d8d66583f8
* Bump provider version * Fix inventories * Ignore certificates in inventories * Add header to cloud run recipe * Optimize file copy for example-based tests * Remove local references
Cloud VPN Dynamic Module
This module makes it easy to deploy a Classic VPN with dynamic (BGP) routing.
Examples
Classic VPN with single tunnel
This example shows how to configure a single VPN tunnel using a couple of extra features:
- custom advertisement on the tunnel's BGP session; if custom advertisement is not needed, simply set the
custom_advertiseattribute tonull - internally generated shared secret, which can be fetched from the module's
random_secretoutput for reuse; a predefined secret can be used instead by assigning it to theshared_secretattribute
module "vm" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "europe-west1-b"
name = "my-vm"
network_interfaces = [{
nat = true
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
service_account = {
auto_create = true
}
}
module "vpn-dynamic" {
source = "./fabric/modules/net-vpn-dynamic"
project_id = "my-project"
region = "europe-west1"
network = var.vpc.name
name = "gateway-1"
router_config = {
asn = 64514
}
tunnels = {
remote-1 = {
bgp_peer = {
address = "169.254.139.134"
asn = 64513
custom_advertise = {
all_subnets = true
all_vpc_subnets = false
all_peer_vpc_subnets = false
ip_ranges = {
"192.168.0.0/24" = "Advertised range description"
}
}
}
bgp_session_range = "169.254.139.133/30"
peer_ip = module.vm.external_ip
}
}
}
# tftest modules=2 resources=12 inventory=vpn-single-tunnel.yaml
Classic VPN with single tunnel and custom ciphers
This example shows how to configure a single VPN tunnel with custom ciphers.
module "vm" {
source = "./fabric/modules/compute-vm"
project_id = "my-project"
zone = "europe-west1-b"
name = "my-vm"
network_interfaces = [{
nat = true
network = var.vpc.self_link
subnetwork = var.subnet.self_link
}]
service_account = {
auto_create = true
}
}
module "vpn-dynamic" {
source = "./fabric/modules/net-vpn-dynamic"
project_id = "my-project"
region = "europe-west1"
network = var.vpc.name
name = "gateway-1"
router_config = {
asn = 64514
}
tunnels = {
remote-1 = {
bgp_peer = {
address = "169.254.139.134"
asn = 64513
custom_advertise = null
}
bgp_session_range = "169.254.139.133/30"
cipher_suite = {
phase1 = {
dh = ["Group-14"]
encryption = ["AES-CBC-256"]
integrity = ["HMAC-SHA2-256-128"]
prf = ["PRF-HMAC-SHA2-256"]
}
phase2 = {
encryption = ["AES-CBC-128"]
integrity = ["HMAC-SHA2-256-128"]
pfs = ["Group-14"]
}
}
peer_ip = module.vm.external_ip
}
}
}
# tftest modules=2 resources=12 inventory=vpn-single-tunnel-custom-ciphers.yaml
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| name | VPN gateway name, and prefix used for dependent resources. | string |
✓ | |
| network | VPC used for the gateway and routes. | string |
✓ | |
| project_id | Project where resources will be created. | string |
✓ | |
| region | Region used for resources. | string |
✓ | |
| router_config | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) |
✓ | |
| gateway_address | Optional address assigned to the VPN gateway. Ignored unless gateway_address_create is set to false. | string |
null |
|
| gateway_address_create | Create external address assigned to the VPN gateway. Needs to be explicitly set to false to use address in gateway_address variable. | bool |
true |
|
| tunnels | VPN tunnel configurations. | map(object({…})) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| address | VPN gateway address. | |
| gateway | VPN gateway resource. | |
| id | Fully qualified VPN gateway id. | |
| name | VPN gateway name. | |
| random_secret | Generated secret. | ✓ |
| router | Router resource (only if auto-created). | |
| router_name | Router name. | |
| self_link | VPN gateway self link. | |
| tunnel_names | VPN tunnel names. | |
| tunnel_self_links | VPN tunnel self links. | |
| tunnels | VPN tunnel resources. |