Files

Jason Steenblik 90360c591e Add confidential compute support to google_dataproc_cluster in the da… (#2736 )

* Add confidential compute support to google_dataproc_cluster in the dataproc module

* fix parent id lookup for networking and security stages (#2744)

* Add optional automated MD5 generation in net-vlan-attachment module (#2745)

* Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.


Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Add ability to autogenerate md5 keys in net-vpn-ha (#2748)

* Add ability to optionally generate MD5 secrets in VPN module

* Add ability to autogenerate MD5 keys in net-vpn-ha module

* restore missing output

* fix test counts

---------

Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* update changelog

* Bump path-to-regexp and express (#2752)

Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

Updates `path-to-regexp` from 0.1.10 to 0.1.12
- [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
- [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
- [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

Updates `express` from 4.21.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

---
updated-dependencies:
- dependency-name: path-to-regexp
  dependency-type: indirect
- dependency-name: express
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* add support for routing mode to net-swp module (#2751)

Co-authored-by: Julio Castillo <jccb@google.com>

* remove default location in tag value - cloud-run-v2 tags.tf (#2755)

The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is.

Changed to use the var.region instead

* Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example).

* Add rest of load balancers.

* Add path_template_match and path_template_rewrite support to internal load balancers

* Add disk encyption key to the google_compute_instance_template - Sovereign support (#2750)

* add disk encyption key to the google_compute_instance_template

* add a condition to the kms_key_self_link

* use dynamic variable for disk_encryption_key

* remove the getpip from the repo

---------

Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>

* Add support for password validation policy to cloudsql module (#2740)

* add support for password validation policy to cloudsql module

* fix defaults

* update changelog

* bump provider version constraint

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Luca Prete <preteluca@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com>
Co-authored-by: Taneli Leppä <taneli@google.com>
Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>

2024-12-10 16:39:48 +01:00

main.tf

Add ability to autogenerate md5 keys in net-vpn-ha (#2748 )

2024-12-06 07:34:56 +00:00

outputs.tf

Add ability to autogenerate md5 keys in net-vpn-ha (#2748 )

2024-12-06 07:34:56 +00:00

README.md

Add ability to autogenerate md5 keys in net-vpn-ha (#2748 )

2024-12-06 07:34:56 +00:00

variables.tf

Add ability to autogenerate md5 keys in net-vpn-ha (#2748 )

2024-12-06 07:34:56 +00:00

versions.tf

Add confidential compute support to google_dataproc_cluster in the da… (#2736 )

2024-12-10 16:39:48 +01:00

README.md

Cloud HA VPN Module

This module makes it easy to deploy either GCP-to-GCP or GCP-to-On-prem Cloud HA VPN.

Examples

GCP to GCP

module "vpn-1" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = "europe-west4"
  network    = var.vpc1.self_link
  name       = "net1-to-net-2"
  peer_gateways = {
    default = { gcp = module.vpn-2.self_link }
  }
  router_config = {
    asn = 64514
    custom_advertise = {
      all_subnets = true
      ip_ranges = {
        "10.0.0.0/8" = "default"
      }
    }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.1.2/30"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
      }
      bgp_session_range     = "169.254.2.2/30"
      vpn_gateway_interface = 1
    }
  }
}

module "vpn-2" {
  source        = "./fabric/modules/net-vpn-ha"
  project_id    = var.project_id
  region        = "europe-west4"
  network       = var.vpc2.self_link
  name          = "net2-to-net1"
  router_config = { asn = 64513 }
  peer_gateways = {
    default = { gcp = module.vpn-1.self_link }
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = module.vpn-1.shared_secrets["remote-0"]
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.2"
        asn     = 64514
      }
      bgp_session_range     = "169.254.2.1/30"
      shared_secret         = module.vpn-1.shared_secrets["remote-1"]
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=2 resources=22 inventory=gcp-to-gcp.yaml

Note: When using the for_each meta-argument you might experience a Cycle Error due to the multiple net-vpn-ha modules referencing each other. To fix this you can create the google_compute_ha_vpn_gateway resources separately and reference them in the net-vpn-ha module via the vpn_gateway and peer_gcp_gateway variables.

GCP to on-prem

module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  network    = var.vpc.self_link
  name       = "mynet-to-onprem"
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar"
        }
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        # BFD is optional
        bfd = {
          min_receive_interval        = 1000
          min_transmit_interval       = 1000
          multiplier                  = 5
          session_initialization_mode = "ACTIVE"
        }
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar"
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
}
# tftest modules=1 resources=12 inventory=gcp-to-onprem.yaml

IPv6 (dual-stack)

You can optionally set your HA VPN gateway (and BGP sessions) to carry both IPv4 and IPv6 traffic. IPv6 only is not supported.

module "vpn_ha" {
  source     = "./fabric/modules/net-vpn-ha"
  project_id = var.project_id
  region     = var.region
  name       = "mynet-to-onprem"
  network    = var.vpc.self_link
  peer_gateways = {
    default = {
      external = {
        redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
        interfaces      = ["8.8.8.8"] # on-prem router ip address
      }
    }
  }
  router_config = { asn = 64514 }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.1"
        asn     = 64513
        ipv6    = {}
      }
      bgp_session_range               = "169.254.1.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.2.1"
        asn     = 64513
        ipv6 = {
          nexthop_address      = "2600:2d00:0:2::1"
          peer_nexthop_address = "2600:2d00:0:3::1"
        }
      }
      bgp_session_range               = "169.254.2.2/30"
      peer_external_gateway_interface = 0
      shared_secret                   = "mySecret"
      vpn_gateway_interface           = 1
    }
  }
  vpn_gateway_create = {
    stack_type = "IPV4_IPV6"
  }
}
# tftest modules=1 resources=12 intentory=ipv6.yaml

You can optionally avoid to specify MD5 keys and the module will automatically generate them for you.

Variables

name	description	type	required	default
name	VPN Gateway name (if an existing VPN Gateway is not used), and prefix used for dependent resources.	`string`	✓
network	VPC used for the gateway and routes.	`string`	✓
project_id	Project where resources will be created.	`string`	✓
region	Region used for resources.	`string`	✓
router_config	Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router.	`object({…})`	✓
peer_gateways	Configuration of the (external or GCP) peer gateway.	`map(object({…}))`		`{}`
tunnels	VPN tunnel configurations.	`map(object({…}))`		`{}`
vpn_gateway	HA VPN Gateway Self Link for using an existing HA VPN Gateway. Ignored if `vpn_gateway_create` is set to `true`.	`string`		`null`
vpn_gateway_create	Create HA VPN Gateway. Set to null to avoid creation.	`object({…})`		`{}`

Outputs

name	description	sensitive
bgp_peers	BGP peer resources.
external_gateway	External VPN gateway resource.
gateway	VPN gateway resource (only if auto-created).
id	Fully qualified VPN gateway id.
md5_keys	BGP tunnels MD5 keys.
name	VPN gateway name (only if auto-created).
random_secret	Generated secret.
router	Router resource (only if auto-created).
router_name	Router name.
self_link	HA VPN gateway self link.
shared_secrets	IPSEC tunnels shared secrets.
tunnel_names	VPN tunnel names.
tunnel_self_links	VPN tunnel self links.
tunnels	VPN tunnel resources.