Added VPN GW and Tunnel modules.

main.tf

@@ -65,6 +65,34 @@ module "hub_to_spoke_peering" {
   ]
 }
 
+module "gw" {
+  source = "./modules/cloud-vpn"
+
+  name            = "${var.hub.name}-vpn"
+  network_name    = module.hub_network.name
+  region          = var.hub.region
+  vpn_external_ip = "vpw-gw-us-west1"
+}
+
+module "to_lazurowa" {
+  source        = "./modules/cloud-vpn-tunnel"
+  name          = "${var.hub.name}-to-lazurowa"
+  gw_name       = module.gw.name
+  peer_ip       = var.peer_ip
+  shared_secret = var.shared_secret
+
+  local_selectors = [
+    var.hub.cidr,
+    var.spoke.cidr
+  ]
+
+  remote_selectors = [
+    "192.168.2.0/24", "192.168.10.0/24"
+  ]
+
+  depends_on = [module.gw]
+}
+
 module "vm_hub" {
   source = "./modules/linux-vm"
 

modules/cloud-vpn-tunnel/main.tf

@@ -0,0 +1,31 @@
+data "google_compute_vpn_gateway" "gw" {
+  name = var.gw_name
+}
+
+locals {
+  vpc_name = regex("networks/([^/]+)$", data.google_compute_vpn_gateway.gw.network)[0]
+}
+
+data google_compute_network network {
+  name = local.vpc_name
+}
+
+resource "google_compute_vpn_tunnel" "tunnel" {
+  name               = var.name
+  target_vpn_gateway = data.google_compute_vpn_gateway.gw.id
+
+  shared_secret = var.shared_secret
+  peer_ip       = var.peer_ip
+  ike_version   = 2
+
+  local_traffic_selector  = concat(var.local_selectors, ["35.199.192.0/19"])
+  remote_traffic_selector = var.remote_selectors
+}
+
+resource "google_compute_route" "route_to_remote_network" {
+  count               = length(var.remote_selectors)
+  name                = "${data.google_compute_network.network.name}-to-${replace(var.remote_selectors[count.index], "/[./]/", "-")}"
+  network             = data.google_compute_network.network.name
+  dest_range          = var.remote_selectors[count.index]
+  next_hop_vpn_tunnel = google_compute_vpn_tunnel.tunnel.id
+}

modules/cloud-vpn-tunnel/variables.tf

@@ -0,0 +1,30 @@
+variable "name" {
+  description = "Name of the VPN tunnel"
+  type        = string
+}
+
+variable "gw_name" {
+  description = "The name of the VPN gateway"
+  type        = string
+}
+
+variable "shared_secret" {
+  description = "Shared secret for the VPN tunnel"
+  type        = string
+  sensitive   = true
+}
+
+variable "peer_ip" {
+  description = "IP address of the peer VPN gateway"
+  type        = string
+}
+
+variable "local_selectors" {
+  description = "Local traffic selectors for the VPN tunnel"
+  type        = list(string)
+}
+
+variable "remote_selectors" {
+  description = "Remote traffic selectors for the VPN tunnel"
+  type        = list(string)
+}

modules/cloud-vpn/main.tf

@@ -0,0 +1,43 @@
+# Cloud VPN
+resource "google_compute_vpn_gateway" "gw" {
+  name    = var.name
+  network = var.network_name
+  region  = var.region
+}
+
+resource "google_compute_address" "vpn_ip" {
+  count = var.vpn_external_ip != null ? 0 : 1
+
+  name         = "${var.name}-ip"
+  region       = var.region
+  address_type = "EXTERNAL"
+}
+
+data "google_compute_address" "vpn_ip" {
+  count = var.vpn_external_ip != null ? 1 : 0
+
+  name   = var.vpn_external_ip
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_esp" {
+  name        = "fwd-esp"
+  ip_protocol = "ESP"
+  ip_address  = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+  target      = google_compute_vpn_gateway.gw.id
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_udp_500" {
+  name        = "fwd-udp-500"
+  ip_protocol = "UDP"
+  ip_address  = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+  port_range  = "500"
+  target      = google_compute_vpn_gateway.gw.id
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_udp_4500" {
+  name        = "fwd-udp-4500"
+  ip_protocol = "UDP"
+  ip_address  = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+  port_range  = "4500"
+  target      = google_compute_vpn_gateway.gw.id
+}

modules/cloud-vpn/outputs.tf

@@ -0,0 +1,15 @@
+output "ip" {
+  value = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+}
+
+output "network_name" {
+  value = var.network_name
+}
+
+output "id" {
+  value = google_compute_vpn_gateway.gw.id
+}
+
+output "name" {
+  value = google_compute_vpn_gateway.gw.name
+}

modules/cloud-vpn/variables.tf

@@ -0,0 +1,21 @@
+variable "name" {
+  description = "The name of the VPN Gateway."
+  type        = string
+}
+
+variable "network_name" {
+  description = "The name of the network."
+  type        = string
+}
+
+variable "region" {
+  description = "The region of the VPN Gateway."
+  type        = string
+}
+
+variable "vpn_external_ip" {
+  description = "The name of the external IP address of the VPN Gateway."
+  type        = string
+  nullable    = true
+  default     = null
+}

variables.tf

@@ -30,3 +30,14 @@ variable "ssh" {
     ssh_user   = "slawek@1password"
   }]
 }
+
+variable "peer_ip" {
+  description = "IP address of the remote peer VPN gateway"
+  type        = string
+}
+
+variable "shared_secret" {
+  description = "Shared secret for the VPN tunnel"
+  type        = string
+  sensitive   = true
+}