README.md

File metadata and controls

221 lines (162 loc) · 15.4 KB

PowerVPN Site to Site

Overview

This Terraform module creates a VPC VPN Gateway and attaches it to a new or existing PowerVS Workspace, providing secure site-to-site access to IBM Cloud Power infrastructure.

This Terraform module deploys the following infrastructure:

  • VPC
  • VPC Subnet
  • VPC Security Groups
  • VPC VPN Gateway
  • PowerVS Workspace (Optional)
  • Transit Gateway (Optional)
  • Cloud Connection w/DirectLink* (Optional)

* Only in locations without Power Edge Routers

Deployment Model

(Diagram: deployment model of the resources listed above)

Setup Requirements

Prerequisites

Upgrading your IBM Cloud Account

To order and use IBM Cloud services, billing information is required for your account. See Upgrading Your Account.

IAM Access

You will need the following IAM access, or higher, to deploy this VPN.

| Service Name (Resource Type) | Service Access | Platform Access |
|---|---|---|
| VPC Infrastructure Services (Virtual Private Cloud, Subnet, Security Group for VPC, VPN for VPC, Virtual Server for VPC*) | | Editor |
| Transit Gateway (Transit Gateway) | Manager | Editor |
| Workspace for Power Systems Virtual Server | Manager | Editor |

* Virtual Server for VPC access is only needed when specifying local and remote identities

Install Terraform

If you wish to run Terraform locally, see Install Terraform.

IBM Cloud API Key

You must supply an IBM Cloud API key so that Terraform can connect to the IBM Cloud Terraform provider. See Create API Key.

Network Planning

This automation requires some network planning before deploying. You will need to know the IP space you plan to use (or are already using) for your PowerVS Workspace, and which parts of your on-prem network you wish to be routable. These are specified with the power_cidrs and client_cidrs variables respectively. You do not have to know the exact subnets you plan to use; instead, pick one or more CIDRs that will encompass them.

Be careful not to pick an IP space for the PowerVS Workspace that could conflict with internal IBM IPs. These include 10.0.0.0/14, 10.200.0.0/14, 10.198.0.0/15, and 10.254.0.0/16. Otherwise, they may not be routed through the VPN. See Power Subnet Configuration for more information. You must also avoid using the same IP space as the VPN gateway is configured to use. By default this is 10.134.0.0/28, but it can be changed by specifying the optional variable vpn_subnet_cidr.

  • Note: An address prefix is added to the VPC for each of the client_cidrs supplied. If the prefix is smaller than a /29 network, it will be expanded to /29. This does not affect the VPN policy, only the internal networking of the VPC.
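As an added pre-flight check (not part of this module), the following Python script applies the planning rules above together with the input constraints listed under Inputs: overlap with the IBM-internal ranges, overlap with vpn_subnet_cidr, overlap between the Power and client CIDRs, the /29 expansion of small client prefixes, the 16-character preshared key minimum, and the requirement that identity_local and identity_remote be set together. The function and variable names are this example's own assumptions.

```python
from ipaddress import ip_network

# Ranges the README says to avoid for power_cidrs (used internally by IBM).
IBM_RESERVED = [ip_network(c) for c in
                ("10.0.0.0/14", "10.200.0.0/14", "10.198.0.0/15", "10.254.0.0/16")]


def expanded_prefix(cidr):
    """Mirror the README note: a client prefix smaller than /29 is widened to /29
    when it is added as a VPC address prefix (the VPN policy itself is unchanged)."""
    net = ip_network(cidr, strict=False)
    if net.prefixlen > 29:
        return net.supernet(new_prefix=29)
    return net


def plan_issues(power_cidrs, client_cidrs, vpn_subnet_cidr="10.134.0.0/28",
                preshared_key="", identity_local="", identity_remote=""):
    """Return a list of human-readable problems with a planned variable set.
    An empty list means the plan passes every check encoded here."""
    issues = []
    power = [ip_network(c, strict=False) for c in power_cidrs]
    client = [expanded_prefix(c) for c in client_cidrs]
    vpn = ip_network(vpn_subnet_cidr, strict=False)
    # Power CIDRs ride Direct Link, so they must not collide with IBM-internal space.
    for net in power:
        for res in IBM_RESERVED:
            if net.overlaps(res):
                issues.append(f"power_cidrs {net} overlaps IBM-internal {res}")
    # Neither side may reuse the subnet the VPN gateway itself lives in.
    for label, nets in (("power_cidrs", power), ("client_cidrs", client)):
        for net in nets:
            if net.overlaps(vpn):
                issues.append(f"{label} {net} overlaps vpn_subnet_cidr {vpn}")
    # The two ends of the tunnel must be disjoint (checked after /29 expansion).
    for p in power:
        for c in client:
            if p.overlaps(c):
                issues.append(f"power_cidrs {p} overlaps client_cidrs {c}")
    if len(preshared_key) < 16:
        issues.append("preshared_key must be at least 16 characters")
    if bool(identity_local) != bool(identity_remote):
        issues.append("identity_local and identity_remote must be set together")
    return issues


if __name__ == "__main__":
    # Constructed sample plan: a Power CIDR inside 10.0.0.0/14 is flagged.
    for issue in plan_issues(["10.1.0.0/24"], ["192.168.50.0/24"], preshared_key="x" * 16):
        print(issue)
```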

Deployment

Terraform CLI

You may choose to use the Terraform command line to deploy this module. You can download Terraform here: Install Terraform. Once installed, run terraform init and then terraform apply to create the VPN. When you run apply, Terraform will prompt you for the required variables.

If you need to specify any of the optional variables, you can do so by exporting each as an environment variable with the prefix TF_VAR_, by using a .tfvars file, or by passing them to the terraform command with -var. For more information see Assigning Values to Root Module Variables.

IBM Schematics

Schematics is an IBM Cloud service that delivers Infrastructure as Code (IaC) tools as a service. You can use the capabilities of Schematics to consistently deploy and manage your cloud infrastructure environments. From a single pane of glass, you can run end-to-end automation to build one or more stacks of cloud resources, manage their lifecycle, manage changes in their configurations, deploy your app workloads, and perform day-2 operations.

To create a VPN with Schematics, first create a workspace. Specify this repository for the repository URL and set the Terraform version to 1.5 or greater. Click Next, and then give the workspace a name and any other details you'd like. You may choose to use any Resource Group or Location.

(Screenshot: Specify Template Workspace Details)

Once your workspace is created, use the Variables section below the Details section on the Settings page to configure the VPN. You will need to edit and specify every variable whose description does not start with "Optional variable". If needed, also specify any variables that are optional.

(Screenshot: Variables)

After setting the variables, you may use the "Apply plan" button at the top of the page to deploy the VPN.

(Screenshot: Apply Plan)

Post Deployment

PowerVS Locations using a Cloud Connection

If the PowerVS Workspace location you choose does not have a Power Edge Router (see Getting started with the Power Edge Router), you will need to take an additional step when creating subnets in that Workspace. For subnets in these locations to be routed through the VPN, you will need to attach the Cloud Connection that was created by this automation. This option is found in the same UI panel as the other subnet options when you choose Create subnet from the PowerVS Workspace Subnets page of the cloud portal.

(Screenshot: Attach Cloud Connection)

Variable Behavior

There are a number of variables defined in variables.tf that this Terraform module uses to deploy and configure your infrastructure. See Inputs for the full list of variables with their descriptions, defaults, and conditions.

Support

If you have problems or questions when using the underlying IBM Cloud infrastructure, you can get help by searching for information or by asking questions through one of the forums. You can also create a case in the IBM Cloud console.

For information about opening an IBM support ticket, see Contacting support.

To report bugs or make feature requests regarding this Terraform module, please create an issue in this repository.

Further Reading

To understand the details for general Power Systems communication through VPC, including architecture and troubleshooting, see the Power Systems communication through a VPC Transit Hub solution tutorial.

References

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.5.0 |
| ibm | 1.62.0 |
| random | 3.5.1 |

Modules

| Name | Source | Version |
|---|---|---|
| cloud_connection | ./modules/cloud-connection | n/a |
| power | ./modules/power | n/a |
| transit | ./modules/transit | n/a |
| vpc | ./modules/vpc | n/a |
| vpn | ./modules/vpn | n/a |

Resources

| Name | Type |
|---|---|
| random_string.resource_identifier | resource |
| ibm_resource_group.group | data source |
| ibm_resource_instance.power_workspace | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| client_cidrs | List of CIDRs for the client network to be routed by the VPN gateway to the Power and VPC network.<br>Use the format ["cidr_1", "cidr_2"] to specify this variable. | list(string) | n/a | yes |
| create_default_vpc_address_prefixes | Optional variable to indicate whether a default address prefix should be created for each zone in this VPC. | bool | false | no |
| data_location_file_path | Debug variable to indicate where the file with PER location data is stored. This variable is used for testing, and should not normally be altered. | string | "./data/locations.yaml" | no |
| ibmcloud_api_key | The IBM Cloud platform API key needed to deploy IAM-enabled resources. | string | n/a | yes |
| identity_local | Optional local identity for the VPN configuration. The local identity is the identity of this VPN gateway. The local identity can be an FQDN or any arbitrary string. However, it must match the remote identity setting of the connecting VPN gateway. For example, the local identity of this VPN gateway must be the same as the remote identity set for the on-prem VPN gateway.<br>The variable identity_remote must also be specified. | string | "" | no |
| identity_remote | Optional remote identity for the VPN configuration. The remote identity is the identity of the connecting VPN. The remote identity can be an FQDN or any arbitrary string. However, it must match the local identity setting of the connecting VPN gateway. For example, the local identity of the on-prem VPN gateway must be the same as the remote identity set for this VPN gateway.<br>The variable identity_local must also be specified. | string | "" | no |
| name | The name used for the new Power Workspace, Transit Gateway, and VPC. Other resources created will use this as their basename, suffixed by a random identifier. | string | n/a | yes |
| peer_address | The peer address identifies the gateway address that is not within the address prefixes for your VPC. | string | n/a | yes |
| per_override | Optional variable to force the PowerVS location to be seen as PER enabled by this automation. When set true, this forces the use of PER instead of creating Cloud Connections. Set true when a location has been upgraded to PER before this automation has been made aware. See Getting started with the Power Edge Router for a complete list of PER enabled locations. | bool | false | no |
| power_cidrs | List of CIDRs for the PowerVS Workspace to be routed by the VPN gateway to the client network. Because these will be connected through Direct Link, avoid using IPs in these CIDRs: 10.0.0.0/14, 10.200.0.0/14, 10.198.0.0/15, and 10.254.0.0/16. Otherwise, they may not be routed through the VPN.<br>Use the format ["cidr_1", "cidr_2"] to specify this variable. | list(string) | n/a | yes |
| power_cloud_connection_speed | Optional variable to specify the speed of the cloud connection (speed in megabits per second). This only applies to locations WITHOUT Power Edge Routers.<br>Supported values are 50, 100, 200, 500, 1000, 2000, 5000, 10000. Default value is 1000. | number | 1000 | no |
| power_workspace_location | The location used to create the power workspace.<br>Available locations are: dal10, dal12, us-south, us-east, wdc06, wdc07, sao01, sao04, tor01, mon01, eu-de-1, eu-de-2, lon04, lon06, syd04, syd05, tok04, osa21, mad02, mad04. See PowerVS Locations for a complete list of PowerVS locations. | string | n/a | yes |
| power_workspace_name | Optional variable to specify the name of an existing power workspace. If supplied, that workspace will be connected to the VPN. | string | "" | no |
| preshared_key | Key configured on the peer gateway. The key is usually a complex string similar to a password, for example: 3j9atsxOzAtr1O1VEY.<br>The preshared key must be at least 16 characters. | string | n/a | yes |
| resource_group_name | Resource Group to create new resources in (Resource Group name is case sensitive). | string | n/a | yes |
| transit_gateway_name | Optional variable to specify the name of an existing transit gateway. If supplied, it is assumed that you have already connected your power workspace to it. A connection to the VPC containing the VPN Server will be added, but not one for the Power Workspace. Supplying this variable also suppresses Power Workspace creation. | string | "" | no |
| vpn_subnet_cidr | Optional variable to specify the CIDR for the subnet the VPN will be in. You should only need to change this if you have a conflict with your Power Workspace subnets or with a VPC connected with this solution. | string | "10.134.0.0/28" | no |
| vsi_vpn_ssh_key_name | Debug variable to specify an existing SSH key by name to use with the VPN VSI (identity support). Variables identity_remote and identity_local must also be specified. | string | "" | no |

Outputs

| Name | Description |
|---|---|
| vpn_endpoint | The internet-accessible endpoint for the VPN |