* Add confidential compute support to google_dataproc_cluster in the dataproc module
* fix parent id lookup for networking and security stages (#2744)
* Add optional automated MD5 generation in net-vlan-attachment module (#2745)
* Bump path-to-regexp and express in /blueprints/gke/binauthz/image (#2749)

  Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) to 0.1.12 and updates ancestor dependency [express](https://github.com/expressjs/express). These dependencies need to be updated together.

  Updates `path-to-regexp` from 0.1.10 to 0.1.12
  - [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
  - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
  - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

  Updates `express` from 4.21.1 to 4.21.2
  - [Release notes](https://github.com/expressjs/express/releases)
  - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
  - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

  ---
  updated-dependencies:
  - dependency-name: path-to-regexp
    dependency-type: indirect
  - dependency-name: express
    dependency-type: direct:production
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Add ability to autogenerate md5 keys in net-vpn-ha (#2748)
  * Add ability to optionally generate MD5 secrets in VPN module
  * Add ability to autogenerate MD5 keys in net-vpn-ha module
  * restore missing output
  * fix test counts

  ---------
  Co-authored-by: Luca Prete <lucaprete@google.com>
  Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* update changelog
* Bump path-to-regexp and express (#2752)

  Bumps [path-to-regexp](https://github.com/pillarjs/path-to-regexp) and [express](https://github.com/expressjs/express). These dependencies needed to be updated together.

  Updates `path-to-regexp` from 0.1.10 to 0.1.12
  - [Release notes](https://github.com/pillarjs/path-to-regexp/releases)
  - [Changelog](https://github.com/pillarjs/path-to-regexp/blob/master/History.md)
  - [Commits](https://github.com/pillarjs/path-to-regexp/compare/v0.1.10...v0.1.12)

  Updates `express` from 4.21.1 to 4.21.2
  - [Release notes](https://github.com/expressjs/express/releases)
  - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
  - [Commits](https://github.com/expressjs/express/compare/4.21.1...4.21.2)

  ---
  updated-dependencies:
  - dependency-name: path-to-regexp
    dependency-type: indirect
  - dependency-name: express
    dependency-type: indirect
  ...

  Signed-off-by: dependabot[bot] <support@github.com>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* add support for routing mode to net-swp module (#2751)

  Co-authored-by: Julio Castillo <jccb@google.com>
* remove default location in tag value - cloud-run-v2 tags.tf (#2755)

  The Parent resource has a default to europe-west1 when it should be for the resource block from where the cloud run actually is. Changed to use the var.region instead
* Add path_template_match and path_template_rewrite support to net-lb-app-ext (required for React apps for example).
* Add rest of load balancers.
* Add path_template_match and path_template_rewrite support to internal load balancers
* Add disk encryption key to the google_compute_instance_template - Sovereign support (#2750)
  * add disk encryption key to the google_compute_instance_template
  * add a condition to the kms_key_self_link
  * use dynamic variable for disk_encryption_key
  * remove the getpip from the repo

  ---------
  Co-authored-by: Julio Castillo <jccb@google.com>
  Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
* Add support for password validation policy to cloudsql module (#2740)
  * add support for password validation policy to cloudsql module
  * fix defaults
* update changelog
* bump provider version constraint

---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Ludovico Magnocavallo <ludomagno@google.com>
Co-authored-by: Luca Prete <preteluca@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Luca Prete <lucaprete@google.com>
Co-authored-by: Julio Castillo <jccb@google.com>
Co-authored-by: Matthew Callinan <47421139+Mattible@users.noreply.github.com>
Co-authored-by: Taneli Leppä <taneli@google.com>
Co-authored-by: Wiktor Niesiobędzki <wiktorn@google.com>
Co-authored-by: Kovács Dávid <david-kovacs@t-systems.com>
# VLAN Attachment module

This module allows for the provisioning of HA VPN over Interconnect. Specifically, it creates a VPN gateway, a configurable number of tunnels, and all the resources required to establish IPSec and BGP with the peer routers.

The required pair of encrypted VLAN Attachments can be created with the net-vlan-attachment module, as shown in the IoIC Blueprint.
## Examples

### Single region setup

```hcl
resource "google_compute_router" "encrypted-interconnect-overlay-router" {
  name    = "encrypted-interconnect-overlay-router"
  project = "myproject"
  network = "mynet"
  region  = "europe-west8"
  bgp {
    asn               = 64514
    advertise_mode    = "CUSTOM"
    advertised_groups = ["ALL_SUBNETS"]
    advertised_ip_ranges {
      range = "10.255.255.0/24"
    }
    advertised_ip_ranges {
      range = "192.168.255.0/24"
    }
  }
}

resource "google_compute_external_vpn_gateway" "default" {
  name        = "peer-vpn-gateway"
  project     = "myproject"
  description = "Peer IPSec over Interconnect VPN gateway"
  interface {
    id         = 0
    ip_address = "10.0.0.1"
  }
  interface {
    id         = 1
    ip_address = "10.0.0.2"
  }
}

module "vpngw-a" {
  source     = "./fabric/modules/net-ipsec-over-interconnect"
  project_id = "myproject"
  network    = "mynet"
  region     = "europe-west8"
  name       = "vpngw-a"
  interconnect_attachments = {
    a = "attach-01"
    b = "attach-02"
  }
  peer_gateway_config = {
    create = false
    id     = google_compute_external_vpn_gateway.default.id
  }
  router_config = {
    create = false
    name   = google_compute_router.encrypted-interconnect-overlay-router.name
  }
  tunnels = {
    remote-0 = {
      bgp_peer = {
        address = "169.254.1.2"
        asn     = 64514
        # MD5 Authentication is optional
        md5_authentication_key = {
          name = "foo"
          key  = "bar"
        }
      }
      bgp_session_range     = "169.254.1.1/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 0
    }
    remote-1 = {
      bgp_peer = {
        address = "169.254.1.6"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.5/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 1
    }
    remote-2 = {
      bgp_peer = {
        address = "169.254.1.10"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.9/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 0
    }
    remote-3 = {
      bgp_peer = {
        address = "169.254.1.14"
        asn     = 64514
      }
      bgp_session_range     = "169.254.1.13/30"
      shared_secret         = "foobar"
      vpn_gateway_interface = 1
    }
  }
}
# tftest modules=1 resources=16
```
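As an added example (not part of the module or this README), a small Python check over a `tunnels` map shaped like the one above, catching the mistakes that most often break an HA VPN over Interconnect before `terraform apply`: a BGP session range that is not a link-local /30, a peer address outside that /30, tunnels all on one gateway interface, and placeholder or reused shared secrets. The rules it applies are assumptions, noted in the code, not validation the module performs.

```python
"""Sanity checks for a net-ipsec-over-interconnect tunnels map (added example,
not module code). Rules are assumptions drawn from the README setup: a /30 BGP
session range in 169.254.0.0/16 per tunnel, the peer being the other usable host
of that /30, both HA gateway interfaces in use, a distinct strong secret per tunnel."""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
MIN_SECRET_LEN = 16  # assumed floor for a pre-shared key, not a module rule

# Constructed from the README example's first two tunnels (placeholder secrets).
TUNNELS = {
    "remote-0": {"bgp_peer": {"address": "169.254.1.2", "asn": 64514,
                              "md5_authentication_key": {"name": "foo", "key": "bar"}},
                 "bgp_session_range": "169.254.1.1/30", "shared_secret": "foobar",
                 "vpn_gateway_interface": 0},
    "remote-1": {"bgp_peer": {"address": "169.254.1.6", "asn": 64514},
                 "bgp_session_range": "169.254.1.5/30", "shared_secret": "foobar",
                 "vpn_gateway_interface": 1},
}

def check_tunnel(name, t):
    """Return the problems found in one tunnel entry (empty list if it looks sane)."""
    problems = []
    local = ipaddress.ip_interface(t["bgp_session_range"])
    peer = ipaddress.ip_address(t["bgp_peer"]["address"])
    net = local.network
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        problems.append(f"{name}: bgp_session_range must be a /30 inside {LINK_LOCAL}")
    # the /30 has exactly two usable hosts: our side and the peer's side
    if peer == local.ip or peer not in set(net.hosts()):
        problems.append(f"{name}: bgp_peer.address must be the other usable host of {net}")
    if t["vpn_gateway_interface"] not in (0, 1):
        problems.append(f"{name}: vpn_gateway_interface must be 0 or 1")
    if len(t.get("shared_secret") or "") < MIN_SECRET_LEN:
        problems.append(f"{name}: shared_secret shorter than {MIN_SECRET_LEN} characters")
    md5 = t["bgp_peer"].get("md5_authentication_key")
    if md5 is not None and not (md5.get("name") and md5.get("key")):
        problems.append(f"{name}: md5_authentication_key needs both name and key")
    return problems

def check_tunnels(tunnels):
    """Per-tunnel checks plus the cross-tunnel ones: HA spread and secret reuse."""
    problems = [p for n, t in tunnels.items() for p in check_tunnel(n, t)]
    if {t["vpn_gateway_interface"] for t in tunnels.values()} != {0, 1}:
        problems.append("tunnels must be spread over both gateway interfaces (0 and 1)")
    secrets = [t.get("shared_secret") for t in tunnels.values()]
    if len(set(secrets)) != len(secrets):
        problems.append("shared_secret reused across tunnels: one leak exposes all of them")
    return problems
```

Run against the README values it reports only the secret problems (short and reused), which is exactly what you want flagged before those placeholders reach a real deployment.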
## Variables

| name | description | type | required | default |
|---|---|---|---|---|
| interconnect_attachments | VLAN attachments used by the VPN Gateway. | object({…}) | ✓ | |
| name | Common name to identify the VPN Gateway. | string | ✓ | |
| network | The VPC name to which resources are associated. | string | ✓ | |
| peer_gateway_config | IP addresses for the external peer gateway. | object({…}) | ✓ | |
| project_id | The project id. | string | ✓ | |
| region | GCP Region. | string | ✓ | |
| router_config | Cloud Router configuration for the VPN. To reuse an existing router, set `create` to `false` and use `name` to specify the desired router. | object({…}) | ✓ | |
| tunnels | VPN tunnel configurations. | map(object({…})) | | {} |
## Outputs

| name | description | sensitive |
|---|---|---|
| bgp_peers | BGP peer resources. | |
| external_gateway | External VPN gateway resource. | |
| id | Fully qualified VPN gateway id. | |
| random_secret | Generated secret. | |
| router | Router resource (only if auto-created). | |
| router_name | Router name. | |
| self_link | HA VPN gateway self link. | |
| tunnels | VPN tunnel resources. | |