789328ff5a
* bump provider versions to 5.0.0 * fix cloud run, logging and vpc-sc * Fix secret manager * fix gke nodepool * fix gke multitenant stage and blueprint * Moving alloydb module to experimental. * Add project to bare resources in examples * tfdoc * fix svpc blueprint test * Revert "fix svpc blueprint test" This reverts commit 14f02659098070136e64ead600580dd52c23c339. * Fix GKE peering project * Disable tests in alloydb module * Bring back secret ids in secret manager tests * Remove duplicate key * last push --------- Co-authored-by: Julio Castillo <jccb@google.com>
VLAN Attachment module
This module allows for the provisioning of HA VPN over Interconnect. Specifically, this module creates a VPN gateway, a configurable number of tunnels, and all the resources required to established IPSec and BGP with the peer routers.
The required pair of encrypted VLAN Attachments can be created leveraging the net-vlan-attachment module, as shown in the IoIC Blueprint.
Examples
Single region setup
resource "google_compute_router" "encrypted-interconnect-overlay-router" {
name = "encrypted-interconnect-overlay-router"
project = "myproject"
network = "mynet"
region = "europe-west8"
bgp {
asn = 64514
advertise_mode = "CUSTOM"
advertised_groups = ["ALL_SUBNETS"]
advertised_ip_ranges {
range = "10.255.255.0/24"
}
advertised_ip_ranges {
range = "192.168.255.0/24"
}
}
}
resource "google_compute_external_vpn_gateway" "default" {
name = "peer-vpn-gateway"
project = "myproject"
description = "Peer IPSec over Interconnect VPN gateway"
interface {
id = 0
ip_address = "10.0.0.1"
}
interface {
id = 1
ip_address = "10.0.0.2"
}
}
module "vpngw-a" {
source = "./fabric/modules/net-ipsec-over-interconnect"
project_id = "myproject"
network = "mynet"
region = "europe-west8"
name = "vpngw-a"
interconnect_attachments = {
a = "attach-01"
b = "attach-02"
}
peer_gateway_config = {
create = false
id = google_compute_external_vpn_gateway.default.id
}
router_config = {
create = false
name = google_compute_router.encrypted-interconnect-overlay-router.name
}
tunnels = {
remote-0 = {
bgp_peer = {
address = "169.254.1.2"
asn = 64514
}
bgp_session_range = "169.254.1.1/30"
shared_secret = "foobar"
vpn_gateway_interface = 0
}
remote-1 = {
bgp_peer = {
address = "169.254.1.6"
asn = 64514
}
bgp_session_range = "169.254.1.5/30"
shared_secret = "foobar"
vpn_gateway_interface = 1
}
remote-2 = {
bgp_peer = {
address = "169.254.1.10"
asn = 64514
}
bgp_session_range = "169.254.1.9/30"
shared_secret = "foobar"
vpn_gateway_interface = 0
}
remote-3 = {
bgp_peer = {
address = "169.254.1.14"
asn = 64514
}
bgp_session_range = "169.254.1.13/30"
shared_secret = "foobar"
vpn_gateway_interface = 1
}
}
}
# tftest modules=1 resources=16
Variables
| name | description | type | required | default |
|---|---|---|---|---|
| interconnect_attachments | VLAN attachments used by the VPN Gateway. | object({…}) |
✓ | |
| name | Common name to identify the VPN Gateway. | string |
✓ | |
| network | The VPC name to which resources are associated to. | string |
✓ | |
| peer_gateway_config | IP addresses for the external peer gateway. | object({…}) |
✓ | |
| project_id | The project id. | string |
✓ | |
| region | GCP Region. | string |
✓ | |
| router_config | Cloud Router configuration for the VPN. If you want to reuse an existing router, set create to false and use name to specify the desired router. | object({…}) |
✓ | |
| tunnels | VPN tunnel configurations. | map(object({…})) |
{} |
Outputs
| name | description | sensitive |
|---|---|---|
| bgp_peers | BGP peer resources. | |
| external_gateway | External VPN gateway resource. | |
| id | Fully qualified VPN gateway id. | |
| random_secret | Generated secret. | |
| router | Router resource (only if auto-created). | |
| router_name | Router name. | |
| self_link | HA VPN gateway self link. | |
| tunnels | VPN tunnel resources. |