 5.0" } + random = { + source = "hashicorp/random" + version = "~> 3.4" + } } provider_meta "google" { diff --git a/variables.tf b/variables.tf index 960d68a..4555614 100644 --- a/variables.tf +++ b/variables.tf @@ -88,6 +88,7 @@ variable "shared_secret" { variable "route_priority" { description = "Priority for static route being created" + type = number default = 1000 } @@ -123,6 +124,7 @@ variable "bgp_remote_session_range" { variable "advertised_route_priority" { description = "Please enter the priority for the advertised route to BGP peer(default is 100)" + type = number default = 100 } diff --git a/versions.tf b/versions.tf index 53b83cd..efa1026 100644 --- a/versions.tf 
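Review bot: The sub-blueprint metadata declares the same `metadata.name: terraform-google-vpn` as the root metadata.yaml added in this commit, so anything keyed on that name cannot tell the two blueprints apart; presumably the vpn_ha file needs a name of its own — confirm the naming convention for sub-blueprints before merging. The `random_secret` output is documented only as `Generated secret.`; since it presumably feeds the tunnel shared secret, the matching output in modules/vpn_ha/outputs.tf (not in this diff) should be marked `sensitive = true` so the value is redacted from plan/apply output and CI logs, and the description here could say what the secret is for. The `roles/owner` entry carries the same least-privilege concern I raised on the root metadata.yaml.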
+++ b/versions.tf @@ -21,6 +21,10 @@ terraform { source = "hashicorp/google" version = ">= 3.30.0, < 5.0" } + random = { + source = "hashicorp/random" + version = "~> 3.4" + } } provider_meta "google" {
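Review bot: Adding `random = { source = "hashicorp/random" version = "~> 3.4" }` to the root `required_providers` (and the same block in modules/vpn_ha/versions.tf) introduces a new provider dependency for every consumer of this module, but nothing in the diff documents it; the only README change touches the `vpn_gateway_self_link` type. The Requirements/Providers section of the README (and the changelog, if one is kept) should list the random provider and its `~> 3.4` constraint so users with locked provider sets know to run `terraform init -upgrade`. If the root module itself declares no `random_*` resources, the root-level requirement may be unnecessary — I cannot tell from this diff.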
bgp_peer = object({
address = string
asn = number
})
bgp_peer_options = object({
advertise_groups = list(string)
advertise_ip_ranges = map(string)
advertise_mode = string
route_priority = number
})
bgp_session_range = string
ike_version = number
vpn_gateway_interface = number
peer_external_gateway_interface = number
shared_secret = string
}))