diff --git a/modules/cloud-config-container/onprem/README.md b/modules/cloud-config-container/onprem/README.md
index a4a6c9abb..5dec2e446 100644
--- a/modules/cloud-config-container/onprem/README.md
+++ b/modules/cloud-config-container/onprem/README.md
@@ -64,13 +64,13 @@ module "on-prem" {
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
-| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | object({...}) | ✓ | |
+| vpn_config | VPN configuration, type must be one of 'dynamic' or 'static'. | object({...}) | ✓ | |
| *config_variables* | Additional variables used to render the cloud-config and CoreDNS templates. | map(any) | | {} |
| *coredns_config* | CoreDNS configuration path, if null default will be used. | string | | null |
| *local_ip_cidr_range* | IP CIDR range used for the Docker onprem network. | string | | 192.168.192.0/24 |
| *test_instance* | Test/development instance attributes, leave null to skip creation. | object({...}) | | null |
| *test_instance_defaults* | Test/development instance defaults used for optional configuration. If image is null, COS stable will be used. | object({...}) | | ... |
-| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | object({...}) | | ... |
+| *vpn_dynamic_config* | BGP configuration for dynamic VPN, ignored if VPN type is 'static'. | object({...}) | | ... |
| *vpn_static_ranges* | Remote CIDR ranges for static VPN, ignored if VPN type is 'dynamic'. | list(string) | | ["10.0.0.0/8"] |
## Outputs
diff --git a/modules/cloud-config-container/onprem/cloud-config.yaml b/modules/cloud-config-container/onprem/cloud-config.yaml
index 2055b6f77..d5a54f7fd 100644
--- a/modules/cloud-config-container/onprem/cloud-config.yaml
+++ b/modules/cloud-config-container/onprem/cloud-config.yaml
@@ -172,7 +172,8 @@ write_files:
owner: root:root
permissions: '0600'
content: |
- : PSK "${vpn_config.shared_secret}"
+ ${vpn_config.peer_ip} : PSK "${vpn_config.shared_secret}"
+ ${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"
# IPSEC tunnel configuration
- path: /var/lib/docker-compose/onprem/ipsec/ipsec.conf
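Review bot: The second PSK line is rendered unconditionally, so a caller that has no second tunnel and passes empty strings for `peer_ip2`/`shared_secret2` ends up with ` : PSK ""` in ipsec.secrets — the bare-selector form strongSwan treats as matching any peer, here with an empty secret (if the daemon accepts it at all). Guarding the entry, `%{~ if vpn_config.peer_ip2 != "" ~}` / `${vpn_config.peer_ip2} : PSK "${vpn_config.shared_secret2}"` / `%{~ endif ~}`, means a wildcard PSK can never be written; the same guard belongs around `conn gcp2` in ipsec.conf. Scoping the first entry to `${vpn_config.peer_ip}` instead of the previous bare selector is a real tightening and deserves a template comment such as `# one PSK per peer; never leave the selector empty, that matches any peer`.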
@@ -216,7 +217,38 @@ write_files:
closeaction=restart
%{~ if vpn_config.type == "dynamic" ~}
mark=%unique
+ %{~ endif ~}
+
+ conn gcp2
+ %{~ if vpn_config.type == "dynamic" ~}
+ leftupdown="/var/lib/strongswan/ipsec-vti.sh 1 ${vpn_dynamic_config.peer_bgp_address2}/30 ${vpn_dynamic_config.local_bgp_address2}/30"
+ %{~ endif ~}
+ left=%any
+ leftid=%any
+ %{~ if vpn_config.type == "dynamic" ~}
+ leftsubnet=0.0.0.0/0
+ %{~ else ~}
+ leftsubnet=${ip_cidr_ranges.local}
+ %{~ endif ~}
+ leftauth=psk
+ right=${vpn_config.peer_ip_wildcard2}
+ rightid=${vpn_config.peer_ip2}
+ %{~ if vpn_config.type == "dynamic" ~}
+ rightsubnet=0.0.0.0/0
+ %{~ else ~}
+ rightsubnet=${ip_cidr_ranges.remote}
+ %{~ endif ~}
+ rightauth=psk
+ type=tunnel
+ auto=start
+ dpdaction=restart
+ closeaction=restart
+ %{~ if vpn_config.type == "dynamic" ~}
+ mark=%unique
+ %{~ endif ~}
+ %{~ if vpn_config.type == "dynamic" ~}
+
# Charon configuration
- path: /var/lib/docker-compose/onprem/ipsec/vti.conf
owner: root:root
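Review bot: `conn gcp2` repeats every line of `conn gcp` with a `2` suffix, including four separate `%{~ if vpn_config.type == "dynamic" ~}` blocks; strongSwan's ipsec.conf `also=` directive lets a section inherit another, so only the peer-specific lines need writing and the two tunnels cannot drift apart (a later change to `leftsubnet` or `dpdaction` in one conn but not the other). The trailing `%{~ if vpn_config.type == "dynamic" ~}` reopens the conditional that the new `%{~ endif ~}` after `mark=%unique` closed; its matching `endif` lies outside this hunk, so the vti.conf entry stays dynamic-only only as long as that `endif` is still in place — a comment such as `# vti.conf below is only needed for dynamic (BGP over VTI) tunnels` would make the nesting obvious. The `1` passed to ipsec-vti.sh presumably selects the vti1 interface the bird routes in the README show; naming the interface in a comment would help.
```yaml
      conn gcp2
        also=gcp
        %{~ if vpn_config.type == "dynamic" ~}
        leftupdown="/var/lib/strongswan/ipsec-vti.sh 1 ${vpn_dynamic_config.peer_bgp_address2}/30 ${vpn_dynamic_config.local_bgp_address2}/30"
        %{~ endif ~}
        right=${vpn_config.peer_ip_wildcard2}
        rightid=${vpn_config.peer_ip2}
```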
@@ -292,6 +324,10 @@ write_files:
local ${vpn_dynamic_config.local_bgp_address} as ${vpn_dynamic_config.local_bgp_asn};
neighbor ${vpn_dynamic_config.peer_bgp_address} as ${vpn_dynamic_config.peer_bgp_asn};
}
+ protocol bgp gcp_vpc_a_tun2 from gcp_vpc_a {
+ local ${vpn_dynamic_config.local_bgp_address2} as ${vpn_dynamic_config.local_bgp_asn2};
+ neighbor ${vpn_dynamic_config.peer_bgp_address2} as ${vpn_dynamic_config.peer_bgp_asn2};
+ }
%{~ endif ~}
diff --git a/modules/cloud-config-container/onprem/main.tf b/modules/cloud-config-container/onprem/main.tf
index 005b7c2ba..eaa145892 100644
--- a/modules/cloud-config-container/onprem/main.tf
+++ b/modules/cloud-config-container/onprem/main.tf
@@ -38,6 +38,7 @@ locals {
dns = cidrhost(var.local_ip_cidr_range, 3)
www = cidrhost(var.local_ip_cidr_range, 4)
shell = cidrhost(var.local_ip_cidr_range, 5)
+ vpn2 = cidrhost(var.local_ip_cidr_range, 6)
}
netblocks = local.netblocks
vpn_config = local.vpn_config
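Review bot: The new `vpn2 = cidrhost(var.local_ip_cidr_range, 6)` address has no consumer anywhere in this diff — the cloud-config changes put both conns into the one existing VPN container, and the README output lists a single `onprem_vpn_1`. If the docker-compose change that would bind it is not part of this commit, the local is dead and should be dropped, or a comment should state which container the address is reserved for, e.g. `vpn2 = cidrhost(var.local_ip_cidr_range, 6) # reserved, not used by the compose file yet`. Reserving an address that nothing binds also makes the fixed-address scheme confusing for whoever adds the next service.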
@@ -49,7 +50,8 @@ locals {
data.google_netblock_ip_ranges.restricted-googleapis.cidr_blocks_ipv4
)
vpn_config = merge(var.vpn_config, {
- peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
+ peer_ip_wildcard = "%${var.vpn_config.peer_ip}"
+ peer_ip_wildcard2 = "%${var.vpn_config.peer_ip2}"
})
}
diff --git a/modules/cloud-config-container/onprem/variables.tf b/modules/cloud-config-container/onprem/variables.tf
index 5bbb704e2..3bfc8d418 100644
--- a/modules/cloud-config-container/onprem/variables.tf
+++ b/modules/cloud-config-container/onprem/variables.tf
@@ -35,25 +35,35 @@ variable "local_ip_cidr_range" {
variable "vpn_config" {
description = "VPN configuration, type must be one of 'dynamic' or 'static'."
type = object({
- peer_ip = string
- shared_secret = string
- type = string
+ peer_ip = string
+ shared_secret = string
+ type = string
+ peer_ip2 = string
+ shared_secret2 = string
})
}
variable "vpn_dynamic_config" {
description = "BGP configuration for dynamic VPN, ignored if VPN type is 'static'."
type = object({
- local_bgp_asn = number
- local_bgp_address = string
- peer_bgp_asn = number
- peer_bgp_address = string
+ local_bgp_asn = number
+ local_bgp_address = string
+ peer_bgp_asn = number
+ peer_bgp_address = string
+ local_bgp_asn2 = number
+ local_bgp_address2 = string
+ peer_bgp_asn2 = number
+ peer_bgp_address2 = string
})
default = {
- local_bgp_asn = 65002
- local_bgp_address = "169.254.0.2"
- peer_bgp_asn = 65001
- peer_bgp_address = "169.254.0.1"
+ local_bgp_asn = 64514
+ local_bgp_address = "169.254.1.2"
+ peer_bgp_asn = 64513
+ peer_bgp_address = "169.254.1.1"
+ local_bgp_asn2 = 64514
+ local_bgp_address2 = "169.254.2.2"
+ peer_bgp_asn2 = 64520
+ peer_bgp_address2 = "169.254.2.1"
}
}
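Review bot: Adding `peer_ip2` and `shared_secret2` as plain object attributes makes the second tunnel mandatory for every caller, and the matching `conn gcp2`/PSK entries in the template are unconditional, so a single-tunnel deployment is no longer expressible; with `required_version >= 0.12.6` optional object attributes are not available, so either document this or accept empty strings and guard the template on them. The description still reads as if one tunnel were configured; suggest `description = "VPN configuration for two tunnels, type must be one of 'dynamic' or 'static'; peer_ip2/shared_secret2 describe the second tunnel."` and the equivalent wording on `vpn_dynamic_config`. Neither secret attribute can be marked `sensitive` at this Terraform version, so the description should also note that the values are rendered in clear text into the generated cloud-config (ipsec.secrets).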
diff --git a/networking/onprem-google-access-dns/README.md b/networking/onprem-google-access-dns/README.md
index 1a16270be..3e8c19bd3 100644
--- a/networking/onprem-google-access-dns/README.md
+++ b/networking/onprem-google-access-dns/README.md
@@ -14,13 +14,13 @@ The example has been purposefully kept simple to show how to use and wire the on
This sample creates several distinct groups of resources:
-- one VPC
+- one VPC with two regions
- one set of firewall rules
-- one Cloud NAT configuration
-- one test instance
-- one service account for the test instance
+- one Cloud NAT configuration per region
+- one test instance on each region
+- one service account for the test instances
- one service account for the onprem instance
-- one dynamic VPN gateway with a single tunnel
+- two dynamic VPN gateways in each of the regions with a single tunnel
- two DNS zones (private and forwarding) and a DNS inbound policy
- one emulated on-premises environment in a single GCP instance
@@ -88,28 +88,84 @@ google.internal {
### Onprem to cloud
```bash
+# check containers are running
+sudo docker ps
+
# connect to the onprem instance
gcloud compute ssh onprem-1
-# check that the BGP session works and the advertised routes are set
-sudo docker exec -it onprem_bird_1 ip route |grep bird
-10.0.0.0/24 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
-35.199.192.0/19 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
-199.36.153.4/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
-199.36.153.8/30 via 169.254.1.1 dev vti0 proto bird src 10.0.16.2
+# check that the VPN tunnels are up
+sudo docker exec -it onprem_vpn_1 ipsec statusall
+
+Status of IKE charon daemon (strongSwan 5.8.1, Linux 5.4.0-1029-gcp, x86_64):
+ uptime: 6 minutes, since Nov 30 08:42:08 2020
+ worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 8
+ loaded plugins: charon aesni mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac curl sqlite attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp unity counters
+Listening IP addresses:
+ 10.0.16.2
+ 169.254.1.2
+ 169.254.2.2
+Connections:
+ gcp: %any...35.233.104.67,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
+ gcp: local: uses pre-shared key authentication
+ gcp: remote: [35.233.104.67] uses pre-shared key authentication
+ gcp: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
+ gcp2: %any...35.246.101.51,0.0.0.0/0,::/0 IKEv2, dpddelay=30s
+ gcp2: local: uses pre-shared key authentication
+ gcp2: remote: [35.246.101.51] uses pre-shared key authentication
+ gcp2: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
+Security Associations (2 up, 0 connecting):
+ gcp2[4]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.246.101.51[35.246.101.51]
+ gcp2[4]: IKEv2 SPIs: 227cb2c52085a743_i 13b18b0ad5d4de2b_r*, pre-shared key reauthentication in 9 hours
+ gcp2[4]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
+ gcp2{4}: INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cb6fdb84_i eea28dee_o
+ gcp2{4}: AES_GCM_16_256, 3298 bytes_i, 3051 bytes_o (48 pkts, 3s ago), rekeying in 2 hours
+ gcp2{4}: 0.0.0.0/0 === 0.0.0.0/0
+ gcp[3]: ESTABLISHED 6 minutes ago, 10.0.16.2[34.76.57.103]...35.233.104.67[35.233.104.67]
+ gcp[3]: IKEv2 SPIs: e2cffed5395b63dd_i 99f343468625507c_r*, pre-shared key reauthentication in 9 hours
+ gcp[3]: IKE proposal: AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048
+ gcp{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c3f09701_i 4e8cc8d5_o
+ gcp{3}: AES_GCM_16_256, 3438 bytes_i, 3135 bytes_o (49 pkts, 8s ago), rekeying in 2 hours
+ gcp{3}: 0.0.0.0/0 === 0.0.0.0/0
+
+# check that the BGP sessions works and the advertised routes are set
+sudo docker exec -it onprem_bird_1 ip route
+default via 10.0.16.1 dev eth0
+10.0.0.0/24 proto bird src 10.0.16.2
+ nexthop via 169.254.1.1 dev vti0 weight 1
+ nexthop via 169.254.2.1 dev vti1 weight 1
+10.0.16.0/24 dev eth0 proto kernel scope link src 10.0.16.2
+10.10.0.0/24 proto bird src 10.0.16.2
+ nexthop via 169.254.1.1 dev vti0 weight 1
+ nexthop via 169.254.2.1 dev vti1 weight 1
+35.199.192.0/19 proto bird src 10.0.16.2
+ nexthop via 169.254.1.1 dev vti0 weight 1
+ nexthop via 169.254.2.1 dev vti1 weight 1
+169.254.1.0/30 dev vti0 proto kernel scope link src 169.254.1.2
+169.254.2.0/30 dev vti1 proto kernel scope link src 169.254.2.2
+199.36.153.4/30 proto bird src 10.0.16.2
+ nexthop via 169.254.1.1 dev vti0 weight 1
+ nexthop via 169.254.2.1 dev vti1 weight 1
+199.36.153.8/30 proto bird src 10.0.16.2
+ nexthop via 169.254.1.1 dev vti0 weight 1
+ nexthop via 169.254.2.1 dev vti1 weight 1
+
# get a shell on the toolbox container
sudo docker exec -it onprem_toolbox_1 sh
-# test pinging the IP address of the test instance (check outputs for it)
+# test pinging the IP address of the test instances (check outputs for it)
ping 10.0.0.3
+ping 10.10.0.3
# note: if you are able to ping the IP but the DNS tests below do not work,
# refer to the sections above on configuring the DNS inbound fwd IP
# test forwarding from CoreDNS via the Cloud DNS inbound policy
-dig test-1.gcp.example.org +short
+dig test-1-1.gcp.example.org +short
10.0.0.3
+dig test-2-1.gcp.example.org +short
+10.10.0.3
# test that Private Access is configured correctly
dig compute.googleapis.com +short
@@ -143,7 +199,7 @@ curl www.onprem.example.org -s |grep h1
A single pre-existing project is used in this example to keep variables and complexity to a minimum, in a real world scenarios each spoke would probably use a separate project.
-The VPN used to connect to the on-premises environment does not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
+The VPN-s used to connect to the on-premises environment do not account for HA, upgrading to use HA VPN is reasonably simple by using the relevant [module](../../modules/net-vpn-ha).
## Variables
@@ -151,12 +207,12 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | type | required | default |
|---|---|:---: |:---:|:---:|
| project_id | Project id for all resources. | string | ✓ | |
-| *bgp_asn* | BGP ASNs. | map(number) | | ... |
-| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | map(string) | | ... |
+| *bgp_asn* | BGP ASNs. | map(number) | | ... |
+| *bgp_interface_ranges* | BGP interface IP CIDR ranges. | map(string) | | ... |
| *dns_forwarder_address* | Address of the DNS server used to forward queries from on-premises. | string | | 10.0.0.2 |
| *forwarder_address* | GCP DNS inbound policy forwarder address. | string | | 10.0.0.2 |
-| *ip_ranges* | IP CIDR ranges. | map(string) | | ... |
-| *region* | VPC region. | string | | europe-west1 |
+| *ip_ranges* | IP CIDR ranges. | map(string) | | ... |
+| *region* | VPC region. | map(string) | | ... |
| *ssh_source_ranges* | IP CIDR ranges that will be allowed to connect via SSH to the onprem instance. | list(string) | | ["0.0.0.0/0"] |
## Outputs
@@ -164,5 +220,6 @@ The VPN used to connect to the on-premises environment does not account for HA,
| name | description | sensitive |
|---|---|:---:|
| onprem-instance | Onprem instance details. | |
-| test-instance | Test instance details. | |
+| test-instance1 | Test instance details. | |
+| test-instance2 | Test instance details. | |
diff --git a/networking/onprem-google-access-dns/diagram.png b/networking/onprem-google-access-dns/diagram.png
index 3073143d2..466cbca8c 100644
Binary files a/networking/onprem-google-access-dns/diagram.png and b/networking/onprem-google-access-dns/diagram.png differ
diff --git a/networking/onprem-google-access-dns/main.tf b/networking/onprem-google-access-dns/main.tf
index 5474bd038..742e4a899 100644
--- a/networking/onprem-google-access-dns/main.tf
+++ b/networking/onprem-google-access-dns/main.tf
@@ -15,8 +15,10 @@
*/
locals {
- bgp_interface_gcp = "${cidrhost(var.bgp_interface_ranges.gcp, 1)}"
- bgp_interface_onprem = "${cidrhost(var.bgp_interface_ranges.gcp, 2)}"
+ bgp_interface_gcp1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 1)}"
+ bgp_interface_onprem1 = "${cidrhost(var.bgp_interface_ranges.gcp1, 2)}"
+ bgp_interface_gcp2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 1)}"
+ bgp_interface_onprem2 = "${cidrhost(var.bgp_interface_ranges.gcp2, 2)}"
netblocks = {
dns = data.google_netblock_ip_ranges.dns-forwarders.cidr_blocks_ipv4.0
private = data.google_netblock_ip_ranges.private-googleapis.cidr_blocks_ipv4.0
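Review bot: The four new locals wrap a single function call in `"${...}"`, the legacy interpolation-only form; since 0.12 the call is written directly, `bgp_interface_gcp1 = cidrhost(var.bgp_interface_ranges.gcp1, 1)`, and recent 0.12 releases of `terraform fmt`/`validate` warn about the old form. The same applies to the other three lines. A one-line comment such as `# GCP takes .1 and on-prem .2 of each /30 BGP link range` would document the convention the two VPN modules and the onprem config both rely on.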
@@ -54,9 +56,15 @@ module "vpc" {
name = "to-onprem"
subnets = [
{
- ip_cidr_range = var.ip_ranges.gcp
- name = "subnet"
- region = var.region
+ ip_cidr_range = var.ip_ranges.gcp1
+ name = "subnet1"
+ region = var.region.gcp1
+ secondary_ip_range = {}
+ },
+ {
+ ip_cidr_range = var.ip_ranges.gcp2
+ name = "subnet2"
+ region = var.region.gcp2
secondary_ip_range = {}
}
]
@@ -71,18 +79,18 @@ module "vpc-firewall" {
ssh_source_ranges = var.ssh_source_ranges
}
-module "vpn" {
+module "vpn1" {
source = "../../modules/net-vpn-dynamic"
project_id = var.project_id
- region = module.vpc.subnet_regions["${var.region}/subnet"]
+ region = var.region.gcp1
network = module.vpc.name
- name = "to-onprem"
- router_asn = var.bgp_asn.gcp
+ name = "to-onprem1"
+ router_asn = var.bgp_asn.gcp1
tunnels = {
onprem = {
bgp_peer = {
- address = local.bgp_interface_onprem
- asn = var.bgp_asn.onprem
+ address = local.bgp_interface_onprem1
+ asn = var.bgp_asn.onprem1
}
bgp_peer_options = {
advertise_groups = ["ALL_SUBNETS"]
@@ -94,7 +102,7 @@ module "vpn" {
advertise_mode = "CUSTOM"
route_priority = 1000
}
- bgp_session_range = "${local.bgp_interface_gcp}/30"
+ bgp_session_range = "${local.bgp_interface_gcp1}/30"
ike_version = 2
peer_ip = module.vm-onprem.external_ips.0
shared_secret = ""
@@ -102,13 +110,52 @@ module "vpn" {
}
}
-module "nat" {
+module "vpn2" {
+ source = "../../modules/net-vpn-dynamic"
+ project_id = var.project_id
+ region = var.region.gcp2
+ network = module.vpc.name
+ name = "to-onprem2"
+ router_asn = var.bgp_asn.gcp2
+ tunnels = {
+ onprem = {
+ bgp_peer = {
+ address = local.bgp_interface_onprem2
+ asn = var.bgp_asn.onprem2
+ }
+ bgp_peer_options = {
+ advertise_groups = ["ALL_SUBNETS"]
+ advertise_ip_ranges = {
+ (local.netblocks.dns) = "DNS resolvers"
+ (local.netblocks.private) = "private.gooogleapis.com"
+ (local.netblocks.restricted) = "restricted.gooogleapis.com"
+ }
+ advertise_mode = "CUSTOM"
+ route_priority = 1000
+ }
+ bgp_session_range = "${local.bgp_interface_gcp2}/30"
+ ike_version = 2
+ peer_ip = module.vm-onprem.external_ips.0
+ shared_secret = ""
+ }
+ }
+}
+
+module "nat1" {
source = "../../modules/net-cloudnat"
project_id = var.project_id
- region = var.region
+ region = var.region.gcp1
name = "default"
router_create = false
- router_name = module.vpn.router_name
+ router_name = module.vpn1.router_name
+}
+module "nat2" {
+ source = "../../modules/net-cloudnat"
+ project_id = var.project_id
+ region = var.region.gcp2
+ name = "default"
+ router_create = false
+ router_name = module.vpn2.router_name
}
################################################################################
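Review bot: The advertised-range descriptions in `module "vpn2"` misspell the hostnames — `private.gooogleapis.com` and `restricted.gooogleapis.com` carry three o's and should read `"private.googleapis.com"` and `"restricted.googleapis.com"` (check `module "vpn1"`, whose advertise block is outside this hunk, for the same typo). `shared_secret = ""` relies on net-vpn-dynamic generating a secret when the value is empty, which is only evident from `module.vpn2.random_secret` being consumed later; a comment `# empty string: let the module generate a random secret` on that line would make the intent explicit. vpn1 and vpn2 differ only in region, ASN and link range, so once the example can require Terraform 0.13 a single module with `for_each = var.region` would remove the duplication.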
@@ -125,7 +172,11 @@ module "dns-gcp" {
recordsets = concat(
[{ name = "localhost", type = "A", ttl = 300, records = ["127.0.0.1"] }],
[
- for name, ip in zipmap(module.vm-test.names, module.vm-test.internal_ips) :
+ for name, ip in zipmap(module.vm-test1.names, module.vm-test1.internal_ips) :
+ { name = name, type = "A", ttl = 300, records = [ip] }
+ ],
+ [
+ for name, ip in zipmap(module.vm-test2.names, module.vm-test2.internal_ips) :
{ name = name, type = "A", ttl = 300, records = [ip] }
]
)
@@ -152,7 +203,7 @@ module "dns-onprem" {
name = "onprem-example"
domain = "onprem.example.org."
client_networks = [module.vpc.self_link]
- forwarders = { cidrhost(var.ip_ranges.onprem, 3) = null }
+ forwarders = [cidrhost(var.ip_ranges.onprem, 3)]
}
resource "google_dns_policy" "inbound" {
@@ -170,9 +221,9 @@ resource "google_dns_policy" "inbound" {
################################################################################
module "service-account-gce" {
- source = "../../modules/iam-service-account"
+ source = "../../modules/iam-service-accounts"
project_id = var.project_id
- name = "gce-test"
+ names = ["gce-test"]
iam_project_roles = {
(var.project_id) = [
"roles/logging.logWriter",
@@ -181,14 +232,32 @@ module "service-account-gce" {
}
}
-module "vm-test" {
+module "vm-test1" {
source = "../../modules/compute-vm"
project_id = var.project_id
- region = var.region
- name = "test"
+ region = var.region.gcp1
+ name = "test-1"
network_interfaces = [{
network = module.vpc.self_link
- subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
+ subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
+ nat = false
+ addresses = null
+ alias_ips = null
+ }]
+ metadata = { startup-script = local.vm-startup-script }
+ service_account = module.service-account-gce.email
+ service_account_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ tags = ["ssh"]
+}
+
+module "vm-test2" {
+ source = "../../modules/compute-vm"
+ project_id = var.project_id
+ region = var.region.gcp2
+ name = "test-2"
+ network_interfaces = [{
+ network = module.vpc.self_link
+ subnetwork = module.vpc.subnet_self_links["${var.region.gcp2}/subnet2"]
nat = false
addresses = null
alias_ips = null
@@ -209,22 +278,28 @@ module "config-onprem" {
coredns_config = "${path.module}/assets/Corefile"
local_ip_cidr_range = var.ip_ranges.onprem
vpn_config = {
- peer_ip = module.vpn.address
- shared_secret = module.vpn.random_secret
- type = "dynamic"
+ peer_ip = module.vpn1.address
+ peer_ip2 = module.vpn2.address
+ shared_secret = module.vpn1.random_secret
+ shared_secret2 = module.vpn2.random_secret
+ type = "dynamic"
}
vpn_dynamic_config = {
- local_bgp_asn = var.bgp_asn.onprem
- local_bgp_address = local.bgp_interface_onprem
- peer_bgp_asn = var.bgp_asn.gcp
- peer_bgp_address = local.bgp_interface_gcp
+ local_bgp_asn = var.bgp_asn.onprem1
+ local_bgp_address = local.bgp_interface_onprem1
+ peer_bgp_asn = var.bgp_asn.gcp1
+ peer_bgp_address = local.bgp_interface_gcp1
+ local_bgp_asn2 = var.bgp_asn.onprem2
+ local_bgp_address2 = local.bgp_interface_onprem2
+ peer_bgp_asn2 = var.bgp_asn.gcp2
+ peer_bgp_address2 = local.bgp_interface_gcp2
}
}
module "service-account-onprem" {
- source = "../../modules/iam-service-account"
+ source = "../../modules/iam-service-accounts"
project_id = var.project_id
- name = "gce-onprem"
+ names = ["gce-onprem"]
iam_project_roles = {
(var.project_id) = [
"roles/compute.viewer",
@@ -237,7 +312,7 @@ module "service-account-onprem" {
module "vm-onprem" {
source = "../../modules/compute-vm"
project_id = var.project_id
- region = var.region
+ region = var.region.gcp1
instance_type = "f1-micro"
name = "onprem"
boot_disk = {
@@ -250,7 +325,7 @@ module "vm-onprem" {
}
network_interfaces = [{
network = module.vpc.name
- subnetwork = module.vpc.subnet_self_links["${var.region}/subnet"]
+ subnetwork = module.vpc.subnet_self_links["${var.region.gcp1}/subnet1"]
nat = true
addresses = null
alias_ips = null
diff --git a/networking/onprem-google-access-dns/outputs.tf b/networking/onprem-google-access-dns/outputs.tf
index 3cc0ddc43..7d2f385b5 100644
--- a/networking/onprem-google-access-dns/outputs.tf
+++ b/networking/onprem-google-access-dns/outputs.tf
@@ -23,10 +23,17 @@ output "onprem-instance" {
}
}
-output "test-instance" {
+output "test-instance1" {
description = "Test instance details."
value = join(" ", [
- module.vm-test.names[0],
- module.vm-test.internal_ips[0]
+ module.vm-test1.names[0],
+ module.vm-test1.internal_ips[0]
+ ])
+}
+output "test-instance2" {
+ description = "Test instance details."
+ value = join(" ", [
+ module.vm-test2.names[0],
+ module.vm-test2.internal_ips[0]
])
}
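Review bot: Both outputs carry the identical description `"Test instance details."`, so the generated README table gives no hint which region each refers to; use `description = "Test instance details (region gcp1)."` and `"Test instance details (region gcp2)."`, or expose one `test-instances` map output keyed by `gcp1`/`gcp2` so a third region needs no new output.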
diff --git a/networking/onprem-google-access-dns/variables.tf b/networking/onprem-google-access-dns/variables.tf
index f09bf4229..9e70a9202 100644
--- a/networking/onprem-google-access-dns/variables.tf
+++ b/networking/onprem-google-access-dns/variables.tf
@@ -18,8 +18,10 @@ variable "bgp_asn" {
description = "BGP ASNs."
type = map(number)
default = {
- gcp = 64513
- onprem = 64514
+ gcp1 = 64513
+ gcp2 = 64520
+ onprem1 = 64514
+ onprem2 = 64514
}
}
@@ -27,7 +29,8 @@ variable "bgp_interface_ranges" {
description = "BGP interface IP CIDR ranges."
type = map(string)
default = {
- gcp = "169.254.1.0/30"
+ gcp1 = "169.254.1.0/30"
+ gcp2 = "169.254.2.0/30"
}
}
@@ -41,7 +44,8 @@ variable "ip_ranges" {
description = "IP CIDR ranges."
type = map(string)
default = {
- gcp = "10.0.0.0/24"
+ gcp1 = "10.0.0.0/24"
+ gcp2 = "10.10.0.0/24"
onprem = "10.0.16.0/24"
}
}
@@ -53,8 +57,11 @@ variable "project_id" {
variable "region" {
description = "VPC region."
- type = string
- default = "europe-west1"
+ type = map(string)
+ default = {
+ gcp1 = "europe-west1"
+ gcp2 = "europe-west2"
+ }
}
variable "forwarder_address" {
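Review bot: `region` is now a `map(string)` but the code indexes it by the fixed keys `gcp1` and `gcp2` (`var.region.gcp1` in the VPC, VPN, NAT and VM modules), so a caller overriding the default with any other keys fails only at evaluation inside those modules with an "unsupported attribute" error; `type = object({ gcp1 = string, gcp2 = string })` enforces the keys at plan time and documents them. The same applies to `bgp_asn`, `bgp_interface_ranges` and `ip_ranges`, which are indexed with fixed keys too. The description `"VPC region."` is stale now that the VPC spans two regions; `"Regions for the two VPC subnets, keyed gcp1/gcp2."` would be accurate.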
diff --git a/networking/onprem-google-access-dns/versions.tf b/networking/onprem-google-access-dns/versions.tf
new file mode 100644
index 000000000..057095c0f
--- /dev/null
+++ b/networking/onprem-google-access-dns/versions.tf
@@ -0,0 +1,17 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+terraform {
+ required_version = ">= 0.12.6"
+}