diff --git a/main.tf b/main.tf
index 5b05442..b3cdd9a 100644
--- a/main.tf
+++ b/main.tf
@@ -65,6 +65,34 @@ module "hub_to_spoke_peering" {
 ]
 }
+module "gw" {
+ source = "./modules/cloud-vpn"
+
+ name = "${var.hub.name}-vpn"
+ network_name = module.hub_network.name
+ region = var.hub.region
+ vpn_external_ip = "vpw-gw-us-west1"
+}
+
+module "to_lazurowa" {
+ source = "./modules/cloud-vpn-tunnel"
+ name = "${var.hub.name}-to-lazurowa"
+ gw_name = module.gw.name
+ peer_ip = var.peer_ip
+ shared_secret = var.shared_secret
+
+ local_selectors = [
+ var.hub.cidr,
+ var.spoke.cidr
+ ]
+
+ remote_selectors = [
+ "192.168.2.0/24", "192.168.10.0/24"
+ ]
+
+ depends_on = [module.gw]
+}
+
 module "vm_hub" {
 source = "./modules/linux-vm"
diff --git a/modules/cloud-vpn-tunnel/main.tf b/modules/cloud-vpn-tunnel/main.tf
new file mode 100644
index 0000000..09cab9c
--- /dev/null
+++ b/modules/cloud-vpn-tunnel/main.tf
@@ -0,0 +1,31 @@
+data "google_compute_vpn_gateway" "gw" {
+ name = var.gw_name
+}
+
+locals {
+ vpc_name = regex("networks/([^/]+)$", data.google_compute_vpn_gateway.gw.network)[0]
+}
+
+data google_compute_network network {
+ name = local.vpc_name
+}
+
+resource "google_compute_vpn_tunnel" "tunnel" {
+ name = var.name
+ target_vpn_gateway = data.google_compute_vpn_gateway.gw.id
+
+ shared_secret = var.shared_secret
+ peer_ip = var.peer_ip
+ ike_version = 2
+
+ local_traffic_selector = concat(var.local_selectors, ["35.199.192.0/19"])
+ remote_traffic_selector = var.remote_selectors
+}
+
+resource "google_compute_route" "route_to_remote_network" {
+ count = length(var.remote_selectors)
+ name = "${data.google_compute_network.network.name}-to-${replace(var.remote_selectors[count.index], "/[./]/", "-")}"
+ network = data.google_compute_network.network.name
+ dest_range = var.remote_selectors[count.index]
+ next_hop_vpn_tunnel = google_compute_vpn_tunnel.tunnel.id
+}
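Review bot: The peer prefixes `192.168.2.0/24` and `192.168.10.0/24` and the address name `vpw-gw-us-west1` are hard-coded inside the `to_lazurowa` and `gw` module calls, while `peer_ip` and `shared_secret` for the same tunnel already come from variables; `vpw` also reads like a typo for `vpn`, though it may be the real name of a pre-existing address, and if it is wrong the `google_compute_address` data-source lookup fails at plan time rather than falling back to creating one. Moving the prefixes to a variable, e.g. `remote_selectors = var.peer_cidrs`, keeps the set of prefixes that get a static route through the tunnel reviewable in one place. `depends_on = [module.gw]` is redundant since `gw_name = module.gw.name` already orders the tunnel after the gateway, and a module-level `depends_on` makes every resource in the tunnel module wait for every resource in the gateway module.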
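Review bot: `local_traffic_selector` silently appends `35.199.192.0/19` to the caller's selectors with no comment saying why; the prefix is not a module input, so a reader cannot tell whether it is required or a leftover. It looks like the Google-owned source range used when Cloud DNS forwards queries to on-prem — confirm and document it, e.g. `# 35.199.192.0/19: Google-owned source range for Cloud DNS forwarding to the peer; must be in the local selector or forwarded queries are dropped`, and drop it if that is not the intent, since it widens what the peer is allowed to exchange traffic with. The `google_compute_vpn_gateway` and `google_compute_network` data sources are looked up by name only, so they resolve against the provider's default project and region; threading the gateway's `region` through (the cloud-vpn module already has it) avoids a surprise when the provider region differs from the gateway's. Note also that `shared_secret` is written to state in clear text regardless of `sensitive = true`, so the state backend must be treated as holding the IKE pre-shared key.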
diff --git a/modules/cloud-vpn-tunnel/variables.tf b/modules/cloud-vpn-tunnel/variables.tf
new file mode 100644
index 0000000..613c7e6
--- /dev/null
+++ b/modules/cloud-vpn-tunnel/variables.tf
@@ -0,0 +1,30 @@
+variable "name" {
+ description = "Name of the VPN tunnel"
+ type = string
+}
+
+variable "gw_name" {
+ description = "The name of the VPN gateway"
+ type = string
+}
+
+variable "shared_secret" {
+ description = "Shared secret for the VPN tunnel"
+ type = string
+ sensitive = true
+}
+
+variable "peer_ip" {
+ description = "IP address of the peer VPN gateway"
+ type = string
+}
+
+variable "local_selectors" {
+ description = "Local traffic selectors for the VPN tunnel"
+ type = list(string)
+}
+
+variable "remote_selectors" {
+ description = "Remote traffic selectors for the VPN tunnel"
+ type = list(string)
+}
diff --git a/modules/cloud-vpn/main.tf b/modules/cloud-vpn/main.tf
index e69de29..de165ab 100644
--- a/modules/cloud-vpn/main.tf
+++ b/modules/cloud-vpn/main.tf
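Review bot: `remote_selectors` is accepted without any validation, and the module's main.tf creates one `google_compute_route` per entry, so an over-broad entry such as `0.0.0.0/0` would install a default route that sends all VPC egress through the peer, and a malformed string only fails at apply time. A `validation` block that rejects non-CIDR strings and the default route catches both at plan time. `peer_ip` could get the same treatment with `condition = can(cidrnetmask("${var.peer_ip}/32"))`, which rejects anything that is not an IPv4 address before the tunnel resource is attempted.
```hcl
variable "remote_selectors" {
  description = "Remote traffic selectors for the VPN tunnel"
  type        = list(string)

  validation {
    condition = alltrue([
      for cidr in var.remote_selectors :
      can(cidrnetmask(cidr)) && cidr != "0.0.0.0/0"
    ])
    error_message = "remote_selectors must be IPv4 CIDRs and must not include 0.0.0.0/0 (that would create a default route through the tunnel)."
  }
}
```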
@@ -0,0 +1,43 @@
+# Cloud VPN
+resource "google_compute_vpn_gateway" "gw" {
+ name = var.name
+ network = var.network_name
+ region = var.region
+}
+
+resource "google_compute_address" "vpn_ip" {
+ count = var.vpn_external_ip != null ? 0 : 1
+
+ name = "${var.name}-ip"
+ region = var.region
+ address_type = "EXTERNAL"
+}
+
+data "google_compute_address" "vpn_ip" {
+ count = var.vpn_external_ip != null ? 1 : 0
+
+ name = var.vpn_external_ip
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_esp" {
+ name = "fwd-esp"
+ ip_protocol = "ESP"
+ ip_address = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+ target = google_compute_vpn_gateway.gw.id
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_udp_500" {
+ name = "fwd-udp-500"
+ ip_protocol = "UDP"
+ ip_address = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+ port_range = "500"
+ target = google_compute_vpn_gateway.gw.id
+}
+
+resource "google_compute_forwarding_rule" "gw_fw_udp_4500" {
+ name = "fwd-udp-4500"
+ ip_protocol = "UDP"
+ ip_address = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+ port_range = "4500"
+ target = google_compute_vpn_gateway.gw.id
+}
diff --git a/modules/cloud-vpn/outputs.tf b/modules/cloud-vpn/outputs.tf
new file mode 100644
index 0000000..920f4bb
--- /dev/null
+++ b/modules/cloud-vpn/outputs.tf
@@ -0,0 +1,15 @@
+output "ip" {
+ value = var.vpn_external_ip != null ? data.google_compute_address.vpn_ip[0].address : google_compute_address.vpn_ip[0].address
+}
+
+output "network_name" {
+ value = var.network_name
+}
+
+output "id" {
+ value = google_compute_vpn_gateway.gw.id
+}
+
+output "name" {
+ value = google_compute_vpn_gateway.gw.name
+}
diff --git a/modules/cloud-vpn/variables.tf b/modules/cloud-vpn/variables.tf
new file mode 100644
index 0000000..628f62b
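Review bot: The three `google_compute_forwarding_rule` resources use the fixed names `fwd-esp`, `fwd-udp-500` and `fwd-udp-4500` and set no `region`, whereas the gateway and the created address both use `var.region`; a second instantiation of this module in the same project collides on those names, and a provider default region that differs from `var.region` places the rules in a different region from the gateway they target. The `data "google_compute_address"` lookup has the same gap: the address the module creates is regional, but the lookup passes only `name`. Prefixing the rule names with `var.name` and passing `region = var.region` to all four keeps the module self-contained; if this has already been applied, the rename forces replacement of the forwarding rules and a brief tunnel outage, so schedule it.
```hcl
data "google_compute_address" "vpn_ip" {
  count = var.vpn_external_ip != null ? 1 : 0

  name   = var.vpn_external_ip
  region = var.region
}

resource "google_compute_forwarding_rule" "gw_fw_esp" {
  name   = "${var.name}-fwd-esp"
  region = var.region
  # … unchanged: ip_protocol, ip_address, target …
}

resource "google_compute_forwarding_rule" "gw_fw_udp_500" {
  name   = "${var.name}-fwd-udp-500"
  region = var.region
  # … unchanged: ip_protocol, ip_address, port_range, target …
}

resource "google_compute_forwarding_rule" "gw_fw_udp_4500" {
  name   = "${var.name}-fwd-udp-4500"
  region = var.region
  # … unchanged: ip_protocol, ip_address, port_range, target …
}
```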
--- /dev/null
+++ b/modules/cloud-vpn/variables.tf
@@ -0,0 +1,21 @@
+variable "name" {
+ description = "The name of the VPN Gateway."
+ type = string
+}
+
+variable "network_name" {
+ description = "The name of the network."
+ type = string
+}
+
+variable "region" {
+ description = "The region of the VPN Gateway."
+ type = string
+}
+
+variable "vpn_external_ip" {
+ description = "The name of the external IP address of the VPN Gateway."
+ type = string
+ nullable = true
+ default = null
+}
diff --git a/variables.tf b/variables.tf
index c0699b8..e6fc4d8 100644
--- a/variables.tf
+++ b/variables.tf
@@ -30,3 +30,14 @@ variable "ssh" {
 ssh_user = "slawek@1password"
 }]
 }
+
+variable "peer_ip" {
+ description = "IP address of the remote peer VPN gateway"
+ type = string
+}
+
+variable "shared_secret" {
+ description = "Shared secret for the VPN tunnel"
+ type = string
+ sensitive = true
+}
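Review bot: `shared_secret` is correctly marked `sensitive` with no default, but `sensitive` only redacts plan and apply output — the value is still stored in clear text in the state file and in any `*.tfvars` used to supply it, so the state backend and tfvars need the same handling as the IKE pre-shared key itself. A description that says so, such as `"IKE pre-shared key for the tunnel; stored in state in clear text — supply via TF_VAR_shared_secret or a secret manager, never commit it to a tfvars file"`, makes the expectation explicit for the next person who sets it. `peer_ip` accepts any string; a `validation` block with `condition = can(cidrnetmask("${var.peer_ip}/32"))` rejects anything that is not an IPv4 address at plan time.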