Simplify VPN implementation in FAST networking stages (#1228)

* peering stage * fix link, toc * vpn stage * fix link * nva stage * fix examples and test * separate envs stage * tfdoc
GoogleCloudPlatform · May 5, 2023 · fc8732c · fc8732c
1 parent 991d6d5
commit fc8732c
Show file tree

Hide file tree

Showing 29 changed files with 1,072 additions and 1,167 deletions.
diff --git a/fast/stages/2-networking-a-peering/README.md b/fast/stages/2-networking-a-peering/README.md
diff --git a/fast/stages/2-networking-a-peering/outputs.tf b/fast/stages/2-networking-a-peering/outputs.tf
@@ -88,7 +88,7 @@ output "tfvars" {
 
 output "vpn_gateway_endpoints" {
   description = "External IP Addresses for the GCP VPN gateways."
-  value = local.enable_onprem_vpn == false ? null : {
+  value = var.vpn_onprem_primary_config == null ? null : {
     onprem-primary = {
       for v in module.landing-to-onprem-primary-vpn[0].gateway.vpn_interfaces :
       v.id => v.ip_address

diff --git a/fast/stages/2-networking-a-peering/variables.tf b/fast/stages/2-networking-a-peering/variables.tf
@@ -35,23 +35,6 @@ variable "billing_account" {
   }
 }
 
-variable "custom_adv" {
-  description = "Custom advertisement definitions in name => range format."
-  type        = map(string)
-  default = {
-    cloud_dns             = "35.199.192.0/19"
-    gcp_all               = "10.128.0.0/16"
-    gcp_dev               = "10.128.32.0/19"
-    gcp_landing           = "10.128.0.0/19"
-    gcp_prod              = "10.128.64.0/19"
-    googleapis_private    = "199.36.153.8/30"
-    googleapis_restricted = "199.36.153.4/30"
-    rfc_1918_10           = "10.0.0.0/8"
-    rfc_1918_172          = "172.16.0.0/12"
-    rfc_1918_192          = "192.168.0.0/16"
-  }
-}
-
 variable "custom_roles" {
   # tfdoc:variable:source 0-bootstrap
   description = "Custom roles defined at the org level, in key => id format."
@@ -127,7 +110,7 @@ variable "prefix" {
 }
 
 variable "psa_ranges" {
-  description = "IP ranges used for Private Service Access (e.g. CloudSQL)."
+  description = "IP ranges used for Private Service Access (CloudSQL, etc.)."
   type = object({
     dev = object({
       ranges = map(string)
@@ -145,22 +128,6 @@ variable "psa_ranges" {
     })
   })
   default = null
-  # default = {
-  #   dev = {
-  #     ranges = {
-  #       cloudsql-mysql     = "10.128.62.0/24"
-  #       cloudsql-sqlserver = "10.128.63.0/24"
-  #     }
-  #     routes = null
-  #   }
-  #   prod = {
-  #     ranges = {
-  #       cloudsql-mysql     = "10.128.94.0/24"
-  #       cloudsql-sqlserver = "10.128.95.0/24"
-  #     }
-  #     routes = null
-  #   }
-  # }
 }
 
 variable "regions" {
@@ -175,24 +142,6 @@ variable "regions" {
   }
 }
 
-variable "router_onprem_configs" {
-  description = "Configurations for routers used for onprem connectivity."
-  type = map(object({
-    adv = object({
-      custom  = list(string)
-      default = bool
-    })
-    asn = number
-  }))
-  default = {
-    landing-primary = {
-      asn = "65533"
-      adv = null
-      # adv = { default = false, custom = [] }
-    }
-  }
-}
-
 variable "service_accounts" {
   # tfdoc:variable:source 1-resman
   description = "Automation service accounts in name => email format."
@@ -207,53 +156,45 @@ variable "service_accounts" {
   default = null
 }
 
-variable "vpn_onprem_configs" {
-  description = "VPN gateway configuration for onprem interconnection."
-  type = map(object({
-    adv = object({
-      default = bool
-      custom  = list(string)
-    })
-    peer_external_gateway = object({
+variable "vpn_onprem_primary_config" {
+  description = "VPN gateway configuration for onprem interconnection in the primary region."
+  type = object({
+    peer_external_gateways = map(object({
       redundancy_type = string
       interfaces      = list(string)
+    }))
+    router_config = object({
+      create    = optional(bool, true)
+      asn       = number
+      name      = optional(string)
+      keepalive = optional(number)
+      custom_advertise = optional(object({
+        all_subnets = bool
+        ip_ranges   = map(string)
+      }))
     })
-    tunnels = list(object({
-      peer_asn                        = number
-      peer_external_gateway_interface = number
-      secret                          = string
-      session_range                   = string
+    tunnels = map(object({
+      bgp_peer = object({
+        address        = string
+        asn            = number
+        route_priority = optional(number, 1000)
+        custom_advertise = optional(object({
+          all_subnets          = bool
+          all_vpc_subnets      = bool
+          all_peer_vpc_subnets = bool
+          ip_ranges            = map(string)
+        }))
+      })
+      # each BGP session on the same Cloud Router must use a unique /30 CIDR
+      # from the 169.254.0.0/16 block.
+      bgp_session_range               = string
+      ike_version                     = optional(number, 2)
+      peer_external_gateway_interface = optional(number)
+      peer_gateway                    = optional(string, "default")
+      router                          = optional(string)
+      shared_secret                   = optional(string)
       vpn_gateway_interface           = number
     }))
-  }))
-  default = {
-    landing-primary = {
-      adv = {
-        default = false
-        custom = [
-          "cloud_dns", "googleapis_private", "googleapis_restricted", "gcp_all"
-        ]
-      }
-      peer_external_gateway = {
-        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
-        interfaces      = ["8.8.8.8"]
-      }
-      tunnels = [
-        {
-          peer_asn                        = 65534
-          peer_external_gateway_interface = 0
-          secret                          = "foobar"
-          session_range                   = "169.254.1.0/30"
-          vpn_gateway_interface           = 0
-        },
-        {
-          peer_asn                        = 65534
-          peer_external_gateway_interface = 0
-          secret                          = "foobar"
-          session_range                   = "169.254.1.4/30"
-          vpn_gateway_interface           = 1
-        }
-      ]
-    }
-  }
+  })
+  default = null
 }
diff --git a/fast/stages/2-networking-a-peering/vpn-onprem.tf b/fast/stages/2-networking-a-peering/vpn-onprem.tf
@@ -17,54 +17,21 @@
 # tfdoc:file:description VPN between landing and onprem.
 
 locals {
-  enable_onprem_vpn = var.vpn_onprem_configs != null
-  bgp_peer_options_onprem = local.enable_onprem_vpn == false ? null : {
-    for k, v in var.vpn_onprem_configs :
-    k => v.adv == null ? null : {
-      advertise_groups = []
-      advertise_ip_ranges = {
-        for adv in(v.adv == null ? [] : v.adv.custom) :
-        var.custom_adv[adv] => adv
-      }
-      advertise_mode = try(v.adv.default, false) ? "DEFAULT" : "CUSTOM"
-      route_priority = null
-    }
-  }
-}
-
-moved {
-  from = module.landing-to-onprem-ew1-vpn
-  to   = module.landing-to-onprem-primary-vpn
+  onprem_peer_gateways = try(
+    var.vpn_onprem_primary_config.peer_external_gateways, {}
+  )
 }
 
 module "landing-to-onprem-primary-vpn" {
-  count      = local.enable_onprem_vpn ? 1 : 0
-  source     = "../../../modules/net-vpn-ha"
-  project_id = module.landing-project.project_id
-  network    = module.landing-vpc.self_link
-  region     = var.regions.primary
-  name       = "vpn-to-onprem-${local.region_shortnames[var.regions.primary]}"
-  router_config = {
-    name = "landing-onprem-vpn-${local.region_shortnames[var.regions.primary]}"
-    asn  = var.router_onprem_configs.landing-primary.asn
-  }
+  count         = var.vpn_onprem_primary_config == null ? 0 : 1
+  source        = "../../../modules/net-vpn-ha"
+  project_id    = module.landing-project.project_id
+  network       = module.landing-vpc.self_link
+  region        = var.regions.primary
+  name          = "vpn-to-onprem-${local.region_shortnames[var.regions.primary]}"
+  router_config = try(var.vpn_onprem_primary_config.router_config, {})
   peer_gateways = {
-    default = {
-      external = var.vpn_onprem_configs.landing-primary.peer_external_gateway
-    }
-  }
-  tunnels = {
-    for t in var.vpn_onprem_configs.landing-primary.tunnels :
-    "remote-${t.vpn_gateway_interface}-${t.peer_external_gateway_interface}" => {
-      bgp_peer = {
-        address = cidrhost(t.session_range, 1)
-        asn     = t.peer_asn
-      }
-      bgp_peer_options                = local.bgp_peer_options_onprem.landing-primary
-      bgp_session_range               = "${cidrhost(t.session_range, 2)}/30"
-      peer_external_gateway_interface = t.peer_external_gateway_interface
-      shared_secret                   = t.secret
-      vpn_gateway_interface           = t.vpn_gateway_interface
-    }
+    for k, v in local.onprem_peer_gateways : k => { external = v }
   }
+  tunnels = try(var.vpn_onprem_primary_config.tunnels, {})
 }