forked from spotify/terraform-google-aws-hybrid-cloud-vpn
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.tf
225 lines (206 loc) · 9.71 KB
/
main.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
# Copyright 2020 Spotify AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
locals {
ha_vpn_interfaces_ips = [
for x in google_compute_ha_vpn_gateway.gateway.vpn_interfaces :
lookup(x, "ip_address")
]
suffix = var.suffix != "null" ? var.suffix : random_string.suffix.result
external_vpn_gateway_interfaces = {
"0" = {
tunnel_address = aws_vpn_connection.vpn-alpha.tunnel1_address
vgw_inside_address = aws_vpn_connection.vpn-alpha.tunnel1_vgw_inside_address
asn = aws_vpn_connection.vpn-alpha.tunnel1_bgp_asn
cgw_inside_address = "${aws_vpn_connection.vpn-alpha.tunnel1_cgw_inside_address}/30"
shared_secret = aws_vpn_connection.vpn-alpha.tunnel1_preshared_key
vpn_gateway_interface = 0
},
"1" = {
tunnel_address = aws_vpn_connection.vpn-alpha.tunnel2_address
vgw_inside_address = aws_vpn_connection.vpn-alpha.tunnel2_vgw_inside_address
asn = aws_vpn_connection.vpn-alpha.tunnel2_bgp_asn
cgw_inside_address = "${aws_vpn_connection.vpn-alpha.tunnel2_cgw_inside_address}/30"
shared_secret = aws_vpn_connection.vpn-alpha.tunnel2_preshared_key
vpn_gateway_interface = 0
},
"2" = {
tunnel_address = aws_vpn_connection.vpn-beta.tunnel1_address
vgw_inside_address = aws_vpn_connection.vpn-beta.tunnel1_vgw_inside_address
asn = aws_vpn_connection.vpn-beta.tunnel1_bgp_asn
cgw_inside_address = "${aws_vpn_connection.vpn-beta.tunnel1_cgw_inside_address}/30"
shared_secret = aws_vpn_connection.vpn-beta.tunnel1_preshared_key
vpn_gateway_interface = 1
},
"3" = {
tunnel_address = aws_vpn_connection.vpn-beta.tunnel2_address
vgw_inside_address = aws_vpn_connection.vpn-beta.tunnel2_vgw_inside_address
asn = aws_vpn_connection.vpn-beta.tunnel2_bgp_asn
cgw_inside_address = "${aws_vpn_connection.vpn-beta.tunnel2_cgw_inside_address}/30"
shared_secret = aws_vpn_connection.vpn-beta.tunnel2_preshared_key
vpn_gateway_interface = 1
},
}
}
data "aws_region" "current" {}
data "google_project" "project" {}
resource "random_string" "suffix" {
length = 10
special = false
upper = false
}
resource "google_compute_ha_vpn_gateway" "gateway" {
provider = google-beta
name = "ha-vpn-gw-to-aws-${data.aws_region.current.name}-${local.suffix}"
project = data.google_project.project.project_id
network = var.google_network
}
# Can't loop the cgw because TF errors with : Terraform value depends on resource attributes that cannot be determined
# until apply, so Terraform cannot predict how many instances will be created.
# We know for each GW there will always be 2 interfaces so maybe a map of alpha/beta if we want a loop. For now
# I'm leaving as separate resources.
resource "aws_customer_gateway" "cgw-alpha" {
bgp_asn = var.google_side_asn
ip_address = google_compute_ha_vpn_gateway.gateway.vpn_interfaces[0].ip_address
type = "ipsec.1"
tags = {
Name = "aws-to-google-vpn-gateway-alpha-${local.suffix}"
}
}
resource "aws_customer_gateway" "cgw-beta" {
bgp_asn = var.google_side_asn
ip_address = google_compute_ha_vpn_gateway.gateway.vpn_interfaces[1].ip_address
type = "ipsec.1"
tags = {
Name = "aws-to-google-vpn-gateway-beta-${local.suffix}"
}
}
// TODO Track this Issue and implement when ready https://github.com/terraform-providers/terraform-provider-aws/issues/11584
resource "aws_vpn_connection" "vpn-alpha" {
customer_gateway_id = aws_customer_gateway.cgw-alpha.id
transit_gateway_id = var.transit_gateway_id
type = aws_customer_gateway.cgw-alpha.type
tunnel1_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel2_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel1_phase1_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel2_phase1_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel1_phase1_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel2_phase1_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel1_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel2_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel1_phase2_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel2_phase2_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel1_phase2_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel2_phase2_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tags = {
"Name" = "vpn-to-google-alpha-${local.suffix}"
}
}
resource "aws_vpn_connection" "vpn-beta" {
customer_gateway_id = aws_customer_gateway.cgw-beta.id
transit_gateway_id = var.transit_gateway_id
type = aws_customer_gateway.cgw-beta.type
tunnel1_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel2_phase1_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel1_phase1_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel2_phase1_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel1_phase1_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel2_phase1_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel1_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel2_phase2_encryption_algorithms = var.aws_vpn_configs.encryption_algorithms
tunnel1_phase2_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel2_phase2_integrity_algorithms = var.aws_vpn_configs.integrity_algorithms
tunnel1_phase2_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tunnel2_phase2_dh_group_numbers = var.aws_vpn_configs.dh_group_numbers
tags = {
"Name" = "vpn-to-google-beta-${local.suffix}"
}
}
resource "google_compute_router" "router" {
provider = google-beta
name = "cr-to-aws-tgw-ha-vpn-${data.aws_region.current.name}-${local.suffix}"
network = var.google_network
description = "Google to AWS via Transit GW connection for AWS region ${data.aws_region.current.name}"
bgp {
asn = var.google_side_asn
advertise_mode = (
var.router_advertise_config == null
? null
: var.router_advertise_config.mode
)
advertised_groups = (
var.router_advertise_config == null ? null : (
var.router_advertise_config.mode != "CUSTOM"
? null
: var.router_advertise_config.groups
)
)
dynamic "advertised_ip_ranges" {
for_each = (
var.router_advertise_config == null ? {} : (
var.router_advertise_config.mode != "CUSTOM"
? null
: var.router_advertise_config.ip_ranges
)
)
iterator = range
content {
range = range.key
description = range.value
}
}
}
}
resource "google_compute_external_vpn_gateway" "external_gateway" {
provider = google-beta
name = "aws-${var.transit_gateway_id}-${data.aws_region.current.name}-${local.suffix}"
redundancy_type = "FOUR_IPS_REDUNDANCY"
description = "AWS Transit GW: ${var.transit_gateway_id} in AWS region ${data.aws_region.current.name}"
dynamic "interface" {
for_each = local.external_vpn_gateway_interfaces
content {
id = interface.key
ip_address = interface.value["tunnel_address"]
}
}
}
resource "google_compute_vpn_tunnel" "tunnels" {
provider = google-beta
for_each = local.external_vpn_gateway_interfaces
name = "tunnel${each.key}-${google_compute_router.router.name}"
description = "Tunnel to AWS - HA VPN interface ${each.key} to AWS interface ${each.value.tunnel_address}"
router = google_compute_router.router.self_link
ike_version = 2
shared_secret = each.value.shared_secret
vpn_gateway = google_compute_ha_vpn_gateway.gateway.self_link
vpn_gateway_interface = each.value.vpn_gateway_interface
peer_external_gateway = google_compute_external_vpn_gateway.external_gateway.self_link
peer_external_gateway_interface = each.key
}
resource "google_compute_router_interface" "interfaces" {
provider = google-beta
for_each = local.external_vpn_gateway_interfaces
name = "interface${each.key}-${google_compute_router.router.name}"
router = google_compute_router.router.name
ip_range = each.value.cgw_inside_address
vpn_tunnel = google_compute_vpn_tunnel.tunnels[each.key].name
}
resource "google_compute_router_peer" "router_peers" {
provider = google-beta
for_each = local.external_vpn_gateway_interfaces
name = "peer${each.key}-${google_compute_router.router.name}"
router = google_compute_router.router.name
peer_ip_address = each.value.vgw_inside_address
peer_asn = each.value.asn
interface = google_compute_router_interface.interfaces[each.key].name
}