diff --git a/fast/stages/02-networking-nva/README.md b/fast/stages/02-networking-nva/README.md
index a72519b50..ca4d3bcae 100644
--- a/fast/stages/02-networking-nva/README.md
+++ b/fast/stages/02-networking-nva/README.md
@@ -387,7 +387,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [region_trigram](variables.tf#L183) | Short names for GCP regions. | map(string) | | {…} | |
| [router_configs](variables.tf#L192) | Configurations for CRs and onprem routers. | map(object({…})) | | {…} | |
| [service_accounts](variables.tf#L215) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L229) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [vpn_onprem_configs](variables.tf#L229) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-peering/README.md b/fast/stages/02-networking-peering/README.md
index f6a828099..c7829f0fb 100644
--- a/fast/stages/02-networking-peering/README.md
+++ b/fast/stages/02-networking-peering/README.md
@@ -311,7 +311,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [region_trigram](variables.tf#L166) | Short names for GCP regions. | map(string) | | {…} | |
| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-separate-envs/README.md b/fast/stages/02-networking-separate-envs/README.md
index a874311a9..66b31646e 100644
--- a/fast/stages/02-networking-separate-envs/README.md
+++ b/fast/stages/02-networking-separate-envs/README.md
@@ -252,7 +252,7 @@ You're now ready to run `terraform init` and `apply`.
| [psa_ranges](variables.tf#L129) | IP ranges used for Private Service Access (e.g. CloudSQL). | object({…}) | | null | |
| [router_onprem_configs](variables.tf#L166) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [service_accounts](variables.tf#L189) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L201) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [vpn_onprem_configs](variables.tf#L201) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
## Outputs
diff --git a/fast/stages/02-networking-vpn/README.md b/fast/stages/02-networking-vpn/README.md
index 8a884c09b..047a1189c 100644
--- a/fast/stages/02-networking-vpn/README.md
+++ b/fast/stages/02-networking-vpn/README.md
@@ -336,7 +336,7 @@ DNS configurations are centralised in the `dns-*.tf` files. Spokes delegate DNS
| [router_onprem_configs](variables.tf#L175) | Configurations for routers used for onprem connectivity. | map(object({…})) | | {…} | |
| [router_spoke_configs](variables-vpn.tf#L18) | Configurations for routers used for internal connectivity. | map(object({…})) | | {…} | |
| [service_accounts](variables.tf#L193) | Automation service accounts in name => email format. | object({…}) | | null | 01-resman |
-| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
+| [vpn_onprem_configs](variables.tf#L207) | VPN gateway configuration for onprem interconnection. | map(object({…})) | | {…} | |
| [vpn_spoke_configs](variables-vpn.tf#L37) | VPN gateway configuration for spokes. | map(object({…})) | | {…} | |
## Outputs
diff --git a/modules/net-vpn-ha/README.md b/modules/net-vpn-ha/README.md
index be09a8e06..1c1a23ce2 100644
--- a/modules/net-vpn-ha/README.md
+++ b/modules/net-vpn-ha/README.md
@@ -126,18 +126,12 @@ module "vpn_ha" {
|---|---|:---:|:---:|:---:|
| [name](variables.tf#L17) | VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources. | string | ✓ | |
| [network](variables.tf#L22) | VPC used for the gateway and routes. | string | ✓ | |
-| [project_id](variables.tf#L45) | Project where resources will be created. | string | ✓ | |
-| [region](variables.tf#L50) | Region used for resources. | string | ✓ | |
-| [peer_external_gateway](variables.tf#L27) | Configuration of an external VPN gateway to which this VPN is connected. | object({…}) | | null |
-| [peer_gcp_gateway](variables.tf#L39) | Self Link URL of the peer side HA GCP VPN gateway to which this VPN tunnel is connected. | string | | null |
-| [route_priority](variables.tf#L55) | Route priority, defaults to 1000. | number | | 1000 |
-| [router_advertise_config](variables.tf#L61) | Router custom advertisement configuration, ip_ranges is a map of address ranges and descriptions. | object({…}) | | null |
-| [router_asn](variables.tf#L71) | Router ASN used for auto-created router. | number | | 64514 |
-| [router_create](variables.tf#L77) | Create router. | bool | | true |
-| [router_name](variables.tf#L83) | Router name used for auto created router, or to specify an existing router to use if `router_create` is set to `true`. Leave blank to use VPN name for auto created router. | string | | "" |
-| [tunnels](variables.tf#L89) | VPN tunnel configurations, bgp_peer_options is usually null. | map(object({…})) | | {} |
-| [vpn_gateway](variables.tf#L114) | HA VPN Gateway Self Link for using an existing HA VPN Gateway, leave empty if `vpn_gateway_create` is set to `true`. | string | | null |
-| [vpn_gateway_create](variables.tf#L120) | Create HA VPN Gateway. | bool | | true |
+| [peer_gateway](variables.tf#L27) | Configuration of the (external or GCP) peer gateway. | object({…}) | ✓ | |
+| [project_id](variables.tf#L43) | Project where resources will be created. | string | ✓ | |
+| [region](variables.tf#L48) | Region used for resources. | string | ✓ | |
+| [router_config](variables.tf#L53) | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) | ✓ | |
+| [tunnels](variables.tf#L68) | VPN tunnel configurations, bgp_peer_options is usually null. | map(object({…})) | | {} |
+| [vpn_gateway](variables.tf#L95) | Self link of an existing HA VPN Gateway to use. Set to null to create new VPN Gateway. | string | | null |
## Outputs
@@ -145,14 +139,14 @@ module "vpn_ha" {
|---|---|:---:|
| [bgp_peers](outputs.tf#L18) | BGP peer resources. | |
| [external_gateway](outputs.tf#L25) | External VPN gateway resource. | |
-| [gateway](outputs.tf#L34) | VPN gateway resource (only if auto-created). | |
-| [name](outputs.tf#L43) | VPN gateway name (only if auto-created). . | |
-| [random_secret](outputs.tf#L52) | Generated secret. | |
-| [router](outputs.tf#L57) | Router resource (only if auto-created). | |
-| [router_name](outputs.tf#L66) | Router name. | |
-| [self_link](outputs.tf#L71) | HA VPN gateway self link. | |
-| [tunnel_names](outputs.tf#L76) | VPN tunnel names. | |
-| [tunnel_self_links](outputs.tf#L84) | VPN tunnel self links. | |
-| [tunnels](outputs.tf#L92) | VPN tunnel resources. | |
+| [gateway](outputs.tf#L30) | VPN gateway resource (only if auto-created). | |
+| [name](outputs.tf#L35) | VPN gateway name (only if auto-created). . | |
+| [random_secret](outputs.tf#L40) | Generated secret. | |
+| [router](outputs.tf#L45) | Router resource (only if auto-created). | |
+| [router_name](outputs.tf#L50) | Router name. | |
+| [self_link](outputs.tf#L55) | HA VPN gateway self link. | |
+| [tunnel_names](outputs.tf#L60) | VPN tunnel names. | |
+| [tunnel_self_links](outputs.tf#L68) | VPN tunnel self links. | |
+| [tunnels](outputs.tf#L76) | VPN tunnel resources. | |
diff --git a/modules/net-vpn-ha/variables.tf b/modules/net-vpn-ha/variables.tf
index 8f24b6cbc..f8ecd151f 100644
--- a/modules/net-vpn-ha/variables.tf
+++ b/modules/net-vpn-ha/variables.tf
@@ -25,6 +25,7 @@ variable "network" {
}
variable "peer_gateway" {
+ description = "Configuration of the (external or GCP) peer gateway."
type = object({
external = optional(object({
redundancy_type = string
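Review bot: The new description on `peer_gateway` says the peer is "external or GCP" but does not tell the caller that the two sub-objects are mutually exclusive, which is the contract the variable's validation block (just below this hunk) enforces. A reader of the README table, which is generated from this string, sees only the type `object({…})` and will have to run `terraform plan` to discover that setting both, or neither, is rejected. Suggested wording: `description = "Configuration of the peer gateway. Exactly one of `external` or `gcp` must be set."`. The `peer_gateway` variable block continues past the end of this hunk.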
@@ -34,8 +35,8 @@ variable "peer_gateway" {
})
nullable = false
validation {
- condition = var.peer_gateway.external != null || var.peer_gateway.gcp != null
- error_message = "TODO"
+ condition = (var.peer_gateway.external != null) != (var.peer_gateway.gcp != null)
+ error_message = "Peer gateway configuration must define exactly one between `external` and `gcp`."
}
}
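Review bot: The replaced error_message reads "exactly one between `external` and `gcp`", which is not idiomatic; Terraform prints this text verbatim to the operator, so `error_message = "Exactly one of `peer_gateway.external` or `peer_gateway.gcp` must be set."` would be clearer and also names the variable path the user has to fix. The XOR condition itself is correct given `nullable = false` on the line above, since that guarantees `var.peer_gateway` is never null and both comparisons are safe to evaluate. Separately, `external.redundancy_type` is still an unconstrained `string` (visible in the previous hunk), so a misspelled redundancy type surfaces only as an API error at apply time rather than at plan; a second `validation` block that checks it with `contains(...)` against the provider's accepted values would be worth adding, though I have not verified that list here.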
@@ -50,6 +51,7 @@ variable "region" {
}
variable "router_config" {
+ description = "Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router."
type = object({
create = optional(bool, true)
asn = number