diff --git a/.gitignore b/.gitignore index 1faffbd..4c48e6d 100644 --- a/.gitignore +++ b/.gitignore @@ -42,7 +42,8 @@ crash.log # version control. # # example.tfvars -test/fixtures/shared/terraform.tfvars +terraform.tfvars + credentials.json diff --git a/examples/multi_external_vpn_gateways/prod.tf b/examples/multi_external_vpn_gateways/prod.tf new file mode 100644 index 0000000..bd47c19 --- /dev/null +++ b/examples/multi_external_vpn_gateways/prod.tf @@ -0,0 +1,87 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +# Creating an external VPN gateway IP for DC1 +resource "google_compute_external_vpn_gateway" "external_gateway1" { + provider = google-beta + name = "vpn-peering-gw1" + project = var.prod_project_id + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + description = "My VPN peering gateway1" + + interface { + id = 0 + ip_address = "8.8.8.8" + } +} + +# Creating an external VPN gateway IP for DC2 +resource "google_compute_external_vpn_gateway" "external_gateway2" { + provider = google-beta + name = "vpn-peering-gw2" + project = var.prod_project_id + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + description = "My VPN peering gateway2" + + interface { + id = 0 + ip_address = "8.4.4.8" + } +} + +# In order to have successful setup, you need to configure the On-Premise +# VPN by this below tunnels configuration. + +module "vpn-ha-to-onprem" { + source = "../../modules/vpn_ha" + project_id = var.prod_project_id + region = var.region + network = var.prod_network_self_link + name = "prod-to-onprem" + router_asn = 64512 + + tunnels = { + # DC1 remote tunnel with specific external VPN gateway + remote-0 = { + bgp_peer = { + address = "169.254.1.2" + asn = 64515 + } + bgp_peer_options = null + bgp_session_range = "169.254.1.1/30" + ike_version = 2 + vpn_gateway_interface = 0 + peer_external_gateway_self_link = google_compute_external_vpn_gateway.external_gateway1.self_link + peer_external_gateway_interface = 0 + shared_secret = "Secret1" + } + + # DC2 remote tunnel with specific external VPN gateway + remote-1 = { + bgp_peer = { + address = "169.254.2.2" + asn = 64516 + } + bgp_peer_options = null + bgp_session_range = "169.254.2.1/30" + ike_version = 2 + vpn_gateway_interface = 1 + peer_external_gateway_self_link = google_compute_external_vpn_gateway.external_gateway2.self_link + peer_external_gateway_interface = 0 + shared_secret = "Secret2" + } + } +} diff --git a/examples/multi_external_vpn_gateways/variables.tf b/examples/multi_external_vpn_gateways/variables.tf new file mode 100644 index 0000000..c5542d7 --- /dev/null +++ b/examples/multi_external_vpn_gateways/variables.tf @@ -0,0 +1,31 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +variable "prod_project_id" { + description = "Production Project ID." + type = string +} + +variable "prod_network_self_link" { + description = "Production Network Self Link." + type = string +} + +variable "region" { + description = "Region." + type = string + default = "europe-west4" +} diff --git a/examples/multi_external_vpn_gateways/versions.tf b/examples/multi_external_vpn_gateways/versions.tf new file mode 100644 index 0000000..08b9215 --- /dev/null +++ b/examples/multi_external_vpn_gateways/versions.tf @@ -0,0 +1,19 @@ +/** + * Copyright 2020 Google LLC + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +terraform { + required_version = ">= 1.3" +} diff --git a/modules/vpn_ha/README.md b/modules/vpn_ha/README.md index 779a3e6..9c29733 100644 --- a/modules/vpn_ha/README.md +++ b/modules/vpn_ha/README.md @@ -139,7 +139,6 @@ module "vpn_ha" { create_vpn_gateway = true vpn_gateway_self_link = null external_vpn_gateway_description = "My VPN peering gateway" - peer_external_gateway = {} router_name = "my-vpn-router" router_asn = 64515 @@ -175,8 +174,83 @@ module "vpn_ha" { asn = 64513 } bgp_session_name = "bgp-peer-1" - bgp_session_range = "169.254.2.1/30" + bgp_session_range = "169.254.2.2/30" + ike_version = 2 + peer_external_gateway_interface = 0 + vpn_gateway_interface = 1 + shared_secret = "mySecret" + } + + } +} +``` + +### GCP to on-prem using multiple external VPN gateways + +```hcl + +resource "google_compute_external_vpn_gateway" "external_gateway1" { + provider = google-beta + name = "vpn-peering-gw1" + project = "" + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + description = "My VPN peering gateway1" + + interface { + id = 0 + ip_address = "8.8.8.8" + } +} + +resource "google_compute_external_vpn_gateway" "external_gateway2" { + provider = google-beta + name = "vpn-peering-gw2" + project = "" + redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT" + description = "My VPN peering gateway2" + + interface { + id = 0 + ip_address = "8.8.4.4" + } +} + +module "vpn_ha" { + source = "terraform-google-modules/vpn/google//modules/vpn_ha" + project_id = "" + region = "europe-west4" + network = "https://www.googleapis.com/compute/v1/projects//global/networks/my-network" + name = "mynet-to-onprem" + create_vpn_gateway = true + vpn_gateway_self_link = null + router_name = "my-vpn-router" + router_asn = 64515 + + tunnels = { + + remote-0 = { + bgp_peer = { + address = "169.254.1.1" + asn = 64513 + } + bgp_session_name = "bgp-peer-0" + bgp_session_range = "169.254.1.2/30" + ike_version = 2 + peer_external_gateway_self_link = google_compute_external_vpn_gateway.external_gateway1.self_link # set a resource link + peer_external_gateway_interface = 0 + vpn_gateway_interface = 0 + shared_secret = "mySecret" + } + + remote-1 = { + bgp_peer = { + address = "169.254.2.1" + asn = 64513 + } + bgp_session_name = "bgp-peer-1" + bgp_session_range = "169.254.2.2/30" ike_version = 2 + peer_external_gateway_self_link = google_compute_external_vpn_gateway.external_gateway2.self_link # set a resource link peer_external_gateway_interface = 0 vpn_gateway_interface = 1 shared_secret = "mySecret" @@ -206,7 +280,7 @@ module "vpn_ha" { | router\_asn | Router ASN used for auto-created router. | `number` | `64514` | no | | router\_name | Name of router, leave blank to create one. | `string` | `""` | no | | stack\_type | The IP stack type will apply to all the tunnels associated with this VPN gateway. | `string` | `"IPV4_ONLY"` | no | -| tunnels | VPN tunnel configurations, bgp\_peer\_options is usually null. | 
map(object({
    bgp_peer = object({
      address = string
      asn     = number
    })
    bgp_session_name = optional(string)
    bgp_peer_options = optional(object({
      ip_address          = optional(string)
      advertise_groups    = optional(list(string))
      advertise_ip_ranges = optional(map(string))
      advertise_mode      = optional(string)
      route_priority      = optional(number)
    }))
    bgp_session_range               = optional(string)
    ike_version                     = optional(number)
    vpn_gateway_interface           = optional(number)
    peer_external_gateway_interface = optional(number)
    shared_secret                   = optional(string, "")
  }))
| `{}` | no | +| tunnels | VPN tunnel configurations, bgp\_peer\_options is usually null. | 
map(object({
    bgp_peer = object({
      address = string
      asn     = number
    })
    bgp_session_name = optional(string)
    bgp_peer_options = optional(object({
      ip_address          = optional(string)
      advertise_groups    = optional(list(string))
      advertise_ip_ranges = optional(map(string))
      advertise_mode      = optional(string)
      route_priority      = optional(number)
    }))
    bgp_session_range               = optional(string)
    ike_version                     = optional(number)
    vpn_gateway_interface           = optional(number)
    peer_external_gateway_self_link = optional(string, null)
    peer_external_gateway_interface = optional(number)
    shared_secret                   = optional(string, "")
  }))
| `{}` | no | | vpn\_gateway\_self\_link | self\_link of existing VPN gateway to be used for the vpn tunnel. create\_vpn\_gateway should be set to false | `string` | `null` | no | ## Outputs diff --git a/modules/vpn_ha/main.tf b/modules/vpn_ha/main.tf index 47abf73..910182a 100644 --- a/modules/vpn_ha/main.tf +++ b/modules/vpn_ha/main.tf @@ -25,7 +25,6 @@ locals { var.peer_external_gateway != null ? google_compute_external_vpn_gateway.external_gateway[0].self_link : null - ) secret = random_id.secret.b64_url vpn_gateway_self_link = ( @@ -169,7 +168,7 @@ resource "google_compute_vpn_tunnel" "tunnels" { region = var.region name = "${var.name}-${each.key}" router = local.router - peer_external_gateway = local.peer_external_gateway + peer_external_gateway = each.value.peer_external_gateway_self_link != null ? each.value.peer_external_gateway_self_link : local.peer_external_gateway peer_external_gateway_interface = each.value.peer_external_gateway_interface peer_gcp_gateway = var.peer_gcp_gateway vpn_gateway_interface = each.value.vpn_gateway_interface diff --git a/modules/vpn_ha/variables.tf b/modules/vpn_ha/variables.tf index 539b198..1318373 100644 --- a/modules/vpn_ha/variables.tf +++ b/modules/vpn_ha/variables.tf @@ -111,6 +111,7 @@ variable "tunnels" { bgp_session_range = optional(string) ike_version = optional(number) vpn_gateway_interface = optional(number) + peer_external_gateway_self_link = optional(string, null) peer_external_gateway_interface = optional(number) shared_secret = optional(string, "") }))